632 files changed, 65035 insertions, 17104 deletions

diff --git a/src/lib/libcrypto/Makefile.ssl b/src/lib/libcrypto/Makefile.ssl
index 6759b2e4d0..9d1a180571 100644
--- a/src/lib/libcrypto/Makefile.ssl
+++ b/src/lib/libcrypto/Makefile.ssl
@@ -5,14 +5,15 @@
 DIR=            crypto
 TOP=            ..
 CC=             cc
-INCLUDE=        -I. -I../include
-INCLUDES=       -I.. -I../../include
+INCLUDE=        -I. -I$(TOP) -I../include
+INCLUDES=       -I.. -I../.. -I../../include
 CFLAG=          -g
 INSTALL_PREFIX=
 OPENSSLDIR=     /usr/local/ssl
 INSTALLTOP=     /usr/local/ssl
 MAKE=           make -f Makefile.ssl
-MAKEDEPEND=     $(TOP)/util/domd $(TOP)
+MAKEDEPPROG=    makedepend
+MAKEDEPEND=     $(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)
 MAKEFILE=       Makefile.ssl
 RM=             rm -f
 AR=             ar r
@@ -27,34 +28,36 @@ LIBS=
 
 SDIRS=  md2 md5 sha mdc2 hmac ripemd \
         des rc2 rc4 rc5 idea bf cast \
-        bn rsa dsa dh dso engine \
+        bn ec rsa dsa dh dso engine aes \
         buffer bio stack lhash rand err objects \
-        evp asn1 pem x509 x509v3 conf txt_db pkcs7 pkcs12 comp
+        evp asn1 pem x509 x509v3 conf txt_db pkcs7 pkcs12 comp ocsp ui krb5
 
 GENERAL=Makefile README crypto-lib.com install.com
 
 LIB= $(TOP)/libcrypto.a
-LIBSRC= cryptlib.c mem.c mem_dbg.c cversion.c ex_data.c tmdiff.c cpt_err.c ebcdic.c uid.c
-LIBOBJ= cryptlib.o mem.o mem_dbg.o cversion.o ex_data.o tmdiff.o cpt_err.o ebcdic.o uid.o
+SHARED_LIB= libcrypto$(SHLIB_EXT)
+LIBSRC= cryptlib.c mem.c mem_dbg.c cversion.c ex_data.c tmdiff.c cpt_err.c ebcdic.c uid.c o_time.c
+LIBOBJ= cryptlib.o mem.o mem_dbg.o cversion.o ex_data.o tmdiff.o cpt_err.o ebcdic.o uid.o o_time.o
 
 SRC= $(LIBSRC)
 
-EXHEADER= crypto.h tmdiff.h opensslv.h opensslconf.h ebcdic.h symhacks.h
-HEADER= cryptlib.h buildinf.h md32_common.h $(EXHEADER)
+EXHEADER= crypto.h tmdiff.h opensslv.h opensslconf.h ebcdic.h symhacks.h \
+        ossl_typ.h
+HEADER= cryptlib.h buildinf.h md32_common.h o_time.h $(EXHEADER)
 
 ALL=    $(GENERAL) $(SRC) $(HEADER)
 
 top:
         @(cd ..; $(MAKE) DIRS=$(DIR) all)
 
-all: buildinf.h lib subdirs
+all: buildinf.h lib subdirs shared
 
 buildinf.h: ../Makefile.ssl
         ( echo "#ifndef MK1MF_BUILD"; \
         echo "  /* auto-generated by crypto/Makefile.ssl for crypto/cversion.c */"; \
         echo "  #define CFLAGS \"$(CC) $(CFLAG)\""; \
         echo "  #define PLATFORM \"$(PLATFORM)\""; \
-        echo "  #define DATE \"`date`\""; \
+        echo "  #define DATE \"`LC_ALL=C LC_TIME=C date`\""; \
         echo "#endif" ) >buildinf.h
 
 testapps:
@@ -73,7 +76,7 @@ files:
         $(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO
         @for i in $(SDIRS) ;\
         do \
-        (cd $$i; echo "making 'files' in crypto/$$i..."; \
+        (cd $$i && echo "making 'files' in crypto/$$i..." && \
         $(MAKE) PERL='${PERL}' files ); \
         done;
 
@@ -84,27 +87,31 @@ links:
         @$(PERL) $(TOP)/util/mklink.pl ../apps $(APPS)
         @$(SHELL) $(TOP)/util/point.sh Makefile.ssl Makefile
         @for i in $(SDIRS); do \
-        (cd $$i; echo "making links in crypto/$$i..."; \
+        (cd $$i && echo "making links in crypto/$$i..." && \
         $(MAKE) CC='$(CC)' INCLUDES='${INCLUDES}' CFLAG='${CFLAG}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' AR='${AR}' PERL='${PERL}' links ); \
         done;
 
 lib:    $(LIBOBJ)
         $(AR) $(LIB) $(LIBOBJ)
-        @echo You may get an error following this line.  Please ignore.
-        - $(RANLIB) $(LIB)
+        $(RANLIB) $(LIB) || echo Never mind.
         @touch lib
 
+shared:
+        if [ -n "$(SHARED_LIBS)" ]; then \
+                (cd ..; make $(SHARED_LIB)); \
+        fi
+
 libs:
         @for i in $(SDIRS) ;\
         do \
-        (cd $$i; echo "making libs in crypto/$$i..."; \
+        (cd $$i && echo "making libs in crypto/$$i..." && \
         $(MAKE) CC='$(CC)' CFLAG='${CFLAG}' INSTALL_PREFIX='${INSTALL_PREFIX}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' AR='${AR}' lib ); \
         done;
 
 tests:
         @for i in $(SDIRS) ;\
         do \
-        (cd $$i; echo "making tests in crypto/$$i..."; \
+        (cd $$i && echo "making tests in crypto/$$i..." && \
         $(MAKE) CC='$(CC)' CFLAG='${CFLAG}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' AR='${AR}' tests ); \
         done;
 
@@ -116,14 +123,14 @@ install:
         done;
         @for i in $(SDIRS) ;\
         do \
-        (cd $$i; echo "making install in crypto/$$i..."; \
+        (cd $$i && echo "making install in crypto/$$i..." && \
         $(MAKE) CC='$(CC)' CFLAG='${CFLAG}' INSTALL_PREFIX='${INSTALL_PREFIX}'  INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' install ); \
         done;
 
 lint:
         @for i in $(SDIRS) ;\
         do \
-        (cd $$i; echo "making lint in crypto/$$i..."; \
+        (cd $$i && echo "making lint in crypto/$$i..." && \
         $(MAKE) CC='$(CC)' CFLAG='${CFLAG}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' lint ); \
         done;
 
@@ -133,7 +140,7 @@ depend:
         if [ ! -s buildinf.h ]; then rm buildinf.h; fi
         @for i in $(SDIRS) ;\
         do \
-        (cd $$i; echo "making depend in crypto/$$i..."; \
+        (cd $$i && echo "making depend in crypto/$$i..." && \
         $(MAKE) MAKEFILE='${MAKEFILE}' INCLUDES='${INCLUDES}' DEPFLAG='${DEPFLAG}' depend ); \
         done;
 
@@ -141,7 +148,7 @@ clean:
         rm -f buildinf.h *.o */*.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
         @for i in $(SDIRS) ;\
         do \
-        (cd $$i; echo "making clean in crypto/$$i..."; \
+        (cd $$i && echo "making clean in crypto/$$i..." && \
         $(MAKE) CC='$(CC)' CFLAG='${CFLAG}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' clean ); \
         done;
 
@@ -150,54 +157,58 @@ dclean:
         mv -f Makefile.new $(MAKEFILE)
         @for i in $(SDIRS) ;\
         do \
-        (cd $$i; echo "making dclean in crypto/$$i..."; \
+        (cd $$i && echo "making dclean in crypto/$$i..." && \
         $(MAKE) PERL='${PERL}' CC='$(CC)' CFLAG='${CFLAG}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' dclean ); \
         done;
 
 # DO NOT DELETE THIS LINE -- make depend depends on it.
 
 cpt_err.o: ../include/openssl/bio.h ../include/openssl/crypto.h
-cpt_err.o: ../include/openssl/err.h ../include/openssl/lhash.h
+cpt_err.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+cpt_err.o: ../include/openssl/lhash.h ../include/openssl/opensslconf.h
 cpt_err.o: ../include/openssl/opensslv.h ../include/openssl/safestack.h
-cpt_err.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-cryptlib.o: ../include/openssl/bio.h ../include/openssl/buffer.h
-cryptlib.o: ../include/openssl/crypto.h ../include/openssl/e_os.h
-cryptlib.o: ../include/openssl/e_os2.h ../include/openssl/err.h
-cryptlib.o: ../include/openssl/lhash.h ../include/openssl/opensslconf.h
-cryptlib.o: ../include/openssl/opensslv.h ../include/openssl/safestack.h
-cryptlib.o: ../include/openssl/stack.h ../include/openssl/symhacks.h cryptlib.h
-cversion.o: ../include/openssl/bio.h ../include/openssl/buffer.h
-cversion.o: ../include/openssl/crypto.h ../include/openssl/e_os.h
-cversion.o: ../include/openssl/e_os2.h ../include/openssl/err.h
-cversion.o: ../include/openssl/lhash.h ../include/openssl/opensslconf.h
-cversion.o: ../include/openssl/opensslv.h ../include/openssl/safestack.h
-cversion.o: ../include/openssl/stack.h ../include/openssl/symhacks.h buildinf.h
-cversion.o: cryptlib.h
-ex_data.o: ../include/openssl/bio.h ../include/openssl/buffer.h
-ex_data.o: ../include/openssl/crypto.h ../include/openssl/e_os.h
-ex_data.o: ../include/openssl/e_os2.h ../include/openssl/err.h
-ex_data.o: ../include/openssl/lhash.h ../include/openssl/opensslconf.h
-ex_data.o: ../include/openssl/opensslv.h ../include/openssl/safestack.h
-ex_data.o: ../include/openssl/stack.h ../include/openssl/symhacks.h cryptlib.h
-mem.o: ../include/openssl/bio.h ../include/openssl/buffer.h
-mem.o: ../include/openssl/crypto.h ../include/openssl/e_os.h
-mem.o: ../include/openssl/e_os2.h ../include/openssl/err.h
-mem.o: ../include/openssl/lhash.h ../include/openssl/opensslconf.h
-mem.o: ../include/openssl/opensslv.h ../include/openssl/safestack.h
-mem.o: ../include/openssl/stack.h ../include/openssl/symhacks.h cryptlib.h
-mem_dbg.o: ../include/openssl/bio.h ../include/openssl/buffer.h
-mem_dbg.o: ../include/openssl/crypto.h ../include/openssl/e_os.h
-mem_dbg.o: ../include/openssl/e_os2.h ../include/openssl/err.h
-mem_dbg.o: ../include/openssl/lhash.h ../include/openssl/opensslconf.h
-mem_dbg.o: ../include/openssl/opensslv.h ../include/openssl/safestack.h
-mem_dbg.o: ../include/openssl/stack.h ../include/openssl/symhacks.h cryptlib.h
-tmdiff.o: ../include/openssl/bio.h ../include/openssl/buffer.h
-tmdiff.o: ../include/openssl/crypto.h ../include/openssl/e_os.h
-tmdiff.o: ../include/openssl/e_os2.h ../include/openssl/err.h
-tmdiff.o: ../include/openssl/lhash.h ../include/openssl/opensslconf.h
-tmdiff.o: ../include/openssl/opensslv.h ../include/openssl/safestack.h
-tmdiff.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-tmdiff.o: ../include/openssl/tmdiff.h cryptlib.h
-uid.o: ../include/openssl/crypto.h ../include/openssl/opensslv.h
+cpt_err.o: ../include/openssl/stack.h ../include/openssl/symhacks.h cpt_err.c
+cryptlib.o: ../e_os.h ../include/openssl/bio.h ../include/openssl/buffer.h
+cryptlib.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
+cryptlib.o: ../include/openssl/err.h ../include/openssl/lhash.h
+cryptlib.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+cryptlib.o: ../include/openssl/safestack.h ../include/openssl/stack.h
+cryptlib.o: ../include/openssl/symhacks.h cryptlib.c cryptlib.h
+cversion.o: ../e_os.h ../include/openssl/bio.h ../include/openssl/buffer.h
+cversion.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
+cversion.o: ../include/openssl/err.h ../include/openssl/lhash.h
+cversion.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+cversion.o: ../include/openssl/safestack.h ../include/openssl/stack.h
+cversion.o: ../include/openssl/symhacks.h buildinf.h cryptlib.h cversion.c
+ebcdic.o: ../include/openssl/opensslconf.h ebcdic.c
+ex_data.o: ../e_os.h ../include/openssl/bio.h ../include/openssl/buffer.h
+ex_data.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
+ex_data.o: ../include/openssl/err.h ../include/openssl/lhash.h
+ex_data.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+ex_data.o: ../include/openssl/safestack.h ../include/openssl/stack.h
+ex_data.o: ../include/openssl/symhacks.h cryptlib.h ex_data.c
+mem.o: ../e_os.h ../include/openssl/bio.h ../include/openssl/buffer.h
+mem.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
+mem.o: ../include/openssl/err.h ../include/openssl/lhash.h
+mem.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+mem.o: ../include/openssl/safestack.h ../include/openssl/stack.h
+mem.o: ../include/openssl/symhacks.h cryptlib.h mem.c
+mem_dbg.o: ../e_os.h ../include/openssl/bio.h ../include/openssl/buffer.h
+mem_dbg.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
+mem_dbg.o: ../include/openssl/err.h ../include/openssl/lhash.h
+mem_dbg.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+mem_dbg.o: ../include/openssl/safestack.h ../include/openssl/stack.h
+mem_dbg.o: ../include/openssl/symhacks.h cryptlib.h mem_dbg.c
+o_time.o: ../include/openssl/e_os2.h ../include/openssl/opensslconf.h o_time.c
+o_time.o: o_time.h
+tmdiff.o: ../e_os.h ../include/openssl/bio.h ../include/openssl/buffer.h
+tmdiff.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
+tmdiff.o: ../include/openssl/err.h ../include/openssl/lhash.h
+tmdiff.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+tmdiff.o: ../include/openssl/safestack.h ../include/openssl/stack.h
+tmdiff.o: ../include/openssl/symhacks.h ../include/openssl/tmdiff.h cryptlib.h
+tmdiff.o: tmdiff.c
+uid.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
+uid.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
 uid.o: ../include/openssl/safestack.h ../include/openssl/stack.h
-uid.o: ../include/openssl/symhacks.h
+uid.o: ../include/openssl/symhacks.h uid.c
diff --git a/src/lib/libcrypto/aes/Makefile.ssl b/src/lib/libcrypto/aes/Makefile.ssl
new file mode 100644
index 0000000000..c189ce0824
--- /dev/null
+++ b/src/lib/libcrypto/aes/Makefile.ssl
@@ -0,0 +1,103 @@
+#
+# crypto/aes/Makefile
+#
+
+DIR=    aes
+TOP=    ../..
+CC=     cc
+CPP=    $(CC) -E
+INCLUDES=
+CFLAG=-g
+INSTALL_PREFIX=
+OPENSSLDIR=     /usr/local/ssl
+INSTALLTOP=     /usr/local/ssl
+MAKE=           make -f Makefile.ssl
+MAKEDEPPROG=    makedepend
+MAKEDEPEND=     $(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)
+MAKEFILE=       Makefile.ssl
+AR=             ar r
+
+# CFLAGS= -mpentiumpro $(INCLUDES) $(CFLAG) -O3 -fexpensive-optimizations -funroll-loops -fforce-addr
+CFLAGS= $(INCLUDES) $(CFLAG)
+
+GENERAL=Makefile
+#TEST=aestest.c
+TEST=
+APPS=
+
+LIB=$(TOP)/libcrypto.a
+LIBSRC=aes_core.c aes_misc.c aes_ecb.c aes_cbc.c aes_cfb.c aes_ofb.c aes_ctr.c
+LIBOBJ=aes_core.o aes_misc.o aes_ecb.o aes_cbc.o aes_cfb.o aes_ofb.o aes_ctr.o
+
+SRC= $(LIBSRC)
+
+EXHEADER= aes.h
+HEADER= aes_locl.h $(EXHEADER)
+
+ALL=    $(GENERAL) $(SRC) $(HEADER)
+
+top:
+        (cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
+
+all:    lib
+
+lib:    $(LIBOBJ)
+        $(AR) $(LIB) $(LIBOBJ)
+        $(RANLIB) $(LIB) || echo Never mind.
+        @touch lib
+
+$(LIBOBJ): $(LIBSRC)
+
+files:
+        $(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO
+
+links:
+        @$(TOP)/util/point.sh Makefile.ssl Makefile
+        @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
+        @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
+        @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
+
+install: installs
+
+installs:
+        @for i in $(EXHEADER) ; \
+        do  \
+        (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
+        chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
+        done;
+
+tags:
+        ctags $(SRC)
+
+tests:
+
+lint:
+        lint -DLINT $(INCLUDES) $(SRC)>fluff
+
+depend:
+        $(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+
+dclean:
+        $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
+        mv -f Makefile.new $(MAKEFILE)
+
+clean:
+        rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
+
+# DO NOT DELETE THIS LINE -- make depend depends on it.
+
+aes_cbc.o: ../../include/openssl/aes.h ../../include/openssl/e_os2.h
+aes_cbc.o: ../../include/openssl/opensslconf.h aes_cbc.c aes_locl.h
+aes_cfb.o: ../../include/openssl/aes.h ../../include/openssl/e_os2.h
+aes_cfb.o: ../../include/openssl/opensslconf.h aes_cfb.c aes_locl.h
+aes_core.o: ../../include/openssl/aes.h ../../include/openssl/e_os2.h
+aes_core.o: ../../include/openssl/opensslconf.h aes_core.c aes_locl.h
+aes_ctr.o: ../../include/openssl/aes.h ../../include/openssl/e_os2.h
+aes_ctr.o: ../../include/openssl/opensslconf.h aes_ctr.c aes_locl.h
+aes_ecb.o: ../../include/openssl/aes.h ../../include/openssl/e_os2.h
+aes_ecb.o: ../../include/openssl/opensslconf.h aes_ecb.c aes_locl.h
+aes_misc.o: ../../include/openssl/aes.h ../../include/openssl/e_os2.h
+aes_misc.o: ../../include/openssl/opensslconf.h
+aes_misc.o: ../../include/openssl/opensslv.h aes_locl.h aes_misc.c
+aes_ofb.o: ../../include/openssl/aes.h ../../include/openssl/e_os2.h
+aes_ofb.o: ../../include/openssl/opensslconf.h aes_locl.h aes_ofb.c
diff --git a/src/lib/libcrypto/aes/README b/src/lib/libcrypto/aes/README
new file mode 100644
index 0000000000..0f9620a80e
--- /dev/null
+++ b/src/lib/libcrypto/aes/README
@@ -0,0 +1,3 @@
+This is an OpenSSL-compatible version of AES (also called Rijndael).
+aes_core.c is basically the same as rijndael-alg-fst.c but with an
+API that looks like the rest of the OpenSSL symmetric cipher suite.
diff --git a/src/lib/libcrypto/aes/aes.h b/src/lib/libcrypto/aes/aes.h
new file mode 100644
index 0000000000..e8da921ec5
--- /dev/null
+++ b/src/lib/libcrypto/aes/aes.h
@@ -0,0 +1,109 @@
+/* crypto/aes/aes.h -*- mode:C; c-file-style: "eay" -*- */
+/* ====================================================================
+ * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ */
+
+#ifndef HEADER_AES_H
+#define HEADER_AES_H
+
+#ifdef OPENSSL_NO_AES
+#error AES is disabled.
+#endif
+
+static const int AES_DECRYPT = 0;
+static const int AES_ENCRYPT = 1;
+/* Because array size can't be a const in C, the following two are macros.
+   Both sizes are in bytes. */
+#define AES_MAXNR 14
+#define AES_BLOCK_SIZE 16
+
+#ifdef  __cplusplus
+extern "C" {
+#endif
+
+/* This should be a hidden type, but EVP requires that the size be known */
+struct aes_key_st {
+    unsigned long rd_key[4 *(AES_MAXNR + 1)];
+    int rounds;
+};
+typedef struct aes_key_st AES_KEY;
+
+const char *AES_options(void);
+
+int AES_set_encrypt_key(const unsigned char *userKey, const int bits,
+        AES_KEY *key);
+int AES_set_decrypt_key(const unsigned char *userKey, const int bits,
+        AES_KEY *key);
+
+void AES_encrypt(const unsigned char *in, unsigned char *out,
+        const AES_KEY *key);
+void AES_decrypt(const unsigned char *in, unsigned char *out,
+        const AES_KEY *key);
+
+void AES_ecb_encrypt(const unsigned char *in, unsigned char *out,
+        const AES_KEY *key, const int enc);
+void AES_cbc_encrypt(const unsigned char *in, unsigned char *out,
+        const unsigned long length, const AES_KEY *key,
+        unsigned char *ivec, const int enc);
+void AES_cfb128_encrypt(const unsigned char *in, unsigned char *out,
+        const unsigned long length, const AES_KEY *key,
+        unsigned char *ivec, int *num, const int enc);
+void AES_ofb128_encrypt(const unsigned char *in, unsigned char *out,
+        const unsigned long length, const AES_KEY *key,
+        unsigned char *ivec, int *num);
+void AES_ctr128_encrypt(const unsigned char *in, unsigned char *out,
+        const unsigned long length, const AES_KEY *key,
+        unsigned char *counter, unsigned int *num);
+
+
+#ifdef  __cplusplus
+}
+#endif
+
+#endif /* !HEADER_AES_H */
diff --git a/src/lib/libcrypto/aes/aes_cbc.c b/src/lib/libcrypto/aes/aes_cbc.c
new file mode 100644
index 0000000000..3dfd7aba2a
--- /dev/null
+++ b/src/lib/libcrypto/aes/aes_cbc.c
@@ -0,0 +1,89 @@
+/* crypto/aes/aes_cbc.c -*- mode:C; c-file-style: "eay" -*- */
+/* ====================================================================
+ * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ */
+
+#include <assert.h>
+#include <openssl/aes.h>
+#include "aes_locl.h"
+
+void AES_cbc_encrypt(const unsigned char *in, unsigned char *out,
+                     const unsigned long length, const AES_KEY *key,
+                     unsigned char *ivec, const int enc) {
+
+        int n;
+        unsigned long len = length;
+        unsigned char tmp[16];
+
+        assert(in && out && key && ivec);
+        assert(length % AES_BLOCK_SIZE == 0);
+        assert((AES_ENCRYPT == enc)||(AES_DECRYPT == enc));
+
+        if (AES_ENCRYPT == enc)
+                while (len > 0) {
+                        for(n=0; n < 16; ++n)
+                                tmp[n] = in[n] ^ ivec[n];
+                        AES_encrypt(tmp, out, key);
+                        memcpy(ivec, out, 16);
+                        len -= 16;
+                        in += 16;
+                        out += 16;
+                }
+        else
+                while (len > 0) {
+                        memcpy(tmp, in, 16);
+                        AES_decrypt(in, out, key);
+                        for(n=0; n < 16; ++n)
+                                out[n] ^= ivec[n];
+                        memcpy(ivec, tmp, 16);
+                        len -= 16;
+                        in += 16;
+                        out += 16;
+                }
+}
diff --git a/src/lib/libcrypto/aes/aes_cfb.c b/src/lib/libcrypto/aes/aes_cfb.c
new file mode 100644
index 0000000000..9b2917298a
--- /dev/null
+++ b/src/lib/libcrypto/aes/aes_cfb.c
@@ -0,0 +1,151 @@
+/* crypto/aes/aes_cfb.c -*- mode:C; c-file-style: "eay" -*- */
+/* ====================================================================
+ * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <assert.h>
+#include <openssl/aes.h>
+#include "aes_locl.h"
+
+/* The input and output encrypted as though 128bit cfb mode is being
+ * used.  The extra state information to record how much of the
+ * 128bit block we have used is contained in *num;
+ */
+
+void AES_cfb128_encrypt(const unsigned char *in, unsigned char *out,
+        const unsigned long length, const AES_KEY *key,
+        unsigned char *ivec, int *num, const int enc) {
+
+        unsigned int n;
+        unsigned long l = length;
+        unsigned char c;
+
+        assert(in && out && key && ivec && num);
+
+        n = *num;
+
+        if (enc) {
+                while (l--) {
+                        if (n == 0) {
+                                AES_encrypt(ivec, ivec, key);
+                        }
+                        ivec[n] = *(out++) = *(in++) ^ ivec[n];
+                        n = (n+1) % AES_BLOCK_SIZE;
+                }
+        } else {
+                while (l--) {
+                        if (n == 0) {
+                                AES_decrypt(ivec, ivec, key);
+                        }
+                        c = *(in);
+                        *(out++) = *(in++) ^ ivec[n];
+                        ivec[n] = c;
+                        n = (n+1) % AES_BLOCK_SIZE;
+                }
+        }
+
+        *num=n;
+}
+
diff --git a/src/lib/libcrypto/aes/aes_core.c b/src/lib/libcrypto/aes/aes_core.c
new file mode 100644
index 0000000000..937988dd8c
--- /dev/null
+++ b/src/lib/libcrypto/aes/aes_core.c
@@ -0,0 +1,1251 @@
+/* crypto/aes/aes_core.c -*- mode:C; c-file-style: "eay" -*- */
+/**
+ * rijndael-alg-fst.c
+ *
+ * @version 3.0 (December 2000)
+ *
+ * Optimised ANSI C code for the Rijndael cipher (now AES)
+ *
+ * @author Vincent Rijmen <vincent.rijmen@esat.kuleuven.ac.be>
+ * @author Antoon Bosselaers <antoon.bosselaers@esat.kuleuven.ac.be>
+ * @author Paulo Barreto <paulo.barreto@terra.com.br>
+ *
+ * This code is hereby placed in the public domain.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS
+ * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+ * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
+ * EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/* Note: rewritten a little bit to provide error control and an OpenSSL-
+   compatible API */
+
+#include <assert.h>
+#include <stdlib.h>
+#include <openssl/aes.h>
+#include "aes_locl.h"
+
+/*
+Te0[x] = S [x].[02, 01, 01, 03];
+Te1[x] = S [x].[03, 02, 01, 01];
+Te2[x] = S [x].[01, 03, 02, 01];
+Te3[x] = S [x].[01, 01, 03, 02];
+Te4[x] = S [x].[01, 01, 01, 01];
+
+Td0[x] = Si[x].[0e, 09, 0d, 0b];
+Td1[x] = Si[x].[0b, 0e, 09, 0d];
+Td2[x] = Si[x].[0d, 0b, 0e, 09];
+Td3[x] = Si[x].[09, 0d, 0b, 0e];
+Td4[x] = Si[x].[01, 01, 01, 01];
+*/
+
+static const u32 Te0[256] = {
+    0xc66363a5U, 0xf87c7c84U, 0xee777799U, 0xf67b7b8dU,
+    0xfff2f20dU, 0xd66b6bbdU, 0xde6f6fb1U, 0x91c5c554U,
+    0x60303050U, 0x02010103U, 0xce6767a9U, 0x562b2b7dU,
+    0xe7fefe19U, 0xb5d7d762U, 0x4dababe6U, 0xec76769aU,
+    0x8fcaca45U, 0x1f82829dU, 0x89c9c940U, 0xfa7d7d87U,
+    0xeffafa15U, 0xb25959ebU, 0x8e4747c9U, 0xfbf0f00bU,
+    0x41adadecU, 0xb3d4d467U, 0x5fa2a2fdU, 0x45afafeaU,
+    0x239c9cbfU, 0x53a4a4f7U, 0xe4727296U, 0x9bc0c05bU,
+    0x75b7b7c2U, 0xe1fdfd1cU, 0x3d9393aeU, 0x4c26266aU,
+    0x6c36365aU, 0x7e3f3f41U, 0xf5f7f702U, 0x83cccc4fU,
+    0x6834345cU, 0x51a5a5f4U, 0xd1e5e534U, 0xf9f1f108U,
+    0xe2717193U, 0xabd8d873U, 0x62313153U, 0x2a15153fU,
+    0x0804040cU, 0x95c7c752U, 0x46232365U, 0x9dc3c35eU,
+    0x30181828U, 0x379696a1U, 0x0a05050fU, 0x2f9a9ab5U,
+    0x0e070709U, 0x24121236U, 0x1b80809bU, 0xdfe2e23dU,
+    0xcdebeb26U, 0x4e272769U, 0x7fb2b2cdU, 0xea75759fU,
+    0x1209091bU, 0x1d83839eU, 0x582c2c74U, 0x341a1a2eU,
+    0x361b1b2dU, 0xdc6e6eb2U, 0xb45a5aeeU, 0x5ba0a0fbU,
+    0xa45252f6U, 0x763b3b4dU, 0xb7d6d661U, 0x7db3b3ceU,
+    0x5229297bU, 0xdde3e33eU, 0x5e2f2f71U, 0x13848497U,
+    0xa65353f5U, 0xb9d1d168U, 0x00000000U, 0xc1eded2cU,
+    0x40202060U, 0xe3fcfc1fU, 0x79b1b1c8U, 0xb65b5bedU,
+    0xd46a6abeU, 0x8dcbcb46U, 0x67bebed9U, 0x7239394bU,
+    0x944a4adeU, 0x984c4cd4U, 0xb05858e8U, 0x85cfcf4aU,
+    0xbbd0d06bU, 0xc5efef2aU, 0x4faaaae5U, 0xedfbfb16U,
+    0x864343c5U, 0x9a4d4dd7U, 0x66333355U, 0x11858594U,
+    0x8a4545cfU, 0xe9f9f910U, 0x04020206U, 0xfe7f7f81U,
+    0xa05050f0U, 0x783c3c44U, 0x259f9fbaU, 0x4ba8a8e3U,
+    0xa25151f3U, 0x5da3a3feU, 0x804040c0U, 0x058f8f8aU,
+    0x3f9292adU, 0x219d9dbcU, 0x70383848U, 0xf1f5f504U,
+    0x63bcbcdfU, 0x77b6b6c1U, 0xafdada75U, 0x42212163U,
+    0x20101030U, 0xe5ffff1aU, 0xfdf3f30eU, 0xbfd2d26dU,
+    0x81cdcd4cU, 0x180c0c14U, 0x26131335U, 0xc3ecec2fU,
+    0xbe5f5fe1U, 0x359797a2U, 0x884444ccU, 0x2e171739U,
+    0x93c4c457U, 0x55a7a7f2U, 0xfc7e7e82U, 0x7a3d3d47U,
+    0xc86464acU, 0xba5d5de7U, 0x3219192bU, 0xe6737395U,
+    0xc06060a0U, 0x19818198U, 0x9e4f4fd1U, 0xa3dcdc7fU,
+    0x44222266U, 0x542a2a7eU, 0x3b9090abU, 0x0b888883U,
+    0x8c4646caU, 0xc7eeee29U, 0x6bb8b8d3U, 0x2814143cU,
+    0xa7dede79U, 0xbc5e5ee2U, 0x160b0b1dU, 0xaddbdb76U,
+    0xdbe0e03bU, 0x64323256U, 0x743a3a4eU, 0x140a0a1eU,
+    0x924949dbU, 0x0c06060aU, 0x4824246cU, 0xb85c5ce4U,
+    0x9fc2c25dU, 0xbdd3d36eU, 0x43acacefU, 0xc46262a6U,
+    0x399191a8U, 0x319595a4U, 0xd3e4e437U, 0xf279798bU,
+    0xd5e7e732U, 0x8bc8c843U, 0x6e373759U, 0xda6d6db7U,
+    0x018d8d8cU, 0xb1d5d564U, 0x9c4e4ed2U, 0x49a9a9e0U,
+    0xd86c6cb4U, 0xac5656faU, 0xf3f4f407U, 0xcfeaea25U,
+    0xca6565afU, 0xf47a7a8eU, 0x47aeaee9U, 0x10080818U,
+    0x6fbabad5U, 0xf0787888U, 0x4a25256fU, 0x5c2e2e72U,
+    0x381c1c24U, 0x57a6a6f1U, 0x73b4b4c7U, 0x97c6c651U,
+    0xcbe8e823U, 0xa1dddd7cU, 0xe874749cU, 0x3e1f1f21U,
+    0x964b4bddU, 0x61bdbddcU, 0x0d8b8b86U, 0x0f8a8a85U,
+    0xe0707090U, 0x7c3e3e42U, 0x71b5b5c4U, 0xcc6666aaU,
+    0x904848d8U, 0x06030305U, 0xf7f6f601U, 0x1c0e0e12U,
+    0xc26161a3U, 0x6a35355fU, 0xae5757f9U, 0x69b9b9d0U,
+    0x17868691U, 0x99c1c158U, 0x3a1d1d27U, 0x279e9eb9U,
+    0xd9e1e138U, 0xebf8f813U, 0x2b9898b3U, 0x22111133U,
+    0xd26969bbU, 0xa9d9d970U, 0x078e8e89U, 0x339494a7U,
+    0x2d9b9bb6U, 0x3c1e1e22U, 0x15878792U, 0xc9e9e920U,
+    0x87cece49U, 0xaa5555ffU, 0x50282878U, 0xa5dfdf7aU,
+    0x038c8c8fU, 0x59a1a1f8U, 0x09898980U, 0x1a0d0d17U,
+    0x65bfbfdaU, 0xd7e6e631U, 0x844242c6U, 0xd06868b8U,
+    0x824141c3U, 0x299999b0U, 0x5a2d2d77U, 0x1e0f0f11U,
+    0x7bb0b0cbU, 0xa85454fcU, 0x6dbbbbd6U, 0x2c16163aU,
+};
+static const u32 Te1[256] = {
+    0xa5c66363U, 0x84f87c7cU, 0x99ee7777U, 0x8df67b7bU,
+    0x0dfff2f2U, 0xbdd66b6bU, 0xb1de6f6fU, 0x5491c5c5U,
+    0x50603030U, 0x03020101U, 0xa9ce6767U, 0x7d562b2bU,
+    0x19e7fefeU, 0x62b5d7d7U, 0xe64dababU, 0x9aec7676U,
+    0x458fcacaU, 0x9d1f8282U, 0x4089c9c9U, 0x87fa7d7dU,
+    0x15effafaU, 0xebb25959U, 0xc98e4747U, 0x0bfbf0f0U,
+    0xec41adadU, 0x67b3d4d4U, 0xfd5fa2a2U, 0xea45afafU,
+    0xbf239c9cU, 0xf753a4a4U, 0x96e47272U, 0x5b9bc0c0U,
+    0xc275b7b7U, 0x1ce1fdfdU, 0xae3d9393U, 0x6a4c2626U,
+    0x5a6c3636U, 0x417e3f3fU, 0x02f5f7f7U, 0x4f83ccccU,
+    0x5c683434U, 0xf451a5a5U, 0x34d1e5e5U, 0x08f9f1f1U,
+    0x93e27171U, 0x73abd8d8U, 0x53623131U, 0x3f2a1515U,
+    0x0c080404U, 0x5295c7c7U, 0x65462323U, 0x5e9dc3c3U,
+    0x28301818U, 0xa1379696U, 0x0f0a0505U, 0xb52f9a9aU,
+    0x090e0707U, 0x36241212U, 0x9b1b8080U, 0x3ddfe2e2U,
+    0x26cdebebU, 0x694e2727U, 0xcd7fb2b2U, 0x9fea7575U,
+    0x1b120909U, 0x9e1d8383U, 0x74582c2cU, 0x2e341a1aU,
+    0x2d361b1bU, 0xb2dc6e6eU, 0xeeb45a5aU, 0xfb5ba0a0U,
+    0xf6a45252U, 0x4d763b3bU, 0x61b7d6d6U, 0xce7db3b3U,
+    0x7b522929U, 0x3edde3e3U, 0x715e2f2fU, 0x97138484U,
+    0xf5a65353U, 0x68b9d1d1U, 0x00000000U, 0x2cc1ededU,
+    0x60402020U, 0x1fe3fcfcU, 0xc879b1b1U, 0xedb65b5bU,
+    0xbed46a6aU, 0x468dcbcbU, 0xd967bebeU, 0x4b723939U,
+    0xde944a4aU, 0xd4984c4cU, 0xe8b05858U, 0x4a85cfcfU,
+    0x6bbbd0d0U, 0x2ac5efefU, 0xe54faaaaU, 0x16edfbfbU,
+    0xc5864343U, 0xd79a4d4dU, 0x55663333U, 0x94118585U,
+    0xcf8a4545U, 0x10e9f9f9U, 0x06040202U, 0x81fe7f7fU,
+    0xf0a05050U, 0x44783c3cU, 0xba259f9fU, 0xe34ba8a8U,
+    0xf3a25151U, 0xfe5da3a3U, 0xc0804040U, 0x8a058f8fU,
+    0xad3f9292U, 0xbc219d9dU, 0x48703838U, 0x04f1f5f5U,
+    0xdf63bcbcU, 0xc177b6b6U, 0x75afdadaU, 0x63422121U,
+    0x30201010U, 0x1ae5ffffU, 0x0efdf3f3U, 0x6dbfd2d2U,
+    0x4c81cdcdU, 0x14180c0cU, 0x35261313U, 0x2fc3ececU,
+    0xe1be5f5fU, 0xa2359797U, 0xcc884444U, 0x392e1717U,
+    0x5793c4c4U, 0xf255a7a7U, 0x82fc7e7eU, 0x477a3d3dU,
+    0xacc86464U, 0xe7ba5d5dU, 0x2b321919U, 0x95e67373U,
+    0xa0c06060U, 0x98198181U, 0xd19e4f4fU, 0x7fa3dcdcU,
+    0x66442222U, 0x7e542a2aU, 0xab3b9090U, 0x830b8888U,
+    0xca8c4646U, 0x29c7eeeeU, 0xd36bb8b8U, 0x3c281414U,
+    0x79a7dedeU, 0xe2bc5e5eU, 0x1d160b0bU, 0x76addbdbU,
+    0x3bdbe0e0U, 0x56643232U, 0x4e743a3aU, 0x1e140a0aU,
+    0xdb924949U, 0x0a0c0606U, 0x6c482424U, 0xe4b85c5cU,
+    0x5d9fc2c2U, 0x6ebdd3d3U, 0xef43acacU, 0xa6c46262U,
+    0xa8399191U, 0xa4319595U, 0x37d3e4e4U, 0x8bf27979U,
+    0x32d5e7e7U, 0x438bc8c8U, 0x596e3737U, 0xb7da6d6dU,
+    0x8c018d8dU, 0x64b1d5d5U, 0xd29c4e4eU, 0xe049a9a9U,
+    0xb4d86c6cU, 0xfaac5656U, 0x07f3f4f4U, 0x25cfeaeaU,
+    0xafca6565U, 0x8ef47a7aU, 0xe947aeaeU, 0x18100808U,
+    0xd56fbabaU, 0x88f07878U, 0x6f4a2525U, 0x725c2e2eU,
+    0x24381c1cU, 0xf157a6a6U, 0xc773b4b4U, 0x5197c6c6U,
+    0x23cbe8e8U, 0x7ca1ddddU, 0x9ce87474U, 0x213e1f1fU,
+    0xdd964b4bU, 0xdc61bdbdU, 0x860d8b8bU, 0x850f8a8aU,
+    0x90e07070U, 0x427c3e3eU, 0xc471b5b5U, 0xaacc6666U,
+    0xd8904848U, 0x05060303U, 0x01f7f6f6U, 0x121c0e0eU,
+    0xa3c26161U, 0x5f6a3535U, 0xf9ae5757U, 0xd069b9b9U,
+    0x91178686U, 0x5899c1c1U, 0x273a1d1dU, 0xb9279e9eU,
+    0x38d9e1e1U, 0x13ebf8f8U, 0xb32b9898U, 0x33221111U,
+    0xbbd26969U, 0x70a9d9d9U, 0x89078e8eU, 0xa7339494U,
+    0xb62d9b9bU, 0x223c1e1eU, 0x92158787U, 0x20c9e9e9U,
+    0x4987ceceU, 0xffaa5555U, 0x78502828U, 0x7aa5dfdfU,
+    0x8f038c8cU, 0xf859a1a1U, 0x80098989U, 0x171a0d0dU,
+    0xda65bfbfU, 0x31d7e6e6U, 0xc6844242U, 0xb8d06868U,
+    0xc3824141U, 0xb0299999U, 0x775a2d2dU, 0x111e0f0fU,
+    0xcb7bb0b0U, 0xfca85454U, 0xd66dbbbbU, 0x3a2c1616U,
+};
+static const u32 Te2[256] = {
+    0x63a5c663U, 0x7c84f87cU, 0x7799ee77U, 0x7b8df67bU,
+    0xf20dfff2U, 0x6bbdd66bU, 0x6fb1de6fU, 0xc55491c5U,
+    0x30506030U, 0x01030201U, 0x67a9ce67U, 0x2b7d562bU,
+    0xfe19e7feU, 0xd762b5d7U, 0xabe64dabU, 0x769aec76U,
+    0xca458fcaU, 0x829d1f82U, 0xc94089c9U, 0x7d87fa7dU,
+    0xfa15effaU, 0x59ebb259U, 0x47c98e47U, 0xf00bfbf0U,
+    0xadec41adU, 0xd467b3d4U, 0xa2fd5fa2U, 0xafea45afU,
+    0x9cbf239cU, 0xa4f753a4U, 0x7296e472U, 0xc05b9bc0U,
+    0xb7c275b7U, 0xfd1ce1fdU, 0x93ae3d93U, 0x266a4c26U,
+    0x365a6c36U, 0x3f417e3fU, 0xf702f5f7U, 0xcc4f83ccU,
+    0x345c6834U, 0xa5f451a5U, 0xe534d1e5U, 0xf108f9f1U,
+    0x7193e271U, 0xd873abd8U, 0x31536231U, 0x153f2a15U,
+    0x040c0804U, 0xc75295c7U, 0x23654623U, 0xc35e9dc3U,
+    0x18283018U, 0x96a13796U, 0x050f0a05U, 0x9ab52f9aU,
+    0x07090e07U, 0x12362412U, 0x809b1b80U, 0xe23ddfe2U,
+    0xeb26cdebU, 0x27694e27U, 0xb2cd7fb2U, 0x759fea75U,
+    0x091b1209U, 0x839e1d83U, 0x2c74582cU, 0x1a2e341aU,
+    0x1b2d361bU, 0x6eb2dc6eU, 0x5aeeb45aU, 0xa0fb5ba0U,
+    0x52f6a452U, 0x3b4d763bU, 0xd661b7d6U, 0xb3ce7db3U,
+    0x297b5229U, 0xe33edde3U, 0x2f715e2fU, 0x84971384U,
+    0x53f5a653U, 0xd168b9d1U, 0x00000000U, 0xed2cc1edU,
+    0x20604020U, 0xfc1fe3fcU, 0xb1c879b1U, 0x5bedb65bU,
+    0x6abed46aU, 0xcb468dcbU, 0xbed967beU, 0x394b7239U,
+    0x4ade944aU, 0x4cd4984cU, 0x58e8b058U, 0xcf4a85cfU,
+    0xd06bbbd0U, 0xef2ac5efU, 0xaae54faaU, 0xfb16edfbU,
+    0x43c58643U, 0x4dd79a4dU, 0x33556633U, 0x85941185U,
+    0x45cf8a45U, 0xf910e9f9U, 0x02060402U, 0x7f81fe7fU,
+    0x50f0a050U, 0x3c44783cU, 0x9fba259fU, 0xa8e34ba8U,
+    0x51f3a251U, 0xa3fe5da3U, 0x40c08040U, 0x8f8a058fU,
+    0x92ad3f92U, 0x9dbc219dU, 0x38487038U, 0xf504f1f5U,
+    0xbcdf63bcU, 0xb6c177b6U, 0xda75afdaU, 0x21634221U,
+    0x10302010U, 0xff1ae5ffU, 0xf30efdf3U, 0xd26dbfd2U,
+    0xcd4c81cdU, 0x0c14180cU, 0x13352613U, 0xec2fc3ecU,
+    0x5fe1be5fU, 0x97a23597U, 0x44cc8844U, 0x17392e17U,
+    0xc45793c4U, 0xa7f255a7U, 0x7e82fc7eU, 0x3d477a3dU,
+    0x64acc864U, 0x5de7ba5dU, 0x192b3219U, 0x7395e673U,
+    0x60a0c060U, 0x81981981U, 0x4fd19e4fU, 0xdc7fa3dcU,
+    0x22664422U, 0x2a7e542aU, 0x90ab3b90U, 0x88830b88U,
+    0x46ca8c46U, 0xee29c7eeU, 0xb8d36bb8U, 0x143c2814U,
+    0xde79a7deU, 0x5ee2bc5eU, 0x0b1d160bU, 0xdb76addbU,
+    0xe03bdbe0U, 0x32566432U, 0x3a4e743aU, 0x0a1e140aU,
+    0x49db9249U, 0x060a0c06U, 0x246c4824U, 0x5ce4b85cU,
+    0xc25d9fc2U, 0xd36ebdd3U, 0xacef43acU, 0x62a6c462U,
+    0x91a83991U, 0x95a43195U, 0xe437d3e4U, 0x798bf279U,
+    0xe732d5e7U, 0xc8438bc8U, 0x37596e37U, 0x6db7da6dU,
+    0x8d8c018dU, 0xd564b1d5U, 0x4ed29c4eU, 0xa9e049a9U,
+    0x6cb4d86cU, 0x56faac56U, 0xf407f3f4U, 0xea25cfeaU,
+    0x65afca65U, 0x7a8ef47aU, 0xaee947aeU, 0x08181008U,
+    0xbad56fbaU, 0x7888f078U, 0x256f4a25U, 0x2e725c2eU,
+    0x1c24381cU, 0xa6f157a6U, 0xb4c773b4U, 0xc65197c6U,
+    0xe823cbe8U, 0xdd7ca1ddU, 0x749ce874U, 0x1f213e1fU,
+    0x4bdd964bU, 0xbddc61bdU, 0x8b860d8bU, 0x8a850f8aU,
+    0x7090e070U, 0x3e427c3eU, 0xb5c471b5U, 0x66aacc66U,
+    0x48d89048U, 0x03050603U, 0xf601f7f6U, 0x0e121c0eU,
+    0x61a3c261U, 0x355f6a35U, 0x57f9ae57U, 0xb9d069b9U,
+    0x86911786U, 0xc15899c1U, 0x1d273a1dU, 0x9eb9279eU,
+    0xe138d9e1U, 0xf813ebf8U, 0x98b32b98U, 0x11332211U,
+    0x69bbd269U, 0xd970a9d9U, 0x8e89078eU, 0x94a73394U,
+    0x9bb62d9bU, 0x1e223c1eU, 0x87921587U, 0xe920c9e9U,
+    0xce4987ceU, 0x55ffaa55U, 0x28785028U, 0xdf7aa5dfU,
+    0x8c8f038cU, 0xa1f859a1U, 0x89800989U, 0x0d171a0dU,
+    0xbfda65bfU, 0xe631d7e6U, 0x42c68442U, 0x68b8d068U,
+    0x41c38241U, 0x99b02999U, 0x2d775a2dU, 0x0f111e0fU,
+    0xb0cb7bb0U, 0x54fca854U, 0xbbd66dbbU, 0x163a2c16U,
+};
+static const u32 Te3[256] = {
+
+    0x6363a5c6U, 0x7c7c84f8U, 0x777799eeU, 0x7b7b8df6U,
+    0xf2f20dffU, 0x6b6bbdd6U, 0x6f6fb1deU, 0xc5c55491U,
+    0x30305060U, 0x01010302U, 0x6767a9ceU, 0x2b2b7d56U,
+    0xfefe19e7U, 0xd7d762b5U, 0xababe64dU, 0x76769aecU,
+    0xcaca458fU, 0x82829d1fU, 0xc9c94089U, 0x7d7d87faU,
+    0xfafa15efU, 0x5959ebb2U, 0x4747c98eU, 0xf0f00bfbU,
+    0xadadec41U, 0xd4d467b3U, 0xa2a2fd5fU, 0xafafea45U,
+    0x9c9cbf23U, 0xa4a4f753U, 0x727296e4U, 0xc0c05b9bU,
+    0xb7b7c275U, 0xfdfd1ce1U, 0x9393ae3dU, 0x26266a4cU,
+    0x36365a6cU, 0x3f3f417eU, 0xf7f702f5U, 0xcccc4f83U,
+    0x34345c68U, 0xa5a5f451U, 0xe5e534d1U, 0xf1f108f9U,
+    0x717193e2U, 0xd8d873abU, 0x31315362U, 0x15153f2aU,
+    0x04040c08U, 0xc7c75295U, 0x23236546U, 0xc3c35e9dU,
+    0x18182830U, 0x9696a137U, 0x05050f0aU, 0x9a9ab52fU,
+    0x0707090eU, 0x12123624U, 0x80809b1bU, 0xe2e23ddfU,
+    0xebeb26cdU, 0x2727694eU, 0xb2b2cd7fU, 0x75759feaU,
+    0x09091b12U, 0x83839e1dU, 0x2c2c7458U, 0x1a1a2e34U,
+    0x1b1b2d36U, 0x6e6eb2dcU, 0x5a5aeeb4U, 0xa0a0fb5bU,
+    0x5252f6a4U, 0x3b3b4d76U, 0xd6d661b7U, 0xb3b3ce7dU,
+    0x29297b52U, 0xe3e33eddU, 0x2f2f715eU, 0x84849713U,
+    0x5353f5a6U, 0xd1d168b9U, 0x00000000U, 0xeded2cc1U,
+    0x20206040U, 0xfcfc1fe3U, 0xb1b1c879U, 0x5b5bedb6U,
+    0x6a6abed4U, 0xcbcb468dU, 0xbebed967U, 0x39394b72U,
+    0x4a4ade94U, 0x4c4cd498U, 0x5858e8b0U, 0xcfcf4a85U,
+    0xd0d06bbbU, 0xefef2ac5U, 0xaaaae54fU, 0xfbfb16edU,
+    0x4343c586U, 0x4d4dd79aU, 0x33335566U, 0x85859411U,
+    0x4545cf8aU, 0xf9f910e9U, 0x02020604U, 0x7f7f81feU,
+    0x5050f0a0U, 0x3c3c4478U, 0x9f9fba25U, 0xa8a8e34bU,
+    0x5151f3a2U, 0xa3a3fe5dU, 0x4040c080U, 0x8f8f8a05U,
+    0x9292ad3fU, 0x9d9dbc21U, 0x38384870U, 0xf5f504f1U,
+    0xbcbcdf63U, 0xb6b6c177U, 0xdada75afU, 0x21216342U,
+    0x10103020U, 0xffff1ae5U, 0xf3f30efdU, 0xd2d26dbfU,
+    0xcdcd4c81U, 0x0c0c1418U, 0x13133526U, 0xecec2fc3U,
+    0x5f5fe1beU, 0x9797a235U, 0x4444cc88U, 0x1717392eU,
+    0xc4c45793U, 0xa7a7f255U, 0x7e7e82fcU, 0x3d3d477aU,
+    0x6464acc8U, 0x5d5de7baU, 0x19192b32U, 0x737395e6U,
+    0x6060a0c0U, 0x81819819U, 0x4f4fd19eU, 0xdcdc7fa3U,
+    0x22226644U, 0x2a2a7e54U, 0x9090ab3bU, 0x8888830bU,
+    0x4646ca8cU, 0xeeee29c7U, 0xb8b8d36bU, 0x14143c28U,
+    0xdede79a7U, 0x5e5ee2bcU, 0x0b0b1d16U, 0xdbdb76adU,
+    0xe0e03bdbU, 0x32325664U, 0x3a3a4e74U, 0x0a0a1e14U,
+    0x4949db92U, 0x06060a0cU, 0x24246c48U, 0x5c5ce4b8U,
+    0xc2c25d9fU, 0xd3d36ebdU, 0xacacef43U, 0x6262a6c4U,
+    0x9191a839U, 0x9595a431U, 0xe4e437d3U, 0x79798bf2U,
+    0xe7e732d5U, 0xc8c8438bU, 0x3737596eU, 0x6d6db7daU,
+    0x8d8d8c01U, 0xd5d564b1U, 0x4e4ed29cU, 0xa9a9e049U,
+    0x6c6cb4d8U, 0x5656faacU, 0xf4f407f3U, 0xeaea25cfU,
+    0x6565afcaU, 0x7a7a8ef4U, 0xaeaee947U, 0x08081810U,
+    0xbabad56fU, 0x787888f0U, 0x25256f4aU, 0x2e2e725cU,
+    0x1c1c2438U, 0xa6a6f157U, 0xb4b4c773U, 0xc6c65197U,
+    0xe8e823cbU, 0xdddd7ca1U, 0x74749ce8U, 0x1f1f213eU,
+    0x4b4bdd96U, 0xbdbddc61U, 0x8b8b860dU, 0x8a8a850fU,
+    0x707090e0U, 0x3e3e427cU, 0xb5b5c471U, 0x6666aaccU,
+    0x4848d890U, 0x03030506U, 0xf6f601f7U, 0x0e0e121cU,
+    0x6161a3c2U, 0x35355f6aU, 0x5757f9aeU, 0xb9b9d069U,
+    0x86869117U, 0xc1c15899U, 0x1d1d273aU, 0x9e9eb927U,
+    0xe1e138d9U, 0xf8f813ebU, 0x9898b32bU, 0x11113322U,
+    0x6969bbd2U, 0xd9d970a9U, 0x8e8e8907U, 0x9494a733U,
+    0x9b9bb62dU, 0x1e1e223cU, 0x87879215U, 0xe9e920c9U,
+    0xcece4987U, 0x5555ffaaU, 0x28287850U, 0xdfdf7aa5U,
+    0x8c8c8f03U, 0xa1a1f859U, 0x89898009U, 0x0d0d171aU,
+    0xbfbfda65U, 0xe6e631d7U, 0x4242c684U, 0x6868b8d0U,
+    0x4141c382U, 0x9999b029U, 0x2d2d775aU, 0x0f0f111eU,
+    0xb0b0cb7bU, 0x5454fca8U, 0xbbbbd66dU, 0x16163a2cU,
+};
+static const u32 Te4[256] = {
+    0x63636363U, 0x7c7c7c7cU, 0x77777777U, 0x7b7b7b7bU,
+    0xf2f2f2f2U, 0x6b6b6b6bU, 0x6f6f6f6fU, 0xc5c5c5c5U,
+    0x30303030U, 0x01010101U, 0x67676767U, 0x2b2b2b2bU,
+    0xfefefefeU, 0xd7d7d7d7U, 0xababababU, 0x76767676U,
+    0xcacacacaU, 0x82828282U, 0xc9c9c9c9U, 0x7d7d7d7dU,
+    0xfafafafaU, 0x59595959U, 0x47474747U, 0xf0f0f0f0U,
+    0xadadadadU, 0xd4d4d4d4U, 0xa2a2a2a2U, 0xafafafafU,
+    0x9c9c9c9cU, 0xa4a4a4a4U, 0x72727272U, 0xc0c0c0c0U,
+    0xb7b7b7b7U, 0xfdfdfdfdU, 0x93939393U, 0x26262626U,
+    0x36363636U, 0x3f3f3f3fU, 0xf7f7f7f7U, 0xccccccccU,
+    0x34343434U, 0xa5a5a5a5U, 0xe5e5e5e5U, 0xf1f1f1f1U,
+    0x71717171U, 0xd8d8d8d8U, 0x31313131U, 0x15151515U,
+    0x04040404U, 0xc7c7c7c7U, 0x23232323U, 0xc3c3c3c3U,
+    0x18181818U, 0x96969696U, 0x05050505U, 0x9a9a9a9aU,
+    0x07070707U, 0x12121212U, 0x80808080U, 0xe2e2e2e2U,
+    0xebebebebU, 0x27272727U, 0xb2b2b2b2U, 0x75757575U,
+    0x09090909U, 0x83838383U, 0x2c2c2c2cU, 0x1a1a1a1aU,
+    0x1b1b1b1bU, 0x6e6e6e6eU, 0x5a5a5a5aU, 0xa0a0a0a0U,
+    0x52525252U, 0x3b3b3b3bU, 0xd6d6d6d6U, 0xb3b3b3b3U,
+    0x29292929U, 0xe3e3e3e3U, 0x2f2f2f2fU, 0x84848484U,
+    0x53535353U, 0xd1d1d1d1U, 0x00000000U, 0xededededU,
+    0x20202020U, 0xfcfcfcfcU, 0xb1b1b1b1U, 0x5b5b5b5bU,
+    0x6a6a6a6aU, 0xcbcbcbcbU, 0xbebebebeU, 0x39393939U,
+    0x4a4a4a4aU, 0x4c4c4c4cU, 0x58585858U, 0xcfcfcfcfU,
+    0xd0d0d0d0U, 0xefefefefU, 0xaaaaaaaaU, 0xfbfbfbfbU,
+    0x43434343U, 0x4d4d4d4dU, 0x33333333U, 0x85858585U,
+    0x45454545U, 0xf9f9f9f9U, 0x02020202U, 0x7f7f7f7fU,
+    0x50505050U, 0x3c3c3c3cU, 0x9f9f9f9fU, 0xa8a8a8a8U,
+    0x51515151U, 0xa3a3a3a3U, 0x40404040U, 0x8f8f8f8fU,
+    0x92929292U, 0x9d9d9d9dU, 0x38383838U, 0xf5f5f5f5U,
+    0xbcbcbcbcU, 0xb6b6b6b6U, 0xdadadadaU, 0x21212121U,
+    0x10101010U, 0xffffffffU, 0xf3f3f3f3U, 0xd2d2d2d2U,
+    0xcdcdcdcdU, 0x0c0c0c0cU, 0x13131313U, 0xececececU,
+    0x5f5f5f5fU, 0x97979797U, 0x44444444U, 0x17171717U,
+    0xc4c4c4c4U, 0xa7a7a7a7U, 0x7e7e7e7eU, 0x3d3d3d3dU,
+    0x64646464U, 0x5d5d5d5dU, 0x19191919U, 0x73737373U,
+    0x60606060U, 0x81818181U, 0x4f4f4f4fU, 0xdcdcdcdcU,
+    0x22222222U, 0x2a2a2a2aU, 0x90909090U, 0x88888888U,
+    0x46464646U, 0xeeeeeeeeU, 0xb8b8b8b8U, 0x14141414U,
+    0xdedededeU, 0x5e5e5e5eU, 0x0b0b0b0bU, 0xdbdbdbdbU,
+    0xe0e0e0e0U, 0x32323232U, 0x3a3a3a3aU, 0x0a0a0a0aU,
+    0x49494949U, 0x06060606U, 0x24242424U, 0x5c5c5c5cU,
+    0xc2c2c2c2U, 0xd3d3d3d3U, 0xacacacacU, 0x62626262U,
+    0x91919191U, 0x95959595U, 0xe4e4e4e4U, 0x79797979U,
+    0xe7e7e7e7U, 0xc8c8c8c8U, 0x37373737U, 0x6d6d6d6dU,
+    0x8d8d8d8dU, 0xd5d5d5d5U, 0x4e4e4e4eU, 0xa9a9a9a9U,
+    0x6c6c6c6cU, 0x56565656U, 0xf4f4f4f4U, 0xeaeaeaeaU,
+    0x65656565U, 0x7a7a7a7aU, 0xaeaeaeaeU, 0x08080808U,
+    0xbabababaU, 0x78787878U, 0x25252525U, 0x2e2e2e2eU,
+    0x1c1c1c1cU, 0xa6a6a6a6U, 0xb4b4b4b4U, 0xc6c6c6c6U,
+    0xe8e8e8e8U, 0xddddddddU, 0x74747474U, 0x1f1f1f1fU,
+    0x4b4b4b4bU, 0xbdbdbdbdU, 0x8b8b8b8bU, 0x8a8a8a8aU,
+    0x70707070U, 0x3e3e3e3eU, 0xb5b5b5b5U, 0x66666666U,
+    0x48484848U, 0x03030303U, 0xf6f6f6f6U, 0x0e0e0e0eU,
+    0x61616161U, 0x35353535U, 0x57575757U, 0xb9b9b9b9U,
+    0x86868686U, 0xc1c1c1c1U, 0x1d1d1d1dU, 0x9e9e9e9eU,
+    0xe1e1e1e1U, 0xf8f8f8f8U, 0x98989898U, 0x11111111U,
+    0x69696969U, 0xd9d9d9d9U, 0x8e8e8e8eU, 0x94949494U,
+    0x9b9b9b9bU, 0x1e1e1e1eU, 0x87878787U, 0xe9e9e9e9U,
+    0xcecececeU, 0x55555555U, 0x28282828U, 0xdfdfdfdfU,
+    0x8c8c8c8cU, 0xa1a1a1a1U, 0x89898989U, 0x0d0d0d0dU,
+    0xbfbfbfbfU, 0xe6e6e6e6U, 0x42424242U, 0x68686868U,
+    0x41414141U, 0x99999999U, 0x2d2d2d2dU, 0x0f0f0f0fU,
+    0xb0b0b0b0U, 0x54545454U, 0xbbbbbbbbU, 0x16161616U,
+};
+static const u32 Td0[256] = {
+    0x51f4a750U, 0x7e416553U, 0x1a17a4c3U, 0x3a275e96U,
+    0x3bab6bcbU, 0x1f9d45f1U, 0xacfa58abU, 0x4be30393U,
+    0x2030fa55U, 0xad766df6U, 0x88cc7691U, 0xf5024c25U,
+    0x4fe5d7fcU, 0xc52acbd7U, 0x26354480U, 0xb562a38fU,
+    0xdeb15a49U, 0x25ba1b67U, 0x45ea0e98U, 0x5dfec0e1U,
+    0xc32f7502U, 0x814cf012U, 0x8d4697a3U, 0x6bd3f9c6U,
+    0x038f5fe7U, 0x15929c95U, 0xbf6d7aebU, 0x955259daU,
+    0xd4be832dU, 0x587421d3U, 0x49e06929U, 0x8ec9c844U,
+    0x75c2896aU, 0xf48e7978U, 0x99583e6bU, 0x27b971ddU,
+    0xbee14fb6U, 0xf088ad17U, 0xc920ac66U, 0x7dce3ab4U,
+    0x63df4a18U, 0xe51a3182U, 0x97513360U, 0x62537f45U,
+    0xb16477e0U, 0xbb6bae84U, 0xfe81a01cU, 0xf9082b94U,
+    0x70486858U, 0x8f45fd19U, 0x94de6c87U, 0x527bf8b7U,
+    0xab73d323U, 0x724b02e2U, 0xe31f8f57U, 0x6655ab2aU,
+    0xb2eb2807U, 0x2fb5c203U, 0x86c57b9aU, 0xd33708a5U,
+    0x302887f2U, 0x23bfa5b2U, 0x02036abaU, 0xed16825cU,
+    0x8acf1c2bU, 0xa779b492U, 0xf307f2f0U, 0x4e69e2a1U,
+    0x65daf4cdU, 0x0605bed5U, 0xd134621fU, 0xc4a6fe8aU,
+    0x342e539dU, 0xa2f355a0U, 0x058ae132U, 0xa4f6eb75U,
+    0x0b83ec39U, 0x4060efaaU, 0x5e719f06U, 0xbd6e1051U,
+    0x3e218af9U, 0x96dd063dU, 0xdd3e05aeU, 0x4de6bd46U,
+    0x91548db5U, 0x71c45d05U, 0x0406d46fU, 0x605015ffU,
+    0x1998fb24U, 0xd6bde997U, 0x894043ccU, 0x67d99e77U,
+    0xb0e842bdU, 0x07898b88U, 0xe7195b38U, 0x79c8eedbU,
+    0xa17c0a47U, 0x7c420fe9U, 0xf8841ec9U, 0x00000000U,
+    0x09808683U, 0x322bed48U, 0x1e1170acU, 0x6c5a724eU,
+    0xfd0efffbU, 0x0f853856U, 0x3daed51eU, 0x362d3927U,
+    0x0a0fd964U, 0x685ca621U, 0x9b5b54d1U, 0x24362e3aU,
+    0x0c0a67b1U, 0x9357e70fU, 0xb4ee96d2U, 0x1b9b919eU,
+    0x80c0c54fU, 0x61dc20a2U, 0x5a774b69U, 0x1c121a16U,
+    0xe293ba0aU, 0xc0a02ae5U, 0x3c22e043U, 0x121b171dU,
+    0x0e090d0bU, 0xf28bc7adU, 0x2db6a8b9U, 0x141ea9c8U,
+    0x57f11985U, 0xaf75074cU, 0xee99ddbbU, 0xa37f60fdU,
+    0xf701269fU, 0x5c72f5bcU, 0x44663bc5U, 0x5bfb7e34U,
+    0x8b432976U, 0xcb23c6dcU, 0xb6edfc68U, 0xb8e4f163U,
+    0xd731dccaU, 0x42638510U, 0x13972240U, 0x84c61120U,
+    0x854a247dU, 0xd2bb3df8U, 0xaef93211U, 0xc729a16dU,
+    0x1d9e2f4bU, 0xdcb230f3U, 0x0d8652ecU, 0x77c1e3d0U,
+    0x2bb3166cU, 0xa970b999U, 0x119448faU, 0x47e96422U,
+    0xa8fc8cc4U, 0xa0f03f1aU, 0x567d2cd8U, 0x223390efU,
+    0x87494ec7U, 0xd938d1c1U, 0x8ccaa2feU, 0x98d40b36U,
+    0xa6f581cfU, 0xa57ade28U, 0xdab78e26U, 0x3fadbfa4U,
+    0x2c3a9de4U, 0x5078920dU, 0x6a5fcc9bU, 0x547e4662U,
+    0xf68d13c2U, 0x90d8b8e8U, 0x2e39f75eU, 0x82c3aff5U,
+    0x9f5d80beU, 0x69d0937cU, 0x6fd52da9U, 0xcf2512b3U,
+    0xc8ac993bU, 0x10187da7U, 0xe89c636eU, 0xdb3bbb7bU,
+    0xcd267809U, 0x6e5918f4U, 0xec9ab701U, 0x834f9aa8U,
+    0xe6956e65U, 0xaaffe67eU, 0x21bccf08U, 0xef15e8e6U,
+    0xbae79bd9U, 0x4a6f36ceU, 0xea9f09d4U, 0x29b07cd6U,
+    0x31a4b2afU, 0x2a3f2331U, 0xc6a59430U, 0x35a266c0U,
+    0x744ebc37U, 0xfc82caa6U, 0xe090d0b0U, 0x33a7d815U,
+    0xf104984aU, 0x41ecdaf7U, 0x7fcd500eU, 0x1791f62fU,
+    0x764dd68dU, 0x43efb04dU, 0xccaa4d54U, 0xe49604dfU,
+    0x9ed1b5e3U, 0x4c6a881bU, 0xc12c1fb8U, 0x4665517fU,
+    0x9d5eea04U, 0x018c355dU, 0xfa877473U, 0xfb0b412eU,
+    0xb3671d5aU, 0x92dbd252U, 0xe9105633U, 0x6dd64713U,
+    0x9ad7618cU, 0x37a10c7aU, 0x59f8148eU, 0xeb133c89U,
+    0xcea927eeU, 0xb761c935U, 0xe11ce5edU, 0x7a47b13cU,
+    0x9cd2df59U, 0x55f2733fU, 0x1814ce79U, 0x73c737bfU,
+    0x53f7cdeaU, 0x5ffdaa5bU, 0xdf3d6f14U, 0x7844db86U,
+    0xcaaff381U, 0xb968c43eU, 0x3824342cU, 0xc2a3405fU,
+    0x161dc372U, 0xbce2250cU, 0x283c498bU, 0xff0d9541U,
+    0x39a80171U, 0x080cb3deU, 0xd8b4e49cU, 0x6456c190U,
+    0x7bcb8461U, 0xd532b670U, 0x486c5c74U, 0xd0b85742U,
+};
+static const u32 Td1[256] = {
+    0x5051f4a7U, 0x537e4165U, 0xc31a17a4U, 0x963a275eU,
+    0xcb3bab6bU, 0xf11f9d45U, 0xabacfa58U, 0x934be303U,
+    0x552030faU, 0xf6ad766dU, 0x9188cc76U, 0x25f5024cU,
+    0xfc4fe5d7U, 0xd7c52acbU, 0x80263544U, 0x8fb562a3U,
+    0x49deb15aU, 0x6725ba1bU, 0x9845ea0eU, 0xe15dfec0U,
+    0x02c32f75U, 0x12814cf0U, 0xa38d4697U, 0xc66bd3f9U,
+    0xe7038f5fU, 0x9515929cU, 0xebbf6d7aU, 0xda955259U,
+    0x2dd4be83U, 0xd3587421U, 0x2949e069U, 0x448ec9c8U,
+    0x6a75c289U, 0x78f48e79U, 0x6b99583eU, 0xdd27b971U,
+    0xb6bee14fU, 0x17f088adU, 0x66c920acU, 0xb47dce3aU,
+    0x1863df4aU, 0x82e51a31U, 0x60975133U, 0x4562537fU,
+    0xe0b16477U, 0x84bb6baeU, 0x1cfe81a0U, 0x94f9082bU,
+    0x58704868U, 0x198f45fdU, 0x8794de6cU, 0xb7527bf8U,
+    0x23ab73d3U, 0xe2724b02U, 0x57e31f8fU, 0x2a6655abU,
+    0x07b2eb28U, 0x032fb5c2U, 0x9a86c57bU, 0xa5d33708U,
+    0xf2302887U, 0xb223bfa5U, 0xba02036aU, 0x5ced1682U,
+    0x2b8acf1cU, 0x92a779b4U, 0xf0f307f2U, 0xa14e69e2U,
+    0xcd65daf4U, 0xd50605beU, 0x1fd13462U, 0x8ac4a6feU,
+    0x9d342e53U, 0xa0a2f355U, 0x32058ae1U, 0x75a4f6ebU,
+    0x390b83ecU, 0xaa4060efU, 0x065e719fU, 0x51bd6e10U,
+    0xf93e218aU, 0x3d96dd06U, 0xaedd3e05U, 0x464de6bdU,
+    0xb591548dU, 0x0571c45dU, 0x6f0406d4U, 0xff605015U,
+    0x241998fbU, 0x97d6bde9U, 0xcc894043U, 0x7767d99eU,
+    0xbdb0e842U, 0x8807898bU, 0x38e7195bU, 0xdb79c8eeU,
+    0x47a17c0aU, 0xe97c420fU, 0xc9f8841eU, 0x00000000U,
+    0x83098086U, 0x48322bedU, 0xac1e1170U, 0x4e6c5a72U,
+    0xfbfd0effU, 0x560f8538U, 0x1e3daed5U, 0x27362d39U,
+    0x640a0fd9U, 0x21685ca6U, 0xd19b5b54U, 0x3a24362eU,
+    0xb10c0a67U, 0x0f9357e7U, 0xd2b4ee96U, 0x9e1b9b91U,
+    0x4f80c0c5U, 0xa261dc20U, 0x695a774bU, 0x161c121aU,
+    0x0ae293baU, 0xe5c0a02aU, 0x433c22e0U, 0x1d121b17U,
+    0x0b0e090dU, 0xadf28bc7U, 0xb92db6a8U, 0xc8141ea9U,
+    0x8557f119U, 0x4caf7507U, 0xbbee99ddU, 0xfda37f60U,
+    0x9ff70126U, 0xbc5c72f5U, 0xc544663bU, 0x345bfb7eU,
+    0x768b4329U, 0xdccb23c6U, 0x68b6edfcU, 0x63b8e4f1U,
+    0xcad731dcU, 0x10426385U, 0x40139722U, 0x2084c611U,
+    0x7d854a24U, 0xf8d2bb3dU, 0x11aef932U, 0x6dc729a1U,
+    0x4b1d9e2fU, 0xf3dcb230U, 0xec0d8652U, 0xd077c1e3U,
+    0x6c2bb316U, 0x99a970b9U, 0xfa119448U, 0x2247e964U,
+    0xc4a8fc8cU, 0x1aa0f03fU, 0xd8567d2cU, 0xef223390U,
+    0xc787494eU, 0xc1d938d1U, 0xfe8ccaa2U, 0x3698d40bU,
+    0xcfa6f581U, 0x28a57adeU, 0x26dab78eU, 0xa43fadbfU,
+    0xe42c3a9dU, 0x0d507892U, 0x9b6a5fccU, 0x62547e46U,
+    0xc2f68d13U, 0xe890d8b8U, 0x5e2e39f7U, 0xf582c3afU,
+    0xbe9f5d80U, 0x7c69d093U, 0xa96fd52dU, 0xb3cf2512U,
+    0x3bc8ac99U, 0xa710187dU, 0x6ee89c63U, 0x7bdb3bbbU,
+    0x09cd2678U, 0xf46e5918U, 0x01ec9ab7U, 0xa8834f9aU,
+    0x65e6956eU, 0x7eaaffe6U, 0x0821bccfU, 0xe6ef15e8U,
+    0xd9bae79bU, 0xce4a6f36U, 0xd4ea9f09U, 0xd629b07cU,
+    0xaf31a4b2U, 0x312a3f23U, 0x30c6a594U, 0xc035a266U,
+    0x37744ebcU, 0xa6fc82caU, 0xb0e090d0U, 0x1533a7d8U,
+    0x4af10498U, 0xf741ecdaU, 0x0e7fcd50U, 0x2f1791f6U,
+    0x8d764dd6U, 0x4d43efb0U, 0x54ccaa4dU, 0xdfe49604U,
+    0xe39ed1b5U, 0x1b4c6a88U, 0xb8c12c1fU, 0x7f466551U,
+    0x049d5eeaU, 0x5d018c35U, 0x73fa8774U, 0x2efb0b41U,
+    0x5ab3671dU, 0x5292dbd2U, 0x33e91056U, 0x136dd647U,
+    0x8c9ad761U, 0x7a37a10cU, 0x8e59f814U, 0x89eb133cU,
+    0xeecea927U, 0x35b761c9U, 0xede11ce5U, 0x3c7a47b1U,
+    0x599cd2dfU, 0x3f55f273U, 0x791814ceU, 0xbf73c737U,
+    0xea53f7cdU, 0x5b5ffdaaU, 0x14df3d6fU, 0x867844dbU,
+    0x81caaff3U, 0x3eb968c4U, 0x2c382434U, 0x5fc2a340U,
+    0x72161dc3U, 0x0cbce225U, 0x8b283c49U, 0x41ff0d95U,
+    0x7139a801U, 0xde080cb3U, 0x9cd8b4e4U, 0x906456c1U,
+    0x617bcb84U, 0x70d532b6U, 0x74486c5cU, 0x42d0b857U,
+};
+static const u32 Td2[256] = {
+    0xa75051f4U, 0x65537e41U, 0xa4c31a17U, 0x5e963a27U,
+    0x6bcb3babU, 0x45f11f9dU, 0x58abacfaU, 0x03934be3U,
+    0xfa552030U, 0x6df6ad76U, 0x769188ccU, 0x4c25f502U,
+    0xd7fc4fe5U, 0xcbd7c52aU, 0x44802635U, 0xa38fb562U,
+    0x5a49deb1U, 0x1b6725baU, 0x0e9845eaU, 0xc0e15dfeU,
+    0x7502c32fU, 0xf012814cU, 0x97a38d46U, 0xf9c66bd3U,
+    0x5fe7038fU, 0x9c951592U, 0x7aebbf6dU, 0x59da9552U,
+    0x832dd4beU, 0x21d35874U, 0x692949e0U, 0xc8448ec9U,
+    0x896a75c2U, 0x7978f48eU, 0x3e6b9958U, 0x71dd27b9U,
+    0x4fb6bee1U, 0xad17f088U, 0xac66c920U, 0x3ab47dceU,
+    0x4a1863dfU, 0x3182e51aU, 0x33609751U, 0x7f456253U,
+    0x77e0b164U, 0xae84bb6bU, 0xa01cfe81U, 0x2b94f908U,
+    0x68587048U, 0xfd198f45U, 0x6c8794deU, 0xf8b7527bU,
+    0xd323ab73U, 0x02e2724bU, 0x8f57e31fU, 0xab2a6655U,
+    0x2807b2ebU, 0xc2032fb5U, 0x7b9a86c5U, 0x08a5d337U,
+    0x87f23028U, 0xa5b223bfU, 0x6aba0203U, 0x825ced16U,
+    0x1c2b8acfU, 0xb492a779U, 0xf2f0f307U, 0xe2a14e69U,
+    0xf4cd65daU, 0xbed50605U, 0x621fd134U, 0xfe8ac4a6U,
+    0x539d342eU, 0x55a0a2f3U, 0xe132058aU, 0xeb75a4f6U,
+    0xec390b83U, 0xefaa4060U, 0x9f065e71U, 0x1051bd6eU,
+
+    0x8af93e21U, 0x063d96ddU, 0x05aedd3eU, 0xbd464de6U,
+    0x8db59154U, 0x5d0571c4U, 0xd46f0406U, 0x15ff6050U,
+    0xfb241998U, 0xe997d6bdU, 0x43cc8940U, 0x9e7767d9U,
+    0x42bdb0e8U, 0x8b880789U, 0x5b38e719U, 0xeedb79c8U,
+    0x0a47a17cU, 0x0fe97c42U, 0x1ec9f884U, 0x00000000U,
+    0x86830980U, 0xed48322bU, 0x70ac1e11U, 0x724e6c5aU,
+    0xfffbfd0eU, 0x38560f85U, 0xd51e3daeU, 0x3927362dU,
+    0xd9640a0fU, 0xa621685cU, 0x54d19b5bU, 0x2e3a2436U,
+    0x67b10c0aU, 0xe70f9357U, 0x96d2b4eeU, 0x919e1b9bU,
+    0xc54f80c0U, 0x20a261dcU, 0x4b695a77U, 0x1a161c12U,
+    0xba0ae293U, 0x2ae5c0a0U, 0xe0433c22U, 0x171d121bU,
+    0x0d0b0e09U, 0xc7adf28bU, 0xa8b92db6U, 0xa9c8141eU,
+    0x198557f1U, 0x074caf75U, 0xddbbee99U, 0x60fda37fU,
+    0x269ff701U, 0xf5bc5c72U, 0x3bc54466U, 0x7e345bfbU,
+    0x29768b43U, 0xc6dccb23U, 0xfc68b6edU, 0xf163b8e4U,
+    0xdccad731U, 0x85104263U, 0x22401397U, 0x112084c6U,
+    0x247d854aU, 0x3df8d2bbU, 0x3211aef9U, 0xa16dc729U,
+    0x2f4b1d9eU, 0x30f3dcb2U, 0x52ec0d86U, 0xe3d077c1U,
+    0x166c2bb3U, 0xb999a970U, 0x48fa1194U, 0x642247e9U,
+    0x8cc4a8fcU, 0x3f1aa0f0U, 0x2cd8567dU, 0x90ef2233U,
+    0x4ec78749U, 0xd1c1d938U, 0xa2fe8ccaU, 0x0b3698d4U,
+    0x81cfa6f5U, 0xde28a57aU, 0x8e26dab7U, 0xbfa43fadU,
+    0x9de42c3aU, 0x920d5078U, 0xcc9b6a5fU, 0x4662547eU,
+    0x13c2f68dU, 0xb8e890d8U, 0xf75e2e39U, 0xaff582c3U,
+    0x80be9f5dU, 0x937c69d0U, 0x2da96fd5U, 0x12b3cf25U,
+    0x993bc8acU, 0x7da71018U, 0x636ee89cU, 0xbb7bdb3bU,
+    0x7809cd26U, 0x18f46e59U, 0xb701ec9aU, 0x9aa8834fU,
+    0x6e65e695U, 0xe67eaaffU, 0xcf0821bcU, 0xe8e6ef15U,
+    0x9bd9bae7U, 0x36ce4a6fU, 0x09d4ea9fU, 0x7cd629b0U,
+    0xb2af31a4U, 0x23312a3fU, 0x9430c6a5U, 0x66c035a2U,
+    0xbc37744eU, 0xcaa6fc82U, 0xd0b0e090U, 0xd81533a7U,
+    0x984af104U, 0xdaf741ecU, 0x500e7fcdU, 0xf62f1791U,
+    0xd68d764dU, 0xb04d43efU, 0x4d54ccaaU, 0x04dfe496U,
+    0xb5e39ed1U, 0x881b4c6aU, 0x1fb8c12cU, 0x517f4665U,
+    0xea049d5eU, 0x355d018cU, 0x7473fa87U, 0x412efb0bU,
+    0x1d5ab367U, 0xd25292dbU, 0x5633e910U, 0x47136dd6U,
+    0x618c9ad7U, 0x0c7a37a1U, 0x148e59f8U, 0x3c89eb13U,
+    0x27eecea9U, 0xc935b761U, 0xe5ede11cU, 0xb13c7a47U,
+    0xdf599cd2U, 0x733f55f2U, 0xce791814U, 0x37bf73c7U,
+    0xcdea53f7U, 0xaa5b5ffdU, 0x6f14df3dU, 0xdb867844U,
+    0xf381caafU, 0xc43eb968U, 0x342c3824U, 0x405fc2a3U,
+    0xc372161dU, 0x250cbce2U, 0x498b283cU, 0x9541ff0dU,
+    0x017139a8U, 0xb3de080cU, 0xe49cd8b4U, 0xc1906456U,
+    0x84617bcbU, 0xb670d532U, 0x5c74486cU, 0x5742d0b8U,
+};
+static const u32 Td3[256] = {
+    0xf4a75051U, 0x4165537eU, 0x17a4c31aU, 0x275e963aU,
+    0xab6bcb3bU, 0x9d45f11fU, 0xfa58abacU, 0xe303934bU,
+    0x30fa5520U, 0x766df6adU, 0xcc769188U, 0x024c25f5U,
+    0xe5d7fc4fU, 0x2acbd7c5U, 0x35448026U, 0x62a38fb5U,
+    0xb15a49deU, 0xba1b6725U, 0xea0e9845U, 0xfec0e15dU,
+    0x2f7502c3U, 0x4cf01281U, 0x4697a38dU, 0xd3f9c66bU,
+    0x8f5fe703U, 0x929c9515U, 0x6d7aebbfU, 0x5259da95U,
+    0xbe832dd4U, 0x7421d358U, 0xe0692949U, 0xc9c8448eU,
+    0xc2896a75U, 0x8e7978f4U, 0x583e6b99U, 0xb971dd27U,
+    0xe14fb6beU, 0x88ad17f0U, 0x20ac66c9U, 0xce3ab47dU,
+    0xdf4a1863U, 0x1a3182e5U, 0x51336097U, 0x537f4562U,
+    0x6477e0b1U, 0x6bae84bbU, 0x81a01cfeU, 0x082b94f9U,
+    0x48685870U, 0x45fd198fU, 0xde6c8794U, 0x7bf8b752U,
+    0x73d323abU, 0x4b02e272U, 0x1f8f57e3U, 0x55ab2a66U,
+    0xeb2807b2U, 0xb5c2032fU, 0xc57b9a86U, 0x3708a5d3U,
+    0x2887f230U, 0xbfa5b223U, 0x036aba02U, 0x16825cedU,
+    0xcf1c2b8aU, 0x79b492a7U, 0x07f2f0f3U, 0x69e2a14eU,
+    0xdaf4cd65U, 0x05bed506U, 0x34621fd1U, 0xa6fe8ac4U,
+    0x2e539d34U, 0xf355a0a2U, 0x8ae13205U, 0xf6eb75a4U,
+    0x83ec390bU, 0x60efaa40U, 0x719f065eU, 0x6e1051bdU,
+    0x218af93eU, 0xdd063d96U, 0x3e05aeddU, 0xe6bd464dU,
+    0x548db591U, 0xc45d0571U, 0x06d46f04U, 0x5015ff60U,
+    0x98fb2419U, 0xbde997d6U, 0x4043cc89U, 0xd99e7767U,
+    0xe842bdb0U, 0x898b8807U, 0x195b38e7U, 0xc8eedb79U,
+    0x7c0a47a1U, 0x420fe97cU, 0x841ec9f8U, 0x00000000U,
+    0x80868309U, 0x2bed4832U, 0x1170ac1eU, 0x5a724e6cU,
+    0x0efffbfdU, 0x8538560fU, 0xaed51e3dU, 0x2d392736U,
+    0x0fd9640aU, 0x5ca62168U, 0x5b54d19bU, 0x362e3a24U,
+    0x0a67b10cU, 0x57e70f93U, 0xee96d2b4U, 0x9b919e1bU,
+    0xc0c54f80U, 0xdc20a261U, 0x774b695aU, 0x121a161cU,
+    0x93ba0ae2U, 0xa02ae5c0U, 0x22e0433cU, 0x1b171d12U,
+    0x090d0b0eU, 0x8bc7adf2U, 0xb6a8b92dU, 0x1ea9c814U,
+    0xf1198557U, 0x75074cafU, 0x99ddbbeeU, 0x7f60fda3U,
+    0x01269ff7U, 0x72f5bc5cU, 0x663bc544U, 0xfb7e345bU,
+    0x4329768bU, 0x23c6dccbU, 0xedfc68b6U, 0xe4f163b8U,
+    0x31dccad7U, 0x63851042U, 0x97224013U, 0xc6112084U,
+    0x4a247d85U, 0xbb3df8d2U, 0xf93211aeU, 0x29a16dc7U,
+    0x9e2f4b1dU, 0xb230f3dcU, 0x8652ec0dU, 0xc1e3d077U,
+    0xb3166c2bU, 0x70b999a9U, 0x9448fa11U, 0xe9642247U,
+    0xfc8cc4a8U, 0xf03f1aa0U, 0x7d2cd856U, 0x3390ef22U,
+    0x494ec787U, 0x38d1c1d9U, 0xcaa2fe8cU, 0xd40b3698U,
+    0xf581cfa6U, 0x7ade28a5U, 0xb78e26daU, 0xadbfa43fU,
+    0x3a9de42cU, 0x78920d50U, 0x5fcc9b6aU, 0x7e466254U,
+    0x8d13c2f6U, 0xd8b8e890U, 0x39f75e2eU, 0xc3aff582U,
+    0x5d80be9fU, 0xd0937c69U, 0xd52da96fU, 0x2512b3cfU,
+    0xac993bc8U, 0x187da710U, 0x9c636ee8U, 0x3bbb7bdbU,
+    0x267809cdU, 0x5918f46eU, 0x9ab701ecU, 0x4f9aa883U,
+    0x956e65e6U, 0xffe67eaaU, 0xbccf0821U, 0x15e8e6efU,
+    0xe79bd9baU, 0x6f36ce4aU, 0x9f09d4eaU, 0xb07cd629U,
+    0xa4b2af31U, 0x3f23312aU, 0xa59430c6U, 0xa266c035U,
+    0x4ebc3774U, 0x82caa6fcU, 0x90d0b0e0U, 0xa7d81533U,
+    0x04984af1U, 0xecdaf741U, 0xcd500e7fU, 0x91f62f17U,
+    0x4dd68d76U, 0xefb04d43U, 0xaa4d54ccU, 0x9604dfe4U,
+    0xd1b5e39eU, 0x6a881b4cU, 0x2c1fb8c1U, 0x65517f46U,
+    0x5eea049dU, 0x8c355d01U, 0x877473faU, 0x0b412efbU,
+    0x671d5ab3U, 0xdbd25292U, 0x105633e9U, 0xd647136dU,
+    0xd7618c9aU, 0xa10c7a37U, 0xf8148e59U, 0x133c89ebU,
+    0xa927eeceU, 0x61c935b7U, 0x1ce5ede1U, 0x47b13c7aU,
+    0xd2df599cU, 0xf2733f55U, 0x14ce7918U, 0xc737bf73U,
+    0xf7cdea53U, 0xfdaa5b5fU, 0x3d6f14dfU, 0x44db8678U,
+    0xaff381caU, 0x68c43eb9U, 0x24342c38U, 0xa3405fc2U,
+    0x1dc37216U, 0xe2250cbcU, 0x3c498b28U, 0x0d9541ffU,
+    0xa8017139U, 0x0cb3de08U, 0xb4e49cd8U, 0x56c19064U,
+    0xcb84617bU, 0x32b670d5U, 0x6c5c7448U, 0xb85742d0U,
+};
+static const u32 Td4[256] = {
+    0x52525252U, 0x09090909U, 0x6a6a6a6aU, 0xd5d5d5d5U,
+    0x30303030U, 0x36363636U, 0xa5a5a5a5U, 0x38383838U,
+    0xbfbfbfbfU, 0x40404040U, 0xa3a3a3a3U, 0x9e9e9e9eU,
+    0x81818181U, 0xf3f3f3f3U, 0xd7d7d7d7U, 0xfbfbfbfbU,
+    0x7c7c7c7cU, 0xe3e3e3e3U, 0x39393939U, 0x82828282U,
+    0x9b9b9b9bU, 0x2f2f2f2fU, 0xffffffffU, 0x87878787U,
+    0x34343434U, 0x8e8e8e8eU, 0x43434343U, 0x44444444U,
+    0xc4c4c4c4U, 0xdedededeU, 0xe9e9e9e9U, 0xcbcbcbcbU,
+    0x54545454U, 0x7b7b7b7bU, 0x94949494U, 0x32323232U,
+    0xa6a6a6a6U, 0xc2c2c2c2U, 0x23232323U, 0x3d3d3d3dU,
+    0xeeeeeeeeU, 0x4c4c4c4cU, 0x95959595U, 0x0b0b0b0bU,
+    0x42424242U, 0xfafafafaU, 0xc3c3c3c3U, 0x4e4e4e4eU,
+    0x08080808U, 0x2e2e2e2eU, 0xa1a1a1a1U, 0x66666666U,
+    0x28282828U, 0xd9d9d9d9U, 0x24242424U, 0xb2b2b2b2U,
+    0x76767676U, 0x5b5b5b5bU, 0xa2a2a2a2U, 0x49494949U,
+    0x6d6d6d6dU, 0x8b8b8b8bU, 0xd1d1d1d1U, 0x25252525U,
+    0x72727272U, 0xf8f8f8f8U, 0xf6f6f6f6U, 0x64646464U,
+    0x86868686U, 0x68686868U, 0x98989898U, 0x16161616U,
+    0xd4d4d4d4U, 0xa4a4a4a4U, 0x5c5c5c5cU, 0xccccccccU,
+    0x5d5d5d5dU, 0x65656565U, 0xb6b6b6b6U, 0x92929292U,
+    0x6c6c6c6cU, 0x70707070U, 0x48484848U, 0x50505050U,
+    0xfdfdfdfdU, 0xededededU, 0xb9b9b9b9U, 0xdadadadaU,
+    0x5e5e5e5eU, 0x15151515U, 0x46464646U, 0x57575757U,
+    0xa7a7a7a7U, 0x8d8d8d8dU, 0x9d9d9d9dU, 0x84848484U,
+    0x90909090U, 0xd8d8d8d8U, 0xababababU, 0x00000000U,
+    0x8c8c8c8cU, 0xbcbcbcbcU, 0xd3d3d3d3U, 0x0a0a0a0aU,
+    0xf7f7f7f7U, 0xe4e4e4e4U, 0x58585858U, 0x05050505U,
+    0xb8b8b8b8U, 0xb3b3b3b3U, 0x45454545U, 0x06060606U,
+    0xd0d0d0d0U, 0x2c2c2c2cU, 0x1e1e1e1eU, 0x8f8f8f8fU,
+    0xcacacacaU, 0x3f3f3f3fU, 0x0f0f0f0fU, 0x02020202U,
+    0xc1c1c1c1U, 0xafafafafU, 0xbdbdbdbdU, 0x03030303U,
+    0x01010101U, 0x13131313U, 0x8a8a8a8aU, 0x6b6b6b6bU,
+    0x3a3a3a3aU, 0x91919191U, 0x11111111U, 0x41414141U,
+    0x4f4f4f4fU, 0x67676767U, 0xdcdcdcdcU, 0xeaeaeaeaU,
+    0x97979797U, 0xf2f2f2f2U, 0xcfcfcfcfU, 0xcecececeU,
+    0xf0f0f0f0U, 0xb4b4b4b4U, 0xe6e6e6e6U, 0x73737373U,
+    0x96969696U, 0xacacacacU, 0x74747474U, 0x22222222U,
+    0xe7e7e7e7U, 0xadadadadU, 0x35353535U, 0x85858585U,
+    0xe2e2e2e2U, 0xf9f9f9f9U, 0x37373737U, 0xe8e8e8e8U,
+    0x1c1c1c1cU, 0x75757575U, 0xdfdfdfdfU, 0x6e6e6e6eU,
+    0x47474747U, 0xf1f1f1f1U, 0x1a1a1a1aU, 0x71717171U,
+    0x1d1d1d1dU, 0x29292929U, 0xc5c5c5c5U, 0x89898989U,
+    0x6f6f6f6fU, 0xb7b7b7b7U, 0x62626262U, 0x0e0e0e0eU,
+    0xaaaaaaaaU, 0x18181818U, 0xbebebebeU, 0x1b1b1b1bU,
+    0xfcfcfcfcU, 0x56565656U, 0x3e3e3e3eU, 0x4b4b4b4bU,
+    0xc6c6c6c6U, 0xd2d2d2d2U, 0x79797979U, 0x20202020U,
+    0x9a9a9a9aU, 0xdbdbdbdbU, 0xc0c0c0c0U, 0xfefefefeU,
+    0x78787878U, 0xcdcdcdcdU, 0x5a5a5a5aU, 0xf4f4f4f4U,
+    0x1f1f1f1fU, 0xddddddddU, 0xa8a8a8a8U, 0x33333333U,
+    0x88888888U, 0x07070707U, 0xc7c7c7c7U, 0x31313131U,
+    0xb1b1b1b1U, 0x12121212U, 0x10101010U, 0x59595959U,
+    0x27272727U, 0x80808080U, 0xececececU, 0x5f5f5f5fU,
+    0x60606060U, 0x51515151U, 0x7f7f7f7fU, 0xa9a9a9a9U,
+    0x19191919U, 0xb5b5b5b5U, 0x4a4a4a4aU, 0x0d0d0d0dU,
+    0x2d2d2d2dU, 0xe5e5e5e5U, 0x7a7a7a7aU, 0x9f9f9f9fU,
+    0x93939393U, 0xc9c9c9c9U, 0x9c9c9c9cU, 0xefefefefU,
+    0xa0a0a0a0U, 0xe0e0e0e0U, 0x3b3b3b3bU, 0x4d4d4d4dU,
+    0xaeaeaeaeU, 0x2a2a2a2aU, 0xf5f5f5f5U, 0xb0b0b0b0U,
+    0xc8c8c8c8U, 0xebebebebU, 0xbbbbbbbbU, 0x3c3c3c3cU,
+    0x83838383U, 0x53535353U, 0x99999999U, 0x61616161U,
+    0x17171717U, 0x2b2b2b2bU, 0x04040404U, 0x7e7e7e7eU,
+    0xbabababaU, 0x77777777U, 0xd6d6d6d6U, 0x26262626U,
+    0xe1e1e1e1U, 0x69696969U, 0x14141414U, 0x63636363U,
+    0x55555555U, 0x21212121U, 0x0c0c0c0cU, 0x7d7d7d7dU,
+};
+static const u32 rcon[] = {
+        0x01000000, 0x02000000, 0x04000000, 0x08000000,
+        0x10000000, 0x20000000, 0x40000000, 0x80000000,
+        0x1B000000, 0x36000000, /* for 128-bit blocks, Rijndael never uses more than 10 rcon values */
+};
+
+/**
+ * Expand the cipher key into the encryption key schedule.
+ */
+int AES_set_encrypt_key(const unsigned char *userKey, const int bits,
+                        AES_KEY *key) {
+
+        u32 *rk;
+        int i = 0;
+        u32 temp;
+
+        if (!userKey || !key)
+                return -1;
+        if (bits != 128 && bits != 192 && bits != 256)
+                return -2;
+
+        rk = key->rd_key;
+
+        if (bits==128)
+                key->rounds = 10;
+        else if (bits==192)
+                key->rounds = 12;
+        else
+                key->rounds = 14;
+
+        rk[0] = GETU32(userKey     );
+        rk[1] = GETU32(userKey +  4);
+        rk[2] = GETU32(userKey +  8);
+        rk[3] = GETU32(userKey + 12);
+        if (bits == 128) {
+                for (;;) {
+                        temp  = rk[3];
+                        rk[4] = rk[0] ^
+                                (Te4[(temp >> 16) & 0xff] & 0xff000000) ^
+                                (Te4[(temp >>  8) & 0xff] & 0x00ff0000) ^
+                                (Te4[(temp      ) & 0xff] & 0x0000ff00) ^
+                                (Te4[(temp >> 24)       ] & 0x000000ff) ^
+                                rcon[i];
+                        rk[5] = rk[1] ^ rk[4];
+                        rk[6] = rk[2] ^ rk[5];
+                        rk[7] = rk[3] ^ rk[6];
+                        if (++i == 10) {
+                                return 0;
+                        }
+                        rk += 4;
+                }
+        }
+        rk[4] = GETU32(userKey + 16);
+        rk[5] = GETU32(userKey + 20);
+        if (bits == 192) {
+                for (;;) {
+                        temp = rk[ 5];
+                        rk[ 6] = rk[ 0] ^
+                                (Te4[(temp >> 16) & 0xff] & 0xff000000) ^
+                                (Te4[(temp >>  8) & 0xff] & 0x00ff0000) ^
+                                (Te4[(temp      ) & 0xff] & 0x0000ff00) ^
+                                (Te4[(temp >> 24)       ] & 0x000000ff) ^
+                                rcon[i];
+                        rk[ 7] = rk[ 1] ^ rk[ 6];
+                        rk[ 8] = rk[ 2] ^ rk[ 7];
+                        rk[ 9] = rk[ 3] ^ rk[ 8];
+                        if (++i == 8) {
+                                return 0;
+                        }
+                        rk[10] = rk[ 4] ^ rk[ 9];
+                        rk[11] = rk[ 5] ^ rk[10];
+                        rk += 6;
+                }
+        }
+        rk[6] = GETU32(userKey + 24);
+        rk[7] = GETU32(userKey + 28);
+        if (bits == 256) {
+                for (;;) {
+                        temp = rk[ 7];
+                        rk[ 8] = rk[ 0] ^
+                                (Te4[(temp >> 16) & 0xff] & 0xff000000) ^
+                                (Te4[(temp >>  8) & 0xff] & 0x00ff0000) ^
+                                (Te4[(temp      ) & 0xff] & 0x0000ff00) ^
+                                (Te4[(temp >> 24)       ] & 0x000000ff) ^
+                                rcon[i];
+                        rk[ 9] = rk[ 1] ^ rk[ 8];
+                        rk[10] = rk[ 2] ^ rk[ 9];
+                        rk[11] = rk[ 3] ^ rk[10];
+                        if (++i == 7) {
+                                return 0;
+                        }
+                        temp = rk[11];
+                        rk[12] = rk[ 4] ^
+                                (Te4[(temp >> 24)       ] & 0xff000000) ^
+                                (Te4[(temp >> 16) & 0xff] & 0x00ff0000) ^
+                                (Te4[(temp >>  8) & 0xff] & 0x0000ff00) ^
+                                (Te4[(temp      ) & 0xff] & 0x000000ff);
+                        rk[13] = rk[ 5] ^ rk[12];
+                        rk[14] = rk[ 6] ^ rk[13];
+                        rk[15] = rk[ 7] ^ rk[14];
+
+                        rk += 8;
+                }
+        }
+        return 0;
+}
+
+/**
+ * Expand the cipher key into the decryption key schedule.
+ */
+int AES_set_decrypt_key(const unsigned char *userKey, const int bits,
+                         AES_KEY *key) {
+
+        u32 *rk;
+        int i, j, status;
+        u32 temp;
+
+        /* first, start with an encryption schedule */
+        status = AES_set_encrypt_key(userKey, bits, key);
+        if (status < 0)
+                return status;
+
+        rk = key->rd_key;
+
+        /* invert the order of the round keys: */
+        for (i = 0, j = 4*(key->rounds); i < j; i += 4, j -= 4) {
+                temp = rk[i    ]; rk[i    ] = rk[j    ]; rk[j    ] = temp;
+                temp = rk[i + 1]; rk[i + 1] = rk[j + 1]; rk[j + 1] = temp;
+                temp = rk[i + 2]; rk[i + 2] = rk[j + 2]; rk[j + 2] = temp;
+                temp = rk[i + 3]; rk[i + 3] = rk[j + 3]; rk[j + 3] = temp;
+        }
+        /* apply the inverse MixColumn transform to all round keys but the first and the last: */
+        for (i = 1; i < (key->rounds); i++) {
+                rk += 4;
+                rk[0] =
+                        Td0[Te4[(rk[0] >> 24)       ] & 0xff] ^
+                        Td1[Te4[(rk[0] >> 16) & 0xff] & 0xff] ^
+                        Td2[Te4[(rk[0] >>  8) & 0xff] & 0xff] ^
+                        Td3[Te4[(rk[0]      ) & 0xff] & 0xff];
+                rk[1] =
+                        Td0[Te4[(rk[1] >> 24)       ] & 0xff] ^
+                        Td1[Te4[(rk[1] >> 16) & 0xff] & 0xff] ^
+                        Td2[Te4[(rk[1] >>  8) & 0xff] & 0xff] ^
+                        Td3[Te4[(rk[1]      ) & 0xff] & 0xff];
+                rk[2] =
+                        Td0[Te4[(rk[2] >> 24)       ] & 0xff] ^
+                        Td1[Te4[(rk[2] >> 16) & 0xff] & 0xff] ^
+                        Td2[Te4[(rk[2] >>  8) & 0xff] & 0xff] ^
+                        Td3[Te4[(rk[2]      ) & 0xff] & 0xff];
+                rk[3] =
+                        Td0[Te4[(rk[3] >> 24)       ] & 0xff] ^
+                        Td1[Te4[(rk[3] >> 16) & 0xff] & 0xff] ^
+                        Td2[Te4[(rk[3] >>  8) & 0xff] & 0xff] ^
+                        Td3[Te4[(rk[3]      ) & 0xff] & 0xff];
+        }
+        return 0;
+}
+
+/*
+ * Encrypt a single block
+ * in and out can overlap
+ */
+void AES_encrypt(const unsigned char *in, unsigned char *out,
+                 const AES_KEY *key) {
+
+        const u32 *rk;
+        u32 s0, s1, s2, s3, t0, t1, t2, t3;
+#ifndef FULL_UNROLL
+        int r;
+#endif /* ?FULL_UNROLL */
+
+        assert(in && out && key);
+        rk = key->rd_key;
+
+        /*
+         * map byte array block to cipher state
+         * and add initial round key:
+         */
+        s0 = GETU32(in     ) ^ rk[0];
+        s1 = GETU32(in +  4) ^ rk[1];
+        s2 = GETU32(in +  8) ^ rk[2];
+        s3 = GETU32(in + 12) ^ rk[3];
+#ifdef FULL_UNROLL
+        /* round 1: */
+        t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >>  8) & 0xff] ^ Te3[s3 & 0xff] ^ rk[ 4];
+        t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >>  8) & 0xff] ^ Te3[s0 & 0xff] ^ rk[ 5];
+        t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >>  8) & 0xff] ^ Te3[s1 & 0xff] ^ rk[ 6];
+        t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >>  8) & 0xff] ^ Te3[s2 & 0xff] ^ rk[ 7];
+        /* round 2: */
+        s0 = Te0[t0 >> 24] ^ Te1[(t1 >> 16) & 0xff] ^ Te2[(t2 >>  8) & 0xff] ^ Te3[t3 & 0xff] ^ rk[ 8];
+        s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >>  8) & 0xff] ^ Te3[t0 & 0xff] ^ rk[ 9];
+        s2 = Te0[t2 >> 24] ^ Te1[(t3 >> 16) & 0xff] ^ Te2[(t0 >>  8) & 0xff] ^ Te3[t1 & 0xff] ^ rk[10];
+        s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >>  8) & 0xff] ^ Te3[t2 & 0xff] ^ rk[11];
+        /* round 3: */
+        t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >>  8) & 0xff] ^ Te3[s3 & 0xff] ^ rk[12];
+        t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >>  8) & 0xff] ^ Te3[s0 & 0xff] ^ rk[13];
+        t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >>  8) & 0xff] ^ Te3[s1 & 0xff] ^ rk[14];
+        t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >>  8) & 0xff] ^ Te3[s2 & 0xff] ^ rk[15];
+        /* round 4: */
+        s0 = Te0[t0 >> 24] ^ Te1[(t1 >> 16) & 0xff] ^ Te2[(t2 >>  8) & 0xff] ^ Te3[t3 & 0xff] ^ rk[16];
+        s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >>  8) & 0xff] ^ Te3[t0 & 0xff] ^ rk[17];
+        s2 = Te0[t2 >> 24] ^ Te1[(t3 >> 16) & 0xff] ^ Te2[(t0 >>  8) & 0xff] ^ Te3[t1 & 0xff] ^ rk[18];
+        s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >>  8) & 0xff] ^ Te3[t2 & 0xff] ^ rk[19];
+        /* round 5: */
+        t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >>  8) & 0xff] ^ Te3[s3 & 0xff] ^ rk[20];
+        t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >>  8) & 0xff] ^ Te3[s0 & 0xff] ^ rk[21];
+        t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >>  8) & 0xff] ^ Te3[s1 & 0xff] ^ rk[22];
+        t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >>  8) & 0xff] ^ Te3[s2 & 0xff] ^ rk[23];
+        /* round 6: */
+        s0 = Te0[t0 >> 24] ^ Te1[(t1 >> 16) & 0xff] ^ Te2[(t2 >>  8) & 0xff] ^ Te3[t3 & 0xff] ^ rk[24];
+        s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >>  8) & 0xff] ^ Te3[t0 & 0xff] ^ rk[25];
+        s2 = Te0[t2 >> 24] ^ Te1[(t3 >> 16) & 0xff] ^ Te2[(t0 >>  8) & 0xff] ^ Te3[t1 & 0xff] ^ rk[26];
+        s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >>  8) & 0xff] ^ Te3[t2 & 0xff] ^ rk[27];
+        /* round 7: */
+        t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >>  8) & 0xff] ^ Te3[s3 & 0xff] ^ rk[28];
+        t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >>  8) & 0xff] ^ Te3[s0 & 0xff] ^ rk[29];
+        t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >>  8) & 0xff] ^ Te3[s1 & 0xff] ^ rk[30];
+        t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >>  8) & 0xff] ^ Te3[s2 & 0xff] ^ rk[31];
+        /* round 8: */
+        s0 = Te0[t0 >> 24] ^ Te1[(t1 >> 16) & 0xff] ^ Te2[(t2 >>  8) & 0xff] ^ Te3[t3 & 0xff] ^ rk[32];
+        s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >>  8) & 0xff] ^ Te3[t0 & 0xff] ^ rk[33];
+        s2 = Te0[t2 >> 24] ^ Te1[(t3 >> 16) & 0xff] ^ Te2[(t0 >>  8) & 0xff] ^ Te3[t1 & 0xff] ^ rk[34];
+        s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >>  8) & 0xff] ^ Te3[t2 & 0xff] ^ rk[35];
+        /* round 9: */
+        t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >>  8) & 0xff] ^ Te3[s3 & 0xff] ^ rk[36];
+        t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >>  8) & 0xff] ^ Te3[s0 & 0xff] ^ rk[37];
+        t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >>  8) & 0xff] ^ Te3[s1 & 0xff] ^ rk[38];
+        t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >>  8) & 0xff] ^ Te3[s2 & 0xff] ^ rk[39];
+    if (key->rounds > 10) {
+        /* round 10: */
+        s0 = Te0[t0 >> 24] ^ Te1[(t1 >> 16) & 0xff] ^ Te2[(t2 >>  8) & 0xff] ^ Te3[t3 & 0xff] ^ rk[40];
+        s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >>  8) & 0xff] ^ Te3[t0 & 0xff] ^ rk[41];
+        s2 = Te0[t2 >> 24] ^ Te1[(t3 >> 16) & 0xff] ^ Te2[(t0 >>  8) & 0xff] ^ Te3[t1 & 0xff] ^ rk[42];
+        s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >>  8) & 0xff] ^ Te3[t2 & 0xff] ^ rk[43];
+        /* round 11: */
+        t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >>  8) & 0xff] ^ Te3[s3 & 0xff] ^ rk[44];
+        t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >>  8) & 0xff] ^ Te3[s0 & 0xff] ^ rk[45];
+        t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >>  8) & 0xff] ^ Te3[s1 & 0xff] ^ rk[46];
+        t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >>  8) & 0xff] ^ Te3[s2 & 0xff] ^ rk[47];
+        if (key->rounds > 12) {
+            /* round 12: */
+            s0 = Te0[t0 >> 24] ^ Te1[(t1 >> 16) & 0xff] ^ Te2[(t2 >>  8) & 0xff] ^ Te3[t3 & 0xff] ^ rk[48];
+            s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >>  8) & 0xff] ^ Te3[t0 & 0xff] ^ rk[49];
+            s2 = Te0[t2 >> 24] ^ Te1[(t3 >> 16) & 0xff] ^ Te2[(t0 >>  8) & 0xff] ^ Te3[t1 & 0xff] ^ rk[50];
+            s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >>  8) & 0xff] ^ Te3[t2 & 0xff] ^ rk[51];
+            /* round 13: */
+            t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >>  8) & 0xff] ^ Te3[s3 & 0xff] ^ rk[52];
+            t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >>  8) & 0xff] ^ Te3[s0 & 0xff] ^ rk[53];
+            t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >>  8) & 0xff] ^ Te3[s1 & 0xff] ^ rk[54];
+            t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >>  8) & 0xff] ^ Te3[s2 & 0xff] ^ rk[55];
+        }
+    }
+    rk += key->rounds << 2;
+#else  /* !FULL_UNROLL */
+    /*
+     * Nr - 1 full rounds:
+     */
+    r = key->rounds >> 1;
+    for (;;) {
+        t0 =
+            Te0[(s0 >> 24)       ] ^
+            Te1[(s1 >> 16) & 0xff] ^
+            Te2[(s2 >>  8) & 0xff] ^
+            Te3[(s3      ) & 0xff] ^
+            rk[4];
+        t1 =
+            Te0[(s1 >> 24)       ] ^
+            Te1[(s2 >> 16) & 0xff] ^
+            Te2[(s3 >>  8) & 0xff] ^
+            Te3[(s0      ) & 0xff] ^
+            rk[5];
+        t2 =
+            Te0[(s2 >> 24)       ] ^
+            Te1[(s3 >> 16) & 0xff] ^
+            Te2[(s0 >>  8) & 0xff] ^
+            Te3[(s1      ) & 0xff] ^
+            rk[6];
+        t3 =
+            Te0[(s3 >> 24)       ] ^
+            Te1[(s0 >> 16) & 0xff] ^
+            Te2[(s1 >>  8) & 0xff] ^
+            Te3[(s2      ) & 0xff] ^
+            rk[7];
+
+        rk += 8;
+        if (--r == 0) {
+            break;
+        }
+
+        s0 =
+            Te0[(t0 >> 24)       ] ^
+            Te1[(t1 >> 16) & 0xff] ^
+            Te2[(t2 >>  8) & 0xff] ^
+            Te3[(t3      ) & 0xff] ^
+            rk[0];
+        s1 =
+            Te0[(t1 >> 24)       ] ^
+            Te1[(t2 >> 16) & 0xff] ^
+            Te2[(t3 >>  8) & 0xff] ^
+            Te3[(t0      ) & 0xff] ^
+            rk[1];
+        s2 =
+            Te0[(t2 >> 24)       ] ^
+            Te1[(t3 >> 16) & 0xff] ^
+            Te2[(t0 >>  8) & 0xff] ^
+            Te3[(t1      ) & 0xff] ^
+            rk[2];
+        s3 =
+            Te0[(t3 >> 24)       ] ^
+            Te1[(t0 >> 16) & 0xff] ^
+            Te2[(t1 >>  8) & 0xff] ^
+            Te3[(t2      ) & 0xff] ^
+            rk[3];
+    }
+#endif /* ?FULL_UNROLL */
+    /*
+         * apply last round and
+         * map cipher state to byte array block:
+         */
+        s0 =
+                (Te4[(t0 >> 24)       ] & 0xff000000) ^
+                (Te4[(t1 >> 16) & 0xff] & 0x00ff0000) ^
+                (Te4[(t2 >>  8) & 0xff] & 0x0000ff00) ^
+                (Te4[(t3      ) & 0xff] & 0x000000ff) ^
+                rk[0];
+        PUTU32(out     , s0);
+        s1 =
+                (Te4[(t1 >> 24)       ] & 0xff000000) ^
+                (Te4[(t2 >> 16) & 0xff] & 0x00ff0000) ^
+                (Te4[(t3 >>  8) & 0xff] & 0x0000ff00) ^
+                (Te4[(t0      ) & 0xff] & 0x000000ff) ^
+                rk[1];
+        PUTU32(out +  4, s1);
+        s2 =
+                (Te4[(t2 >> 24)       ] & 0xff000000) ^
+                (Te4[(t3 >> 16) & 0xff] & 0x00ff0000) ^
+                (Te4[(t0 >>  8) & 0xff] & 0x0000ff00) ^
+                (Te4[(t1      ) & 0xff] & 0x000000ff) ^
+                rk[2];
+        PUTU32(out +  8, s2);
+        s3 =
+                (Te4[(t3 >> 24)       ] & 0xff000000) ^
+                (Te4[(t0 >> 16) & 0xff] & 0x00ff0000) ^
+                (Te4[(t1 >>  8) & 0xff] & 0x0000ff00) ^
+                (Te4[(t2      ) & 0xff] & 0x000000ff) ^
+                rk[3];
+        PUTU32(out + 12, s3);
+}
+
+/*
+ * Decrypt a single block
+ * in and out can overlap
+ */
+void AES_decrypt(const unsigned char *in, unsigned char *out,
+                 const AES_KEY *key) {
+
+        const u32 *rk;
+        u32 s0, s1, s2, s3, t0, t1, t2, t3;
+#ifndef FULL_UNROLL
+        int r;
+#endif /* ?FULL_UNROLL */
+
+        assert(in && out && key);
+        rk = key->rd_key;
+
+        /*
+         * map byte array block to cipher state
+         * and add initial round key:
+         */
+    s0 = GETU32(in     ) ^ rk[0];
+    s1 = GETU32(in +  4) ^ rk[1];
+    s2 = GETU32(in +  8) ^ rk[2];
+    s3 = GETU32(in + 12) ^ rk[3];
+#ifdef FULL_UNROLL
+    /* round 1: */
+    t0 = Td0[s0 >> 24] ^ Td1[(s3 >> 16) & 0xff] ^ Td2[(s2 >>  8) & 0xff] ^ Td3[s1 & 0xff] ^ rk[ 4];
+    t1 = Td0[s1 >> 24] ^ Td1[(s0 >> 16) & 0xff] ^ Td2[(s3 >>  8) & 0xff] ^ Td3[s2 & 0xff] ^ rk[ 5];
+    t2 = Td0[s2 >> 24] ^ Td1[(s1 >> 16) & 0xff] ^ Td2[(s0 >>  8) & 0xff] ^ Td3[s3 & 0xff] ^ rk[ 6];
+    t3 = Td0[s3 >> 24] ^ Td1[(s2 >> 16) & 0xff] ^ Td2[(s1 >>  8) & 0xff] ^ Td3[s0 & 0xff] ^ rk[ 7];
+    /* round 2: */
+    s0 = Td0[t0 >> 24] ^ Td1[(t3 >> 16) & 0xff] ^ Td2[(t2 >>  8) & 0xff] ^ Td3[t1 & 0xff] ^ rk[ 8];
+    s1 = Td0[t1 >> 24] ^ Td1[(t0 >> 16) & 0xff] ^ Td2[(t3 >>  8) & 0xff] ^ Td3[t2 & 0xff] ^ rk[ 9];
+    s2 = Td0[t2 >> 24] ^ Td1[(t1 >> 16) & 0xff] ^ Td2[(t0 >>  8) & 0xff] ^ Td3[t3 & 0xff] ^ rk[10];
+    s3 = Td0[t3 >> 24] ^ Td1[(t2 >> 16) & 0xff] ^ Td2[(t1 >>  8) & 0xff] ^ Td3[t0 & 0xff] ^ rk[11];
+    /* round 3: */
+    t0 = Td0[s0 >> 24] ^ Td1[(s3 >> 16) & 0xff] ^ Td2[(s2 >>  8) & 0xff] ^ Td3[s1 & 0xff] ^ rk[12];
+    t1 = Td0[s1 >> 24] ^ Td1[(s0 >> 16) & 0xff] ^ Td2[(s3 >>  8) & 0xff] ^ Td3[s2 & 0xff] ^ rk[13];
+    t2 = Td0[s2 >> 24] ^ Td1[(s1 >> 16) & 0xff] ^ Td2[(s0 >>  8) & 0xff] ^ Td3[s3 & 0xff] ^ rk[14];
+    t3 = Td0[s3 >> 24] ^ Td1[(s2 >> 16) & 0xff] ^ Td2[(s1 >>  8) & 0xff] ^ Td3[s0 & 0xff] ^ rk[15];
+    /* round 4: */
+    s0 = Td0[t0 >> 24] ^ Td1[(t3 >> 16) & 0xff] ^ Td2[(t2 >>  8) & 0xff] ^ Td3[t1 & 0xff] ^ rk[16];
+    s1 = Td0[t1 >> 24] ^ Td1[(t0 >> 16) & 0xff] ^ Td2[(t3 >>  8) & 0xff] ^ Td3[t2 & 0xff] ^ rk[17];
+    s2 = Td0[t2 >> 24] ^ Td1[(t1 >> 16) & 0xff] ^ Td2[(t0 >>  8) & 0xff] ^ Td3[t3 & 0xff] ^ rk[18];
+    s3 = Td0[t3 >> 24] ^ Td1[(t2 >> 16) & 0xff] ^ Td2[(t1 >>  8) & 0xff] ^ Td3[t0 & 0xff] ^ rk[19];
+    /* round 5: */
+    t0 = Td0[s0 >> 24] ^ Td1[(s3 >> 16) & 0xff] ^ Td2[(s2 >>  8) & 0xff] ^ Td3[s1 & 0xff] ^ rk[20];
+    t1 = Td0[s1 >> 24] ^ Td1[(s0 >> 16) & 0xff] ^ Td2[(s3 >>  8) & 0xff] ^ Td3[s2 & 0xff] ^ rk[21];
+    t2 = Td0[s2 >> 24] ^ Td1[(s1 >> 16) & 0xff] ^ Td2[(s0 >>  8) & 0xff] ^ Td3[s3 & 0xff] ^ rk[22];
+    t3 = Td0[s3 >> 24] ^ Td1[(s2 >> 16) & 0xff] ^ Td2[(s1 >>  8) & 0xff] ^ Td3[s0 & 0xff] ^ rk[23];
+    /* round 6: */
+    s0 = Td0[t0 >> 24] ^ Td1[(t3 >> 16) & 0xff] ^ Td2[(t2 >>  8) & 0xff] ^ Td3[t1 & 0xff] ^ rk[24];
+    s1 = Td0[t1 >> 24] ^ Td1[(t0 >> 16) & 0xff] ^ Td2[(t3 >>  8) & 0xff] ^ Td3[t2 & 0xff] ^ rk[25];
+    s2 = Td0[t2 >> 24] ^ Td1[(t1 >> 16) & 0xff] ^ Td2[(t0 >>  8) & 0xff] ^ Td3[t3 & 0xff] ^ rk[26];
+    s3 = Td0[t3 >> 24] ^ Td1[(t2 >> 16) & 0xff] ^ Td2[(t1 >>  8) & 0xff] ^ Td3[t0 & 0xff] ^ rk[27];
+    /* round 7: */
+    t0 = Td0[s0 >> 24] ^ Td1[(s3 >> 16) & 0xff] ^ Td2[(s2 >>  8) & 0xff] ^ Td3[s1 & 0xff] ^ rk[28];
+    t1 = Td0[s1 >> 24] ^ Td1[(s0 >> 16) & 0xff] ^ Td2[(s3 >>  8) & 0xff] ^ Td3[s2 & 0xff] ^ rk[29];
+    t2 = Td0[s2 >> 24] ^ Td1[(s1 >> 16) & 0xff] ^ Td2[(s0 >>  8) & 0xff] ^ Td3[s3 & 0xff] ^ rk[30];
+    t3 = Td0[s3 >> 24] ^ Td1[(s2 >> 16) & 0xff] ^ Td2[(s1 >>  8) & 0xff] ^ Td3[s0 & 0xff] ^ rk[31];
+    /* round 8: */
+    s0 = Td0[t0 >> 24] ^ Td1[(t3 >> 16) & 0xff] ^ Td2[(t2 >>  8) & 0xff] ^ Td3[t1 & 0xff] ^ rk[32];
+    s1 = Td0[t1 >> 24] ^ Td1[(t0 >> 16) & 0xff] ^ Td2[(t3 >>  8) & 0xff] ^ Td3[t2 & 0xff] ^ rk[33];
+    s2 = Td0[t2 >> 24] ^ Td1[(t1 >> 16) & 0xff] ^ Td2[(t0 >>  8) & 0xff] ^ Td3[t3 & 0xff] ^ rk[34];
+    s3 = Td0[t3 >> 24] ^ Td1[(t2 >> 16) & 0xff] ^ Td2[(t1 >>  8) & 0xff] ^ Td3[t0 & 0xff] ^ rk[35];
+    /* round 9: */
+    t0 = Td0[s0 >> 24] ^ Td1[(s3 >> 16) & 0xff] ^ Td2[(s2 >>  8) & 0xff] ^ Td3[s1 & 0xff] ^ rk[36];
+    t1 = Td0[s1 >> 24] ^ Td1[(s0 >> 16) & 0xff] ^ Td2[(s3 >>  8) & 0xff] ^ Td3[s2 & 0xff] ^ rk[37];
+    t2 = Td0[s2 >> 24] ^ Td1[(s1 >> 16) & 0xff] ^ Td2[(s0 >>  8) & 0xff] ^ Td3[s3 & 0xff] ^ rk[38];
+    t3 = Td0[s3 >> 24] ^ Td1[(s2 >> 16) & 0xff] ^ Td2[(s1 >>  8) & 0xff] ^ Td3[s0 & 0xff] ^ rk[39];
+    if (key->rounds > 10) {
+        /* round 10: */
+        s0 = Td0[t0 >> 24] ^ Td1[(t3 >> 16) & 0xff] ^ Td2[(t2 >>  8) & 0xff] ^ Td3[t1 & 0xff] ^ rk[40];
+        s1 = Td0[t1 >> 24] ^ Td1[(t0 >> 16) & 0xff] ^ Td2[(t3 >>  8) & 0xff] ^ Td3[t2 & 0xff] ^ rk[41];
+        s2 = Td0[t2 >> 24] ^ Td1[(t1 >> 16) & 0xff] ^ Td2[(t0 >>  8) & 0xff] ^ Td3[t3 & 0xff] ^ rk[42];
+        s3 = Td0[t3 >> 24] ^ Td1[(t2 >> 16) & 0xff] ^ Td2[(t1 >>  8) & 0xff] ^ Td3[t0 & 0xff] ^ rk[43];
+        /* round 11: */
+        t0 = Td0[s0 >> 24] ^ Td1[(s3 >> 16) & 0xff] ^ Td2[(s2 >>  8) & 0xff] ^ Td3[s1 & 0xff] ^ rk[44];
+        t1 = Td0[s1 >> 24] ^ Td1[(s0 >> 16) & 0xff] ^ Td2[(s3 >>  8) & 0xff] ^ Td3[s2 & 0xff] ^ rk[45];
+        t2 = Td0[s2 >> 24] ^ Td1[(s1 >> 16) & 0xff] ^ Td2[(s0 >>  8) & 0xff] ^ Td3[s3 & 0xff] ^ rk[46];
+        t3 = Td0[s3 >> 24] ^ Td1[(s2 >> 16) & 0xff] ^ Td2[(s1 >>  8) & 0xff] ^ Td3[s0 & 0xff] ^ rk[47];
+        if (key->rounds > 12) {
+            /* round 12: */
+            s0 = Td0[t0 >> 24] ^ Td1[(t3 >> 16) & 0xff] ^ Td2[(t2 >>  8) & 0xff] ^ Td3[t1 & 0xff] ^ rk[48];
+            s1 = Td0[t1 >> 24] ^ Td1[(t0 >> 16) & 0xff] ^ Td2[(t3 >>  8) & 0xff] ^ Td3[t2 & 0xff] ^ rk[49];
+            s2 = Td0[t2 >> 24] ^ Td1[(t1 >> 16) & 0xff] ^ Td2[(t0 >>  8) & 0xff] ^ Td3[t3 & 0xff] ^ rk[50];
+            s3 = Td0[t3 >> 24] ^ Td1[(t2 >> 16) & 0xff] ^ Td2[(t1 >>  8) & 0xff] ^ Td3[t0 & 0xff] ^ rk[51];
+            /* round 13: */
+            t0 = Td0[s0 >> 24] ^ Td1[(s3 >> 16) & 0xff] ^ Td2[(s2 >>  8) & 0xff] ^ Td3[s1 & 0xff] ^ rk[52];
+            t1 = Td0[s1 >> 24] ^ Td1[(s0 >> 16) & 0xff] ^ Td2[(s3 >>  8) & 0xff] ^ Td3[s2 & 0xff] ^ rk[53];
+            t2 = Td0[s2 >> 24] ^ Td1[(s1 >> 16) & 0xff] ^ Td2[(s0 >>  8) & 0xff] ^ Td3[s3 & 0xff] ^ rk[54];
+            t3 = Td0[s3 >> 24] ^ Td1[(s2 >> 16) & 0xff] ^ Td2[(s1 >>  8) & 0xff] ^ Td3[s0 & 0xff] ^ rk[55];
+        }
+    }
+        rk += key->rounds << 2;
+#else  /* !FULL_UNROLL */
+    /*
+     * Nr - 1 full rounds:
+     */
+    r = key->rounds >> 1;
+    for (;;) {
+        t0 =
+            Td0[(s0 >> 24)       ] ^
+            Td1[(s3 >> 16) & 0xff] ^
+            Td2[(s2 >>  8) & 0xff] ^
+            Td3[(s1      ) & 0xff] ^
+            rk[4];
+        t1 =
+            Td0[(s1 >> 24)       ] ^
+            Td1[(s0 >> 16) & 0xff] ^
+            Td2[(s3 >>  8) & 0xff] ^
+            Td3[(s2      ) & 0xff] ^
+            rk[5];
+        t2 =
+            Td0[(s2 >> 24)       ] ^
+            Td1[(s1 >> 16) & 0xff] ^
+            Td2[(s0 >>  8) & 0xff] ^
+            Td3[(s3      ) & 0xff] ^
+            rk[6];
+        t3 =
+            Td0[(s3 >> 24)       ] ^
+            Td1[(s2 >> 16) & 0xff] ^
+            Td2[(s1 >>  8) & 0xff] ^
+            Td3[(s0      ) & 0xff] ^
+            rk[7];
+
+        rk += 8;
+        if (--r == 0) {
+            break;
+        }
+
+        s0 =
+            Td0[(t0 >> 24)       ] ^
+            Td1[(t3 >> 16) & 0xff] ^
+            Td2[(t2 >>  8) & 0xff] ^
+            Td3[(t1      ) & 0xff] ^
+            rk[0];
+        s1 =
+            Td0[(t1 >> 24)       ] ^
+            Td1[(t0 >> 16) & 0xff] ^
+            Td2[(t3 >>  8) & 0xff] ^
+            Td3[(t2      ) & 0xff] ^
+            rk[1];
+        s2 =
+            Td0[(t2 >> 24)       ] ^
+            Td1[(t1 >> 16) & 0xff] ^
+            Td2[(t0 >>  8) & 0xff] ^
+            Td3[(t3      ) & 0xff] ^
+            rk[2];
+        s3 =
+            Td0[(t3 >> 24)       ] ^
+            Td1[(t2 >> 16) & 0xff] ^
+            Td2[(t1 >>  8) & 0xff] ^
+            Td3[(t0      ) & 0xff] ^
+            rk[3];
+    }
+#endif /* ?FULL_UNROLL */
+    /*
+         * apply last round and
+         * map cipher state to byte array block:
+         */
+        s0 =
+                (Td4[(t0 >> 24)       ] & 0xff000000) ^
+                (Td4[(t3 >> 16) & 0xff] & 0x00ff0000) ^
+                (Td4[(t2 >>  8) & 0xff] & 0x0000ff00) ^
+                (Td4[(t1      ) & 0xff] & 0x000000ff) ^
+                rk[0];
+        PUTU32(out     , s0);
+        s1 =
+                (Td4[(t1 >> 24)       ] & 0xff000000) ^
+                (Td4[(t0 >> 16) & 0xff] & 0x00ff0000) ^
+                (Td4[(t3 >>  8) & 0xff] & 0x0000ff00) ^
+                (Td4[(t2      ) & 0xff] & 0x000000ff) ^
+                rk[1];
+        PUTU32(out +  4, s1);
+        s2 =
+                (Td4[(t2 >> 24)       ] & 0xff000000) ^
+                (Td4[(t1 >> 16) & 0xff] & 0x00ff0000) ^
+                (Td4[(t0 >>  8) & 0xff] & 0x0000ff00) ^
+                (Td4[(t3      ) & 0xff] & 0x000000ff) ^
+                rk[2];
+        PUTU32(out +  8, s2);
+        s3 =
+                (Td4[(t3 >> 24)       ] & 0xff000000) ^
+                (Td4[(t2 >> 16) & 0xff] & 0x00ff0000) ^
+                (Td4[(t1 >>  8) & 0xff] & 0x0000ff00) ^
+                (Td4[(t0      ) & 0xff] & 0x000000ff) ^
+                rk[3];
+        PUTU32(out + 12, s3);
+}
+
diff --git a/src/lib/libcrypto/aes/aes_ctr.c b/src/lib/libcrypto/aes/aes_ctr.c
new file mode 100644
index 0000000000..8e800481de
--- /dev/null
+++ b/src/lib/libcrypto/aes/aes_ctr.c
@@ -0,0 +1,117 @@
+/* crypto/aes/aes_ctr.c -*- mode:C; c-file-style: "eay" -*- */
+/* ====================================================================
+ * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ */
+
+#include <assert.h>
+#include <openssl/aes.h>
+#include "aes_locl.h"
+
+/* NOTE: CTR mode is big-endian.  The rest of the AES code
+ * is endian-neutral. */
+
+/* increment counter (128-bit int) by 2^64 */
+static void AES_ctr128_inc(unsigned char *counter) {
+        unsigned long c;
+
+        /* Grab 3rd dword of counter and increment */
+#ifdef L_ENDIAN
+        c = GETU32(counter + 8);
+        c++;
+        PUTU32(counter + 8, c);
+#else
+        c = GETU32(counter + 4);
+        c++;
+        PUTU32(counter + 4, c);
+#endif
+
+        /* if no overflow, we're done */
+        if (c)
+                return;
+
+        /* Grab top dword of counter and increment */
+#ifdef L_ENDIAN
+        c = GETU32(counter + 12);
+        c++;
+        PUTU32(counter + 12, c);
+#else
+        c = GETU32(counter +  0);
+        c++;
+        PUTU32(counter +  0, c);
+#endif
+
+}
+
+/* The input encrypted as though 128bit counter mode is being
+ * used.  The extra state information to record how much of the
+ * 128bit block we have used is contained in *num;
+ */
+void AES_ctr128_encrypt(const unsigned char *in, unsigned char *out,
+        const unsigned long length, const AES_KEY *key,
+        unsigned char *counter, unsigned int *num) {
+
+        unsigned int n;
+        unsigned long l=length;
+        unsigned char tmp[AES_BLOCK_SIZE];
+
+        assert(in && out && key && counter && num);
+
+        n = *num;
+
+        while (l--) {
+                if (n == 0) {
+                        AES_ctr128_inc(counter);
+                        AES_encrypt(counter, tmp, key);
+                }
+                *(out++) = *(in++) ^ tmp[n];
+                n = (n+1) % AES_BLOCK_SIZE;
+        }
+
+        *num=n;
+}
diff --git a/src/lib/libcrypto/aes/aes_ecb.c b/src/lib/libcrypto/aes/aes_ecb.c
new file mode 100644
index 0000000000..1cb2e07d3d
--- /dev/null
+++ b/src/lib/libcrypto/aes/aes_ecb.c
@@ -0,0 +1,67 @@
+/* crypto/aes/aes_ecb.c -*- mode:C; c-file-style: "eay" -*- */
+/* ====================================================================
+ * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ */
+
+#include <assert.h>
+#include <openssl/aes.h>
+#include "aes_locl.h"
+
+void AES_ecb_encrypt(const unsigned char *in, unsigned char *out,
+                     const AES_KEY *key, const int enc) {
+
+        assert(in && out && key);
+        assert((AES_ENCRYPT == enc)||(AES_DECRYPT == enc));
+
+        if (AES_ENCRYPT == enc)
+                AES_encrypt(in, out, key);
+        else
+                AES_decrypt(in, out, key);
+}
+
diff --git a/src/lib/libcrypto/aes/aes_locl.h b/src/lib/libcrypto/aes/aes_locl.h
new file mode 100644
index 0000000000..541d1d6e84
--- /dev/null
+++ b/src/lib/libcrypto/aes/aes_locl.h
@@ -0,0 +1,88 @@
+/* crypto/aes/aes.h -*- mode:C; c-file-style: "eay" -*- */
+/* ====================================================================
+ * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ */
+
+#ifndef HEADER_AES_LOCL_H
+#define HEADER_AES_LOCL_H
+
+#include <openssl/e_os2.h>
+
+#ifdef OPENSSL_NO_AES
+#error AES is disabled.
+#endif
+
+#include <stdio.h>
+#include <stdlib.h>
+
+#if defined(__STDC__) || defined(OPENSSL_SYS_VMS) || defined(M_XENIX) || defined(OPENSSL_SYS_MSDOS)
+#include <string.h>
+#endif
+
+#ifdef _MSC_VER
+# define SWAP(x) (_lrotl(x, 8) & 0x00ff00ff | _lrotr(x, 8) & 0xff00ff00)
+# define GETU32(p) SWAP(*((u32 *)(p)))
+# define PUTU32(ct, st) { *((u32 *)(ct)) = SWAP((st)); }
+#else
+# define GETU32(pt) (((u32)(pt)[0] << 24) ^ ((u32)(pt)[1] << 16) ^ ((u32)(pt)[2] <<  8) ^ ((u32)(pt)[3]))
+# define PUTU32(ct, st) { (ct)[0] = (u8)((st) >> 24); (ct)[1] = (u8)((st) >> 16); (ct)[2] = (u8)((st) >>  8); (ct)[3] = (u8)(st); }
+#endif
+
+typedef unsigned long u32;
+typedef unsigned short u16;
+typedef unsigned char u8;
+
+#define MAXKC   (256/32)
+#define MAXKB   (256/8)
+#define MAXNR   14
+
+/* This controls loop-unrolling in aes_core.c */
+#undef FULL_UNROLL
+
+#endif /* !HEADER_AES_LOCL_H */
diff --git a/src/lib/libcrypto/aes/aes_misc.c b/src/lib/libcrypto/aes/aes_misc.c
new file mode 100644
index 0000000000..090def25d5
--- /dev/null
+++ b/src/lib/libcrypto/aes/aes_misc.c
@@ -0,0 +1,64 @@
+/* crypto/aes/aes_misc.c -*- mode:C; c-file-style: "eay" -*- */
+/* ====================================================================
+ * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ */
+
+#include <openssl/opensslv.h>
+#include <openssl/aes.h>
+#include "aes_locl.h"
+
+const char *AES_version="AES" OPENSSL_VERSION_PTEXT;
+
+const char *AES_options(void) {
+#ifdef FULL_UNROLL
+        return "aes(full)";
+#else   
+        return "aes(partial)";
+#endif
+}
diff --git a/src/lib/libcrypto/aes/aes_ofb.c b/src/lib/libcrypto/aes/aes_ofb.c
new file mode 100644
index 0000000000..e33bdaea28
--- /dev/null
+++ b/src/lib/libcrypto/aes/aes_ofb.c
@@ -0,0 +1,136 @@
+/* crypto/aes/aes_ofb.c -*- mode:C; c-file-style: "eay" -*- */
+/* ====================================================================
+ * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <assert.h>
+#include <openssl/aes.h>
+#include "aes_locl.h"
+
+/* The input and output encrypted as though 128bit ofb mode is being
+ * used.  The extra state information to record how much of the
+ * 128bit block we have used is contained in *num;
+ */
+void AES_ofb128_encrypt(const unsigned char *in, unsigned char *out,
+        const unsigned long length, const AES_KEY *key,
+        unsigned char *ivec, int *num) {
+
+        unsigned int n;
+        unsigned long l=length;
+
+        assert(in && out && key && ivec && num);
+
+        n = *num;
+
+        while (l--) {
+                if (n == 0) {
+                        AES_encrypt(ivec, ivec, key);
+                }
+                *(out++) = *(in++) ^ ivec[n];
+                n = (n+1) % AES_BLOCK_SIZE;
+        }
+
+        *num=n;
+}
diff --git a/src/lib/libcrypto/asn1/Makefile.ssl b/src/lib/libcrypto/asn1/Makefile.ssl
index dace5be2bc..b423419ba3 100644
--- a/src/lib/libcrypto/asn1/Makefile.ssl
+++ b/src/lib/libcrypto/asn1/Makefile.ssl
@@ -5,13 +5,14 @@
 DIR=    asn1
 TOP=    ../..
 CC=     cc
-INCLUDES= -I.. -I../../include
+INCLUDES= -I.. -I$(TOP) -I../../include
 CFLAG=-g
 INSTALL_PREFIX=
 OPENSSLDIR=     /usr/local/ssl
 INSTALLTOP=/usr/local/ssl
 MAKE=           make -f Makefile.ssl
-MAKEDEPEND=     $(TOP)/util/domd $(TOP)
+MAKEDEPPROG=    makedepend
+MAKEDEPEND=     $(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)
 MAKEFILE=       Makefile.ssl
 AR=             ar r
 
@@ -23,39 +24,33 @@ APPS=
 
 LIB=$(TOP)/libcrypto.a
 LIBSRC= a_object.c a_bitstr.c a_utctm.c a_gentm.c a_time.c a_int.c a_octet.c \
-        a_null.c a_print.c a_type.c a_set.c a_dup.c a_d2i_fp.c a_i2d_fp.c a_bmp.c \
-        a_enum.c a_vis.c a_utf8.c a_sign.c a_digest.c a_verify.c a_mbstr.c a_strex.c \
-        x_algor.c x_val.c x_pubkey.c x_sig.c x_req.c x_attrib.c \
-        x_name.c x_cinf.c x_x509.c x_x509a.c x_crl.c x_info.c x_spki.c nsseq.c \
-        d2i_r_pr.c i2d_r_pr.c d2i_r_pu.c i2d_r_pu.c \
-        d2i_s_pr.c i2d_s_pr.c d2i_s_pu.c i2d_s_pu.c \
+        a_print.c a_type.c a_set.c a_dup.c a_d2i_fp.c a_i2d_fp.c \
+        a_enum.c a_utf8.c a_sign.c a_digest.c a_verify.c a_mbstr.c a_strex.c \
+        x_algor.c x_val.c x_pubkey.c x_sig.c x_req.c x_attrib.c x_bignum.c \
+        x_long.c x_name.c x_x509.c x_x509a.c x_crl.c x_info.c x_spki.c nsseq.c \
         d2i_pu.c d2i_pr.c i2d_pu.c i2d_pr.c\
         t_req.c t_x509.c t_x509a.c t_crl.c t_pkey.c t_spki.c t_bitst.c \
-        p7_i_s.c p7_signi.c p7_signd.c p7_recip.c p7_enc_c.c p7_evp.c \
-        p7_dgst.c p7_s_e.c p7_enc.c p7_lib.c \
-        f_int.c f_string.c i2d_dhp.c i2d_dsap.c d2i_dhp.c d2i_dsap.c n_pkey.c \
+        tasn_new.c tasn_fre.c tasn_enc.c tasn_dec.c tasn_utl.c tasn_typ.c \
+        f_int.c f_string.c n_pkey.c \
         f_enum.c a_hdr.c x_pkey.c a_bool.c x_exten.c \
         asn1_par.c asn1_lib.c asn1_err.c a_meth.c a_bytes.c a_strnid.c \
-        evp_asn1.c asn_pack.c p5_pbe.c p5_pbev2.c p8_pkey.c
+        evp_asn1.c asn_pack.c p5_pbe.c p5_pbev2.c p8_pkey.c asn_moid.c
 LIBOBJ= a_object.o a_bitstr.o a_utctm.o a_gentm.o a_time.o a_int.o a_octet.o \
-        a_null.o a_print.o a_type.o a_set.o a_dup.o a_d2i_fp.o a_i2d_fp.o a_bmp.o \
-        a_enum.o a_vis.o a_utf8.o a_sign.o a_digest.o a_verify.o a_mbstr.o a_strex.o \
-        x_algor.o x_val.o x_pubkey.o x_sig.o x_req.o x_attrib.o \
-        x_name.o x_cinf.o x_x509.o x_x509a.o x_crl.o x_info.o x_spki.o nsseq.o \
-        d2i_r_pr.o i2d_r_pr.o d2i_r_pu.o i2d_r_pu.o \
-        d2i_s_pr.o i2d_s_pr.o d2i_s_pu.o i2d_s_pu.o \
+        a_print.o a_type.o a_set.o a_dup.o a_d2i_fp.o a_i2d_fp.o \
+        a_enum.o a_utf8.o a_sign.o a_digest.o a_verify.o a_mbstr.o a_strex.o \
+        x_algor.o x_val.o x_pubkey.o x_sig.o x_req.o x_attrib.o x_bignum.o \
+        x_long.o x_name.o x_x509.o x_x509a.o x_crl.o x_info.o x_spki.o nsseq.o \
         d2i_pu.o d2i_pr.o i2d_pu.o i2d_pr.o \
         t_req.o t_x509.o t_x509a.o t_crl.o t_pkey.o t_spki.o t_bitst.o \
-        p7_i_s.o p7_signi.o p7_signd.o p7_recip.o p7_enc_c.o p7_evp.o \
-        p7_dgst.o p7_s_e.o p7_enc.o p7_lib.o \
-        f_int.o f_string.o i2d_dhp.o i2d_dsap.o d2i_dhp.o d2i_dsap.o n_pkey.o \
+        tasn_new.o tasn_fre.o tasn_enc.o tasn_dec.o tasn_utl.o tasn_typ.o \
+        f_int.o f_string.o n_pkey.o \
         f_enum.o a_hdr.o x_pkey.o a_bool.o x_exten.o \
         asn1_par.o asn1_lib.o asn1_err.o a_meth.o a_bytes.o a_strnid.o \
-        evp_asn1.o asn_pack.o p5_pbe.o p5_pbev2.o p8_pkey.o
+        evp_asn1.o asn_pack.o p5_pbe.o p5_pbev2.o p8_pkey.o asn_moid.o
 
 SRC= $(LIBSRC)
 
-EXHEADER=  asn1.h asn1_mac.h
+EXHEADER=  asn1.h asn1_mac.h asn1t.h
 HEADER= $(EXHEADER)
 
 ALL=    $(GENERAL) $(SRC) $(HEADER)
@@ -75,8 +70,7 @@ all:	lib
 
 lib:    $(LIBOBJ)
         $(AR) $(LIB) $(LIBOBJ)
-        @echo You may get an error following this line.  Please ignore.
-        - $(RANLIB) $(LIB)
+        $(RANLIB) $(LIB) || echo Never mind.
         @touch lib
 
 files:
@@ -116,1231 +110,777 @@ clean:
 
 # DO NOT DELETE THIS LINE -- make depend depends on it.
 
-a_bitstr.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-a_bitstr.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-a_bitstr.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+a_bitstr.o: ../../e_os.h ../../include/openssl/asn1.h
+a_bitstr.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+a_bitstr.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 a_bitstr.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 a_bitstr.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-a_bitstr.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-a_bitstr.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-a_bitstr.o: ../cryptlib.h
-a_bmp.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-a_bmp.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-a_bmp.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
-a_bmp.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-a_bmp.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-a_bmp.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-a_bmp.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-a_bmp.o: ../cryptlib.h
-a_bool.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+a_bitstr.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+a_bitstr.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+a_bitstr.o: ../../include/openssl/symhacks.h ../cryptlib.h a_bitstr.c
+a_bool.o: ../../e_os.h ../../include/openssl/asn1.h
+a_bool.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
 a_bool.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-a_bool.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
-a_bool.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-a_bool.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-a_bool.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+a_bool.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+a_bool.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+a_bool.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+a_bool.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
 a_bool.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-a_bool.o: ../cryptlib.h
-a_bytes.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+a_bool.o: ../cryptlib.h a_bool.c
+a_bytes.o: ../../e_os.h ../../include/openssl/asn1.h
 a_bytes.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
 a_bytes.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-a_bytes.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-a_bytes.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
-a_bytes.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+a_bytes.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+a_bytes.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
+a_bytes.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 a_bytes.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-a_bytes.o: ../../include/openssl/symhacks.h ../cryptlib.h
-a_d2i_fp.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
-a_d2i_fp.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
-a_d2i_fp.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-a_d2i_fp.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+a_bytes.o: ../../include/openssl/symhacks.h ../cryptlib.h a_bytes.c
+a_d2i_fp.o: ../../e_os.h ../../include/openssl/asn1.h
+a_d2i_fp.o: ../../include/openssl/asn1_mac.h ../../include/openssl/bio.h
+a_d2i_fp.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+a_d2i_fp.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
 a_d2i_fp.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
 a_d2i_fp.o: ../../include/openssl/opensslconf.h
-a_d2i_fp.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-a_d2i_fp.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-a_d2i_fp.o: ../cryptlib.h
-a_digest.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-a_digest.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-a_digest.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-a_digest.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+a_d2i_fp.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+a_d2i_fp.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+a_d2i_fp.o: ../../include/openssl/symhacks.h ../cryptlib.h a_d2i_fp.c
+a_digest.o: ../../e_os.h ../../include/openssl/asn1.h
+a_digest.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+a_digest.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 a_digest.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-a_digest.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-a_digest.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-a_digest.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-a_digest.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-a_digest.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+a_digest.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+a_digest.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 a_digest.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 a_digest.o: ../../include/openssl/opensslconf.h
-a_digest.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
-a_digest.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-a_digest.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-a_digest.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-a_digest.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-a_digest.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-a_digest.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
-a_dup.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
-a_dup.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
-a_dup.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-a_dup.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+a_digest.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+a_digest.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
+a_digest.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+a_digest.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+a_digest.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+a_digest.o: ../cryptlib.h a_digest.c
+a_dup.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
+a_dup.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+a_dup.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
 a_dup.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
 a_dup.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-a_dup.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-a_dup.o: ../../include/openssl/symhacks.h ../cryptlib.h
-a_enum.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+a_dup.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
+a_dup.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+a_dup.o: ../cryptlib.h a_dup.c
+a_enum.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
 a_enum.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-a_enum.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
-a_enum.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-a_enum.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-a_enum.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+a_enum.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+a_enum.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+a_enum.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+a_enum.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
 a_enum.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-a_enum.o: ../cryptlib.h
-a_gentm.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-a_gentm.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-a_gentm.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+a_enum.o: ../cryptlib.h a_enum.c
+a_gentm.o: ../../e_os.h ../../include/openssl/asn1.h
+a_gentm.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+a_gentm.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 a_gentm.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 a_gentm.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-a_gentm.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-a_gentm.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-a_gentm.o: ../cryptlib.h
-a_hdr.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
-a_hdr.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
-a_hdr.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-a_hdr.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+a_gentm.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+a_gentm.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+a_gentm.o: ../../include/openssl/symhacks.h ../cryptlib.h ../o_time.h a_gentm.c
+a_hdr.o: ../../e_os.h ../../include/openssl/asn1.h
+a_hdr.o: ../../include/openssl/asn1_mac.h ../../include/openssl/bio.h
+a_hdr.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+a_hdr.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
 a_hdr.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
 a_hdr.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-a_hdr.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-a_hdr.o: ../../include/openssl/symhacks.h ../cryptlib.h
-a_i2d_fp.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+a_hdr.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
+a_hdr.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+a_hdr.o: ../cryptlib.h a_hdr.c
+a_i2d_fp.o: ../../e_os.h ../../include/openssl/asn1.h
 a_i2d_fp.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
 a_i2d_fp.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-a_i2d_fp.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-a_i2d_fp.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
-a_i2d_fp.o: ../../include/openssl/opensslconf.h
-a_i2d_fp.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-a_i2d_fp.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-a_i2d_fp.o: ../cryptlib.h
-a_int.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+a_i2d_fp.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+a_i2d_fp.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
+a_i2d_fp.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+a_i2d_fp.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+a_i2d_fp.o: ../../include/openssl/symhacks.h ../cryptlib.h a_i2d_fp.c
+a_int.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
 a_int.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-a_int.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
-a_int.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-a_int.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-a_int.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+a_int.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+a_int.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+a_int.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+a_int.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
 a_int.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-a_int.o: ../cryptlib.h
-a_mbstr.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-a_mbstr.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-a_mbstr.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+a_int.o: ../cryptlib.h a_int.c
+a_mbstr.o: ../../e_os.h ../../include/openssl/asn1.h
+a_mbstr.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+a_mbstr.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 a_mbstr.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 a_mbstr.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-a_mbstr.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-a_mbstr.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-a_mbstr.o: ../cryptlib.h
-a_meth.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+a_mbstr.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+a_mbstr.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+a_mbstr.o: ../../include/openssl/symhacks.h ../cryptlib.h a_mbstr.c
+a_meth.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
 a_meth.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-a_meth.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
-a_meth.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-a_meth.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-a_meth.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+a_meth.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+a_meth.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+a_meth.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+a_meth.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
 a_meth.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-a_meth.o: ../cryptlib.h
-a_null.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-a_null.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-a_null.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
-a_null.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-a_null.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-a_null.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-a_null.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-a_null.o: ../cryptlib.h
-a_object.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-a_object.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-a_object.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+a_meth.o: ../cryptlib.h a_meth.c
+a_object.o: ../../e_os.h ../../include/openssl/asn1.h
+a_object.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+a_object.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 a_object.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 a_object.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
 a_object.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-a_object.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-a_object.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-a_object.o: ../cryptlib.h
-a_octet.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-a_octet.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-a_octet.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+a_object.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+a_object.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+a_object.o: ../../include/openssl/symhacks.h ../cryptlib.h a_object.c
+a_octet.o: ../../e_os.h ../../include/openssl/asn1.h
+a_octet.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+a_octet.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 a_octet.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 a_octet.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-a_octet.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-a_octet.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-a_octet.o: ../cryptlib.h
-a_print.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-a_print.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-a_print.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+a_octet.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+a_octet.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+a_octet.o: ../../include/openssl/symhacks.h ../cryptlib.h a_octet.c
+a_print.o: ../../e_os.h ../../include/openssl/asn1.h
+a_print.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+a_print.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 a_print.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 a_print.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-a_print.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-a_print.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-a_print.o: ../cryptlib.h
-a_set.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
-a_set.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
-a_set.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-a_set.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+a_print.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+a_print.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+a_print.o: ../../include/openssl/symhacks.h ../cryptlib.h a_print.c
+a_set.o: ../../e_os.h ../../include/openssl/asn1.h
+a_set.o: ../../include/openssl/asn1_mac.h ../../include/openssl/bio.h
+a_set.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+a_set.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
 a_set.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
 a_set.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-a_set.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-a_set.o: ../../include/openssl/symhacks.h ../cryptlib.h
-a_sign.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-a_sign.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-a_sign.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-a_sign.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-a_sign.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-a_sign.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+a_set.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
+a_set.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+a_set.o: ../cryptlib.h a_set.c
+a_sign.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
+a_sign.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+a_sign.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
+a_sign.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
 a_sign.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-a_sign.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-a_sign.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-a_sign.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-a_sign.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-a_sign.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-a_sign.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-a_sign.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-a_sign.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+a_sign.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+a_sign.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+a_sign.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+a_sign.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
 a_sign.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
 a_sign.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 a_sign.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-a_sign.o: ../cryptlib.h
+a_sign.o: ../cryptlib.h a_sign.c
 a_strex.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-a_strex.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-a_strex.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-a_strex.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-a_strex.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-a_strex.o: ../../include/openssl/e_os2.h ../../include/openssl/evp.h
-a_strex.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-a_strex.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-a_strex.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+a_strex.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+a_strex.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
+a_strex.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+a_strex.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 a_strex.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 a_strex.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-a_strex.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-a_strex.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-a_strex.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-a_strex.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-a_strex.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-a_strex.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-a_strex.o: charmap.h
-a_strnid.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-a_strnid.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-a_strnid.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+a_strex.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+a_strex.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+a_strex.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+a_strex.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+a_strex.o: ../../include/openssl/x509_vfy.h a_strex.c charmap.h
+a_strnid.o: ../../e_os.h ../../include/openssl/asn1.h
+a_strnid.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+a_strnid.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 a_strnid.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 a_strnid.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
 a_strnid.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-a_strnid.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-a_strnid.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-a_strnid.o: ../cryptlib.h
-a_time.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+a_strnid.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+a_strnid.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+a_strnid.o: ../../include/openssl/symhacks.h ../cryptlib.h a_strnid.c
+a_time.o: ../../e_os.h ../../include/openssl/asn1.h
+a_time.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
 a_time.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-a_time.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
-a_time.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-a_time.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-a_time.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+a_time.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+a_time.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+a_time.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+a_time.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
 a_time.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-a_time.o: ../cryptlib.h
-a_type.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
-a_type.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
-a_type.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-a_type.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+a_time.o: ../cryptlib.h ../o_time.h a_time.c
+a_type.o: ../../e_os.h ../../include/openssl/asn1.h
+a_type.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
+a_type.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+a_type.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
 a_type.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
 a_type.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-a_type.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-a_type.o: ../../include/openssl/symhacks.h ../cryptlib.h
-a_utctm.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-a_utctm.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-a_utctm.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+a_type.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
+a_type.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+a_type.o: ../cryptlib.h a_type.c
+a_utctm.o: ../../e_os.h ../../include/openssl/asn1.h
+a_utctm.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+a_utctm.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 a_utctm.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 a_utctm.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-a_utctm.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-a_utctm.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-a_utctm.o: ../cryptlib.h
-a_utf8.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+a_utctm.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+a_utctm.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+a_utctm.o: ../../include/openssl/symhacks.h ../cryptlib.h ../o_time.h a_utctm.c
+a_utf8.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
 a_utf8.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-a_utf8.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
-a_utf8.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-a_utf8.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-a_utf8.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+a_utf8.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+a_utf8.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+a_utf8.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+a_utf8.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
 a_utf8.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-a_utf8.o: ../cryptlib.h
-a_verify.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-a_verify.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-a_verify.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-a_verify.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+a_utf8.o: ../cryptlib.h a_utf8.c
+a_verify.o: ../../e_os.h ../../include/openssl/asn1.h
+a_verify.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+a_verify.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 a_verify.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-a_verify.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-a_verify.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-a_verify.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-a_verify.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-a_verify.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+a_verify.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+a_verify.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 a_verify.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 a_verify.o: ../../include/openssl/opensslconf.h
-a_verify.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
-a_verify.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-a_verify.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-a_verify.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-a_verify.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-a_verify.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-a_verify.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
-a_vis.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-a_vis.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-a_vis.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
-a_vis.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-a_vis.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-a_vis.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-a_vis.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-a_vis.o: ../cryptlib.h
+a_verify.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+a_verify.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
+a_verify.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+a_verify.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+a_verify.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+a_verify.o: ../cryptlib.h a_verify.c
 asn1_err.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
 asn1_err.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h
-asn1_err.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
-asn1_err.o: ../../include/openssl/opensslconf.h
-asn1_err.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-asn1_err.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-asn1_lib.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
+asn1_err.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+asn1_err.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
+asn1_err.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+asn1_err.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+asn1_err.o: ../../include/openssl/symhacks.h asn1_err.c
+asn1_lib.o: ../../e_os.h ../../include/openssl/asn1.h
 asn1_lib.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
 asn1_lib.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-asn1_lib.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-asn1_lib.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
-asn1_lib.o: ../../include/openssl/opensslconf.h
-asn1_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-asn1_lib.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-asn1_lib.o: ../cryptlib.h
-asn1_par.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-asn1_par.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-asn1_par.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+asn1_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+asn1_lib.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
+asn1_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+asn1_lib.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+asn1_lib.o: ../../include/openssl/symhacks.h ../cryptlib.h asn1_lib.c
+asn1_par.o: ../../e_os.h ../../include/openssl/asn1.h
+asn1_par.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+asn1_par.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 asn1_par.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 asn1_par.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
 asn1_par.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-asn1_par.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-asn1_par.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-asn1_par.o: ../cryptlib.h
-asn_pack.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-asn_pack.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-asn_pack.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+asn1_par.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+asn1_par.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+asn1_par.o: ../../include/openssl/symhacks.h ../cryptlib.h asn1_par.c
+asn_moid.o: ../../e_os.h ../../include/openssl/asn1.h
+asn_moid.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+asn_moid.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
+asn_moid.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
+asn_moid.o: ../../include/openssl/dsa.h ../../include/openssl/dso.h
+asn_moid.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+asn_moid.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+asn_moid.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+asn_moid.o: ../../include/openssl/opensslconf.h
+asn_moid.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+asn_moid.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
+asn_moid.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+asn_moid.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+asn_moid.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+asn_moid.o: ../cryptlib.h asn_moid.c
+asn_pack.o: ../../e_os.h ../../include/openssl/asn1.h
+asn_pack.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+asn_pack.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 asn_pack.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 asn_pack.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-asn_pack.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-asn_pack.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-asn_pack.o: ../cryptlib.h
-d2i_dhp.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
-d2i_dhp.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
-d2i_dhp.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-d2i_dhp.o: ../../include/openssl/dh.h ../../include/openssl/e_os.h
-d2i_dhp.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-d2i_dhp.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
-d2i_dhp.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-d2i_dhp.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-d2i_dhp.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-d2i_dhp.o: ../cryptlib.h
-d2i_dsap.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
-d2i_dsap.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
-d2i_dsap.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-d2i_dsap.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-d2i_dsap.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-d2i_dsap.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
-d2i_dsap.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-d2i_dsap.o: ../../include/openssl/opensslconf.h
-d2i_dsap.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-d2i_dsap.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-d2i_dsap.o: ../cryptlib.h
-d2i_pr.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-d2i_pr.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-d2i_pr.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-d2i_pr.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-d2i_pr.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-d2i_pr.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+asn_pack.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+asn_pack.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+asn_pack.o: ../../include/openssl/symhacks.h ../cryptlib.h asn_pack.c
+d2i_pr.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
+d2i_pr.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+d2i_pr.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
+d2i_pr.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
 d2i_pr.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-d2i_pr.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-d2i_pr.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-d2i_pr.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-d2i_pr.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-d2i_pr.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-d2i_pr.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-d2i_pr.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+d2i_pr.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+d2i_pr.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+d2i_pr.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 d2i_pr.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-d2i_pr.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-d2i_pr.o: ../../include/openssl/symhacks.h ../cryptlib.h
-d2i_pu.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-d2i_pu.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-d2i_pu.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-d2i_pu.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-d2i_pu.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-d2i_pu.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+d2i_pr.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+d2i_pr.o: ../cryptlib.h d2i_pr.c
+d2i_pu.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
+d2i_pu.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+d2i_pu.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
+d2i_pu.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
 d2i_pu.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-d2i_pu.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-d2i_pu.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-d2i_pu.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-d2i_pu.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-d2i_pu.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-d2i_pu.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-d2i_pu.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+d2i_pu.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+d2i_pu.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+d2i_pu.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 d2i_pu.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-d2i_pu.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-d2i_pu.o: ../../include/openssl/symhacks.h ../cryptlib.h
-d2i_r_pr.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
-d2i_r_pr.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
-d2i_r_pr.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-d2i_r_pr.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-d2i_r_pr.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
-d2i_r_pr.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-d2i_r_pr.o: ../../include/openssl/opensslconf.h
-d2i_r_pr.o: ../../include/openssl/opensslv.h ../../include/openssl/rsa.h
-d2i_r_pr.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-d2i_r_pr.o: ../../include/openssl/symhacks.h ../cryptlib.h
-d2i_r_pu.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
-d2i_r_pu.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
-d2i_r_pu.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-d2i_r_pu.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-d2i_r_pu.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
-d2i_r_pu.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-d2i_r_pu.o: ../../include/openssl/opensslconf.h
-d2i_r_pu.o: ../../include/openssl/opensslv.h ../../include/openssl/rsa.h
-d2i_r_pu.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-d2i_r_pu.o: ../../include/openssl/symhacks.h ../cryptlib.h
-d2i_s_pr.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
-d2i_s_pr.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
-d2i_s_pr.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-d2i_s_pr.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-d2i_s_pr.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-d2i_s_pr.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
-d2i_s_pr.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-d2i_s_pr.o: ../../include/openssl/opensslconf.h
-d2i_s_pr.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-d2i_s_pr.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-d2i_s_pr.o: ../cryptlib.h
-d2i_s_pu.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
-d2i_s_pu.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
-d2i_s_pu.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-d2i_s_pu.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-d2i_s_pu.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-d2i_s_pu.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
-d2i_s_pu.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-d2i_s_pu.o: ../../include/openssl/opensslconf.h
-d2i_s_pu.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-d2i_s_pu.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-d2i_s_pu.o: ../cryptlib.h
-evp_asn1.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
-evp_asn1.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
-evp_asn1.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-evp_asn1.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+d2i_pu.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+d2i_pu.o: ../cryptlib.h d2i_pu.c
+evp_asn1.o: ../../e_os.h ../../include/openssl/asn1.h
+evp_asn1.o: ../../include/openssl/asn1_mac.h ../../include/openssl/bio.h
+evp_asn1.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+evp_asn1.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
 evp_asn1.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
 evp_asn1.o: ../../include/openssl/opensslconf.h
-evp_asn1.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-evp_asn1.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-evp_asn1.o: ../cryptlib.h
-f_enum.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+evp_asn1.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+evp_asn1.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+evp_asn1.o: ../../include/openssl/symhacks.h ../cryptlib.h evp_asn1.c
+f_enum.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
 f_enum.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-f_enum.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
-f_enum.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-f_enum.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-f_enum.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+f_enum.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+f_enum.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+f_enum.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+f_enum.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
 f_enum.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-f_enum.o: ../cryptlib.h
-f_int.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+f_enum.o: ../cryptlib.h f_enum.c
+f_int.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
 f_int.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-f_int.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
-f_int.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-f_int.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-f_int.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+f_int.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+f_int.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+f_int.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+f_int.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
 f_int.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-f_int.o: ../cryptlib.h
-f_string.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-f_string.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-f_string.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+f_int.o: ../cryptlib.h f_int.c
+f_string.o: ../../e_os.h ../../include/openssl/asn1.h
+f_string.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+f_string.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 f_string.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 f_string.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-f_string.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-f_string.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-f_string.o: ../cryptlib.h
-i2d_dhp.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
-i2d_dhp.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
-i2d_dhp.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-i2d_dhp.o: ../../include/openssl/dh.h ../../include/openssl/e_os.h
-i2d_dhp.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-i2d_dhp.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-i2d_dhp.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-i2d_dhp.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-i2d_dhp.o: ../cryptlib.h
-i2d_dsap.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
-i2d_dsap.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
-i2d_dsap.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-i2d_dsap.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-i2d_dsap.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-i2d_dsap.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
-i2d_dsap.o: ../../include/openssl/opensslconf.h
-i2d_dsap.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-i2d_dsap.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-i2d_dsap.o: ../cryptlib.h
-i2d_pr.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-i2d_pr.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-i2d_pr.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-i2d_pr.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-i2d_pr.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-i2d_pr.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+f_string.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+f_string.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+f_string.o: ../../include/openssl/symhacks.h ../cryptlib.h f_string.c
+i2d_pr.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
+i2d_pr.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+i2d_pr.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
+i2d_pr.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
 i2d_pr.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-i2d_pr.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-i2d_pr.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-i2d_pr.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-i2d_pr.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-i2d_pr.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-i2d_pr.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-i2d_pr.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+i2d_pr.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+i2d_pr.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+i2d_pr.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 i2d_pr.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-i2d_pr.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-i2d_pr.o: ../../include/openssl/symhacks.h ../cryptlib.h
-i2d_pu.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-i2d_pu.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-i2d_pu.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-i2d_pu.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-i2d_pu.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-i2d_pu.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+i2d_pr.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+i2d_pr.o: ../cryptlib.h i2d_pr.c
+i2d_pu.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
+i2d_pu.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+i2d_pu.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
+i2d_pu.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
 i2d_pu.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-i2d_pu.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-i2d_pu.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-i2d_pu.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-i2d_pu.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-i2d_pu.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-i2d_pu.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-i2d_pu.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+i2d_pu.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+i2d_pu.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+i2d_pu.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 i2d_pu.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-i2d_pu.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-i2d_pu.o: ../../include/openssl/symhacks.h ../cryptlib.h
-i2d_r_pr.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
-i2d_r_pr.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
-i2d_r_pr.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-i2d_r_pr.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-i2d_r_pr.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
-i2d_r_pr.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-i2d_r_pr.o: ../../include/openssl/opensslconf.h
-i2d_r_pr.o: ../../include/openssl/opensslv.h ../../include/openssl/rsa.h
-i2d_r_pr.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-i2d_r_pr.o: ../../include/openssl/symhacks.h ../cryptlib.h
-i2d_r_pu.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
-i2d_r_pu.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
-i2d_r_pu.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-i2d_r_pu.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-i2d_r_pu.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
-i2d_r_pu.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-i2d_r_pu.o: ../../include/openssl/opensslconf.h
-i2d_r_pu.o: ../../include/openssl/opensslv.h ../../include/openssl/rsa.h
-i2d_r_pu.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-i2d_r_pu.o: ../../include/openssl/symhacks.h ../cryptlib.h
-i2d_s_pr.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
-i2d_s_pr.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
-i2d_s_pr.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-i2d_s_pr.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-i2d_s_pr.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-i2d_s_pr.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
-i2d_s_pr.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-i2d_s_pr.o: ../../include/openssl/opensslconf.h
-i2d_s_pr.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-i2d_s_pr.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-i2d_s_pr.o: ../cryptlib.h
-i2d_s_pu.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
-i2d_s_pu.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
-i2d_s_pu.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-i2d_s_pu.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-i2d_s_pu.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-i2d_s_pu.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
-i2d_s_pu.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-i2d_s_pu.o: ../../include/openssl/opensslconf.h
-i2d_s_pu.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-i2d_s_pu.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-i2d_s_pu.o: ../cryptlib.h
-n_pkey.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
-n_pkey.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-n_pkey.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-n_pkey.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
-n_pkey.o: ../../include/openssl/des.h ../../include/openssl/dh.h
-n_pkey.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+i2d_pu.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+i2d_pu.o: ../cryptlib.h i2d_pu.c
+n_pkey.o: ../../e_os.h ../../include/openssl/asn1.h
+n_pkey.o: ../../include/openssl/asn1_mac.h ../../include/openssl/asn1t.h
+n_pkey.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+n_pkey.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+n_pkey.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
 n_pkey.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-n_pkey.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-n_pkey.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-n_pkey.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-n_pkey.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
-n_pkey.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-n_pkey.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
-n_pkey.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-n_pkey.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+n_pkey.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+n_pkey.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+n_pkey.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+n_pkey.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
 n_pkey.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
 n_pkey.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
 n_pkey.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-n_pkey.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
-nsseq.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
-nsseq.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-nsseq.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-nsseq.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
-nsseq.o: ../../include/openssl/des.h ../../include/openssl/dh.h
-nsseq.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-nsseq.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-nsseq.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-nsseq.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-nsseq.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-nsseq.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-nsseq.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-nsseq.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-nsseq.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-nsseq.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+n_pkey.o: ../../include/openssl/x509_vfy.h ../cryptlib.h n_pkey.c
+nsseq.o: ../../include/openssl/asn1.h ../../include/openssl/asn1t.h
+nsseq.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+nsseq.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+nsseq.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+nsseq.o: ../../include/openssl/e_os2.h ../../include/openssl/evp.h
+nsseq.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+nsseq.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+nsseq.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+nsseq.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
 nsseq.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
 nsseq.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-nsseq.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-p5_pbe.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
-p5_pbe.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+nsseq.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h nsseq.c
+p5_pbe.o: ../../e_os.h ../../include/openssl/asn1.h
+p5_pbe.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
 p5_pbe.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-p5_pbe.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
-p5_pbe.o: ../../include/openssl/des.h ../../include/openssl/dh.h
-p5_pbe.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
-p5_pbe.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-p5_pbe.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-p5_pbe.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-p5_pbe.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-p5_pbe.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+p5_pbe.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
+p5_pbe.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+p5_pbe.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+p5_pbe.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
 p5_pbe.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-p5_pbe.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
-p5_pbe.o: ../../include/openssl/rand.h ../../include/openssl/rc2.h
-p5_pbe.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-p5_pbe.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-p5_pbe.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-p5_pbe.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-p5_pbe.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-p5_pbe.o: ../cryptlib.h
-p5_pbev2.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
-p5_pbev2.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+p5_pbe.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+p5_pbe.o: ../../include/openssl/pkcs7.h ../../include/openssl/rand.h
+p5_pbe.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+p5_pbe.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+p5_pbe.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+p5_pbe.o: ../../include/openssl/x509_vfy.h ../cryptlib.h p5_pbe.c
+p5_pbev2.o: ../../e_os.h ../../include/openssl/asn1.h
+p5_pbev2.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
 p5_pbev2.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-p5_pbev2.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
-p5_pbev2.o: ../../include/openssl/des.h ../../include/openssl/dh.h
-p5_pbev2.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
-p5_pbev2.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-p5_pbev2.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-p5_pbev2.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-p5_pbev2.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-p5_pbev2.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+p5_pbev2.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
+p5_pbev2.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+p5_pbev2.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+p5_pbev2.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
 p5_pbev2.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-p5_pbev2.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
-p5_pbev2.o: ../../include/openssl/rand.h ../../include/openssl/rc2.h
-p5_pbev2.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-p5_pbev2.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-p5_pbev2.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-p5_pbev2.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-p5_pbev2.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-p5_pbev2.o: ../cryptlib.h
-p7_dgst.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
-p7_dgst.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-p7_dgst.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-p7_dgst.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
-p7_dgst.o: ../../include/openssl/des.h ../../include/openssl/dh.h
-p7_dgst.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
-p7_dgst.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-p7_dgst.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-p7_dgst.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-p7_dgst.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-p7_dgst.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
-p7_dgst.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-p7_dgst.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
-p7_dgst.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-p7_dgst.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-p7_dgst.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-p7_dgst.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-p7_dgst.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-p7_dgst.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
-p7_enc.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
-p7_enc.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-p7_enc.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-p7_enc.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
-p7_enc.o: ../../include/openssl/des.h ../../include/openssl/dh.h
-p7_enc.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
-p7_enc.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-p7_enc.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-p7_enc.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-p7_enc.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-p7_enc.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
-p7_enc.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-p7_enc.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
-p7_enc.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-p7_enc.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-p7_enc.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-p7_enc.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-p7_enc.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-p7_enc.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
-p7_enc_c.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
-p7_enc_c.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-p7_enc_c.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-p7_enc_c.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
-p7_enc_c.o: ../../include/openssl/des.h ../../include/openssl/dh.h
-p7_enc_c.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
-p7_enc_c.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-p7_enc_c.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-p7_enc_c.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-p7_enc_c.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-p7_enc_c.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
-p7_enc_c.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-p7_enc_c.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
-p7_enc_c.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-p7_enc_c.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-p7_enc_c.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-p7_enc_c.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-p7_enc_c.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-p7_enc_c.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
-p7_evp.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
-p7_evp.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-p7_evp.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-p7_evp.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
-p7_evp.o: ../../include/openssl/des.h ../../include/openssl/dh.h
-p7_evp.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
-p7_evp.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-p7_evp.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-p7_evp.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-p7_evp.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-p7_evp.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
-p7_evp.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-p7_evp.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
-p7_evp.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-p7_evp.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-p7_evp.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-p7_evp.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-p7_evp.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-p7_evp.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
-p7_i_s.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
-p7_i_s.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-p7_i_s.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-p7_i_s.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
-p7_i_s.o: ../../include/openssl/des.h ../../include/openssl/dh.h
-p7_i_s.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
-p7_i_s.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-p7_i_s.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-p7_i_s.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-p7_i_s.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-p7_i_s.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
-p7_i_s.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-p7_i_s.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
-p7_i_s.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-p7_i_s.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-p7_i_s.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-p7_i_s.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-p7_i_s.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-p7_i_s.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
-p7_lib.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
-p7_lib.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-p7_lib.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-p7_lib.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
-p7_lib.o: ../../include/openssl/des.h ../../include/openssl/dh.h
-p7_lib.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
-p7_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-p7_lib.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-p7_lib.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-p7_lib.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-p7_lib.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
-p7_lib.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-p7_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
-p7_lib.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-p7_lib.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-p7_lib.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-p7_lib.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-p7_lib.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-p7_lib.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
-p7_recip.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
-p7_recip.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-p7_recip.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-p7_recip.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
-p7_recip.o: ../../include/openssl/des.h ../../include/openssl/dh.h
-p7_recip.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
-p7_recip.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-p7_recip.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-p7_recip.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-p7_recip.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-p7_recip.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
-p7_recip.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-p7_recip.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
-p7_recip.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-p7_recip.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-p7_recip.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-p7_recip.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-p7_recip.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-p7_recip.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
-p7_s_e.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
-p7_s_e.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-p7_s_e.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-p7_s_e.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
-p7_s_e.o: ../../include/openssl/des.h ../../include/openssl/dh.h
-p7_s_e.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
-p7_s_e.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-p7_s_e.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-p7_s_e.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-p7_s_e.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-p7_s_e.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
-p7_s_e.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-p7_s_e.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
-p7_s_e.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-p7_s_e.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-p7_s_e.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-p7_s_e.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-p7_s_e.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-p7_s_e.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
-p7_signd.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
-p7_signd.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-p7_signd.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-p7_signd.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
-p7_signd.o: ../../include/openssl/des.h ../../include/openssl/dh.h
-p7_signd.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
-p7_signd.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-p7_signd.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-p7_signd.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-p7_signd.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-p7_signd.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
-p7_signd.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-p7_signd.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
-p7_signd.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-p7_signd.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-p7_signd.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-p7_signd.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-p7_signd.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-p7_signd.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
-p7_signi.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
-p7_signi.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-p7_signi.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-p7_signi.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
-p7_signi.o: ../../include/openssl/des.h ../../include/openssl/dh.h
-p7_signi.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
-p7_signi.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-p7_signi.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-p7_signi.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-p7_signi.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-p7_signi.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
-p7_signi.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-p7_signi.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
-p7_signi.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-p7_signi.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-p7_signi.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-p7_signi.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-p7_signi.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-p7_signi.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
-p8_pkey.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
-p8_pkey.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+p5_pbev2.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+p5_pbev2.o: ../../include/openssl/pkcs7.h ../../include/openssl/rand.h
+p5_pbev2.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+p5_pbev2.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+p5_pbev2.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+p5_pbev2.o: ../../include/openssl/x509_vfy.h ../cryptlib.h p5_pbev2.c
+p8_pkey.o: ../../e_os.h ../../include/openssl/asn1.h
+p8_pkey.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
 p8_pkey.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-p8_pkey.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
-p8_pkey.o: ../../include/openssl/des.h ../../include/openssl/dh.h
-p8_pkey.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
-p8_pkey.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-p8_pkey.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-p8_pkey.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-p8_pkey.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-p8_pkey.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+p8_pkey.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
+p8_pkey.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+p8_pkey.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+p8_pkey.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
 p8_pkey.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-p8_pkey.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
-p8_pkey.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-p8_pkey.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-p8_pkey.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-p8_pkey.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-p8_pkey.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-p8_pkey.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
-t_bitst.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-t_bitst.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-t_bitst.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-t_bitst.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
-t_bitst.o: ../../include/openssl/des.h ../../include/openssl/dh.h
-t_bitst.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
-t_bitst.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+p8_pkey.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+p8_pkey.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
+p8_pkey.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+p8_pkey.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+p8_pkey.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+p8_pkey.o: ../cryptlib.h p8_pkey.c
+t_bitst.o: ../../e_os.h ../../include/openssl/asn1.h
+t_bitst.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+t_bitst.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
+t_bitst.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
+t_bitst.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
 t_bitst.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-t_bitst.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-t_bitst.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-t_bitst.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-t_bitst.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-t_bitst.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-t_bitst.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-t_bitst.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-t_bitst.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+t_bitst.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+t_bitst.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+t_bitst.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+t_bitst.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
 t_bitst.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
 t_bitst.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 t_bitst.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-t_bitst.o: ../../include/openssl/x509v3.h ../cryptlib.h
-t_crl.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-t_crl.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-t_crl.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+t_bitst.o: ../../include/openssl/x509v3.h ../cryptlib.h t_bitst.c
+t_crl.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
+t_crl.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
 t_crl.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
-t_crl.o: ../../include/openssl/des.h ../../include/openssl/dh.h
-t_crl.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
-t_crl.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-t_crl.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-t_crl.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-t_crl.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-t_crl.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+t_crl.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+t_crl.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+t_crl.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 t_crl.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 t_crl.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-t_crl.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-t_crl.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-t_crl.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-t_crl.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-t_crl.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-t_crl.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-t_crl.o: ../../include/openssl/x509v3.h ../cryptlib.h
-t_pkey.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
-t_pkey.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-t_pkey.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-t_pkey.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+t_crl.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+t_crl.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+t_crl.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+t_crl.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+t_crl.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
+t_crl.o: ../cryptlib.h t_crl.c
+t_pkey.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
+t_pkey.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+t_pkey.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
+t_pkey.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
 t_pkey.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
 t_pkey.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-t_pkey.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-t_pkey.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-t_pkey.o: ../cryptlib.h
-t_req.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-t_req.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-t_req.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+t_pkey.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rsa.h
+t_pkey.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+t_pkey.o: ../../include/openssl/symhacks.h ../cryptlib.h t_pkey.c
+t_req.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
+t_req.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
 t_req.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
-t_req.o: ../../include/openssl/des.h ../../include/openssl/dh.h
-t_req.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
-t_req.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-t_req.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-t_req.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-t_req.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-t_req.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+t_req.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+t_req.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+t_req.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 t_req.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 t_req.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-t_req.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-t_req.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-t_req.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-t_req.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-t_req.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-t_req.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-t_req.o: ../../include/openssl/x509v3.h ../cryptlib.h
-t_spki.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
-t_spki.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+t_req.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+t_req.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+t_req.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+t_req.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+t_req.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
+t_req.o: ../cryptlib.h t_req.c
+t_spki.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
 t_spki.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-t_spki.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
-t_spki.o: ../../include/openssl/des.h ../../include/openssl/dh.h
-t_spki.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
-t_spki.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-t_spki.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-t_spki.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-t_spki.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-t_spki.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+t_spki.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
+t_spki.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+t_spki.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+t_spki.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
 t_spki.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-t_spki.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
-t_spki.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-t_spki.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-t_spki.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-t_spki.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-t_spki.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-t_spki.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
-t_x509.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-t_x509.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-t_x509.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+t_spki.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+t_spki.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
+t_spki.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+t_spki.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+t_spki.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+t_spki.o: ../cryptlib.h t_spki.c
+t_x509.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
+t_x509.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
 t_x509.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
-t_x509.o: ../../include/openssl/des.h ../../include/openssl/dh.h
-t_x509.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
-t_x509.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-t_x509.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-t_x509.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-t_x509.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-t_x509.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+t_x509.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+t_x509.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+t_x509.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 t_x509.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 t_x509.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-t_x509.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-t_x509.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-t_x509.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-t_x509.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-t_x509.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-t_x509.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-t_x509.o: ../../include/openssl/x509v3.h ../cryptlib.h
-t_x509a.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
-t_x509a.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-t_x509a.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-t_x509a.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
-t_x509a.o: ../../include/openssl/des.h ../../include/openssl/dh.h
-t_x509a.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+t_x509.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+t_x509.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+t_x509.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+t_x509.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+t_x509.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
+t_x509.o: ../cryptlib.h t_x509.c
+t_x509a.o: ../../e_os.h ../../include/openssl/asn1.h
+t_x509a.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+t_x509a.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+t_x509a.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
 t_x509a.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-t_x509a.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-t_x509a.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-t_x509a.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-t_x509a.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
-t_x509a.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-t_x509a.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
-t_x509a.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-t_x509a.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+t_x509a.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+t_x509a.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+t_x509a.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+t_x509a.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
 t_x509a.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
 t_x509a.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
 t_x509a.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-t_x509a.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
-x_algor.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
-x_algor.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-x_algor.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-x_algor.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
-x_algor.o: ../../include/openssl/des.h ../../include/openssl/dh.h
-x_algor.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
-x_algor.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-x_algor.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-x_algor.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-x_algor.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-x_algor.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+t_x509a.o: ../../include/openssl/x509_vfy.h ../cryptlib.h t_x509a.c
+tasn_dec.o: ../../include/openssl/asn1.h ../../include/openssl/asn1t.h
+tasn_dec.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+tasn_dec.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+tasn_dec.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+tasn_dec.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+tasn_dec.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+tasn_dec.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+tasn_dec.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+tasn_dec.o: ../../include/openssl/symhacks.h tasn_dec.c
+tasn_enc.o: ../../include/openssl/asn1.h ../../include/openssl/asn1t.h
+tasn_enc.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+tasn_enc.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+tasn_enc.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+tasn_enc.o: ../../include/openssl/opensslconf.h
+tasn_enc.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+tasn_enc.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+tasn_enc.o: ../../include/openssl/symhacks.h tasn_enc.c
+tasn_fre.o: ../../include/openssl/asn1.h ../../include/openssl/asn1t.h
+tasn_fre.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+tasn_fre.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+tasn_fre.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+tasn_fre.o: ../../include/openssl/opensslconf.h
+tasn_fre.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+tasn_fre.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+tasn_fre.o: ../../include/openssl/symhacks.h tasn_fre.c
+tasn_new.o: ../../include/openssl/asn1.h ../../include/openssl/asn1t.h
+tasn_new.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+tasn_new.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+tasn_new.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+tasn_new.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+tasn_new.o: ../../include/openssl/opensslconf.h
+tasn_new.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+tasn_new.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+tasn_new.o: ../../include/openssl/symhacks.h tasn_new.c
+tasn_typ.o: ../../include/openssl/asn1.h ../../include/openssl/asn1t.h
+tasn_typ.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+tasn_typ.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+tasn_typ.o: ../../include/openssl/opensslconf.h
+tasn_typ.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+tasn_typ.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+tasn_typ.o: ../../include/openssl/symhacks.h tasn_typ.c
+tasn_utl.o: ../../include/openssl/asn1.h ../../include/openssl/asn1t.h
+tasn_utl.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+tasn_utl.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+tasn_utl.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+tasn_utl.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+tasn_utl.o: ../../include/openssl/opensslconf.h
+tasn_utl.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+tasn_utl.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+tasn_utl.o: ../../include/openssl/symhacks.h tasn_utl.c
+x_algor.o: ../../include/openssl/asn1.h ../../include/openssl/asn1t.h
+x_algor.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+x_algor.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+x_algor.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+x_algor.o: ../../include/openssl/e_os2.h ../../include/openssl/evp.h
+x_algor.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
 x_algor.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-x_algor.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
-x_algor.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-x_algor.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-x_algor.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-x_algor.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-x_algor.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-x_algor.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
-x_attrib.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
-x_attrib.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+x_algor.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+x_algor.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
+x_algor.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+x_algor.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+x_algor.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+x_algor.o: x_algor.c
+x_attrib.o: ../../e_os.h ../../include/openssl/asn1.h
+x_attrib.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
 x_attrib.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-x_attrib.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
-x_attrib.o: ../../include/openssl/des.h ../../include/openssl/dh.h
-x_attrib.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
-x_attrib.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-x_attrib.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-x_attrib.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-x_attrib.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-x_attrib.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+x_attrib.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
+x_attrib.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+x_attrib.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+x_attrib.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
 x_attrib.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-x_attrib.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
-x_attrib.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-x_attrib.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-x_attrib.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-x_attrib.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-x_attrib.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-x_attrib.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
-x_cinf.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
-x_cinf.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-x_cinf.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-x_cinf.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
-x_cinf.o: ../../include/openssl/des.h ../../include/openssl/dh.h
-x_cinf.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
-x_cinf.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-x_cinf.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-x_cinf.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-x_cinf.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-x_cinf.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
-x_cinf.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-x_cinf.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
-x_cinf.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-x_cinf.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-x_cinf.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-x_cinf.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-x_cinf.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-x_cinf.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
-x_crl.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
-x_crl.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+x_attrib.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+x_attrib.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
+x_attrib.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+x_attrib.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+x_attrib.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+x_attrib.o: ../cryptlib.h x_attrib.c
+x_bignum.o: ../../e_os.h ../../include/openssl/asn1.h
+x_bignum.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
+x_bignum.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+x_bignum.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+x_bignum.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+x_bignum.o: ../../include/openssl/opensslconf.h
+x_bignum.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+x_bignum.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+x_bignum.o: ../../include/openssl/symhacks.h ../cryptlib.h x_bignum.c
+x_crl.o: ../../e_os.h ../../include/openssl/asn1.h
+x_crl.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
 x_crl.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-x_crl.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
-x_crl.o: ../../include/openssl/des.h ../../include/openssl/dh.h
-x_crl.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
-x_crl.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-x_crl.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-x_crl.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-x_crl.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-x_crl.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+x_crl.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
+x_crl.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+x_crl.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+x_crl.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
 x_crl.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-x_crl.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
-x_crl.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-x_crl.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-x_crl.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-x_crl.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-x_crl.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-x_crl.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
-x_exten.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
-x_exten.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-x_exten.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-x_exten.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
-x_exten.o: ../../include/openssl/des.h ../../include/openssl/dh.h
-x_exten.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
-x_exten.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-x_exten.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-x_exten.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-x_exten.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-x_exten.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+x_crl.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+x_crl.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
+x_crl.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+x_crl.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+x_crl.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+x_crl.o: ../cryptlib.h x_crl.c
+x_exten.o: ../../include/openssl/asn1.h ../../include/openssl/asn1t.h
+x_exten.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+x_exten.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+x_exten.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+x_exten.o: ../../include/openssl/e_os2.h ../../include/openssl/evp.h
+x_exten.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
 x_exten.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-x_exten.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
-x_exten.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-x_exten.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-x_exten.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-x_exten.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-x_exten.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-x_exten.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
-x_info.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
-x_info.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+x_exten.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+x_exten.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
+x_exten.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+x_exten.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+x_exten.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+x_exten.o: x_exten.c
+x_info.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
 x_info.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-x_info.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
-x_info.o: ../../include/openssl/des.h ../../include/openssl/dh.h
-x_info.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
-x_info.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-x_info.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-x_info.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-x_info.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-x_info.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+x_info.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
+x_info.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+x_info.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+x_info.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
 x_info.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-x_info.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
-x_info.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-x_info.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-x_info.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-x_info.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-x_info.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-x_info.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
-x_name.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
-x_name.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+x_info.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+x_info.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
+x_info.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+x_info.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+x_info.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+x_info.o: ../cryptlib.h x_info.c
+x_long.o: ../../e_os.h ../../include/openssl/asn1.h
+x_long.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
+x_long.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+x_long.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+x_long.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+x_long.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+x_long.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
+x_long.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+x_long.o: ../cryptlib.h x_long.c
+x_name.o: ../../e_os.h ../../include/openssl/asn1.h
+x_name.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
 x_name.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-x_name.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
-x_name.o: ../../include/openssl/des.h ../../include/openssl/dh.h
-x_name.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
-x_name.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-x_name.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-x_name.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-x_name.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-x_name.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+x_name.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
+x_name.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+x_name.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+x_name.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
 x_name.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-x_name.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
-x_name.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-x_name.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-x_name.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-x_name.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-x_name.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-x_name.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
-x_pkey.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
-x_pkey.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+x_name.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+x_name.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
+x_name.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+x_name.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+x_name.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+x_name.o: ../cryptlib.h x_name.c
+x_pkey.o: ../../e_os.h ../../include/openssl/asn1.h
+x_pkey.o: ../../include/openssl/asn1_mac.h ../../include/openssl/bio.h
 x_pkey.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-x_pkey.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
-x_pkey.o: ../../include/openssl/des.h ../../include/openssl/dh.h
-x_pkey.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
-x_pkey.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-x_pkey.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-x_pkey.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-x_pkey.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-x_pkey.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+x_pkey.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
+x_pkey.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+x_pkey.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+x_pkey.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
 x_pkey.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-x_pkey.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
-x_pkey.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-x_pkey.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-x_pkey.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-x_pkey.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-x_pkey.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-x_pkey.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
-x_pubkey.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
-x_pubkey.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+x_pkey.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+x_pkey.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
+x_pkey.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+x_pkey.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+x_pkey.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+x_pkey.o: ../cryptlib.h x_pkey.c
+x_pubkey.o: ../../e_os.h ../../include/openssl/asn1.h
+x_pubkey.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
 x_pubkey.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-x_pubkey.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
-x_pubkey.o: ../../include/openssl/des.h ../../include/openssl/dh.h
-x_pubkey.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
-x_pubkey.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-x_pubkey.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-x_pubkey.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-x_pubkey.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-x_pubkey.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+x_pubkey.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
+x_pubkey.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+x_pubkey.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+x_pubkey.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
 x_pubkey.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-x_pubkey.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
-x_pubkey.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-x_pubkey.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-x_pubkey.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-x_pubkey.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-x_pubkey.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-x_pubkey.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
-x_req.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
-x_req.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+x_pubkey.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+x_pubkey.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
+x_pubkey.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+x_pubkey.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+x_pubkey.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+x_pubkey.o: ../cryptlib.h x_pubkey.c
+x_req.o: ../../e_os.h ../../include/openssl/asn1.h
+x_req.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
 x_req.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-x_req.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
-x_req.o: ../../include/openssl/des.h ../../include/openssl/dh.h
-x_req.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
-x_req.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-x_req.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-x_req.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-x_req.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-x_req.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+x_req.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
+x_req.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+x_req.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+x_req.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
 x_req.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-x_req.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
-x_req.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-x_req.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-x_req.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-x_req.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-x_req.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-x_req.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
-x_sig.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
-x_sig.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+x_req.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+x_req.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
+x_req.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+x_req.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+x_req.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+x_req.o: ../cryptlib.h x_req.c
+x_sig.o: ../../e_os.h ../../include/openssl/asn1.h
+x_sig.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
 x_sig.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-x_sig.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
-x_sig.o: ../../include/openssl/des.h ../../include/openssl/dh.h
-x_sig.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
-x_sig.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-x_sig.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-x_sig.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-x_sig.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-x_sig.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+x_sig.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
+x_sig.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+x_sig.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+x_sig.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
 x_sig.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-x_sig.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
-x_sig.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-x_sig.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-x_sig.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-x_sig.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-x_sig.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-x_sig.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
-x_spki.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
-x_spki.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+x_sig.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+x_sig.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
+x_sig.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+x_sig.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+x_sig.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+x_sig.o: ../cryptlib.h x_sig.c
+x_spki.o: ../../e_os.h ../../include/openssl/asn1.h
+x_spki.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
 x_spki.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-x_spki.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
-x_spki.o: ../../include/openssl/des.h ../../include/openssl/dh.h
-x_spki.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
-x_spki.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-x_spki.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-x_spki.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-x_spki.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-x_spki.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+x_spki.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
+x_spki.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+x_spki.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+x_spki.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
 x_spki.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-x_spki.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
-x_spki.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-x_spki.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-x_spki.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-x_spki.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-x_spki.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-x_spki.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
-x_val.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
-x_val.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+x_spki.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+x_spki.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
+x_spki.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+x_spki.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+x_spki.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+x_spki.o: ../cryptlib.h x_spki.c
+x_val.o: ../../e_os.h ../../include/openssl/asn1.h
+x_val.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
 x_val.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-x_val.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
-x_val.o: ../../include/openssl/des.h ../../include/openssl/dh.h
-x_val.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
-x_val.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-x_val.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-x_val.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-x_val.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-x_val.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+x_val.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
+x_val.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+x_val.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+x_val.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
 x_val.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-x_val.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
-x_val.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-x_val.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-x_val.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-x_val.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-x_val.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-x_val.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
-x_x509.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
-x_x509.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+x_val.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+x_val.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
+x_val.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+x_val.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+x_val.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+x_val.o: ../cryptlib.h x_val.c
+x_x509.o: ../../e_os.h ../../include/openssl/asn1.h
+x_x509.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
 x_x509.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-x_x509.o: ../../include/openssl/cast.h ../../include/openssl/conf.h
-x_x509.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+x_x509.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
 x_x509.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-x_x509.o: ../../include/openssl/e_os.h ../../include/openssl/e_os.h
 x_x509.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-x_x509.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-x_x509.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-x_x509.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-x_x509.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
-x_x509.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-x_x509.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
-x_x509.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-x_x509.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+x_x509.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+x_x509.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+x_x509.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+x_x509.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
 x_x509.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
 x_x509.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
 x_x509.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
 x_x509.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
-x_x509.o: ../cryptlib.h
-x_x509a.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
-x_x509a.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+x_x509.o: ../cryptlib.h x_x509.c
+x_x509a.o: ../../e_os.h ../../include/openssl/asn1.h
+x_x509a.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
 x_x509a.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-x_x509a.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
-x_x509a.o: ../../include/openssl/des.h ../../include/openssl/dh.h
-x_x509a.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
-x_x509a.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-x_x509a.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-x_x509a.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-x_x509a.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-x_x509a.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+x_x509a.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
+x_x509a.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+x_x509a.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+x_x509a.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
 x_x509a.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-x_x509a.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
-x_x509a.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-x_x509a.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-x_x509a.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-x_x509a.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-x_x509a.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-x_x509a.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
+x_x509a.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+x_x509a.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
+x_x509a.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+x_x509a.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+x_x509a.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+x_x509a.o: ../cryptlib.h x_x509a.c
diff --git a/src/lib/libcrypto/asn1/a_bitstr.c b/src/lib/libcrypto/asn1/a_bitstr.c
index 7013a407ad..c36817c1ee 100644
--- a/src/lib/libcrypto/asn1/a_bitstr.c
+++ b/src/lib/libcrypto/asn1/a_bitstr.c
@@ -60,27 +60,9 @@
 #include "cryptlib.h"
 #include <openssl/asn1.h>
 
-ASN1_BIT_STRING *ASN1_BIT_STRING_new(void)
-{ return M_ASN1_BIT_STRING_new(); }
-
-void ASN1_BIT_STRING_free(ASN1_BIT_STRING *x)
-{ M_ASN1_BIT_STRING_free(x); }
-
 int ASN1_BIT_STRING_set(ASN1_BIT_STRING *x, unsigned char *d, int len)
 { return M_ASN1_BIT_STRING_set(x, d, len); }
 
-int i2d_ASN1_BIT_STRING(ASN1_BIT_STRING *a, unsigned char **pp)
-{
-        int len, ret;
-        len = i2c_ASN1_BIT_STRING(a, NULL);     
-        ret=ASN1_object_size(0,len,V_ASN1_BIT_STRING);
-        if(pp) {
-                ASN1_put_object(pp,0,len,V_ASN1_BIT_STRING,V_ASN1_UNIVERSAL);
-                i2c_ASN1_BIT_STRING(a, pp);     
-        }
-        return ret;
-}
-
 int i2c_ASN1_BIT_STRING(ASN1_BIT_STRING *a, unsigned char **pp)
         {
         int ret,j,bits,len;
@@ -129,40 +111,6 @@ int i2c_ASN1_BIT_STRING(ASN1_BIT_STRING *a, unsigned char **pp)
         return(ret);
         }
 
-
-/* Convert DER encoded ASN1 BIT_STRING to ASN1_BIT_STRING structure */
-ASN1_BIT_STRING *d2i_ASN1_BIT_STRING(ASN1_BIT_STRING **a, unsigned char **pp,
-             long length)
-{
-        unsigned char *p;
-        long len;
-        int i;
-        int inf,tag,xclass;
-        ASN1_BIT_STRING *ret;
-
-        p= *pp;
-        inf=ASN1_get_object(&p,&len,&tag,&xclass,length);
-        if (inf & 0x80)
-                {
-                i=ASN1_R_BAD_OBJECT_HEADER;
-                goto err;
-                }
-
-        if (tag != V_ASN1_BIT_STRING)
-                {
-                i=ASN1_R_EXPECTING_A_BIT_STRING;
-                goto err;
-                }
-        if (len < 1) { i=ASN1_R_STRING_TOO_SHORT; goto err; }
-        ret = c2i_ASN1_BIT_STRING(a, &p, len);
-        if(ret) *pp = p;
-        return ret;
-err:
-        ASN1err(ASN1_F_D2I_ASN1_BIT_STRING,i);
-        return(NULL);
-
-}
-
 ASN1_BIT_STRING *c2i_ASN1_BIT_STRING(ASN1_BIT_STRING **a, unsigned char **pp,
              long len)
         {
@@ -224,6 +172,7 @@ int ASN1_BIT_STRING_set_bit(ASN1_BIT_STRING *a, int n, int value)
         w=n/8;
         v=1<<(7-(n&0x07));
         iv= ~v;
+        if (!value) v=0;
 
         a->flags&= ~(ASN1_STRING_FLAG_BITS_LEFT|0x07); /* clear, set on write */
 
diff --git a/src/lib/libcrypto/asn1/a_bool.c b/src/lib/libcrypto/asn1/a_bool.c
index 18fa61840b..24333ea4d5 100644
--- a/src/lib/libcrypto/asn1/a_bool.c
+++ b/src/lib/libcrypto/asn1/a_bool.c
@@ -58,7 +58,7 @@
 
 #include <stdio.h>
 #include "cryptlib.h"
-#include <openssl/asn1.h>
+#include <openssl/asn1t.h>
 
 int i2d_ASN1_BOOLEAN(int a, unsigned char **pp)
         {
@@ -110,3 +110,5 @@ err:
         ASN1err(ASN1_F_D2I_ASN1_BOOLEAN,i);
         return(ret);
         }
+
+
diff --git a/src/lib/libcrypto/asn1/a_bytes.c b/src/lib/libcrypto/asn1/a_bytes.c
index 3a0c0c7835..bb88660f58 100644
--- a/src/lib/libcrypto/asn1/a_bytes.c
+++ b/src/lib/libcrypto/asn1/a_bytes.c
@@ -58,18 +58,7 @@
 
 #include <stdio.h>
 #include "cryptlib.h"
-#include <openssl/asn1_mac.h>
-
-static unsigned long tag2bit[32]={
-0,      0,      0,      B_ASN1_BIT_STRING,      /* tags  0 -  3 */
-B_ASN1_OCTET_STRING,    0,      0,              B_ASN1_UNKNOWN,/* tags  4- 7 */
-B_ASN1_UNKNOWN, B_ASN1_UNKNOWN, B_ASN1_UNKNOWN, B_ASN1_UNKNOWN,/* tags  8-11 */
-B_ASN1_UTF8STRING,B_ASN1_UNKNOWN,B_ASN1_UNKNOWN,B_ASN1_UNKNOWN,/* tags 12-15 */
-0,      0,      B_ASN1_NUMERICSTRING,B_ASN1_PRINTABLESTRING,
-B_ASN1_T61STRING,B_ASN1_VIDEOTEXSTRING,B_ASN1_IA5STRING,0,
-0,B_ASN1_GRAPHICSTRING,B_ASN1_ISO64STRING,B_ASN1_GENERALSTRING,
-B_ASN1_UNIVERSALSTRING,B_ASN1_UNKNOWN,B_ASN1_BMPSTRING,B_ASN1_UNKNOWN,
-        };
+#include <openssl/asn1.h>
 
 static int asn1_collate_primitive(ASN1_STRING *a, ASN1_CTX *c);
 /* type is a 'bitmap' of acceptable string types.
@@ -92,7 +81,7 @@ ASN1_STRING *d2i_ASN1_type_bytes(ASN1_STRING **a, unsigned char **pp,
                 i=ASN1_R_TAG_VALUE_TOO_HIGH;;
                 goto err;
                 }
-        if (!(tag2bit[tag] & type))
+        if (!(ASN1_tag2bit(tag) & type))
                 {
                 i=ASN1_R_WRONG_TYPE;
                 goto err;
diff --git a/src/lib/libcrypto/asn1/a_d2i_fp.c b/src/lib/libcrypto/asn1/a_d2i_fp.c
index a49d1cb289..a80fbe9ff7 100644
--- a/src/lib/libcrypto/asn1/a_d2i_fp.c
+++ b/src/lib/libcrypto/asn1/a_d2i_fp.c
@@ -61,9 +61,11 @@
 #include <openssl/buffer.h>
 #include <openssl/asn1_mac.h>
 
-#define HEADER_SIZE   8
+static int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb);
+
+#ifndef NO_OLD_ASN1
+#ifndef OPENSSL_NO_FP_API
 
-#ifndef NO_FP_API
 char *ASN1_d2i_fp(char *(*xnew)(), char *(*d2i)(), FILE *in,
              unsigned char **x)
         {
@@ -85,10 +87,65 @@ char *ASN1_d2i_fp(char *(*xnew)(), char *(*d2i)(), FILE *in,
 char *ASN1_d2i_bio(char *(*xnew)(), char *(*d2i)(), BIO *in,
              unsigned char **x)
         {
+        BUF_MEM *b = NULL;
+        unsigned char *p;
+        char *ret=NULL;
+        int len;
+
+        len = asn1_d2i_read_bio(in, &b);
+        if(len < 0) goto err;
+
+        p=(unsigned char *)b->data;
+        ret=d2i(x,&p,len);
+err:
+        if (b != NULL) BUF_MEM_free(b);
+        return(ret);
+        }
+
+#endif
+
+void *ASN1_item_d2i_bio(const ASN1_ITEM *it, BIO *in, void *x)
+        {
+        BUF_MEM *b = NULL;
+        unsigned char *p;
+        void *ret=NULL;
+        int len;
+
+        len = asn1_d2i_read_bio(in, &b);
+        if(len < 0) goto err;
+
+        p=(unsigned char *)b->data;
+        ret=ASN1_item_d2i(x,&p,len, it);
+err:
+        if (b != NULL) BUF_MEM_free(b);
+        return(ret);
+        }
+
+#ifndef OPENSSL_NO_FP_API
+void *ASN1_item_d2i_fp(const ASN1_ITEM *it, FILE *in, void *x)
+        {
+        BIO *b;
+        char *ret;
+
+        if ((b=BIO_new(BIO_s_file())) == NULL)
+                {
+                ASN1err(ASN1_F_ASN1_D2I_FP,ERR_R_BUF_LIB);
+                return(NULL);
+                }
+        BIO_set_fp(b,in,BIO_NOCLOSE);
+        ret=ASN1_item_d2i_bio(it,b,x);
+        BIO_free(b);
+        return(ret);
+        }
+#endif
+
+#define HEADER_SIZE   8
+static int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb)
+        {
         BUF_MEM *b;
         unsigned char *p;
         int i;
-        char *ret=NULL;
+        int ret=-1;
         ASN1_CTX c;
         int want=HEADER_SIZE;
         int eos=0;
@@ -99,7 +156,7 @@ char *ASN1_d2i_bio(char *(*xnew)(), char *(*d2i)(), BIO *in,
         if (b == NULL)
                 {
                 ASN1err(ASN1_F_ASN1_D2I_BIO,ERR_R_MALLOC_FAILURE);
-                return(NULL);
+                return -1;
                 }
 
         ERR_clear_error();
@@ -187,8 +244,8 @@ char *ASN1_d2i_bio(char *(*xnew)(), char *(*d2i)(), BIO *in,
                         }
                 }
 
-        p=(unsigned char *)b->data;
-        ret=d2i(x,&p,off);
+        *pb = b;
+        return off;
 err:
         if (b != NULL) BUF_MEM_free(b);
         return(ret);
diff --git a/src/lib/libcrypto/asn1/a_digest.c b/src/lib/libcrypto/asn1/a_digest.c
index 8257b8639e..4931e222a0 100644
--- a/src/lib/libcrypto/asn1/a_digest.c
+++ b/src/lib/libcrypto/asn1/a_digest.c
@@ -69,10 +69,11 @@
 #include <openssl/buffer.h>
 #include <openssl/x509.h>
 
+#ifndef NO_ASN1_OLD
+
 int ASN1_digest(int (*i2d)(), const EVP_MD *type, char *data,
                 unsigned char *md, unsigned int *len)
         {
-        EVP_MD_CTX ctx;
         int i;
         unsigned char *str,*p;
 
@@ -81,9 +82,24 @@ int ASN1_digest(int (*i2d)(), const EVP_MD *type, char *data,
         p=str;
         i2d(data,&p);
 
-        EVP_DigestInit(&ctx,type);
-        EVP_DigestUpdate(&ctx,str,i);
-        EVP_DigestFinal(&ctx,md,len);
+        EVP_Digest(str, i, md, len, type, NULL);
+        OPENSSL_free(str);
+        return(1);
+        }
+
+#endif
+
+
+int ASN1_item_digest(const ASN1_ITEM *it, const EVP_MD *type, void *asn,
+                unsigned char *md, unsigned int *len)
+        {
+        int i;
+        unsigned char *str = NULL;
+
+        i=ASN1_item_i2d(asn,&str, it);
+        if (!str) return(0);
+
+        EVP_Digest(str, i, md, len, type, NULL);
         OPENSSL_free(str);
         return(1);
         }
diff --git a/src/lib/libcrypto/asn1/a_dup.c b/src/lib/libcrypto/asn1/a_dup.c
index c3bda58a5d..58a017884c 100644
--- a/src/lib/libcrypto/asn1/a_dup.c
+++ b/src/lib/libcrypto/asn1/a_dup.c
@@ -58,9 +58,9 @@
 
 #include <stdio.h>
 #include "cryptlib.h"
-#include <openssl/asn1_mac.h>
+#include <openssl/asn1.h>
 
-#define READ_CHUNK   2048
+#ifndef NO_OLD_ASN1
 
 char *ASN1_dup(int (*i2d)(), char *(*d2i)(), char *x)
         {
@@ -81,3 +81,27 @@ char *ASN1_dup(int (*i2d)(), char *(*d2i)(), char *x)
         OPENSSL_free(b);
         return(ret);
         }
+
+#endif
+
+/* ASN1_ITEM version of dup: this follows the model above except we don't need
+ * to allocate the buffer. At some point this could be rewritten to directly dup
+ * the underlying structure instead of doing and encode and decode.
+ */
+
+void *ASN1_item_dup(const ASN1_ITEM *it, void *x)
+        {
+        unsigned char *b = NULL, *p;
+        long i;
+        void *ret;
+
+        if (x == NULL) return(NULL);
+
+        i=ASN1_item_i2d(x,&b,it);
+        if (b == NULL)
+                { ASN1err(ASN1_F_ASN1_DUP,ERR_R_MALLOC_FAILURE); return(NULL); }
+        p= b;
+        ret=ASN1_item_d2i(NULL,&p,i, it);
+        OPENSSL_free(b);
+        return(ret);
+        }
diff --git a/src/lib/libcrypto/asn1/a_enum.c b/src/lib/libcrypto/asn1/a_enum.c
index 1428d1df7a..8a315fa371 100644
--- a/src/lib/libcrypto/asn1/a_enum.c
+++ b/src/lib/libcrypto/asn1/a_enum.c
@@ -65,60 +65,6 @@
  * for comments on encoding see a_int.c
  */
 
-ASN1_ENUMERATED *ASN1_ENUMERATED_new(void)
-{ return M_ASN1_ENUMERATED_new(); }
-
-void ASN1_ENUMERATED_free(ASN1_ENUMERATED *x)
-{ M_ASN1_ENUMERATED_free(x); }
-
-
-int i2d_ASN1_ENUMERATED(ASN1_ENUMERATED *a, unsigned char **pp)
-{
-        int len, ret;
-        if(!a) return 0;
-        len = i2c_ASN1_INTEGER(a, NULL);        
-        ret=ASN1_object_size(0,len,V_ASN1_ENUMERATED);
-        if(pp) {
-                ASN1_put_object(pp,0,len,V_ASN1_ENUMERATED,V_ASN1_UNIVERSAL);
-                i2c_ASN1_INTEGER(a, pp);        
-        }
-        return ret;
-}
-
-ASN1_ENUMERATED *d2i_ASN1_ENUMERATED(ASN1_ENUMERATED **a, unsigned char **pp,
-             long length)
-{
-        unsigned char *p;
-        long len;
-        int i;
-        int inf,tag,xclass;
-        ASN1_ENUMERATED *ret;
-
-        p= *pp;
-        inf=ASN1_get_object(&p,&len,&tag,&xclass,length);
-        if (inf & 0x80)
-                {
-                i=ASN1_R_BAD_OBJECT_HEADER;
-                goto err;
-                }
-
-        if (tag != V_ASN1_ENUMERATED)
-                {
-                i=ASN1_R_EXPECTING_AN_ENUMERATED;
-                goto err;
-                }
-        ret = c2i_ASN1_INTEGER(a, &p, len);
-        if(ret) {
-                ret->type = (V_ASN1_NEG & ret->type) | V_ASN1_ENUMERATED;
-                *pp = p;
-        }
-        return ret;
-err:
-        ASN1err(ASN1_F_D2I_ASN1_ENUMERATED,i);
-        return(NULL);
-
-}
-
 int ASN1_ENUMERATED_set(ASN1_ENUMERATED *a, long v)
         {
         int i,j,k;
@@ -168,7 +114,7 @@ long ASN1_ENUMERATED_get(ASN1_ENUMERATED *a)
         if (i == V_ASN1_NEG_ENUMERATED)
                 neg=1;
         else if (i != V_ASN1_ENUMERATED)
-                return(0);
+                return -1;
         
         if (a->length > sizeof(long))
                 {
@@ -176,7 +122,7 @@ long ASN1_ENUMERATED_get(ASN1_ENUMERATED *a)
                 return(0xffffffffL);
                 }
         if (a->data == NULL)
-                return(0);
+                return 0;
 
         for (i=0; i<a->length; i++)
                 {
diff --git a/src/lib/libcrypto/asn1/a_gentm.c b/src/lib/libcrypto/asn1/a_gentm.c
index 314479a03d..cd09f68b38 100644
--- a/src/lib/libcrypto/asn1/a_gentm.c
+++ b/src/lib/libcrypto/asn1/a_gentm.c
@@ -61,13 +61,10 @@
 #include <stdio.h>
 #include <time.h>
 #include "cryptlib.h"
+#include "o_time.h"
 #include <openssl/asn1.h>
 
-ASN1_GENERALIZEDTIME *ASN1_GENERALIZEDTIME_new(void)
-{ return M_ASN1_GENERALIZEDTIME_new(); }
-
-void ASN1_GENERALIZEDTIME_free(ASN1_GENERALIZEDTIME *x)
-{ M_ASN1_GENERALIZEDTIME_free(x); }
+#if 0
 
 int i2d_ASN1_GENERALIZEDTIME(ASN1_GENERALIZEDTIME *a, unsigned char **pp)
         {
@@ -116,6 +113,8 @@ err:
         return(NULL);
         }
 
+#endif
+
 int ASN1_GENERALIZEDTIME_check(ASN1_GENERALIZEDTIME *d)
         {
         static int min[9]={ 0, 0, 1, 1, 0, 0, 0, 0, 0};
@@ -147,6 +146,19 @@ int ASN1_GENERALIZEDTIME_check(ASN1_GENERALIZEDTIME *d)
 
                 if ((n < min[i]) || (n > max[i])) goto err;
                 }
+        /* Optional fractional seconds: decimal point followed by one
+         * or more digits.
+         */
+        if (a[o] == '.')
+                {
+                if (++o > l) goto err;
+                i = o;
+                while ((a[o] >= '0') && (a[o] <= '9') && (o <= l))
+                        o++;
+                /* Must have at least one digit after decimal point */
+                if (i == o) goto err;
+                }
+
         if (a[o] == 'Z')
                 o++;
         else if ((a[o] == '+') || (a[o] == '-'))
@@ -182,6 +194,7 @@ int ASN1_GENERALIZEDTIME_set_string(ASN1_GENERALIZEDTIME *s, char *str)
                         {
                         ASN1_STRING_set((ASN1_STRING *)s,
                                 (unsigned char *)str,t.length);
+                        s->type=V_ASN1_GENERALIZEDTIME;
                         }
                 return(1);
                 }
@@ -194,21 +207,17 @@ ASN1_GENERALIZEDTIME *ASN1_GENERALIZEDTIME_set(ASN1_GENERALIZEDTIME *s,
         {
         char *p;
         struct tm *ts;
-#if defined(THREADS) && !defined(WIN32)
         struct tm data;
-#endif
 
         if (s == NULL)
                 s=M_ASN1_GENERALIZEDTIME_new();
         if (s == NULL)
                 return(NULL);
 
-#if defined(THREADS) && !defined(WIN32)
-        gmtime_r(&t,&data); /* should return &data, but doesn't on some systems, so we don't even look at the return value */
-        ts=&data;
-#else
-        ts=gmtime(&t);
-#endif
+        ts=OPENSSL_gmtime(&t, &data);
+        if (ts == NULL)
+                return(NULL);
+
         p=(char *)s->data;
         if ((p == NULL) || (s->length < 16))
                 {
diff --git a/src/lib/libcrypto/asn1/a_i2d_fp.c b/src/lib/libcrypto/asn1/a_i2d_fp.c
index aee29a7790..f4f1b73ebe 100644
--- a/src/lib/libcrypto/asn1/a_i2d_fp.c
+++ b/src/lib/libcrypto/asn1/a_i2d_fp.c
@@ -59,9 +59,11 @@
 #include <stdio.h>
 #include "cryptlib.h"
 #include <openssl/buffer.h>
-#include <openssl/asn1_mac.h>
+#include <openssl/asn1.h>
 
-#ifndef NO_FP_API
+#ifndef NO_OLD_ASN1
+
+#ifndef OPENSSL_NO_FP_API
 int ASN1_i2d_fp(int (*i2d)(), FILE *out, unsigned char *x)
         {
         BIO *b;
@@ -111,3 +113,51 @@ int ASN1_i2d_bio(int (*i2d)(), BIO *out, unsigned char *x)
         OPENSSL_free(b);
         return(ret);
         }
+
+#endif
+
+#ifndef OPENSSL_NO_FP_API
+int ASN1_item_i2d_fp(const ASN1_ITEM *it, FILE *out, void *x)
+        {
+        BIO *b;
+        int ret;
+
+        if ((b=BIO_new(BIO_s_file())) == NULL)
+                {
+                ASN1err(ASN1_F_ASN1_I2D_FP,ERR_R_BUF_LIB);
+                return(0);
+                }
+        BIO_set_fp(b,out,BIO_NOCLOSE);
+        ret=ASN1_item_i2d_bio(it,b,x);
+        BIO_free(b);
+        return(ret);
+        }
+#endif
+
+int ASN1_item_i2d_bio(const ASN1_ITEM *it, BIO *out, void *x)
+        {
+        unsigned char *b = NULL;
+        int i,j=0,n,ret=1;
+
+        n = ASN1_item_i2d(x, &b, it);
+        if (b == NULL)
+                {
+                ASN1err(ASN1_F_ASN1_I2D_BIO,ERR_R_MALLOC_FAILURE);
+                return(0);
+                }
+
+        for (;;)
+                {
+                i=BIO_write(out,&(b[j]),n);
+                if (i == n) break;
+                if (i <= 0)
+                        {
+                        ret=0;
+                        break;
+                        }
+                j+=i;
+                n-=i;
+                }
+        OPENSSL_free(b);
+        return(ret);
+        }
diff --git a/src/lib/libcrypto/asn1/a_int.c b/src/lib/libcrypto/asn1/a_int.c
index 6f0413f885..496704b9a5 100644
--- a/src/lib/libcrypto/asn1/a_int.c
+++ b/src/lib/libcrypto/asn1/a_int.c
@@ -60,33 +60,12 @@
 #include "cryptlib.h"
 #include <openssl/asn1.h>
 
-ASN1_INTEGER *ASN1_INTEGER_new(void)
-{ return M_ASN1_INTEGER_new();}
-
-void ASN1_INTEGER_free(ASN1_INTEGER *x)
-{ M_ASN1_INTEGER_free(x);}
-
 ASN1_INTEGER *ASN1_INTEGER_dup(ASN1_INTEGER *x)
 { return M_ASN1_INTEGER_dup(x);}
 
 int ASN1_INTEGER_cmp(ASN1_INTEGER *x, ASN1_INTEGER *y)
 { return M_ASN1_INTEGER_cmp(x,y);}
 
-/* Output ASN1 INTEGER including tag+length */
-
-int i2d_ASN1_INTEGER(ASN1_INTEGER *a, unsigned char **pp)
-{
-        int len, ret;
-        if(!a) return 0;
-        len = i2c_ASN1_INTEGER(a, NULL);        
-        ret=ASN1_object_size(0,len,V_ASN1_INTEGER);
-        if(pp) {
-                ASN1_put_object(pp,0,len,V_ASN1_INTEGER,V_ASN1_UNIVERSAL);
-                i2c_ASN1_INTEGER(a, pp);        
-        }
-        return ret;
-}
-
 /* 
  * This converts an ASN1 INTEGER into its content encoding.
  * The internal representation is an ASN1_STRING whose data is a big endian
@@ -174,39 +153,6 @@ int i2c_ASN1_INTEGER(ASN1_INTEGER *a, unsigned char **pp)
         return(ret);
         }
 
-/* Convert DER encoded ASN1 INTEGER to ASN1_INTEGER structure */
-ASN1_INTEGER *d2i_ASN1_INTEGER(ASN1_INTEGER **a, unsigned char **pp,
-             long length)
-{
-        unsigned char *p;
-        long len;
-        int i;
-        int inf,tag,xclass;
-        ASN1_INTEGER *ret;
-
-        p= *pp;
-        inf=ASN1_get_object(&p,&len,&tag,&xclass,length);
-        if (inf & 0x80)
-                {
-                i=ASN1_R_BAD_OBJECT_HEADER;
-                goto err;
-                }
-
-        if (tag != V_ASN1_INTEGER)
-                {
-                i=ASN1_R_EXPECTING_AN_INTEGER;
-                goto err;
-                }
-        ret = c2i_ASN1_INTEGER(a, &p, len);
-        if(ret) *pp = p;
-        return ret;
-err:
-        ASN1err(ASN1_F_D2I_ASN1_INTEGER,i);
-        return(NULL);
-
-}
-
-
 /* Convert just ASN1 INTEGER content octets to ASN1_INTEGER structure */
 
 ASN1_INTEGER *c2i_ASN1_INTEGER(ASN1_INTEGER **a, unsigned char **pp,
@@ -414,7 +360,7 @@ long ASN1_INTEGER_get(ASN1_INTEGER *a)
         if (i == V_ASN1_NEG_INTEGER)
                 neg=1;
         else if (i != V_ASN1_INTEGER)
-                return(0);
+                return -1;
         
         if (a->length > sizeof(long))
                 {
@@ -422,7 +368,7 @@ long ASN1_INTEGER_get(ASN1_INTEGER *a)
                 return(0xffffffffL);
                 }
         if (a->data == NULL)
-                return(0);
+                return 0;
 
         for (i=0; i<a->length; i++)
                 {
@@ -453,6 +399,12 @@ ASN1_INTEGER *BN_to_ASN1_INTEGER(BIGNUM *bn, ASN1_INTEGER *ai)
         len=((j == 0)?0:((j/8)+1));
         ret->data=(unsigned char *)OPENSSL_malloc(len+4);
         ret->length=BN_bn2bin(bn,ret->data);
+        /* Correct zero case */
+        if(!ret->length)
+                {
+                ret->data[0] = 0;
+                ret->length = 1;
+                }
         return(ret);
 err:
         if (ret != ai) M_ASN1_INTEGER_free(ret);
diff --git a/src/lib/libcrypto/asn1/a_object.c b/src/lib/libcrypto/asn1/a_object.c
index 20caa2d3bd..71ce7c3896 100644
--- a/src/lib/libcrypto/asn1/a_object.c
+++ b/src/lib/libcrypto/asn1/a_object.c
@@ -302,7 +302,7 @@ void ASN1_OBJECT_free(ASN1_OBJECT *a)
         }
 
 ASN1_OBJECT *ASN1_OBJECT_create(int nid, unsigned char *data, int len,
-             char *sn, char *ln)
+             const char *sn, const char *ln)
         {
         ASN1_OBJECT o;
 
diff --git a/src/lib/libcrypto/asn1/a_octet.c b/src/lib/libcrypto/asn1/a_octet.c
index 2586f4327d..9690bae0f1 100644
--- a/src/lib/libcrypto/asn1/a_octet.c
+++ b/src/lib/libcrypto/asn1/a_octet.c
@@ -60,12 +60,6 @@
 #include "cryptlib.h"
 #include <openssl/asn1.h>
 
-ASN1_OCTET_STRING *ASN1_OCTET_STRING_new(void)
-{ return M_ASN1_OCTET_STRING_new(); }
-
-void ASN1_OCTET_STRING_free(ASN1_OCTET_STRING *x)
-{ M_ASN1_OCTET_STRING_free(x); }
-
 ASN1_OCTET_STRING *ASN1_OCTET_STRING_dup(ASN1_OCTET_STRING *x)
 { return M_ASN1_OCTET_STRING_dup(x); }
 
@@ -75,21 +69,3 @@ int ASN1_OCTET_STRING_cmp(ASN1_OCTET_STRING *a, ASN1_OCTET_STRING *b)
 int ASN1_OCTET_STRING_set(ASN1_OCTET_STRING *x, unsigned char *d, int len)
 { return M_ASN1_OCTET_STRING_set(x, d, len); }
 
-int i2d_ASN1_OCTET_STRING(ASN1_OCTET_STRING *a, unsigned char **pp)
-{ return M_i2d_ASN1_OCTET_STRING(a, pp); }
-
-ASN1_OCTET_STRING *d2i_ASN1_OCTET_STRING(ASN1_OCTET_STRING **a,
-             unsigned char **pp, long length)
-        {
-        ASN1_OCTET_STRING *ret=NULL;
-
-        ret=(ASN1_OCTET_STRING *)d2i_ASN1_bytes((ASN1_STRING **)a,
-                pp,length,V_ASN1_OCTET_STRING,V_ASN1_UNIVERSAL);
-        if (ret == NULL)
-                {
-                ASN1err(ASN1_F_D2I_ASN1_OCTET_STRING,ERR_R_NESTED_ASN1_ERROR);
-                return(NULL);
-                }
-        return(ret);
-        }
-
diff --git a/src/lib/libcrypto/asn1/a_print.c b/src/lib/libcrypto/asn1/a_print.c
index b7bd2bd18a..8035513f04 100644
--- a/src/lib/libcrypto/asn1/a_print.c
+++ b/src/lib/libcrypto/asn1/a_print.c
@@ -60,50 +60,6 @@
 #include "cryptlib.h"
 #include <openssl/asn1.h>
 
-ASN1_IA5STRING *ASN1_IA5STRING_new(void)
-{ return M_ASN1_IA5STRING_new();}
-
-void ASN1_IA5STRING_free(ASN1_IA5STRING *x)
-{ M_ASN1_IA5STRING_free(x);}
-
-int i2d_ASN1_IA5STRING(ASN1_IA5STRING *a, unsigned char **pp)
-        { return(M_i2d_ASN1_IA5STRING(a,pp)); }
-
-ASN1_IA5STRING *d2i_ASN1_IA5STRING(ASN1_IA5STRING **a, unsigned char **pp,
-             long l)
-        { return(M_d2i_ASN1_IA5STRING(a,pp,l)); }
-
-ASN1_T61STRING *ASN1_T61STRING_new(void)
-{ return M_ASN1_T61STRING_new();}
-
-void ASN1_T61STRING_free(ASN1_T61STRING *x)
-{ M_ASN1_T61STRING_free(x);}
-
-ASN1_T61STRING *d2i_ASN1_T61STRING(ASN1_T61STRING **a, unsigned char **pp,
-             long l)
-        { return(M_d2i_ASN1_T61STRING(a,pp,l)); }
-
-ASN1_PRINTABLESTRING *ASN1_PRINTABLESTRING_new(void)
-{ return M_ASN1_PRINTABLESTRING_new();}
-
-void ASN1_PRINTABLESTRING_free(ASN1_PRINTABLESTRING *x)
-{ M_ASN1_PRINTABLESTRING_free(x);}
-
-ASN1_PRINTABLESTRING *d2i_ASN1_PRINTABLESTRING(ASN1_PRINTABLESTRING **a,
-             unsigned char **pp, long l)
-        { return(M_d2i_ASN1_PRINTABLESTRING(a,pp,
-             l)); }
-
-int i2d_ASN1_PRINTABLESTRING(ASN1_PRINTABLESTRING *a, unsigned char **pp)
-        { return(M_i2d_ASN1_PRINTABLESTRING(a,pp)); }
-
-int i2d_ASN1_PRINTABLE(ASN1_STRING *a, unsigned char **pp)
-        { return(M_i2d_ASN1_PRINTABLE(a,pp)); }
-
-ASN1_STRING *d2i_ASN1_PRINTABLE(ASN1_STRING **a, unsigned char **pp,
-             long l)
-        { return(M_d2i_ASN1_PRINTABLE(a,pp,l)); }
-
 int ASN1_PRINTABLE_type(unsigned char *s, int len)
         {
         int c;
@@ -169,29 +125,3 @@ int ASN1_UNIVERSALSTRING_to_string(ASN1_UNIVERSALSTRING *s)
         s->type=ASN1_PRINTABLE_type(s->data,s->length);
         return(1);
         }
-
-ASN1_STRING *DIRECTORYSTRING_new(void)
-{ return M_DIRECTORYSTRING_new();}
-
-void DIRECTORYSTRING_free(ASN1_STRING *x)
-{ M_DIRECTORYSTRING_free(x);}
-
-int i2d_DIRECTORYSTRING(ASN1_STRING *a, unsigned char **pp)
-        { return(M_i2d_DIRECTORYSTRING(a,pp)); }
-
-ASN1_STRING *d2i_DIRECTORYSTRING(ASN1_STRING **a, unsigned char **pp,
-             long l)
-        { return(M_d2i_DIRECTORYSTRING(a,pp,l)); }
-
-ASN1_STRING *DISPLAYTEXT_new(void)
-{ return M_DISPLAYTEXT_new();}
-
-void DISPLAYTEXT_free(ASN1_STRING *x)
-{ M_DISPLAYTEXT_free(x);}
-
-int i2d_DISPLAYTEXT(ASN1_STRING *a, unsigned char **pp)
-        { return(M_i2d_DISPLAYTEXT(a,pp)); }
-
-ASN1_STRING *d2i_DISPLAYTEXT(ASN1_STRING **a, unsigned char **pp,
-             long l)
-        { return(M_d2i_DISPLAYTEXT(a,pp,l)); }
diff --git a/src/lib/libcrypto/asn1/a_set.c b/src/lib/libcrypto/asn1/a_set.c
index caf5a1419c..19bb60fca8 100644
--- a/src/lib/libcrypto/asn1/a_set.c
+++ b/src/lib/libcrypto/asn1/a_set.c
@@ -60,6 +60,8 @@
 #include "cryptlib.h"
 #include <openssl/asn1_mac.h>
 
+#ifndef NO_ASN1_OLD
+
 typedef struct
     {
     unsigned char *pbData;
@@ -215,3 +217,4 @@ err:
         return(NULL);
         }
 
+#endif
diff --git a/src/lib/libcrypto/asn1/a_sign.c b/src/lib/libcrypto/asn1/a_sign.c
index 4c651706d2..de53b44144 100644
--- a/src/lib/libcrypto/asn1/a_sign.c
+++ b/src/lib/libcrypto/asn1/a_sign.c
@@ -55,6 +55,59 @@
  * copied and put under another distribution licence
  * [including the GNU Public Licence.]
  */
+/* ====================================================================
+ * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
 
 #include <stdio.h>
 #include <time.h>
@@ -71,6 +124,8 @@
 #include <openssl/objects.h>
 #include <openssl/buffer.h>
 
+#ifndef NO_ASN1_OLD
+
 int ASN1_sign(int (*i2d)(), X509_ALGOR *algor1, X509_ALGOR *algor2,
              ASN1_BIT_STRING *signature, char *data, EVP_PKEY *pkey,
              const EVP_MD *type)
@@ -80,6 +135,7 @@ int ASN1_sign(int (*i2d)(), X509_ALGOR *algor1, X509_ALGOR *algor2,
         int i,inl=0,outl=0,outll=0;
         X509_ALGOR *a;
 
+        EVP_MD_CTX_init(&ctx);
         for (i=0; i<2; i++)
                 {
                 if (i == 0)
@@ -87,7 +143,14 @@ int ASN1_sign(int (*i2d)(), X509_ALGOR *algor1, X509_ALGOR *algor2,
                 else
                         a=algor2;
                 if (a == NULL) continue;
-                if (    (a->parameter == NULL) || 
+                if (type->pkey_type == NID_dsaWithSHA1)
+                        {
+                        /* special case: RFC 2459 tells us to omit 'parameters'
+                         * with id-dsa-with-sha1 */
+                        ASN1_TYPE_free(a->parameter);
+                        a->parameter = NULL;
+                        }
+                else if ((a->parameter == NULL) || 
                         (a->parameter->type != V_ASN1_NULL))
                         {
                         ASN1_TYPE_free(a->parameter);
@@ -120,7 +183,90 @@ int ASN1_sign(int (*i2d)(), X509_ALGOR *algor1, X509_ALGOR *algor2,
         p=buf_in;
 
         i2d(data,&p);
-        EVP_SignInit(&ctx,type);
+        EVP_SignInit_ex(&ctx,type, NULL);
+        EVP_SignUpdate(&ctx,(unsigned char *)buf_in,inl);
+        if (!EVP_SignFinal(&ctx,(unsigned char *)buf_out,
+                        (unsigned int *)&outl,pkey))
+                {
+                outl=0;
+                ASN1err(ASN1_F_ASN1_SIGN,ERR_R_EVP_LIB);
+                goto err;
+                }
+        if (signature->data != NULL) OPENSSL_free(signature->data);
+        signature->data=buf_out;
+        buf_out=NULL;
+        signature->length=outl;
+        /* In the interests of compatibility, I'll make sure that
+         * the bit string has a 'not-used bits' value of 0
+         */
+        signature->flags&= ~(ASN1_STRING_FLAG_BITS_LEFT|0x07);
+        signature->flags|=ASN1_STRING_FLAG_BITS_LEFT;
+err:
+        EVP_MD_CTX_cleanup(&ctx);
+        if (buf_in != NULL)
+                { memset((char *)buf_in,0,(unsigned int)inl); OPENSSL_free(buf_in); }
+        if (buf_out != NULL)
+                { memset((char *)buf_out,0,outll); OPENSSL_free(buf_out); }
+        return(outl);
+        }
+
+#endif
+
+int ASN1_item_sign(const ASN1_ITEM *it, X509_ALGOR *algor1, X509_ALGOR *algor2,
+             ASN1_BIT_STRING *signature, void *asn, EVP_PKEY *pkey,
+             const EVP_MD *type)
+        {
+        EVP_MD_CTX ctx;
+        unsigned char *buf_in=NULL,*buf_out=NULL;
+        int i,inl=0,outl=0,outll=0;
+        X509_ALGOR *a;
+
+        EVP_MD_CTX_init(&ctx);
+        for (i=0; i<2; i++)
+                {
+                if (i == 0)
+                        a=algor1;
+                else
+                        a=algor2;
+                if (a == NULL) continue;
+                if (type->pkey_type == NID_dsaWithSHA1)
+                        {
+                        /* special case: RFC 2459 tells us to omit 'parameters'
+                         * with id-dsa-with-sha1 */
+                        ASN1_TYPE_free(a->parameter);
+                        a->parameter = NULL;
+                        }
+                else if ((a->parameter == NULL) || 
+                        (a->parameter->type != V_ASN1_NULL))
+                        {
+                        ASN1_TYPE_free(a->parameter);
+                        if ((a->parameter=ASN1_TYPE_new()) == NULL) goto err;
+                        a->parameter->type=V_ASN1_NULL;
+                        }
+                ASN1_OBJECT_free(a->algorithm);
+                a->algorithm=OBJ_nid2obj(type->pkey_type);
+                if (a->algorithm == NULL)
+                        {
+                        ASN1err(ASN1_F_ASN1_SIGN,ASN1_R_UNKNOWN_OBJECT_TYPE);
+                        goto err;
+                        }
+                if (a->algorithm->length == 0)
+                        {
+                        ASN1err(ASN1_F_ASN1_SIGN,ASN1_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD);
+                        goto err;
+                        }
+                }
+        inl=ASN1_item_i2d(asn,&buf_in, it);
+        outll=outl=EVP_PKEY_size(pkey);
+        buf_out=(unsigned char *)OPENSSL_malloc((unsigned int)outl);
+        if ((buf_in == NULL) || (buf_out == NULL))
+                {
+                outl=0;
+                ASN1err(ASN1_F_ASN1_SIGN,ERR_R_MALLOC_FAILURE);
+                goto err;
+                }
+
+        EVP_SignInit_ex(&ctx,type, NULL);
         EVP_SignUpdate(&ctx,(unsigned char *)buf_in,inl);
         if (!EVP_SignFinal(&ctx,(unsigned char *)buf_out,
                         (unsigned int *)&outl,pkey))
@@ -139,7 +285,7 @@ int ASN1_sign(int (*i2d)(), X509_ALGOR *algor1, X509_ALGOR *algor2,
         signature->flags&= ~(ASN1_STRING_FLAG_BITS_LEFT|0x07);
         signature->flags|=ASN1_STRING_FLAG_BITS_LEFT;
 err:
-        memset(&ctx,0,sizeof(ctx));
+        EVP_MD_CTX_cleanup(&ctx);
         if (buf_in != NULL)
                 { memset((char *)buf_in,0,(unsigned int)inl); OPENSSL_free(buf_in); }
         if (buf_out != NULL)
diff --git a/src/lib/libcrypto/asn1/a_strex.c b/src/lib/libcrypto/asn1/a_strex.c
index 569b811998..128aa7e772 100644
--- a/src/lib/libcrypto/asn1/a_strex.c
+++ b/src/lib/libcrypto/asn1/a_strex.c
@@ -371,6 +371,8 @@ static int do_indent(char_io *io_ch, void *arg, int indent)
         return 1;
 }
 
+#define FN_WIDTH_LN     25
+#define FN_WIDTH_SN     10
 
 static int do_name_ex(char_io *io_ch, void *arg, X509_NAME *n,
                                 int indent, unsigned long flags)
@@ -456,19 +458,29 @@ static int do_name_ex(char_io *io_ch, void *arg, X509_NAME *n,
                 val = X509_NAME_ENTRY_get_data(ent);
                 fn_nid = OBJ_obj2nid(fn);
                 if(fn_opt != XN_FLAG_FN_NONE) {
-                        int objlen;
+                        int objlen, fld_len;
                         if((fn_opt == XN_FLAG_FN_OID) || (fn_nid==NID_undef) ) {
                                 OBJ_obj2txt(objtmp, 80, fn, 1);
+                                fld_len = 0; /* XXX: what should this be? */
                                 objbuf = objtmp;
                         } else {
-                                if(fn_opt == XN_FLAG_FN_SN) 
+                                if(fn_opt == XN_FLAG_FN_SN) {
+                                        fld_len = FN_WIDTH_SN;
                                         objbuf = OBJ_nid2sn(fn_nid);
-                                else if(fn_opt == XN_FLAG_FN_LN)
+                                } else if(fn_opt == XN_FLAG_FN_LN) {
+                                        fld_len = FN_WIDTH_LN;
                                         objbuf = OBJ_nid2ln(fn_nid);
-                                else objbuf = "";
+                                } else {
+                                        fld_len = 0; /* XXX: what should this be? */
+                                        objbuf = "";
+                                }
                         }
                         objlen = strlen(objbuf);
                         if(!io_ch(arg, objbuf, objlen)) return -1;
+                        if ((objlen < fld_len) && (flags & XN_FLAG_FN_ALIGN)) {
+                                if (!do_indent(io_ch, arg, fld_len - objlen)) return -1;
+                                outlen += fld_len - objlen;
+                        }
                         if(!io_ch(arg, sep_eq, sep_eq_len)) return -1;
                         outlen += objlen + sep_eq_len;
                 }
@@ -491,12 +503,24 @@ static int do_name_ex(char_io *io_ch, void *arg, X509_NAME *n,
 
 int X509_NAME_print_ex(BIO *out, X509_NAME *nm, int indent, unsigned long flags)
 {
+        if(flags == XN_FLAG_COMPAT)
+                return X509_NAME_print(out, nm, indent);
         return do_name_ex(send_bio_chars, out, nm, indent, flags);
 }
 
 
 int X509_NAME_print_ex_fp(FILE *fp, X509_NAME *nm, int indent, unsigned long flags)
 {
+        if(flags == XN_FLAG_COMPAT)
+                {
+                BIO *btmp;
+                int ret;
+                btmp = BIO_new_fp(fp, BIO_NOCLOSE);
+                if(!btmp) return -1;
+                ret = X509_NAME_print(btmp, nm, indent);
+                BIO_free(btmp);
+                return ret;
+                }
         return do_name_ex(send_fp_chars, fp, nm, indent, flags);
 }
 
diff --git a/src/lib/libcrypto/asn1/a_strnid.c b/src/lib/libcrypto/asn1/a_strnid.c
index 732e68fe46..04789d1c63 100644
--- a/src/lib/libcrypto/asn1/a_strnid.c
+++ b/src/lib/libcrypto/asn1/a_strnid.c
@@ -105,9 +105,9 @@ int ASN1_STRING_set_default_mask_asc(char *p)
                 mask = strtoul(p + 5, &end, 0);
                 if(*end) return 0;
         } else if(!strcmp(p, "nombstr"))
-                         mask = ~(B_ASN1_BMPSTRING|B_ASN1_UTF8STRING);
+                         mask = ~((unsigned long)(B_ASN1_BMPSTRING|B_ASN1_UTF8STRING));
         else if(!strcmp(p, "pkix"))
-                        mask = ~B_ASN1_T61STRING;
+                        mask = ~((unsigned long)B_ASN1_T61STRING);
         else if(!strcmp(p, "utf8only")) mask = B_ASN1_UTF8STRING;
         else if(!strcmp(p, "default"))
             mask = 0xFFFFFFFFL;
@@ -170,8 +170,10 @@ static ASN1_STRING_TABLE tbl_standard[] = {
 {NID_givenName,                 1, ub_name, DIRSTRING_TYPE, 0},
 {NID_surname,                   1, ub_name, DIRSTRING_TYPE, 0},
 {NID_initials,                  1, ub_name, DIRSTRING_TYPE, 0},
+{NID_friendlyName,              -1, -1, B_ASN1_BMPSTRING, STABLE_NO_MASK},
 {NID_name,                      1, ub_name, DIRSTRING_TYPE, 0},
-{NID_dnQualifier,               -1, -1, B_ASN1_PRINTABLESTRING, STABLE_NO_MASK}
+{NID_dnQualifier,               -1, -1, B_ASN1_PRINTABLESTRING, STABLE_NO_MASK},
+{NID_ms_csp_name,               -1, -1, B_ASN1_BMPSTRING, STABLE_NO_MASK}
 };
 
 static int sk_table_cmp(const ASN1_STRING_TABLE * const *a,
diff --git a/src/lib/libcrypto/asn1/a_time.c b/src/lib/libcrypto/asn1/a_time.c
index 8c0ddee4ac..27ddd30899 100644
--- a/src/lib/libcrypto/asn1/a_time.c
+++ b/src/lib/libcrypto/asn1/a_time.c
@@ -64,14 +64,14 @@
 #include <stdio.h>
 #include <time.h>
 #include "cryptlib.h"
-#include <openssl/asn1.h>
+#include "o_time.h"
+#include <openssl/asn1t.h>
 
-ASN1_TIME *ASN1_TIME_new(void)
-{ return M_ASN1_TIME_new(); }
+IMPLEMENT_ASN1_MSTRING(ASN1_TIME, B_ASN1_TIME)
 
-void ASN1_TIME_free(ASN1_TIME *x)
-{ M_ASN1_TIME_free(x); }
+IMPLEMENT_ASN1_FUNCTIONS(ASN1_TIME)
 
+#if 0
 int i2d_ASN1_TIME(ASN1_TIME *a, unsigned char **pp)
         {
 #ifdef CHARSET_EBCDIC
@@ -95,33 +95,64 @@ int i2d_ASN1_TIME(ASN1_TIME *a, unsigned char **pp)
         ASN1err(ASN1_F_I2D_ASN1_TIME,ASN1_R_EXPECTING_A_TIME);
         return -1;
         }
-
-
-ASN1_TIME *d2i_ASN1_TIME(ASN1_TIME **a, unsigned char **pp, long length)
-        {
-        unsigned char tag;
-        tag = **pp & ~V_ASN1_CONSTRUCTED;
-        if(tag == (V_ASN1_UTCTIME|V_ASN1_UNIVERSAL))
-                                         return d2i_ASN1_UTCTIME(a, pp, length);
-        if(tag == (V_ASN1_GENERALIZEDTIME|V_ASN1_UNIVERSAL))
-                                return d2i_ASN1_GENERALIZEDTIME(a, pp, length);
-        ASN1err(ASN1_F_D2I_ASN1_TIME,ASN1_R_EXPECTING_A_TIME);
-        return(NULL);
-        }
+#endif
 
 
 ASN1_TIME *ASN1_TIME_set(ASN1_TIME *s, time_t t)
         {
         struct tm *ts;
-#if defined(THREADS) && !defined(WIN32) && !defined(__CYGWIN32__)
         struct tm data;
 
-        gmtime_r(&t,&data);
-        ts=&data; /* should return &data, but doesn't on some systems, so we don't even look at the return value */
-#else
-        ts=gmtime(&t);
-#endif
+        ts=OPENSSL_gmtime(&t,&data);
+        if (ts == NULL)
+                return NULL;
         if((ts->tm_year >= 50) && (ts->tm_year < 150))
                                         return ASN1_UTCTIME_set(s, t);
         return ASN1_GENERALIZEDTIME_set(s,t);
         }
+
+int ASN1_TIME_check(ASN1_TIME *t)
+        {
+        if (t->type == V_ASN1_GENERALIZEDTIME)
+                return ASN1_GENERALIZEDTIME_check(t);
+        else if (t->type == V_ASN1_UTCTIME)
+                return ASN1_UTCTIME_check(t);
+        return 0;
+        }
+
+/* Convert an ASN1_TIME structure to GeneralizedTime */
+ASN1_GENERALIZEDTIME *ASN1_TIME_to_generalizedtime(ASN1_TIME *t, ASN1_GENERALIZEDTIME **out)
+        {
+        ASN1_GENERALIZEDTIME *ret;
+        char *str;
+
+        if (!ASN1_TIME_check(t)) return NULL;
+
+        if (!out || !*out)
+                {
+                if (!(ret = ASN1_GENERALIZEDTIME_new ()))
+                        return NULL;
+                if (out) *out = ret;
+                }
+        else ret = *out;
+
+        /* If already GeneralizedTime just copy across */
+        if (t->type == V_ASN1_GENERALIZEDTIME)
+                {
+                if(!ASN1_STRING_set(ret, t->data, t->length))
+                        return NULL;
+                return ret;
+                }
+
+        /* grow the string */
+        if (!ASN1_STRING_set(ret, NULL, t->length + 2))
+                return NULL;
+        str = (char *)ret->data;
+        /* Work out the century and prepend */
+        if (t->data[0] >= '5') strcpy(str, "19");
+        else strcpy(str, "20");
+
+        strcat(str, (char *)t->data);
+
+        return ret;
+        }
diff --git a/src/lib/libcrypto/asn1/a_type.c b/src/lib/libcrypto/asn1/a_type.c
index e72a6b29e0..96e111cf23 100644
--- a/src/lib/libcrypto/asn1/a_type.c
+++ b/src/lib/libcrypto/asn1/a_type.c
@@ -57,236 +57,8 @@
  */
 
 #include <stdio.h>
+#include <openssl/asn1t.h>
 #include "cryptlib.h"
-#include <openssl/asn1_mac.h>
-
-static void ASN1_TYPE_component_free(ASN1_TYPE *a);
-int i2d_ASN1_TYPE(ASN1_TYPE *a, unsigned char **pp)
-        {
-        int r=0;
-
-        if (a == NULL) return(0);
-
-        switch (a->type)
-                {
-        case V_ASN1_NULL:
-                if (pp != NULL)
-                        ASN1_put_object(pp,0,0,V_ASN1_NULL,V_ASN1_UNIVERSAL);
-                r=2;
-                break;
-        case V_ASN1_INTEGER:
-        case V_ASN1_NEG_INTEGER:
-                r=i2d_ASN1_INTEGER(a->value.integer,pp);
-                break;
-        case V_ASN1_ENUMERATED:
-        case V_ASN1_NEG_ENUMERATED:
-                r=i2d_ASN1_ENUMERATED(a->value.enumerated,pp);
-                break;
-        case V_ASN1_BIT_STRING:
-                r=i2d_ASN1_BIT_STRING(a->value.bit_string,pp);
-                break;
-        case V_ASN1_OCTET_STRING:
-                r=i2d_ASN1_OCTET_STRING(a->value.octet_string,pp);
-                break;
-        case V_ASN1_OBJECT:
-                r=i2d_ASN1_OBJECT(a->value.object,pp);
-                break;
-        case V_ASN1_PRINTABLESTRING:
-                r=M_i2d_ASN1_PRINTABLESTRING(a->value.printablestring,pp);
-                break;
-        case V_ASN1_T61STRING:
-                r=M_i2d_ASN1_T61STRING(a->value.t61string,pp);
-                break;
-        case V_ASN1_IA5STRING:
-                r=M_i2d_ASN1_IA5STRING(a->value.ia5string,pp);
-                break;
-        case V_ASN1_GENERALSTRING:
-                r=M_i2d_ASN1_GENERALSTRING(a->value.generalstring,pp);
-                break;
-        case V_ASN1_UNIVERSALSTRING:
-                r=M_i2d_ASN1_UNIVERSALSTRING(a->value.universalstring,pp);
-                break;
-        case V_ASN1_UTF8STRING:
-                r=M_i2d_ASN1_UTF8STRING(a->value.utf8string,pp);
-                break;
-        case V_ASN1_VISIBLESTRING:
-                r=M_i2d_ASN1_VISIBLESTRING(a->value.visiblestring,pp);
-                break;
-        case V_ASN1_BMPSTRING:
-                r=M_i2d_ASN1_BMPSTRING(a->value.bmpstring,pp);
-                break;
-        case V_ASN1_UTCTIME:
-                r=i2d_ASN1_UTCTIME(a->value.utctime,pp);
-                break;
-        case V_ASN1_GENERALIZEDTIME:
-                r=i2d_ASN1_GENERALIZEDTIME(a->value.generalizedtime,pp);
-                break;
-        case V_ASN1_SET:
-        case V_ASN1_SEQUENCE:
-        case V_ASN1_OTHER:
-        default:
-                if (a->value.set == NULL)
-                        r=0;
-                else
-                        {
-                        r=a->value.set->length;
-                        if (pp != NULL)
-                                {
-                                memcpy(*pp,a->value.set->data,r);
-                                *pp+=r;
-                                }
-                        }
-                break;
-                }
-        return(r);
-        }
-
-ASN1_TYPE *d2i_ASN1_TYPE(ASN1_TYPE **a, unsigned char **pp, long length)
-        {
-        ASN1_TYPE *ret=NULL;
-        unsigned char *q,*p,*max;
-        int inf,tag,xclass;
-        long len;
-
-        if ((a == NULL) || ((*a) == NULL))
-                {
-                if ((ret=ASN1_TYPE_new()) == NULL) goto err;
-                }
-        else
-                ret=(*a);
-
-        p= *pp;
-        q=p;
-        max=(p+length);
-
-        inf=ASN1_get_object(&q,&len,&tag,&xclass,length);
-        if (inf & 0x80) goto err;
-        /* If not universal tag we've no idea what it is */
-        if(xclass != V_ASN1_UNIVERSAL) tag = V_ASN1_OTHER;
-        
-        ASN1_TYPE_component_free(ret);
-
-        switch (tag)
-                {
-        case V_ASN1_NULL:
-                p=q;
-                ret->value.ptr=NULL;
-                break;
-        case V_ASN1_INTEGER:
-                if ((ret->value.integer=
-                        d2i_ASN1_INTEGER(NULL,&p,max-p)) == NULL)
-                        goto err;
-                break;
-        case V_ASN1_ENUMERATED:
-                if ((ret->value.enumerated=
-                        d2i_ASN1_ENUMERATED(NULL,&p,max-p)) == NULL)
-                        goto err;
-                break;
-        case V_ASN1_BIT_STRING:
-                if ((ret->value.bit_string=
-                        d2i_ASN1_BIT_STRING(NULL,&p,max-p)) == NULL)
-                        goto err;
-                break;
-        case V_ASN1_OCTET_STRING:
-                if ((ret->value.octet_string=
-                        d2i_ASN1_OCTET_STRING(NULL,&p,max-p)) == NULL)
-                        goto err;
-                break;
-        case V_ASN1_VISIBLESTRING:
-                if ((ret->value.visiblestring=
-                        d2i_ASN1_VISIBLESTRING(NULL,&p,max-p)) == NULL)
-                        goto err;
-                break;
-        case V_ASN1_UTF8STRING:
-                if ((ret->value.utf8string=
-                        d2i_ASN1_UTF8STRING(NULL,&p,max-p)) == NULL)
-                        goto err;
-                break;
-        case V_ASN1_OBJECT:
-                if ((ret->value.object=
-                        d2i_ASN1_OBJECT(NULL,&p,max-p)) == NULL)
-                        goto err;
-                break;
-        case V_ASN1_PRINTABLESTRING:
-                if ((ret->value.printablestring=
-                        d2i_ASN1_PRINTABLESTRING(NULL,&p,max-p)) == NULL)
-                        goto err;
-                break;
-        case V_ASN1_T61STRING:
-                if ((ret->value.t61string=
-                        M_d2i_ASN1_T61STRING(NULL,&p,max-p)) == NULL)
-                        goto err;
-                break;
-        case V_ASN1_IA5STRING:
-                if ((ret->value.ia5string=
-                        M_d2i_ASN1_IA5STRING(NULL,&p,max-p)) == NULL)
-                        goto err;
-                break;
-        case V_ASN1_GENERALSTRING:
-                if ((ret->value.generalstring=
-                        M_d2i_ASN1_GENERALSTRING(NULL,&p,max-p)) == NULL)
-                        goto err;
-                break;
-        case V_ASN1_UNIVERSALSTRING:
-                if ((ret->value.universalstring=
-                        M_d2i_ASN1_UNIVERSALSTRING(NULL,&p,max-p)) == NULL)
-                        goto err;
-                break;
-        case V_ASN1_BMPSTRING:
-                if ((ret->value.bmpstring=
-                        M_d2i_ASN1_BMPSTRING(NULL,&p,max-p)) == NULL)
-                        goto err;
-                break;
-        case V_ASN1_UTCTIME:
-                if ((ret->value.utctime=
-                        d2i_ASN1_UTCTIME(NULL,&p,max-p)) == NULL)
-                        goto err;
-                break;
-        case V_ASN1_GENERALIZEDTIME:
-                if ((ret->value.generalizedtime=
-                        d2i_ASN1_GENERALIZEDTIME(NULL,&p,max-p)) == NULL)
-                        goto err;
-                break;
-        case V_ASN1_SET:
-        case V_ASN1_SEQUENCE:
-        case V_ASN1_OTHER:
-        default:
-                /* Sets and sequences are left complete */
-                if ((ret->value.set=ASN1_STRING_new()) == NULL) goto err;
-                ret->value.set->type=tag;
-                len+=(q-p);
-                if (!ASN1_STRING_set(ret->value.set,p,(int)len)) goto err;
-                p+=len;
-                break;
-                }
-
-        ret->type=tag;
-        if (a != NULL) (*a)=ret;
-        *pp=p;
-        return(ret);
-err:
-        if ((ret != NULL) && ((a == NULL) || (*a != ret))) ASN1_TYPE_free(ret);
-        return(NULL);
-        }
-
-ASN1_TYPE *ASN1_TYPE_new(void)
-        {
-        ASN1_TYPE *ret=NULL;
-        ASN1_CTX c;
-
-        M_ASN1_New_Malloc(ret,ASN1_TYPE);
-        ret->type= -1;
-        ret->value.ptr=NULL;
-        return(ret);
-        M_ASN1_New_Error(ASN1_F_ASN1_TYPE_NEW);
-        }
-
-void ASN1_TYPE_free(ASN1_TYPE *a)
-        {
-        if (a == NULL) return;
-        ASN1_TYPE_component_free(a);
-        OPENSSL_free(a);
-        }
 
 int ASN1_TYPE_get(ASN1_TYPE *a)
         {
@@ -299,54 +71,11 @@ int ASN1_TYPE_get(ASN1_TYPE *a)
 void ASN1_TYPE_set(ASN1_TYPE *a, int type, void *value)
         {
         if (a->value.ptr != NULL)
-                ASN1_TYPE_component_free(a);
+                ASN1_primitive_free((ASN1_VALUE **)&a, NULL);
         a->type=type;
         a->value.ptr=value;
         }
 
-static void ASN1_TYPE_component_free(ASN1_TYPE *a)
-        {
-        if (a == NULL) return;
-
-        if (a->value.ptr != NULL)
-                {
-                switch (a->type)
-                        {
-                case V_ASN1_OBJECT:
-                        ASN1_OBJECT_free(a->value.object);
-                        break;
-                case V_ASN1_NULL:
-                        break;
-                case V_ASN1_INTEGER:
-                case V_ASN1_NEG_INTEGER:
-                case V_ASN1_ENUMERATED:
-                case V_ASN1_NEG_ENUMERATED:
-                case V_ASN1_BIT_STRING:
-                case V_ASN1_OCTET_STRING:
-                case V_ASN1_SEQUENCE:
-                case V_ASN1_SET:
-                case V_ASN1_NUMERICSTRING:
-                case V_ASN1_PRINTABLESTRING:
-                case V_ASN1_T61STRING:
-                case V_ASN1_VIDEOTEXSTRING:
-                case V_ASN1_IA5STRING:
-                case V_ASN1_UTCTIME:
-                case V_ASN1_GENERALIZEDTIME:
-                case V_ASN1_GRAPHICSTRING:
-                case V_ASN1_VISIBLESTRING:
-                case V_ASN1_GENERALSTRING:
-                case V_ASN1_UNIVERSALSTRING:
-                case V_ASN1_BMPSTRING:
-                case V_ASN1_UTF8STRING:
-                case V_ASN1_OTHER:
-                default:
-                        ASN1_STRING_free((ASN1_STRING *)a->value.ptr);
-                        break;
-                        }
-                a->type=0;
-                a->value.ptr=NULL;
-                }
-        }
 
 IMPLEMENT_STACK_OF(ASN1_TYPE)
 IMPLEMENT_ASN1_SET_OF(ASN1_TYPE)
diff --git a/src/lib/libcrypto/asn1/a_utctm.c b/src/lib/libcrypto/asn1/a_utctm.c
index d381c9e0d1..ed2d827db2 100644
--- a/src/lib/libcrypto/asn1/a_utctm.c
+++ b/src/lib/libcrypto/asn1/a_utctm.c
@@ -58,20 +58,11 @@
 
 #include <stdio.h>
 #include <time.h>
-#ifdef VMS
-#include <descrip.h>
-#include <lnmdef.h>
-#include <starlet.h>
-#endif
 #include "cryptlib.h"
+#include "o_time.h"
 #include <openssl/asn1.h>
 
-ASN1_UTCTIME *ASN1_UTCTIME_new(void)
-{ return M_ASN1_UTCTIME_new(); }
-
-void ASN1_UTCTIME_free(ASN1_UTCTIME *x)
-{ M_ASN1_UTCTIME_free(x); }
-
+#if 0
 int i2d_ASN1_UTCTIME(ASN1_UTCTIME *a, unsigned char **pp)
         {
 #ifndef CHARSET_EBCDIC
@@ -119,6 +110,8 @@ err:
         return(NULL);
         }
 
+#endif
+
 int ASN1_UTCTIME_check(ASN1_UTCTIME *d)
         {
         static int min[8]={ 0, 1, 1, 0, 0, 0, 0, 0};
@@ -182,6 +175,7 @@ int ASN1_UTCTIME_set_string(ASN1_UTCTIME *s, char *str)
                         {
                         ASN1_STRING_set((ASN1_STRING *)s,
                                 (unsigned char *)str,t.length);
+                        s->type = V_ASN1_UTCTIME;
                         }
                 return(1);
                 }
@@ -193,59 +187,17 @@ ASN1_UTCTIME *ASN1_UTCTIME_set(ASN1_UTCTIME *s, time_t t)
         {
         char *p;
         struct tm *ts;
-#if defined(THREADS) && !defined(WIN32) && !defined(__CYGWIN32__)
-
         struct tm data;
-#endif
 
         if (s == NULL)
                 s=M_ASN1_UTCTIME_new();
         if (s == NULL)
                 return(NULL);
 
-#if defined(THREADS) && !defined(WIN32) && !defined(__CYGWIN32__)
-        gmtime_r(&t,&data); /* should return &data, but doesn't on some systems, so we don't even look at the return value */
-        ts=&data;
-#else
-        ts=gmtime(&t);
-#endif
-#ifdef VMS
+        ts=OPENSSL_gmtime(&t, &data);
         if (ts == NULL)
-                {
-                static $DESCRIPTOR(tabnam,"LNM$DCL_LOGICAL");
-                static $DESCRIPTOR(lognam,"SYS$TIMEZONE_DIFFERENTIAL");
-                char result[256];
-                unsigned int reslen = 0;
-                struct {
-                        short buflen;
-                        short code;
-                        void *bufaddr;
-                        unsigned int *reslen;
-                } itemlist[] = {
-                        { 0, LNM$_STRING, 0, 0 },
-                        { 0, 0, 0, 0 },
-                };
-                int status;
-
-                /* Get the value for SYS$TIMEZONE_DIFFERENTIAL */
-                itemlist[0].buflen = sizeof(result);
-                itemlist[0].bufaddr = result;
-                itemlist[0].reslen = &reslen;
-                status = sys$trnlnm(0, &tabnam, &lognam, 0, itemlist);
-                if (!(status & 1))
-                        return NULL;
-                result[reslen] = '\0';
-
-                /* Get the numerical value of the equivalence string */
-                status = atoi(result);
-
-                /* and use it to move time to GMT */
-                t -= status;
-
-                /* then convert the result to the time structure */
-                ts=(struct tm *)localtime(&t);
-                }
-#endif
+                return(NULL);
+
         p=(char *)s->data;
         if ((p == NULL) || (s->length < 14))
                 {
@@ -286,11 +238,7 @@ int ASN1_UTCTIME_cmp_time_t(const ASN1_UTCTIME *s, time_t t)
 
         t -= offset*60; /* FIXME: may overflow in extreme cases */
 
-#if defined(THREADS) && !defined(WIN32) && !defined(__CYGWIN32__)
-        { struct tm data; gmtime_r(&t, &data); tm = &data; }
-#else
-        tm = gmtime(&t);
-#endif
+        { struct tm data; tm = OPENSSL_gmtime(&t, &data); }
         
 #define return_cmp(a,b) if ((a)<(b)) return -1; else if ((a)>(b)) return 1
         year = g2(s->data);
diff --git a/src/lib/libcrypto/asn1/a_utf8.c b/src/lib/libcrypto/asn1/a_utf8.c
index 854278f136..508e11e527 100644
--- a/src/lib/libcrypto/asn1/a_utf8.c
+++ b/src/lib/libcrypto/asn1/a_utf8.c
@@ -60,33 +60,6 @@
 #include "cryptlib.h"
 #include <openssl/asn1.h>
 
-ASN1_UTF8STRING *ASN1_UTF8STRING_new(void)
-{ return M_ASN1_UTF8STRING_new();}
-
-void ASN1_UTF8STRING_free(ASN1_UTF8STRING *x)
-{ M_ASN1_UTF8STRING_free(x);}
-
-int i2d_ASN1_UTF8STRING(ASN1_UTF8STRING *a, unsigned char **pp)
-        {
-        return(i2d_ASN1_bytes((ASN1_STRING *)a,pp,
-                V_ASN1_UTF8STRING,V_ASN1_UNIVERSAL));
-        }
-
-ASN1_UTF8STRING *d2i_ASN1_UTF8STRING(ASN1_UTF8STRING **a, unsigned char **pp,
-             long length)
-        {
-        ASN1_UTF8STRING *ret=NULL;
-
-        ret=(ASN1_UTF8STRING *)d2i_ASN1_bytes((ASN1_STRING **)a,
-                pp,length,V_ASN1_UTF8STRING,V_ASN1_UNIVERSAL);
-        if (ret == NULL)
-                {
-                ASN1err(ASN1_F_D2I_ASN1_UTF8STRING,ERR_R_NESTED_ASN1_ERROR);
-                return(NULL);
-                }
-        return(ret);
-        }
-
 
 /* UTF8 utilities */
 
diff --git a/src/lib/libcrypto/asn1/a_verify.c b/src/lib/libcrypto/asn1/a_verify.c
index 2a11927e5c..bf41de5146 100644
--- a/src/lib/libcrypto/asn1/a_verify.c
+++ b/src/lib/libcrypto/asn1/a_verify.c
@@ -71,6 +71,8 @@
 #include <openssl/buffer.h>
 #include <openssl/evp.h>
 
+#ifndef NO_ASN1_OLD
+
 int ASN1_verify(int (*i2d)(), X509_ALGOR *a, ASN1_BIT_STRING *signature,
              char *data, EVP_PKEY *pkey)
         {
@@ -79,6 +81,7 @@ int ASN1_verify(int (*i2d)(), X509_ALGOR *a, ASN1_BIT_STRING *signature,
         unsigned char *p,*buf_in=NULL;
         int ret= -1,i,inl;
 
+        EVP_MD_CTX_init(&ctx);
         i=OBJ_obj2nid(a->algorithm);
         type=EVP_get_digestbyname(OBJ_nid2sn(i));
         if (type == NULL)
@@ -97,7 +100,57 @@ int ASN1_verify(int (*i2d)(), X509_ALGOR *a, ASN1_BIT_STRING *signature,
         p=buf_in;
 
         i2d(data,&p);
-        EVP_VerifyInit(&ctx,type);
+        EVP_VerifyInit_ex(&ctx,type, NULL);
+        EVP_VerifyUpdate(&ctx,(unsigned char *)buf_in,inl);
+
+        memset(buf_in,0,(unsigned int)inl);
+        OPENSSL_free(buf_in);
+
+        if (EVP_VerifyFinal(&ctx,(unsigned char *)signature->data,
+                        (unsigned int)signature->length,pkey) <= 0)
+                {
+                ASN1err(ASN1_F_ASN1_VERIFY,ERR_R_EVP_LIB);
+                ret=0;
+                goto err;
+                }
+        /* we don't need to zero the 'ctx' because we just checked
+         * public information */
+        /* memset(&ctx,0,sizeof(ctx)); */
+        ret=1;
+err:
+        EVP_MD_CTX_cleanup(&ctx);
+        return(ret);
+        }
+
+#endif
+
+
+int ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *a, ASN1_BIT_STRING *signature,
+             void *asn, EVP_PKEY *pkey)
+        {
+        EVP_MD_CTX ctx;
+        const EVP_MD *type;
+        unsigned char *buf_in=NULL;
+        int ret= -1,i,inl;
+
+        EVP_MD_CTX_init(&ctx);
+        i=OBJ_obj2nid(a->algorithm);
+        type=EVP_get_digestbyname(OBJ_nid2sn(i));
+        if (type == NULL)
+                {
+                ASN1err(ASN1_F_ASN1_VERIFY,ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM);
+                goto err;
+                }
+
+        inl = ASN1_item_i2d(asn, &buf_in, it);
+        
+        if (buf_in == NULL)
+                {
+                ASN1err(ASN1_F_ASN1_VERIFY,ERR_R_MALLOC_FAILURE);
+                goto err;
+                }
+
+        EVP_VerifyInit_ex(&ctx,type, NULL);
         EVP_VerifyUpdate(&ctx,(unsigned char *)buf_in,inl);
 
         memset(buf_in,0,(unsigned int)inl);
@@ -115,5 +168,8 @@ int ASN1_verify(int (*i2d)(), X509_ALGOR *a, ASN1_BIT_STRING *signature,
         /* memset(&ctx,0,sizeof(ctx)); */
         ret=1;
 err:
+        EVP_MD_CTX_cleanup(&ctx);
         return(ret);
         }
+
+
diff --git a/src/lib/libcrypto/asn1/asn1.h b/src/lib/libcrypto/asn1/asn1.h
index 6f956b1963..0d1713f8dd 100644
--- a/src/lib/libcrypto/asn1/asn1.h
+++ b/src/lib/libcrypto/asn1/asn1.h
@@ -60,15 +60,24 @@
 #define HEADER_ASN1_H
 
 #include <time.h>
-#ifndef NO_BIO
+#ifndef OPENSSL_NO_BIO
 #include <openssl/bio.h>
 #endif
+#include <openssl/e_os2.h>
 #include <openssl/bn.h>
 #include <openssl/stack.h>
 #include <openssl/safestack.h>
 
 #include <openssl/symhacks.h>
 
+#include <openssl/e_os2.h>
+#include <openssl/ossl_typ.h>
+
+#ifdef OPENSSL_BUILD_SHLIBCRYPTO
+# undef OPENSSL_EXTERN
+# define OPENSSL_EXTERN OPENSSL_EXPORT
+#endif
+
 #ifdef  __cplusplus
 extern "C" {
 #endif
@@ -84,6 +93,7 @@ extern "C" {
 
 #define V_ASN1_APP_CHOOSE               -2      /* let the recipient choose */
 #define V_ASN1_OTHER                    -3      /* used in ASN1_TYPE */
+#define V_ASN1_ANY                      -4      /* used in ASN1 template code */
 
 #define V_ASN1_NEG                      0x100   /* negative flag */
 
@@ -136,6 +146,8 @@ extern "C" {
 #define B_ASN1_BMPSTRING        0x0800
 #define B_ASN1_UNKNOWN          0x1000
 #define B_ASN1_UTF8STRING       0x2000
+#define B_ASN1_UTCTIME          0x4000
+#define B_ASN1_GENERALIZEDTIME  0x8000
 
 /* For use with ASN1_mbstring_copy() */
 #define MBSTRING_FLAG           0x1000
@@ -193,6 +205,21 @@ typedef struct asn1_string_st
         long flags;
         } ASN1_STRING;
 
+/* ASN1_ENCODING structure: this is used to save the received
+ * encoding of an ASN1 type. This is useful to get round
+ * problems with invalid encodings which can break signatures.
+ */
+
+typedef struct ASN1_ENCODING_st
+        {
+        unsigned char *enc;     /* DER encoding */
+        long len;               /* Length of encoding */
+        int modified;            /* set to 1 if 'enc' is invalid */
+        } ASN1_ENCODING;
+
+/* Used with ASN1 LONG type: if a long is set to this it is omitted */
+#define ASN1_LONG_UNDEF 0x7fffffffL
+
 #define STABLE_FLAGS_MALLOC     0x01
 #define STABLE_NO_MASK          0x02
 #define DIRSTRING_TYPE  \
@@ -220,43 +247,116 @@ DECLARE_STACK_OF(ASN1_STRING_TABLE)
 #define ub_title                        64
 #define ub_email_address                128
 
-#ifdef NO_ASN1_TYPEDEFS
-#define ASN1_INTEGER            ASN1_STRING
-#define ASN1_ENUMERATED         ASN1_STRING
-#define ASN1_BIT_STRING         ASN1_STRING
-#define ASN1_OCTET_STRING       ASN1_STRING
-#define ASN1_PRINTABLESTRING    ASN1_STRING
-#define ASN1_T61STRING          ASN1_STRING
-#define ASN1_IA5STRING          ASN1_STRING
-#define ASN1_UTCTIME            ASN1_STRING
-#define ASN1_GENERALIZEDTIME    ASN1_STRING
-#define ASN1_TIME               ASN1_STRING
-#define ASN1_GENERALSTRING      ASN1_STRING
-#define ASN1_UNIVERSALSTRING    ASN1_STRING
-#define ASN1_BMPSTRING          ASN1_STRING
-#define ASN1_VISIBLESTRING      ASN1_STRING
-#define ASN1_UTF8STRING         ASN1_STRING
-#define ASN1_BOOLEAN            int
+/* Declarations for template structures: for full definitions
+ * see asn1t.h
+ */
+typedef struct ASN1_TEMPLATE_st ASN1_TEMPLATE;
+typedef struct ASN1_ITEM_st ASN1_ITEM;
+typedef struct ASN1_TLC_st ASN1_TLC;
+/* This is just an opaque pointer */
+typedef struct ASN1_VALUE_st ASN1_VALUE;
+
+/* Declare ASN1 functions: the implement macro in in asn1t.h */
+
+#define DECLARE_ASN1_FUNCTIONS(type) DECLARE_ASN1_FUNCTIONS_name(type, type)
+
+#define DECLARE_ASN1_FUNCTIONS_name(type, name) \
+        type *name##_new(void); \
+        void name##_free(type *a); \
+        DECLARE_ASN1_ENCODE_FUNCTIONS(type, name, name)
+
+#define DECLARE_ASN1_FUNCTIONS_fname(type, itname, name) \
+        type *name##_new(void); \
+        void name##_free(type *a); \
+        DECLARE_ASN1_ENCODE_FUNCTIONS(type, itname, name)
+
+#define DECLARE_ASN1_ENCODE_FUNCTIONS(type, itname, name) \
+        type *d2i_##name(type **a, unsigned char **in, long len); \
+        int i2d_##name(type *a, unsigned char **out); \
+        DECLARE_ASN1_ITEM(itname)
+
+#define DECLARE_ASN1_ENCODE_FUNCTIONS_const(type, name) \
+        type *d2i_##name(type **a, const unsigned char **in, long len); \
+        int i2d_##name(const type *a, unsigned char **out); \
+        DECLARE_ASN1_ITEM(name)
+
+#define DECLARE_ASN1_FUNCTIONS_const(name) \
+        name *name##_new(void); \
+        void name##_free(name *a);
+
+
+/* The following macros and typedefs allow an ASN1_ITEM
+ * to be embedded in a structure and referenced. Since
+ * the ASN1_ITEM pointers need to be globally accessible
+ * (possibly from shared libraries) they may exist in
+ * different forms. On platforms that support it the
+ * ASN1_ITEM structure itself will be globally exported.
+ * Other platforms will export a function that returns
+ * an ASN1_ITEM pointer.
+ *
+ * To handle both cases transparently the macros below
+ * should be used instead of hard coding an ASN1_ITEM
+ * pointer in a structure.
+ *
+ * The structure will look like this:
+ *
+ * typedef struct SOMETHING_st {
+ *      ...
+ *      ASN1_ITEM_EXP *iptr;
+ *      ...
+ * } SOMETHING; 
+ *
+ * It would be initialised as e.g.:
+ *
+ * SOMETHING somevar = {...,ASN1_ITEM_ref(X509),...};
+ *
+ * and the actual pointer extracted with:
+ *
+ * const ASN1_ITEM *it = ASN1_ITEM_ptr(somevar.iptr);
+ *
+ * Finally an ASN1_ITEM pointer can be extracted from an
+ * appropriate reference with: ASN1_ITEM_rptr(X509). This
+ * would be used when a function takes an ASN1_ITEM * argument.
+ *
+ */
+
+#ifndef OPENSSL_EXPORT_VAR_AS_FUNCTION
+
+/* ASN1_ITEM pointer exported type */
+typedef const ASN1_ITEM ASN1_ITEM_EXP;
+
+/* Macro to obtain ASN1_ITEM pointer from exported type */
+#define ASN1_ITEM_ptr(iptr) (iptr)
+
+/* Macro to include ASN1_ITEM pointer from base type */
+#define ASN1_ITEM_ref(iptr) (&(iptr##_it))
+
+#define ASN1_ITEM_rptr(ref) (&(ref##_it))
+
+#define DECLARE_ASN1_ITEM(name) \
+        OPENSSL_EXTERN const ASN1_ITEM name##_it;
+
 #else
-typedef struct asn1_string_st ASN1_INTEGER;
-typedef struct asn1_string_st ASN1_ENUMERATED;
-typedef struct asn1_string_st ASN1_BIT_STRING;
-typedef struct asn1_string_st ASN1_OCTET_STRING;
-typedef struct asn1_string_st ASN1_PRINTABLESTRING;
-typedef struct asn1_string_st ASN1_T61STRING;
-typedef struct asn1_string_st ASN1_IA5STRING;
-typedef struct asn1_string_st ASN1_GENERALSTRING;
-typedef struct asn1_string_st ASN1_UNIVERSALSTRING;
-typedef struct asn1_string_st ASN1_BMPSTRING;
-typedef struct asn1_string_st ASN1_UTCTIME;
-typedef struct asn1_string_st ASN1_TIME;
-typedef struct asn1_string_st ASN1_GENERALIZEDTIME;
-typedef struct asn1_string_st ASN1_VISIBLESTRING;
-typedef struct asn1_string_st ASN1_UTF8STRING;
-typedef int ASN1_BOOLEAN;
-#endif
 
-typedef int ASN1_NULL;
+/* Platforms that can't easily handle shared global variables are declared
+ * as functions returning ASN1_ITEM pointers.
+ */
+
+/* ASN1_ITEM pointer exported type */
+typedef const ASN1_ITEM * ASN1_ITEM_EXP(void);
+
+/* Macro to obtain ASN1_ITEM pointer from exported type */
+#define ASN1_ITEM_ptr(iptr) (iptr())
+
+/* Macro to include ASN1_ITEM pointer from base type */
+#define ASN1_ITEM_ref(iptr) (iptr##_it)
+
+#define ASN1_ITEM_rptr(ref) (ref##_it())
+
+#define DECLARE_ASN1_ITEM(name) \
+        const ASN1_ITEM * name##_it(void);
+
+#endif
 
 /* Parameters used by ASN1_STRING_print_ex() */
 
@@ -340,6 +440,8 @@ typedef int ASN1_NULL;
 DECLARE_STACK_OF(ASN1_INTEGER)
 DECLARE_ASN1_SET_OF(ASN1_INTEGER)
 
+DECLARE_STACK_OF(ASN1_GENERALSTRING)
+
 typedef struct asn1_type_st
         {
         int type;
@@ -438,12 +540,11 @@ typedef struct BIT_STRING_BITNAME_st {
                 i2d_ASN1_bytes((ASN1_STRING *)a,pp,V_ASN1_OCTET_STRING,\
                 V_ASN1_UNIVERSAL)
 
-#define M_ASN1_PRINTABLE_new()  ASN1_STRING_type_new(V_ASN1_T61STRING)
-#define M_ASN1_PRINTABLE_free(a)        ASN1_STRING_free((ASN1_STRING *)a)
-#define M_i2d_ASN1_PRINTABLE(a,pp) i2d_ASN1_bytes((ASN1_STRING *)a,\
-                pp,a->type,V_ASN1_UNIVERSAL)
-#define M_d2i_ASN1_PRINTABLE(a,pp,l) \
-                d2i_ASN1_type_bytes((ASN1_STRING **)a,pp,l, \
+#define B_ASN1_TIME \
+                        B_ASN1_UTCTIME | \
+                        B_ASN1_GENERALIZEDTIME
+
+#define B_ASN1_PRINTABLE \
                         B_ASN1_PRINTABLESTRING| \
                         B_ASN1_T61STRING| \
                         B_ASN1_IA5STRING| \
@@ -451,7 +552,28 @@ typedef struct BIT_STRING_BITNAME_st {
                         B_ASN1_UNIVERSALSTRING|\
                         B_ASN1_BMPSTRING|\
                         B_ASN1_UTF8STRING|\
-                        B_ASN1_UNKNOWN)
+                        B_ASN1_UNKNOWN
+
+#define B_ASN1_DIRECTORYSTRING \
+                        B_ASN1_PRINTABLESTRING| \
+                        B_ASN1_TELETEXSTRING|\
+                        B_ASN1_BMPSTRING|\
+                        B_ASN1_UNIVERSALSTRING|\
+                        B_ASN1_UTF8STRING
+
+#define B_ASN1_DISPLAYTEXT \
+                        B_ASN1_IA5STRING| \
+                        B_ASN1_VISIBLESTRING| \
+                        B_ASN1_BMPSTRING|\
+                        B_ASN1_UTF8STRING
+
+#define M_ASN1_PRINTABLE_new()  ASN1_STRING_type_new(V_ASN1_T61STRING)
+#define M_ASN1_PRINTABLE_free(a)        ASN1_STRING_free((ASN1_STRING *)a)
+#define M_i2d_ASN1_PRINTABLE(a,pp) i2d_ASN1_bytes((ASN1_STRING *)a,\
+                pp,a->type,V_ASN1_UNIVERSAL)
+#define M_d2i_ASN1_PRINTABLE(a,pp,l) \
+                d2i_ASN1_type_bytes((ASN1_STRING **)a,pp,l, \
+                        B_ASN1_PRINTABLE)
 
 #define M_DIRECTORYSTRING_new() ASN1_STRING_type_new(V_ASN1_PRINTABLESTRING)
 #define M_DIRECTORYSTRING_free(a)       ASN1_STRING_free((ASN1_STRING *)a)
@@ -459,11 +581,7 @@ typedef struct BIT_STRING_BITNAME_st {
                                                 pp,a->type,V_ASN1_UNIVERSAL)
 #define M_d2i_DIRECTORYSTRING(a,pp,l) \
                 d2i_ASN1_type_bytes((ASN1_STRING **)a,pp,l, \
-                        B_ASN1_PRINTABLESTRING| \
-                        B_ASN1_TELETEXSTRING|\
-                        B_ASN1_BMPSTRING|\
-                        B_ASN1_UNIVERSALSTRING|\
-                        B_ASN1_UTF8STRING)
+                        B_ASN1_DIRECTORYSTRING)
 
 #define M_DISPLAYTEXT_new() ASN1_STRING_type_new(V_ASN1_VISIBLESTRING)
 #define M_DISPLAYTEXT_free(a) ASN1_STRING_free((ASN1_STRING *)a)
@@ -471,9 +589,7 @@ typedef struct BIT_STRING_BITNAME_st {
                                                 pp,a->type,V_ASN1_UNIVERSAL)
 #define M_d2i_DISPLAYTEXT(a,pp,l) \
                 d2i_ASN1_type_bytes((ASN1_STRING **)a,pp,l, \
-                        B_ASN1_VISIBLESTRING| \
-                        B_ASN1_BMPSTRING|\
-                        B_ASN1_UTF8STRING)
+                        B_ASN1_DISPLAYTEXT)
 
 #define M_ASN1_PRINTABLESTRING_new() (ASN1_PRINTABLESTRING *)\
                 ASN1_STRING_type_new(V_ASN1_PRINTABLESTRING)
@@ -577,10 +693,8 @@ typedef struct BIT_STRING_BITNAME_st {
 #define IS_SEQUENCE     0
 #define IS_SET          1
 
-ASN1_TYPE *     ASN1_TYPE_new(void );
-void            ASN1_TYPE_free(ASN1_TYPE *a);
-int             i2d_ASN1_TYPE(ASN1_TYPE *a,unsigned char **pp);
-ASN1_TYPE *     d2i_ASN1_TYPE(ASN1_TYPE **a,unsigned char **pp,long length);
+DECLARE_ASN1_FUNCTIONS_fname(ASN1_TYPE, ASN1_ANY, ASN1_TYPE)
+
 int ASN1_TYPE_get(ASN1_TYPE *a);
 void ASN1_TYPE_set(ASN1_TYPE *a, int type, void *value);
 
@@ -592,6 +706,8 @@ ASN1_OBJECT *	c2i_ASN1_OBJECT(ASN1_OBJECT **a,unsigned char **pp,
 ASN1_OBJECT *   d2i_ASN1_OBJECT(ASN1_OBJECT **a,unsigned char **pp,
                         long length);
 
+DECLARE_ASN1_ITEM(ASN1_OBJECT)
+
 DECLARE_STACK_OF(ASN1_OBJECT)
 DECLARE_ASN1_SET_OF(ASN1_OBJECT)
 
@@ -608,12 +724,8 @@ void ASN1_STRING_length_set(ASN1_STRING *x, int n);
 int ASN1_STRING_type(ASN1_STRING *x);
 unsigned char * ASN1_STRING_data(ASN1_STRING *x);
 
-ASN1_BIT_STRING *       ASN1_BIT_STRING_new(void);
-void            ASN1_BIT_STRING_free(ASN1_BIT_STRING *a);
-int             i2d_ASN1_BIT_STRING(ASN1_BIT_STRING *a,unsigned char **pp);
+DECLARE_ASN1_FUNCTIONS(ASN1_BIT_STRING)
 int             i2c_ASN1_BIT_STRING(ASN1_BIT_STRING *a,unsigned char **pp);
-ASN1_BIT_STRING *d2i_ASN1_BIT_STRING(ASN1_BIT_STRING **a,unsigned char **pp,
-                        long length);
 ASN1_BIT_STRING *c2i_ASN1_BIT_STRING(ASN1_BIT_STRING **a,unsigned char **pp,
                         long length);
 int             ASN1_BIT_STRING_set(ASN1_BIT_STRING *a, unsigned char *d,
@@ -621,7 +733,7 @@ int		ASN1_BIT_STRING_set(ASN1_BIT_STRING *a, unsigned char *d,
 int             ASN1_BIT_STRING_set_bit(ASN1_BIT_STRING *a, int n, int value);
 int             ASN1_BIT_STRING_get_bit(ASN1_BIT_STRING *a, int n);
 
-#ifndef NO_BIO
+#ifndef OPENSSL_NO_BIO
 int ASN1_BIT_STRING_name_print(BIO *out, ASN1_BIT_STRING *bs,
                                 BIT_STRING_BITNAME *tbl, int indent);
 #endif
@@ -632,12 +744,8 @@ int ASN1_BIT_STRING_set_asc(ASN1_BIT_STRING *bs, char *name, int value,
 int             i2d_ASN1_BOOLEAN(int a,unsigned char **pp);
 int             d2i_ASN1_BOOLEAN(int *a,unsigned char **pp,long length);
 
-ASN1_INTEGER *  ASN1_INTEGER_new(void);
-void            ASN1_INTEGER_free(ASN1_INTEGER *a);
-int             i2d_ASN1_INTEGER(ASN1_INTEGER *a,unsigned char **pp);
+DECLARE_ASN1_FUNCTIONS(ASN1_INTEGER)
 int             i2c_ASN1_INTEGER(ASN1_INTEGER *a,unsigned char **pp);
-ASN1_INTEGER *d2i_ASN1_INTEGER(ASN1_INTEGER **a,unsigned char **pp,
-                        long length);
 ASN1_INTEGER *c2i_ASN1_INTEGER(ASN1_INTEGER **a,unsigned char **pp,
                         long length);
 ASN1_INTEGER *d2i_ASN1_UINTEGER(ASN1_INTEGER **a,unsigned char **pp,
@@ -645,11 +753,7 @@ ASN1_INTEGER *d2i_ASN1_UINTEGER(ASN1_INTEGER **a,unsigned char **pp,
 ASN1_INTEGER *  ASN1_INTEGER_dup(ASN1_INTEGER *x);
 int ASN1_INTEGER_cmp(ASN1_INTEGER *x, ASN1_INTEGER *y);
 
-ASN1_ENUMERATED *       ASN1_ENUMERATED_new(void);
-void            ASN1_ENUMERATED_free(ASN1_ENUMERATED *a);
-int             i2d_ASN1_ENUMERATED(ASN1_ENUMERATED *a,unsigned char **pp);
-ASN1_ENUMERATED *d2i_ASN1_ENUMERATED(ASN1_ENUMERATED **a,unsigned char **pp,
-                        long length);
+DECLARE_ASN1_FUNCTIONS(ASN1_ENUMERATED)
 
 int ASN1_UTCTIME_check(ASN1_UTCTIME *a);
 ASN1_UTCTIME *ASN1_UTCTIME_set(ASN1_UTCTIME *s,time_t t);
@@ -663,91 +767,34 @@ int ASN1_GENERALIZEDTIME_check(ASN1_GENERALIZEDTIME *a);
 ASN1_GENERALIZEDTIME *ASN1_GENERALIZEDTIME_set(ASN1_GENERALIZEDTIME *s,time_t t);
 int ASN1_GENERALIZEDTIME_set_string(ASN1_GENERALIZEDTIME *s, char *str); 
 
-ASN1_OCTET_STRING *     ASN1_OCTET_STRING_new(void);
-void            ASN1_OCTET_STRING_free(ASN1_OCTET_STRING *a);
-int             i2d_ASN1_OCTET_STRING(ASN1_OCTET_STRING *a,unsigned char **pp);
-ASN1_OCTET_STRING *d2i_ASN1_OCTET_STRING(ASN1_OCTET_STRING **a,
-                        unsigned char **pp,long length);
+DECLARE_ASN1_FUNCTIONS(ASN1_OCTET_STRING)
 ASN1_OCTET_STRING *     ASN1_OCTET_STRING_dup(ASN1_OCTET_STRING *a);
 int     ASN1_OCTET_STRING_cmp(ASN1_OCTET_STRING *a, ASN1_OCTET_STRING *b);
 int     ASN1_OCTET_STRING_set(ASN1_OCTET_STRING *str, unsigned char *data, int len);
 
-ASN1_VISIBLESTRING *    ASN1_VISIBLESTRING_new(void);
-void            ASN1_VISIBLESTRING_free(ASN1_VISIBLESTRING *a);
-int     i2d_ASN1_VISIBLESTRING(ASN1_VISIBLESTRING *a,unsigned char **pp);
-ASN1_VISIBLESTRING *d2i_ASN1_VISIBLESTRING(ASN1_VISIBLESTRING **a,
-                        unsigned char **pp,long length);
-
-ASN1_UTF8STRING *       ASN1_UTF8STRING_new(void);
-void            ASN1_UTF8STRING_free(ASN1_UTF8STRING *a);
-int             i2d_ASN1_UTF8STRING(ASN1_UTF8STRING *a,unsigned char **pp);
-ASN1_UTF8STRING *d2i_ASN1_UTF8STRING(ASN1_UTF8STRING **a,
-                        unsigned char **pp,long length);
-
-ASN1_NULL *     ASN1_NULL_new(void);
-void            ASN1_NULL_free(ASN1_NULL *a);
-int             i2d_ASN1_NULL(ASN1_NULL *a,unsigned char **pp);
-ASN1_NULL *d2i_ASN1_NULL(ASN1_NULL **a, unsigned char **pp,long length);
-
-ASN1_BMPSTRING *        ASN1_BMPSTRING_new(void);
-void            ASN1_BMPSTRING_free(ASN1_BMPSTRING *a);
-int i2d_ASN1_BMPSTRING(ASN1_BMPSTRING *a, unsigned char **pp);
-ASN1_BMPSTRING *d2i_ASN1_BMPSTRING(ASN1_BMPSTRING **a, unsigned char **pp,
-        long length);
-
+DECLARE_ASN1_FUNCTIONS(ASN1_VISIBLESTRING)
+DECLARE_ASN1_FUNCTIONS(ASN1_UTF8STRING)
+DECLARE_ASN1_FUNCTIONS(ASN1_NULL)
+DECLARE_ASN1_FUNCTIONS(ASN1_BMPSTRING)
 
 int UTF8_getc(const unsigned char *str, int len, unsigned long *val);
 int UTF8_putc(unsigned char *str, int len, unsigned long value);
 
-int i2d_ASN1_PRINTABLE(ASN1_STRING *a,unsigned char **pp);
-ASN1_STRING *d2i_ASN1_PRINTABLE(ASN1_STRING **a,
-        unsigned char **pp, long l);
-
-ASN1_PRINTABLESTRING *  ASN1_PRINTABLESTRING_new(void);
-void            ASN1_PRINTABLESTRING_free(ASN1_PRINTABLESTRING *a);
-ASN1_PRINTABLESTRING *d2i_ASN1_PRINTABLESTRING(ASN1_PRINTABLESTRING **a,
-        unsigned char **pp, long l);
-int i2d_ASN1_PRINTABLESTRING(ASN1_PRINTABLESTRING *a, unsigned char **pp);
-
-ASN1_STRING *   DIRECTORYSTRING_new(void);
-void            DIRECTORYSTRING_free(ASN1_STRING *a);
-int     i2d_DIRECTORYSTRING(ASN1_STRING *a,unsigned char **pp);
-ASN1_STRING *d2i_DIRECTORYSTRING(ASN1_STRING **a, unsigned char **pp,
-                                                                 long length);
-
-ASN1_STRING *   DISPLAYTEXT_new(void);
-void            DISPLAYTEXT_free(ASN1_STRING *a);
-int     i2d_DISPLAYTEXT(ASN1_STRING *a,unsigned char **pp);
-ASN1_STRING *d2i_DISPLAYTEXT(ASN1_STRING **a, unsigned char **pp, long length);
-
-ASN1_T61STRING *        ASN1_T61STRING_new(void);
-void            ASN1_T61STRING_free(ASN1_IA5STRING *a);
-ASN1_T61STRING *d2i_ASN1_T61STRING(ASN1_T61STRING **a,
-        unsigned char **pp, long l);
-
-ASN1_IA5STRING *        ASN1_IA5STRING_new(void);
-void            ASN1_IA5STRING_free(ASN1_IA5STRING *a);
-int i2d_ASN1_IA5STRING(ASN1_IA5STRING *a,unsigned char **pp);
-ASN1_IA5STRING *d2i_ASN1_IA5STRING(ASN1_IA5STRING **a,
-        unsigned char **pp, long l);
-
-ASN1_UTCTIME *  ASN1_UTCTIME_new(void);
-void            ASN1_UTCTIME_free(ASN1_UTCTIME *a);
-int             i2d_ASN1_UTCTIME(ASN1_UTCTIME *a,unsigned char **pp);
-ASN1_UTCTIME *  d2i_ASN1_UTCTIME(ASN1_UTCTIME **a,unsigned char **pp,
-                        long length);
+DECLARE_ASN1_FUNCTIONS_name(ASN1_STRING, ASN1_PRINTABLE)
 
-ASN1_GENERALIZEDTIME *  ASN1_GENERALIZEDTIME_new(void);
-void            ASN1_GENERALIZEDTIME_free(ASN1_GENERALIZEDTIME *a);
-int             i2d_ASN1_GENERALIZEDTIME(ASN1_GENERALIZEDTIME *a,unsigned char **pp);
-ASN1_GENERALIZEDTIME *  d2i_ASN1_GENERALIZEDTIME(ASN1_GENERALIZEDTIME **a,unsigned char **pp,
-                        long length);
+DECLARE_ASN1_FUNCTIONS_name(ASN1_STRING, DIRECTORYSTRING)
+DECLARE_ASN1_FUNCTIONS_name(ASN1_STRING, DISPLAYTEXT)
+DECLARE_ASN1_FUNCTIONS(ASN1_PRINTABLESTRING)
+DECLARE_ASN1_FUNCTIONS(ASN1_T61STRING)
+DECLARE_ASN1_FUNCTIONS(ASN1_IA5STRING)
+DECLARE_ASN1_FUNCTIONS(ASN1_GENERALSTRING)
+DECLARE_ASN1_FUNCTIONS(ASN1_UTCTIME)
+DECLARE_ASN1_FUNCTIONS(ASN1_GENERALIZEDTIME)
+DECLARE_ASN1_FUNCTIONS(ASN1_TIME)
 
-ASN1_TIME *     ASN1_TIME_new(void);
-void            ASN1_TIME_free(ASN1_TIME *a);
-int             i2d_ASN1_TIME(ASN1_TIME *a,unsigned char **pp);
-ASN1_TIME *     d2i_ASN1_TIME(ASN1_TIME **a,unsigned char **pp, long length);
 ASN1_TIME *ASN1_TIME_set(ASN1_TIME *s,time_t t);
+int ASN1_TIME_check(ASN1_TIME *t);
+ASN1_GENERALIZEDTIME *ASN1_TIME_to_generalizedtime(ASN1_TIME *t, ASN1_GENERALIZEDTIME **out);
 
 int             i2d_ASN1_SET(STACK *a, unsigned char **pp,
                         int (*func)(), int ex_tag, int ex_class, int is_set);
@@ -755,7 +802,7 @@ STACK *		d2i_ASN1_SET(STACK **a, unsigned char **pp, long length,
                         char *(*func)(), void (*free_func)(void *),
                         int ex_tag, int ex_class);
 
-#ifndef NO_BIO
+#ifndef OPENSSL_NO_BIO
 int i2a_ASN1_INTEGER(BIO *bp, ASN1_INTEGER *a);
 int a2i_ASN1_INTEGER(BIO *bp,ASN1_INTEGER *bs,char *buf,int size);
 int i2a_ASN1_ENUMERATED(BIO *bp, ASN1_ENUMERATED *a);
@@ -768,7 +815,7 @@ int i2t_ASN1_OBJECT(char *buf,int buf_len,ASN1_OBJECT *a);
 
 int a2d_ASN1_OBJECT(unsigned char *out,int olen, const char *buf, int num);
 ASN1_OBJECT *ASN1_OBJECT_create(int nid, unsigned char *data,int len,
-        char *sn, char *ln);
+        const char *sn, const char *ln);
 
 int ASN1_INTEGER_set(ASN1_INTEGER *a, long v);
 long ASN1_INTEGER_get(ASN1_INTEGER *a);
@@ -787,6 +834,7 @@ int ASN1_PRINTABLE_type(unsigned char *s, int max);
 int i2d_ASN1_bytes(ASN1_STRING *a, unsigned char **pp, int tag, int xclass);
 ASN1_STRING *d2i_ASN1_bytes(ASN1_STRING **a, unsigned char **pp,
         long length, int Ptag, int Pclass);
+unsigned long ASN1_tag2bit(int tag);
 /* type is one or more of the B_ASN1_ values. */
 ASN1_STRING *d2i_ASN1_type_bytes(ASN1_STRING **a,unsigned char **pp,
                 long length,int type);
@@ -805,17 +853,23 @@ int ASN1_object_size(int constructed, int length, int tag);
 /* Used to implement other functions */
 char *ASN1_dup(int (*i2d)(),char *(*d2i)(),char *x);
 
-#ifndef NO_FP_API
+void *ASN1_item_dup(const ASN1_ITEM *it, void *x);
+
+#ifndef OPENSSL_NO_FP_API
 char *ASN1_d2i_fp(char *(*xnew)(),char *(*d2i)(),FILE *fp,unsigned char **x);
+void *ASN1_item_d2i_fp(const ASN1_ITEM *it, FILE *in, void *x);
 int ASN1_i2d_fp(int (*i2d)(),FILE *out,unsigned char *x);
+int ASN1_item_i2d_fp(const ASN1_ITEM *it, FILE *out, void *x);
 int ASN1_STRING_print_ex_fp(FILE *fp, ASN1_STRING *str, unsigned long flags);
 #endif
 
 int ASN1_STRING_to_UTF8(unsigned char **out, ASN1_STRING *in);
 
-#ifndef NO_BIO
+#ifndef OPENSSL_NO_BIO
 char *ASN1_d2i_bio(char *(*xnew)(),char *(*d2i)(),BIO *bp,unsigned char **x);
+void *ASN1_item_d2i_bio(const ASN1_ITEM *it, BIO *in, void *x);
 int ASN1_i2d_bio(int (*i2d)(),BIO *out,unsigned char *x);
+int ASN1_item_i2d_bio(const ASN1_ITEM *it, BIO *out, void *x);
 int ASN1_UTCTIME_print(BIO *fp,ASN1_UTCTIME *a);
 int ASN1_GENERALIZEDTIME_print(BIO *fp,ASN1_GENERALIZEDTIME *a);
 int ASN1_TIME_print(BIO *fp,ASN1_TIME *a);
@@ -834,8 +888,6 @@ void ASN1_HEADER_free(ASN1_HEADER *a);
 
 int ASN1_UNIVERSALSTRING_to_string(ASN1_UNIVERSALSTRING *s);
 
-void ERR_load_ASN1_strings(void);
-
 /* Not used that much at this point, except for the first two */
 ASN1_METHOD *X509_asn1_meth(void);
 ASN1_METHOD *RSAPrivateKey_asn1_meth(void);
@@ -856,7 +908,9 @@ STACK *ASN1_seq_unpack(unsigned char *buf, int len, char *(*d2i)(),
 unsigned char *ASN1_seq_pack(STACK *safes, int (*i2d)(), unsigned char **buf,
                              int *len );
 void *ASN1_unpack_string(ASN1_STRING *oct, char *(*d2i)());
+void *ASN1_item_unpack(ASN1_STRING *oct, const ASN1_ITEM *it);
 ASN1_STRING *ASN1_pack_string(void *obj, int (*i2d)(), ASN1_OCTET_STRING **oct);
+ASN1_STRING *ASN1_item_pack(void *obj, const ASN1_ITEM *it, ASN1_OCTET_STRING **oct);
 
 void ASN1_STRING_set_default_mask(unsigned long mask);
 int ASN1_STRING_set_default_mask_asc(char *p);
@@ -873,279 +927,177 @@ ASN1_STRING_TABLE *ASN1_STRING_TABLE_get(int nid);
 int ASN1_STRING_TABLE_add(int, long, long, unsigned long, unsigned long);
 void ASN1_STRING_TABLE_cleanup(void);
 
+/* ASN1 template functions */
+
+/* Old API compatible functions */
+ASN1_VALUE *ASN1_item_new(const ASN1_ITEM *it);
+void ASN1_item_free(ASN1_VALUE *val, const ASN1_ITEM *it);
+ASN1_VALUE * ASN1_item_d2i(ASN1_VALUE **val, unsigned char **in, long len, const ASN1_ITEM *it);
+int ASN1_item_i2d(ASN1_VALUE *val, unsigned char **out, const ASN1_ITEM *it);
+
+void ASN1_add_oid_module(void);
+
 /* BEGIN ERROR CODES */
 /* The following lines are auto generated by the script mkerr.pl. Any changes
  * made after this point may be overwritten when the script is next run.
  */
+void ERR_load_ASN1_strings(void);
 
 /* Error codes for the ASN1 functions. */
 
 /* Function codes. */
 #define ASN1_F_A2D_ASN1_OBJECT                           100
-#define ASN1_F_A2I_ASN1_ENUMERATED                       236
-#define ASN1_F_A2I_ASN1_INTEGER                          101
-#define ASN1_F_A2I_ASN1_STRING                           102
-#define ASN1_F_ACCESS_DESCRIPTION_NEW                    291
-#define ASN1_F_ASN1_COLLATE_PRIMITIVE                    103
-#define ASN1_F_ASN1_D2I_BIO                              104
-#define ASN1_F_ASN1_D2I_FP                               105
-#define ASN1_F_ASN1_DUP                                  106
-#define ASN1_F_ASN1_ENUMERATED_SET                       232
-#define ASN1_F_ASN1_ENUMERATED_TO_BN                     233
-#define ASN1_F_ASN1_GENERALIZEDTIME_NEW                  222
-#define ASN1_F_ASN1_GET_OBJECT                           107
-#define ASN1_F_ASN1_HEADER_NEW                           108
-#define ASN1_F_ASN1_I2D_BIO                              109
-#define ASN1_F_ASN1_I2D_FP                               110
-#define ASN1_F_ASN1_INTEGER_SET                          111
-#define ASN1_F_ASN1_INTEGER_TO_BN                        112
-#define ASN1_F_ASN1_MBSTRING_COPY                        282
-#define ASN1_F_ASN1_OBJECT_NEW                           113
-#define ASN1_F_ASN1_PACK_STRING                          245
-#define ASN1_F_ASN1_PBE_SET                              253
-#define ASN1_F_ASN1_SEQ_PACK                             246
-#define ASN1_F_ASN1_SEQ_UNPACK                           247
-#define ASN1_F_ASN1_SIGN                                 114
-#define ASN1_F_ASN1_STRING_NEW                           115
-#define ASN1_F_ASN1_STRING_TABLE_ADD                     283
-#define ASN1_F_ASN1_STRING_TYPE_NEW                      116
-#define ASN1_F_ASN1_TYPE_GET_INT_OCTETSTRING             117
-#define ASN1_F_ASN1_TYPE_GET_OCTETSTRING                 118
-#define ASN1_F_ASN1_TYPE_NEW                             119
-#define ASN1_F_ASN1_UNPACK_STRING                        248
-#define ASN1_F_ASN1_UTCTIME_NEW                          120
-#define ASN1_F_ASN1_VERIFY                               121
-#define ASN1_F_AUTHORITY_KEYID_NEW                       237
-#define ASN1_F_BASIC_CONSTRAINTS_NEW                     226
-#define ASN1_F_BN_TO_ASN1_ENUMERATED                     234
-#define ASN1_F_BN_TO_ASN1_INTEGER                        122
-#define ASN1_F_D2I_ACCESS_DESCRIPTION                    284
-#define ASN1_F_D2I_ASN1_BIT_STRING                       123
-#define ASN1_F_D2I_ASN1_BMPSTRING                        124
-#define ASN1_F_D2I_ASN1_BOOLEAN                          125
-#define ASN1_F_D2I_ASN1_BYTES                            126
-#define ASN1_F_D2I_ASN1_ENUMERATED                       235
-#define ASN1_F_D2I_ASN1_GENERALIZEDTIME                  223
-#define ASN1_F_D2I_ASN1_HEADER                           127
-#define ASN1_F_D2I_ASN1_INTEGER                          128
-#define ASN1_F_D2I_ASN1_NULL                             292
-#define ASN1_F_D2I_ASN1_OBJECT                           129
-#define ASN1_F_D2I_ASN1_OCTET_STRING                     130
-#define ASN1_F_D2I_ASN1_PRINT_TYPE                       131
-#define ASN1_F_D2I_ASN1_SET                              132
-#define ASN1_F_D2I_ASN1_TIME                             224
-#define ASN1_F_D2I_ASN1_TYPE                             133
-#define ASN1_F_D2I_ASN1_TYPE_BYTES                       134
-#define ASN1_F_D2I_ASN1_UINTEGER                         280
-#define ASN1_F_D2I_ASN1_UTCTIME                          135
-#define ASN1_F_D2I_ASN1_UTF8STRING                       266
-#define ASN1_F_D2I_ASN1_VISIBLESTRING                    267
-#define ASN1_F_D2I_AUTHORITY_KEYID                       238
-#define ASN1_F_D2I_BASIC_CONSTRAINTS                     227
-#define ASN1_F_D2I_DHPARAMS                              136
-#define ASN1_F_D2I_DIST_POINT                            276
-#define ASN1_F_D2I_DIST_POINT_NAME                       277
-#define ASN1_F_D2I_DSAPARAMS                             137
-#define ASN1_F_D2I_DSAPRIVATEKEY                         138
-#define ASN1_F_D2I_DSAPUBLICKEY                          139
-#define ASN1_F_D2I_GENERAL_NAME                          230
-#define ASN1_F_D2I_NETSCAPE_CERT_SEQUENCE                228
-#define ASN1_F_D2I_NETSCAPE_PKEY                         140
-#define ASN1_F_D2I_NETSCAPE_RSA                          141
-#define ASN1_F_D2I_NETSCAPE_RSA_2                        142
-#define ASN1_F_D2I_NETSCAPE_SPKAC                        143
-#define ASN1_F_D2I_NETSCAPE_SPKI                         144
-#define ASN1_F_D2I_NOTICEREF                             268
-#define ASN1_F_D2I_OTHERNAME                             287
-#define ASN1_F_D2I_PBE2PARAM                             262
-#define ASN1_F_D2I_PBEPARAM                              249
-#define ASN1_F_D2I_PBKDF2PARAM                           263
-#define ASN1_F_D2I_PKCS12                                254
-#define ASN1_F_D2I_PKCS12_BAGS                           255
-#define ASN1_F_D2I_PKCS12_MAC_DATA                       256
-#define ASN1_F_D2I_PKCS12_SAFEBAG                        257
-#define ASN1_F_D2I_PKCS7                                 145
-#define ASN1_F_D2I_PKCS7_DIGEST                          146
-#define ASN1_F_D2I_PKCS7_ENCRYPT                         147
-#define ASN1_F_D2I_PKCS7_ENC_CONTENT                     148
-#define ASN1_F_D2I_PKCS7_ENVELOPE                        149
-#define ASN1_F_D2I_PKCS7_ISSUER_AND_SERIAL               150
-#define ASN1_F_D2I_PKCS7_RECIP_INFO                      151
-#define ASN1_F_D2I_PKCS7_SIGNED                          152
-#define ASN1_F_D2I_PKCS7_SIGNER_INFO                     153
-#define ASN1_F_D2I_PKCS7_SIGN_ENVELOPE                   154
-#define ASN1_F_D2I_PKCS8_PRIV_KEY_INFO                   250
-#define ASN1_F_D2I_PKEY_USAGE_PERIOD                     239
-#define ASN1_F_D2I_POLICYINFO                            269
-#define ASN1_F_D2I_POLICYQUALINFO                        270
-#define ASN1_F_D2I_PRIVATEKEY                            155
-#define ASN1_F_D2I_PUBLICKEY                             156
-#define ASN1_F_D2I_RSAPRIVATEKEY                         157
-#define ASN1_F_D2I_RSAPUBLICKEY                          158
-#define ASN1_F_D2I_SXNET                                 241
-#define ASN1_F_D2I_SXNETID                               243
-#define ASN1_F_D2I_USERNOTICE                            271
-#define ASN1_F_D2I_X509                                  159
-#define ASN1_F_D2I_X509_ALGOR                            160
-#define ASN1_F_D2I_X509_ATTRIBUTE                        161
-#define ASN1_F_D2I_X509_CERT_AUX                         285
-#define ASN1_F_D2I_X509_CINF                             162
-#define ASN1_F_D2I_X509_CRL                              163
-#define ASN1_F_D2I_X509_CRL_INFO                         164
-#define ASN1_F_D2I_X509_EXTENSION                        165
-#define ASN1_F_D2I_X509_KEY                              166
-#define ASN1_F_D2I_X509_NAME                             167
-#define ASN1_F_D2I_X509_NAME_ENTRY                       168
-#define ASN1_F_D2I_X509_PKEY                             169
-#define ASN1_F_D2I_X509_PUBKEY                           170
-#define ASN1_F_D2I_X509_REQ                              171
-#define ASN1_F_D2I_X509_REQ_INFO                         172
-#define ASN1_F_D2I_X509_REVOKED                          173
-#define ASN1_F_D2I_X509_SIG                              174
-#define ASN1_F_D2I_X509_VAL                              175
-#define ASN1_F_DIST_POINT_NAME_NEW                       278
-#define ASN1_F_DIST_POINT_NEW                            279
-#define ASN1_F_GENERAL_NAME_NEW                          231
-#define ASN1_F_I2D_ASN1_HEADER                           176
-#define ASN1_F_I2D_ASN1_TIME                             225
-#define ASN1_F_I2D_DHPARAMS                              177
-#define ASN1_F_I2D_DSAPARAMS                             178
-#define ASN1_F_I2D_DSAPRIVATEKEY                         179
-#define ASN1_F_I2D_DSAPUBLICKEY                          180
-#define ASN1_F_I2D_DSA_PUBKEY                            290
-#define ASN1_F_I2D_NETSCAPE_RSA                          181
-#define ASN1_F_I2D_PKCS7                                 182
-#define ASN1_F_I2D_PRIVATEKEY                            183
-#define ASN1_F_I2D_PUBLICKEY                             184
-#define ASN1_F_I2D_RSAPRIVATEKEY                         185
-#define ASN1_F_I2D_RSAPUBLICKEY                          186
-#define ASN1_F_I2D_RSA_PUBKEY                            289
-#define ASN1_F_I2D_X509_ATTRIBUTE                        187
-#define ASN1_F_I2T_ASN1_OBJECT                           188
-#define ASN1_F_NETSCAPE_CERT_SEQUENCE_NEW                229
-#define ASN1_F_NETSCAPE_PKEY_NEW                         189
-#define ASN1_F_NETSCAPE_SPKAC_NEW                        190
-#define ASN1_F_NETSCAPE_SPKI_NEW                         191
-#define ASN1_F_NOTICEREF_NEW                             272
-#define ASN1_F_OTHERNAME_NEW                             288
-#define ASN1_F_PBE2PARAM_NEW                             264
-#define ASN1_F_PBEPARAM_NEW                              251
-#define ASN1_F_PBKDF2PARAM_NEW                           265
-#define ASN1_F_PKCS12_BAGS_NEW                           258
-#define ASN1_F_PKCS12_MAC_DATA_NEW                       259
-#define ASN1_F_PKCS12_NEW                                260
-#define ASN1_F_PKCS12_SAFEBAG_NEW                        261
-#define ASN1_F_PKCS5_PBE2_SET                            281
-#define ASN1_F_PKCS7_DIGEST_NEW                          192
-#define ASN1_F_PKCS7_ENCRYPT_NEW                         193
-#define ASN1_F_PKCS7_ENC_CONTENT_NEW                     194
-#define ASN1_F_PKCS7_ENVELOPE_NEW                        195
-#define ASN1_F_PKCS7_ISSUER_AND_SERIAL_NEW               196
-#define ASN1_F_PKCS7_NEW                                 197
-#define ASN1_F_PKCS7_RECIP_INFO_NEW                      198
-#define ASN1_F_PKCS7_SIGNED_NEW                          199
-#define ASN1_F_PKCS7_SIGNER_INFO_NEW                     200
-#define ASN1_F_PKCS7_SIGN_ENVELOPE_NEW                   201
-#define ASN1_F_PKCS8_PRIV_KEY_INFO_NEW                   252
-#define ASN1_F_PKEY_USAGE_PERIOD_NEW                     240
-#define ASN1_F_POLICYINFO_NEW                            273
-#define ASN1_F_POLICYQUALINFO_NEW                        274
-#define ASN1_F_SXNETID_NEW                               244
-#define ASN1_F_SXNET_NEW                                 242
-#define ASN1_F_USERNOTICE_NEW                            275
-#define ASN1_F_X509_ALGOR_NEW                            202
-#define ASN1_F_X509_ATTRIBUTE_NEW                        203
-#define ASN1_F_X509_CERT_AUX_NEW                         286
-#define ASN1_F_X509_CINF_NEW                             204
-#define ASN1_F_X509_CRL_INFO_NEW                         205
-#define ASN1_F_X509_CRL_NEW                              206
-#define ASN1_F_X509_DHPARAMS_NEW                         207
-#define ASN1_F_X509_EXTENSION_NEW                        208
-#define ASN1_F_X509_INFO_NEW                             209
-#define ASN1_F_X509_KEY_NEW                              210
-#define ASN1_F_X509_NAME_ENTRY_NEW                       211
-#define ASN1_F_X509_NAME_NEW                             212
-#define ASN1_F_X509_NEW                                  213
-#define ASN1_F_X509_PKEY_NEW                             214
-#define ASN1_F_X509_PUBKEY_NEW                           215
-#define ASN1_F_X509_REQ_INFO_NEW                         216
-#define ASN1_F_X509_REQ_NEW                              217
-#define ASN1_F_X509_REVOKED_NEW                          218
-#define ASN1_F_X509_SIG_NEW                              219
-#define ASN1_F_X509_VAL_FREE                             220
-#define ASN1_F_X509_VAL_NEW                              221
+#define ASN1_F_A2I_ASN1_ENUMERATED                       101
+#define ASN1_F_A2I_ASN1_INTEGER                          102
+#define ASN1_F_A2I_ASN1_STRING                           103
+#define ASN1_F_ASN1_CHECK_TLEN                           104
+#define ASN1_F_ASN1_COLLATE_PRIMITIVE                    105
+#define ASN1_F_ASN1_COLLECT                              106
+#define ASN1_F_ASN1_D2I_BIO                              107
+#define ASN1_F_ASN1_D2I_EX_PRIMITIVE                     108
+#define ASN1_F_ASN1_D2I_FP                               109
+#define ASN1_F_ASN1_DO_ADB                               110
+#define ASN1_F_ASN1_DUP                                  111
+#define ASN1_F_ASN1_ENUMERATED_SET                       112
+#define ASN1_F_ASN1_ENUMERATED_TO_BN                     113
+#define ASN1_F_ASN1_GET_OBJECT                           114
+#define ASN1_F_ASN1_HEADER_NEW                           115
+#define ASN1_F_ASN1_I2D_BIO                              116
+#define ASN1_F_ASN1_I2D_FP                               117
+#define ASN1_F_ASN1_INTEGER_SET                          118
+#define ASN1_F_ASN1_INTEGER_TO_BN                        119
+#define ASN1_F_ASN1_ITEM_EX_D2I                          120
+#define ASN1_F_ASN1_ITEM_NEW                             121
+#define ASN1_F_ASN1_MBSTRING_COPY                        122
+#define ASN1_F_ASN1_OBJECT_NEW                           123
+#define ASN1_F_ASN1_PACK_STRING                          124
+#define ASN1_F_ASN1_PBE_SET                              125
+#define ASN1_F_ASN1_SEQ_PACK                             126
+#define ASN1_F_ASN1_SEQ_UNPACK                           127
+#define ASN1_F_ASN1_SIGN                                 128
+#define ASN1_F_ASN1_STRING_TABLE_ADD                     129
+#define ASN1_F_ASN1_STRING_TYPE_NEW                      130
+#define ASN1_F_ASN1_TEMPLATE_D2I                         131
+#define ASN1_F_ASN1_TEMPLATE_EX_D2I                      132
+#define ASN1_F_ASN1_TEMPLATE_NEW                         133
+#define ASN1_F_ASN1_TYPE_GET_INT_OCTETSTRING             134
+#define ASN1_F_ASN1_TYPE_GET_OCTETSTRING                 135
+#define ASN1_F_ASN1_UNPACK_STRING                        136
+#define ASN1_F_ASN1_VERIFY                               137
+#define ASN1_F_BN_TO_ASN1_ENUMERATED                     138
+#define ASN1_F_BN_TO_ASN1_INTEGER                        139
+#define ASN1_F_COLLECT_DATA                              140
+#define ASN1_F_D2I_ASN1_BIT_STRING                       141
+#define ASN1_F_D2I_ASN1_BOOLEAN                          142
+#define ASN1_F_D2I_ASN1_BYTES                            143
+#define ASN1_F_D2I_ASN1_GENERALIZEDTIME                  144
+#define ASN1_F_D2I_ASN1_HEADER                           145
+#define ASN1_F_D2I_ASN1_INTEGER                          146
+#define ASN1_F_D2I_ASN1_OBJECT                           147
+#define ASN1_F_D2I_ASN1_SET                              148
+#define ASN1_F_D2I_ASN1_TYPE_BYTES                       149
+#define ASN1_F_D2I_ASN1_UINTEGER                         150
+#define ASN1_F_D2I_ASN1_UTCTIME                          151
+#define ASN1_F_D2I_NETSCAPE_RSA                          152
+#define ASN1_F_D2I_NETSCAPE_RSA_2                        153
+#define ASN1_F_D2I_PRIVATEKEY                            154
+#define ASN1_F_D2I_PUBLICKEY                             155
+#define ASN1_F_D2I_X509                                  156
+#define ASN1_F_D2I_X509_CINF                             157
+#define ASN1_F_D2I_X509_NAME                             158
+#define ASN1_F_D2I_X509_PKEY                             159
+#define ASN1_F_I2D_ASN1_TIME                             160
+#define ASN1_F_I2D_DSA_PUBKEY                            161
+#define ASN1_F_I2D_NETSCAPE_RSA                          162
+#define ASN1_F_I2D_PRIVATEKEY                            163
+#define ASN1_F_I2D_PUBLICKEY                             164
+#define ASN1_F_I2D_RSA_PUBKEY                            165
+#define ASN1_F_LONG_C2I                                  166
+#define ASN1_F_OID_MODULE_INIT                           174
+#define ASN1_F_PKCS5_PBE2_SET                            167
+#define ASN1_F_X509_CINF_NEW                             168
+#define ASN1_F_X509_CRL_ADD0_REVOKED                     169
+#define ASN1_F_X509_INFO_NEW                             170
+#define ASN1_F_X509_NAME_NEW                             171
+#define ASN1_F_X509_NEW                                  172
+#define ASN1_F_X509_PKEY_NEW                             173
 
 /* Reason codes. */
-#define ASN1_R_BAD_CLASS                                 100
-#define ASN1_R_BAD_OBJECT_HEADER                         101
-#define ASN1_R_BAD_PASSWORD_READ                         102
-#define ASN1_R_BAD_PKCS7_CONTENT                         103
-#define ASN1_R_BAD_PKCS7_TYPE                            104
-#define ASN1_R_BAD_TAG                                   105
-#define ASN1_R_BAD_TYPE                                  106
-#define ASN1_R_BN_LIB                                    107
-#define ASN1_R_BOOLEAN_IS_WRONG_LENGTH                   108
-#define ASN1_R_BUFFER_TOO_SMALL                          109
-#define ASN1_R_CIPHER_HAS_NO_OBJECT_IDENTIFIER           166
-#define ASN1_R_DATA_IS_WRONG                             110
-#define ASN1_R_DECODE_ERROR                              155
+#define ASN1_R_ADDING_OBJECT                             171
+#define ASN1_R_AUX_ERROR                                 100
+#define ASN1_R_BAD_CLASS                                 101
+#define ASN1_R_BAD_OBJECT_HEADER                         102
+#define ASN1_R_BAD_PASSWORD_READ                         103
+#define ASN1_R_BAD_TAG                                   104
+#define ASN1_R_BN_LIB                                    105
+#define ASN1_R_BOOLEAN_IS_WRONG_LENGTH                   106
+#define ASN1_R_BUFFER_TOO_SMALL                          107
+#define ASN1_R_CIPHER_HAS_NO_OBJECT_IDENTIFIER           108
+#define ASN1_R_DATA_IS_WRONG                             109
+#define ASN1_R_DECODE_ERROR                              110
 #define ASN1_R_DECODING_ERROR                            111
-#define ASN1_R_ENCODE_ERROR                              156
-#define ASN1_R_ERROR_PARSING_SET_ELEMENT                 112
-#define ASN1_R_ERROR_SETTING_CIPHER_PARAMS               157
-#define ASN1_R_EXPECTING_AN_ENUMERATED                   154
-#define ASN1_R_EXPECTING_AN_INTEGER                      113
-#define ASN1_R_EXPECTING_AN_OBJECT                       114
-#define ASN1_R_EXPECTING_AN_OCTET_STRING                 115
-#define ASN1_R_EXPECTING_A_BIT_STRING                    116
+#define ASN1_R_ENCODE_ERROR                              112
+#define ASN1_R_ERROR_LOADING_SECTION                     172
+#define ASN1_R_ERROR_PARSING_SET_ELEMENT                 113
+#define ASN1_R_ERROR_SETTING_CIPHER_PARAMS               114
+#define ASN1_R_EXPECTING_AN_INTEGER                      115
+#define ASN1_R_EXPECTING_AN_OBJECT                       116
 #define ASN1_R_EXPECTING_A_BOOLEAN                       117
-#define ASN1_R_EXPECTING_A_GENERALIZEDTIME               151
-#define ASN1_R_EXPECTING_A_NULL                          164
-#define ASN1_R_EXPECTING_A_TIME                          152
-#define ASN1_R_EXPECTING_A_UTCTIME                       118
-#define ASN1_R_FIRST_NUM_TOO_LARGE                       119
-#define ASN1_R_GENERALIZEDTIME_TOO_LONG                  153
-#define ASN1_R_HEADER_TOO_LONG                           120
-#define ASN1_R_ILLEGAL_CHARACTERS                        158
-#define ASN1_R_INVALID_BMPSTRING_LENGTH                  159
-#define ASN1_R_INVALID_DIGIT                             121
-#define ASN1_R_INVALID_SEPARATOR                         122
-#define ASN1_R_INVALID_TIME_FORMAT                       123
-#define ASN1_R_INVALID_UNIVERSALSTRING_LENGTH            160
-#define ASN1_R_INVALID_UTF8STRING                        161
-#define ASN1_R_IV_TOO_LARGE                              124
-#define ASN1_R_LENGTH_ERROR                              125
-#define ASN1_R_MISSING_SECOND_NUMBER                     126
-#define ASN1_R_NON_HEX_CHARACTERS                        127
-#define ASN1_R_NOT_ENOUGH_DATA                           128
-#define ASN1_R_NULL_IS_WRONG_LENGTH                      165
-#define ASN1_R_ODD_NUMBER_OF_CHARS                       129
-#define ASN1_R_PARSING                                   130
-#define ASN1_R_PRIVATE_KEY_HEADER_MISSING                131
-#define ASN1_R_SECOND_NUMBER_TOO_LARGE                   132
-#define ASN1_R_SHORT_LINE                                133
-#define ASN1_R_STRING_TOO_LONG                           163
-#define ASN1_R_STRING_TOO_SHORT                          134
-#define ASN1_R_TAG_VALUE_TOO_HIGH                        135
-#define ASN1_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD 136
-#define ASN1_R_TOO_LONG                                  137
-#define ASN1_R_UNABLE_TO_DECODE_RSA_KEY                  138
-#define ASN1_R_UNABLE_TO_DECODE_RSA_PRIVATE_KEY          139
-#define ASN1_R_UNKNOWN_ATTRIBUTE_TYPE                    140
-#define ASN1_R_UNKNOWN_FORMAT                            162
-#define ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM          141
-#define ASN1_R_UNKNOWN_OBJECT_TYPE                       142
-#define ASN1_R_UNKNOWN_PUBLIC_KEY_TYPE                   143
-#define ASN1_R_UNSUPPORTED_CIPHER                        144
-#define ASN1_R_UNSUPPORTED_ENCRYPTION_ALGORITHM          145
-#define ASN1_R_UNSUPPORTED_PUBLIC_KEY_TYPE               146
-#define ASN1_R_UTCTIME_TOO_LONG                          147
-#define ASN1_R_WRONG_PRINTABLE_TYPE                      148
-#define ASN1_R_WRONG_TAG                                 149
-#define ASN1_R_WRONG_TYPE                                150
+#define ASN1_R_EXPECTING_A_TIME                          118
+#define ASN1_R_EXPLICIT_LENGTH_MISMATCH                  119
+#define ASN1_R_EXPLICIT_TAG_NOT_CONSTRUCTED              120
+#define ASN1_R_FIELD_MISSING                             121
+#define ASN1_R_FIRST_NUM_TOO_LARGE                       122
+#define ASN1_R_HEADER_TOO_LONG                           123
+#define ASN1_R_ILLEGAL_CHARACTERS                        124
+#define ASN1_R_ILLEGAL_NULL                              125
+#define ASN1_R_ILLEGAL_OPTIONAL_ANY                      126
+#define ASN1_R_ILLEGAL_OPTIONS_ON_ITEM_TEMPLATE          170
+#define ASN1_R_ILLEGAL_TAGGED_ANY                        127
+#define ASN1_R_INTEGER_TOO_LARGE_FOR_LONG                128
+#define ASN1_R_INVALID_BMPSTRING_LENGTH                  129
+#define ASN1_R_INVALID_DIGIT                             130
+#define ASN1_R_INVALID_SEPARATOR                         131
+#define ASN1_R_INVALID_TIME_FORMAT                       132
+#define ASN1_R_INVALID_UNIVERSALSTRING_LENGTH            133
+#define ASN1_R_INVALID_UTF8STRING                        134
+#define ASN1_R_IV_TOO_LARGE                              135
+#define ASN1_R_LENGTH_ERROR                              136
+#define ASN1_R_MISSING_EOC                               137
+#define ASN1_R_MISSING_SECOND_NUMBER                     138
+#define ASN1_R_MSTRING_NOT_UNIVERSAL                     139
+#define ASN1_R_MSTRING_WRONG_TAG                         140
+#define ASN1_R_NON_HEX_CHARACTERS                        141
+#define ASN1_R_NOT_ENOUGH_DATA                           142
+#define ASN1_R_NO_MATCHING_CHOICE_TYPE                   143
+#define ASN1_R_NULL_IS_WRONG_LENGTH                      144
+#define ASN1_R_ODD_NUMBER_OF_CHARS                       145
+#define ASN1_R_PRIVATE_KEY_HEADER_MISSING                146
+#define ASN1_R_SECOND_NUMBER_TOO_LARGE                   147
+#define ASN1_R_SEQUENCE_LENGTH_MISMATCH                  148
+#define ASN1_R_SEQUENCE_NOT_CONSTRUCTED                  149
+#define ASN1_R_SHORT_LINE                                150
+#define ASN1_R_STRING_TOO_LONG                           151
+#define ASN1_R_STRING_TOO_SHORT                          152
+#define ASN1_R_TAG_VALUE_TOO_HIGH                        153
+#define ASN1_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD 154
+#define ASN1_R_TOO_LONG                                  155
+#define ASN1_R_TYPE_NOT_CONSTRUCTED                      156
+#define ASN1_R_UNABLE_TO_DECODE_RSA_KEY                  157
+#define ASN1_R_UNABLE_TO_DECODE_RSA_PRIVATE_KEY          158
+#define ASN1_R_UNEXPECTED_EOC                            159
+#define ASN1_R_UNKNOWN_FORMAT                            160
+#define ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM          161
+#define ASN1_R_UNKNOWN_OBJECT_TYPE                       162
+#define ASN1_R_UNKNOWN_PUBLIC_KEY_TYPE                   163
+#define ASN1_R_UNSUPPORTED_ANY_DEFINED_BY_TYPE           164
+#define ASN1_R_UNSUPPORTED_CIPHER                        165
+#define ASN1_R_UNSUPPORTED_ENCRYPTION_ALGORITHM          166
+#define ASN1_R_UNSUPPORTED_PUBLIC_KEY_TYPE               167
+#define ASN1_R_WRONG_TAG                                 168
+#define ASN1_R_WRONG_TYPE                                169
 
 #ifdef  __cplusplus
 }
 #endif
 #endif
-
diff --git a/src/lib/libcrypto/asn1/asn1_err.c b/src/lib/libcrypto/asn1/asn1_err.c
index cecd555c88..c4c3d2a91d 100644
--- a/src/lib/libcrypto/asn1/asn1_err.c
+++ b/src/lib/libcrypto/asn1/asn1_err.c
@@ -63,27 +63,31 @@
 #include <openssl/asn1.h>
 
 /* BEGIN ERROR CODES */
-#ifndef NO_ERR
+#ifndef OPENSSL_NO_ERR
 static ERR_STRING_DATA ASN1_str_functs[]=
         {
 {ERR_PACK(0,ASN1_F_A2D_ASN1_OBJECT,0),  "a2d_ASN1_OBJECT"},
 {ERR_PACK(0,ASN1_F_A2I_ASN1_ENUMERATED,0),      "a2i_ASN1_ENUMERATED"},
 {ERR_PACK(0,ASN1_F_A2I_ASN1_INTEGER,0), "a2i_ASN1_INTEGER"},
 {ERR_PACK(0,ASN1_F_A2I_ASN1_STRING,0),  "a2i_ASN1_STRING"},
-{ERR_PACK(0,ASN1_F_ACCESS_DESCRIPTION_NEW,0),   "ACCESS_DESCRIPTION_new"},
+{ERR_PACK(0,ASN1_F_ASN1_CHECK_TLEN,0),  "ASN1_CHECK_TLEN"},
 {ERR_PACK(0,ASN1_F_ASN1_COLLATE_PRIMITIVE,0),   "ASN1_COLLATE_PRIMITIVE"},
+{ERR_PACK(0,ASN1_F_ASN1_COLLECT,0),     "ASN1_COLLECT"},
 {ERR_PACK(0,ASN1_F_ASN1_D2I_BIO,0),     "ASN1_d2i_bio"},
+{ERR_PACK(0,ASN1_F_ASN1_D2I_EX_PRIMITIVE,0),    "ASN1_D2I_EX_PRIMITIVE"},
 {ERR_PACK(0,ASN1_F_ASN1_D2I_FP,0),      "ASN1_d2i_fp"},
+{ERR_PACK(0,ASN1_F_ASN1_DO_ADB,0),      "ASN1_DO_ADB"},
 {ERR_PACK(0,ASN1_F_ASN1_DUP,0), "ASN1_dup"},
 {ERR_PACK(0,ASN1_F_ASN1_ENUMERATED_SET,0),      "ASN1_ENUMERATED_set"},
 {ERR_PACK(0,ASN1_F_ASN1_ENUMERATED_TO_BN,0),    "ASN1_ENUMERATED_to_BN"},
-{ERR_PACK(0,ASN1_F_ASN1_GENERALIZEDTIME_NEW,0), "ASN1_GENERALIZEDTIME_new"},
 {ERR_PACK(0,ASN1_F_ASN1_GET_OBJECT,0),  "ASN1_get_object"},
 {ERR_PACK(0,ASN1_F_ASN1_HEADER_NEW,0),  "ASN1_HEADER_new"},
 {ERR_PACK(0,ASN1_F_ASN1_I2D_BIO,0),     "ASN1_i2d_bio"},
 {ERR_PACK(0,ASN1_F_ASN1_I2D_FP,0),      "ASN1_i2d_fp"},
 {ERR_PACK(0,ASN1_F_ASN1_INTEGER_SET,0), "ASN1_INTEGER_set"},
 {ERR_PACK(0,ASN1_F_ASN1_INTEGER_TO_BN,0),       "ASN1_INTEGER_to_BN"},
+{ERR_PACK(0,ASN1_F_ASN1_ITEM_EX_D2I,0), "ASN1_ITEM_EX_D2I"},
+{ERR_PACK(0,ASN1_F_ASN1_ITEM_NEW,0),    "ASN1_item_new"},
 {ERR_PACK(0,ASN1_F_ASN1_MBSTRING_COPY,0),       "ASN1_mbstring_copy"},
 {ERR_PACK(0,ASN1_F_ASN1_OBJECT_NEW,0),  "ASN1_OBJECT_new"},
 {ERR_PACK(0,ASN1_F_ASN1_PACK_STRING,0), "ASN1_pack_string"},
@@ -91,186 +95,63 @@ static ERR_STRING_DATA ASN1_str_functs[]=
 {ERR_PACK(0,ASN1_F_ASN1_SEQ_PACK,0),    "ASN1_seq_pack"},
 {ERR_PACK(0,ASN1_F_ASN1_SEQ_UNPACK,0),  "ASN1_seq_unpack"},
 {ERR_PACK(0,ASN1_F_ASN1_SIGN,0),        "ASN1_sign"},
-{ERR_PACK(0,ASN1_F_ASN1_STRING_NEW,0),  "ASN1_STRING_new"},
 {ERR_PACK(0,ASN1_F_ASN1_STRING_TABLE_ADD,0),    "ASN1_STRING_TABLE_add"},
 {ERR_PACK(0,ASN1_F_ASN1_STRING_TYPE_NEW,0),     "ASN1_STRING_type_new"},
+{ERR_PACK(0,ASN1_F_ASN1_TEMPLATE_D2I,0),        "ASN1_TEMPLATE_D2I"},
+{ERR_PACK(0,ASN1_F_ASN1_TEMPLATE_EX_D2I,0),     "ASN1_TEMPLATE_EX_D2I"},
+{ERR_PACK(0,ASN1_F_ASN1_TEMPLATE_NEW,0),        "ASN1_TEMPLATE_NEW"},
 {ERR_PACK(0,ASN1_F_ASN1_TYPE_GET_INT_OCTETSTRING,0),    "ASN1_TYPE_get_int_octetstring"},
 {ERR_PACK(0,ASN1_F_ASN1_TYPE_GET_OCTETSTRING,0),        "ASN1_TYPE_get_octetstring"},
-{ERR_PACK(0,ASN1_F_ASN1_TYPE_NEW,0),    "ASN1_TYPE_new"},
 {ERR_PACK(0,ASN1_F_ASN1_UNPACK_STRING,0),       "ASN1_unpack_string"},
-{ERR_PACK(0,ASN1_F_ASN1_UTCTIME_NEW,0), "ASN1_UTCTIME_new"},
 {ERR_PACK(0,ASN1_F_ASN1_VERIFY,0),      "ASN1_verify"},
-{ERR_PACK(0,ASN1_F_AUTHORITY_KEYID_NEW,0),      "AUTHORITY_KEYID_new"},
-{ERR_PACK(0,ASN1_F_BASIC_CONSTRAINTS_NEW,0),    "BASIC_CONSTRAINTS_new"},
 {ERR_PACK(0,ASN1_F_BN_TO_ASN1_ENUMERATED,0),    "BN_to_ASN1_ENUMERATED"},
 {ERR_PACK(0,ASN1_F_BN_TO_ASN1_INTEGER,0),       "BN_to_ASN1_INTEGER"},
-{ERR_PACK(0,ASN1_F_D2I_ACCESS_DESCRIPTION,0),   "d2i_ACCESS_DESCRIPTION"},
-{ERR_PACK(0,ASN1_F_D2I_ASN1_BIT_STRING,0),      "d2i_ASN1_BIT_STRING"},
-{ERR_PACK(0,ASN1_F_D2I_ASN1_BMPSTRING,0),       "d2i_ASN1_BMPSTRING"},
+{ERR_PACK(0,ASN1_F_COLLECT_DATA,0),     "COLLECT_DATA"},
+{ERR_PACK(0,ASN1_F_D2I_ASN1_BIT_STRING,0),      "D2I_ASN1_BIT_STRING"},
 {ERR_PACK(0,ASN1_F_D2I_ASN1_BOOLEAN,0), "d2i_ASN1_BOOLEAN"},
 {ERR_PACK(0,ASN1_F_D2I_ASN1_BYTES,0),   "d2i_ASN1_bytes"},
-{ERR_PACK(0,ASN1_F_D2I_ASN1_ENUMERATED,0),      "d2i_ASN1_ENUMERATED"},
-{ERR_PACK(0,ASN1_F_D2I_ASN1_GENERALIZEDTIME,0), "d2i_ASN1_GENERALIZEDTIME"},
+{ERR_PACK(0,ASN1_F_D2I_ASN1_GENERALIZEDTIME,0), "D2I_ASN1_GENERALIZEDTIME"},
 {ERR_PACK(0,ASN1_F_D2I_ASN1_HEADER,0),  "d2i_ASN1_HEADER"},
-{ERR_PACK(0,ASN1_F_D2I_ASN1_INTEGER,0), "d2i_ASN1_INTEGER"},
-{ERR_PACK(0,ASN1_F_D2I_ASN1_NULL,0),    "d2i_ASN1_NULL"},
+{ERR_PACK(0,ASN1_F_D2I_ASN1_INTEGER,0), "D2I_ASN1_INTEGER"},
 {ERR_PACK(0,ASN1_F_D2I_ASN1_OBJECT,0),  "d2i_ASN1_OBJECT"},
-{ERR_PACK(0,ASN1_F_D2I_ASN1_OCTET_STRING,0),    "d2i_ASN1_OCTET_STRING"},
-{ERR_PACK(0,ASN1_F_D2I_ASN1_PRINT_TYPE,0),      "D2I_ASN1_PRINT_TYPE"},
 {ERR_PACK(0,ASN1_F_D2I_ASN1_SET,0),     "d2i_ASN1_SET"},
-{ERR_PACK(0,ASN1_F_D2I_ASN1_TIME,0),    "d2i_ASN1_TIME"},
-{ERR_PACK(0,ASN1_F_D2I_ASN1_TYPE,0),    "d2i_ASN1_TYPE"},
 {ERR_PACK(0,ASN1_F_D2I_ASN1_TYPE_BYTES,0),      "d2i_ASN1_type_bytes"},
 {ERR_PACK(0,ASN1_F_D2I_ASN1_UINTEGER,0),        "d2i_ASN1_UINTEGER"},
-{ERR_PACK(0,ASN1_F_D2I_ASN1_UTCTIME,0), "d2i_ASN1_UTCTIME"},
-{ERR_PACK(0,ASN1_F_D2I_ASN1_UTF8STRING,0),      "d2i_ASN1_UTF8STRING"},
-{ERR_PACK(0,ASN1_F_D2I_ASN1_VISIBLESTRING,0),   "d2i_ASN1_VISIBLESTRING"},
-{ERR_PACK(0,ASN1_F_D2I_AUTHORITY_KEYID,0),      "d2i_AUTHORITY_KEYID"},
-{ERR_PACK(0,ASN1_F_D2I_BASIC_CONSTRAINTS,0),    "d2i_BASIC_CONSTRAINTS"},
-{ERR_PACK(0,ASN1_F_D2I_DHPARAMS,0),     "d2i_DHparams"},
-{ERR_PACK(0,ASN1_F_D2I_DIST_POINT,0),   "d2i_DIST_POINT"},
-{ERR_PACK(0,ASN1_F_D2I_DIST_POINT_NAME,0),      "d2i_DIST_POINT_NAME"},
-{ERR_PACK(0,ASN1_F_D2I_DSAPARAMS,0),    "d2i_DSAparams"},
-{ERR_PACK(0,ASN1_F_D2I_DSAPRIVATEKEY,0),        "d2i_DSAPrivateKey"},
-{ERR_PACK(0,ASN1_F_D2I_DSAPUBLICKEY,0), "d2i_DSAPublicKey"},
-{ERR_PACK(0,ASN1_F_D2I_GENERAL_NAME,0), "d2i_GENERAL_NAME"},
-{ERR_PACK(0,ASN1_F_D2I_NETSCAPE_CERT_SEQUENCE,0),       "d2i_NETSCAPE_CERT_SEQUENCE"},
-{ERR_PACK(0,ASN1_F_D2I_NETSCAPE_PKEY,0),        "D2I_NETSCAPE_PKEY"},
+{ERR_PACK(0,ASN1_F_D2I_ASN1_UTCTIME,0), "D2I_ASN1_UTCTIME"},
 {ERR_PACK(0,ASN1_F_D2I_NETSCAPE_RSA,0), "d2i_Netscape_RSA"},
-{ERR_PACK(0,ASN1_F_D2I_NETSCAPE_RSA_2,0),       "d2i_Netscape_RSA_2"},
-{ERR_PACK(0,ASN1_F_D2I_NETSCAPE_SPKAC,0),       "d2i_NETSCAPE_SPKAC"},
-{ERR_PACK(0,ASN1_F_D2I_NETSCAPE_SPKI,0),        "d2i_NETSCAPE_SPKI"},
-{ERR_PACK(0,ASN1_F_D2I_NOTICEREF,0),    "d2i_NOTICEREF"},
-{ERR_PACK(0,ASN1_F_D2I_OTHERNAME,0),    "d2i_OTHERNAME"},
-{ERR_PACK(0,ASN1_F_D2I_PBE2PARAM,0),    "d2i_PBE2PARAM"},
-{ERR_PACK(0,ASN1_F_D2I_PBEPARAM,0),     "d2i_PBEPARAM"},
-{ERR_PACK(0,ASN1_F_D2I_PBKDF2PARAM,0),  "d2i_PBKDF2PARAM"},
-{ERR_PACK(0,ASN1_F_D2I_PKCS12,0),       "d2i_PKCS12"},
-{ERR_PACK(0,ASN1_F_D2I_PKCS12_BAGS,0),  "d2i_PKCS12_BAGS"},
-{ERR_PACK(0,ASN1_F_D2I_PKCS12_MAC_DATA,0),      "d2i_PKCS12_MAC_DATA"},
-{ERR_PACK(0,ASN1_F_D2I_PKCS12_SAFEBAG,0),       "d2i_PKCS12_SAFEBAG"},
-{ERR_PACK(0,ASN1_F_D2I_PKCS7,0),        "d2i_PKCS7"},
-{ERR_PACK(0,ASN1_F_D2I_PKCS7_DIGEST,0), "d2i_PKCS7_DIGEST"},
-{ERR_PACK(0,ASN1_F_D2I_PKCS7_ENCRYPT,0),        "d2i_PKCS7_ENCRYPT"},
-{ERR_PACK(0,ASN1_F_D2I_PKCS7_ENC_CONTENT,0),    "d2i_PKCS7_ENC_CONTENT"},
-{ERR_PACK(0,ASN1_F_D2I_PKCS7_ENVELOPE,0),       "d2i_PKCS7_ENVELOPE"},
-{ERR_PACK(0,ASN1_F_D2I_PKCS7_ISSUER_AND_SERIAL,0),      "d2i_PKCS7_ISSUER_AND_SERIAL"},
-{ERR_PACK(0,ASN1_F_D2I_PKCS7_RECIP_INFO,0),     "d2i_PKCS7_RECIP_INFO"},
-{ERR_PACK(0,ASN1_F_D2I_PKCS7_SIGNED,0), "d2i_PKCS7_SIGNED"},
-{ERR_PACK(0,ASN1_F_D2I_PKCS7_SIGNER_INFO,0),    "d2i_PKCS7_SIGNER_INFO"},
-{ERR_PACK(0,ASN1_F_D2I_PKCS7_SIGN_ENVELOPE,0),  "d2i_PKCS7_SIGN_ENVELOPE"},
-{ERR_PACK(0,ASN1_F_D2I_PKCS8_PRIV_KEY_INFO,0),  "d2i_PKCS8_PRIV_KEY_INFO"},
-{ERR_PACK(0,ASN1_F_D2I_PKEY_USAGE_PERIOD,0),    "d2i_PKEY_USAGE_PERIOD"},
-{ERR_PACK(0,ASN1_F_D2I_POLICYINFO,0),   "d2i_POLICYINFO"},
-{ERR_PACK(0,ASN1_F_D2I_POLICYQUALINFO,0),       "d2i_POLICYQUALINFO"},
+{ERR_PACK(0,ASN1_F_D2I_NETSCAPE_RSA_2,0),       "D2I_NETSCAPE_RSA_2"},
 {ERR_PACK(0,ASN1_F_D2I_PRIVATEKEY,0),   "d2i_PrivateKey"},
 {ERR_PACK(0,ASN1_F_D2I_PUBLICKEY,0),    "d2i_PublicKey"},
-{ERR_PACK(0,ASN1_F_D2I_RSAPRIVATEKEY,0),        "d2i_RSAPrivateKey"},
-{ERR_PACK(0,ASN1_F_D2I_RSAPUBLICKEY,0), "d2i_RSAPublicKey"},
-{ERR_PACK(0,ASN1_F_D2I_SXNET,0),        "d2i_SXNET"},
-{ERR_PACK(0,ASN1_F_D2I_SXNETID,0),      "d2i_SXNETID"},
-{ERR_PACK(0,ASN1_F_D2I_USERNOTICE,0),   "d2i_USERNOTICE"},
-{ERR_PACK(0,ASN1_F_D2I_X509,0), "d2i_X509"},
-{ERR_PACK(0,ASN1_F_D2I_X509_ALGOR,0),   "d2i_X509_ALGOR"},
-{ERR_PACK(0,ASN1_F_D2I_X509_ATTRIBUTE,0),       "d2i_X509_ATTRIBUTE"},
-{ERR_PACK(0,ASN1_F_D2I_X509_CERT_AUX,0),        "d2i_X509_CERT_AUX"},
-{ERR_PACK(0,ASN1_F_D2I_X509_CINF,0),    "d2i_X509_CINF"},
-{ERR_PACK(0,ASN1_F_D2I_X509_CRL,0),     "d2i_X509_CRL"},
-{ERR_PACK(0,ASN1_F_D2I_X509_CRL_INFO,0),        "d2i_X509_CRL_INFO"},
-{ERR_PACK(0,ASN1_F_D2I_X509_EXTENSION,0),       "d2i_X509_EXTENSION"},
-{ERR_PACK(0,ASN1_F_D2I_X509_KEY,0),     "D2I_X509_KEY"},
-{ERR_PACK(0,ASN1_F_D2I_X509_NAME,0),    "d2i_X509_NAME"},
-{ERR_PACK(0,ASN1_F_D2I_X509_NAME_ENTRY,0),      "d2i_X509_NAME_ENTRY"},
+{ERR_PACK(0,ASN1_F_D2I_X509,0), "D2I_X509"},
+{ERR_PACK(0,ASN1_F_D2I_X509_CINF,0),    "D2I_X509_CINF"},
+{ERR_PACK(0,ASN1_F_D2I_X509_NAME,0),    "D2I_X509_NAME"},
 {ERR_PACK(0,ASN1_F_D2I_X509_PKEY,0),    "d2i_X509_PKEY"},
-{ERR_PACK(0,ASN1_F_D2I_X509_PUBKEY,0),  "d2i_X509_PUBKEY"},
-{ERR_PACK(0,ASN1_F_D2I_X509_REQ,0),     "d2i_X509_REQ"},
-{ERR_PACK(0,ASN1_F_D2I_X509_REQ_INFO,0),        "d2i_X509_REQ_INFO"},
-{ERR_PACK(0,ASN1_F_D2I_X509_REVOKED,0), "d2i_X509_REVOKED"},
-{ERR_PACK(0,ASN1_F_D2I_X509_SIG,0),     "d2i_X509_SIG"},
-{ERR_PACK(0,ASN1_F_D2I_X509_VAL,0),     "d2i_X509_VAL"},
-{ERR_PACK(0,ASN1_F_DIST_POINT_NAME_NEW,0),      "DIST_POINT_NAME_new"},
-{ERR_PACK(0,ASN1_F_DIST_POINT_NEW,0),   "DIST_POINT_new"},
-{ERR_PACK(0,ASN1_F_GENERAL_NAME_NEW,0), "GENERAL_NAME_new"},
-{ERR_PACK(0,ASN1_F_I2D_ASN1_HEADER,0),  "i2d_ASN1_HEADER"},
-{ERR_PACK(0,ASN1_F_I2D_ASN1_TIME,0),    "i2d_ASN1_TIME"},
-{ERR_PACK(0,ASN1_F_I2D_DHPARAMS,0),     "i2d_DHparams"},
-{ERR_PACK(0,ASN1_F_I2D_DSAPARAMS,0),    "i2d_DSAparams"},
-{ERR_PACK(0,ASN1_F_I2D_DSAPRIVATEKEY,0),        "i2d_DSAPrivateKey"},
-{ERR_PACK(0,ASN1_F_I2D_DSAPUBLICKEY,0), "i2d_DSAPublicKey"},
+{ERR_PACK(0,ASN1_F_I2D_ASN1_TIME,0),    "I2D_ASN1_TIME"},
 {ERR_PACK(0,ASN1_F_I2D_DSA_PUBKEY,0),   "i2d_DSA_PUBKEY"},
 {ERR_PACK(0,ASN1_F_I2D_NETSCAPE_RSA,0), "i2d_Netscape_RSA"},
-{ERR_PACK(0,ASN1_F_I2D_PKCS7,0),        "i2d_PKCS7"},
 {ERR_PACK(0,ASN1_F_I2D_PRIVATEKEY,0),   "i2d_PrivateKey"},
 {ERR_PACK(0,ASN1_F_I2D_PUBLICKEY,0),    "i2d_PublicKey"},
-{ERR_PACK(0,ASN1_F_I2D_RSAPRIVATEKEY,0),        "i2d_RSAPrivateKey"},
-{ERR_PACK(0,ASN1_F_I2D_RSAPUBLICKEY,0), "i2d_RSAPublicKey"},
 {ERR_PACK(0,ASN1_F_I2D_RSA_PUBKEY,0),   "i2d_RSA_PUBKEY"},
-{ERR_PACK(0,ASN1_F_I2D_X509_ATTRIBUTE,0),       "i2d_X509_ATTRIBUTE"},
-{ERR_PACK(0,ASN1_F_I2T_ASN1_OBJECT,0),  "i2t_ASN1_OBJECT"},
-{ERR_PACK(0,ASN1_F_NETSCAPE_CERT_SEQUENCE_NEW,0),       "NETSCAPE_CERT_SEQUENCE_new"},
-{ERR_PACK(0,ASN1_F_NETSCAPE_PKEY_NEW,0),        "NETSCAPE_PKEY_NEW"},
-{ERR_PACK(0,ASN1_F_NETSCAPE_SPKAC_NEW,0),       "NETSCAPE_SPKAC_new"},
-{ERR_PACK(0,ASN1_F_NETSCAPE_SPKI_NEW,0),        "NETSCAPE_SPKI_new"},
-{ERR_PACK(0,ASN1_F_NOTICEREF_NEW,0),    "NOTICEREF_new"},
-{ERR_PACK(0,ASN1_F_OTHERNAME_NEW,0),    "OTHERNAME_new"},
-{ERR_PACK(0,ASN1_F_PBE2PARAM_NEW,0),    "PBE2PARAM_new"},
-{ERR_PACK(0,ASN1_F_PBEPARAM_NEW,0),     "PBEPARAM_new"},
-{ERR_PACK(0,ASN1_F_PBKDF2PARAM_NEW,0),  "PBKDF2PARAM_new"},
-{ERR_PACK(0,ASN1_F_PKCS12_BAGS_NEW,0),  "PKCS12_BAGS_new"},
-{ERR_PACK(0,ASN1_F_PKCS12_MAC_DATA_NEW,0),      "PKCS12_MAC_DATA_new"},
-{ERR_PACK(0,ASN1_F_PKCS12_NEW,0),       "PKCS12_new"},
-{ERR_PACK(0,ASN1_F_PKCS12_SAFEBAG_NEW,0),       "PKCS12_SAFEBAG_new"},
+{ERR_PACK(0,ASN1_F_LONG_C2I,0), "LONG_C2I"},
+{ERR_PACK(0,ASN1_F_OID_MODULE_INIT,0),  "OID_MODULE_INIT"},
 {ERR_PACK(0,ASN1_F_PKCS5_PBE2_SET,0),   "PKCS5_pbe2_set"},
-{ERR_PACK(0,ASN1_F_PKCS7_DIGEST_NEW,0), "PKCS7_DIGEST_new"},
-{ERR_PACK(0,ASN1_F_PKCS7_ENCRYPT_NEW,0),        "PKCS7_ENCRYPT_new"},
-{ERR_PACK(0,ASN1_F_PKCS7_ENC_CONTENT_NEW,0),    "PKCS7_ENC_CONTENT_new"},
-{ERR_PACK(0,ASN1_F_PKCS7_ENVELOPE_NEW,0),       "PKCS7_ENVELOPE_new"},
-{ERR_PACK(0,ASN1_F_PKCS7_ISSUER_AND_SERIAL_NEW,0),      "PKCS7_ISSUER_AND_SERIAL_new"},
-{ERR_PACK(0,ASN1_F_PKCS7_NEW,0),        "PKCS7_new"},
-{ERR_PACK(0,ASN1_F_PKCS7_RECIP_INFO_NEW,0),     "PKCS7_RECIP_INFO_new"},
-{ERR_PACK(0,ASN1_F_PKCS7_SIGNED_NEW,0), "PKCS7_SIGNED_new"},
-{ERR_PACK(0,ASN1_F_PKCS7_SIGNER_INFO_NEW,0),    "PKCS7_SIGNER_INFO_new"},
-{ERR_PACK(0,ASN1_F_PKCS7_SIGN_ENVELOPE_NEW,0),  "PKCS7_SIGN_ENVELOPE_new"},
-{ERR_PACK(0,ASN1_F_PKCS8_PRIV_KEY_INFO_NEW,0),  "PKCS8_PRIV_KEY_INFO_new"},
-{ERR_PACK(0,ASN1_F_PKEY_USAGE_PERIOD_NEW,0),    "PKEY_USAGE_PERIOD_new"},
-{ERR_PACK(0,ASN1_F_POLICYINFO_NEW,0),   "POLICYINFO_new"},
-{ERR_PACK(0,ASN1_F_POLICYQUALINFO_NEW,0),       "POLICYQUALINFO_new"},
-{ERR_PACK(0,ASN1_F_SXNETID_NEW,0),      "SXNETID_new"},
-{ERR_PACK(0,ASN1_F_SXNET_NEW,0),        "SXNET_new"},
-{ERR_PACK(0,ASN1_F_USERNOTICE_NEW,0),   "USERNOTICE_new"},
-{ERR_PACK(0,ASN1_F_X509_ALGOR_NEW,0),   "X509_ALGOR_new"},
-{ERR_PACK(0,ASN1_F_X509_ATTRIBUTE_NEW,0),       "X509_ATTRIBUTE_new"},
-{ERR_PACK(0,ASN1_F_X509_CERT_AUX_NEW,0),        "X509_CERT_AUX_new"},
-{ERR_PACK(0,ASN1_F_X509_CINF_NEW,0),    "X509_CINF_new"},
-{ERR_PACK(0,ASN1_F_X509_CRL_INFO_NEW,0),        "X509_CRL_INFO_new"},
-{ERR_PACK(0,ASN1_F_X509_CRL_NEW,0),     "X509_CRL_new"},
-{ERR_PACK(0,ASN1_F_X509_DHPARAMS_NEW,0),        "X509_DHPARAMS_NEW"},
-{ERR_PACK(0,ASN1_F_X509_EXTENSION_NEW,0),       "X509_EXTENSION_new"},
+{ERR_PACK(0,ASN1_F_X509_CINF_NEW,0),    "X509_CINF_NEW"},
+{ERR_PACK(0,ASN1_F_X509_CRL_ADD0_REVOKED,0),    "X509_CRL_add0_revoked"},
 {ERR_PACK(0,ASN1_F_X509_INFO_NEW,0),    "X509_INFO_new"},
-{ERR_PACK(0,ASN1_F_X509_KEY_NEW,0),     "X509_KEY_NEW"},
-{ERR_PACK(0,ASN1_F_X509_NAME_ENTRY_NEW,0),      "X509_NAME_ENTRY_new"},
-{ERR_PACK(0,ASN1_F_X509_NAME_NEW,0),    "X509_NAME_new"},
-{ERR_PACK(0,ASN1_F_X509_NEW,0), "X509_new"},
+{ERR_PACK(0,ASN1_F_X509_NAME_NEW,0),    "X509_NAME_NEW"},
+{ERR_PACK(0,ASN1_F_X509_NEW,0), "X509_NEW"},
 {ERR_PACK(0,ASN1_F_X509_PKEY_NEW,0),    "X509_PKEY_new"},
-{ERR_PACK(0,ASN1_F_X509_PUBKEY_NEW,0),  "X509_PUBKEY_new"},
-{ERR_PACK(0,ASN1_F_X509_REQ_INFO_NEW,0),        "X509_REQ_INFO_new"},
-{ERR_PACK(0,ASN1_F_X509_REQ_NEW,0),     "X509_REQ_new"},
-{ERR_PACK(0,ASN1_F_X509_REVOKED_NEW,0), "X509_REVOKED_new"},
-{ERR_PACK(0,ASN1_F_X509_SIG_NEW,0),     "X509_SIG_new"},
-{ERR_PACK(0,ASN1_F_X509_VAL_FREE,0),    "X509_VAL_free"},
-{ERR_PACK(0,ASN1_F_X509_VAL_NEW,0),     "X509_VAL_new"},
 {0,NULL}
         };
 
 static ERR_STRING_DATA ASN1_str_reasons[]=
         {
+{ASN1_R_ADDING_OBJECT                    ,"adding object"},
+{ASN1_R_AUX_ERROR                        ,"aux error"},
 {ASN1_R_BAD_CLASS                        ,"bad class"},
 {ASN1_R_BAD_OBJECT_HEADER                ,"bad object header"},
 {ASN1_R_BAD_PASSWORD_READ                ,"bad password read"},
-{ASN1_R_BAD_PKCS7_CONTENT                ,"bad pkcs7 content"},
-{ASN1_R_BAD_PKCS7_TYPE                   ,"bad pkcs7 type"},
 {ASN1_R_BAD_TAG                          ,"bad tag"},
-{ASN1_R_BAD_TYPE                         ,"bad type"},
 {ASN1_R_BN_LIB                           ,"bn lib"},
 {ASN1_R_BOOLEAN_IS_WRONG_LENGTH          ,"boolean is wrong length"},
 {ASN1_R_BUFFER_TOO_SMALL                 ,"buffer too small"},
@@ -279,22 +160,24 @@ static ERR_STRING_DATA ASN1_str_reasons[]=
 {ASN1_R_DECODE_ERROR                     ,"decode error"},
 {ASN1_R_DECODING_ERROR                   ,"decoding error"},
 {ASN1_R_ENCODE_ERROR                     ,"encode error"},
+{ASN1_R_ERROR_LOADING_SECTION            ,"error loading section"},
 {ASN1_R_ERROR_PARSING_SET_ELEMENT        ,"error parsing set element"},
 {ASN1_R_ERROR_SETTING_CIPHER_PARAMS      ,"error setting cipher params"},
-{ASN1_R_EXPECTING_AN_ENUMERATED          ,"expecting an enumerated"},
 {ASN1_R_EXPECTING_AN_INTEGER             ,"expecting an integer"},
 {ASN1_R_EXPECTING_AN_OBJECT              ,"expecting an object"},
-{ASN1_R_EXPECTING_AN_OCTET_STRING        ,"expecting an octet string"},
-{ASN1_R_EXPECTING_A_BIT_STRING           ,"expecting a bit string"},
 {ASN1_R_EXPECTING_A_BOOLEAN              ,"expecting a boolean"},
-{ASN1_R_EXPECTING_A_GENERALIZEDTIME      ,"expecting a generalizedtime"},
-{ASN1_R_EXPECTING_A_NULL                 ,"expecting a null"},
 {ASN1_R_EXPECTING_A_TIME                 ,"expecting a time"},
-{ASN1_R_EXPECTING_A_UTCTIME              ,"expecting a utctime"},
+{ASN1_R_EXPLICIT_LENGTH_MISMATCH         ,"explicit length mismatch"},
+{ASN1_R_EXPLICIT_TAG_NOT_CONSTRUCTED     ,"explicit tag not constructed"},
+{ASN1_R_FIELD_MISSING                    ,"field missing"},
 {ASN1_R_FIRST_NUM_TOO_LARGE              ,"first num too large"},
-{ASN1_R_GENERALIZEDTIME_TOO_LONG         ,"generalizedtime too long"},
 {ASN1_R_HEADER_TOO_LONG                  ,"header too long"},
 {ASN1_R_ILLEGAL_CHARACTERS               ,"illegal characters"},
+{ASN1_R_ILLEGAL_NULL                     ,"illegal null"},
+{ASN1_R_ILLEGAL_OPTIONAL_ANY             ,"illegal optional any"},
+{ASN1_R_ILLEGAL_OPTIONS_ON_ITEM_TEMPLATE ,"illegal options on item template"},
+{ASN1_R_ILLEGAL_TAGGED_ANY               ,"illegal tagged any"},
+{ASN1_R_INTEGER_TOO_LARGE_FOR_LONG       ,"integer too large for long"},
 {ASN1_R_INVALID_BMPSTRING_LENGTH         ,"invalid bmpstring length"},
 {ASN1_R_INVALID_DIGIT                    ,"invalid digit"},
 {ASN1_R_INVALID_SEPARATOR                ,"invalid separator"},
@@ -303,32 +186,37 @@ static ERR_STRING_DATA ASN1_str_reasons[]=
 {ASN1_R_INVALID_UTF8STRING               ,"invalid utf8string"},
 {ASN1_R_IV_TOO_LARGE                     ,"iv too large"},
 {ASN1_R_LENGTH_ERROR                     ,"length error"},
+{ASN1_R_MISSING_EOC                      ,"missing eoc"},
 {ASN1_R_MISSING_SECOND_NUMBER            ,"missing second number"},
+{ASN1_R_MSTRING_NOT_UNIVERSAL            ,"mstring not universal"},
+{ASN1_R_MSTRING_WRONG_TAG                ,"mstring wrong tag"},
 {ASN1_R_NON_HEX_CHARACTERS               ,"non hex characters"},
 {ASN1_R_NOT_ENOUGH_DATA                  ,"not enough data"},
+{ASN1_R_NO_MATCHING_CHOICE_TYPE          ,"no matching choice type"},
 {ASN1_R_NULL_IS_WRONG_LENGTH             ,"null is wrong length"},
 {ASN1_R_ODD_NUMBER_OF_CHARS              ,"odd number of chars"},
-{ASN1_R_PARSING                          ,"parsing"},
 {ASN1_R_PRIVATE_KEY_HEADER_MISSING       ,"private key header missing"},
 {ASN1_R_SECOND_NUMBER_TOO_LARGE          ,"second number too large"},
+{ASN1_R_SEQUENCE_LENGTH_MISMATCH         ,"sequence length mismatch"},
+{ASN1_R_SEQUENCE_NOT_CONSTRUCTED         ,"sequence not constructed"},
 {ASN1_R_SHORT_LINE                       ,"short line"},
 {ASN1_R_STRING_TOO_LONG                  ,"string too long"},
 {ASN1_R_STRING_TOO_SHORT                 ,"string too short"},
 {ASN1_R_TAG_VALUE_TOO_HIGH               ,"tag value too high"},
 {ASN1_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD,"the asn1 object identifier is not known for this md"},
 {ASN1_R_TOO_LONG                         ,"too long"},
+{ASN1_R_TYPE_NOT_CONSTRUCTED             ,"type not constructed"},
 {ASN1_R_UNABLE_TO_DECODE_RSA_KEY         ,"unable to decode rsa key"},
 {ASN1_R_UNABLE_TO_DECODE_RSA_PRIVATE_KEY ,"unable to decode rsa private key"},
-{ASN1_R_UNKNOWN_ATTRIBUTE_TYPE           ,"unknown attribute type"},
+{ASN1_R_UNEXPECTED_EOC                   ,"unexpected eoc"},
 {ASN1_R_UNKNOWN_FORMAT                   ,"unknown format"},
 {ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM ,"unknown message digest algorithm"},
 {ASN1_R_UNKNOWN_OBJECT_TYPE              ,"unknown object type"},
 {ASN1_R_UNKNOWN_PUBLIC_KEY_TYPE          ,"unknown public key type"},
+{ASN1_R_UNSUPPORTED_ANY_DEFINED_BY_TYPE  ,"unsupported any defined by type"},
 {ASN1_R_UNSUPPORTED_CIPHER               ,"unsupported cipher"},
 {ASN1_R_UNSUPPORTED_ENCRYPTION_ALGORITHM ,"unsupported encryption algorithm"},
 {ASN1_R_UNSUPPORTED_PUBLIC_KEY_TYPE      ,"unsupported public key type"},
-{ASN1_R_UTCTIME_TOO_LONG                 ,"utctime too long"},
-{ASN1_R_WRONG_PRINTABLE_TYPE             ,"wrong printable type"},
 {ASN1_R_WRONG_TAG                        ,"wrong tag"},
 {ASN1_R_WRONG_TYPE                       ,"wrong type"},
 {0,NULL}
@@ -343,7 +231,7 @@ void ERR_load_ASN1_strings(void)
         if (init)
                 {
                 init=0;
-#ifndef NO_ERR
+#ifndef OPENSSL_NO_ERR
                 ERR_load_strings(ERR_LIB_ASN1,ASN1_str_functs);
                 ERR_load_strings(ERR_LIB_ASN1,ASN1_str_reasons);
 #endif
diff --git a/src/lib/libcrypto/asn1/asn1_lib.c b/src/lib/libcrypto/asn1/asn1_lib.c
index a8b651e54e..830ff2af3c 100644
--- a/src/lib/libcrypto/asn1/asn1_lib.c
+++ b/src/lib/libcrypto/asn1/asn1_lib.c
@@ -59,7 +59,6 @@
 #include <stdio.h>
 #include "cryptlib.h"
 #include <openssl/asn1.h>
-#include <openssl/asn1_mac.h>
 
 static int asn1_get_length(unsigned char **pp,int *inf,long *rl,int max);
 static void asn1_put_length(unsigned char **pp, int length);
@@ -301,7 +300,7 @@ int asn1_GetSequence(ASN1_CTX *c, long *length)
                 return(0);
                 }
         if (c->inf == (1|V_ASN1_CONSTRUCTED))
-                c->slen= *length;
+                c->slen= *length+ *(c->pp)-c->p;
         c->eos=0;
         return(1);
         }
diff --git a/src/lib/libcrypto/asn1/asn1_mac.h b/src/lib/libcrypto/asn1/asn1_mac.h
index af0e664b2d..a48649ceeb 100644
--- a/src/lib/libcrypto/asn1/asn1_mac.h
+++ b/src/lib/libcrypto/asn1/asn1_mac.h
@@ -70,14 +70,14 @@ extern "C" {
 #endif 
 
 #define ASN1_MAC_H_err(f,r,line) \
-        ERR_PUT_error(ASN1_MAC_ERR_LIB,(f),(r),ERR_file_name,(line))
+        ERR_PUT_error(ASN1_MAC_ERR_LIB,(f),(r),__FILE__,(line))
 
 #define M_ASN1_D2I_vars(a,type,func) \
         ASN1_CTX c; \
         type ret=NULL; \
         \
-        c.pp=pp; \
-        c.q= *pp; \
+        c.pp=(unsigned char **)pp; \
+        c.q= *(unsigned char **)pp; \
         c.error=ERR_R_NESTED_ASN1_ERROR; \
         if ((a == NULL) || ((*a) == NULL)) \
                 { if ((ret=(type)func()) == NULL) \
@@ -85,13 +85,13 @@ extern "C" {
         else    ret=(*a);
 
 #define M_ASN1_D2I_Init() \
-        c.p= *pp; \
+        c.p= *(unsigned char **)pp; \
         c.max=(length == 0)?0:(c.p+length);
 
 #define M_ASN1_D2I_Finish_2(a) \
         if (!asn1_Finish(&c)) \
                 { c.line=__LINE__; goto err; } \
-        *pp=c.p; \
+        *(unsigned char **)pp=c.p; \
         if (a != NULL) (*a)=ret; \
         return(ret);
 
@@ -99,7 +99,7 @@ extern "C" {
         M_ASN1_D2I_Finish_2(a); \
 err:\
         ASN1_MAC_H_err((e),c.error,c.line); \
-        asn1_add_error(*pp,(int)(c.q- *pp)); \
+        asn1_add_error(*(unsigned char **)pp,(int)(c.q- *pp)); \
         if ((ret != NULL) && ((a == NULL) || (*a != ret))) func(ret); \
         return(NULL)
 
@@ -196,9 +196,6 @@ err:\
         if ((a != NULL) && (sk_##type##_num(a) != 0)) \
                 M_ASN1_I2D_put_SEQUENCE_type(type,a,f);
 
-#define M_ASN1_I2D_put_SEQUENCE_opt_ex_type(type,a,f) \
-        if (a) M_ASN1_I2D_put_SEQUENCE_type(type,a,f);
-
 #define M_ASN1_D2I_get_IMP_set_opt(b,func,free_func,tag) \
         if ((c.slen != 0) && \
                 (M_ASN1_next == \
@@ -392,9 +389,6 @@ err:\
                 if ((a != NULL) && (sk_##type##_num(a) != 0)) \
                         M_ASN1_I2D_len_SEQUENCE_type(type,a,f);
 
-#define M_ASN1_I2D_len_SEQUENCE_opt_ex_type(type,a,f) \
-                if (a) M_ASN1_I2D_len_SEQUENCE_type(type,a,f);
-
 #define M_ASN1_I2D_len_IMP_SET(a,f,x) \
                 ret+=i2d_ASN1_SET(a,NULL,f,x,V_ASN1_CONTEXT_SPECIFIC,IS_SET);
 
@@ -458,15 +452,6 @@ err:\
                         ret+=ASN1_object_size(1,v,mtag); \
                         }
 
-#define M_ASN1_I2D_len_EXP_SEQUENCE_opt_ex_type(type,a,f,mtag,tag,v) \
-                if (a)\
-                        { \
-                        v=i2d_ASN1_SET_OF_##type(a,NULL,f,tag, \
-                                                 V_ASN1_UNIVERSAL, \
-                                                 IS_SEQUENCE); \
-                        ret+=ASN1_object_size(1,v,mtag); \
-                        }
-
 /* Put Macros */
 #define M_ASN1_I2D_put(a,f)     f(a,&p)
 
@@ -551,14 +536,6 @@ err:\
                                                IS_SEQUENCE); \
                         }
 
-#define M_ASN1_I2D_put_EXP_SEQUENCE_opt_ex_type(type,a,f,mtag,tag,v) \
-                if (a) \
-                        { \
-                        ASN1_put_object(&p,1,v,mtag,V_ASN1_CONTEXT_SPECIFIC); \
-                        i2d_ASN1_SET_OF_##type(a,&p,f,tag,V_ASN1_UNIVERSAL, \
-                                               IS_SEQUENCE); \
-                        }
-
 #define M_ASN1_I2D_seq_total() \
                 r=ASN1_object_size(1,ret,V_ASN1_SEQUENCE); \
                 if (pp == NULL) return(r); \
diff --git a/src/lib/libcrypto/asn1/asn1t.h b/src/lib/libcrypto/asn1/asn1t.h
new file mode 100644
index 0000000000..ed372f8554
--- /dev/null
+++ b/src/lib/libcrypto/asn1/asn1t.h
@@ -0,0 +1,846 @@
+/* asn1t.h */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+#ifndef HEADER_ASN1T_H
+#define HEADER_ASN1T_H
+
+#include <stddef.h>
+#include <openssl/e_os2.h>
+#include <openssl/asn1.h>
+
+#ifdef OPENSSL_BUILD_SHLIBCRYPTO
+# undef OPENSSL_EXTERN
+# define OPENSSL_EXTERN OPENSSL_EXPORT
+#endif
+
+/* ASN1 template defines, structures and functions */
+
+#ifdef  __cplusplus
+extern "C" {
+#endif
+
+
+#ifndef OPENSSL_EXPORT_VAR_AS_FUNCTION
+
+/* Macro to obtain ASN1_ADB pointer from a type (only used internally) */
+#define ASN1_ADB_ptr(iptr) ((const ASN1_ADB *)(iptr))
+
+
+/* Macros for start and end of ASN1_ITEM definition */
+
+#define ASN1_ITEM_start(itname) \
+        OPENSSL_GLOBAL const ASN1_ITEM itname##_it = {
+
+#define ASN1_ITEM_end(itname) \
+                };
+
+#else
+
+/* Macro to obtain ASN1_ADB pointer from a type (only used internally) */
+#define ASN1_ADB_ptr(iptr) ((const ASN1_ADB *)(iptr()))
+
+
+/* Macros for start and end of ASN1_ITEM definition */
+
+#define ASN1_ITEM_start(itname) \
+        const ASN1_ITEM * itname##_it(void) \
+        { \
+                static const ASN1_ITEM local_it = { \
+
+#define ASN1_ITEM_end(itname) \
+                }; \
+        return &local_it; \
+        }
+
+#endif
+
+
+/* Macros to aid ASN1 template writing */
+
+#define ASN1_ITEM_TEMPLATE(tname) \
+        const static ASN1_TEMPLATE tname##_item_tt 
+
+#define ASN1_ITEM_TEMPLATE_END(tname) \
+        ;\
+        ASN1_ITEM_start(tname) \
+                ASN1_ITYPE_PRIMITIVE,\
+                -1,\
+                &tname##_item_tt,\
+                0,\
+                NULL,\
+                0,\
+                #tname \
+        ASN1_ITEM_end(tname)
+
+
+/* This is a ASN1 type which just embeds a template */
+ 
+/* This pair helps declare a SEQUENCE. We can do:
+ *
+ *      ASN1_SEQUENCE(stname) = {
+ *              ... SEQUENCE components ...
+ *      } ASN1_SEQUENCE_END(stname)
+ *
+ *      This will produce an ASN1_ITEM called stname_it
+ *      for a structure called stname.
+ *
+ *      If you want the same structure but a different
+ *      name then use:
+ *
+ *      ASN1_SEQUENCE(itname) = {
+ *              ... SEQUENCE components ...
+ *      } ASN1_SEQUENCE_END_name(stname, itname)
+ *
+ *      This will create an item called itname_it using
+ *      a structure called stname.
+ */
+
+#define ASN1_SEQUENCE(tname) \
+        const static ASN1_TEMPLATE tname##_seq_tt[] 
+
+#define ASN1_SEQUENCE_END(stname) ASN1_SEQUENCE_END_name(stname, stname)
+
+#define ASN1_SEQUENCE_END_name(stname, tname) \
+        ;\
+        ASN1_ITEM_start(tname) \
+                ASN1_ITYPE_SEQUENCE,\
+                V_ASN1_SEQUENCE,\
+                tname##_seq_tt,\
+                sizeof(tname##_seq_tt) / sizeof(ASN1_TEMPLATE),\
+                NULL,\
+                sizeof(stname),\
+                #stname \
+        ASN1_ITEM_end(tname)
+
+#define ASN1_SEQUENCE_cb(tname, cb) \
+        const static ASN1_AUX tname##_aux = {NULL, 0, 0, 0, cb, 0}; \
+        ASN1_SEQUENCE(tname)
+
+#define ASN1_BROKEN_SEQUENCE(tname) \
+        const static ASN1_AUX tname##_aux = {NULL, ASN1_AFLG_BROKEN, 0, 0, 0, 0}; \
+        ASN1_SEQUENCE(tname)
+
+#define ASN1_SEQUENCE_ref(tname, cb, lck) \
+        const static ASN1_AUX tname##_aux = {NULL, ASN1_AFLG_REFCOUNT, offsetof(tname, references), lck, cb, 0}; \
+        ASN1_SEQUENCE(tname)
+
+#define ASN1_SEQUENCE_enc(tname, enc, cb) \
+        const static ASN1_AUX tname##_aux = {NULL, ASN1_AFLG_ENCODING, 0, 0, cb, offsetof(tname, enc)}; \
+        ASN1_SEQUENCE(tname)
+
+#define ASN1_BROKEN_SEQUENCE_END(stname) ASN1_SEQUENCE_END_ref(stname, stname)
+
+#define ASN1_SEQUENCE_END_enc(stname, tname) ASN1_SEQUENCE_END_ref(stname, tname)
+
+#define ASN1_SEQUENCE_END_cb(stname, tname) ASN1_SEQUENCE_END_ref(stname, tname)
+
+#define ASN1_SEQUENCE_END_ref(stname, tname) \
+        ;\
+        ASN1_ITEM_start(tname) \
+                ASN1_ITYPE_SEQUENCE,\
+                V_ASN1_SEQUENCE,\
+                tname##_seq_tt,\
+                sizeof(tname##_seq_tt) / sizeof(ASN1_TEMPLATE),\
+                &tname##_aux,\
+                sizeof(stname),\
+                #stname \
+        ASN1_ITEM_end(tname)
+
+
+/* This pair helps declare a CHOICE type. We can do:
+ *
+ *      ASN1_CHOICE(chname) = {
+ *              ... CHOICE options ...
+ *      ASN1_CHOICE_END(chname)
+ *
+ *      This will produce an ASN1_ITEM called chname_it
+ *      for a structure called chname. The structure
+ *      definition must look like this:
+ *      typedef struct {
+ *              int type;
+ *              union {
+ *                      ASN1_SOMETHING *opt1;
+ *                      ASN1_SOMEOTHER *opt2;
+ *              } value;
+ *      } chname;
+ *      
+ *      the name of the selector must be 'type'.
+ *      to use an alternative selector name use the
+ *      ASN1_CHOICE_END_selector() version.
+ */
+
+#define ASN1_CHOICE(tname) \
+        const static ASN1_TEMPLATE tname##_ch_tt[] 
+
+#define ASN1_CHOICE_cb(tname, cb) \
+        const static ASN1_AUX tname##_aux = {NULL, 0, 0, 0, cb, 0}; \
+        ASN1_CHOICE(tname)
+
+#define ASN1_CHOICE_END(stname) ASN1_CHOICE_END_name(stname, stname)
+
+#define ASN1_CHOICE_END_name(stname, tname) ASN1_CHOICE_END_selector(stname, tname, type)
+
+#define ASN1_CHOICE_END_selector(stname, tname, selname) \
+        ;\
+        ASN1_ITEM_start(tname) \
+                ASN1_ITYPE_CHOICE,\
+                offsetof(stname,selname) ,\
+                tname##_ch_tt,\
+                sizeof(tname##_ch_tt) / sizeof(ASN1_TEMPLATE),\
+                NULL,\
+                sizeof(stname),\
+                #stname \
+        ASN1_ITEM_end(tname)
+
+#define ASN1_CHOICE_END_cb(stname, tname, selname) \
+        ;\
+        ASN1_ITEM_start(tname) \
+                ASN1_ITYPE_CHOICE,\
+                offsetof(stname,selname) ,\
+                tname##_ch_tt,\
+                sizeof(tname##_ch_tt) / sizeof(ASN1_TEMPLATE),\
+                &tname##_aux,\
+                sizeof(stname),\
+                #stname \
+        ASN1_ITEM_end(tname)
+
+/* This helps with the template wrapper form of ASN1_ITEM */
+
+#define ASN1_EX_TEMPLATE_TYPE(flags, tag, name, type) { \
+        (flags), (tag), 0,\
+        #name, ASN1_ITEM_ref(type) }
+
+/* These help with SEQUENCE or CHOICE components */
+
+/* used to declare other types */
+
+#define ASN1_EX_TYPE(flags, tag, stname, field, type) { \
+        (flags), (tag), offsetof(stname, field),\
+        #field, ASN1_ITEM_ref(type) }
+
+/* used when the structure is combined with the parent */
+
+#define ASN1_EX_COMBINE(flags, tag, type) { \
+        (flags)|ASN1_TFLG_COMBINE, (tag), 0, NULL, ASN1_ITEM_ref(type) }
+
+/* implicit and explicit helper macros */
+
+#define ASN1_IMP_EX(stname, field, type, tag, ex) \
+                ASN1_EX_TYPE(ASN1_TFLG_IMPLICIT | ex, tag, stname, field, type)
+
+#define ASN1_EXP_EX(stname, field, type, tag, ex) \
+                ASN1_EX_TYPE(ASN1_TFLG_EXPLICIT | ex, tag, stname, field, type)
+
+/* Any defined by macros: the field used is in the table itself */
+
+#ifndef OPENSSL_EXPORT_VAR_AS_FUNCTION
+#define ASN1_ADB_OBJECT(tblname) { ASN1_TFLG_ADB_OID, -1, 0, #tblname, (const ASN1_ITEM *)&(tblname##_adb) }
+#define ASN1_ADB_INTEGER(tblname) { ASN1_TFLG_ADB_INT, -1, 0, #tblname, (const ASN1_ITEM *)&(tblname##_adb) }
+#else
+#define ASN1_ADB_OBJECT(tblname) { ASN1_TFLG_ADB_OID, -1, 0, #tblname, tblname##_adb }
+#define ASN1_ADB_INTEGER(tblname) { ASN1_TFLG_ADB_INT, -1, 0, #tblname, tblname##_adb }
+#endif
+/* Plain simple type */
+#define ASN1_SIMPLE(stname, field, type) ASN1_EX_TYPE(0,0, stname, field, type)
+
+/* OPTIONAL simple type */
+#define ASN1_OPT(stname, field, type) ASN1_EX_TYPE(ASN1_TFLG_OPTIONAL, 0, stname, field, type)
+
+/* IMPLICIT tagged simple type */
+#define ASN1_IMP(stname, field, type, tag) ASN1_IMP_EX(stname, field, type, tag, 0)
+
+/* IMPLICIT tagged OPTIONAL simple type */
+#define ASN1_IMP_OPT(stname, field, type, tag) ASN1_IMP_EX(stname, field, type, tag, ASN1_TFLG_OPTIONAL)
+
+/* Same as above but EXPLICIT */
+
+#define ASN1_EXP(stname, field, type, tag) ASN1_EXP_EX(stname, field, type, tag, 0)
+#define ASN1_EXP_OPT(stname, field, type, tag) ASN1_EXP_EX(stname, field, type, tag, ASN1_TFLG_OPTIONAL)
+
+/* SEQUENCE OF type */
+#define ASN1_SEQUENCE_OF(stname, field, type) \
+                ASN1_EX_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, stname, field, type)
+
+/* OPTIONAL SEQUENCE OF */
+#define ASN1_SEQUENCE_OF_OPT(stname, field, type) \
+                ASN1_EX_TYPE(ASN1_TFLG_SEQUENCE_OF|ASN1_TFLG_OPTIONAL, 0, stname, field, type)
+
+/* Same as above but for SET OF */
+
+#define ASN1_SET_OF(stname, field, type) \
+                ASN1_EX_TYPE(ASN1_TFLG_SET_OF, 0, stname, field, type)
+
+#define ASN1_SET_OF_OPT(stname, field, type) \
+                ASN1_EX_TYPE(ASN1_TFLG_SET_OF|ASN1_TFLG_OPTIONAL, 0, stname, field, type)
+
+/* Finally compound types of SEQUENCE, SET, IMPLICIT, EXPLICIT and OPTIONAL */
+
+#define ASN1_IMP_SET_OF(stname, field, type, tag) \
+                        ASN1_IMP_EX(stname, field, type, tag, ASN1_TFLG_SET_OF)
+
+#define ASN1_EXP_SET_OF(stname, field, type, tag) \
+                        ASN1_EXP_EX(stname, field, type, tag, ASN1_TFLG_SET_OF)
+
+#define ASN1_IMP_SET_OF_OPT(stname, field, type, tag) \
+                        ASN1_IMP_EX(stname, field, type, tag, ASN1_TFLG_SET_OF|ASN1_TFLG_OPTIONAL)
+
+#define ASN1_EXP_SET_OF_OPT(stname, field, type, tag) \
+                        ASN1_EXP_EX(stname, field, type, tag, ASN1_TFLG_SET_OF|ASN1_TFLG_OPTIONAL)
+
+#define ASN1_IMP_SEQUENCE_OF(stname, field, type, tag) \
+                        ASN1_IMP_EX(stname, field, type, tag, ASN1_TFLG_SEQUENCE_OF)
+
+#define ASN1_IMP_SEQUENCE_OF_OPT(stname, field, type, tag) \
+                        ASN1_IMP_EX(stname, field, type, tag, ASN1_TFLG_SEQUENCE_OF|ASN1_TFLG_OPTIONAL)
+
+#define ASN1_EXP_SEQUENCE_OF(stname, field, type, tag) \
+                        ASN1_EXP_EX(stname, field, type, tag, ASN1_TFLG_SEQUENCE_OF)
+
+#define ASN1_EXP_SEQUENCE_OF_OPT(stname, field, type, tag) \
+                        ASN1_EXP_EX(stname, field, type, tag, ASN1_TFLG_SEQUENCE_OF|ASN1_TFLG_OPTIONAL)
+
+/* Macros for the ASN1_ADB structure */
+
+#define ASN1_ADB(name) \
+        const static ASN1_ADB_TABLE name##_adbtbl[] 
+
+#ifndef OPENSSL_EXPORT_VAR_AS_FUNCTION
+
+#define ASN1_ADB_END(name, flags, field, app_table, def, none) \
+        ;\
+        const static ASN1_ADB name##_adb = {\
+                flags,\
+                offsetof(name, field),\
+                app_table,\
+                name##_adbtbl,\
+                sizeof(name##_adbtbl) / sizeof(ASN1_ADB_TABLE),\
+                def,\
+                none\
+        }
+
+#else
+
+#define ASN1_ADB_END(name, flags, field, app_table, def, none) \
+        ;\
+        const static ASN1_ITEM *name##_adb(void) \
+        { \
+        const static ASN1_ADB internal_adb = \
+                {\
+                flags,\
+                offsetof(name, field),\
+                app_table,\
+                name##_adbtbl,\
+                sizeof(name##_adbtbl) / sizeof(ASN1_ADB_TABLE),\
+                def,\
+                none\
+                }; \
+                return (const ASN1_ITEM *) &internal_adb; \
+        } \
+        void dummy_function(void)
+
+#endif
+
+#define ADB_ENTRY(val, template) {val, template}
+
+#define ASN1_ADB_TEMPLATE(name) \
+        const static ASN1_TEMPLATE name##_tt 
+
+/* This is the ASN1 template structure that defines
+ * a wrapper round the actual type. It determines the
+ * actual position of the field in the value structure,
+ * various flags such as OPTIONAL and the field name.
+ */
+
+struct ASN1_TEMPLATE_st {
+unsigned long flags;            /* Various flags */
+long tag;                       /* tag, not used if no tagging */
+unsigned long offset;           /* Offset of this field in structure */
+#ifndef NO_ASN1_FIELD_NAMES
+char *field_name;               /* Field name */
+#endif
+ASN1_ITEM_EXP *item;            /* Relevant ASN1_ITEM or ASN1_ADB */
+};
+
+/* Macro to extract ASN1_ITEM and ASN1_ADB pointer from ASN1_TEMPLATE */
+
+#define ASN1_TEMPLATE_item(t) (t->item_ptr)
+#define ASN1_TEMPLATE_adb(t) (t->item_ptr)
+
+typedef struct ASN1_ADB_TABLE_st ASN1_ADB_TABLE;
+typedef struct ASN1_ADB_st ASN1_ADB;
+
+struct ASN1_ADB_st {
+        unsigned long flags;    /* Various flags */
+        unsigned long offset;   /* Offset of selector field */
+        STACK_OF(ASN1_ADB_TABLE) **app_items; /* Application defined items */
+        const ASN1_ADB_TABLE *tbl;      /* Table of possible types */
+        long tblcount;          /* Number of entries in tbl */
+        const ASN1_TEMPLATE *default_tt;  /* Type to use if no match */
+        const ASN1_TEMPLATE *null_tt;  /* Type to use if selector is NULL */
+};
+
+struct ASN1_ADB_TABLE_st {
+        long value;             /* NID for an object or value for an int */
+        const ASN1_TEMPLATE tt;         /* item for this value */
+};
+
+/* template flags */
+
+/* Field is optional */
+#define ASN1_TFLG_OPTIONAL      (0x1)
+
+/* Field is a SET OF */
+#define ASN1_TFLG_SET_OF        (0x1 << 1)
+
+/* Field is a SEQUENCE OF */
+#define ASN1_TFLG_SEQUENCE_OF   (0x2 << 1)
+
+/* Special case: this refers to a SET OF that
+ * will be sorted into DER order when encoded *and*
+ * the corresponding STACK will be modified to match
+ * the new order.
+ */
+#define ASN1_TFLG_SET_ORDER     (0x3 << 1)
+
+/* Mask for SET OF or SEQUENCE OF */
+#define ASN1_TFLG_SK_MASK       (0x3 << 1)
+
+/* These flags mean the tag should be taken from the
+ * tag field. If EXPLICIT then the underlying type
+ * is used for the inner tag.
+ */
+
+/* IMPLICIT tagging */
+#define ASN1_TFLG_IMPTAG        (0x1 << 3)
+
+
+/* EXPLICIT tagging, inner tag from underlying type */
+#define ASN1_TFLG_EXPTAG        (0x2 << 3)
+
+#define ASN1_TFLG_TAG_MASK      (0x3 << 3)
+
+/* context specific IMPLICIT */
+#define ASN1_TFLG_IMPLICIT      ASN1_TFLG_IMPTAG|ASN1_TFLG_CONTEXT
+
+/* context specific EXPLICIT */
+#define ASN1_TFLG_EXPLICIT      ASN1_TFLG_EXPTAG|ASN1_TFLG_CONTEXT
+
+/* If tagging is in force these determine the
+ * type of tag to use. Otherwise the tag is
+ * determined by the underlying type. These 
+ * values reflect the actual octet format.
+ */
+
+/* Universal tag */ 
+#define ASN1_TFLG_UNIVERSAL     (0x0<<6)
+/* Application tag */ 
+#define ASN1_TFLG_APPLICATION   (0x1<<6)
+/* Context specific tag */ 
+#define ASN1_TFLG_CONTEXT       (0x2<<6)
+/* Private tag */ 
+#define ASN1_TFLG_PRIVATE       (0x3<<6)
+
+#define ASN1_TFLG_TAG_CLASS     (0x3<<6)
+
+/* These are for ANY DEFINED BY type. In this case
+ * the 'item' field points to an ASN1_ADB structure
+ * which contains a table of values to decode the
+ * relevant type
+ */
+
+#define ASN1_TFLG_ADB_MASK      (0x3<<8)
+
+#define ASN1_TFLG_ADB_OID       (0x1<<8)
+
+#define ASN1_TFLG_ADB_INT       (0x1<<9)
+
+/* This flag means a parent structure is passed
+ * instead of the field: this is useful is a
+ * SEQUENCE is being combined with a CHOICE for
+ * example. Since this means the structure and
+ * item name will differ we need to use the
+ * ASN1_CHOICE_END_name() macro for example.
+ */
+
+#define ASN1_TFLG_COMBINE       (0x1<<10)
+
+/* This is the actual ASN1 item itself */
+
+struct ASN1_ITEM_st {
+char itype;                     /* The item type, primitive, SEQUENCE, CHOICE or extern */
+long utype;                     /* underlying type */
+const ASN1_TEMPLATE *templates; /* If SEQUENCE or CHOICE this contains the contents */
+long tcount;                    /* Number of templates if SEQUENCE or CHOICE */
+const void *funcs;              /* functions that handle this type */
+long size;                      /* Structure size (usually)*/
+#ifndef NO_ASN1_FIELD_NAMES
+const char *sname;              /* Structure name */
+#endif
+};
+
+/* These are values for the itype field and
+ * determine how the type is interpreted.
+ *
+ * For PRIMITIVE types the underlying type
+ * determines the behaviour if items is NULL.
+ *
+ * Otherwise templates must contain a single 
+ * template and the type is treated in the
+ * same way as the type specified in the template.
+ *
+ * For SEQUENCE types the templates field points
+ * to the members, the size field is the
+ * structure size.
+ *
+ * For CHOICE types the templates field points
+ * to each possible member (typically a union)
+ * and the 'size' field is the offset of the
+ * selector.
+ *
+ * The 'funcs' field is used for application
+ * specific functions. 
+ *
+ * For COMPAT types the funcs field gives a
+ * set of functions that handle this type, this
+ * supports the old d2i, i2d convention.
+ *
+ * The EXTERN type uses a new style d2i/i2d.
+ * The new style should be used where possible
+ * because it avoids things like the d2i IMPLICIT
+ * hack.
+ *
+ * MSTRING is a multiple string type, it is used
+ * for a CHOICE of character strings where the
+ * actual strings all occupy an ASN1_STRING
+ * structure. In this case the 'utype' field
+ * has a special meaning, it is used as a mask
+ * of acceptable types using the B_ASN1 constants.
+ *
+ */
+
+#define ASN1_ITYPE_PRIMITIVE    0x0
+
+#define ASN1_ITYPE_SEQUENCE     0x1
+
+#define ASN1_ITYPE_CHOICE       0x2
+
+#define ASN1_ITYPE_COMPAT       0x3
+
+#define ASN1_ITYPE_EXTERN       0x4
+
+#define ASN1_ITYPE_MSTRING      0x5
+
+/* Cache for ASN1 tag and length, so we
+ * don't keep re-reading it for things
+ * like CHOICE
+ */
+
+struct ASN1_TLC_st{
+        char valid;     /* Values below are valid */
+        int ret;        /* return value */
+        long plen;      /* length */
+        int ptag;       /* class value */
+        int pclass;     /* class value */
+        int hdrlen;     /* header length */
+};
+
+/* Typedefs for ASN1 function pointers */
+
+typedef ASN1_VALUE * ASN1_new_func(void);
+typedef void ASN1_free_func(ASN1_VALUE *a);
+typedef ASN1_VALUE * ASN1_d2i_func(ASN1_VALUE **a, unsigned char ** in, long length);
+typedef int ASN1_i2d_func(ASN1_VALUE * a, unsigned char **in);
+
+typedef int ASN1_ex_d2i(ASN1_VALUE **pval, unsigned char **in, long len, const ASN1_ITEM *it,
+                                        int tag, int aclass, char opt, ASN1_TLC *ctx);
+
+typedef int ASN1_ex_i2d(ASN1_VALUE **pval, unsigned char **out, const ASN1_ITEM *it, int tag, int aclass);
+typedef int ASN1_ex_new_func(ASN1_VALUE **pval, const ASN1_ITEM *it);
+typedef void ASN1_ex_free_func(ASN1_VALUE **pval, const ASN1_ITEM *it);
+
+typedef int ASN1_primitive_i2c(ASN1_VALUE **pval, unsigned char *cont, int *putype, const ASN1_ITEM *it);
+typedef int ASN1_primitive_c2i(ASN1_VALUE **pval, unsigned char *cont, int len, int utype, char *free_cont, const ASN1_ITEM *it);
+
+typedef struct ASN1_COMPAT_FUNCS_st {
+        ASN1_new_func *asn1_new;
+        ASN1_free_func *asn1_free;
+        ASN1_d2i_func *asn1_d2i;
+        ASN1_i2d_func *asn1_i2d;
+} ASN1_COMPAT_FUNCS;
+
+typedef struct ASN1_EXTERN_FUNCS_st {
+        void *app_data;
+        ASN1_ex_new_func *asn1_ex_new;
+        ASN1_ex_free_func *asn1_ex_free;
+        ASN1_ex_free_func *asn1_ex_clear;
+        ASN1_ex_d2i *asn1_ex_d2i;
+        ASN1_ex_i2d *asn1_ex_i2d;
+} ASN1_EXTERN_FUNCS;
+
+typedef struct ASN1_PRIMITIVE_FUNCS_st {
+        void *app_data;
+        unsigned long flags;
+        ASN1_ex_new_func *prim_new;
+        ASN1_ex_free_func *prim_free;
+        ASN1_ex_free_func *prim_clear;
+        ASN1_primitive_c2i *prim_c2i;
+        ASN1_primitive_i2c *prim_i2c;
+} ASN1_PRIMITIVE_FUNCS;
+
+/* This is the ASN1_AUX structure: it handles various
+ * miscellaneous requirements. For example the use of
+ * reference counts and an informational callback.
+ *
+ * The "informational callback" is called at various
+ * points during the ASN1 encoding and decoding. It can
+ * be used to provide minor customisation of the structures
+ * used. This is most useful where the supplied routines
+ * *almost* do the right thing but need some extra help
+ * at a few points. If the callback returns zero then
+ * it is assumed a fatal error has occurred and the 
+ * main operation should be abandoned.
+ *
+ * If major changes in the default behaviour are required
+ * then an external type is more appropriate.
+ */
+
+typedef int ASN1_aux_cb(int operation, ASN1_VALUE **in, const ASN1_ITEM *it);
+
+typedef struct ASN1_AUX_st {
+        void *app_data;
+        int flags;
+        int ref_offset;         /* Offset of reference value */
+        int ref_lock;           /* Lock type to use */
+        ASN1_aux_cb *asn1_cb;
+        int enc_offset;         /* Offset of ASN1_ENCODING structure */
+} ASN1_AUX;
+
+/* Flags in ASN1_AUX */
+
+/* Use a reference count */
+#define ASN1_AFLG_REFCOUNT      1
+/* Save the encoding of structure (useful for signatures) */
+#define ASN1_AFLG_ENCODING      2
+/* The Sequence length is invalid */
+#define ASN1_AFLG_BROKEN        4
+
+/* operation values for asn1_cb */
+
+#define ASN1_OP_NEW_PRE         0
+#define ASN1_OP_NEW_POST        1
+#define ASN1_OP_FREE_PRE        2
+#define ASN1_OP_FREE_POST       3
+#define ASN1_OP_D2I_PRE         4
+#define ASN1_OP_D2I_POST        5
+#define ASN1_OP_I2D_PRE         6
+#define ASN1_OP_I2D_POST        7
+
+/* Macro to implement a primitive type */
+#define IMPLEMENT_ASN1_TYPE(stname) IMPLEMENT_ASN1_TYPE_ex(stname, stname, 0)
+#define IMPLEMENT_ASN1_TYPE_ex(itname, vname, ex) \
+                                ASN1_ITEM_start(itname) \
+                                        ASN1_ITYPE_PRIMITIVE, V_##vname, NULL, 0, NULL, ex, #itname \
+                                ASN1_ITEM_end(itname)
+
+/* Macro to implement a multi string type */
+#define IMPLEMENT_ASN1_MSTRING(itname, mask) \
+                                ASN1_ITEM_start(itname) \
+                                        ASN1_ITYPE_MSTRING, mask, NULL, 0, NULL, sizeof(ASN1_STRING), #itname \
+                                ASN1_ITEM_end(itname)
+
+/* Macro to implement an ASN1_ITEM in terms of old style funcs */
+
+#define IMPLEMENT_COMPAT_ASN1(sname) IMPLEMENT_COMPAT_ASN1_type(sname, V_ASN1_SEQUENCE)
+
+#define IMPLEMENT_COMPAT_ASN1_type(sname, tag) \
+        static const ASN1_COMPAT_FUNCS sname##_ff = { \
+                (ASN1_new_func *)sname##_new, \
+                (ASN1_free_func *)sname##_free, \
+                (ASN1_d2i_func *)d2i_##sname, \
+                (ASN1_i2d_func *)i2d_##sname, \
+        }; \
+        ASN1_ITEM_start(sname) \
+                ASN1_ITYPE_COMPAT, \
+                tag, \
+                NULL, \
+                0, \
+                &sname##_ff, \
+                0, \
+                #sname \
+        ASN1_ITEM_end(sname)
+
+#define IMPLEMENT_EXTERN_ASN1(sname, tag, fptrs) \
+        ASN1_ITEM_start(sname) \
+                ASN1_ITYPE_EXTERN, \
+                tag, \
+                NULL, \
+                0, \
+                &fptrs, \
+                0, \
+                #sname \
+        ASN1_ITEM_end(sname)
+
+/* Macro to implement standard functions in terms of ASN1_ITEM structures */
+
+#define IMPLEMENT_ASN1_FUNCTIONS(stname) IMPLEMENT_ASN1_FUNCTIONS_fname(stname, stname, stname)
+
+#define IMPLEMENT_ASN1_FUNCTIONS_name(stname, itname) IMPLEMENT_ASN1_FUNCTIONS_fname(stname, itname, itname)
+
+#define IMPLEMENT_ASN1_FUNCTIONS_ENCODE_name(stname, itname) \
+                        IMPLEMENT_ASN1_FUNCTIONS_ENCODE_fname(stname, itname, itname)
+
+#define IMPLEMENT_ASN1_ALLOC_FUNCTIONS_fname(stname, itname, fname) \
+        stname *fname##_new(void) \
+        { \
+                return (stname *)ASN1_item_new(ASN1_ITEM_rptr(itname)); \
+        } \
+        void fname##_free(stname *a) \
+        { \
+                ASN1_item_free((ASN1_VALUE *)a, ASN1_ITEM_rptr(itname)); \
+        }
+
+#define IMPLEMENT_ASN1_FUNCTIONS_fname(stname, itname, fname) \
+        IMPLEMENT_ASN1_ENCODE_FUNCTIONS_fname(stname, itname, fname) \
+        IMPLEMENT_ASN1_ALLOC_FUNCTIONS_fname(stname, itname, fname)
+
+#define IMPLEMENT_ASN1_ENCODE_FUNCTIONS_fname(stname, itname, fname) \
+        stname *d2i_##fname(stname **a, unsigned char **in, long len) \
+        { \
+                return (stname *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, ASN1_ITEM_rptr(itname));\
+        } \
+        int i2d_##fname(stname *a, unsigned char **out) \
+        { \
+                return ASN1_item_i2d((ASN1_VALUE *)a, out, ASN1_ITEM_rptr(itname));\
+        } 
+
+/* This includes evil casts to remove const: they will go away when full
+ * ASN1 constification is done.
+ */
+#define IMPLEMENT_ASN1_ENCODE_FUNCTIONS_const_fname(stname, itname, fname) \
+        stname *d2i_##fname(stname **a, const unsigned char **in, long len) \
+        { \
+                return (stname *)ASN1_item_d2i((ASN1_VALUE **)a, (unsigned char **)in, len, ASN1_ITEM_rptr(itname));\
+        } \
+        int i2d_##fname(const stname *a, unsigned char **out) \
+        { \
+                return ASN1_item_i2d((ASN1_VALUE *)a, out, ASN1_ITEM_rptr(itname));\
+        } 
+
+#define IMPLEMENT_ASN1_DUP_FUNCTION(stname) \
+        stname * stname##_dup(stname *x) \
+        { \
+        return ASN1_item_dup(ASN1_ITEM_rptr(stname), x); \
+        }
+
+#define IMPLEMENT_ASN1_FUNCTIONS_const(name) \
+                IMPLEMENT_ASN1_FUNCTIONS_const_fname(name, name, name)
+
+#define IMPLEMENT_ASN1_FUNCTIONS_const_fname(stname, itname, fname) \
+        IMPLEMENT_ASN1_ENCODE_FUNCTIONS_const_fname(stname, itname, fname) \
+        IMPLEMENT_ASN1_ALLOC_FUNCTIONS_fname(stname, itname, fname)
+
+/* external definitions for primitive types */
+
+DECLARE_ASN1_ITEM(ASN1_BOOLEAN)
+DECLARE_ASN1_ITEM(ASN1_TBOOLEAN)
+DECLARE_ASN1_ITEM(ASN1_FBOOLEAN)
+DECLARE_ASN1_ITEM(ASN1_ANY)
+DECLARE_ASN1_ITEM(ASN1_SEQUENCE)
+DECLARE_ASN1_ITEM(CBIGNUM)
+DECLARE_ASN1_ITEM(BIGNUM)
+DECLARE_ASN1_ITEM(LONG)
+DECLARE_ASN1_ITEM(ZLONG)
+
+DECLARE_STACK_OF(ASN1_VALUE)
+
+/* Functions used internally by the ASN1 code */
+
+int ASN1_item_ex_new(ASN1_VALUE **pval, const ASN1_ITEM *it);
+void ASN1_item_ex_free(ASN1_VALUE **pval, const ASN1_ITEM *it);
+int ASN1_template_new(ASN1_VALUE **pval, const ASN1_TEMPLATE *tt);
+int ASN1_primitive_new(ASN1_VALUE **pval, const ASN1_ITEM *it);
+
+void ASN1_template_free(ASN1_VALUE **pval, const ASN1_TEMPLATE *tt);
+int ASN1_template_d2i(ASN1_VALUE **pval, unsigned char **in, long len, const ASN1_TEMPLATE *tt);
+int ASN1_item_ex_d2i(ASN1_VALUE **pval, unsigned char **in, long len, const ASN1_ITEM *it,
+                                int tag, int aclass, char opt, ASN1_TLC *ctx);
+
+int ASN1_item_ex_i2d(ASN1_VALUE **pval, unsigned char **out, const ASN1_ITEM *it, int tag, int aclass);
+int ASN1_template_i2d(ASN1_VALUE **pval, unsigned char **out, const ASN1_TEMPLATE *tt);
+void ASN1_primitive_free(ASN1_VALUE **pval, const ASN1_ITEM *it);
+
+int asn1_ex_i2c(ASN1_VALUE **pval, unsigned char *cont, int *putype, const ASN1_ITEM *it);
+int asn1_ex_c2i(ASN1_VALUE **pval, unsigned char *cont, int len, int utype, char *free_cont, const ASN1_ITEM *it);
+
+int asn1_get_choice_selector(ASN1_VALUE **pval, const ASN1_ITEM *it);
+int asn1_set_choice_selector(ASN1_VALUE **pval, int value, const ASN1_ITEM *it);
+
+ASN1_VALUE ** asn1_get_field_ptr(ASN1_VALUE **pval, const ASN1_TEMPLATE *tt);
+
+const ASN1_TEMPLATE *asn1_do_adb(ASN1_VALUE **pval, const ASN1_TEMPLATE *tt, int nullerr);
+
+int asn1_do_lock(ASN1_VALUE **pval, int op, const ASN1_ITEM *it);
+
+void asn1_enc_init(ASN1_VALUE **pval, const ASN1_ITEM *it);
+void asn1_enc_free(ASN1_VALUE **pval, const ASN1_ITEM *it);
+int asn1_enc_restore(int *len, unsigned char **out, ASN1_VALUE **pval, const ASN1_ITEM *it);
+int asn1_enc_save(ASN1_VALUE **pval, unsigned char *in, int inlen, const ASN1_ITEM *it);
+
+#ifdef  __cplusplus
+}
+#endif
+#endif
diff --git a/src/lib/libcrypto/asn1/asn_moid.c b/src/lib/libcrypto/asn1/asn_moid.c
new file mode 100644
index 0000000000..be20db4bad
--- /dev/null
+++ b/src/lib/libcrypto/asn1/asn_moid.c
@@ -0,0 +1,95 @@
+/* asn_moid.c */
+/* Written by Stephen Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 2001.
+ */
+/* ====================================================================
+ * Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <openssl/crypto.h>
+#include "cryptlib.h"
+#include <openssl/conf.h>
+#include <openssl/dso.h>
+#include <openssl/x509.h>
+
+/* Simple ASN1 OID module: add all objects in a given section */
+
+static int oid_module_init(CONF_IMODULE *md, const CONF *cnf)
+        {
+        int i;
+        const char *oid_section;
+        STACK_OF(CONF_VALUE) *sktmp;
+        CONF_VALUE *oval;
+        oid_section = CONF_imodule_get_value(md);
+        if(!(sktmp = NCONF_get_section(cnf, oid_section)))
+                {
+                ASN1err(ASN1_F_OID_MODULE_INIT, ASN1_R_ERROR_LOADING_SECTION);
+                return 0;
+                }
+        for(i = 0; i < sk_CONF_VALUE_num(sktmp); i++)
+                {
+                oval = sk_CONF_VALUE_value(sktmp, i);
+                if(OBJ_create(oval->value, oval->name, oval->name) == NID_undef)
+                        {
+                        ASN1err(ASN1_F_OID_MODULE_INIT, ASN1_R_ADDING_OBJECT);
+                        return 0;
+                        }
+                }
+        return 1;
+}
+
+void ASN1_add_oid_module(void)
+        {
+        CONF_module_add("oid_section", oid_module_init, 0);
+        }
diff --git a/src/lib/libcrypto/asn1/asn_pack.c b/src/lib/libcrypto/asn1/asn_pack.c
index bdf5f130b3..e6051db2dc 100644
--- a/src/lib/libcrypto/asn1/asn_pack.c
+++ b/src/lib/libcrypto/asn1/asn_pack.c
@@ -60,6 +60,8 @@
 #include "cryptlib.h"
 #include <openssl/asn1.h>
 
+#ifndef NO_ASN1_OLD
+
 /* ASN1 packing and unpacking functions */
 
 /* Turn an ASN1 encoded SEQUENCE OF into a STACK of structures */
@@ -117,7 +119,7 @@ void *ASN1_unpack_string (ASN1_STRING *oct, char *(*d2i)())
 
 /* Pack an ASN1 object into an ASN1_STRING */
 
-ASN1_STRING *ASN1_pack_string (void *obj, int (*i2d)(), ASN1_STRING **oct)
+ASN1_STRING *ASN1_pack_string(void *obj, int (*i2d)(), ASN1_STRING **oct)
 {
         unsigned char *p;
         ASN1_STRING *octmp;
@@ -143,3 +145,47 @@ ASN1_STRING *ASN1_pack_string (void *obj, int (*i2d)(), ASN1_STRING **oct)
         return octmp;
 }
 
+#endif
+
+/* ASN1_ITEM versions of the above */
+
+ASN1_STRING *ASN1_item_pack(void *obj, const ASN1_ITEM *it, ASN1_STRING **oct)
+{
+        ASN1_STRING *octmp;
+
+        if (!oct || !*oct) {
+                if (!(octmp = ASN1_STRING_new ())) {
+                        ASN1err(ASN1_F_ASN1_PACK_STRING,ERR_R_MALLOC_FAILURE);
+                        return NULL;
+                }
+                if (oct) *oct = octmp;
+        } else octmp = *oct;
+
+        if(octmp->data) {
+                OPENSSL_free(octmp->data);
+                octmp->data = NULL;
+        }
+                
+        if (!(octmp->length = ASN1_item_i2d(obj, &octmp->data, it))) {
+                ASN1err(ASN1_F_ASN1_PACK_STRING,ASN1_R_ENCODE_ERROR);
+                return NULL;
+        }
+        if (!octmp->data) {
+                ASN1err(ASN1_F_ASN1_PACK_STRING,ERR_R_MALLOC_FAILURE);
+                return NULL;
+        }
+        return octmp;
+}
+
+/* Extract an ASN1 object from an ASN1_STRING */
+
+void *ASN1_item_unpack(ASN1_STRING *oct, const ASN1_ITEM *it)
+{
+        unsigned char *p;
+        void *ret;
+
+        p = oct->data;
+        if(!(ret = ASN1_item_d2i(NULL, &p, oct->length, it)))
+                ASN1err(ASN1_F_ASN1_UNPACK_STRING,ASN1_R_DECODE_ERROR);
+        return ret;
+}
diff --git a/src/lib/libcrypto/asn1/d2i_pr.c b/src/lib/libcrypto/asn1/d2i_pr.c
index c92b8325d8..2e7d96af90 100644
--- a/src/lib/libcrypto/asn1/d2i_pr.c
+++ b/src/lib/libcrypto/asn1/d2i_pr.c
@@ -62,6 +62,12 @@
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/asn1.h>
+#ifndef OPENSSL_NO_RSA
+#include <openssl/rsa.h>
+#endif
+#ifndef OPENSSL_NO_DSA
+#include <openssl/dsa.h>
+#endif
 
 EVP_PKEY *d2i_PrivateKey(int type, EVP_PKEY **a, unsigned char **pp,
              long length)
@@ -82,18 +88,20 @@ EVP_PKEY *d2i_PrivateKey(int type, EVP_PKEY **a, unsigned char **pp,
         ret->type=EVP_PKEY_type(type);
         switch (ret->type)
                 {
-#ifndef NO_RSA
+#ifndef OPENSSL_NO_RSA
         case EVP_PKEY_RSA:
-                if ((ret->pkey.rsa=d2i_RSAPrivateKey(NULL,pp,length)) == NULL)
+                if ((ret->pkey.rsa=d2i_RSAPrivateKey(NULL,
+                        (const unsigned char **)pp,length)) == NULL) /* TMP UGLY CAST */
                         {
                         ASN1err(ASN1_F_D2I_PRIVATEKEY,ERR_R_ASN1_LIB);
                         goto err;
                         }
                 break;
 #endif
-#ifndef NO_DSA
+#ifndef OPENSSL_NO_DSA
         case EVP_PKEY_DSA:
-                if ((ret->pkey.dsa=d2i_DSAPrivateKey(NULL,pp,length)) == NULL)
+                if ((ret->pkey.dsa=d2i_DSAPrivateKey(NULL,
+                        (const unsigned char **)pp,length)) == NULL) /* TMP UGLY CAST */
                         {
                         ASN1err(ASN1_F_D2I_PRIVATEKEY,ERR_R_ASN1_LIB);
                         goto err;
diff --git a/src/lib/libcrypto/asn1/d2i_pu.c b/src/lib/libcrypto/asn1/d2i_pu.c
index e0d203cef7..71f2eb361b 100644
--- a/src/lib/libcrypto/asn1/d2i_pu.c
+++ b/src/lib/libcrypto/asn1/d2i_pu.c
@@ -62,6 +62,12 @@
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/asn1.h>
+#ifndef OPENSSL_NO_RSA
+#include <openssl/rsa.h>
+#endif
+#ifndef OPENSSL_NO_DSA
+#include <openssl/dsa.h>
+#endif
 
 EVP_PKEY *d2i_PublicKey(int type, EVP_PKEY **a, unsigned char **pp,
              long length)
@@ -82,18 +88,20 @@ EVP_PKEY *d2i_PublicKey(int type, EVP_PKEY **a, unsigned char **pp,
         ret->type=EVP_PKEY_type(type);
         switch (ret->type)
                 {
-#ifndef NO_RSA
+#ifndef OPENSSL_NO_RSA
         case EVP_PKEY_RSA:
-                if ((ret->pkey.rsa=d2i_RSAPublicKey(NULL,pp,length)) == NULL)
+                if ((ret->pkey.rsa=d2i_RSAPublicKey(NULL,
+                        (const unsigned char **)pp,length)) == NULL) /* TMP UGLY CAST */
                         {
                         ASN1err(ASN1_F_D2I_PUBLICKEY,ERR_R_ASN1_LIB);
                         goto err;
                         }
                 break;
 #endif
-#ifndef NO_DSA
+#ifndef OPENSSL_NO_DSA
         case EVP_PKEY_DSA:
-                if ((ret->pkey.dsa=d2i_DSAPublicKey(NULL,pp,length)) == NULL)
+                if ((ret->pkey.dsa=d2i_DSAPublicKey(NULL,
+                        (const unsigned char **)pp,length)) == NULL) /* TMP UGLY CAST */
                         {
                         ASN1err(ASN1_F_D2I_PUBLICKEY,ERR_R_ASN1_LIB);
                         goto err;
diff --git a/src/lib/libcrypto/asn1/f_int.c b/src/lib/libcrypto/asn1/f_int.c
index 6b090f6740..48cc3bfb90 100644
--- a/src/lib/libcrypto/asn1/f_int.c
+++ b/src/lib/libcrypto/asn1/f_int.c
@@ -69,10 +69,16 @@ int i2a_ASN1_INTEGER(BIO *bp, ASN1_INTEGER *a)
 
         if (a == NULL) return(0);
 
+        if (a->type & V_ASN1_NEG)
+                {
+                if (BIO_write(bp, "-", 1) != 1) goto err;
+                n = 1;
+                }
+
         if (a->length == 0)
                 {
                 if (BIO_write(bp,"00",2) != 2) goto err;
-                n=2;
+                n += 2;
                 }
         else
                 {
diff --git a/src/lib/libcrypto/asn1/i2d_pr.c b/src/lib/libcrypto/asn1/i2d_pr.c
index 71d6910204..1e951ae01d 100644
--- a/src/lib/libcrypto/asn1/i2d_pr.c
+++ b/src/lib/libcrypto/asn1/i2d_pr.c
@@ -61,17 +61,23 @@
 #include <openssl/bn.h>
 #include <openssl/evp.h>
 #include <openssl/objects.h>
+#ifndef OPENSSL_NO_RSA
+#include <openssl/rsa.h>
+#endif
+#ifndef OPENSSL_NO_DSA
+#include <openssl/dsa.h>
+#endif
 
 int i2d_PrivateKey(EVP_PKEY *a, unsigned char **pp)
         {
-#ifndef NO_RSA
+#ifndef OPENSSL_NO_RSA
         if (a->type == EVP_PKEY_RSA)
                 {
                 return(i2d_RSAPrivateKey(a->pkey.rsa,pp));
                 }
         else
 #endif
-#ifndef NO_DSA
+#ifndef OPENSSL_NO_DSA
         if (a->type == EVP_PKEY_DSA)
                 {
                 return(i2d_DSAPrivateKey(a->pkey.dsa,pp));
diff --git a/src/lib/libcrypto/asn1/i2d_pu.c b/src/lib/libcrypto/asn1/i2d_pu.c
index 8f73d37d03..013d19bbf4 100644
--- a/src/lib/libcrypto/asn1/i2d_pu.c
+++ b/src/lib/libcrypto/asn1/i2d_pu.c
@@ -61,16 +61,22 @@
 #include <openssl/bn.h>
 #include <openssl/evp.h>
 #include <openssl/objects.h>
+#ifndef OPENSSL_NO_RSA
+#include <openssl/rsa.h>
+#endif
+#ifndef OPENSSL_NO_DSA
+#include <openssl/dsa.h>
+#endif
 
 int i2d_PublicKey(EVP_PKEY *a, unsigned char **pp)
         {
         switch (a->type)
                 {
-#ifndef NO_RSA
+#ifndef OPENSSL_NO_RSA
         case EVP_PKEY_RSA:
                 return(i2d_RSAPublicKey(a->pkey.rsa,pp));
 #endif
-#ifndef NO_DSA
+#ifndef OPENSSL_NO_DSA
         case EVP_PKEY_DSA:
                 return(i2d_DSAPublicKey(a->pkey.dsa,pp));
 #endif
diff --git a/src/lib/libcrypto/asn1/n_pkey.c b/src/lib/libcrypto/asn1/n_pkey.c
index 9840193538..49f80fffd2 100644
--- a/src/lib/libcrypto/asn1/n_pkey.c
+++ b/src/lib/libcrypto/asn1/n_pkey.c
@@ -56,110 +56,134 @@
  * [including the GNU Public Licence.]
  */
 
-#ifndef NO_RSA
+#ifndef OPENSSL_NO_RSA
 #include <stdio.h>
 #include "cryptlib.h"
 #include <openssl/rsa.h>
 #include <openssl/objects.h>
+#include <openssl/asn1t.h>
 #include <openssl/asn1_mac.h>
 #include <openssl/evp.h>
 #include <openssl/x509.h>
 
 
-#ifndef NO_RC4
+#ifndef OPENSSL_NO_RC4
 
 typedef struct netscape_pkey_st
         {
-        ASN1_INTEGER *version;
+        long version;
         X509_ALGOR *algor;
         ASN1_OCTET_STRING *private_key;
         } NETSCAPE_PKEY;
 
-static int i2d_NETSCAPE_PKEY(NETSCAPE_PKEY *a, unsigned char **pp);
-static NETSCAPE_PKEY *d2i_NETSCAPE_PKEY(NETSCAPE_PKEY **a,unsigned char **pp, long length);
-static NETSCAPE_PKEY *NETSCAPE_PKEY_new(void);
-static void NETSCAPE_PKEY_free(NETSCAPE_PKEY *);
+typedef struct netscape_encrypted_pkey_st
+        {
+        ASN1_OCTET_STRING *os;
+        /* This is the same structure as DigestInfo so use it:
+         * although this isn't really anything to do with
+         * digests.
+         */
+        X509_SIG *enckey;
+        } NETSCAPE_ENCRYPTED_PKEY;
+
+
+ASN1_BROKEN_SEQUENCE(NETSCAPE_ENCRYPTED_PKEY) = {
+        ASN1_SIMPLE(NETSCAPE_ENCRYPTED_PKEY, os, ASN1_OCTET_STRING),
+        ASN1_SIMPLE(NETSCAPE_ENCRYPTED_PKEY, enckey, X509_SIG)
+} ASN1_BROKEN_SEQUENCE_END(NETSCAPE_ENCRYPTED_PKEY)
+
+IMPLEMENT_ASN1_FUNCTIONS_const(NETSCAPE_ENCRYPTED_PKEY)
 
-int i2d_Netscape_RSA(RSA *a, unsigned char **pp, int (*cb)())
+ASN1_SEQUENCE(NETSCAPE_PKEY) = {
+        ASN1_SIMPLE(NETSCAPE_PKEY, version, LONG),
+        ASN1_SIMPLE(NETSCAPE_PKEY, algor, X509_ALGOR),
+        ASN1_SIMPLE(NETSCAPE_PKEY, private_key, ASN1_OCTET_STRING)
+} ASN1_SEQUENCE_END(NETSCAPE_PKEY)
+
+IMPLEMENT_ASN1_FUNCTIONS_const(NETSCAPE_PKEY)
+
+static RSA *d2i_RSA_NET_2(RSA **a, ASN1_OCTET_STRING *os,
+             int (*cb)(), int sgckey);
+
+int i2d_Netscape_RSA(const RSA *a, unsigned char **pp, int (*cb)())
 {
         return i2d_RSA_NET(a, pp, cb, 0);
 }
 
-int i2d_RSA_NET(RSA *a, unsigned char **pp, int (*cb)(), int sgckey)
+int i2d_RSA_NET(const RSA *a, unsigned char **pp, int (*cb)(), int sgckey)
         {
-        int i,j,l[6];
-        NETSCAPE_PKEY *pkey;
+        int i, j, ret = 0;
+        int rsalen, pkeylen, olen;
+        NETSCAPE_PKEY *pkey = NULL;
+        NETSCAPE_ENCRYPTED_PKEY *enckey = NULL;
         unsigned char buf[256],*zz;
         unsigned char key[EVP_MAX_KEY_LENGTH];
         EVP_CIPHER_CTX ctx;
-        X509_ALGOR *alg=NULL;
-        ASN1_OCTET_STRING os,os2;
-        M_ASN1_I2D_vars(a);
 
         if (a == NULL) return(0);
 
-#ifdef WIN32
-        r=r; /* shut the damn compiler up :-) */
-#endif
-
-        os.data=os2.data=NULL;
         if ((pkey=NETSCAPE_PKEY_new()) == NULL) goto err;
-        if (!ASN1_INTEGER_set(pkey->version,0)) goto err;
+        if ((enckey=NETSCAPE_ENCRYPTED_PKEY_new()) == NULL) goto err;
+        pkey->version = 0;
 
-        if (pkey->algor->algorithm != NULL)
-                ASN1_OBJECT_free(pkey->algor->algorithm);
         pkey->algor->algorithm=OBJ_nid2obj(NID_rsaEncryption);
         if ((pkey->algor->parameter=ASN1_TYPE_new()) == NULL) goto err;
         pkey->algor->parameter->type=V_ASN1_NULL;
 
-        l[0]=i2d_RSAPrivateKey(a,NULL);
-        pkey->private_key->length=l[0];
+        rsalen = i2d_RSAPrivateKey(a, NULL);
 
-        os2.length=i2d_NETSCAPE_PKEY(pkey,NULL);
-        l[1]=i2d_ASN1_OCTET_STRING(&os2,NULL);
+        /* Fake some octet strings just for the initial length
+         * calculation.
+         */
 
-        if ((alg=X509_ALGOR_new()) == NULL) goto err;
-        if (alg->algorithm != NULL)
-                ASN1_OBJECT_free(alg->algorithm);
-        alg->algorithm=OBJ_nid2obj(NID_rc4);
-        if ((alg->parameter=ASN1_TYPE_new()) == NULL) goto err;
-        alg->parameter->type=V_ASN1_NULL;
+        pkey->private_key->length=rsalen;
 
-        l[2]=i2d_X509_ALGOR(alg,NULL);
-        l[3]=ASN1_object_size(1,l[2]+l[1],V_ASN1_SEQUENCE);
+        pkeylen=i2d_NETSCAPE_PKEY(pkey,NULL);
 
-#ifndef CONST_STRICT
-        os.data=(unsigned char *)"private-key";
-#endif
-        os.length=11;
-        l[4]=i2d_ASN1_OCTET_STRING(&os,NULL);
+        enckey->enckey->digest->length = pkeylen;
 
-        l[5]=ASN1_object_size(1,l[4]+l[3],V_ASN1_SEQUENCE);
+        enckey->os->length = 11;        /* "private-key" */
+
+        enckey->enckey->algor->algorithm=OBJ_nid2obj(NID_rc4);
+        if ((enckey->enckey->algor->parameter=ASN1_TYPE_new()) == NULL) goto err;
+        enckey->enckey->algor->parameter->type=V_ASN1_NULL;
 
         if (pp == NULL)
                 {
-                if (pkey != NULL) NETSCAPE_PKEY_free(pkey);
-                if (alg != NULL) X509_ALGOR_free(alg);
-                return(l[5]);
+                olen = i2d_NETSCAPE_ENCRYPTED_PKEY(enckey, NULL);
+                NETSCAPE_PKEY_free(pkey);
+                NETSCAPE_ENCRYPTED_PKEY_free(enckey);
+                return olen;
                 }
 
-        if (pkey->private_key->data != NULL)
-                OPENSSL_free(pkey->private_key->data);
-        if ((pkey->private_key->data=(unsigned char *)OPENSSL_malloc(l[0])) == NULL)
+
+        /* Since its RC4 encrypted length is actual length */
+        if ((zz=(unsigned char *)OPENSSL_malloc(rsalen)) == NULL)
                 {
                 ASN1err(ASN1_F_I2D_NETSCAPE_RSA,ERR_R_MALLOC_FAILURE);
                 goto err;
                 }
-        zz=pkey->private_key->data;
+
+        pkey->private_key->data = zz;
+        /* Write out private key encoding */
         i2d_RSAPrivateKey(a,&zz);
 
-        if ((os2.data=(unsigned char *)OPENSSL_malloc(os2.length)) == NULL)
+        if ((zz=OPENSSL_malloc(pkeylen)) == NULL)
                 {
                 ASN1err(ASN1_F_I2D_NETSCAPE_RSA,ERR_R_MALLOC_FAILURE);
                 goto err;
                 }
-        zz=os2.data;
+
+        if (!ASN1_STRING_set(enckey->os, "private-key", -1)) 
+                {
+                ASN1err(ASN1_F_I2D_NETSCAPE_RSA,ERR_R_MALLOC_FAILURE);
+                goto err;
+                }
+        enckey->enckey->digest->data = zz;
         i2d_NETSCAPE_PKEY(pkey,&zz);
+
+        /* Wipe the private key encoding */
+        memset(pkey->private_key->data, 0, rsalen);
                 
         if (cb == NULL)
                 cb=EVP_read_pw_string;
@@ -171,109 +195,86 @@ int i2d_RSA_NET(RSA *a, unsigned char **pp, int (*cb)(), int sgckey)
                 }
         i = strlen((char *)buf);
         /* If the key is used for SGC the algorithm is modified a little. */
-        if(sgckey){
-                EVP_MD_CTX mctx;
-                EVP_DigestInit(&mctx, EVP_md5());
-                EVP_DigestUpdate(&mctx, buf, i);
-                EVP_DigestFinal(&mctx, buf, NULL);
+        if(sgckey) {
+                EVP_Digest(buf, i, buf, NULL, EVP_md5(), NULL);
                 memcpy(buf + 16, "SGCKEYSALT", 10);
                 i = 26;
         }
-                
+
         EVP_BytesToKey(EVP_rc4(),EVP_md5(),NULL,buf,i,1,key,NULL);
         memset(buf,0,256);
 
+        /* Encrypt private key in place */
+        zz = enckey->enckey->digest->data;
         EVP_CIPHER_CTX_init(&ctx);
-        EVP_EncryptInit(&ctx,EVP_rc4(),key,NULL);
-        EVP_EncryptUpdate(&ctx,os2.data,&i,os2.data,os2.length);
-        EVP_EncryptFinal(&ctx,&(os2.data[i]),&j);
+        EVP_EncryptInit_ex(&ctx,EVP_rc4(),NULL,key,NULL);
+        EVP_EncryptUpdate(&ctx,zz,&i,zz,pkeylen);
+        EVP_EncryptFinal_ex(&ctx,zz + i,&j);
         EVP_CIPHER_CTX_cleanup(&ctx);
 
-        p= *pp;
-        ASN1_put_object(&p,1,l[4]+l[3],V_ASN1_SEQUENCE,V_ASN1_UNIVERSAL);
-        i2d_ASN1_OCTET_STRING(&os,&p);
-        ASN1_put_object(&p,1,l[2]+l[1],V_ASN1_SEQUENCE,V_ASN1_UNIVERSAL);
-        i2d_X509_ALGOR(alg,&p);
-        i2d_ASN1_OCTET_STRING(&os2,&p);
-        ret=l[5];
+        ret = i2d_NETSCAPE_ENCRYPTED_PKEY(enckey, pp);
 err:
-        if (os2.data != NULL) OPENSSL_free(os2.data);
-        if (alg != NULL) X509_ALGOR_free(alg);
-        if (pkey != NULL) NETSCAPE_PKEY_free(pkey);
-        r=r;
+        NETSCAPE_ENCRYPTED_PKEY_free(enckey);
+        NETSCAPE_PKEY_free(pkey);
         return(ret);
         }
 
 
-RSA *d2i_Netscape_RSA(RSA **a, unsigned char **pp, long length, int (*cb)())
+RSA *d2i_Netscape_RSA(RSA **a, const unsigned char **pp, long length, int (*cb)())
 {
         return d2i_RSA_NET(a, pp, length, cb, 0);
 }
 
-RSA *d2i_RSA_NET(RSA **a, unsigned char **pp, long length, int (*cb)(), int sgckey)
+RSA *d2i_RSA_NET(RSA **a, const unsigned char **pp, long length, int (*cb)(), int sgckey)
         {
         RSA *ret=NULL;
-        ASN1_OCTET_STRING *os=NULL;
-        ASN1_CTX c;
+        const unsigned char *p, *kp;
+        NETSCAPE_ENCRYPTED_PKEY *enckey = NULL;
+
+        p = *pp;
 
-        c.pp=pp;
-        c.error=ASN1_R_DECODING_ERROR;
+        enckey = d2i_NETSCAPE_ENCRYPTED_PKEY(NULL, &p, length);
+        if(!enckey) {
+                ASN1err(ASN1_F_D2I_NETSCAPE_RSA,ASN1_R_DECODING_ERROR);
+                return NULL;
+        }
 
-        M_ASN1_D2I_Init();
-        M_ASN1_D2I_start_sequence();
-        M_ASN1_D2I_get(os,d2i_ASN1_OCTET_STRING);
-        if ((os->length != 11) || (strncmp("private-key",
-                (char *)os->data,os->length) != 0))
+        if ((enckey->os->length != 11) || (strncmp("private-key",
+                (char *)enckey->os->data,11) != 0))
                 {
                 ASN1err(ASN1_F_D2I_NETSCAPE_RSA,ASN1_R_PRIVATE_KEY_HEADER_MISSING);
-                M_ASN1_BIT_STRING_free(os);
-                goto err;
+                NETSCAPE_ENCRYPTED_PKEY_free(enckey);
+                return NULL;
                 }
-        M_ASN1_BIT_STRING_free(os);
-        c.q=c.p;
-        if ((ret=d2i_RSA_NET_2(a,&c.p,c.slen,cb, sgckey)) == NULL) goto err;
-        /* Note: some versions of IIS key files use length values that are
-         * too small for the surrounding SEQUENCEs. This following line
-         * effectively disable length checking.
-         */
-        c.slen = 0;
-
-        M_ASN1_D2I_Finish(a,RSA_free,ASN1_F_D2I_NETSCAPE_RSA);
+        if (OBJ_obj2nid(enckey->enckey->algor->algorithm) != NID_rc4)
+                {
+                ASN1err(ASN1_F_D2I_NETSCAPE_RSA_2,ASN1_R_UNSUPPORTED_ENCRYPTION_ALGORITHM);
+                goto err;
         }
+        kp = enckey->enckey->digest->data;
+        if (cb == NULL)
+                cb=EVP_read_pw_string;
+        if ((ret=d2i_RSA_NET_2(a, enckey->enckey->digest,cb, sgckey)) == NULL) goto err;
 
-RSA *d2i_Netscape_RSA_2(RSA **a, unsigned char **pp, long length,
-             int (*cb)())
-{
-        return d2i_RSA_NET_2(a, pp, length, cb, 0);
-}
+        *pp = p;
 
-RSA *d2i_RSA_NET_2(RSA **a, unsigned char **pp, long length,
+        err:
+        NETSCAPE_ENCRYPTED_PKEY_free(enckey);
+        return ret;
+
+        }
+
+static RSA *d2i_RSA_NET_2(RSA **a, ASN1_OCTET_STRING *os,
              int (*cb)(), int sgckey)
         {
         NETSCAPE_PKEY *pkey=NULL;
         RSA *ret=NULL;
         int i,j;
-        unsigned char buf[256],*zz;
+        unsigned char buf[256];
+        const unsigned char *zz;
         unsigned char key[EVP_MAX_KEY_LENGTH];
         EVP_CIPHER_CTX ctx;
-        X509_ALGOR *alg=NULL;
-        ASN1_OCTET_STRING *os=NULL;
-        ASN1_CTX c;
 
-        c.error=ERR_R_NESTED_ASN1_ERROR;
-        c.pp=pp;
-
-        M_ASN1_D2I_Init();
-        M_ASN1_D2I_start_sequence();
-        M_ASN1_D2I_get(alg,d2i_X509_ALGOR);
-        if (OBJ_obj2nid(alg->algorithm) != NID_rc4)
-                {
-                ASN1err(ASN1_F_D2I_NETSCAPE_RSA_2,ASN1_R_UNSUPPORTED_ENCRYPTION_ALGORITHM);
-                goto err;
-                }
-        M_ASN1_D2I_get(os,d2i_ASN1_OCTET_STRING);
-        if (cb == NULL)
-                cb=EVP_read_pw_string;
         i=cb(buf,256,"Enter Private Key password:",0);
         if (i != 0)
                 {
@@ -283,10 +284,7 @@ RSA *d2i_RSA_NET_2(RSA **a, unsigned char **pp, long length,
 
         i = strlen((char *)buf);
         if(sgckey){
-                EVP_MD_CTX mctx;
-                EVP_DigestInit(&mctx, EVP_md5());
-                EVP_DigestUpdate(&mctx, buf, i);
-                EVP_DigestFinal(&mctx, buf, NULL);
+                EVP_Digest(buf, i, buf, NULL, EVP_md5(), NULL);
                 memcpy(buf + 16, "SGCKEYSALT", 10);
                 i = 26;
         }
@@ -295,9 +293,9 @@ RSA *d2i_RSA_NET_2(RSA **a, unsigned char **pp, long length,
         memset(buf,0,256);
 
         EVP_CIPHER_CTX_init(&ctx);
-        EVP_DecryptInit(&ctx,EVP_rc4(),key,NULL);
+        EVP_DecryptInit_ex(&ctx,EVP_rc4(),NULL, key,NULL);
         EVP_DecryptUpdate(&ctx,os->data,&i,os->data,os->length);
-        EVP_DecryptFinal(&ctx,&(os->data[i]),&j);
+        EVP_DecryptFinal_ex(&ctx,&(os->data[i]),&j);
         EVP_CIPHER_CTX_cleanup(&ctx);
         os->length=i+j;
 
@@ -315,71 +313,14 @@ RSA *d2i_RSA_NET_2(RSA **a, unsigned char **pp, long length,
                 ASN1err(ASN1_F_D2I_NETSCAPE_RSA_2,ASN1_R_UNABLE_TO_DECODE_RSA_KEY);
                 goto err;
                 }
-        if (!asn1_Finish(&c)) goto err;
-        *pp=c.p;
 err:
-        if (pkey != NULL) NETSCAPE_PKEY_free(pkey);
-        if (os != NULL) M_ASN1_BIT_STRING_free(os);
-        if (alg != NULL) X509_ALGOR_free(alg);
+        NETSCAPE_PKEY_free(pkey);
         return(ret);
         }
 
-static int i2d_NETSCAPE_PKEY(NETSCAPE_PKEY *a, unsigned char **pp)
-        {
-        M_ASN1_I2D_vars(a);
-
-
-        M_ASN1_I2D_len(a->version,      i2d_ASN1_INTEGER);
-        M_ASN1_I2D_len(a->algor,        i2d_X509_ALGOR);
-        M_ASN1_I2D_len(a->private_key,  i2d_ASN1_OCTET_STRING);
-
-        M_ASN1_I2D_seq_total();
-
-        M_ASN1_I2D_put(a->version,      i2d_ASN1_INTEGER);
-        M_ASN1_I2D_put(a->algor,        i2d_X509_ALGOR);
-        M_ASN1_I2D_put(a->private_key,  i2d_ASN1_OCTET_STRING);
-
-        M_ASN1_I2D_finish();
-        }
-
-static NETSCAPE_PKEY *d2i_NETSCAPE_PKEY(NETSCAPE_PKEY **a, unsigned char **pp,
-             long length)
-        {
-        M_ASN1_D2I_vars(a,NETSCAPE_PKEY *,NETSCAPE_PKEY_new);
-
-        M_ASN1_D2I_Init();
-        M_ASN1_D2I_start_sequence();
-        M_ASN1_D2I_get(ret->version,d2i_ASN1_INTEGER);
-        M_ASN1_D2I_get(ret->algor,d2i_X509_ALGOR);
-        M_ASN1_D2I_get(ret->private_key,d2i_ASN1_OCTET_STRING);
-        M_ASN1_D2I_Finish(a,NETSCAPE_PKEY_free,ASN1_F_D2I_NETSCAPE_PKEY);
-        }
-
-static NETSCAPE_PKEY *NETSCAPE_PKEY_new(void)
-        {
-        NETSCAPE_PKEY *ret=NULL;
-        ASN1_CTX c;
-
-        M_ASN1_New_Malloc(ret,NETSCAPE_PKEY);
-        M_ASN1_New(ret->version,M_ASN1_INTEGER_new);
-        M_ASN1_New(ret->algor,X509_ALGOR_new);
-        M_ASN1_New(ret->private_key,M_ASN1_OCTET_STRING_new);
-        return(ret);
-        M_ASN1_New_Error(ASN1_F_NETSCAPE_PKEY_NEW);
-        }
-
-static void NETSCAPE_PKEY_free(NETSCAPE_PKEY *a)
-        {
-        if (a == NULL) return;
-        M_ASN1_INTEGER_free(a->version);
-        X509_ALGOR_free(a->algor);
-        M_ASN1_OCTET_STRING_free(a->private_key);
-        OPENSSL_free(a);
-        }
-
-#endif /* NO_RC4 */
+#endif /* OPENSSL_NO_RC4 */
 
-#else /* !NO_RSA */
+#else /* !OPENSSL_NO_RSA */
 
 # if PEDANTIC
 static void *dummy=&dummy;
diff --git a/src/lib/libcrypto/asn1/nsseq.c b/src/lib/libcrypto/asn1/nsseq.c
index 6e7f09ba23..50e2d4d07a 100644
--- a/src/lib/libcrypto/asn1/nsseq.c
+++ b/src/lib/libcrypto/asn1/nsseq.c
@@ -58,61 +58,25 @@
 
 #include <stdio.h>
 #include <stdlib.h>
-#include <openssl/asn1_mac.h>
-#include <openssl/err.h>
+#include <openssl/asn1t.h>
 #include <openssl/x509.h>
 #include <openssl/objects.h>
 
-/* Netscape certificate sequence structure */
-
-int i2d_NETSCAPE_CERT_SEQUENCE(NETSCAPE_CERT_SEQUENCE *a, unsigned char **pp)
+static int nsseq_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it)
 {
-        int v = 0;
-        M_ASN1_I2D_vars(a);
-        M_ASN1_I2D_len (a->type, i2d_ASN1_OBJECT);
-        M_ASN1_I2D_len_EXP_SEQUENCE_opt_type(X509,a->certs,i2d_X509,0,
-                                             V_ASN1_SEQUENCE,v);
-
-        M_ASN1_I2D_seq_total();
-
-        M_ASN1_I2D_put (a->type, i2d_ASN1_OBJECT);
-        M_ASN1_I2D_put_EXP_SEQUENCE_opt_type(X509,a->certs,i2d_X509,0,
-                                             V_ASN1_SEQUENCE,v);
-
-        M_ASN1_I2D_finish();
+        if(operation == ASN1_OP_NEW_POST) {
+                NETSCAPE_CERT_SEQUENCE *nsseq;
+                nsseq = (NETSCAPE_CERT_SEQUENCE *)*pval;
+                nsseq->type = OBJ_nid2obj(NID_netscape_cert_sequence);
+        }
+        return 1;
 }
 
-NETSCAPE_CERT_SEQUENCE *NETSCAPE_CERT_SEQUENCE_new(void)
-{
-        NETSCAPE_CERT_SEQUENCE *ret=NULL;
-        ASN1_CTX c;
-        M_ASN1_New_Malloc(ret, NETSCAPE_CERT_SEQUENCE);
-        /* Note hardcoded object type */
-        ret->type = OBJ_nid2obj(NID_netscape_cert_sequence);
-        ret->certs = NULL;
-        return (ret);
-        M_ASN1_New_Error(ASN1_F_NETSCAPE_CERT_SEQUENCE_NEW);
-}
+/* Netscape certificate sequence structure */
 
-NETSCAPE_CERT_SEQUENCE *d2i_NETSCAPE_CERT_SEQUENCE(NETSCAPE_CERT_SEQUENCE **a,
-             unsigned char **pp, long length)
-{
-        M_ASN1_D2I_vars(a,NETSCAPE_CERT_SEQUENCE *,
-                                        NETSCAPE_CERT_SEQUENCE_new);
-        M_ASN1_D2I_Init();
-        M_ASN1_D2I_start_sequence();
-        M_ASN1_D2I_get (ret->type, d2i_ASN1_OBJECT);
-        M_ASN1_D2I_get_EXP_set_opt_type(X509,ret->certs,d2i_X509,X509_free,0,
-                                        V_ASN1_SEQUENCE);
-        M_ASN1_D2I_Finish(a, NETSCAPE_CERT_SEQUENCE_free,
-                          ASN1_F_D2I_NETSCAPE_CERT_SEQUENCE);
-}
+ASN1_SEQUENCE_cb(NETSCAPE_CERT_SEQUENCE, nsseq_cb) = {
+        ASN1_SIMPLE(NETSCAPE_CERT_SEQUENCE, type, ASN1_OBJECT),
+        ASN1_EXP_SEQUENCE_OF_OPT(NETSCAPE_CERT_SEQUENCE, certs, X509, 0)
+} ASN1_SEQUENCE_END_cb(NETSCAPE_CERT_SEQUENCE, NETSCAPE_CERT_SEQUENCE)
 
-void NETSCAPE_CERT_SEQUENCE_free (NETSCAPE_CERT_SEQUENCE *a)
-{
-        if (a == NULL) return;
-        ASN1_OBJECT_free(a->type);
-        if(a->certs)
-            sk_X509_pop_free(a->certs, X509_free);
-        OPENSSL_free (a);
-}
+IMPLEMENT_ASN1_FUNCTIONS(NETSCAPE_CERT_SEQUENCE)
diff --git a/src/lib/libcrypto/asn1/p5_pbe.c b/src/lib/libcrypto/asn1/p5_pbe.c
index b7ed538eb2..891150638e 100644
--- a/src/lib/libcrypto/asn1/p5_pbe.c
+++ b/src/lib/libcrypto/asn1/p5_pbe.c
@@ -58,53 +58,18 @@
 
 #include <stdio.h>
 #include "cryptlib.h"
-#include <openssl/asn1_mac.h>
+#include <openssl/asn1t.h>
 #include <openssl/x509.h>
 #include <openssl/rand.h>
 
 /* PKCS#5 password based encryption structure */
 
-int i2d_PBEPARAM(PBEPARAM *a, unsigned char **pp)
-{
-        M_ASN1_I2D_vars(a);
-        M_ASN1_I2D_len (a->salt, i2d_ASN1_OCTET_STRING);
-        M_ASN1_I2D_len (a->iter, i2d_ASN1_INTEGER);
-
-        M_ASN1_I2D_seq_total ();
-
-        M_ASN1_I2D_put (a->salt, i2d_ASN1_OCTET_STRING);
-        M_ASN1_I2D_put (a->iter, i2d_ASN1_INTEGER);
-        M_ASN1_I2D_finish();
-}
-
-PBEPARAM *PBEPARAM_new(void)
-{
-        PBEPARAM *ret=NULL;
-        ASN1_CTX c;
-        M_ASN1_New_Malloc(ret, PBEPARAM);
-        M_ASN1_New(ret->iter,M_ASN1_INTEGER_new);
-        M_ASN1_New(ret->salt,M_ASN1_OCTET_STRING_new);
-        return (ret);
-        M_ASN1_New_Error(ASN1_F_PBEPARAM_NEW);
-}
-
-PBEPARAM *d2i_PBEPARAM(PBEPARAM **a, unsigned char **pp, long length)
-{
-        M_ASN1_D2I_vars(a,PBEPARAM *,PBEPARAM_new);
-        M_ASN1_D2I_Init();
-        M_ASN1_D2I_start_sequence();
-        M_ASN1_D2I_get (ret->salt, d2i_ASN1_OCTET_STRING);
-        M_ASN1_D2I_get (ret->iter, d2i_ASN1_INTEGER);
-        M_ASN1_D2I_Finish(a, PBEPARAM_free, ASN1_F_D2I_PBEPARAM);
-}
+ASN1_SEQUENCE(PBEPARAM) = {
+        ASN1_SIMPLE(PBEPARAM, salt, ASN1_OCTET_STRING),
+        ASN1_SIMPLE(PBEPARAM, iter, ASN1_INTEGER)
+} ASN1_SEQUENCE_END(PBEPARAM)
 
-void PBEPARAM_free (PBEPARAM *a)
-{
-        if(a==NULL) return;
-        M_ASN1_OCTET_STRING_free(a->salt);
-        M_ASN1_INTEGER_free (a->iter);
-        OPENSSL_free (a);
-}
+IMPLEMENT_ASN1_FUNCTIONS(PBEPARAM)
 
 /* Return an algorithm identifier for a PKCS#5 PBE algorithm */
 
diff --git a/src/lib/libcrypto/asn1/p5_pbev2.c b/src/lib/libcrypto/asn1/p5_pbev2.c
index 6a7b578c0e..43dfe09479 100644
--- a/src/lib/libcrypto/asn1/p5_pbev2.c
+++ b/src/lib/libcrypto/asn1/p5_pbev2.c
@@ -58,108 +58,27 @@
 
 #include <stdio.h>
 #include "cryptlib.h"
-#include <openssl/asn1_mac.h>
+#include <openssl/asn1t.h>
 #include <openssl/x509.h>
 #include <openssl/rand.h>
 
 /* PKCS#5 v2.0 password based encryption structures */
 
-int i2d_PBE2PARAM(PBE2PARAM *a, unsigned char **pp)
-{
-        M_ASN1_I2D_vars(a);
-        M_ASN1_I2D_len (a->keyfunc, i2d_X509_ALGOR);
-        M_ASN1_I2D_len (a->encryption, i2d_X509_ALGOR);
-
-        M_ASN1_I2D_seq_total ();
-
-        M_ASN1_I2D_put (a->keyfunc, i2d_X509_ALGOR);
-        M_ASN1_I2D_put (a->encryption, i2d_X509_ALGOR);
-
-        M_ASN1_I2D_finish();
-}
-
-PBE2PARAM *PBE2PARAM_new(void)
-{
-        PBE2PARAM *ret=NULL;
-        ASN1_CTX c;
-        M_ASN1_New_Malloc(ret, PBE2PARAM);
-        M_ASN1_New(ret->keyfunc,X509_ALGOR_new);
-        M_ASN1_New(ret->encryption,X509_ALGOR_new);
-        return (ret);
-        M_ASN1_New_Error(ASN1_F_PBE2PARAM_NEW);
-}
-
-PBE2PARAM *d2i_PBE2PARAM(PBE2PARAM **a, unsigned char **pp, long length)
-{
-        M_ASN1_D2I_vars(a,PBE2PARAM *,PBE2PARAM_new);
-        M_ASN1_D2I_Init();
-        M_ASN1_D2I_start_sequence();
-        M_ASN1_D2I_get (ret->keyfunc, d2i_X509_ALGOR);
-        M_ASN1_D2I_get (ret->encryption, d2i_X509_ALGOR);
-        M_ASN1_D2I_Finish(a, PBE2PARAM_free, ASN1_F_D2I_PBE2PARAM);
-}
-
-void PBE2PARAM_free (PBE2PARAM *a)
-{
-        if(a==NULL) return;
-        X509_ALGOR_free(a->keyfunc);
-        X509_ALGOR_free(a->encryption);
-        OPENSSL_free (a);
-}
-
-int i2d_PBKDF2PARAM(PBKDF2PARAM *a, unsigned char **pp)
-{
-        M_ASN1_I2D_vars(a);
-        M_ASN1_I2D_len (a->salt, i2d_ASN1_TYPE);
-        M_ASN1_I2D_len (a->iter, i2d_ASN1_INTEGER);
-        M_ASN1_I2D_len (a->keylength, i2d_ASN1_INTEGER);
-        M_ASN1_I2D_len (a->prf, i2d_X509_ALGOR);
+ASN1_SEQUENCE(PBE2PARAM) = {
+        ASN1_SIMPLE(PBE2PARAM, keyfunc, X509_ALGOR),
+        ASN1_SIMPLE(PBE2PARAM, encryption, X509_ALGOR)
+} ASN1_SEQUENCE_END(PBE2PARAM)
 
-        M_ASN1_I2D_seq_total ();
+IMPLEMENT_ASN1_FUNCTIONS(PBE2PARAM)
 
-        M_ASN1_I2D_put (a->salt, i2d_ASN1_TYPE);
-        M_ASN1_I2D_put (a->iter, i2d_ASN1_INTEGER);
-        M_ASN1_I2D_put (a->keylength, i2d_ASN1_INTEGER);
-        M_ASN1_I2D_put (a->prf, i2d_X509_ALGOR);
+ASN1_SEQUENCE(PBKDF2PARAM) = {
+        ASN1_SIMPLE(PBKDF2PARAM, salt, ASN1_ANY),
+        ASN1_SIMPLE(PBKDF2PARAM, iter, ASN1_INTEGER),
+        ASN1_OPT(PBKDF2PARAM, keylength, ASN1_INTEGER),
+        ASN1_OPT(PBKDF2PARAM, prf, X509_ALGOR)
+} ASN1_SEQUENCE_END(PBKDF2PARAM)
 
-        M_ASN1_I2D_finish();
-}
-
-PBKDF2PARAM *PBKDF2PARAM_new(void)
-{
-        PBKDF2PARAM *ret=NULL;
-        ASN1_CTX c;
-        M_ASN1_New_Malloc(ret, PBKDF2PARAM);
-        M_ASN1_New(ret->salt, ASN1_TYPE_new);
-        M_ASN1_New(ret->iter, M_ASN1_INTEGER_new);
-        ret->keylength = NULL;
-        ret->prf = NULL;
-        return (ret);
-        M_ASN1_New_Error(ASN1_F_PBKDF2PARAM_NEW);
-}
-
-PBKDF2PARAM *d2i_PBKDF2PARAM(PBKDF2PARAM **a, unsigned char **pp,
-             long length)
-{
-        M_ASN1_D2I_vars(a,PBKDF2PARAM *,PBKDF2PARAM_new);
-        M_ASN1_D2I_Init();
-        M_ASN1_D2I_start_sequence();
-        M_ASN1_D2I_get (ret->salt, d2i_ASN1_TYPE);
-        M_ASN1_D2I_get (ret->iter, d2i_ASN1_INTEGER);
-        M_ASN1_D2I_get_opt (ret->keylength, d2i_ASN1_INTEGER, V_ASN1_INTEGER);
-        M_ASN1_D2I_get_opt (ret->prf, d2i_X509_ALGOR, V_ASN1_SEQUENCE);
-        M_ASN1_D2I_Finish(a, PBKDF2PARAM_free, ASN1_F_D2I_PBKDF2PARAM);
-}
-
-void PBKDF2PARAM_free (PBKDF2PARAM *a)
-{
-        if(a==NULL) return;
-        ASN1_TYPE_free(a->salt);
-        M_ASN1_INTEGER_free(a->iter);
-        M_ASN1_INTEGER_free(a->keylength);
-        X509_ALGOR_free(a->prf);
-        OPENSSL_free (a);
-}
+IMPLEMENT_ASN1_FUNCTIONS(PBKDF2PARAM)
 
 /* Return an algorithm identifier for a PKCS#5 v2.0 PBE algorithm:
  * yes I know this is horrible!
@@ -198,7 +117,7 @@ X509_ALGOR *PKCS5_pbe2_set(const EVP_CIPHER *cipher, int iter,
                 goto err;
 
         /* Dummy cipherinit to just setup the IV */
-        EVP_CipherInit(&ctx, cipher, NULL, iv, 0);
+        EVP_CipherInit_ex(&ctx, cipher, NULL, NULL, iv, 0);
         if(EVP_CIPHER_param_to_asn1(&ctx, scheme->parameter) < 0) {
                 ASN1err(ASN1_F_PKCS5_PBE2_SET,
                                         ASN1_R_ERROR_SETTING_CIPHER_PARAMS);
diff --git a/src/lib/libcrypto/asn1/p8_pkey.c b/src/lib/libcrypto/asn1/p8_pkey.c
index fa6cbfb6f8..b634d5bc85 100644
--- a/src/lib/libcrypto/asn1/p8_pkey.c
+++ b/src/lib/libcrypto/asn1/p8_pkey.c
@@ -58,70 +58,27 @@
 
 #include <stdio.h>
 #include "cryptlib.h"
-#include <openssl/asn1_mac.h>
+#include <openssl/asn1t.h>
 #include <openssl/x509.h>
 
-int i2d_PKCS8_PRIV_KEY_INFO (PKCS8_PRIV_KEY_INFO *a, unsigned char **pp)
+/* Minor tweak to operation: zero private key data */
+static int pkey_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it)
 {
-
-        M_ASN1_I2D_vars(a);
-
-        M_ASN1_I2D_len (a->version, i2d_ASN1_INTEGER);
-        M_ASN1_I2D_len (a->pkeyalg, i2d_X509_ALGOR);
-        M_ASN1_I2D_len (a->pkey, i2d_ASN1_TYPE);
-        M_ASN1_I2D_len_IMP_SET_opt_type (X509_ATTRIBUTE, a->attributes,
-                                         i2d_X509_ATTRIBUTE, 0);
-        
-        M_ASN1_I2D_seq_total ();
-
-        M_ASN1_I2D_put (a->version, i2d_ASN1_INTEGER);
-        M_ASN1_I2D_put (a->pkeyalg, i2d_X509_ALGOR);
-        M_ASN1_I2D_put (a->pkey, i2d_ASN1_TYPE);
-        M_ASN1_I2D_put_IMP_SET_opt_type (X509_ATTRIBUTE, a->attributes,
-                                         i2d_X509_ATTRIBUTE, 0);
-
-        M_ASN1_I2D_finish();
+        /* Since the structure must still be valid use ASN1_OP_FREE_PRE */
+        if(operation == ASN1_OP_FREE_PRE) {
+                PKCS8_PRIV_KEY_INFO *key = (PKCS8_PRIV_KEY_INFO *)*pval;
+                if (key->pkey->value.octet_string)
+                memset(key->pkey->value.octet_string->data,
+                                 0, key->pkey->value.octet_string->length);
+        }
+        return 1;
 }
 
-PKCS8_PRIV_KEY_INFO *PKCS8_PRIV_KEY_INFO_new(void)
-{
-        PKCS8_PRIV_KEY_INFO *ret=NULL;
-        ASN1_CTX c;
-        M_ASN1_New_Malloc(ret, PKCS8_PRIV_KEY_INFO);
-        M_ASN1_New (ret->version, M_ASN1_INTEGER_new);
-        M_ASN1_New (ret->pkeyalg, X509_ALGOR_new);
-        M_ASN1_New (ret->pkey, ASN1_TYPE_new);
-        ret->attributes = NULL;
-        ret->broken = PKCS8_OK;
-        return (ret);
-        M_ASN1_New_Error(ASN1_F_PKCS8_PRIV_KEY_INFO_NEW);
-}
+ASN1_SEQUENCE_cb(PKCS8_PRIV_KEY_INFO, pkey_cb) = {
+        ASN1_SIMPLE(PKCS8_PRIV_KEY_INFO, version, ASN1_INTEGER),
+        ASN1_SIMPLE(PKCS8_PRIV_KEY_INFO, pkeyalg, X509_ALGOR),
+        ASN1_SIMPLE(PKCS8_PRIV_KEY_INFO, pkey, ASN1_ANY),
+        ASN1_IMP_SET_OF_OPT(PKCS8_PRIV_KEY_INFO, attributes, X509_ATTRIBUTE, 0)
+} ASN1_SEQUENCE_END_cb(PKCS8_PRIV_KEY_INFO, PKCS8_PRIV_KEY_INFO)
 
-PKCS8_PRIV_KEY_INFO *d2i_PKCS8_PRIV_KEY_INFO(PKCS8_PRIV_KEY_INFO **a,
-             unsigned char **pp, long length)
-{
-        M_ASN1_D2I_vars(a,PKCS8_PRIV_KEY_INFO *,PKCS8_PRIV_KEY_INFO_new);
-        M_ASN1_D2I_Init();
-        M_ASN1_D2I_start_sequence();
-        M_ASN1_D2I_get (ret->version, d2i_ASN1_INTEGER);
-        M_ASN1_D2I_get (ret->pkeyalg, d2i_X509_ALGOR);
-        M_ASN1_D2I_get (ret->pkey, d2i_ASN1_TYPE);
-        M_ASN1_D2I_get_IMP_set_opt_type(X509_ATTRIBUTE, ret->attributes,
-                                        d2i_X509_ATTRIBUTE,
-                                        X509_ATTRIBUTE_free, 0);
-        M_ASN1_D2I_Finish(a, PKCS8_PRIV_KEY_INFO_free, ASN1_F_D2I_PKCS8_PRIV_KEY_INFO);
-}
-
-void PKCS8_PRIV_KEY_INFO_free (PKCS8_PRIV_KEY_INFO *a)
-{
-        if (a == NULL) return;
-        M_ASN1_INTEGER_free (a->version);
-        X509_ALGOR_free(a->pkeyalg);
-        /* Clear sensitive data */
-        if (a->pkey->value.octet_string)
-                memset (a->pkey->value.octet_string->data,
-                                 0, a->pkey->value.octet_string->length);
-        ASN1_TYPE_free (a->pkey);
-        sk_X509_ATTRIBUTE_pop_free (a->attributes, X509_ATTRIBUTE_free);
-        OPENSSL_free (a);
-}
+IMPLEMENT_ASN1_FUNCTIONS(PKCS8_PRIV_KEY_INFO)
diff --git a/src/lib/libcrypto/asn1/t_crl.c b/src/lib/libcrypto/asn1/t_crl.c
index d78e4a8f88..60db305756 100644
--- a/src/lib/libcrypto/asn1/t_crl.c
+++ b/src/lib/libcrypto/asn1/t_crl.c
@@ -64,8 +64,7 @@
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
 
-static void ext_print(BIO *out, X509_EXTENSION *ex);
-#ifndef NO_FP_API
+#ifndef OPENSSL_NO_FP_API
 int X509_CRL_print_fp(FILE *fp, X509_CRL *x)
         {
         BIO *b;
@@ -86,11 +85,10 @@ int X509_CRL_print_fp(FILE *fp, X509_CRL *x)
 int X509_CRL_print(BIO *out, X509_CRL *x)
 {
         char buf[256];
-        unsigned char *s;
         STACK_OF(X509_REVOKED) *rev;
         X509_REVOKED *r;
         long l;
-        int i, j, n;
+        int i, n;
 
         BIO_printf(out, "Certificate Revocation List (CRL):\n");
         l = X509_CRL_get_version(x);
@@ -109,15 +107,12 @@ int X509_CRL_print(BIO *out, X509_CRL *x)
         BIO_printf(out,"\n");
 
         n=X509_CRL_get_ext_count(x);
-        if (n > 0) {
-                BIO_printf(out,"%8sCRL extensions:\n","");
-                for (i=0; i<n; i++) ext_print(out, X509_CRL_get_ext(x, i));
-        }
-
+        X509V3_extensions_print(out, "CRL extensions",
+                                                x->crl->extensions, 0, 8);
 
         rev = X509_CRL_get_REVOKED(x);
 
-        if(sk_X509_REVOKED_num(rev))
+        if(sk_X509_REVOKED_num(rev) > 0)
             BIO_printf(out, "Revoked Certificates:\n");
         else BIO_printf(out, "No Revoked Certificates.\n");
 
@@ -128,39 +123,11 @@ int X509_CRL_print(BIO *out, X509_CRL *x)
                 BIO_printf(out,"\n        Revocation Date: ","");
                 ASN1_TIME_print(out,r->revocationDate);
                 BIO_printf(out,"\n");
-                for(j = 0; j < X509_REVOKED_get_ext_count(r); j++)
-                                ext_print(out, X509_REVOKED_get_ext(r, j));
-        }
-
-        i=OBJ_obj2nid(x->sig_alg->algorithm);
-        BIO_printf(out,"    Signature Algorithm: %s",
-                                (i == NID_undef)?"UNKNOWN":OBJ_nid2ln(i));
-
-        s = x->signature->data;
-        n = x->signature->length;
-        for (i=0; i<n; i++, s++)
-        {
-                if ((i%18) == 0) BIO_write(out,"\n        ",9);
-                BIO_printf(out,"%02x%s",*s, ((i+1) == n)?"":":");
+                X509V3_extensions_print(out, "CRL entry extensions",
+                                                r->extensions, 0, 8);
         }
-        BIO_write(out,"\n",1);
+        X509_signature_print(out, x->sig_alg, x->signature);
 
         return 1;
 
 }
-
-static void ext_print(BIO *out, X509_EXTENSION *ex)
-{
-        ASN1_OBJECT *obj;
-        int j;
-        BIO_printf(out,"%12s","");
-        obj=X509_EXTENSION_get_object(ex);
-        i2a_ASN1_OBJECT(out,obj);
-        j=X509_EXTENSION_get_critical(ex);
-        BIO_printf(out, ": %s\n", j ? "critical":"","");
-        if(!X509V3_EXT_print(out, ex, 0, 16)) {
-                BIO_printf(out, "%16s", "");
-                M_ASN1_OCTET_STRING_print(out,ex->value);
-        }
-        BIO_write(out,"\n",1);
-}
diff --git a/src/lib/libcrypto/asn1/t_pkey.c b/src/lib/libcrypto/asn1/t_pkey.c
index ae18da96e3..8060115202 100644
--- a/src/lib/libcrypto/asn1/t_pkey.c
+++ b/src/lib/libcrypto/asn1/t_pkey.c
@@ -60,21 +60,21 @@
 #include "cryptlib.h"
 #include <openssl/buffer.h>
 #include <openssl/bn.h>
-#ifndef NO_RSA
+#ifndef OPENSSL_NO_RSA
 #include <openssl/rsa.h>
 #endif
-#ifndef NO_DH
+#ifndef OPENSSL_NO_DH
 #include <openssl/dh.h>
 #endif
-#ifndef NO_DSA
+#ifndef OPENSSL_NO_DSA
 #include <openssl/dsa.h>
 #endif
 
 static int print(BIO *fp,const char *str,BIGNUM *num,
                 unsigned char *buf,int off);
-#ifndef NO_RSA
-#ifndef NO_FP_API
-int RSA_print_fp(FILE *fp, RSA *x, int off)
+#ifndef OPENSSL_NO_RSA
+#ifndef OPENSSL_NO_FP_API
+int RSA_print_fp(FILE *fp, const RSA *x, int off)
         {
         BIO *b;
         int ret;
@@ -91,7 +91,7 @@ int RSA_print_fp(FILE *fp, RSA *x, int off)
         }
 #endif
 
-int RSA_print(BIO *bp, RSA *x, int off)
+int RSA_print(BIO *bp, const RSA *x, int off)
         {
         char str[128];
         const char *s;
@@ -136,11 +136,11 @@ err:
         if (m != NULL) OPENSSL_free(m);
         return(ret);
         }
-#endif /* NO_RSA */
+#endif /* OPENSSL_NO_RSA */
 
-#ifndef NO_DSA
-#ifndef NO_FP_API
-int DSA_print_fp(FILE *fp, DSA *x, int off)
+#ifndef OPENSSL_NO_DSA
+#ifndef OPENSSL_NO_FP_API
+int DSA_print_fp(FILE *fp, const DSA *x, int off)
         {
         BIO *b;
         int ret;
@@ -157,7 +157,7 @@ int DSA_print_fp(FILE *fp, DSA *x, int off)
         }
 #endif
 
-int DSA_print(BIO *bp, DSA *x, int off)
+int DSA_print(BIO *bp, const DSA *x, int off)
         {
         char str[128];
         unsigned char *m=NULL;
@@ -207,7 +207,7 @@ err:
         if (m != NULL) OPENSSL_free(m);
         return(ret);
         }
-#endif /* !NO_DSA */
+#endif /* !OPENSSL_NO_DSA */
 
 static int print(BIO *bp, const char *number, BIGNUM *num, unsigned char *buf,
              int off)
@@ -259,9 +259,9 @@ static int print(BIO *bp, const char *number, BIGNUM *num, unsigned char *buf,
         return(1);
         }
 
-#ifndef NO_DH
-#ifndef NO_FP_API
-int DHparams_print_fp(FILE *fp, DH *x)
+#ifndef OPENSSL_NO_DH
+#ifndef OPENSSL_NO_FP_API
+int DHparams_print_fp(FILE *fp, const DH *x)
         {
         BIO *b;
         int ret;
@@ -278,7 +278,7 @@ int DHparams_print_fp(FILE *fp, DH *x)
         }
 #endif
 
-int DHparams_print(BIO *bp, DH *x)
+int DHparams_print(BIO *bp, const DH *x)
         {
         unsigned char *m=NULL;
         int reason=ERR_R_BUF_LIB,i,ret=0;
@@ -312,9 +312,9 @@ err:
         }
 #endif
 
-#ifndef NO_DSA
-#ifndef NO_FP_API
-int DSAparams_print_fp(FILE *fp, DSA *x)
+#ifndef OPENSSL_NO_DSA
+#ifndef OPENSSL_NO_FP_API
+int DSAparams_print_fp(FILE *fp, const DSA *x)
         {
         BIO *b;
         int ret;
@@ -331,7 +331,7 @@ int DSAparams_print_fp(FILE *fp, DSA *x)
         }
 #endif
 
-int DSAparams_print(BIO *bp, DSA *x)
+int DSAparams_print(BIO *bp, const DSA *x)
         {
         unsigned char *m=NULL;
         int reason=ERR_R_BUF_LIB,i,ret=0;
@@ -357,5 +357,5 @@ err:
         return(ret);
         }
 
-#endif /* !NO_DSA */
+#endif /* !OPENSSL_NO_DSA */
 
diff --git a/src/lib/libcrypto/asn1/t_req.c b/src/lib/libcrypto/asn1/t_req.c
index ea1af092db..848c29a2dd 100644
--- a/src/lib/libcrypto/asn1/t_req.c
+++ b/src/lib/libcrypto/asn1/t_req.c
@@ -64,7 +64,7 @@
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
 
-#ifndef NO_FP_API
+#ifndef OPENSSL_NO_FP_API
 int X509_REQ_print_fp(FILE *fp, X509_REQ *x)
         {
         BIO *b;
@@ -85,8 +85,7 @@ int X509_REQ_print_fp(FILE *fp, X509_REQ *x)
 int X509_REQ_print(BIO *bp, X509_REQ *x)
         {
         unsigned long l;
-        int i,n;
-        char *s;
+        int i;
         const char *neg;
         X509_REQ_INFO *ri;
         EVP_PKEY *pkey;
@@ -118,7 +117,7 @@ int X509_REQ_print(BIO *bp, X509_REQ *x)
         if (BIO_puts(bp,str) <= 0) goto err;
 
         pkey=X509_REQ_get_pubkey(x);
-#ifndef NO_RSA
+#ifndef OPENSSL_NO_RSA
         if (pkey != NULL && pkey->type == EVP_PKEY_RSA)
                 {
                 BIO_printf(bp,"%12sRSA Public Key: (%d bit)\n","",
@@ -127,7 +126,7 @@ int X509_REQ_print(BIO *bp, X509_REQ *x)
                 }
         else 
 #endif
-#ifndef NO_DSA
+#ifndef OPENSSL_NO_DSA
                 if (pkey != NULL && pkey->type == EVP_PKEY_DSA)
                 {
                 BIO_printf(bp,"%12sDSA Public Key:\n","");
@@ -145,13 +144,10 @@ int X509_REQ_print(BIO *bp, X509_REQ *x)
         if (BIO_puts(bp,str) <= 0) goto err;
 
         sk=x->req_info->attributes;
-        if ((sk == NULL) || (sk_X509_ATTRIBUTE_num(sk) == 0))
+        if (sk_X509_ATTRIBUTE_num(sk) == 0)
                 {
-                if (!x->req_info->req_kludge)
-                        {
-                        sprintf(str,"%12sa0:00\n","");
-                        if (BIO_puts(bp,str) <= 0) goto err;
-                        }
+                sprintf(str,"%12sa0:00\n","");
+                if (BIO_puts(bp,str) <= 0) goto err;
                 }
         else
                 {
@@ -170,7 +166,13 @@ int X509_REQ_print(BIO *bp, X509_REQ *x)
                         if (BIO_puts(bp,str) <= 0) goto err;
                         if ((j=i2a_ASN1_OBJECT(bp,a->object)) > 0)
                         {
-                        if (a->set)
+                        if (a->single)
+                                {
+                                t=a->value.single;
+                                type=t->type;
+                                bs=t->value.bit_string;
+                                }
+                        else
                                 {
                                 ii=0;
                                 count=sk_ASN1_TYPE_num(a->value.set);
@@ -179,12 +181,6 @@ get_next:
                                 type=at->type;
                                 bs=at->value.asn1_string;
                                 }
-                        else
-                                {
-                                t=a->value.single;
-                                type=t->type;
-                                bs=t->value.bit_string;
-                                }
                         }
                         for (j=25-j; j>0; j--)
                                 if (BIO_write(bp," ",1) != 1) goto err;
@@ -229,24 +225,8 @@ get_next:
                 sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free);
         }
 
-        i=OBJ_obj2nid(x->sig_alg->algorithm);
-        sprintf(str,"%4sSignature Algorithm: %s","",
-                (i == NID_undef)?"UNKNOWN":OBJ_nid2ln(i));
-        if (BIO_puts(bp,str) <= 0) goto err;
+        if(!X509_signature_print(bp, x->sig_alg, x->signature)) goto err;
 
-        n=x->signature->length;
-        s=(char *)x->signature->data;
-        for (i=0; i<n; i++)
-                {
-                if ((i%18) == 0)
-                        {
-                        sprintf(str,"\n%8s","");
-                        if (BIO_puts(bp,str) <= 0) goto err;
-                        }
-                sprintf(str,"%02x%s",(unsigned char)s[i],((i+1) == n)?"":":");
-                if (BIO_puts(bp,str) <= 0) goto err;
-                }
-        if (BIO_puts(bp,"\n") <= 0) goto err;
         return(1);
 err:
         X509err(X509_F_X509_REQ_PRINT,ERR_R_BUF_LIB);
diff --git a/src/lib/libcrypto/asn1/t_spki.c b/src/lib/libcrypto/asn1/t_spki.c
index d708434fca..5abfbc815e 100644
--- a/src/lib/libcrypto/asn1/t_spki.c
+++ b/src/lib/libcrypto/asn1/t_spki.c
@@ -59,7 +59,7 @@
 #include <stdio.h>
 #include "cryptlib.h"
 #include <openssl/x509.h>
-#include <openssl/asn1_mac.h>
+#include <openssl/asn1.h>
 
 /* Print out an SPKI */
 
@@ -76,7 +76,7 @@ int NETSCAPE_SPKI_print(BIO *out, NETSCAPE_SPKI *spki)
         pkey = X509_PUBKEY_get(spki->spkac->pubkey);
         if(!pkey) BIO_printf(out, "  Unable to load public key\n");
         else {
-#ifndef NO_RSA
+#ifndef OPENSSL_NO_RSA
                 if (pkey->type == EVP_PKEY_RSA)
                         {
                         BIO_printf(out,"  RSA Public Key: (%d bit)\n",
@@ -85,7 +85,7 @@ int NETSCAPE_SPKI_print(BIO *out, NETSCAPE_SPKI *spki)
                         }
                 else 
 #endif
-#ifndef NO_DSA
+#ifndef OPENSSL_NO_DSA
                 if (pkey->type == EVP_PKEY_DSA)
                 {
                 BIO_printf(out,"  DSA Public Key:\n");
diff --git a/src/lib/libcrypto/asn1/t_x509.c b/src/lib/libcrypto/asn1/t_x509.c
index 89ae73a6de..5de4833ed0 100644
--- a/src/lib/libcrypto/asn1/t_x509.c
+++ b/src/lib/libcrypto/asn1/t_x509.c
@@ -60,18 +60,23 @@
 #include "cryptlib.h"
 #include <openssl/buffer.h>
 #include <openssl/bn.h>
-#ifndef NO_RSA
+#ifndef OPENSSL_NO_RSA
 #include <openssl/rsa.h>
 #endif
-#ifndef NO_DSA
+#ifndef OPENSSL_NO_DSA
 #include <openssl/dsa.h>
 #endif
 #include <openssl/objects.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
 
-#ifndef NO_FP_API
+#ifndef OPENSSL_NO_FP_API
 int X509_print_fp(FILE *fp, X509 *x)
+        {
+        return X509_print_ex_fp(fp, x, XN_FLAG_COMPAT, X509_FLAG_COMPAT);
+        }
+
+int X509_print_ex_fp(FILE *fp, X509 *x, unsigned long nmflag, unsigned long cflag)
         {
         BIO *b;
         int ret;
@@ -82,144 +87,165 @@ int X509_print_fp(FILE *fp, X509 *x)
                 return(0);
                 }
         BIO_set_fp(b,fp,BIO_NOCLOSE);
-        ret=X509_print(b, x);
+        ret=X509_print_ex(b, x, nmflag, cflag);
         BIO_free(b);
         return(ret);
         }
 #endif
 
 int X509_print(BIO *bp, X509 *x)
+{
+        return X509_print_ex(bp, x, XN_FLAG_COMPAT, X509_FLAG_COMPAT);
+}
+
+int X509_print_ex(BIO *bp, X509 *x, unsigned long nmflags, unsigned long cflag)
         {
         long l;
-        int ret=0,i,j,n;
-        char *m=NULL,*s;
+        int ret=0,i;
+        char *m=NULL,mlch = ' ';
+        int nmindent = 0;
         X509_CINF *ci;
         ASN1_INTEGER *bs;
         EVP_PKEY *pkey=NULL;
         const char *neg;
-        X509_EXTENSION *ex;
         ASN1_STRING *str=NULL;
 
+        if((nmflags & XN_FLAG_SEP_MASK) == XN_FLAG_SEP_MULTILINE) {
+                        mlch = '\n';
+                        nmindent = 12;
+        }
+
+        if(nmflags == X509_FLAG_COMPAT)
+                nmindent = 16;
+
         ci=x->cert_info;
-        if (BIO_write(bp,"Certificate:\n",13) <= 0) goto err;
-        if (BIO_write(bp,"    Data:\n",10) <= 0) goto err;
-        l=X509_get_version(x);
-        if (BIO_printf(bp,"%8sVersion: %lu (0x%lx)\n","",l+1,l) <= 0) goto err;
-        if (BIO_write(bp,"        Serial Number:",22) <= 0) goto err;
-
-        bs=X509_get_serialNumber(x);
-        if (bs->length <= 4)
+        if(!(cflag & X509_FLAG_NO_HEADER))
                 {
-                l=ASN1_INTEGER_get(bs);
-                if (l < 0)
-                        {
-                        l= -l;
-                        neg="-";
-                        }
-                else
-                        neg="";
-                if (BIO_printf(bp," %s%lu (%s0x%lx)\n",neg,l,neg,l) <= 0)
-                        goto err;
+                if (BIO_write(bp,"Certificate:\n",13) <= 0) goto err;
+                if (BIO_write(bp,"    Data:\n",10) <= 0) goto err;
                 }
-        else
+        if(!(cflag & X509_FLAG_NO_VERSION))
+                {
+                l=X509_get_version(x);
+                if (BIO_printf(bp,"%8sVersion: %lu (0x%lx)\n","",l+1,l) <= 0) goto err;
+                }
+        if(!(cflag & X509_FLAG_NO_SERIAL))
                 {
-                neg=(bs->type == V_ASN1_NEG_INTEGER)?" (Negative)":"";
-                if (BIO_printf(bp,"\n%12s%s","",neg) <= 0) goto err;
 
-                for (i=0; i<bs->length; i++)
+                if (BIO_write(bp,"        Serial Number:",22) <= 0) goto err;
+
+                bs=X509_get_serialNumber(x);
+                if (bs->length <= 4)
                         {
-                        if (BIO_printf(bp,"%02x%c",bs->data[i],
-                                ((i+1 == bs->length)?'\n':':')) <= 0)
+                        l=ASN1_INTEGER_get(bs);
+                        if (l < 0)
+                                {
+                                l= -l;
+                                neg="-";
+                                }
+                        else
+                                neg="";
+                        if (BIO_printf(bp," %s%lu (%s0x%lx)\n",neg,l,neg,l) <= 0)
                                 goto err;
                         }
-                }
+                else
+                        {
+                        neg=(bs->type == V_ASN1_NEG_INTEGER)?" (Negative)":"";
+                        if (BIO_printf(bp,"\n%12s%s","",neg) <= 0) goto err;
 
-        i=OBJ_obj2nid(ci->signature->algorithm);
-        if (BIO_printf(bp,"%8sSignature Algorithm: %s\n","",
-                (i == NID_undef)?"UNKNOWN":OBJ_nid2ln(i)) <= 0)
-                goto err;
+                        for (i=0; i<bs->length; i++)
+                                {
+                                if (BIO_printf(bp,"%02x%c",bs->data[i],
+                                        ((i+1 == bs->length)?'\n':':')) <= 0)
+                                        goto err;
+                                }
+                        }
 
-        if (BIO_write(bp,"        Issuer: ",16) <= 0) goto err;
-        if (!X509_NAME_print(bp,X509_get_issuer_name(x),16)) goto err;
-        if (BIO_write(bp,"\n        Validity\n",18) <= 0) goto err;
-        if (BIO_write(bp,"            Not Before: ",24) <= 0) goto err;
-        if (!ASN1_TIME_print(bp,X509_get_notBefore(x))) goto err;
-        if (BIO_write(bp,"\n            Not After : ",25) <= 0) goto err;
-        if (!ASN1_TIME_print(bp,X509_get_notAfter(x))) goto err;
-        if (BIO_write(bp,"\n        Subject: ",18) <= 0) goto err;
-        if (!X509_NAME_print(bp,X509_get_subject_name(x),16)) goto err;
-        if (BIO_write(bp,"\n        Subject Public Key Info:\n",34) <= 0)
-                goto err;
-        i=OBJ_obj2nid(ci->key->algor->algorithm);
-        if (BIO_printf(bp,"%12sPublic Key Algorithm: %s\n","",
-                (i == NID_undef)?"UNKNOWN":OBJ_nid2ln(i)) <= 0) goto err;
+                }
 
-        pkey=X509_get_pubkey(x);
-        if (pkey == NULL)
+        if(!(cflag & X509_FLAG_NO_SIGNAME))
                 {
-                BIO_printf(bp,"%12sUnable to load Public Key\n","");
-                ERR_print_errors(bp);
+                if (BIO_printf(bp,"%8sSignature Algorithm: ","") <= 0) 
+                        goto err;
+                if (i2a_ASN1_OBJECT(bp, ci->signature->algorithm) <= 0)
+                        goto err;
+                if (BIO_puts(bp, "\n") <= 0)
+                        goto err;
                 }
-        else
-#ifndef NO_RSA
-        if (pkey->type == EVP_PKEY_RSA)
+
+        if(!(cflag & X509_FLAG_NO_ISSUER))
                 {
-                BIO_printf(bp,"%12sRSA Public Key: (%d bit)\n","",
-                BN_num_bits(pkey->pkey.rsa->n));
-                RSA_print(bp,pkey->pkey.rsa,16);
+                if (BIO_printf(bp,"        Issuer:%c",mlch) <= 0) goto err;
+                if (X509_NAME_print_ex(bp,X509_get_issuer_name(x),nmindent, nmflags) < 0) goto err;
+                if (BIO_write(bp,"\n",1) <= 0) goto err;
                 }
-        else
-#endif
-#ifndef NO_DSA
-        if (pkey->type == EVP_PKEY_DSA)
+        if(!(cflag & X509_FLAG_NO_VALIDITY))
                 {
-                BIO_printf(bp,"%12sDSA Public Key:\n","");
-                DSA_print(bp,pkey->pkey.dsa,16);
+                if (BIO_write(bp,"        Validity\n",17) <= 0) goto err;
+                if (BIO_write(bp,"            Not Before: ",24) <= 0) goto err;
+                if (!ASN1_TIME_print(bp,X509_get_notBefore(x))) goto err;
+                if (BIO_write(bp,"\n            Not After : ",25) <= 0) goto err;
+                if (!ASN1_TIME_print(bp,X509_get_notAfter(x))) goto err;
+                if (BIO_write(bp,"\n",1) <= 0) goto err;
                 }
-        else
-#endif
-                BIO_printf(bp,"%12sUnknown Public Key:\n","");
-
-        EVP_PKEY_free(pkey);
-
-        n=X509_get_ext_count(x);
-        if (n > 0)
+        if(!(cflag & X509_FLAG_NO_SUBJECT))
                 {
-                BIO_printf(bp,"%8sX509v3 extensions:\n","");
-                for (i=0; i<n; i++)
+                if (BIO_printf(bp,"        Subject:%c",mlch) <= 0) goto err;
+                if (X509_NAME_print_ex(bp,X509_get_subject_name(x),nmindent, nmflags) < 0) goto err;
+                if (BIO_write(bp,"\n",1) <= 0) goto err;
+                }
+        if(!(cflag & X509_FLAG_NO_PUBKEY))
+                {
+                if (BIO_write(bp,"        Subject Public Key Info:\n",33) <= 0)
+                        goto err;
+                if (BIO_printf(bp,"%12sPublic Key Algorithm: ","") <= 0)
+                        goto err;
+                if (i2a_ASN1_OBJECT(bp, ci->key->algor->algorithm) <= 0)
+                        goto err;
+                if (BIO_puts(bp, "\n") <= 0)
+                        goto err;
+
+                pkey=X509_get_pubkey(x);
+                if (pkey == NULL)
                         {
-                        ASN1_OBJECT *obj;
-                        ex=X509_get_ext(x,i);
-                        if (BIO_printf(bp,"%12s","") <= 0) goto err;
-                        obj=X509_EXTENSION_get_object(ex);
-                        i2a_ASN1_OBJECT(bp,obj);
-                        j=X509_EXTENSION_get_critical(ex);
-                        if (BIO_printf(bp,": %s\n",j?"critical":"","") <= 0)
-                                goto err;
-                        if(!X509V3_EXT_print(bp, ex, 0, 16))
-                                {
-                                BIO_printf(bp, "%16s", "");
-                                M_ASN1_OCTET_STRING_print(bp,ex->value);
-                                }
-                        if (BIO_write(bp,"\n",1) <= 0) goto err;
+                        BIO_printf(bp,"%12sUnable to load Public Key\n","");
+                        ERR_print_errors(bp);
+                        }
+                else
+#ifndef OPENSSL_NO_RSA
+                if (pkey->type == EVP_PKEY_RSA)
+                        {
+                        BIO_printf(bp,"%12sRSA Public Key: (%d bit)\n","",
+                        BN_num_bits(pkey->pkey.rsa->n));
+                        RSA_print(bp,pkey->pkey.rsa,16);
+                        }
+                else
+#endif
+#ifndef OPENSSL_NO_DSA
+                if (pkey->type == EVP_PKEY_DSA)
+                        {
+                        BIO_printf(bp,"%12sDSA Public Key:\n","");
+                        DSA_print(bp,pkey->pkey.dsa,16);
                         }
+                else
+#endif
+                        BIO_printf(bp,"%12sUnknown Public Key:\n","");
+
+                EVP_PKEY_free(pkey);
                 }
 
-        i=OBJ_obj2nid(x->sig_alg->algorithm);
-        if (BIO_printf(bp,"%4sSignature Algorithm: %s","",
-                (i == NID_undef)?"UNKNOWN":OBJ_nid2ln(i)) <= 0) goto err;
+        if (!(cflag & X509_FLAG_NO_EXTENSIONS))
+                X509V3_extensions_print(bp, "X509v3 extensions",
+                                        ci->extensions, cflag, 8);
 
-        n=x->signature->length;
-        s=(char *)x->signature->data;
-        for (i=0; i<n; i++)
+        if(!(cflag & X509_FLAG_NO_SIGDUMP))
                 {
-                if ((i%18) == 0)
-                        if (BIO_write(bp,"\n        ",9) <= 0) goto err;
-                if (BIO_printf(bp,"%02x%s",(unsigned char)s[i],
-                        ((i+1) == n)?"":":") <= 0) goto err;
+                if(X509_signature_print(bp, x->sig_alg, x->signature) <= 0) goto err;
+                }
+        if(!(cflag & X509_FLAG_NO_AUX))
+                {
+                if (!X509_CERT_AUX_print(bp, x->aux, 0)) goto err;
                 }
-        if (BIO_write(bp,"\n",1) != 1) goto err;
-        if (!X509_CERT_AUX_print(bp, x->aux, 0)) goto err;
         ret=1;
 err:
         if (str != NULL) ASN1_STRING_free(str);
@@ -227,6 +253,71 @@ err:
         return(ret);
         }
 
+int X509_ocspid_print (BIO *bp, X509 *x)
+        {
+        unsigned char *der=NULL ;
+        unsigned char *dertmp;
+        int derlen;
+        int i;
+        unsigned char SHA1md[SHA_DIGEST_LENGTH];
+
+        /* display the hash of the subject as it would appear
+           in OCSP requests */
+        if (BIO_printf(bp,"        Subject OCSP hash: ") <= 0)
+                goto err;
+        derlen = i2d_X509_NAME(x->cert_info->subject, NULL);
+        if ((der = dertmp = (unsigned char *)OPENSSL_malloc (derlen)) == NULL)
+                goto err;
+        i2d_X509_NAME(x->cert_info->subject, &dertmp);
+
+        EVP_Digest(der, derlen, SHA1md, NULL, EVP_sha1(), NULL);
+        for (i=0; i < SHA_DIGEST_LENGTH; i++)
+                {
+                if (BIO_printf(bp,"%02X",SHA1md[i]) <= 0) goto err;
+                }
+        OPENSSL_free (der);
+        der=NULL;
+
+        /* display the hash of the public key as it would appear
+           in OCSP requests */
+        if (BIO_printf(bp,"\n        Public key OCSP hash: ") <= 0)
+                goto err;
+
+        EVP_Digest(x->cert_info->key->public_key->data,
+                x->cert_info->key->public_key->length, SHA1md, NULL, EVP_sha1(), NULL);
+        for (i=0; i < SHA_DIGEST_LENGTH; i++)
+                {
+                if (BIO_printf(bp,"%02X",SHA1md[i]) <= 0)
+                        goto err;
+                }
+        BIO_printf(bp,"\n");
+
+        return (1);
+err:
+        if (der != NULL) OPENSSL_free(der);
+        return(0);
+        }
+
+int X509_signature_print(BIO *bp, X509_ALGOR *sigalg, ASN1_STRING *sig)
+{
+        unsigned char *s;
+        int i, n;
+        if (BIO_puts(bp,"    Signature Algorithm: ") <= 0) return 0;
+        if (i2a_ASN1_OBJECT(bp, sigalg->algorithm) <= 0) return 0;
+
+        n=sig->length;
+        s=sig->data;
+        for (i=0; i<n; i++)
+                {
+                if ((i%18) == 0)
+                        if (BIO_write(bp,"\n        ",9) <= 0) return 0;
+                        if (BIO_printf(bp,"%02x%s",s[i],
+                                ((i+1) == n)?"":":") <= 0) return 0;
+                }
+        if (BIO_write(bp,"\n",1) != 1) return 0;
+        return 1;
+}
+
 int ASN1_STRING_print(BIO *bp, ASN1_STRING *v)
         {
         int i,n;
diff --git a/src/lib/libcrypto/asn1/t_x509a.c b/src/lib/libcrypto/asn1/t_x509a.c
index f06af5b576..7d4a6e6084 100644
--- a/src/lib/libcrypto/asn1/t_x509a.c
+++ b/src/lib/libcrypto/asn1/t_x509a.c
@@ -59,7 +59,7 @@
 #include <stdio.h>
 #include "cryptlib.h"
 #include <openssl/evp.h>
-#include <openssl/asn1_mac.h>
+#include <openssl/asn1.h>
 #include <openssl/x509.h>
 
 /* X509_CERT_AUX and string set routines
diff --git a/src/lib/libcrypto/asn1/tasn_dec.c b/src/lib/libcrypto/asn1/tasn_dec.c
new file mode 100644
index 0000000000..0fc1f421e2
--- /dev/null
+++ b/src/lib/libcrypto/asn1/tasn_dec.c
@@ -0,0 +1,958 @@
+/* tasn_dec.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+
+#include <stddef.h>
+#include <string.h>
+#include <openssl/asn1.h>
+#include <openssl/asn1t.h>
+#include <openssl/objects.h>
+#include <openssl/buffer.h>
+#include <openssl/err.h>
+
+static int asn1_check_eoc(unsigned char **in, long len);
+static int asn1_collect(BUF_MEM *buf, unsigned char **in, long len, char inf, int tag, int aclass);
+static int collect_data(BUF_MEM *buf, unsigned char **p, long plen);
+static int asn1_check_tlen(long *olen, int *otag, unsigned char *oclass, char *inf, char *cst,
+                        unsigned char **in, long len, int exptag, int expclass, char opt, ASN1_TLC *ctx);
+static int asn1_template_ex_d2i(ASN1_VALUE **pval, unsigned char **in, long len, const ASN1_TEMPLATE *tt, char opt, ASN1_TLC *ctx);
+static int asn1_template_noexp_d2i(ASN1_VALUE **val, unsigned char **in, long len, const ASN1_TEMPLATE *tt, char opt, ASN1_TLC *ctx);
+static int asn1_d2i_ex_primitive(ASN1_VALUE **pval, unsigned char **in, long len,
+                                        const ASN1_ITEM *it, int tag, int aclass, char opt, ASN1_TLC *ctx);
+
+/* Table to convert tags to bit values, used for MSTRING type */
+static unsigned long tag2bit[32]={
+0,      0,      0,      B_ASN1_BIT_STRING,      /* tags  0 -  3 */
+B_ASN1_OCTET_STRING,    0,      0,              B_ASN1_UNKNOWN,/* tags  4- 7 */
+B_ASN1_UNKNOWN, B_ASN1_UNKNOWN, B_ASN1_UNKNOWN, B_ASN1_UNKNOWN,/* tags  8-11 */
+B_ASN1_UTF8STRING,B_ASN1_UNKNOWN,B_ASN1_UNKNOWN,B_ASN1_UNKNOWN,/* tags 12-15 */
+0,      0,      B_ASN1_NUMERICSTRING,B_ASN1_PRINTABLESTRING,   /* tags 16-19 */
+B_ASN1_T61STRING,B_ASN1_VIDEOTEXSTRING,B_ASN1_IA5STRING,       /* tags 20-22 */
+B_ASN1_UTCTIME, B_ASN1_GENERALIZEDTIME,                        /* tags 23-24 */ 
+B_ASN1_GRAPHICSTRING,B_ASN1_ISO64STRING,B_ASN1_GENERALSTRING,  /* tags 25-27 */
+B_ASN1_UNIVERSALSTRING,B_ASN1_UNKNOWN,B_ASN1_BMPSTRING,B_ASN1_UNKNOWN, /* tags 28-31 */
+        };
+
+unsigned long ASN1_tag2bit(int tag)
+{
+        if((tag < 0) || (tag > 30)) return 0;
+        return tag2bit[tag];
+}
+
+/* Macro to initialize and invalidate the cache */
+
+#define asn1_tlc_clear(c)       if(c) (c)->valid = 0
+
+/* Decode an ASN1 item, this currently behaves just 
+ * like a standard 'd2i' function. 'in' points to 
+ * a buffer to read the data from, in future we will
+ * have more advanced versions that can input data
+ * a piece at a time and this will simply be a special
+ * case.
+ */
+
+ASN1_VALUE *ASN1_item_d2i(ASN1_VALUE **pval, unsigned char **in, long len, const ASN1_ITEM *it)
+{
+        ASN1_TLC c;
+        ASN1_VALUE *ptmpval = NULL;
+        if(!pval) pval = &ptmpval;
+        asn1_tlc_clear(&c);
+        if(ASN1_item_ex_d2i(pval, in, len, it, -1, 0, 0, &c) > 0) 
+                return *pval;
+        return NULL;
+}
+
+int ASN1_template_d2i(ASN1_VALUE **pval, unsigned char **in, long len, const ASN1_TEMPLATE *tt)
+{
+        ASN1_TLC c;
+        asn1_tlc_clear(&c);
+        return asn1_template_ex_d2i(pval, in, len, tt, 0, &c);
+}
+
+
+/* Decode an item, taking care of IMPLICIT tagging, if any.
+ * If 'opt' set and tag mismatch return -1 to handle OPTIONAL
+ */
+
+int ASN1_item_ex_d2i(ASN1_VALUE **pval, unsigned char **in, long len, const ASN1_ITEM *it,
+                                int tag, int aclass, char opt, ASN1_TLC *ctx)
+{
+        const ASN1_TEMPLATE *tt, *errtt = NULL;
+        const ASN1_COMPAT_FUNCS *cf;
+        const ASN1_EXTERN_FUNCS *ef;
+        const ASN1_AUX *aux = it->funcs;
+        ASN1_aux_cb *asn1_cb;
+        unsigned char *p, *q, imphack = 0, oclass;
+        char seq_eoc, seq_nolen, cst, isopt;
+        long tmplen;
+        int i;
+        int otag;
+        int ret = 0;
+        ASN1_VALUE *pchval, **pchptr, *ptmpval;
+        if(!pval) return 0;
+        if(aux && aux->asn1_cb) asn1_cb = aux->asn1_cb;
+        else asn1_cb = 0;
+
+        switch(it->itype) {
+
+                case ASN1_ITYPE_PRIMITIVE:
+                if(it->templates) {
+                        /* tagging or OPTIONAL is currently illegal on an item template
+                         * because the flags can't get passed down. In practice this isn't
+                         * a problem: we include the relevant flags from the item template
+                         * in the template itself.
+                         */
+                        if ((tag != -1) || opt) {
+                                ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_ILLEGAL_OPTIONS_ON_ITEM_TEMPLATE);
+                                goto err;
+                        }
+                        return asn1_template_ex_d2i(pval, in, len, it->templates, opt, ctx);
+                }
+                return asn1_d2i_ex_primitive(pval, in, len, it, tag, aclass, opt, ctx);
+                break;
+
+                case ASN1_ITYPE_MSTRING:
+                p = *in;
+                /* Just read in tag and class */
+                ret = asn1_check_tlen(NULL, &otag, &oclass, NULL, NULL, &p, len, -1, 0, 1, ctx);
+                if(!ret) {
+                        ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ERR_R_NESTED_ASN1_ERROR);
+                        goto err;
+                } 
+                /* Must be UNIVERSAL class */
+                if(oclass != V_ASN1_UNIVERSAL) {
+                        /* If OPTIONAL, assume this is OK */
+                        if(opt) return -1;
+                        ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_MSTRING_NOT_UNIVERSAL);
+                        goto err;
+                } 
+                /* Check tag matches bit map */
+                if(!(ASN1_tag2bit(otag) & it->utype)) {
+                        /* If OPTIONAL, assume this is OK */
+                        if(opt) return -1;
+                        ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_MSTRING_WRONG_TAG);
+                        goto err;
+                } 
+                return asn1_d2i_ex_primitive(pval, in, len, it, otag, 0, 0, ctx);
+
+                case ASN1_ITYPE_EXTERN:
+                /* Use new style d2i */
+                ef = it->funcs;
+                return ef->asn1_ex_d2i(pval, in, len, it, tag, aclass, opt, ctx);
+
+                case ASN1_ITYPE_COMPAT:
+                /* we must resort to old style evil hackery */
+                cf = it->funcs;
+
+                /* If OPTIONAL see if it is there */
+                if(opt) {
+                        int exptag;
+                        p = *in;
+                        if(tag == -1) exptag = it->utype;
+                        else exptag = tag;
+                        /* Don't care about anything other than presence of expected tag */
+                        ret = asn1_check_tlen(NULL, NULL, NULL, NULL, NULL, &p, len, exptag, aclass, 1, ctx);
+                        if(!ret) {
+                                ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ERR_R_NESTED_ASN1_ERROR);
+                                goto err;
+                        }
+                        if(ret == -1) return -1;
+                }
+                /* This is the old style evil hack IMPLICIT handling:
+                 * since the underlying code is expecting a tag and
+                 * class other than the one present we change the
+                 * buffer temporarily then change it back afterwards.
+                 * This doesn't and never did work for tags > 30.
+                 *
+                 * Yes this is *horrible* but it is only needed for
+                 * old style d2i which will hopefully not be around
+                 * for much longer.
+                 * FIXME: should copy the buffer then modify it so
+                 * the input buffer can be const: we should *always*
+                 * copy because the old style d2i might modify the
+                 * buffer.
+                 */
+
+                if(tag != -1) {
+                        p = *in;
+                        imphack = *p;
+                        *p = (unsigned char)((*p & V_ASN1_CONSTRUCTED) | it->utype);
+                }
+
+                ptmpval = cf->asn1_d2i(pval, in, len);
+
+                if(tag != -1) *p = imphack;
+
+                if(ptmpval) return 1;
+                ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ERR_R_NESTED_ASN1_ERROR);
+                goto err;
+
+
+                case ASN1_ITYPE_CHOICE:
+                if(asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it))
+                                goto auxerr;
+
+                /* Allocate structure */
+                if(!*pval) {
+                        if(!ASN1_item_ex_new(pval, it)) {
+                                ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ERR_R_NESTED_ASN1_ERROR);
+                                goto err;
+                        }
+                }
+                /* CHOICE type, try each possibility in turn */
+                pchval = NULL;
+                p = *in;
+                for(i = 0, tt=it->templates; i < it->tcount; i++, tt++) {
+                        pchptr = asn1_get_field_ptr(pval, tt);
+                        /* We mark field as OPTIONAL so its absence
+                         * can be recognised.
+                         */
+                        ret = asn1_template_ex_d2i(pchptr, &p, len, tt, 1, ctx);
+                        /* If field not present, try the next one */
+                        if(ret == -1) continue;
+                        /* If positive return, read OK, break loop */
+                        if(ret > 0) break;
+                        /* Otherwise must be an ASN1 parsing error */
+                        errtt = tt;
+                        ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ERR_R_NESTED_ASN1_ERROR);
+                        goto err;
+                }
+                /* Did we fall off the end without reading anything? */
+                if(i == it->tcount) {
+                        /* If OPTIONAL, this is OK */
+                        if(opt) {
+                                /* Free and zero it */
+                                ASN1_item_ex_free(pval, it);
+                                return -1;
+                        }
+                        ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_NO_MATCHING_CHOICE_TYPE);
+                        goto err;
+                }
+                asn1_set_choice_selector(pval, i, it);
+                *in = p;
+                if(asn1_cb && !asn1_cb(ASN1_OP_D2I_POST, pval, it))
+                                goto auxerr;
+                return 1;
+
+                case ASN1_ITYPE_SEQUENCE:
+                p = *in;
+                tmplen = len;
+
+                /* If no IMPLICIT tagging set to SEQUENCE, UNIVERSAL */
+                if(tag == -1) {
+                        tag = V_ASN1_SEQUENCE;
+                        aclass = V_ASN1_UNIVERSAL;
+                }
+                /* Get SEQUENCE length and update len, p */
+                ret = asn1_check_tlen(&len, NULL, NULL, &seq_eoc, &cst, &p, len, tag, aclass, opt, ctx);
+                if(!ret) {
+                        ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ERR_R_NESTED_ASN1_ERROR);
+                        goto err;
+                } else if(ret == -1) return -1;
+                if(aux && (aux->flags & ASN1_AFLG_BROKEN)) {
+                        len = tmplen - (p - *in);
+                        seq_nolen = 1;
+                } else seq_nolen = seq_eoc;     /* If indefinite we don't do a length check */
+                if(!cst) {
+                        ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_SEQUENCE_NOT_CONSTRUCTED);
+                        goto err;
+                }
+
+                if(!*pval) {
+                        if(!ASN1_item_ex_new(pval, it)) {
+                                ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ERR_R_NESTED_ASN1_ERROR);
+                                goto err;
+                        }
+                }
+                if(asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it))
+                                goto auxerr;
+
+                /* Get each field entry */
+                for(i = 0, tt = it->templates; i < it->tcount; i++, tt++) {
+                        const ASN1_TEMPLATE *seqtt;
+                        ASN1_VALUE **pseqval;
+                        seqtt = asn1_do_adb(pval, tt, 1);
+                        if(!seqtt) goto err;
+                        pseqval = asn1_get_field_ptr(pval, seqtt);
+                        /* Have we ran out of data? */
+                        if(!len) break;
+                        q = p;
+                        if(asn1_check_eoc(&p, len)) {
+                                if(!seq_eoc) {
+                                        ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_UNEXPECTED_EOC);
+                                        goto err;
+                                }
+                                len -= p - q;
+                                seq_eoc = 0;
+                                q = p;
+                                break;
+                        }
+                        /* This determines the OPTIONAL flag value. The field cannot
+                         * be omitted if it is the last of a SEQUENCE and there is
+                         * still data to be read. This isn't strictly necessary but
+                         * it increases efficiency in some cases.
+                         */
+                        if(i == (it->tcount - 1)) isopt = 0;
+                        else isopt = (char)(seqtt->flags & ASN1_TFLG_OPTIONAL);
+                        /* attempt to read in field, allowing each to be OPTIONAL */
+                        ret = asn1_template_ex_d2i(pseqval, &p, len, seqtt, isopt, ctx);
+                        if(!ret) {
+                                errtt = seqtt;
+                                goto err;
+                        } else if(ret == -1) {
+                                /* OPTIONAL component absent. Free and zero the field
+                                 */
+                                ASN1_template_free(pseqval, seqtt);
+                                continue;
+                        }
+                        /* Update length */
+                        len -= p - q;
+                }
+                /* Check for EOC if expecting one */
+                if(seq_eoc && !asn1_check_eoc(&p, len)) {
+                        ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_MISSING_EOC);
+                        goto err;
+                }
+                /* Check all data read */
+                if(!seq_nolen && len) {
+                        ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_SEQUENCE_LENGTH_MISMATCH);
+                        goto err;
+                }
+
+                /* If we get here we've got no more data in the SEQUENCE,
+                 * however we may not have read all fields so check all
+                 * remaining are OPTIONAL and clear any that are.
+                 */
+                for(; i < it->tcount; tt++, i++) {
+                        const ASN1_TEMPLATE *seqtt;
+                        seqtt = asn1_do_adb(pval, tt, 1);
+                        if(!seqtt) goto err;
+                        if(seqtt->flags & ASN1_TFLG_OPTIONAL) {
+                                ASN1_VALUE **pseqval;
+                                pseqval = asn1_get_field_ptr(pval, seqtt);
+                                ASN1_template_free(pseqval, seqtt);
+                        } else {
+                                errtt = seqtt;
+                                ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_FIELD_MISSING);
+                                goto err;
+                        }
+                }
+                /* Save encoding */
+                if(!asn1_enc_save(pval, *in, p - *in, it)) goto auxerr;
+                *in = p;
+                if(asn1_cb && !asn1_cb(ASN1_OP_D2I_POST, pval, it))
+                                goto auxerr;
+                return 1;
+
+                default:
+                return 0;
+        }
+        auxerr:
+        ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_AUX_ERROR);
+        err:
+        ASN1_item_ex_free(pval, it);
+        if(errtt) ERR_add_error_data(4, "Field=", errtt->field_name, ", Type=", it->sname);
+        else ERR_add_error_data(2, "Type=", it->sname);
+        return 0;
+}
+
+/* Templates are handled with two separate functions. One handles any EXPLICIT tag and the other handles the
+ * rest.
+ */
+
+static int asn1_template_ex_d2i(ASN1_VALUE **val, unsigned char **in, long inlen, const ASN1_TEMPLATE *tt, char opt, ASN1_TLC *ctx)
+{
+        int flags, aclass;
+        int ret;
+        long len;
+        unsigned char *p, *q;
+        char exp_eoc;
+        if(!val) return 0;
+        flags = tt->flags;
+        aclass = flags & ASN1_TFLG_TAG_CLASS;
+
+        p = *in;
+
+        /* Check if EXPLICIT tag expected */
+        if(flags & ASN1_TFLG_EXPTAG) {
+                char cst;
+                /* Need to work out amount of data available to the inner content and where it
+                 * starts: so read in EXPLICIT header to get the info.
+                 */
+                ret = asn1_check_tlen(&len, NULL, NULL, &exp_eoc, &cst, &p, inlen, tt->tag, aclass, opt, ctx);
+                q = p;
+                if(!ret) {
+                        ASN1err(ASN1_F_ASN1_TEMPLATE_EX_D2I, ERR_R_NESTED_ASN1_ERROR);
+                        return 0;
+                } else if(ret == -1) return -1;
+                if(!cst) {
+                        ASN1err(ASN1_F_ASN1_TEMPLATE_EX_D2I, ASN1_R_EXPLICIT_TAG_NOT_CONSTRUCTED);
+                        return 0;
+                }
+                /* We've found the field so it can't be OPTIONAL now */
+                ret = asn1_template_noexp_d2i(val, &p, len, tt, 0, ctx);
+                if(!ret) {
+                        ASN1err(ASN1_F_ASN1_TEMPLATE_EX_D2I, ERR_R_NESTED_ASN1_ERROR);
+                        return 0;
+                }
+                /* We read the field in OK so update length */
+                len -= p - q;
+                if(exp_eoc) {
+                        /* If NDEF we must have an EOC here */
+                        if(!asn1_check_eoc(&p, len)) {
+                                ASN1err(ASN1_F_ASN1_TEMPLATE_D2I, ASN1_R_MISSING_EOC);
+                                goto err;
+                        }
+                } else {
+                        /* Otherwise we must hit the EXPLICIT tag end or its an error */
+                        if(len) {
+                                ASN1err(ASN1_F_ASN1_TEMPLATE_D2I, ASN1_R_EXPLICIT_LENGTH_MISMATCH);
+                                goto err;
+                        }
+                }
+        } else 
+                return asn1_template_noexp_d2i(val, in, inlen, tt, opt, ctx);
+
+        *in = p;
+        return 1;
+
+        err:
+        ASN1_template_free(val, tt);
+        *val = NULL;
+        return 0;
+}
+
+static int asn1_template_noexp_d2i(ASN1_VALUE **val, unsigned char **in, long len, const ASN1_TEMPLATE *tt, char opt, ASN1_TLC *ctx)
+{
+        int flags, aclass;
+        int ret;
+        unsigned char *p, *q;
+        if(!val) return 0;
+        flags = tt->flags;
+        aclass = flags & ASN1_TFLG_TAG_CLASS;
+
+        p = *in;
+        q = p;
+
+        if(flags & ASN1_TFLG_SK_MASK) {
+                /* SET OF, SEQUENCE OF */
+                int sktag, skaclass;
+                char sk_eoc;
+                /* First work out expected inner tag value */
+                if(flags & ASN1_TFLG_IMPTAG) {
+                        sktag = tt->tag;
+                        skaclass = aclass;
+                } else {
+                        skaclass = V_ASN1_UNIVERSAL;
+                        if(flags & ASN1_TFLG_SET_OF) sktag = V_ASN1_SET;
+                        else sktag = V_ASN1_SEQUENCE;
+                }
+                /* Get the tag */
+                ret = asn1_check_tlen(&len, NULL, NULL, &sk_eoc, NULL, &p, len, sktag, skaclass, opt, ctx);
+                if(!ret) {
+                        ASN1err(ASN1_F_ASN1_TEMPLATE_EX_D2I, ERR_R_NESTED_ASN1_ERROR);
+                        return 0;
+                } else if(ret == -1) return -1;
+                if(!*val) *val = (ASN1_VALUE *)sk_new_null();
+                else {
+                        /* We've got a valid STACK: free up any items present */
+                        STACK *sktmp = (STACK *)*val;
+                        ASN1_VALUE *vtmp;
+                        while(sk_num(sktmp) > 0) {
+                                vtmp = (ASN1_VALUE *)sk_pop(sktmp);
+                                ASN1_item_ex_free(&vtmp, ASN1_ITEM_ptr(tt->item));
+                        }
+                }
+                                
+                if(!*val) {
+                        ASN1err(ASN1_F_ASN1_TEMPLATE_EX_D2I, ERR_R_MALLOC_FAILURE);
+                        goto err;
+                }
+                /* Read as many items as we can */
+                while(len > 0) {
+                        ASN1_VALUE *skfield;
+                        q = p;
+                        /* See if EOC found */
+                        if(asn1_check_eoc(&p, len)) {
+                                if(!sk_eoc) {
+                                        ASN1err(ASN1_F_ASN1_TEMPLATE_D2I, ASN1_R_UNEXPECTED_EOC);
+                                        goto err;
+                                }
+                                len -= p - q;
+                                sk_eoc = 0;
+                                break;
+                        }
+                        skfield = NULL;
+                        if(!ASN1_item_ex_d2i(&skfield, &p, len, ASN1_ITEM_ptr(tt->item), -1, 0, 0, ctx)) {
+                                ASN1err(ASN1_F_ASN1_TEMPLATE_D2I, ERR_R_NESTED_ASN1_ERROR);
+                                goto err;
+                        }
+                        len -= p - q;
+                        if(!sk_push((STACK *)*val, (char *)skfield)) {
+                                ASN1err(ASN1_F_ASN1_TEMPLATE_D2I, ERR_R_MALLOC_FAILURE);
+                                goto err;
+                        }
+                }
+                if(sk_eoc) {
+                        ASN1err(ASN1_F_ASN1_TEMPLATE_D2I, ASN1_R_MISSING_EOC);
+                        goto err;
+                }
+        } else if(flags & ASN1_TFLG_IMPTAG) {
+                /* IMPLICIT tagging */
+                ret = ASN1_item_ex_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item), tt->tag, aclass, opt, ctx);
+                if(!ret) {
+                        ASN1err(ASN1_F_ASN1_TEMPLATE_D2I, ERR_R_NESTED_ASN1_ERROR);
+                        goto err;
+                } else if(ret == -1) return -1;
+        } else {
+                /* Nothing special */
+                ret = ASN1_item_ex_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item), -1, 0, opt, ctx);
+                if(!ret) {
+                        ASN1err(ASN1_F_ASN1_TEMPLATE_D2I, ERR_R_NESTED_ASN1_ERROR);
+                        goto err;
+                } else if(ret == -1) return -1;
+        }
+
+        *in = p;
+        return 1;
+
+        err:
+        ASN1_template_free(val, tt);
+        *val = NULL;
+        return 0;
+}
+
+static int asn1_d2i_ex_primitive(ASN1_VALUE **pval, unsigned char **in, long inlen, 
+                                                const ASN1_ITEM *it,
+                                                int tag, int aclass, char opt, ASN1_TLC *ctx)
+{
+        int ret = 0, utype;
+        long plen;
+        char cst, inf, free_cont = 0;
+        unsigned char *p;
+        BUF_MEM buf;
+        unsigned char *cont = NULL;
+        long len; 
+        if(!pval) {
+                ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE, ASN1_R_ILLEGAL_NULL);
+                return 0; /* Should never happen */
+        }
+
+        if(it->itype == ASN1_ITYPE_MSTRING) {
+                utype = tag;
+                tag = -1;
+        } else utype = it->utype;
+
+        if(utype == V_ASN1_ANY) {
+                /* If type is ANY need to figure out type from tag */
+                unsigned char oclass;
+                if(tag >= 0) {
+                        ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE, ASN1_R_ILLEGAL_TAGGED_ANY);
+                        return 0;
+                }
+                if(opt) {
+                        ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE, ASN1_R_ILLEGAL_OPTIONAL_ANY);
+                        return 0;
+                }
+                p = *in;
+                ret = asn1_check_tlen(NULL, &utype, &oclass, NULL, NULL, &p, inlen, -1, 0, 0, ctx);
+                if(!ret) {
+                        ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE, ERR_R_NESTED_ASN1_ERROR);
+                        return 0;
+                }
+                if(oclass != V_ASN1_UNIVERSAL) utype = V_ASN1_OTHER;
+        }
+        if(tag == -1) {
+                tag = utype;
+                aclass = V_ASN1_UNIVERSAL;
+        }
+        p = *in;
+        /* Check header */
+        ret = asn1_check_tlen(&plen, NULL, NULL, &inf, &cst, &p, inlen, tag, aclass, opt, ctx);
+        if(!ret) {
+                ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE, ERR_R_NESTED_ASN1_ERROR);
+                return 0;
+        } else if(ret == -1) return -1;
+        /* SEQUENCE, SET and "OTHER" are left in encoded form */
+        if((utype == V_ASN1_SEQUENCE) || (utype == V_ASN1_SET) || (utype == V_ASN1_OTHER)) {
+                /* Clear context cache for type OTHER because the auto clear when
+                 * we have a exact match wont work
+                 */
+                if(utype == V_ASN1_OTHER) {
+                        asn1_tlc_clear(ctx);
+                /* SEQUENCE and SET must be constructed */
+                } else if(!cst) {
+                        ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE, ASN1_R_TYPE_NOT_CONSTRUCTED);
+                        return 0;
+                }
+
+                cont = *in;
+                /* If indefinite length constructed find the real end */
+                if(inf) {
+                        if(!asn1_collect(NULL, &p, plen, inf, -1, -1)) goto err;
+                        len = p - cont;
+                } else {
+                        len = p - cont + plen;
+                        p += plen;
+                        buf.data = NULL;
+                }
+        } else if(cst) {
+                buf.length = 0;
+                buf.max = 0;
+                buf.data = NULL;
+                /* Should really check the internal tags are correct but
+                 * some things may get this wrong. The relevant specs
+                 * say that constructed string types should be OCTET STRINGs
+                 * internally irrespective of the type. So instead just check
+                 * for UNIVERSAL class and ignore the tag.
+                 */
+                if(!asn1_collect(&buf, &p, plen, inf, -1, V_ASN1_UNIVERSAL)) goto err;
+                len = buf.length;
+                /* Append a final null to string */
+                if(!BUF_MEM_grow(&buf, len + 1)) {
+                        ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE, ERR_R_MALLOC_FAILURE);
+                        return 0;
+                }
+                buf.data[len] = 0;
+                cont = (unsigned char *)buf.data;
+                free_cont = 1;
+        } else {
+                cont = p;
+                len = plen;
+                p += plen;
+        }
+
+        /* We now have content length and type: translate into a structure */
+        if(!asn1_ex_c2i(pval, cont, len, utype, &free_cont, it)) goto err;
+
+        *in = p;
+        ret = 1;
+        err:
+        if(free_cont && buf.data) OPENSSL_free(buf.data);
+        return ret;
+}
+
+/* Translate ASN1 content octets into a structure */
+
+int asn1_ex_c2i(ASN1_VALUE **pval, unsigned char *cont, int len, int utype, char *free_cont, const ASN1_ITEM *it)
+{
+        ASN1_STRING *stmp;
+        ASN1_TYPE *typ = NULL;
+        int ret = 0;
+        const ASN1_PRIMITIVE_FUNCS *pf;
+        ASN1_INTEGER **tint;
+        pf = it->funcs;
+        if(pf && pf->prim_c2i) return pf->prim_c2i(pval, cont, len, utype, free_cont, it);
+        /* If ANY type clear type and set pointer to internal value */
+        if(it->utype == V_ASN1_ANY) {
+                if(!*pval) {
+                        typ = ASN1_TYPE_new();
+                        *pval = (ASN1_VALUE *)typ;
+                } else typ = (ASN1_TYPE *)*pval;
+                if(utype != typ->type) ASN1_TYPE_set(typ, utype, NULL);
+                pval = (ASN1_VALUE **)&typ->value.ptr;
+        }
+        switch(utype) {
+                case V_ASN1_OBJECT:
+                if(!c2i_ASN1_OBJECT((ASN1_OBJECT **)pval, &cont, len)) goto err;
+                break;
+
+                case V_ASN1_NULL:
+                if(len) {
+                        ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE, ASN1_R_NULL_IS_WRONG_LENGTH);
+                        goto err;
+                }
+                *pval = (ASN1_VALUE *)1;
+                break;
+
+                case V_ASN1_BOOLEAN:
+                if(len != 1) {
+                        ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE, ASN1_R_BOOLEAN_IS_WRONG_LENGTH);
+                        goto err;
+                } else {
+                        ASN1_BOOLEAN *tbool;
+                        tbool = (ASN1_BOOLEAN *)pval;
+                        *tbool = *cont;
+                }
+                break;
+
+                case V_ASN1_BIT_STRING:
+                if(!c2i_ASN1_BIT_STRING((ASN1_BIT_STRING **)pval, &cont, len)) goto err;
+                break;
+
+                case V_ASN1_INTEGER:
+                case V_ASN1_NEG_INTEGER:
+                case V_ASN1_ENUMERATED:
+                case V_ASN1_NEG_ENUMERATED:
+                tint = (ASN1_INTEGER **)pval;
+                if(!c2i_ASN1_INTEGER(tint, &cont, len)) goto err;
+                /* Fixup type to match the expected form */
+                (*tint)->type = utype | ((*tint)->type & V_ASN1_NEG);
+                break;
+
+                case V_ASN1_OCTET_STRING:
+                case V_ASN1_NUMERICSTRING:
+                case V_ASN1_PRINTABLESTRING:
+                case V_ASN1_T61STRING:
+                case V_ASN1_VIDEOTEXSTRING:
+                case V_ASN1_IA5STRING:
+                case V_ASN1_UTCTIME:
+                case V_ASN1_GENERALIZEDTIME:
+                case V_ASN1_GRAPHICSTRING:
+                case V_ASN1_VISIBLESTRING:
+                case V_ASN1_GENERALSTRING:
+                case V_ASN1_UNIVERSALSTRING:
+                case V_ASN1_BMPSTRING:
+                case V_ASN1_UTF8STRING:
+                case V_ASN1_OTHER:
+                case V_ASN1_SET:
+                case V_ASN1_SEQUENCE:
+                default:
+                /* All based on ASN1_STRING and handled the same */
+                if(!*pval) {
+                        stmp = ASN1_STRING_type_new(utype);
+                        if(!stmp) {
+                                ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE, ERR_R_MALLOC_FAILURE);
+                                goto err;
+                        }
+                        *pval = (ASN1_VALUE *)stmp;
+                } else {
+                        stmp = (ASN1_STRING *)*pval;
+                        stmp->type = utype;
+                }
+                /* If we've already allocated a buffer use it */
+                if(*free_cont) {
+                        if(stmp->data) OPENSSL_free(stmp->data);
+                        stmp->data = cont;
+                        stmp->length = len;
+                        *free_cont = 0;
+                } else {
+                        if(!ASN1_STRING_set(stmp, cont, len)) {
+                                ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE, ERR_R_MALLOC_FAILURE);
+                                ASN1_STRING_free(stmp); 
+                                *pval = NULL;
+                                goto err;
+                        }
+                }
+                break;
+        }
+        /* If ASN1_ANY and NULL type fix up value */
+        if(typ && utype==V_ASN1_NULL) typ->value.ptr = NULL;
+
+        ret = 1;
+        err:
+        if(!ret) ASN1_TYPE_free(typ);
+        return ret;
+}
+
+/* This function collects the asn1 data from a constructred string
+ * type into a buffer. The values of 'in' and 'len' should refer
+ * to the contents of the constructed type and 'inf' should be set
+ * if it is indefinite length. If 'buf' is NULL then we just want
+ * to find the end of the current structure: useful for indefinite
+ * length constructed stuff.
+ */
+
+static int asn1_collect(BUF_MEM *buf, unsigned char **in, long len, char inf, int tag, int aclass)
+{
+        unsigned char *p, *q;
+        long plen;
+        char cst, ininf;
+        p = *in;
+        inf &= 1;
+        /* If no buffer and not indefinite length constructed just pass over the encoded data */
+        if(!buf && !inf) {
+                *in += len;
+                return 1;
+        }
+        while(len > 0) {
+                q = p;
+                /* Check for EOC */
+                if(asn1_check_eoc(&p, len)) {
+                        /* EOC is illegal outside indefinite length constructed form */
+                        if(!inf) {
+                                ASN1err(ASN1_F_ASN1_COLLECT, ASN1_R_UNEXPECTED_EOC);
+                                return 0;
+                        }
+                        inf = 0;
+                        break;
+                }
+                if(!asn1_check_tlen(&plen, NULL, NULL, &ininf, &cst, &p, len, tag, aclass, 0, NULL)) {
+                        ASN1err(ASN1_F_ASN1_COLLECT, ERR_R_NESTED_ASN1_ERROR);
+                        return 0;
+                }
+                /* If indefinite length constructed update max length */
+                if(cst) {
+                        if(!asn1_collect(buf, &p, plen, ininf, tag, aclass)) return 0;
+                } else {
+                        if(!collect_data(buf, &p, plen)) return 0;
+                }
+                len -= p - q;
+        }
+        if(inf) {
+                ASN1err(ASN1_F_ASN1_COLLECT, ASN1_R_MISSING_EOC);
+                return 0;
+        }
+        *in = p;
+        return 1;
+}
+
+static int collect_data(BUF_MEM *buf, unsigned char **p, long plen)
+{
+                int len;
+                if(buf) {
+                        len = buf->length;
+                        if(!BUF_MEM_grow(buf, len + plen)) {
+                                ASN1err(ASN1_F_COLLECT_DATA, ERR_R_MALLOC_FAILURE);
+                                return 0;
+                        }
+                        memcpy(buf->data + len, *p, plen);
+                }
+                *p += plen;
+                return 1;
+}
+
+/* Check for ASN1 EOC and swallow it if found */
+
+static int asn1_check_eoc(unsigned char **in, long len)
+{
+        unsigned char *p;
+        if(len < 2) return 0;
+        p = *in;
+        if(!p[0] && !p[1]) {
+                *in += 2;
+                return 1;
+        }
+        return 0;
+}
+
+/* Check an ASN1 tag and length: a bit like ASN1_get_object
+ * but it sets the length for indefinite length constructed
+ * form, we don't know the exact length but we can set an
+ * upper bound to the amount of data available minus the
+ * header length just read.
+ */
+
+static int asn1_check_tlen(long *olen, int *otag, unsigned char *oclass, char *inf, char *cst,
+                unsigned char **in, long len, int exptag, int expclass, char opt, ASN1_TLC *ctx)
+{
+        int i;
+        int ptag, pclass;
+        long plen;
+        unsigned char *p, *q;
+        p = *in;
+        q = p;
+
+        if(ctx && ctx->valid) {
+                i = ctx->ret;
+                plen = ctx->plen;
+                pclass = ctx->pclass;
+                ptag = ctx->ptag;
+                p += ctx->hdrlen;
+        } else {
+                i = ASN1_get_object(&p, &plen, &ptag, &pclass, len);
+                if(ctx) {
+                        ctx->ret = i;
+                        ctx->plen = plen;
+                        ctx->pclass = pclass;
+                        ctx->ptag = ptag;
+                        ctx->hdrlen = p - q;
+                        ctx->valid = 1;
+                        /* If definite length, length + header can't exceed total
+                         * amount of data available.
+                         */
+                        if(!(i & 1) && ((plen + ctx->hdrlen) > len)) {
+                                ASN1err(ASN1_F_ASN1_CHECK_TLEN, ASN1_R_TOO_LONG);
+                                asn1_tlc_clear(ctx);
+                                return 0;
+                        }
+                }
+        }
+
+        if(i & 0x80) {
+                ASN1err(ASN1_F_ASN1_CHECK_TLEN, ASN1_R_BAD_OBJECT_HEADER);
+                asn1_tlc_clear(ctx);
+                return 0;
+        }
+        if(exptag >= 0) {
+                if((exptag != ptag) || (expclass != pclass)) {
+                        /* If type is OPTIONAL, not an error, but indicate missing
+                         * type.
+                         */
+                        if(opt) return -1;
+                        asn1_tlc_clear(ctx);
+                        ASN1err(ASN1_F_ASN1_CHECK_TLEN, ASN1_R_WRONG_TAG);
+                        return 0;
+                }
+                /* We have a tag and class match, so assume we are going to do something with it */
+                asn1_tlc_clear(ctx);
+        }
+
+        if(i & 1) plen = len - (p - q);
+
+        if(inf) *inf = i & 1;
+
+        if(cst) *cst = i & V_ASN1_CONSTRUCTED;
+
+        if(olen) *olen = plen;
+        if(oclass) *oclass = pclass;
+        if(otag) *otag = ptag;
+
+        *in = p;
+        return 1;
+}
diff --git a/src/lib/libcrypto/asn1/tasn_enc.c b/src/lib/libcrypto/asn1/tasn_enc.c
new file mode 100644
index 0000000000..f6c8ddef0a
--- /dev/null
+++ b/src/lib/libcrypto/asn1/tasn_enc.c
@@ -0,0 +1,497 @@
+/* tasn_enc.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+
+#include <stddef.h>
+#include <string.h>
+#include <openssl/asn1.h>
+#include <openssl/asn1t.h>
+#include <openssl/objects.h>
+
+static int asn1_i2d_ex_primitive(ASN1_VALUE **pval, unsigned char **out, const ASN1_ITEM *it, int tag, int aclass);
+static int asn1_set_seq_out(STACK_OF(ASN1_VALUE) *seq, unsigned char **out, int skcontlen, const ASN1_ITEM *item, int isset);
+
+/* Encode an ASN1 item, this is compatible with the
+ * standard 'i2d' function. 'out' points to 
+ * a buffer to output the data to, in future we will
+ * have more advanced versions that can output data
+ * a piece at a time and this will simply be a special
+ * case.
+ *
+ * The new i2d has one additional feature. If the output
+ * buffer is NULL (i.e. *out == NULL) then a buffer is
+ * allocated and populated with the encoding.
+ */
+
+
+int ASN1_item_i2d(ASN1_VALUE *val, unsigned char **out, const ASN1_ITEM *it)
+{
+        if(out && !*out) {
+                unsigned char *p, *buf;
+                int len;
+                len = ASN1_item_ex_i2d(&val, NULL, it, -1, 0);
+                if(len <= 0) return len;
+                buf = OPENSSL_malloc(len);
+                if(!buf) return -1;
+                p = buf;
+                ASN1_item_ex_i2d(&val, &p, it, -1, 0);
+                *out = buf;
+                return len;
+        }
+                
+        return ASN1_item_ex_i2d(&val, out, it, -1, 0);
+}
+
+/* Encode an item, taking care of IMPLICIT tagging (if any).
+ * This function performs the normal item handling: it can be
+ * used in external types.
+ */
+
+int ASN1_item_ex_i2d(ASN1_VALUE **pval, unsigned char **out, const ASN1_ITEM *it, int tag, int aclass)
+{
+        const ASN1_TEMPLATE *tt = NULL;
+        unsigned char *p = NULL;
+        int i, seqcontlen, seqlen;
+        ASN1_STRING *strtmp;
+        const ASN1_COMPAT_FUNCS *cf;
+        const ASN1_EXTERN_FUNCS *ef;
+        const ASN1_AUX *aux = it->funcs;
+        ASN1_aux_cb *asn1_cb;
+        if((it->itype != ASN1_ITYPE_PRIMITIVE) && !*pval) return 0;
+        if(aux && aux->asn1_cb) asn1_cb = aux->asn1_cb;
+        else asn1_cb = 0;
+
+        switch(it->itype) {
+
+                case ASN1_ITYPE_PRIMITIVE:
+                if(it->templates)
+                        return ASN1_template_i2d(pval, out, it->templates);
+                return asn1_i2d_ex_primitive(pval, out, it, tag, aclass);
+                break;
+
+                case ASN1_ITYPE_MSTRING:
+                strtmp = (ASN1_STRING *)*pval;
+                return asn1_i2d_ex_primitive(pval, out, it, -1, 0);
+
+                case ASN1_ITYPE_CHOICE:
+                if(asn1_cb && !asn1_cb(ASN1_OP_I2D_PRE, pval, it))
+                                return 0;
+                i = asn1_get_choice_selector(pval, it);
+                if((i >= 0) && (i < it->tcount)) {
+                        ASN1_VALUE **pchval;
+                        const ASN1_TEMPLATE *chtt;
+                        chtt = it->templates + i;
+                        pchval = asn1_get_field_ptr(pval, chtt);
+                        return ASN1_template_i2d(pchval, out, chtt);
+                } 
+                /* Fixme: error condition if selector out of range */
+                if(asn1_cb && !asn1_cb(ASN1_OP_I2D_POST, pval, it))
+                                return 0;
+                break;
+
+                case ASN1_ITYPE_EXTERN:
+                /* If new style i2d it does all the work */
+                ef = it->funcs;
+                return ef->asn1_ex_i2d(pval, out, it, tag, aclass);
+
+                case ASN1_ITYPE_COMPAT:
+                /* old style hackery... */
+                cf = it->funcs;
+                if(out) p = *out;
+                i = cf->asn1_i2d(*pval, out);
+                /* Fixup for IMPLICIT tag: note this messes up for tags > 30,
+                 * but so did the old code. Tags > 30 are very rare anyway.
+                 */
+                if(out && (tag != -1))
+                        *p = aclass | tag | (*p & V_ASN1_CONSTRUCTED);
+                return i;
+                
+                case ASN1_ITYPE_SEQUENCE:
+                i = asn1_enc_restore(&seqcontlen, out, pval, it);
+                /* An error occurred */
+                if(i < 0) return 0;
+                /* We have a valid cached encoding... */
+                if(i > 0) return seqcontlen;
+                /* Otherwise carry on */
+                seqcontlen = 0;
+                /* If no IMPLICIT tagging set to SEQUENCE, UNIVERSAL */
+                if(tag == -1) {
+                        tag = V_ASN1_SEQUENCE;
+                        aclass = V_ASN1_UNIVERSAL;
+                }
+                if(asn1_cb && !asn1_cb(ASN1_OP_I2D_PRE, pval, it))
+                                return 0;
+                /* First work out sequence content length */
+                for(i = 0, tt = it->templates; i < it->tcount; tt++, i++) {
+                        const ASN1_TEMPLATE *seqtt;
+                        ASN1_VALUE **pseqval;
+                        seqtt = asn1_do_adb(pval, tt, 1);
+                        if(!seqtt) return 0;
+                        pseqval = asn1_get_field_ptr(pval, seqtt);
+                        /* FIXME: check for errors in enhanced version */
+                        /* FIXME: special handling of indefinite length encoding */
+                        seqcontlen += ASN1_template_i2d(pseqval, NULL, seqtt);
+                }
+                seqlen = ASN1_object_size(1, seqcontlen, tag);
+                if(!out) return seqlen;
+                /* Output SEQUENCE header */
+                ASN1_put_object(out, 1, seqcontlen, tag, aclass);
+                for(i = 0, tt = it->templates; i < it->tcount; tt++, i++) {
+                        const ASN1_TEMPLATE *seqtt;
+                        ASN1_VALUE **pseqval;
+                        seqtt = asn1_do_adb(pval, tt, 1);
+                        if(!seqtt) return 0;
+                        pseqval = asn1_get_field_ptr(pval, seqtt);
+                        /* FIXME: check for errors in enhanced version */
+                        ASN1_template_i2d(pseqval, out, seqtt);
+                }
+                if(asn1_cb  && !asn1_cb(ASN1_OP_I2D_POST, pval, it))
+                                return 0;
+                return seqlen;
+
+                default:
+                return 0;
+        }
+        return 0;
+}
+
+int ASN1_template_i2d(ASN1_VALUE **pval, unsigned char **out, const ASN1_TEMPLATE *tt)
+{
+        int i, ret, flags, aclass;
+        flags = tt->flags;
+        aclass = flags & ASN1_TFLG_TAG_CLASS;
+        if(flags & ASN1_TFLG_SK_MASK) {
+                /* SET OF, SEQUENCE OF */
+                STACK_OF(ASN1_VALUE) *sk = (STACK_OF(ASN1_VALUE) *)*pval;
+                int isset, sktag, skaclass;
+                int skcontlen, sklen;
+                ASN1_VALUE *skitem;
+                if(!*pval) return 0;
+                if(flags & ASN1_TFLG_SET_OF) {
+                        isset = 1;
+                        /* 2 means we reorder */
+                        if(flags & ASN1_TFLG_SEQUENCE_OF) isset = 2;
+                } else isset = 0;
+                /* First work out inner tag value */
+                if(flags & ASN1_TFLG_IMPTAG) {
+                        sktag = tt->tag;
+                        skaclass = aclass;
+                } else {
+                        skaclass = V_ASN1_UNIVERSAL;
+                        if(isset) sktag = V_ASN1_SET;
+                        else sktag = V_ASN1_SEQUENCE;
+                }
+                /* Now work out length of items */
+                skcontlen = 0;
+                for(i = 0; i < sk_ASN1_VALUE_num(sk); i++) {
+                        skitem = sk_ASN1_VALUE_value(sk, i);
+                        skcontlen += ASN1_item_ex_i2d(&skitem, NULL, ASN1_ITEM_ptr(tt->item), -1, 0);
+                }
+                sklen = ASN1_object_size(1, skcontlen, sktag);
+                /* If EXPLICIT need length of surrounding tag */
+                if(flags & ASN1_TFLG_EXPTAG)
+                        ret = ASN1_object_size(1, sklen, tt->tag);
+                else ret = sklen;
+
+                if(!out) return ret;
+
+                /* Now encode this lot... */
+                /* EXPLICIT tag */
+                if(flags & ASN1_TFLG_EXPTAG)
+                        ASN1_put_object(out, 1, sklen, tt->tag, aclass);
+                /* SET or SEQUENCE and IMPLICIT tag */
+                ASN1_put_object(out, 1, skcontlen, sktag, skaclass);
+                /* And finally the stuff itself */
+                asn1_set_seq_out(sk, out, skcontlen, ASN1_ITEM_ptr(tt->item), isset);
+
+                return ret;
+        }
+                        
+        if(flags & ASN1_TFLG_EXPTAG) {
+                /* EXPLICIT tagging */
+                /* Find length of tagged item */
+                i = ASN1_item_ex_i2d(pval, NULL, ASN1_ITEM_ptr(tt->item), -1, 0);
+                if(!i) return 0;
+                /* Find length of EXPLICIT tag */
+                ret = ASN1_object_size(1, i, tt->tag);
+                if(out) {
+                        /* Output tag and item */
+                        ASN1_put_object(out, 1, i, tt->tag, aclass);
+                        ASN1_item_ex_i2d(pval, out, ASN1_ITEM_ptr(tt->item), -1, 0);
+                }
+                return ret;
+        }
+        if(flags & ASN1_TFLG_IMPTAG) {
+                /* IMPLICIT tagging */
+                return ASN1_item_ex_i2d(pval, out, ASN1_ITEM_ptr(tt->item), tt->tag, aclass);
+        }
+        /* Nothing special: treat as normal */
+        return ASN1_item_ex_i2d(pval, out, ASN1_ITEM_ptr(tt->item), -1, 0);
+}
+
+/* Temporary structure used to hold DER encoding of items for SET OF */
+
+typedef struct {
+        unsigned char *data;
+        int length;
+        ASN1_VALUE *field;
+} DER_ENC;
+
+static int der_cmp(const void *a, const void *b)
+{
+        const DER_ENC *d1 = a, *d2 = b;
+        int cmplen, i;
+        cmplen = (d1->length < d2->length) ? d1->length : d2->length;
+        i = memcmp(d1->data, d2->data, cmplen);
+        if(i) return i;
+        return d1->length - d2->length;
+}
+
+/* Output the content octets of SET OF or SEQUENCE OF */
+
+static int asn1_set_seq_out(STACK_OF(ASN1_VALUE) *sk, unsigned char **out, int skcontlen, const ASN1_ITEM *item, int do_sort)
+{
+        int i;
+        ASN1_VALUE *skitem;
+        unsigned char *tmpdat = NULL, *p = NULL;
+        DER_ENC *derlst = NULL, *tder;
+        if(do_sort) {
+                /* Don't need to sort less than 2 items */
+                if(sk_ASN1_VALUE_num(sk) < 2) do_sort = 0;
+                else {
+                        derlst = OPENSSL_malloc(sk_ASN1_VALUE_num(sk) * sizeof(*derlst));
+                        tmpdat = OPENSSL_malloc(skcontlen);
+                        if(!derlst || !tmpdat) return 0;
+                }
+        }
+        /* If not sorting just output each item */
+        if(!do_sort) {
+                for(i = 0; i < sk_ASN1_VALUE_num(sk); i++) {
+                        skitem = sk_ASN1_VALUE_value(sk, i);
+                        ASN1_item_i2d(skitem, out, item);
+                }
+                return 1;
+        }
+        p = tmpdat;
+        /* Doing sort: build up a list of each member's DER encoding */
+        for(i = 0, tder = derlst; i < sk_ASN1_VALUE_num(sk); i++, tder++) {
+                skitem = sk_ASN1_VALUE_value(sk, i);
+                tder->data = p;
+                tder->length = ASN1_item_i2d(skitem, &p, item);
+                tder->field = skitem;
+        }
+        /* Now sort them */
+        qsort(derlst, sk_ASN1_VALUE_num(sk), sizeof(*derlst), der_cmp);
+        /* Output sorted DER encoding */        
+        p = *out;
+        for(i = 0, tder = derlst; i < sk_ASN1_VALUE_num(sk); i++, tder++) {
+                memcpy(p, tder->data, tder->length);
+                p += tder->length;
+        }
+        *out = p;
+        /* If do_sort is 2 then reorder the STACK */
+        if(do_sort == 2) {
+                for(i = 0, tder = derlst; i < sk_ASN1_VALUE_num(sk); i++, tder++)
+                        sk_ASN1_VALUE_set(sk, i, tder->field);
+        }
+        OPENSSL_free(derlst);
+        OPENSSL_free(tmpdat);
+        return 1;
+}
+
+static int asn1_i2d_ex_primitive(ASN1_VALUE **pval, unsigned char **out, const ASN1_ITEM *it, int tag, int aclass)
+{
+        int len;
+        int utype;
+        int usetag;
+
+        utype = it->utype;
+
+        /* Get length of content octets and maybe find
+         * out the underlying type.
+         */
+
+        len = asn1_ex_i2c(pval, NULL, &utype, it);
+
+        /* If SEQUENCE, SET or OTHER then header is
+         * included in pseudo content octets so don't
+         * include tag+length. We need to check here
+         * because the call to asn1_ex_i2c() could change
+         * utype.
+         */
+        if((utype == V_ASN1_SEQUENCE) || (utype == V_ASN1_SET) ||
+           (utype == V_ASN1_OTHER))
+                usetag = 0;
+        else usetag = 1;
+
+        /* -1 means omit type */
+
+        if(len == -1) return 0;
+
+        /* If not implicitly tagged get tag from underlying type */
+        if(tag == -1) tag = utype;
+
+        /* Output tag+length followed by content octets */
+        if(out) {
+                if(usetag) ASN1_put_object(out, 0, len, tag, aclass);
+                asn1_ex_i2c(pval, *out, &utype, it);
+                *out += len;
+        }
+
+        if(usetag) return ASN1_object_size(0, len, tag);
+        return len;
+}
+
+/* Produce content octets from a structure */
+
+int asn1_ex_i2c(ASN1_VALUE **pval, unsigned char *cout, int *putype, const ASN1_ITEM *it)
+{
+        ASN1_BOOLEAN *tbool = NULL;
+        ASN1_STRING *strtmp;
+        ASN1_OBJECT *otmp;
+        int utype;
+        unsigned char *cont, c;
+        int len;
+        const ASN1_PRIMITIVE_FUNCS *pf;
+        pf = it->funcs;
+        if(pf && pf->prim_i2c) return pf->prim_i2c(pval, cout, putype, it);
+
+        /* Should type be omitted? */
+        if((it->itype != ASN1_ITYPE_PRIMITIVE) || (it->utype != V_ASN1_BOOLEAN)) {
+                if(!*pval) return -1;
+        }
+
+        if(it->itype == ASN1_ITYPE_MSTRING) {
+                /* If MSTRING type set the underlying type */
+                strtmp = (ASN1_STRING *)*pval;
+                utype = strtmp->type;
+                *putype = utype;
+        } else if(it->utype == V_ASN1_ANY) {
+                /* If ANY set type and pointer to value */
+                ASN1_TYPE *typ;
+                typ = (ASN1_TYPE *)*pval;
+                utype = typ->type;
+                *putype = utype;
+                pval = (ASN1_VALUE **)&typ->value.ptr;
+        } else utype = *putype;
+
+        switch(utype) {
+                case V_ASN1_OBJECT:
+                otmp = (ASN1_OBJECT *)*pval;
+                cont = otmp->data;
+                len = otmp->length;
+                break;
+
+                case V_ASN1_NULL:
+                cont = NULL;
+                len = 0;
+                break;
+
+                case V_ASN1_BOOLEAN:
+                tbool = (ASN1_BOOLEAN *)pval;
+                if(*tbool == -1) return -1;
+                /* Default handling if value == size field then omit */
+                if(*tbool && (it->size > 0)) return -1;
+                if(!*tbool && !it->size) return -1;
+                c = (unsigned char)*tbool;
+                cont = &c;
+                len = 1;
+                break;
+
+                case V_ASN1_BIT_STRING:
+                return i2c_ASN1_BIT_STRING((ASN1_BIT_STRING *)*pval, cout ? &cout : NULL);
+                break;
+
+                case V_ASN1_INTEGER:
+                case V_ASN1_NEG_INTEGER:
+                case V_ASN1_ENUMERATED:
+                case V_ASN1_NEG_ENUMERATED:
+                /* These are all have the same content format
+                 * as ASN1_INTEGER
+                 */
+                return i2c_ASN1_INTEGER((ASN1_INTEGER *)*pval, cout ? &cout : NULL);
+                break;
+
+                case V_ASN1_OCTET_STRING:
+                case V_ASN1_NUMERICSTRING:
+                case V_ASN1_PRINTABLESTRING:
+                case V_ASN1_T61STRING:
+                case V_ASN1_VIDEOTEXSTRING:
+                case V_ASN1_IA5STRING:
+                case V_ASN1_UTCTIME:
+                case V_ASN1_GENERALIZEDTIME:
+                case V_ASN1_GRAPHICSTRING:
+                case V_ASN1_VISIBLESTRING:
+                case V_ASN1_GENERALSTRING:
+                case V_ASN1_UNIVERSALSTRING:
+                case V_ASN1_BMPSTRING:
+                case V_ASN1_UTF8STRING:
+                case V_ASN1_SEQUENCE:
+                case V_ASN1_SET:
+                default:
+                /* All based on ASN1_STRING and handled the same */
+                strtmp = (ASN1_STRING *)*pval;
+                cont = strtmp->data;
+                len = strtmp->length;
+
+                break;
+
+        }
+        if(cout && len) memcpy(cout, cont, len);
+        return len;
+}
diff --git a/src/lib/libcrypto/asn1/tasn_fre.c b/src/lib/libcrypto/asn1/tasn_fre.c
new file mode 100644
index 0000000000..c7610776f2
--- /dev/null
+++ b/src/lib/libcrypto/asn1/tasn_fre.c
@@ -0,0 +1,226 @@
+/* tasn_fre.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+
+#include <stddef.h>
+#include <openssl/asn1.h>
+#include <openssl/asn1t.h>
+#include <openssl/objects.h>
+
+static void asn1_item_combine_free(ASN1_VALUE **pval, const ASN1_ITEM *it, int combine);
+
+/* Free up an ASN1 structure */
+
+void ASN1_item_free(ASN1_VALUE *val, const ASN1_ITEM *it)
+{
+        asn1_item_combine_free(&val, it, 0);
+}
+
+void ASN1_item_ex_free(ASN1_VALUE **pval, const ASN1_ITEM *it)
+{
+        asn1_item_combine_free(pval, it, 0);
+}
+
+static void asn1_item_combine_free(ASN1_VALUE **pval, const ASN1_ITEM *it, int combine)
+{
+        const ASN1_TEMPLATE *tt = NULL, *seqtt;
+        const ASN1_EXTERN_FUNCS *ef;
+        const ASN1_COMPAT_FUNCS *cf;
+        const ASN1_AUX *aux = it->funcs;
+        ASN1_aux_cb *asn1_cb;
+        int i;
+        if(!pval) return;
+        if((it->itype != ASN1_ITYPE_PRIMITIVE) && !*pval) return;
+        if(aux && aux->asn1_cb) asn1_cb = aux->asn1_cb;
+        else asn1_cb = 0;
+
+        switch(it->itype) {
+
+                case ASN1_ITYPE_PRIMITIVE:
+                if(it->templates) ASN1_template_free(pval, it->templates);
+                else ASN1_primitive_free(pval, it);
+                break;
+
+                case ASN1_ITYPE_MSTRING:
+                ASN1_primitive_free(pval, it);
+                break;
+
+                case ASN1_ITYPE_CHOICE:
+                if(asn1_cb) {
+                        i = asn1_cb(ASN1_OP_FREE_PRE, pval, it);
+                        if(i == 2) return;
+                }
+                i = asn1_get_choice_selector(pval, it);
+                if(asn1_cb) asn1_cb(ASN1_OP_FREE_PRE, pval, it);
+                if((i >= 0) && (i < it->tcount)) {
+                        ASN1_VALUE **pchval;
+                        tt = it->templates + i;
+                        pchval = asn1_get_field_ptr(pval, tt);
+                        ASN1_template_free(pchval, tt);
+                }
+                if(asn1_cb) asn1_cb(ASN1_OP_FREE_POST, pval, it);
+                if(!combine) {
+                        OPENSSL_free(*pval);
+                        *pval = NULL;
+                }
+                break;
+
+                case ASN1_ITYPE_COMPAT:
+                cf = it->funcs;
+                if(cf && cf->asn1_free) cf->asn1_free(*pval);
+                break;
+
+                case ASN1_ITYPE_EXTERN:
+                ef = it->funcs;
+                if(ef && ef->asn1_ex_free) ef->asn1_ex_free(pval, it);
+                break;
+
+                case ASN1_ITYPE_SEQUENCE:
+                if(asn1_do_lock(pval, -1, it) > 0) return;
+                if(asn1_cb) {
+                        i = asn1_cb(ASN1_OP_FREE_PRE, pval, it);
+                        if(i == 2) return;
+                }               
+                asn1_enc_free(pval, it);
+                /* If we free up as normal we will invalidate any
+                 * ANY DEFINED BY field and we wont be able to 
+                 * determine the type of the field it defines. So
+                 * free up in reverse order.
+                 */
+                tt = it->templates + it->tcount - 1;
+                for(i = 0; i < it->tcount; tt--, i++) {
+                        ASN1_VALUE **pseqval;
+                        seqtt = asn1_do_adb(pval, tt, 0);
+                        if(!seqtt) continue;
+                        pseqval = asn1_get_field_ptr(pval, seqtt);
+                        ASN1_template_free(pseqval, seqtt);
+                }
+                if(asn1_cb) asn1_cb(ASN1_OP_FREE_POST, pval, it);
+                if(!combine) {
+                        OPENSSL_free(*pval);
+                        *pval = NULL;
+                }
+                break;
+        }
+}
+
+void ASN1_template_free(ASN1_VALUE **pval, const ASN1_TEMPLATE *tt)
+{
+        int i;
+        if(tt->flags & ASN1_TFLG_SK_MASK) {
+                STACK_OF(ASN1_VALUE) *sk = (STACK_OF(ASN1_VALUE) *)*pval;
+                for(i = 0; i < sk_ASN1_VALUE_num(sk); i++) {
+                        ASN1_VALUE *vtmp;
+                        vtmp = sk_ASN1_VALUE_value(sk, i);
+                        asn1_item_combine_free(&vtmp, ASN1_ITEM_ptr(tt->item), 0);
+                }
+                sk_ASN1_VALUE_free(sk);
+                *pval = NULL;
+        } else asn1_item_combine_free(pval, ASN1_ITEM_ptr(tt->item),
+                                                tt->flags & ASN1_TFLG_COMBINE);
+}
+
+void ASN1_primitive_free(ASN1_VALUE **pval, const ASN1_ITEM *it)
+{
+        int utype;
+        if(it) {
+                const ASN1_PRIMITIVE_FUNCS *pf;
+                pf = it->funcs;
+                if(pf && pf->prim_free) {
+                        pf->prim_free(pval, it);
+                        return;
+                }
+        }
+        /* Special case: if 'it' is NULL free contents of ASN1_TYPE */
+        if(!it) {
+                ASN1_TYPE *typ = (ASN1_TYPE *)*pval;
+                utype = typ->type;
+                pval = (ASN1_VALUE **)&typ->value.ptr;
+                if(!*pval) return;
+        } else if(it->itype == ASN1_ITYPE_MSTRING) {
+                utype = -1;
+                if(!*pval) return;
+        } else {
+                utype = it->utype;
+                if((utype != V_ASN1_BOOLEAN) && !*pval) return;
+        }
+
+        switch(utype) {
+                case V_ASN1_OBJECT:
+                ASN1_OBJECT_free((ASN1_OBJECT *)*pval);
+                break;
+
+                case V_ASN1_BOOLEAN:
+                *(ASN1_BOOLEAN *)pval = it->size;
+                return;
+
+                case V_ASN1_NULL:
+                break;
+
+                case V_ASN1_ANY:
+                ASN1_primitive_free(pval, NULL);
+                OPENSSL_free(*pval);
+                break;
+
+                default:
+                ASN1_STRING_free((ASN1_STRING *)*pval);
+                *pval = NULL;
+                break;
+        }
+        *pval = NULL;
+}
diff --git a/src/lib/libcrypto/asn1/tasn_new.c b/src/lib/libcrypto/asn1/tasn_new.c
new file mode 100644
index 0000000000..e33861f864
--- /dev/null
+++ b/src/lib/libcrypto/asn1/tasn_new.c
@@ -0,0 +1,348 @@
+/* tasn_new.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+
+#include <stddef.h>
+#include <openssl/asn1.h>
+#include <openssl/objects.h>
+#include <openssl/err.h>
+#include <openssl/asn1t.h>
+#include <string.h>
+
+static int asn1_item_ex_combine_new(ASN1_VALUE **pval, const ASN1_ITEM *it, int combine);
+static void asn1_item_clear(ASN1_VALUE **pval, const ASN1_ITEM *it);
+static void asn1_template_clear(ASN1_VALUE **pval, const ASN1_TEMPLATE *tt);
+void asn1_primitive_clear(ASN1_VALUE **pval, const ASN1_ITEM *it);
+
+ASN1_VALUE *ASN1_item_new(const ASN1_ITEM *it)
+{
+        ASN1_VALUE *ret = NULL;
+        if(ASN1_item_ex_new(&ret, it) > 0) return ret;
+        return NULL;
+}
+
+/* Allocate an ASN1 structure */
+
+int ASN1_item_ex_new(ASN1_VALUE **pval, const ASN1_ITEM *it)
+{
+        return asn1_item_ex_combine_new(pval, it, 0);
+}
+
+static int asn1_item_ex_combine_new(ASN1_VALUE **pval, const ASN1_ITEM *it, int combine)
+{
+        const ASN1_TEMPLATE *tt = NULL;
+        const ASN1_COMPAT_FUNCS *cf;
+        const ASN1_EXTERN_FUNCS *ef;
+        const ASN1_AUX *aux = it->funcs;
+        ASN1_aux_cb *asn1_cb;
+        ASN1_VALUE **pseqval;
+        int i;
+        if(aux && aux->asn1_cb) asn1_cb = aux->asn1_cb;
+        else asn1_cb = 0;
+
+        if(!combine) *pval = NULL;
+
+#ifdef CRYPTO_MDEBUG
+        if(it->sname) CRYPTO_push_info(it->sname);
+#endif
+
+        switch(it->itype) {
+
+                case ASN1_ITYPE_EXTERN:
+                ef = it->funcs;
+                if(ef && ef->asn1_ex_new) {
+                        if(!ef->asn1_ex_new(pval, it))
+                                goto memerr;
+                }
+                break;
+
+                case ASN1_ITYPE_COMPAT:
+                cf = it->funcs;
+                if(cf && cf->asn1_new) {
+                        *pval = cf->asn1_new();
+                        if(!*pval) goto memerr;
+                }
+                break;
+
+                case ASN1_ITYPE_PRIMITIVE:
+                if(it->templates) {
+                        if(!ASN1_template_new(pval, it->templates))
+                                goto memerr;
+                } else {
+                        if(!ASN1_primitive_new(pval, it))
+                                goto memerr;
+                }
+                break;
+
+                case ASN1_ITYPE_MSTRING:
+                if(!ASN1_primitive_new(pval, it))
+                                goto memerr;
+                break;
+
+                case ASN1_ITYPE_CHOICE:
+                if(asn1_cb) {
+                        i = asn1_cb(ASN1_OP_NEW_PRE, pval, it);
+                        if(!i) goto auxerr;
+                        if(i==2) {
+#ifdef CRYPTO_MDEBUG
+                                if(it->sname) CRYPTO_pop_info();
+#endif
+                                return 1;
+                        }
+                }
+                if(!combine) {
+                        *pval = OPENSSL_malloc(it->size);
+                        if(!*pval) goto memerr;
+                        memset(*pval, 0, it->size);
+                }
+                asn1_set_choice_selector(pval, -1, it);
+                if(asn1_cb && !asn1_cb(ASN1_OP_NEW_POST, pval, it))
+                                goto auxerr;
+                break;
+
+                case ASN1_ITYPE_SEQUENCE:
+                if(asn1_cb) {
+                        i = asn1_cb(ASN1_OP_NEW_PRE, pval, it);
+                        if(!i) goto auxerr;
+                        if(i==2) {
+#ifdef CRYPTO_MDEBUG
+                                if(it->sname) CRYPTO_pop_info();
+#endif
+                                return 1;
+                        }
+                }
+                if(!combine) {
+                        *pval = OPENSSL_malloc(it->size);
+                        if(!*pval) goto memerr;
+                        memset(*pval, 0, it->size);
+                        asn1_do_lock(pval, 0, it);
+                        asn1_enc_init(pval, it);
+                }
+                for(i = 0, tt = it->templates; i < it->tcount; tt++, i++) {
+                        pseqval = asn1_get_field_ptr(pval, tt);
+                        if(!ASN1_template_new(pseqval, tt)) goto memerr;
+                }
+                if(asn1_cb && !asn1_cb(ASN1_OP_NEW_POST, pval, it))
+                                goto auxerr;
+                break;
+        }
+#ifdef CRYPTO_MDEBUG
+        if(it->sname) CRYPTO_pop_info();
+#endif
+        return 1;
+
+        memerr:
+        ASN1err(ASN1_F_ASN1_ITEM_NEW, ERR_R_MALLOC_FAILURE);
+#ifdef CRYPTO_MDEBUG
+        if(it->sname) CRYPTO_pop_info();
+#endif
+        return 0;
+
+        auxerr:
+        ASN1err(ASN1_F_ASN1_ITEM_NEW, ASN1_R_AUX_ERROR);
+        ASN1_item_ex_free(pval, it);
+#ifdef CRYPTO_MDEBUG
+        if(it->sname) CRYPTO_pop_info();
+#endif
+        return 0;
+
+}
+
+static void asn1_item_clear(ASN1_VALUE **pval, const ASN1_ITEM *it)
+{
+        const ASN1_EXTERN_FUNCS *ef;
+
+        switch(it->itype) {
+
+                case ASN1_ITYPE_EXTERN:
+                ef = it->funcs;
+                if(ef && ef->asn1_ex_clear) 
+                        ef->asn1_ex_clear(pval, it);
+                else *pval = NULL;
+                break;
+
+
+                case ASN1_ITYPE_PRIMITIVE:
+                if(it->templates) 
+                        asn1_template_clear(pval, it->templates);
+                else
+                        asn1_primitive_clear(pval, it);
+                break;
+
+                case ASN1_ITYPE_MSTRING:
+                asn1_primitive_clear(pval, it);
+                break;
+
+                case ASN1_ITYPE_COMPAT:
+                case ASN1_ITYPE_CHOICE:
+                case ASN1_ITYPE_SEQUENCE:
+                *pval = NULL;
+                break;
+        }
+}
+
+
+int ASN1_template_new(ASN1_VALUE **pval, const ASN1_TEMPLATE *tt)
+{
+        const ASN1_ITEM *it = ASN1_ITEM_ptr(tt->item);
+        int ret;
+        if(tt->flags & ASN1_TFLG_OPTIONAL) {
+                asn1_template_clear(pval, tt);
+                return 1;
+        }
+        /* If ANY DEFINED BY nothing to do */
+
+        if(tt->flags & ASN1_TFLG_ADB_MASK) {
+                *pval = NULL;
+                return 1;
+        }
+#ifdef CRYPTO_MDEBUG
+        if(tt->field_name) CRYPTO_push_info(tt->field_name);
+#endif
+        /* If SET OF or SEQUENCE OF, its a STACK */
+        if(tt->flags & ASN1_TFLG_SK_MASK) {
+                STACK_OF(ASN1_VALUE) *skval;
+                skval = sk_ASN1_VALUE_new_null();
+                if(!skval) {
+                        ASN1err(ASN1_F_ASN1_TEMPLATE_NEW, ERR_R_MALLOC_FAILURE);
+                        ret = 0;
+                        goto done;
+                }
+                *pval = (ASN1_VALUE *)skval;
+                ret = 1;
+                goto done;
+        }
+        /* Otherwise pass it back to the item routine */
+        ret = asn1_item_ex_combine_new(pval, it, tt->flags & ASN1_TFLG_COMBINE);
+        done:
+#ifdef CRYPTO_MDEBUG
+        if(it->sname) CRYPTO_pop_info();
+#endif
+        return ret;
+}
+
+static void asn1_template_clear(ASN1_VALUE **pval, const ASN1_TEMPLATE *tt)
+{
+        /* If ADB or STACK just NULL the field */
+        if(tt->flags & (ASN1_TFLG_ADB_MASK|ASN1_TFLG_SK_MASK)) 
+                *pval = NULL;
+        else
+                asn1_item_clear(pval, ASN1_ITEM_ptr(tt->item));
+}
+
+
+/* NB: could probably combine most of the real XXX_new() behaviour and junk all the old
+ * functions.
+ */
+
+int ASN1_primitive_new(ASN1_VALUE **pval, const ASN1_ITEM *it)
+{
+        ASN1_TYPE *typ;
+        int utype;
+        const ASN1_PRIMITIVE_FUNCS *pf;
+        pf = it->funcs;
+        if(pf && pf->prim_new) return pf->prim_new(pval, it);
+        if(!it || (it->itype == ASN1_ITYPE_MSTRING)) utype = -1;
+        else utype = it->utype;
+        switch(utype) {
+                case V_ASN1_OBJECT:
+                *pval = (ASN1_VALUE *)OBJ_nid2obj(NID_undef);
+                return 1;
+
+                case V_ASN1_BOOLEAN:
+                *(ASN1_BOOLEAN *)pval = it->size;
+                return 1;
+
+                case V_ASN1_NULL:
+                *pval = (ASN1_VALUE *)1;
+                return 1;
+
+                case V_ASN1_ANY:
+                typ = OPENSSL_malloc(sizeof(ASN1_TYPE));
+                if(!typ) return 0;
+                typ->value.ptr = NULL;
+                typ->type = -1;
+                *pval = (ASN1_VALUE *)typ;
+                break;
+
+                default:
+                *pval = (ASN1_VALUE *)ASN1_STRING_type_new(utype);
+                break;
+        }
+        if(*pval) return 1;
+        return 0;
+}
+
+void asn1_primitive_clear(ASN1_VALUE **pval, const ASN1_ITEM *it)
+{
+        int utype;
+        const ASN1_PRIMITIVE_FUNCS *pf;
+        pf = it->funcs;
+        if(pf) {
+                if(pf->prim_clear)
+                        pf->prim_clear(pval, it);
+                else 
+                        *pval = NULL;
+                return;
+        }
+        if(!it || (it->itype == ASN1_ITYPE_MSTRING)) utype = -1;
+        else utype = it->utype;
+        if(utype == V_ASN1_BOOLEAN)
+                *(ASN1_BOOLEAN *)pval = it->size;
+        else *pval = NULL;
+}
diff --git a/src/lib/libcrypto/asn1/tasn_prn.c b/src/lib/libcrypto/asn1/tasn_prn.c
new file mode 100644
index 0000000000..fab67ae5ac
--- /dev/null
+++ b/src/lib/libcrypto/asn1/tasn_prn.c
@@ -0,0 +1,198 @@
+/* tasn_prn.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+
+#include <stddef.h>
+#include <openssl/asn1.h>
+#include <openssl/objects.h>
+#include <openssl/buffer.h>
+#include <openssl/err.h>
+#include <openssl/nasn.h>
+
+/* Print routines. Print out a whole structure from a template.
+ */
+
+static int asn1_item_print_nm(BIO *out, void *fld, int indent, const ASN1_ITEM *it, const char *name);
+
+int ASN1_item_print(BIO *out, void *fld, int indent, const ASN1_ITEM *it)
+{
+        return asn1_item_print_nm(out, fld, indent, it, it->sname);
+}
+
+static int asn1_item_print_nm(BIO *out, void *fld, int indent, const ASN1_ITEM *it, const char *name)
+{
+        ASN1_STRING *str;
+        const ASN1_TEMPLATE *tt;
+        void *tmpfld;
+        int i;
+        if(!fld) {
+                BIO_printf(out, "%*s%s ABSENT\n", indent, "", name);
+                return 1;
+        }
+        switch(it->itype) {
+
+                case ASN1_ITYPE_PRIMITIVE:
+                if(it->templates)
+                        return ASN1_template_print(out, fld, indent, it->templates);
+                return asn1_primitive_print(out, fld, it->utype, indent, name);
+                break;
+
+                case ASN1_ITYPE_MSTRING:
+                str = fld;
+                return asn1_primitive_print(out, fld, str->type, indent, name);
+
+                case ASN1_ITYPE_EXTERN:
+                BIO_printf(out, "%*s%s:EXTERNAL TYPE %s %s\n", indent, "", name, it->sname, fld ? "" : "ABSENT");
+                return 1;
+                case ASN1_ITYPE_COMPAT:
+                BIO_printf(out, "%*s%s:COMPATIBLE TYPE %s %s\n", indent, "", name, it->sname, fld ? "" : "ABSENT");
+                return 1;
+
+
+                case ASN1_ITYPE_CHOICE:
+                /* CHOICE type, get selector */
+                i = asn1_get_choice_selector(fld, it);
+                /* This should never happen... */
+                if((i < 0) || (i >= it->tcount)) {
+                        BIO_printf(out, "%s selector [%d] out of range\n", it->sname, i);
+                        return 1;
+                }
+                tt = it->templates + i;
+                tmpfld = asn1_get_field(fld, tt);
+                return ASN1_template_print(out, tmpfld, indent, tt);
+
+                case ASN1_ITYPE_SEQUENCE:
+                BIO_printf(out, "%*s%s {\n", indent, "", name);
+                /* Get each field entry */
+                for(i = 0, tt = it->templates; i < it->tcount; i++, tt++) {
+                        tmpfld = asn1_get_field(fld, tt);
+                        ASN1_template_print(out, tmpfld, indent + 2, tt);
+                }
+                BIO_printf(out, "%*s}\n", indent, "");
+                return 1;
+
+                default:
+                return 0;
+        }
+}
+
+int ASN1_template_print(BIO *out, void *fld, int indent, const ASN1_TEMPLATE *tt)
+{
+        int i, flags;
+#if 0
+        if(!fld) return 0; 
+#endif
+        flags = tt->flags;
+        if(flags & ASN1_TFLG_SK_MASK) {
+                char *tname;
+                void *skitem;
+                /* SET OF, SEQUENCE OF */
+                if(flags & ASN1_TFLG_SET_OF) tname = "SET";
+                else tname = "SEQUENCE";
+                if(fld) {
+                        BIO_printf(out, "%*s%s OF %s {\n", indent, "", tname, tt->field_name);
+                        for(i = 0; i < sk_num(fld); i++) {
+                                skitem = sk_value(fld, i);
+                                asn1_item_print_nm(out, skitem, indent + 2, tt->item, "");
+                        }
+                        BIO_printf(out, "%*s}\n", indent, "");
+                } else 
+                        BIO_printf(out, "%*s%s OF %s ABSENT\n", indent, "", tname, tt->field_name);
+                return 1;
+        }
+        return asn1_item_print_nm(out, fld, indent, tt->item, tt->field_name);
+}
+
+static int asn1_primitive_print(BIO *out, void *fld, long utype, int indent, const char *name)
+{
+        ASN1_STRING *str = fld;
+        if(fld) {
+                if(utype == V_ASN1_BOOLEAN) {
+                        int *bool = fld;
+if(*bool == -1) printf("BOOL MISSING\n");
+                        BIO_printf(out, "%*s%s:%s", indent, "", "BOOLEAN", *bool ? "TRUE" : "FALSE");
+                } else if((utype == V_ASN1_INTEGER) 
+                          || (utype == V_ASN1_ENUMERATED)) {
+                        char *s, *nm;
+                        s = i2s_ASN1_INTEGER(NULL, fld);
+                        if(utype == V_ASN1_INTEGER) nm = "INTEGER";
+                        else nm = "ENUMERATED";
+                        BIO_printf(out, "%*s%s:%s", indent, "", nm, s);
+                        OPENSSL_free(s);
+                } else if(utype == V_ASN1_NULL) {
+                        BIO_printf(out, "%*s%s", indent, "", "NULL");
+                } else if(utype == V_ASN1_UTCTIME) {
+                        BIO_printf(out, "%*s%s:%s:", indent, "", name, "UTCTIME");
+                        ASN1_UTCTIME_print(out, str);
+                } else if(utype == V_ASN1_GENERALIZEDTIME) {
+                        BIO_printf(out, "%*s%s:%s:", indent, "", name, "GENERALIZEDTIME");
+                        ASN1_GENERALIZEDTIME_print(out, str);
+                } else if(utype == V_ASN1_OBJECT) {
+                        char objbuf[80], *ln;
+                        ln = OBJ_nid2ln(OBJ_obj2nid(fld));
+                        if(!ln) ln = "";
+                        OBJ_obj2txt(objbuf, 80, fld, 1);
+                        BIO_printf(out, "%*s%s:%s (%s)", indent, "", "OBJECT", ln, objbuf);
+                } else {
+                        BIO_printf(out, "%*s%s:", indent, "", name);
+                        ASN1_STRING_print_ex(out, str, ASN1_STRFLGS_DUMP_UNKNOWN|ASN1_STRFLGS_SHOW_TYPE);
+                }
+                BIO_printf(out, "\n");
+        } else BIO_printf(out, "%*s%s [ABSENT]\n", indent, "", name);
+        return 1;
+}
diff --git a/src/lib/libcrypto/asn1/tasn_typ.c b/src/lib/libcrypto/asn1/tasn_typ.c
new file mode 100644
index 0000000000..804d2eeba2
--- /dev/null
+++ b/src/lib/libcrypto/asn1/tasn_typ.c
@@ -0,0 +1,133 @@
+/* tasn_typ.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+#include <stdio.h>
+#include <openssl/asn1.h>
+#include <openssl/asn1t.h>
+
+/* Declarations for string types */
+
+
+IMPLEMENT_ASN1_TYPE(ASN1_INTEGER)
+IMPLEMENT_ASN1_FUNCTIONS(ASN1_INTEGER)
+
+IMPLEMENT_ASN1_TYPE(ASN1_ENUMERATED)
+IMPLEMENT_ASN1_FUNCTIONS(ASN1_ENUMERATED)
+
+IMPLEMENT_ASN1_TYPE(ASN1_BIT_STRING)
+IMPLEMENT_ASN1_FUNCTIONS(ASN1_BIT_STRING)
+
+IMPLEMENT_ASN1_TYPE(ASN1_OCTET_STRING)
+IMPLEMENT_ASN1_FUNCTIONS(ASN1_OCTET_STRING)
+
+IMPLEMENT_ASN1_TYPE(ASN1_NULL)
+IMPLEMENT_ASN1_FUNCTIONS(ASN1_NULL)
+
+IMPLEMENT_ASN1_TYPE(ASN1_OBJECT)
+
+IMPLEMENT_ASN1_TYPE(ASN1_UTF8STRING)
+IMPLEMENT_ASN1_FUNCTIONS(ASN1_UTF8STRING)
+
+IMPLEMENT_ASN1_TYPE(ASN1_PRINTABLESTRING)
+IMPLEMENT_ASN1_FUNCTIONS(ASN1_PRINTABLESTRING)
+
+IMPLEMENT_ASN1_TYPE(ASN1_T61STRING)
+IMPLEMENT_ASN1_FUNCTIONS(ASN1_T61STRING)
+
+IMPLEMENT_ASN1_TYPE(ASN1_IA5STRING)
+IMPLEMENT_ASN1_FUNCTIONS(ASN1_IA5STRING)
+
+IMPLEMENT_ASN1_TYPE(ASN1_GENERALSTRING)
+IMPLEMENT_ASN1_FUNCTIONS(ASN1_GENERALSTRING)
+
+IMPLEMENT_ASN1_TYPE(ASN1_UTCTIME)
+IMPLEMENT_ASN1_FUNCTIONS(ASN1_UTCTIME)
+
+IMPLEMENT_ASN1_TYPE(ASN1_GENERALIZEDTIME)
+IMPLEMENT_ASN1_FUNCTIONS(ASN1_GENERALIZEDTIME)
+
+IMPLEMENT_ASN1_TYPE(ASN1_VISIBLESTRING)
+IMPLEMENT_ASN1_FUNCTIONS(ASN1_VISIBLESTRING)
+
+IMPLEMENT_ASN1_TYPE(ASN1_UNIVERSALSTRING)
+IMPLEMENT_ASN1_FUNCTIONS(ASN1_UNIVERSALSTRING)
+
+IMPLEMENT_ASN1_TYPE(ASN1_BMPSTRING)
+IMPLEMENT_ASN1_FUNCTIONS(ASN1_BMPSTRING)
+
+IMPLEMENT_ASN1_TYPE(ASN1_ANY)
+
+/* Just swallow an ASN1_SEQUENCE in an ASN1_STRING */
+IMPLEMENT_ASN1_TYPE(ASN1_SEQUENCE)
+
+IMPLEMENT_ASN1_FUNCTIONS_fname(ASN1_TYPE, ASN1_ANY, ASN1_TYPE)
+
+/* Multistring types */
+
+IMPLEMENT_ASN1_MSTRING(ASN1_PRINTABLE, B_ASN1_PRINTABLE)
+IMPLEMENT_ASN1_FUNCTIONS_name(ASN1_STRING, ASN1_PRINTABLE)
+
+IMPLEMENT_ASN1_MSTRING(DISPLAYTEXT, B_ASN1_DISPLAYTEXT)
+IMPLEMENT_ASN1_FUNCTIONS_name(ASN1_STRING, DISPLAYTEXT)
+
+IMPLEMENT_ASN1_MSTRING(DIRECTORYSTRING, B_ASN1_DIRECTORYSTRING)
+IMPLEMENT_ASN1_FUNCTIONS_name(ASN1_STRING, DIRECTORYSTRING)
+
+/* Three separate BOOLEAN type: normal, DEFAULT TRUE and DEFAULT FALSE */
+IMPLEMENT_ASN1_TYPE_ex(ASN1_BOOLEAN, ASN1_BOOLEAN, -1)
+IMPLEMENT_ASN1_TYPE_ex(ASN1_TBOOLEAN, ASN1_BOOLEAN, 1)
+IMPLEMENT_ASN1_TYPE_ex(ASN1_FBOOLEAN, ASN1_BOOLEAN, 0)
diff --git a/src/lib/libcrypto/asn1/tasn_utl.c b/src/lib/libcrypto/asn1/tasn_utl.c
new file mode 100644
index 0000000000..8996ce8c13
--- /dev/null
+++ b/src/lib/libcrypto/asn1/tasn_utl.c
@@ -0,0 +1,253 @@
+/* tasn_utl.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+
+#include <stddef.h>
+#include <string.h>
+#include <openssl/asn1.h>
+#include <openssl/asn1t.h>
+#include <openssl/objects.h>
+#include <openssl/err.h>
+
+/* Utility functions for manipulating fields and offsets */
+
+/* Add 'offset' to 'addr' */
+#define offset2ptr(addr, offset) (void *)(((char *) addr) + offset)
+
+/* Given an ASN1_ITEM CHOICE type return
+ * the selector value
+ */
+
+int asn1_get_choice_selector(ASN1_VALUE **pval, const ASN1_ITEM *it)
+{
+        int *sel = offset2ptr(*pval, it->utype);
+        return *sel;
+}
+
+/* Given an ASN1_ITEM CHOICE type set
+ * the selector value, return old value.
+ */
+
+int asn1_set_choice_selector(ASN1_VALUE **pval, int value, const ASN1_ITEM *it)
+{       
+        int *sel, ret;
+        sel = offset2ptr(*pval, it->utype);
+        ret = *sel;
+        *sel = value;
+        return ret;
+}
+
+/* Do reference counting. The value 'op' decides what to do. 
+ * if it is +1 then the count is incremented. If op is 0 count is
+ * set to 1. If op is -1 count is decremented and the return value
+ * is the current refrence count or 0 if no reference count exists.
+ */
+
+int asn1_do_lock(ASN1_VALUE **pval, int op, const ASN1_ITEM *it)
+{
+        const ASN1_AUX *aux;
+        int *lck, ret;
+        if(it->itype != ASN1_ITYPE_SEQUENCE) return 0;
+        aux = it->funcs;
+        if(!aux || !(aux->flags & ASN1_AFLG_REFCOUNT)) return 0;
+        lck = offset2ptr(*pval, aux->ref_offset);
+        if(op == 0) {
+                *lck = 1;
+                return 1;
+        }
+        ret = CRYPTO_add(lck, op, aux->ref_lock);
+#ifdef REF_PRINT
+        fprintf(stderr, "%s: Reference Count: %d\n", it->sname, *lck);
+#endif
+#ifdef REF_CHECK
+        if(ret < 0) 
+                fprintf(stderr, "%s, bad reference count\n", it->sname);
+#endif
+        return ret;
+}
+
+static ASN1_ENCODING *asn1_get_enc_ptr(ASN1_VALUE **pval, const ASN1_ITEM *it)
+{
+        const ASN1_AUX *aux;
+        if(!pval || !*pval) return NULL;
+        aux = it->funcs;
+        if(!aux || !(aux->flags & ASN1_AFLG_ENCODING)) return NULL;
+        return offset2ptr(*pval, aux->enc_offset);
+}
+
+void asn1_enc_init(ASN1_VALUE **pval, const ASN1_ITEM *it)
+{
+        ASN1_ENCODING *enc;
+        enc = asn1_get_enc_ptr(pval, it);
+        if(enc) {
+                enc->enc = NULL;
+                enc->len = 0;
+                enc->modified = 1;
+        }
+}
+
+void asn1_enc_free(ASN1_VALUE **pval, const ASN1_ITEM *it)
+{
+        ASN1_ENCODING *enc;
+        enc = asn1_get_enc_ptr(pval, it);
+        if(enc) {
+                if(enc->enc) OPENSSL_free(enc->enc);
+                enc->enc = NULL;
+                enc->len = 0;
+                enc->modified = 1;
+        }
+}
+
+int asn1_enc_save(ASN1_VALUE **pval, unsigned char *in, int inlen, const ASN1_ITEM *it)
+{
+        ASN1_ENCODING *enc;
+        enc = asn1_get_enc_ptr(pval, it);
+        if(!enc) return 1;
+
+        if(enc->enc) OPENSSL_free(enc->enc);
+        enc->enc = OPENSSL_malloc(inlen);
+        if(!enc->enc) return 0;
+        memcpy(enc->enc, in, inlen);
+        enc->len = inlen;
+        enc->modified = 0;
+
+        return 1;
+}
+                
+int asn1_enc_restore(int *len, unsigned char **out, ASN1_VALUE **pval, const ASN1_ITEM *it)
+{
+        ASN1_ENCODING *enc;
+        enc = asn1_get_enc_ptr(pval, it);
+        if(!enc || enc->modified) return 0;
+        if(out) {
+                memcpy(*out, enc->enc, enc->len);
+                *out += enc->len;
+        }
+        if(len) *len = enc->len;
+        return 1;
+}
+
+/* Given an ASN1_TEMPLATE get a pointer to a field */
+ASN1_VALUE ** asn1_get_field_ptr(ASN1_VALUE **pval, const ASN1_TEMPLATE *tt)
+{
+        ASN1_VALUE **pvaltmp;
+        if(tt->flags & ASN1_TFLG_COMBINE) return pval;
+        pvaltmp = offset2ptr(*pval, tt->offset);
+        /* NOTE for BOOLEAN types the field is just a plain
+         * int so we can't return int **, so settle for
+         * (int *).
+         */
+        return pvaltmp;
+}
+
+/* Handle ANY DEFINED BY template, find the selector, look up
+ * the relevant ASN1_TEMPLATE in the table and return it.
+ */
+
+const ASN1_TEMPLATE *asn1_do_adb(ASN1_VALUE **pval, const ASN1_TEMPLATE *tt, int nullerr)
+{
+        const ASN1_ADB *adb;
+        const ASN1_ADB_TABLE *atbl;
+        long selector;
+        ASN1_VALUE **sfld;
+        int i;
+        if(!(tt->flags & ASN1_TFLG_ADB_MASK)) return tt;
+
+        /* Else ANY DEFINED BY ... get the table */
+        adb = ASN1_ADB_ptr(tt->item);
+
+        /* Get the selector field */
+        sfld = offset2ptr(*pval, adb->offset);
+
+        /* Check if NULL */
+        if(!sfld) {
+                if(!adb->null_tt) goto err;
+                return adb->null_tt;
+        }
+
+        /* Convert type to a long:
+         * NB: don't check for NID_undef here because it
+         * might be a legitimate value in the table
+         */
+        if(tt->flags & ASN1_TFLG_ADB_OID) 
+                selector = OBJ_obj2nid((ASN1_OBJECT *)*sfld);
+        else 
+                selector = ASN1_INTEGER_get((ASN1_INTEGER *)*sfld);
+
+        /* Try to find matching entry in table
+         * Maybe should check application types first to
+         * allow application override? Might also be useful
+         * to have a flag which indicates table is sorted and
+         * we can do a binary search. For now stick to a
+         * linear search.
+         */
+
+        for(atbl = adb->tbl, i = 0; i < adb->tblcount; i++, atbl++)
+                if(atbl->value == selector) return &atbl->tt;
+
+        /* FIXME: need to search application table too */
+
+        /* No match, return default type */
+        if(!adb->default_tt) goto err;          
+        return adb->default_tt;
+        
+        err:
+        /* FIXME: should log the value or OID of unsupported type */
+        if(nullerr) ASN1err(ASN1_F_ASN1_DO_ADB, ASN1_R_UNSUPPORTED_ANY_DEFINED_BY_TYPE);
+        return NULL;
+}
diff --git a/src/lib/libcrypto/asn1/x_algor.c b/src/lib/libcrypto/asn1/x_algor.c
index 853a8dfeef..00b9ea54a1 100644
--- a/src/lib/libcrypto/asn1/x_algor.c
+++ b/src/lib/libcrypto/asn1/x_algor.c
@@ -1,118 +1,73 @@
-/* crypto/asn1/x_algor.c */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
+/* x_algor.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
  *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- * 
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- * 
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- * 
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
  * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from 
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- * 
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- * 
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
  */
 
-#include <stdio.h>
-#include "cryptlib.h"
-#include <openssl/asn1_mac.h>
+#include <stddef.h>
 #include <openssl/x509.h>
+#include <openssl/asn1.h>
+#include <openssl/asn1t.h>
 
-int i2d_X509_ALGOR(X509_ALGOR *a, unsigned char **pp)
-        {
-        M_ASN1_I2D_vars(a);
-
-        M_ASN1_I2D_len(a->algorithm,i2d_ASN1_OBJECT);
-        if (a->parameter != NULL)
-                { M_ASN1_I2D_len(a->parameter,i2d_ASN1_TYPE); }
-
-        M_ASN1_I2D_seq_total();
-        M_ASN1_I2D_put(a->algorithm,i2d_ASN1_OBJECT);
-        if (a->parameter != NULL)
-                { M_ASN1_I2D_put(a->parameter,i2d_ASN1_TYPE); }
-
-        M_ASN1_I2D_finish();
-        }
-
-X509_ALGOR *d2i_X509_ALGOR(X509_ALGOR **a, unsigned char **pp, long length)
-        {
-        M_ASN1_D2I_vars(a,X509_ALGOR *,X509_ALGOR_new);
-
-        M_ASN1_D2I_Init();
-        M_ASN1_D2I_start_sequence();
-        M_ASN1_D2I_get(ret->algorithm,d2i_ASN1_OBJECT);
-        if (!M_ASN1_D2I_end_sequence())
-                { M_ASN1_D2I_get(ret->parameter,d2i_ASN1_TYPE); }
-        else
-                {
-                ASN1_TYPE_free(ret->parameter);
-                ret->parameter=NULL;
-                }
-        M_ASN1_D2I_Finish(a,X509_ALGOR_free,ASN1_F_D2I_X509_ALGOR);
-        }
-
-X509_ALGOR *X509_ALGOR_new(void)
-        {
-        X509_ALGOR *ret=NULL;
-        ASN1_CTX c;
-
-        M_ASN1_New_Malloc(ret,X509_ALGOR);
-        ret->algorithm=OBJ_nid2obj(NID_undef);
-        ret->parameter=NULL;
-        return(ret);
-        M_ASN1_New_Error(ASN1_F_X509_ALGOR_NEW);
-        }
+ASN1_SEQUENCE(X509_ALGOR) = {
+        ASN1_SIMPLE(X509_ALGOR, algorithm, ASN1_OBJECT),
+        ASN1_OPT(X509_ALGOR, parameter, ASN1_ANY)
+} ASN1_SEQUENCE_END(X509_ALGOR)
 
-void X509_ALGOR_free(X509_ALGOR *a)
-        {
-        if (a == NULL) return;
-        ASN1_OBJECT_free(a->algorithm);
-        ASN1_TYPE_free(a->parameter);
-        OPENSSL_free(a);
-        }
+IMPLEMENT_ASN1_FUNCTIONS(X509_ALGOR)
+IMPLEMENT_ASN1_DUP_FUNCTION(X509_ALGOR)
 
 IMPLEMENT_STACK_OF(X509_ALGOR)
 IMPLEMENT_ASN1_SET_OF(X509_ALGOR)
diff --git a/src/lib/libcrypto/asn1/x_attrib.c b/src/lib/libcrypto/asn1/x_attrib.c
index 14e5ea27aa..1e3713f18f 100644
--- a/src/lib/libcrypto/asn1/x_attrib.c
+++ b/src/lib/libcrypto/asn1/x_attrib.c
@@ -59,64 +59,42 @@
 #include <stdio.h>
 #include "cryptlib.h"
 #include <openssl/objects.h>
-#include <openssl/asn1_mac.h>
+#include <openssl/asn1t.h>
 #include <openssl/x509.h>
 
-/* sequence */
-int i2d_X509_ATTRIBUTE(X509_ATTRIBUTE *a, unsigned char **pp)
-        {
-        int k=0;
-        int r=0,ret=0;
-        unsigned char **p=NULL;
-
-        if (a == NULL) return(0);
-
-        p=NULL;
-        for (;;)
-                {
-                if (k)
-                        {
-                        r=ASN1_object_size(1,ret,V_ASN1_SEQUENCE);
-                        if (pp == NULL) return(r);
-                        p=pp;
-                        ASN1_put_object(p,1,ret,V_ASN1_SEQUENCE,
-                                V_ASN1_UNIVERSAL);
-                        }
-
-                ret+=i2d_ASN1_OBJECT(a->object,p);
-                if (a->set)
-                        ret+=i2d_ASN1_SET_OF_ASN1_TYPE(a->value.set,p,i2d_ASN1_TYPE,
-                                V_ASN1_SET,V_ASN1_UNIVERSAL,IS_SET);
-                else
-                        ret+=i2d_ASN1_TYPE(a->value.single,p);
-                if (k++) return(r);
-                }
-        }
-
-X509_ATTRIBUTE *d2i_X509_ATTRIBUTE(X509_ATTRIBUTE **a, unsigned char **pp,
-             long length)
-        {
-        M_ASN1_D2I_vars(a,X509_ATTRIBUTE *,X509_ATTRIBUTE_new);
+/* X509_ATTRIBUTE: this has the following form:
+ *
+ * typedef struct x509_attributes_st
+ *      {
+ *      ASN1_OBJECT *object;
+ *      int single;
+ *      union   {
+ *              char            *ptr;
+ *              STACK_OF(ASN1_TYPE) *set;
+ *              ASN1_TYPE       *single;
+ *              } value;
+ *      } X509_ATTRIBUTE;
+ *
+ * this needs some extra thought because the CHOICE type is
+ * merged with the main structure and because the value can
+ * be anything at all we *must* try the SET OF first because
+ * the ASN1_ANY type will swallow anything including the whole
+ * SET OF structure.
+ */
 
-        M_ASN1_D2I_Init();
-        M_ASN1_D2I_start_sequence();
-        M_ASN1_D2I_get(ret->object,d2i_ASN1_OBJECT);
+ASN1_CHOICE(X509_ATTRIBUTE_SET) = {
+        ASN1_SET_OF(X509_ATTRIBUTE, value.set, ASN1_ANY),
+        ASN1_SIMPLE(X509_ATTRIBUTE, value.single, ASN1_ANY)
+} ASN1_CHOICE_END_selector(X509_ATTRIBUTE, X509_ATTRIBUTE_SET, single)
 
-        if ((c.slen != 0) &&
-                (M_ASN1_next == (V_ASN1_CONSTRUCTED|V_ASN1_UNIVERSAL|V_ASN1_SET)))
-                {
-                ret->set=1;
-                M_ASN1_D2I_get_set_type(ASN1_TYPE,ret->value.set,d2i_ASN1_TYPE,
-                                        ASN1_TYPE_free);
-                }
-        else
-                {
-                ret->set=0;
-                M_ASN1_D2I_get(ret->value.single,d2i_ASN1_TYPE);
-                }
+ASN1_SEQUENCE(X509_ATTRIBUTE) = {
+        ASN1_SIMPLE(X509_ATTRIBUTE, object, ASN1_OBJECT),
+        /* CHOICE type merged with parent */
+        ASN1_EX_COMBINE(0, 0, X509_ATTRIBUTE_SET)
+} ASN1_SEQUENCE_END(X509_ATTRIBUTE)
 
-        M_ASN1_D2I_Finish(a,X509_ATTRIBUTE_free,ASN1_F_D2I_X509_ATTRIBUTE);
-        }
+IMPLEMENT_ASN1_FUNCTIONS(X509_ATTRIBUTE)
+IMPLEMENT_ASN1_DUP_FUNCTION(X509_ATTRIBUTE)
 
 X509_ATTRIBUTE *X509_ATTRIBUTE_create(int nid, int atrtype, void *value)
         {
@@ -126,7 +104,7 @@ X509_ATTRIBUTE *X509_ATTRIBUTE_create(int nid, int atrtype, void *value)
         if ((ret=X509_ATTRIBUTE_new()) == NULL)
                 return(NULL);
         ret->object=OBJ_nid2obj(nid);
-        ret->set=1;
+        ret->single=0;
         if ((ret->value.set=sk_ASN1_TYPE_new_null()) == NULL) goto err;
         if ((val=ASN1_TYPE_new()) == NULL) goto err;
         if (!sk_ASN1_TYPE_push(ret->value.set,val)) goto err;
@@ -138,28 +116,3 @@ err:
         if (val != NULL) ASN1_TYPE_free(val);
         return(NULL);
         }
-
-X509_ATTRIBUTE *X509_ATTRIBUTE_new(void)
-        {
-        X509_ATTRIBUTE *ret=NULL;
-        ASN1_CTX c;
-
-        M_ASN1_New_Malloc(ret,X509_ATTRIBUTE);
-        ret->object=OBJ_nid2obj(NID_undef);
-        ret->set=0;
-        ret->value.ptr=NULL;
-        return(ret);
-        M_ASN1_New_Error(ASN1_F_X509_ATTRIBUTE_NEW);
-        }
-        
-void X509_ATTRIBUTE_free(X509_ATTRIBUTE *a)
-        {
-        if (a == NULL) return;
-        ASN1_OBJECT_free(a->object);
-        if (a->set)
-                sk_ASN1_TYPE_pop_free(a->value.set,ASN1_TYPE_free);
-        else
-                ASN1_TYPE_free(a->value.single);
-        OPENSSL_free(a);
-        }
-
diff --git a/src/lib/libcrypto/asn1/x_bignum.c b/src/lib/libcrypto/asn1/x_bignum.c
new file mode 100644
index 0000000000..848c7a0877
--- /dev/null
+++ b/src/lib/libcrypto/asn1/x_bignum.c
@@ -0,0 +1,137 @@
+/* x_bignum.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/asn1t.h>
+
+/* Custom primitive type for BIGNUM handling. This reads in an ASN1_INTEGER as a
+ * BIGNUM directly. Currently it ignores the sign which isn't a problem since all
+ * BIGNUMs used are non negative and anything that looks negative is normally due
+ * to an encoding error.
+ */
+
+#define BN_SENSITIVE    1
+
+static int bn_new(ASN1_VALUE **pval, const ASN1_ITEM *it);
+static void bn_free(ASN1_VALUE **pval, const ASN1_ITEM *it);
+
+static int bn_i2c(ASN1_VALUE **pval, unsigned char *cont, int *putype, const ASN1_ITEM *it);
+static int bn_c2i(ASN1_VALUE **pval, unsigned char *cont, int len, int utype, char *free_cont, const ASN1_ITEM *it);
+
+static ASN1_PRIMITIVE_FUNCS bignum_pf = {
+        NULL, 0,
+        bn_new,
+        bn_free,
+        0,
+        bn_c2i,
+        bn_i2c
+};
+
+ASN1_ITEM_start(BIGNUM)
+        ASN1_ITYPE_PRIMITIVE, V_ASN1_INTEGER, NULL, 0, &bignum_pf, 0, "BIGNUM"
+ASN1_ITEM_end(BIGNUM)
+
+ASN1_ITEM_start(CBIGNUM)
+        ASN1_ITYPE_PRIMITIVE, V_ASN1_INTEGER, NULL, 0, &bignum_pf, BN_SENSITIVE, "BIGNUM"
+ASN1_ITEM_end(CBIGNUM)
+
+static int bn_new(ASN1_VALUE **pval, const ASN1_ITEM *it)
+{
+        *pval = (ASN1_VALUE *)BN_new();
+        if(*pval) return 1;
+        else return 0;
+}
+
+static void bn_free(ASN1_VALUE **pval, const ASN1_ITEM *it)
+{
+        if(!*pval) return;
+        if(it->size & BN_SENSITIVE) BN_clear_free((BIGNUM *)*pval);
+        else BN_free((BIGNUM *)*pval);
+        *pval = NULL;
+}
+
+static int bn_i2c(ASN1_VALUE **pval, unsigned char *cont, int *putype, const ASN1_ITEM *it)
+{
+        BIGNUM *bn;
+        int pad;
+        if(!*pval) return -1;
+        bn = (BIGNUM *)*pval;
+        /* If MSB set in an octet we need a padding byte */
+        if(BN_num_bits(bn) & 0x7) pad = 0;
+        else pad = 1;
+        if(cont) {
+                if(pad) *cont++ = 0;
+                BN_bn2bin(bn, cont);
+        }
+        return pad + BN_num_bytes(bn);
+}
+
+static int bn_c2i(ASN1_VALUE **pval, unsigned char *cont, int len, int utype, char *free_cont, const ASN1_ITEM *it)
+{
+        BIGNUM *bn;
+        if(!*pval) bn_new(pval, it);
+        bn  = (BIGNUM *)*pval;
+        if(!BN_bin2bn(cont, len, bn)) {
+                bn_free(pval, it);
+                return 0;
+        }
+        return 1;
+}
+
+
diff --git a/src/lib/libcrypto/asn1/x_crl.c b/src/lib/libcrypto/asn1/x_crl.c
index 51518cdf35..11fce96825 100644
--- a/src/lib/libcrypto/asn1/x_crl.c
+++ b/src/lib/libcrypto/asn1/x_crl.c
@@ -58,275 +58,76 @@
 
 #include <stdio.h>
 #include "cryptlib.h"
-#include <openssl/asn1_mac.h>
+#include <openssl/asn1t.h>
 #include <openssl/x509.h>
 
 static int X509_REVOKED_cmp(const X509_REVOKED * const *a,
                                 const X509_REVOKED * const *b);
 static int X509_REVOKED_seq_cmp(const X509_REVOKED * const *a,
                                 const X509_REVOKED * const *b);
-int i2d_X509_REVOKED(X509_REVOKED *a, unsigned char **pp)
-        {
-        M_ASN1_I2D_vars(a);
-
-        M_ASN1_I2D_len(a->serialNumber,i2d_ASN1_INTEGER);
-        M_ASN1_I2D_len(a->revocationDate,i2d_ASN1_TIME);
-        M_ASN1_I2D_len_SEQUENCE_opt_ex_type(X509_EXTENSION,a->extensions,
-                                         i2d_X509_EXTENSION);
-
-        M_ASN1_I2D_seq_total();
 
-        M_ASN1_I2D_put(a->serialNumber,i2d_ASN1_INTEGER);
-        M_ASN1_I2D_put(a->revocationDate,i2d_ASN1_TIME);
-        M_ASN1_I2D_put_SEQUENCE_opt_ex_type(X509_EXTENSION,a->extensions,
-                                         i2d_X509_EXTENSION);
-
-        M_ASN1_I2D_finish();
-        }
-
-X509_REVOKED *d2i_X509_REVOKED(X509_REVOKED **a, unsigned char **pp,
-             long length)
-        {
-        M_ASN1_D2I_vars(a,X509_REVOKED *,X509_REVOKED_new);
-
-        M_ASN1_D2I_Init();
-        M_ASN1_D2I_start_sequence();
-        M_ASN1_D2I_get(ret->serialNumber,d2i_ASN1_INTEGER);
-        M_ASN1_D2I_get(ret->revocationDate,d2i_ASN1_TIME);
-        M_ASN1_D2I_get_seq_opt_type(X509_EXTENSION,ret->extensions,
-                                    d2i_X509_EXTENSION,X509_EXTENSION_free);
-        M_ASN1_D2I_Finish(a,X509_REVOKED_free,ASN1_F_D2I_X509_REVOKED);
-        }
-
-int i2d_X509_CRL_INFO(X509_CRL_INFO *a, unsigned char **pp)
-        {
-        int v1=0;
-        long l=0;
+ASN1_SEQUENCE(X509_REVOKED) = {
+        ASN1_SIMPLE(X509_REVOKED,serialNumber, ASN1_INTEGER),
+        ASN1_SIMPLE(X509_REVOKED,revocationDate, ASN1_TIME),
+        ASN1_SEQUENCE_OF_OPT(X509_REVOKED,extensions, X509_EXTENSION)
+} ASN1_SEQUENCE_END(X509_REVOKED)
+
+/* The X509_CRL_INFO structure needs a bit of customisation. This is actually
+ * mirroring the old behaviour: its purpose is to allow the use of
+ * sk_X509_REVOKED_find to lookup revoked certificates. Unfortunately
+ * this will zap the original order and the signature so we keep a copy
+ * of the original positions and reorder appropriately before encoding.
+ *
+ * Might want to see if there's a better way of doing this later...
+ */
+static int crl_inf_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it)
+{
+        X509_CRL_INFO *a = (X509_CRL_INFO *)*pval;
+        int i;
         int (*old_cmp)(const X509_REVOKED * const *,
                         const X509_REVOKED * const *);
-        M_ASN1_I2D_vars(a);
-        
-        old_cmp=sk_X509_REVOKED_set_cmp_func(a->revoked,X509_REVOKED_seq_cmp);
-        sk_X509_REVOKED_sort(a->revoked);
-        sk_X509_REVOKED_set_cmp_func(a->revoked,old_cmp);
-
-        if ((a->version != NULL) && ((l=ASN1_INTEGER_get(a->version)) != 0))
-                {
-                M_ASN1_I2D_len(a->version,i2d_ASN1_INTEGER);
-                }
-        M_ASN1_I2D_len(a->sig_alg,i2d_X509_ALGOR);
-        M_ASN1_I2D_len(a->issuer,i2d_X509_NAME);
-        M_ASN1_I2D_len(a->lastUpdate,i2d_ASN1_TIME);
-        if (a->nextUpdate != NULL)
-                { M_ASN1_I2D_len(a->nextUpdate,i2d_ASN1_TIME); }
-        M_ASN1_I2D_len_SEQUENCE_opt_type(X509_REVOKED,a->revoked,
-                                         i2d_X509_REVOKED);
-        M_ASN1_I2D_len_EXP_SEQUENCE_opt_ex_type(X509_EXTENSION,a->extensions,
-                                             i2d_X509_EXTENSION,0,
-                                             V_ASN1_SEQUENCE,v1);
-
-        M_ASN1_I2D_seq_total();
-
-        if ((a->version != NULL) && (l != 0))
-                {
-                M_ASN1_I2D_put(a->version,i2d_ASN1_INTEGER);
-                }
-        M_ASN1_I2D_put(a->sig_alg,i2d_X509_ALGOR);
-        M_ASN1_I2D_put(a->issuer,i2d_X509_NAME);
-        M_ASN1_I2D_put(a->lastUpdate,i2d_ASN1_TIME);
-        if (a->nextUpdate != NULL)
-                { M_ASN1_I2D_put(a->nextUpdate,i2d_ASN1_TIME); }
-        M_ASN1_I2D_put_SEQUENCE_opt_type(X509_REVOKED,a->revoked,
-                                         i2d_X509_REVOKED);
-        M_ASN1_I2D_put_EXP_SEQUENCE_opt_ex_type(X509_EXTENSION,a->extensions,
-                                             i2d_X509_EXTENSION,0,
-                                             V_ASN1_SEQUENCE,v1);
 
-        M_ASN1_I2D_finish();
-        }
-
-X509_CRL_INFO *d2i_X509_CRL_INFO(X509_CRL_INFO **a, unsigned char **pp,
-             long length)
-        {
-        int i,ver=0;
-        M_ASN1_D2I_vars(a,X509_CRL_INFO *,X509_CRL_INFO_new);
-
-
-        M_ASN1_D2I_Init();
-        M_ASN1_D2I_start_sequence();
-        M_ASN1_D2I_get_opt(ret->version,d2i_ASN1_INTEGER,V_ASN1_INTEGER);
-        if (ret->version != NULL)
-                ver=ret->version->data[0];
-        
-        if ((ver == 0) && (ret->version != NULL))
-                {
-                M_ASN1_INTEGER_free(ret->version);
-                ret->version=NULL;
-                }
-        M_ASN1_D2I_get(ret->sig_alg,d2i_X509_ALGOR);
-        M_ASN1_D2I_get(ret->issuer,d2i_X509_NAME);
-        M_ASN1_D2I_get(ret->lastUpdate,d2i_ASN1_TIME);
-        /* Manually handle the OPTIONAL ASN1_TIME stuff */
-        /* First try UTCTime */
-        M_ASN1_D2I_get_opt(ret->nextUpdate,d2i_ASN1_UTCTIME, V_ASN1_UTCTIME);
-        /* If that doesn't work try GeneralizedTime */
-        if(!ret->nextUpdate) 
-                M_ASN1_D2I_get_opt(ret->nextUpdate,d2i_ASN1_GENERALIZEDTIME,
-                                                        V_ASN1_GENERALIZEDTIME);
-        if (ret->revoked != NULL)
-                {
-                while (sk_X509_REVOKED_num(ret->revoked))
-                        X509_REVOKED_free(sk_X509_REVOKED_pop(ret->revoked));
-                }
-        M_ASN1_D2I_get_seq_opt_type(X509_REVOKED,ret->revoked,d2i_X509_REVOKED,
-                                    X509_REVOKED_free);
-
-        if (ret->revoked != NULL)
-                {
-                for (i=0; i<sk_X509_REVOKED_num(ret->revoked); i++)
-                        {
-                        sk_X509_REVOKED_value(ret->revoked,i)->sequence=i;
-                        }
-                }
-
-        if (ret->extensions != NULL)
-                {
-                while (sk_X509_EXTENSION_num(ret->extensions))
-                        X509_EXTENSION_free(
-                        sk_X509_EXTENSION_pop(ret->extensions));
-                }
-                
-        M_ASN1_D2I_get_EXP_set_opt_type(X509_EXTENSION,ret->extensions,
-                                        d2i_X509_EXTENSION,
-                                        X509_EXTENSION_free,0,
-                                        V_ASN1_SEQUENCE);
-
-        M_ASN1_D2I_Finish(a,X509_CRL_INFO_free,ASN1_F_D2I_X509_CRL_INFO);
-        }
-
-int i2d_X509_CRL(X509_CRL *a, unsigned char **pp)
-        {
-        M_ASN1_I2D_vars(a);
-
-        M_ASN1_I2D_len(a->crl,i2d_X509_CRL_INFO);
-        M_ASN1_I2D_len(a->sig_alg,i2d_X509_ALGOR);
-        M_ASN1_I2D_len(a->signature,i2d_ASN1_BIT_STRING);
-
-        M_ASN1_I2D_seq_total();
-
-        M_ASN1_I2D_put(a->crl,i2d_X509_CRL_INFO);
-        M_ASN1_I2D_put(a->sig_alg,i2d_X509_ALGOR);
-        M_ASN1_I2D_put(a->signature,i2d_ASN1_BIT_STRING);
-
-        M_ASN1_I2D_finish();
-        }
-
-X509_CRL *d2i_X509_CRL(X509_CRL **a, unsigned char **pp, long length)
-        {
-        M_ASN1_D2I_vars(a,X509_CRL *,X509_CRL_new);
-
-        M_ASN1_D2I_Init();
-        M_ASN1_D2I_start_sequence();
-        M_ASN1_D2I_get(ret->crl,d2i_X509_CRL_INFO);
-        M_ASN1_D2I_get(ret->sig_alg,d2i_X509_ALGOR);
-        M_ASN1_D2I_get(ret->signature,d2i_ASN1_BIT_STRING);
-
-        M_ASN1_D2I_Finish(a,X509_CRL_free,ASN1_F_D2I_X509_CRL);
-        }
-
-
-X509_REVOKED *X509_REVOKED_new(void)
-        {
-        X509_REVOKED *ret=NULL;
-        ASN1_CTX c;
-
-        M_ASN1_New_Malloc(ret,X509_REVOKED);
-        M_ASN1_New(ret->serialNumber,M_ASN1_INTEGER_new);
-        M_ASN1_New(ret->revocationDate,M_ASN1_UTCTIME_new);
-        ret->extensions=NULL;
-        return(ret);
-        M_ASN1_New_Error(ASN1_F_X509_REVOKED_NEW);
-        }
-
-X509_CRL_INFO *X509_CRL_INFO_new(void)
-        {
-        X509_CRL_INFO *ret=NULL;
-        ASN1_CTX c;
-
-        M_ASN1_New_Malloc(ret,X509_CRL_INFO);
-        ret->version=NULL;
-        M_ASN1_New(ret->sig_alg,X509_ALGOR_new);
-        M_ASN1_New(ret->issuer,X509_NAME_new);
-        M_ASN1_New(ret->lastUpdate,M_ASN1_UTCTIME_new);
-        ret->nextUpdate=NULL;
-        M_ASN1_New(ret->revoked,sk_X509_REVOKED_new_null);
-        ret->extensions = NULL;
-        sk_X509_REVOKED_set_cmp_func(ret->revoked,X509_REVOKED_cmp);
-        return(ret);
-        M_ASN1_New_Error(ASN1_F_X509_CRL_INFO_NEW);
-        }
-
-X509_CRL *X509_CRL_new(void)
-        {
-        X509_CRL *ret=NULL;
-        ASN1_CTX c;
-
-        M_ASN1_New_Malloc(ret,X509_CRL);
-        ret->references=1;
-        M_ASN1_New(ret->crl,X509_CRL_INFO_new);
-        M_ASN1_New(ret->sig_alg,X509_ALGOR_new);
-        M_ASN1_New(ret->signature,M_ASN1_BIT_STRING_new);
-        return(ret);
-        M_ASN1_New_Error(ASN1_F_X509_CRL_NEW);
-        }
-
-void X509_REVOKED_free(X509_REVOKED *a)
-        {
-        if (a == NULL) return;
-        M_ASN1_INTEGER_free(a->serialNumber);
-        M_ASN1_UTCTIME_free(a->revocationDate);
-        sk_X509_EXTENSION_pop_free(a->extensions,X509_EXTENSION_free);
-        OPENSSL_free(a);
-        }
-
-void X509_CRL_INFO_free(X509_CRL_INFO *a)
-        {
-        if (a == NULL) return;
-        M_ASN1_INTEGER_free(a->version);
-        X509_ALGOR_free(a->sig_alg);
-        X509_NAME_free(a->issuer);
-        M_ASN1_UTCTIME_free(a->lastUpdate);
-        if (a->nextUpdate)
-                M_ASN1_UTCTIME_free(a->nextUpdate);
-        sk_X509_REVOKED_pop_free(a->revoked,X509_REVOKED_free);
-        sk_X509_EXTENSION_pop_free(a->extensions,X509_EXTENSION_free);
-        OPENSSL_free(a);
-        }
-
-void X509_CRL_free(X509_CRL *a)
-        {
-        int i;
-
-        if (a == NULL) return;
-
-        i=CRYPTO_add(&a->references,-1,CRYPTO_LOCK_X509_CRL);
-#ifdef REF_PRINT
-        REF_PRINT("X509_CRL",a);
-#endif
-        if (i > 0) return;
-#ifdef REF_CHECK
-        if (i < 0)
-                {
-                fprintf(stderr,"X509_CRL_free, bad reference count\n");
-                abort();
-                }
-#endif
-
-        X509_CRL_INFO_free(a->crl);
-        X509_ALGOR_free(a->sig_alg);
-        M_ASN1_BIT_STRING_free(a->signature);
-        OPENSSL_free(a);
+        if(!a || !a->revoked) return 1;
+        switch(operation) {
+
+                /* Save original order */
+                case ASN1_OP_D2I_POST:
+                for (i=0; i<sk_X509_REVOKED_num(a->revoked); i++)
+                        sk_X509_REVOKED_value(a->revoked,i)->sequence=i;
+                sk_X509_REVOKED_set_cmp_func(a->revoked,X509_REVOKED_cmp);
+                break;
+
+                /* Restore original order */
+                case ASN1_OP_I2D_PRE:
+                old_cmp=sk_X509_REVOKED_set_cmp_func(a->revoked,X509_REVOKED_seq_cmp);
+                sk_X509_REVOKED_sort(a->revoked);
+                sk_X509_REVOKED_set_cmp_func(a->revoked,old_cmp);
+                break;
         }
+        return 1;
+}
+
+
+ASN1_SEQUENCE_cb(X509_CRL_INFO, crl_inf_cb) = {
+        ASN1_OPT(X509_CRL_INFO, version, ASN1_INTEGER),
+        ASN1_SIMPLE(X509_CRL_INFO, sig_alg, X509_ALGOR),
+        ASN1_SIMPLE(X509_CRL_INFO, issuer, X509_NAME),
+        ASN1_SIMPLE(X509_CRL_INFO, lastUpdate, ASN1_TIME),
+        ASN1_OPT(X509_CRL_INFO, nextUpdate, ASN1_TIME),
+        ASN1_SEQUENCE_OF_OPT(X509_CRL_INFO, revoked, X509_REVOKED),
+        ASN1_EXP_SEQUENCE_OF_OPT(X509_CRL_INFO, extensions, X509_EXTENSION, 0)
+} ASN1_SEQUENCE_END_cb(X509_CRL_INFO, X509_CRL_INFO)
+
+ASN1_SEQUENCE_ref(X509_CRL, 0, CRYPTO_LOCK_X509_CRL) = {
+        ASN1_SIMPLE(X509_CRL, crl, X509_CRL_INFO),
+        ASN1_SIMPLE(X509_CRL, sig_alg, X509_ALGOR),
+        ASN1_SIMPLE(X509_CRL, signature, ASN1_BIT_STRING)
+} ASN1_SEQUENCE_END_ref(X509_CRL, X509_CRL)
+
+IMPLEMENT_ASN1_FUNCTIONS(X509_REVOKED)
+IMPLEMENT_ASN1_FUNCTIONS(X509_CRL_INFO)
+IMPLEMENT_ASN1_FUNCTIONS(X509_CRL)
+IMPLEMENT_ASN1_DUP_FUNCTION(X509_CRL)
 
 static int X509_REVOKED_cmp(const X509_REVOKED * const *a,
                         const X509_REVOKED * const *b)
@@ -342,6 +143,19 @@ static int X509_REVOKED_seq_cmp(const X509_REVOKED * const *a,
         return((*a)->sequence-(*b)->sequence);
         }
 
+int X509_CRL_add0_revoked(X509_CRL *crl, X509_REVOKED *rev)
+{
+        X509_CRL_INFO *inf;
+        inf = crl->crl;
+        if(!inf->revoked)
+                inf->revoked = sk_X509_REVOKED_new(X509_REVOKED_cmp);
+        if(!inf->revoked || !sk_X509_REVOKED_push(inf->revoked, rev)) {
+                ASN1err(ASN1_F_X509_CRL_ADD0_REVOKED, ERR_R_MALLOC_FAILURE);
+                return 0;
+        }
+        return 1;
+}
+
 IMPLEMENT_STACK_OF(X509_REVOKED)
 IMPLEMENT_ASN1_SET_OF(X509_REVOKED)
 IMPLEMENT_STACK_OF(X509_CRL)
diff --git a/src/lib/libcrypto/asn1/x_exten.c b/src/lib/libcrypto/asn1/x_exten.c
index fbfd963b40..702421b6c8 100644
--- a/src/lib/libcrypto/asn1/x_exten.c
+++ b/src/lib/libcrypto/asn1/x_exten.c
@@ -1,139 +1,71 @@
-/* crypto/asn1/x_exten.c */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
+/* x_exten.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
  *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- * 
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- * 
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- * 
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
  * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from 
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- * 
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- * 
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
  */
 
-#include <stdio.h>
-#include "cryptlib.h"
-#include <openssl/objects.h>
-#include <openssl/asn1_mac.h>
+#include <stddef.h>
 #include <openssl/x509.h>
+#include <openssl/asn1.h>
+#include <openssl/asn1t.h>
 
-int i2d_X509_EXTENSION(X509_EXTENSION *a, unsigned char **pp)
-        {
-        int k=0;
-        int r=0,ret=0;
-        unsigned char **p=NULL;
-
-        if (a == NULL) return(0);
-
-        p=NULL;
-        for (;;)
-                {
-                if (k)
-                        {
-                        r=ASN1_object_size(1,ret,V_ASN1_SEQUENCE);
-                        if (pp == NULL) return(r);
-                        p=pp;
-                        ASN1_put_object(p,1,ret,V_ASN1_SEQUENCE,
-                                V_ASN1_UNIVERSAL);
-                        }
-
-                ret+=i2d_ASN1_OBJECT(a->object,p);
-                if ((a->critical) || a->netscape_hack)
-                        ret+=i2d_ASN1_BOOLEAN(a->critical,p);
-                ret+=i2d_ASN1_OCTET_STRING(a->value,p);
-                if (k++) return(r);
-                }
-        }
-
-X509_EXTENSION *d2i_X509_EXTENSION(X509_EXTENSION **a, unsigned char **pp,
-             long length)
-        {
-        int i;
-        M_ASN1_D2I_vars(a,X509_EXTENSION *,X509_EXTENSION_new);
-
-        M_ASN1_D2I_Init();
-        M_ASN1_D2I_start_sequence();
-        M_ASN1_D2I_get(ret->object,d2i_ASN1_OBJECT);
-
-        ret->netscape_hack=0;
-        if ((c.slen != 0) &&
-                (M_ASN1_next == (V_ASN1_UNIVERSAL|V_ASN1_BOOLEAN)))
-                {
-                c.q=c.p;
-                if (d2i_ASN1_BOOLEAN(&i,&c.p,c.slen) < 0) goto err;
-                ret->critical=i;
-                c.slen-=(c.p-c.q);
-                if (ret->critical == 0) ret->netscape_hack=1;
-                }
-        M_ASN1_D2I_get(ret->value,d2i_ASN1_OCTET_STRING);
-
-        M_ASN1_D2I_Finish(a,X509_EXTENSION_free,ASN1_F_D2I_X509_EXTENSION);
-        }
-
-X509_EXTENSION *X509_EXTENSION_new(void)
-        {
-        X509_EXTENSION *ret=NULL;
-        ASN1_CTX c;
-
-        M_ASN1_New_Malloc(ret,X509_EXTENSION);
-        ret->object=OBJ_nid2obj(NID_undef);
-        M_ASN1_New(ret->value,M_ASN1_OCTET_STRING_new);
-        ret->critical=0;
-        ret->netscape_hack=0;
-        return(ret);
-        M_ASN1_New_Error(ASN1_F_X509_EXTENSION_NEW);
-        }
-        
-void X509_EXTENSION_free(X509_EXTENSION *a)
-        {
-        if (a == NULL) return;
-        ASN1_OBJECT_free(a->object);
-        M_ASN1_OCTET_STRING_free(a->value);
-        OPENSSL_free(a);
-        }
+ASN1_SEQUENCE(X509_EXTENSION) = {
+        ASN1_SIMPLE(X509_EXTENSION, object, ASN1_OBJECT),
+        ASN1_OPT(X509_EXTENSION, critical, ASN1_BOOLEAN),
+        ASN1_SIMPLE(X509_EXTENSION, value, ASN1_OCTET_STRING)
+} ASN1_SEQUENCE_END(X509_EXTENSION)
 
+IMPLEMENT_ASN1_FUNCTIONS(X509_EXTENSION)
+IMPLEMENT_ASN1_DUP_FUNCTION(X509_EXTENSION)
diff --git a/src/lib/libcrypto/asn1/x_info.c b/src/lib/libcrypto/asn1/x_info.c
index 5e62fc2f6f..d44f6cdb01 100644
--- a/src/lib/libcrypto/asn1/x_info.c
+++ b/src/lib/libcrypto/asn1/x_info.c
@@ -59,7 +59,7 @@
 #include <stdio.h>
 #include "cryptlib.h"
 #include <openssl/evp.h>
-#include <openssl/asn1_mac.h>
+#include <openssl/asn1.h>
 #include <openssl/x509.h>
 
 X509_INFO *X509_INFO_new(void)
diff --git a/src/lib/libcrypto/asn1/x_long.c b/src/lib/libcrypto/asn1/x_long.c
new file mode 100644
index 0000000000..c5f25956cb
--- /dev/null
+++ b/src/lib/libcrypto/asn1/x_long.c
@@ -0,0 +1,169 @@
+/* x_long.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/asn1t.h>
+
+/* Custom primitive type for long handling. This converts between an ASN1_INTEGER
+ * and a long directly.
+ */
+
+
+static int long_new(ASN1_VALUE **pval, const ASN1_ITEM *it);
+static void long_free(ASN1_VALUE **pval, const ASN1_ITEM *it);
+
+static int long_i2c(ASN1_VALUE **pval, unsigned char *cont, int *putype, const ASN1_ITEM *it);
+static int long_c2i(ASN1_VALUE **pval, unsigned char *cont, int len, int utype, char *free_cont, const ASN1_ITEM *it);
+
+static ASN1_PRIMITIVE_FUNCS long_pf = {
+        NULL, 0,
+        long_new,
+        long_free,
+        long_free,      /* Clear should set to initial value */
+        long_c2i,
+        long_i2c
+};
+
+ASN1_ITEM_start(LONG)
+        ASN1_ITYPE_PRIMITIVE, V_ASN1_INTEGER, NULL, 0, &long_pf, ASN1_LONG_UNDEF, "LONG"
+ASN1_ITEM_end(LONG)
+
+ASN1_ITEM_start(ZLONG)
+        ASN1_ITYPE_PRIMITIVE, V_ASN1_INTEGER, NULL, 0, &long_pf, 0, "ZLONG"
+ASN1_ITEM_end(ZLONG)
+
+static int long_new(ASN1_VALUE **pval, const ASN1_ITEM *it)
+{
+        *(long *)pval = it->size;
+        return 1;
+}
+
+static void long_free(ASN1_VALUE **pval, const ASN1_ITEM *it)
+{
+        *(long *)pval = it->size;
+}
+
+static int long_i2c(ASN1_VALUE **pval, unsigned char *cont, int *putype, const ASN1_ITEM *it)
+{
+        long ltmp;
+        unsigned long utmp;
+        int clen, pad, i;
+        /* this exists to bypass broken gcc optimization */
+        char *cp = (char *)pval;
+
+        /* use memcpy, because we may not be long aligned */
+        memcpy(&ltmp, cp, sizeof(long));
+
+        if(ltmp == it->size) return -1;
+        /* Convert the long to positive: we subtract one if negative so
+         * we can cleanly handle the padding if only the MSB of the leading
+         * octet is set. 
+         */
+        if(ltmp < 0) utmp = -ltmp - 1;
+        else utmp = ltmp;
+        clen = BN_num_bits_word(utmp);
+        /* If MSB of leading octet set we need to pad */
+        if(!(clen & 0x7)) pad = 1;
+        else pad = 0;
+
+        /* Convert number of bits to number of octets */
+        clen = (clen + 7) >> 3;
+
+        if(cont) {
+                if(pad) *cont++ = (ltmp < 0) ? 0xff : 0;
+                for(i = clen - 1; i >= 0; i--) {
+                        cont[i] = (unsigned char)(utmp & 0xff);
+                        if(ltmp < 0) cont[i] ^= 0xff;
+                        utmp >>= 8;
+                }
+        }
+        return clen + pad;
+}
+
+static int long_c2i(ASN1_VALUE **pval, unsigned char *cont, int len, int utype, char *free_cont, const ASN1_ITEM *it)
+{
+        int neg, i;
+        long ltmp;
+        unsigned long utmp = 0;
+        char *cp = (char *)pval;
+        if(len > sizeof(long)) {
+                ASN1err(ASN1_F_LONG_C2I, ASN1_R_INTEGER_TOO_LARGE_FOR_LONG);
+                return 0;
+        }
+        /* Is it negative? */
+        if(len && (cont[0] & 0x80)) neg = 1;
+        else neg = 0;
+        utmp = 0;
+        for(i = 0; i < len; i++) {
+                utmp <<= 8;
+                if(neg) utmp |= cont[i] ^ 0xff;
+                else utmp |= cont[i];
+        }
+        ltmp = (long)utmp;
+        if(neg) {
+                ltmp++;
+                ltmp = -ltmp;
+        }
+        if(ltmp == it->size) {
+                ASN1err(ASN1_F_LONG_C2I, ASN1_R_INTEGER_TOO_LARGE_FOR_LONG);
+                return 0;
+        }
+        memcpy(cp, &ltmp, sizeof(long));
+        return 1;
+}
diff --git a/src/lib/libcrypto/asn1/x_name.c b/src/lib/libcrypto/asn1/x_name.c
index 1885d699ef..caece0f158 100644
--- a/src/lib/libcrypto/asn1/x_name.c
+++ b/src/lib/libcrypto/asn1/x_name.c
@@ -58,212 +58,203 @@
 
 #include <stdio.h>
 #include "cryptlib.h"
-#include <openssl/objects.h>
-#include <openssl/asn1_mac.h>
+#include <openssl/asn1t.h>
 #include <openssl/x509.h>
 
-static int i2d_X509_NAME_entries(X509_NAME *a);
-int i2d_X509_NAME_ENTRY(X509_NAME_ENTRY *a, unsigned char **pp)
-        {
-        M_ASN1_I2D_vars(a);
+static int x509_name_ex_d2i(ASN1_VALUE **val, unsigned char **in, long len, const ASN1_ITEM *it,
+                                        int tag, int aclass, char opt, ASN1_TLC *ctx);
 
-        M_ASN1_I2D_len(a->object,i2d_ASN1_OBJECT);
-        M_ASN1_I2D_len(a->value,i2d_ASN1_PRINTABLE);
+static int x509_name_ex_i2d(ASN1_VALUE **val, unsigned char **out, const ASN1_ITEM *it, int tag, int aclass);
+static int x509_name_ex_new(ASN1_VALUE **val, const ASN1_ITEM *it);
+static void x509_name_ex_free(ASN1_VALUE **val, const ASN1_ITEM *it);
 
-        M_ASN1_I2D_seq_total();
+static int x509_name_encode(X509_NAME *a);
 
-        M_ASN1_I2D_put(a->object,i2d_ASN1_OBJECT);
-        M_ASN1_I2D_put(a->value,i2d_ASN1_PRINTABLE);
+ASN1_SEQUENCE(X509_NAME_ENTRY) = {
+        ASN1_SIMPLE(X509_NAME_ENTRY, object, ASN1_OBJECT),
+        ASN1_SIMPLE(X509_NAME_ENTRY, value, ASN1_PRINTABLE)
+} ASN1_SEQUENCE_END(X509_NAME_ENTRY)
 
-        M_ASN1_I2D_finish();
-        }
+IMPLEMENT_ASN1_FUNCTIONS(X509_NAME_ENTRY)
+IMPLEMENT_ASN1_DUP_FUNCTION(X509_NAME_ENTRY)
 
-X509_NAME_ENTRY *d2i_X509_NAME_ENTRY(X509_NAME_ENTRY **a, unsigned char **pp,
-             long length)
-        {
-        M_ASN1_D2I_vars(a,X509_NAME_ENTRY *,X509_NAME_ENTRY_new);
+/* For the "Name" type we need a SEQUENCE OF { SET OF X509_NAME_ENTRY }
+ * so declare two template wrappers for this
+ */
 
-        M_ASN1_D2I_Init();
-        M_ASN1_D2I_start_sequence();
-        M_ASN1_D2I_get(ret->object,d2i_ASN1_OBJECT);
-        M_ASN1_D2I_get(ret->value,d2i_ASN1_PRINTABLE);
-        ret->set=0;
-        M_ASN1_D2I_Finish(a,X509_NAME_ENTRY_free,ASN1_F_D2I_X509_NAME_ENTRY);
-        }
+ASN1_ITEM_TEMPLATE(X509_NAME_ENTRIES) =
+        ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SET_OF, 0, RDNS, X509_NAME_ENTRY)
+ASN1_ITEM_TEMPLATE_END(X509_NAME_ENTRIES)
 
-int i2d_X509_NAME(X509_NAME *a, unsigned char **pp)
-        {
-        int ret;
+ASN1_ITEM_TEMPLATE(X509_NAME_INTERNAL) =
+        ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, Name, X509_NAME_ENTRIES)
+ASN1_ITEM_TEMPLATE_END(X509_NAME_INTERNAL)
 
-        if (a == NULL) return(0);
-        if (a->modified)
-                {
-                ret=i2d_X509_NAME_entries(a);
-                if (ret < 0) return(ret);
-                }
-
-        ret=a->bytes->length;
-        if (pp != NULL)
-                {
-                memcpy(*pp,a->bytes->data,ret);
-                *pp+=ret;
-                }
-        return(ret);
-        }
-
-static int i2d_X509_NAME_entries(X509_NAME *a)
-        {
-        X509_NAME_ENTRY *ne,*fe=NULL;
-        STACK_OF(X509_NAME_ENTRY) *sk;
-        BUF_MEM *buf=NULL;
-        int set=0,r,ret=0;
-        int i;
-        unsigned char *p;
-        int size=0;
+/* Normally that's where it would end: we'd have two nested STACK structures
+ * representing the ASN1. Unfortunately X509_NAME uses a completely different
+ * form and caches encodings so we have to process the internal form and convert
+ * to the external form.
+ */
 
-        sk=a->entries;
-        for (i=0; i<sk_X509_NAME_ENTRY_num(sk); i++)
-                {
-                ne=sk_X509_NAME_ENTRY_value(sk,i);
-                if (fe == NULL)
-                        {
-                        fe=ne;
-                        size=0;
-                        }
+const ASN1_EXTERN_FUNCS x509_name_ff = {
+        NULL,
+        x509_name_ex_new,
+        x509_name_ex_free,
+        0,      /* Default clear behaviour is OK */
+        x509_name_ex_d2i,
+        x509_name_ex_i2d
+};
+
+IMPLEMENT_EXTERN_ASN1(X509_NAME, V_ASN1_SEQUENCE, x509_name_ff) 
+
+IMPLEMENT_ASN1_FUNCTIONS(X509_NAME)
+IMPLEMENT_ASN1_DUP_FUNCTION(X509_NAME)
+
+static int x509_name_ex_new(ASN1_VALUE **val, const ASN1_ITEM *it)
+{
+        X509_NAME *ret = NULL;
+        ret = OPENSSL_malloc(sizeof(X509_NAME));
+        if(!ret) goto memerr;
+        if ((ret->entries=sk_X509_NAME_ENTRY_new_null()) == NULL)
+                goto memerr;
+        if((ret->bytes = BUF_MEM_new()) == NULL) goto memerr;
+        ret->modified=1;
+        *val = (ASN1_VALUE *)ret;
+        return 1;
 
-                if (ne->set != set)
-                        {
-                        ret+=ASN1_object_size(1,size,V_ASN1_SET);
-                        fe->size=size;
-                        fe=ne;
-                        size=0;
-                        set=ne->set;
-                        }
-                size+=i2d_X509_NAME_ENTRY(ne,NULL);
-                }
-        if (fe != NULL)
+ memerr:
+        ASN1err(ASN1_F_X509_NAME_NEW, ERR_R_MALLOC_FAILURE);
+        if (ret)
                 {
-                /* SET OF needed only if entries is non empty */
-                ret+=ASN1_object_size(1,size,V_ASN1_SET);
-                fe->size=size;
+                if (ret->entries)
+                        sk_X509_NAME_ENTRY_free(ret->entries);
+                OPENSSL_free(ret);
                 }
+        return 0;
+}
 
-        r=ASN1_object_size(1,ret,V_ASN1_SEQUENCE);
-
-        buf=a->bytes;
-        if (!BUF_MEM_grow(buf,r)) goto err;
-        p=(unsigned char *)buf->data;
-
-        ASN1_put_object(&p,1,ret,V_ASN1_SEQUENCE,V_ASN1_UNIVERSAL);
-
-        set= -1;
-        for (i=0; i<sk_X509_NAME_ENTRY_num(sk); i++)
-                {
-                ne=sk_X509_NAME_ENTRY_value(sk,i);
-                if (set != ne->set)
-                        {
-                        set=ne->set;
-                        ASN1_put_object(&p,1,ne->size,
-                                V_ASN1_SET,V_ASN1_UNIVERSAL);
-                        }
-                i2d_X509_NAME_ENTRY(ne,&p);
-                }
-        a->modified=0;
-        return(r);
-err:
-        return(-1);
-        }
+static void x509_name_ex_free(ASN1_VALUE **pval, const ASN1_ITEM *it)
+{
+        X509_NAME *a;
+        if(!pval || !*pval)
+            return;
+        a = (X509_NAME *)*pval;
 
-X509_NAME *d2i_X509_NAME(X509_NAME **a, unsigned char **pp, long length)
-        {
-        int set=0,i;
-        int idx=0;
-        unsigned char *orig;
-        M_ASN1_D2I_vars(a,X509_NAME *,X509_NAME_new);
+        BUF_MEM_free(a->bytes);
+        sk_X509_NAME_ENTRY_pop_free(a->entries,X509_NAME_ENTRY_free);
+        OPENSSL_free(a);
+        *pval = NULL;
+}
 
-        orig= *pp;
-        if (sk_X509_NAME_ENTRY_num(ret->entries) > 0)
-                {
-                while (sk_X509_NAME_ENTRY_num(ret->entries) > 0)
-                        X509_NAME_ENTRY_free(
-                                       sk_X509_NAME_ENTRY_pop(ret->entries));
-                }
+/* Used with sk_pop_free() to free up the internal representation.
+ * NB: we only free the STACK and not its contents because it is
+ * already present in the X509_NAME structure.
+ */
 
-        M_ASN1_D2I_Init();
-        M_ASN1_D2I_start_sequence();
-        for (;;)
-                {
-                if (M_ASN1_D2I_end_sequence()) break;
-                M_ASN1_D2I_get_set_type(X509_NAME_ENTRY,ret->entries,
-                                        d2i_X509_NAME_ENTRY,
-                                        X509_NAME_ENTRY_free);
-                for (; idx < sk_X509_NAME_ENTRY_num(ret->entries); idx++)
-                        {
-                        sk_X509_NAME_ENTRY_value(ret->entries,idx)->set=set;
-                        }
-                set++;
+static void sk_internal_free(void *a)
+{
+        sk_free(a);
+}
+
+static int x509_name_ex_d2i(ASN1_VALUE **val, unsigned char **in, long len, const ASN1_ITEM *it,
+                                        int tag, int aclass, char opt, ASN1_TLC *ctx)
+{
+        unsigned char *p = *in, *q;
+        STACK *intname = NULL;
+        int i, j, ret;
+        X509_NAME *nm = NULL;
+        STACK_OF(X509_NAME_ENTRY) *entries;
+        X509_NAME_ENTRY *entry;
+        q = p;
+
+        /* Get internal representation of Name */
+        ret = ASN1_item_ex_d2i((ASN1_VALUE **)&intname, &p, len, ASN1_ITEM_rptr(X509_NAME_INTERNAL),
+                                                                tag, aclass, opt, ctx);
+        
+        if(ret <= 0) return ret;
+
+        if(*val) x509_name_ex_free(val, NULL);
+        if(!x509_name_ex_new((ASN1_VALUE **)&nm, NULL)) goto err;
+        /* We've decoded it: now cache encoding */
+        if(!BUF_MEM_grow(nm->bytes, p - q)) goto err;
+        memcpy(nm->bytes->data, q, p - q);
+
+        /* Convert internal representation to X509_NAME structure */
+        for(i = 0; i < sk_num(intname); i++) {
+                entries = (STACK_OF(X509_NAME_ENTRY) *)sk_value(intname, i);
+                for(j = 0; j < sk_X509_NAME_ENTRY_num(entries); j++) {
+                        entry = sk_X509_NAME_ENTRY_value(entries, j);
+                        entry->set = i;
+                        if(!sk_X509_NAME_ENTRY_push(nm->entries, entry))
+                                goto err;
                 }
-
-        i=(int)(c.p-orig);
-        if (!BUF_MEM_grow(ret->bytes,i)) goto err;
-        memcpy(ret->bytes->data,orig,i);
-        ret->bytes->length=i;
-        ret->modified=0;
-
-        M_ASN1_D2I_Finish(a,X509_NAME_free,ASN1_F_D2I_X509_NAME);
+                sk_X509_NAME_ENTRY_free(entries);
         }
-
-X509_NAME *X509_NAME_new(void)
-        {
-        X509_NAME *ret=NULL;
-        ASN1_CTX c;
-
-        M_ASN1_New_Malloc(ret,X509_NAME);
-        if ((ret->entries=sk_X509_NAME_ENTRY_new_null()) == NULL)
-                { c.line=__LINE__; goto err2; }
-        M_ASN1_New(ret->bytes,BUF_MEM_new);
-        ret->modified=1;
-        return(ret);
-        M_ASN1_New_Error(ASN1_F_X509_NAME_NEW);
+        sk_free(intname);
+        nm->modified = 0;
+        *val = (ASN1_VALUE *)nm;
+        *in = p;
+        return ret;
+        err:
+        ASN1err(ASN1_F_D2I_X509_NAME, ERR_R_NESTED_ASN1_ERROR);
+        return 0;
+}
+
+static int x509_name_ex_i2d(ASN1_VALUE **val, unsigned char **out, const ASN1_ITEM *it, int tag, int aclass)
+{
+        int ret;
+        X509_NAME *a = (X509_NAME *)*val;
+        if(a->modified) {
+                ret = x509_name_encode((X509_NAME *)a);
+                if(ret < 0) return ret;
         }
-
-X509_NAME_ENTRY *X509_NAME_ENTRY_new(void)
-        {
-        X509_NAME_ENTRY *ret=NULL;
-        ASN1_CTX c;
-
-        M_ASN1_New_Malloc(ret,X509_NAME_ENTRY);
-/*      M_ASN1_New(ret->object,ASN1_OBJECT_new);*/
-        ret->object=NULL;
-        ret->set=0;
-        M_ASN1_New(ret->value,ASN1_STRING_new);
-        return(ret);
-        M_ASN1_New_Error(ASN1_F_X509_NAME_ENTRY_NEW);
+        ret = a->bytes->length;
+        if(out != NULL) {
+                memcpy(*out,a->bytes->data,ret);
+                *out+=ret;
         }
+        return ret;
+}
 
-void X509_NAME_free(X509_NAME *a)
-        {
-        if(a == NULL)
-            return;
-
-        BUF_MEM_free(a->bytes);
-        sk_X509_NAME_ENTRY_pop_free(a->entries,X509_NAME_ENTRY_free);
-        OPENSSL_free(a);
+static int x509_name_encode(X509_NAME *a)
+{
+        STACK *intname = NULL;
+        int len;
+        unsigned char *p;
+        STACK_OF(X509_NAME_ENTRY) *entries = NULL;
+        X509_NAME_ENTRY *entry;
+        int i, set = -1;
+        intname = sk_new_null();
+        if(!intname) goto memerr;
+        for(i = 0; i < sk_X509_NAME_ENTRY_num(a->entries); i++) {
+                entry = sk_X509_NAME_ENTRY_value(a->entries, i);
+                if(entry->set != set) {
+                        entries = sk_X509_NAME_ENTRY_new_null();
+                        if(!entries) goto memerr;
+                        if(!sk_push(intname, (char *)entries)) goto memerr;
+                        set = entry->set;
+                }
+                if(!sk_X509_NAME_ENTRY_push(entries, entry)) goto memerr;
         }
+        len = ASN1_item_ex_i2d((ASN1_VALUE **)&intname, NULL, ASN1_ITEM_rptr(X509_NAME_INTERNAL), -1, -1);
+        if (!BUF_MEM_grow(a->bytes,len)) goto memerr;
+        p=(unsigned char *)a->bytes->data;
+        ASN1_item_ex_i2d((ASN1_VALUE **)&intname, &p, ASN1_ITEM_rptr(X509_NAME_INTERNAL), -1, -1);
+        sk_pop_free(intname, sk_internal_free);
+        a->modified = 0;
+        return len;
+        memerr:
+        sk_pop_free(intname, sk_internal_free);
+        ASN1err(ASN1_F_D2I_X509_NAME, ERR_R_MALLOC_FAILURE);
+        return -1;
+}
 
-void X509_NAME_ENTRY_free(X509_NAME_ENTRY *a)
-        {
-        if (a == NULL) return;
-        ASN1_OBJECT_free(a->object);
-        M_ASN1_BIT_STRING_free(a->value);
-        OPENSSL_free(a);
-        }
 
 int X509_NAME_set(X509_NAME **xn, X509_NAME *name)
         {
         X509_NAME *in;
 
-        if (*xn == NULL) return(0);
+        if (!xn || !name) return(0);
 
         if (*xn != name)
                 {
diff --git a/src/lib/libcrypto/asn1/x_pubkey.c b/src/lib/libcrypto/asn1/x_pubkey.c
index 4397a404b5..55630294b6 100644
--- a/src/lib/libcrypto/asn1/x_pubkey.c
+++ b/src/lib/libcrypto/asn1/x_pubkey.c
@@ -58,62 +58,25 @@
 
 #include <stdio.h>
 #include "cryptlib.h"
-#include <openssl/asn1_mac.h>
+#include <openssl/asn1t.h>
 #include <openssl/x509.h>
 
-int i2d_X509_PUBKEY(X509_PUBKEY *a, unsigned char **pp)
-        {
-        M_ASN1_I2D_vars(a);
-
-        M_ASN1_I2D_len(a->algor,        i2d_X509_ALGOR);
-        M_ASN1_I2D_len(a->public_key,   i2d_ASN1_BIT_STRING);
-
-        M_ASN1_I2D_seq_total();
-
-        M_ASN1_I2D_put(a->algor,        i2d_X509_ALGOR);
-        M_ASN1_I2D_put(a->public_key,   i2d_ASN1_BIT_STRING);
-
-        M_ASN1_I2D_finish();
-        }
-
-X509_PUBKEY *d2i_X509_PUBKEY(X509_PUBKEY **a, unsigned char **pp,
-             long length)
-        {
-        M_ASN1_D2I_vars(a,X509_PUBKEY *,X509_PUBKEY_new);
-
-        M_ASN1_D2I_Init();
-        M_ASN1_D2I_start_sequence();
-        M_ASN1_D2I_get(ret->algor,d2i_X509_ALGOR);
-        M_ASN1_D2I_get(ret->public_key,d2i_ASN1_BIT_STRING);
-        if (ret->pkey != NULL)
-                {
-                EVP_PKEY_free(ret->pkey);
-                ret->pkey=NULL;
-                }
-        M_ASN1_D2I_Finish(a,X509_PUBKEY_free,ASN1_F_D2I_X509_PUBKEY);
+/* Minor tweak to operation: free up EVP_PKEY */
+static int pubkey_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it)
+{
+        if(operation == ASN1_OP_FREE_POST) {
+                X509_PUBKEY *pubkey = (X509_PUBKEY *)*pval;
+                EVP_PKEY_free(pubkey->pkey);
         }
+        return 1;
+}
 
-X509_PUBKEY *X509_PUBKEY_new(void)
-        {
-        X509_PUBKEY *ret=NULL;
-        ASN1_CTX c;
-
-        M_ASN1_New_Malloc(ret,X509_PUBKEY);
-        M_ASN1_New(ret->algor,X509_ALGOR_new);
-        M_ASN1_New(ret->public_key,M_ASN1_BIT_STRING_new);
-        ret->pkey=NULL;
-        return(ret);
-        M_ASN1_New_Error(ASN1_F_X509_PUBKEY_NEW);
-        }
+ASN1_SEQUENCE_cb(X509_PUBKEY, pubkey_cb) = {
+        ASN1_SIMPLE(X509_PUBKEY, algor, X509_ALGOR),
+        ASN1_SIMPLE(X509_PUBKEY, public_key, ASN1_BIT_STRING)
+} ASN1_SEQUENCE_END_cb(X509_PUBKEY, X509_PUBKEY)
 
-void X509_PUBKEY_free(X509_PUBKEY *a)
-        {
-        if (a == NULL) return;
-        X509_ALGOR_free(a->algor);
-        M_ASN1_BIT_STRING_free(a->public_key);
-        if (a->pkey != NULL) EVP_PKEY_free(a->pkey);
-        OPENSSL_free(a);
-        }
+IMPLEMENT_ASN1_FUNCTIONS(X509_PUBKEY)
 
 int X509_PUBKEY_set(X509_PUBKEY **x, EVP_PKEY *pkey)
         {
@@ -146,7 +109,7 @@ int X509_PUBKEY_set(X509_PUBKEY **x, EVP_PKEY *pkey)
                         }
                 }
         else
-#ifndef NO_DSA
+#ifndef OPENSSL_NO_DSA
                 if (pkey->type == EVP_PKEY_DSA)
                 {
                 unsigned char *pp;
@@ -206,7 +169,8 @@ EVP_PKEY *X509_PUBKEY_get(X509_PUBKEY *key)
         long j;
         int type;
         unsigned char *p;
-#ifndef NO_DSA
+#ifndef OPENSSL_NO_DSA
+        const unsigned char *cp;
         X509_ALGOR *a;
 #endif
 
@@ -230,16 +194,16 @@ EVP_PKEY *X509_PUBKEY_get(X509_PUBKEY *key)
                 }
         ret->save_parameters=0;
 
-#ifndef NO_DSA
+#ifndef OPENSSL_NO_DSA
         a=key->algor;
         if (ret->type == EVP_PKEY_DSA)
                 {
                 if (a->parameter && (a->parameter->type == V_ASN1_SEQUENCE))
                         {
                         ret->pkey.dsa->write_params=0;
-                        p=a->parameter->value.sequence->data;
+                        cp=p=a->parameter->value.sequence->data;
                         j=a->parameter->value.sequence->length;
-                        if (!d2i_DSAparams(&ret->pkey.dsa,&p,(long)j))
+                        if (!d2i_DSAparams(&ret->pkey.dsa,&cp,(long)j))
                                 goto err;
                         }
                 ret->save_parameters=1;
@@ -289,7 +253,7 @@ int i2d_PUBKEY(EVP_PKEY *a, unsigned char **pp)
 /* The following are equivalents but which return RSA and DSA
  * keys
  */
-#ifndef NO_RSA
+#ifndef OPENSSL_NO_RSA
 RSA *d2i_RSA_PUBKEY(RSA **a, unsigned char **pp,
              long length)
 {
@@ -327,7 +291,7 @@ int i2d_RSA_PUBKEY(RSA *a, unsigned char **pp)
 }
 #endif
 
-#ifndef NO_DSA
+#ifndef OPENSSL_NO_DSA
 DSA *d2i_DSA_PUBKEY(DSA **a, unsigned char **pp,
              long length)
 {
diff --git a/src/lib/libcrypto/asn1/x_req.c b/src/lib/libcrypto/asn1/x_req.c
index 6dddd4f653..b3f18ebc12 100644
--- a/src/lib/libcrypto/asn1/x_req.c
+++ b/src/lib/libcrypto/asn1/x_req.c
@@ -58,200 +58,55 @@
 
 #include <stdio.h>
 #include "cryptlib.h"
-#include <openssl/asn1_mac.h>
+#include <openssl/asn1t.h>
 #include <openssl/x509.h>
 
-int i2d_X509_REQ_INFO(X509_REQ_INFO *a, unsigned char **pp)
-        {
-        M_ASN1_I2D_vars(a);
-
-        if(a->asn1) {
-                if(pp) {
-                        memcpy(*pp, a->asn1, a->length);
-                        *pp += a->length;
-                }
-                return a->length;
-        }
-
-        M_ASN1_I2D_len(a->version,              i2d_ASN1_INTEGER);
-        M_ASN1_I2D_len(a->subject,              i2d_X509_NAME);
-        M_ASN1_I2D_len(a->pubkey,               i2d_X509_PUBKEY);
-
-        /* this is a *nasty* hack reported to be required to
-         * allow some CA Software to accept the cert request.
-         * It is not following the PKCS standards ...
-         * PKCS#10 pg 5
-         * attributes [0] IMPLICIT Attributes
-         * NOTE: no OPTIONAL ... so it *must* be there
-         */
-        if (a->req_kludge) 
-                {
-                M_ASN1_I2D_len_IMP_SET_opt_type(X509_ATTRIBUTE,a->attributes,i2d_X509_ATTRIBUTE,0);
-                }
-        else
-                {
-                M_ASN1_I2D_len_IMP_SET_type(X509_ATTRIBUTE,a->attributes,
-                                            i2d_X509_ATTRIBUTE,0);
-                }
-        
-        M_ASN1_I2D_seq_total();
-        M_ASN1_I2D_put(a->version,              i2d_ASN1_INTEGER);
-        M_ASN1_I2D_put(a->subject,              i2d_X509_NAME);
-        M_ASN1_I2D_put(a->pubkey,               i2d_X509_PUBKEY);
+/* X509_REQ_INFO is handled in an unusual way to get round
+ * invalid encodings. Some broken certificate requests don't
+ * encode the attributes field if it is empty. This is in
+ * violation of PKCS#10 but we need to tolerate it. We do
+ * this by making the attributes field OPTIONAL then using
+ * the callback to initialise it to an empty STACK. 
+ *
+ * This means that the field will be correctly encoded unless
+ * we NULL out the field.
+ *
+ * As a result we no longer need the req_kludge field because
+ * the information is now contained in the attributes field:
+ * 1. If it is NULL then it's the invalid omission.
+ * 2. If it is empty it is the correct encoding.
+ * 3. If it is not empty then some attributes are present.
+ *
+ */
 
-        /* this is a *nasty* hack reported to be required by some CA's.
-         * It is not following the PKCS standards ...
-         * PKCS#10 pg 5
-         * attributes [0] IMPLICIT Attributes
-         * NOTE: no OPTIONAL ... so it *must* be there
-         */
-        if (a->req_kludge)
-                {
-                M_ASN1_I2D_put_IMP_SET_opt_type(X509_ATTRIBUTE,a->attributes,
-                                                i2d_X509_ATTRIBUTE,0);
-                }
-        else
-                {
-                M_ASN1_I2D_put_IMP_SET_type(X509_ATTRIBUTE,a->attributes,
-                                            i2d_X509_ATTRIBUTE,0);
-                }
+static int rinf_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it)
+{
+        X509_REQ_INFO *rinf = (X509_REQ_INFO *)*pval;
 
-        M_ASN1_I2D_finish();
+        if(operation == ASN1_OP_NEW_POST) {
+                rinf->attributes = sk_X509_ATTRIBUTE_new_null();
+                if(!rinf->attributes) return 0;
         }
-
-X509_REQ_INFO *d2i_X509_REQ_INFO(X509_REQ_INFO **a, unsigned char **pp,
-             long length)
-        {
-        M_ASN1_D2I_vars(a,X509_REQ_INFO *,X509_REQ_INFO_new);
-
-        M_ASN1_D2I_Init();
-        M_ASN1_D2I_start_sequence();
-        M_ASN1_D2I_get(ret->version,d2i_ASN1_INTEGER);
-        M_ASN1_D2I_get(ret->subject,d2i_X509_NAME);
-        M_ASN1_D2I_get(ret->pubkey,d2i_X509_PUBKEY);
-
-        /* this is a *nasty* hack to allow for some CA's that
-         * have been reported as requiring it.
-         * It is not following the PKCS standards ...
-         * PKCS#10 pg 5
-         * attributes [0] IMPLICIT Attributes
-         * NOTE: no OPTIONAL ... so it *must* be there
+        return 1;
+}
+
+ASN1_SEQUENCE_enc(X509_REQ_INFO, enc, rinf_cb) = {
+        ASN1_SIMPLE(X509_REQ_INFO, version, ASN1_INTEGER),
+        ASN1_SIMPLE(X509_REQ_INFO, subject, X509_NAME),
+        ASN1_SIMPLE(X509_REQ_INFO, pubkey, X509_PUBKEY),
+        /* This isn't really OPTIONAL but it gets round invalid
+         * encodings
          */
-        if (asn1_Finish(&c))
-                ret->req_kludge=1;
-        else
-                {
-                M_ASN1_D2I_get_IMP_set_type(X509_ATTRIBUTE,ret->attributes,
-                                            d2i_X509_ATTRIBUTE,
-                                            X509_ATTRIBUTE_free,0);
-                }
-
-        M_ASN1_D2I_Finish(a,X509_REQ_INFO_free,ASN1_F_D2I_X509_REQ_INFO);
-        }
-
-X509_REQ_INFO *X509_REQ_INFO_new(void)
-        {
-        X509_REQ_INFO *ret=NULL;
-        ASN1_CTX c;
-
-        M_ASN1_New_Malloc(ret,X509_REQ_INFO);
-        M_ASN1_New(ret->version,M_ASN1_INTEGER_new);
-        M_ASN1_New(ret->subject,X509_NAME_new);
-        M_ASN1_New(ret->pubkey,X509_PUBKEY_new);
-        M_ASN1_New(ret->attributes,sk_X509_ATTRIBUTE_new_null);
-        ret->req_kludge=0;
-        ret->asn1 = NULL;
-        return(ret);
-        M_ASN1_New_Error(ASN1_F_X509_REQ_INFO_NEW);
-        }
-        
-void X509_REQ_INFO_free(X509_REQ_INFO *a)
-        {
-        if (a == NULL) return;
-        if(a->asn1) OPENSSL_free(a->asn1);
-        M_ASN1_INTEGER_free(a->version);
-        X509_NAME_free(a->subject);
-        X509_PUBKEY_free(a->pubkey);
-        sk_X509_ATTRIBUTE_pop_free(a->attributes,X509_ATTRIBUTE_free);
-        OPENSSL_free(a);
-        }
+        ASN1_IMP_SET_OF_OPT(X509_REQ_INFO, attributes, X509_ATTRIBUTE, 0)
+} ASN1_SEQUENCE_END_enc(X509_REQ_INFO, X509_REQ_INFO)
 
-int i2d_X509_REQ(X509_REQ *a, unsigned char **pp)
-        {
-        M_ASN1_I2D_vars(a);
-        M_ASN1_I2D_len(a->req_info,     i2d_X509_REQ_INFO);
-        M_ASN1_I2D_len(a->sig_alg,      i2d_X509_ALGOR);
-        M_ASN1_I2D_len(a->signature,    i2d_ASN1_BIT_STRING);
-
-        M_ASN1_I2D_seq_total();
-
-        M_ASN1_I2D_put(a->req_info,     i2d_X509_REQ_INFO);
-        M_ASN1_I2D_put(a->sig_alg,      i2d_X509_ALGOR);
-        M_ASN1_I2D_put(a->signature,    i2d_ASN1_BIT_STRING);
-
-        M_ASN1_I2D_finish();
-        }
-
-X509_REQ *d2i_X509_REQ(X509_REQ **a, unsigned char **pp, long length)
-        {
-        M_ASN1_D2I_vars(a,X509_REQ *,X509_REQ_new);
-
-        M_ASN1_D2I_Init();
-        M_ASN1_D2I_start_sequence();
-        M_ASN1_D2I_get(ret->req_info,d2i_X509_REQ_INFO);
-
-        /* Keep a copy of the original encoding for signature checking */
-        ret->req_info->length = c.p - c.q;
-        if(!(ret->req_info->asn1 = OPENSSL_malloc(ret->req_info->length))) {
-                c.line=__LINE__;
-                c.error = ERR_R_MALLOC_FAILURE;
-                goto err;
-        }
-
-        memcpy(ret->req_info->asn1, c.q, ret->req_info->length);
-
-        M_ASN1_D2I_get(ret->sig_alg,d2i_X509_ALGOR);
-        M_ASN1_D2I_get(ret->signature,d2i_ASN1_BIT_STRING);
-        M_ASN1_D2I_Finish(a,X509_REQ_free,ASN1_F_D2I_X509_REQ);
-        }
-
-X509_REQ *X509_REQ_new(void)
-        {
-        X509_REQ *ret=NULL;
-        ASN1_CTX c;
-
-        M_ASN1_New_Malloc(ret,X509_REQ);
-        ret->references=1;
-        M_ASN1_New(ret->req_info,X509_REQ_INFO_new);
-        M_ASN1_New(ret->sig_alg,X509_ALGOR_new);
-        M_ASN1_New(ret->signature,M_ASN1_BIT_STRING_new);
-        return(ret);
-        M_ASN1_New_Error(ASN1_F_X509_REQ_NEW);
-        }
-
-void X509_REQ_free(X509_REQ *a)
-        {
-        int i;
-
-        if (a == NULL) return;
-
-        i=CRYPTO_add(&a->references,-1,CRYPTO_LOCK_X509_REQ);
-#ifdef REF_PRINT
-        REF_PRINT("X509_REQ",a);
-#endif
-        if (i > 0) return;
-#ifdef REF_CHECK
-        if (i < 0)
-                {
-                fprintf(stderr,"X509_REQ_free, bad reference count\n");
-                abort();
-                }
-#endif
-
-        X509_REQ_INFO_free(a->req_info);
-        X509_ALGOR_free(a->sig_alg);
-        M_ASN1_BIT_STRING_free(a->signature);
-        OPENSSL_free(a);
-        }
+IMPLEMENT_ASN1_FUNCTIONS(X509_REQ_INFO)
 
+ASN1_SEQUENCE_ref(X509_REQ, 0, CRYPTO_LOCK_X509_INFO) = {
+        ASN1_SIMPLE(X509_REQ, req_info, X509_REQ_INFO),
+        ASN1_SIMPLE(X509_REQ, sig_alg, X509_ALGOR),
+        ASN1_SIMPLE(X509_REQ, signature, ASN1_BIT_STRING)
+} ASN1_SEQUENCE_END_ref(X509_REQ, X509_REQ)
 
+IMPLEMENT_ASN1_FUNCTIONS(X509_REQ)
+IMPLEMENT_ASN1_DUP_FUNCTION(X509_REQ)
diff --git a/src/lib/libcrypto/asn1/x_sig.c b/src/lib/libcrypto/asn1/x_sig.c
index d79f147647..42efa86c1c 100644
--- a/src/lib/libcrypto/asn1/x_sig.c
+++ b/src/lib/libcrypto/asn1/x_sig.c
@@ -58,53 +58,12 @@
 
 #include <stdio.h>
 #include "cryptlib.h"
-#include <openssl/asn1_mac.h>
+#include <openssl/asn1t.h>
 #include <openssl/x509.h>
 
-int i2d_X509_SIG(X509_SIG *a, unsigned char **pp)
-        {
-        M_ASN1_I2D_vars(a);
-
-        M_ASN1_I2D_len(a->algor,        i2d_X509_ALGOR);
-        M_ASN1_I2D_len(a->digest,       i2d_ASN1_OCTET_STRING);
-
-        M_ASN1_I2D_seq_total();
-
-        M_ASN1_I2D_put(a->algor,        i2d_X509_ALGOR);
-        M_ASN1_I2D_put(a->digest,       i2d_ASN1_OCTET_STRING);
-
-        M_ASN1_I2D_finish();
-        }
-
-X509_SIG *d2i_X509_SIG(X509_SIG **a, unsigned char **pp, long length)
-        {
-        M_ASN1_D2I_vars(a,X509_SIG *,X509_SIG_new);
-
-        M_ASN1_D2I_Init();
-        M_ASN1_D2I_start_sequence();
-        M_ASN1_D2I_get(ret->algor,d2i_X509_ALGOR);
-        M_ASN1_D2I_get(ret->digest,d2i_ASN1_OCTET_STRING);
-        M_ASN1_D2I_Finish(a,X509_SIG_free,ASN1_F_D2I_X509_SIG);
-        }
-
-X509_SIG *X509_SIG_new(void)
-        {
-        X509_SIG *ret=NULL;
-        ASN1_CTX c;
-
-        M_ASN1_New_Malloc(ret,X509_SIG);
-        M_ASN1_New(ret->algor,X509_ALGOR_new);
-        M_ASN1_New(ret->digest,M_ASN1_OCTET_STRING_new);
-        return(ret);
-        M_ASN1_New_Error(ASN1_F_X509_SIG_NEW);
-        }
-
-void X509_SIG_free(X509_SIG *a)
-        {
-        if (a == NULL) return;
-        X509_ALGOR_free(a->algor);
-        M_ASN1_OCTET_STRING_free(a->digest);
-        OPENSSL_free(a);
-        }
-
+ASN1_SEQUENCE(X509_SIG) = {
+        ASN1_SIMPLE(X509_SIG, algor, X509_ALGOR),
+        ASN1_SIMPLE(X509_SIG, digest, ASN1_OCTET_STRING)
+} ASN1_SEQUENCE_END(X509_SIG)
 
+IMPLEMENT_ASN1_FUNCTIONS(X509_SIG)
diff --git a/src/lib/libcrypto/asn1/x_spki.c b/src/lib/libcrypto/asn1/x_spki.c
index 4f01888f7d..2aece077c5 100644
--- a/src/lib/libcrypto/asn1/x_spki.c
+++ b/src/lib/libcrypto/asn1/x_spki.c
@@ -63,104 +63,19 @@
 #include <stdio.h>
 #include "cryptlib.h"
 #include <openssl/x509.h>
-#include <openssl/asn1_mac.h>
+#include <openssl/asn1t.h>
 
-int i2d_NETSCAPE_SPKAC(NETSCAPE_SPKAC *a, unsigned char **pp)
-        {
-        M_ASN1_I2D_vars(a);
+ASN1_SEQUENCE(NETSCAPE_SPKAC) = {
+        ASN1_SIMPLE(NETSCAPE_SPKAC, pubkey, X509_PUBKEY),
+        ASN1_SIMPLE(NETSCAPE_SPKAC, challenge, ASN1_IA5STRING)
+} ASN1_SEQUENCE_END(NETSCAPE_SPKAC)
 
-        M_ASN1_I2D_len(a->pubkey,       i2d_X509_PUBKEY);
-        M_ASN1_I2D_len(a->challenge,    i2d_ASN1_IA5STRING);
+IMPLEMENT_ASN1_FUNCTIONS(NETSCAPE_SPKAC)
 
-        M_ASN1_I2D_seq_total();
-
-        M_ASN1_I2D_put(a->pubkey,       i2d_X509_PUBKEY);
-        M_ASN1_I2D_put(a->challenge,    i2d_ASN1_IA5STRING);
-
-        M_ASN1_I2D_finish();
-        }
-
-NETSCAPE_SPKAC *d2i_NETSCAPE_SPKAC(NETSCAPE_SPKAC **a, unsigned char **pp,
-             long length)
-        {
-        M_ASN1_D2I_vars(a,NETSCAPE_SPKAC *,NETSCAPE_SPKAC_new);
-
-        M_ASN1_D2I_Init();
-        M_ASN1_D2I_start_sequence();
-        M_ASN1_D2I_get(ret->pubkey,d2i_X509_PUBKEY);
-        M_ASN1_D2I_get(ret->challenge,d2i_ASN1_IA5STRING);
-        M_ASN1_D2I_Finish(a,NETSCAPE_SPKAC_free,ASN1_F_D2I_NETSCAPE_SPKAC);
-        }
-
-NETSCAPE_SPKAC *NETSCAPE_SPKAC_new(void)
-        {
-        NETSCAPE_SPKAC *ret=NULL;
-        ASN1_CTX c;
-
-        M_ASN1_New_Malloc(ret,NETSCAPE_SPKAC);
-        M_ASN1_New(ret->pubkey,X509_PUBKEY_new);
-        M_ASN1_New(ret->challenge,M_ASN1_IA5STRING_new);
-        return(ret);
-        M_ASN1_New_Error(ASN1_F_NETSCAPE_SPKAC_NEW);
-        }
-
-void NETSCAPE_SPKAC_free(NETSCAPE_SPKAC *a)
-        {
-        if (a == NULL) return;
-        X509_PUBKEY_free(a->pubkey);
-        M_ASN1_IA5STRING_free(a->challenge);
-        OPENSSL_free(a);
-        }
-
-int i2d_NETSCAPE_SPKI(NETSCAPE_SPKI *a, unsigned char **pp)
-        {
-        M_ASN1_I2D_vars(a);
-
-        M_ASN1_I2D_len(a->spkac,        i2d_NETSCAPE_SPKAC);
-        M_ASN1_I2D_len(a->sig_algor,    i2d_X509_ALGOR);
-        M_ASN1_I2D_len(a->signature,    i2d_ASN1_BIT_STRING);
-
-        M_ASN1_I2D_seq_total();
-
-        M_ASN1_I2D_put(a->spkac,        i2d_NETSCAPE_SPKAC);
-        M_ASN1_I2D_put(a->sig_algor,    i2d_X509_ALGOR);
-        M_ASN1_I2D_put(a->signature,    i2d_ASN1_BIT_STRING);
-
-        M_ASN1_I2D_finish();
-        }
-
-NETSCAPE_SPKI *d2i_NETSCAPE_SPKI(NETSCAPE_SPKI **a, unsigned char **pp,
-             long length)
-        {
-        M_ASN1_D2I_vars(a,NETSCAPE_SPKI *,NETSCAPE_SPKI_new);
-
-        M_ASN1_D2I_Init();
-        M_ASN1_D2I_start_sequence();
-        M_ASN1_D2I_get(ret->spkac,d2i_NETSCAPE_SPKAC);
-        M_ASN1_D2I_get(ret->sig_algor,d2i_X509_ALGOR);
-        M_ASN1_D2I_get(ret->signature,d2i_ASN1_BIT_STRING);
-        M_ASN1_D2I_Finish(a,NETSCAPE_SPKI_free,ASN1_F_D2I_NETSCAPE_SPKI);
-        }
-
-NETSCAPE_SPKI *NETSCAPE_SPKI_new(void)
-        {
-        NETSCAPE_SPKI *ret=NULL;
-        ASN1_CTX c;
-
-        M_ASN1_New_Malloc(ret,NETSCAPE_SPKI);
-        M_ASN1_New(ret->spkac,NETSCAPE_SPKAC_new);
-        M_ASN1_New(ret->sig_algor,X509_ALGOR_new);
-        M_ASN1_New(ret->signature,M_ASN1_BIT_STRING_new);
-        return(ret);
-        M_ASN1_New_Error(ASN1_F_NETSCAPE_SPKI_NEW);
-        }
-
-void NETSCAPE_SPKI_free(NETSCAPE_SPKI *a)
-        {
-        if (a == NULL) return;
-        NETSCAPE_SPKAC_free(a->spkac);
-        X509_ALGOR_free(a->sig_algor);
-        M_ASN1_BIT_STRING_free(a->signature);
-        OPENSSL_free(a);
-        }
+ASN1_SEQUENCE(NETSCAPE_SPKI) = {
+        ASN1_SIMPLE(NETSCAPE_SPKI, spkac, NETSCAPE_SPKAC),
+        ASN1_SIMPLE(NETSCAPE_SPKI, sig_algor, X509_ALGOR),
+        ASN1_SIMPLE(NETSCAPE_SPKI, signature, ASN1_BIT_STRING)
+} ASN1_SEQUENCE_END(NETSCAPE_SPKI)
 
+IMPLEMENT_ASN1_FUNCTIONS(NETSCAPE_SPKI)
diff --git a/src/lib/libcrypto/asn1/x_val.c b/src/lib/libcrypto/asn1/x_val.c
index 0f8f020b57..dc17c67758 100644
--- a/src/lib/libcrypto/asn1/x_val.c
+++ b/src/lib/libcrypto/asn1/x_val.c
@@ -58,52 +58,12 @@
 
 #include <stdio.h>
 #include "cryptlib.h"
-#include <openssl/asn1_mac.h>
+#include <openssl/asn1t.h>
 #include <openssl/x509.h>
 
-int i2d_X509_VAL(X509_VAL *a, unsigned char **pp)
-        {
-        M_ASN1_I2D_vars(a);
-
-        M_ASN1_I2D_len(a->notBefore,i2d_ASN1_TIME);
-        M_ASN1_I2D_len(a->notAfter,i2d_ASN1_TIME);
-
-        M_ASN1_I2D_seq_total();
-
-        M_ASN1_I2D_put(a->notBefore,i2d_ASN1_TIME);
-        M_ASN1_I2D_put(a->notAfter,i2d_ASN1_TIME);
-
-        M_ASN1_I2D_finish();
-        }
-
-X509_VAL *d2i_X509_VAL(X509_VAL **a, unsigned char **pp, long length)
-        {
-        M_ASN1_D2I_vars(a,X509_VAL *,X509_VAL_new);
-
-        M_ASN1_D2I_Init();
-        M_ASN1_D2I_start_sequence();
-        M_ASN1_D2I_get(ret->notBefore,d2i_ASN1_TIME);
-        M_ASN1_D2I_get(ret->notAfter,d2i_ASN1_TIME);
-        M_ASN1_D2I_Finish(a,X509_VAL_free,ASN1_F_D2I_X509_VAL);
-        }
-
-X509_VAL *X509_VAL_new(void)
-        {
-        X509_VAL *ret=NULL;
-        ASN1_CTX c;
-
-        M_ASN1_New_Malloc(ret,X509_VAL);
-        M_ASN1_New(ret->notBefore,M_ASN1_TIME_new);
-        M_ASN1_New(ret->notAfter,M_ASN1_TIME_new);
-        return(ret);
-        M_ASN1_New_Error(ASN1_F_X509_VAL_NEW);
-        }
-
-void X509_VAL_free(X509_VAL *a)
-        {
-        if (a == NULL) return;
-        M_ASN1_TIME_free(a->notBefore);
-        M_ASN1_TIME_free(a->notAfter);
-        OPENSSL_free(a);
-        }
+ASN1_SEQUENCE(X509_VAL) = {
+        ASN1_SIMPLE(X509_VAL, notBefore, ASN1_TIME),
+        ASN1_SIMPLE(X509_VAL, notAfter, ASN1_TIME)
+} ASN1_SEQUENCE_END(X509_VAL)
 
+IMPLEMENT_ASN1_FUNCTIONS(X509_VAL)
diff --git a/src/lib/libcrypto/asn1/x_x509.c b/src/lib/libcrypto/asn1/x_x509.c
index 61ba856b17..b50167ce43 100644
--- a/src/lib/libcrypto/asn1/x_x509.c
+++ b/src/lib/libcrypto/asn1/x_x509.c
@@ -59,12 +59,71 @@
 #include <stdio.h>
 #include "cryptlib.h"
 #include <openssl/evp.h>
-#include <openssl/asn1_mac.h>
+#include <openssl/asn1t.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
 
-static int x509_meth_num = 0;
-static STACK_OF(CRYPTO_EX_DATA_FUNCS) *x509_meth = NULL;
+ASN1_SEQUENCE(X509_CINF) = {
+        ASN1_EXP_OPT(X509_CINF, version, ASN1_INTEGER, 0),
+        ASN1_SIMPLE(X509_CINF, serialNumber, ASN1_INTEGER),
+        ASN1_SIMPLE(X509_CINF, signature, X509_ALGOR),
+        ASN1_SIMPLE(X509_CINF, issuer, X509_NAME),
+        ASN1_SIMPLE(X509_CINF, validity, X509_VAL),
+        ASN1_SIMPLE(X509_CINF, subject, X509_NAME),
+        ASN1_SIMPLE(X509_CINF, key, X509_PUBKEY),
+        ASN1_IMP_OPT(X509_CINF, issuerUID, ASN1_BIT_STRING, 1),
+        ASN1_IMP_OPT(X509_CINF, subjectUID, ASN1_BIT_STRING, 2),
+        ASN1_EXP_SEQUENCE_OF_OPT(X509_CINF, extensions, X509_EXTENSION, 3)
+} ASN1_SEQUENCE_END(X509_CINF)
+
+IMPLEMENT_ASN1_FUNCTIONS(X509_CINF)
+/* X509 top level structure needs a bit of customisation */
+
+static int x509_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it)
+{
+        X509 *ret = (X509 *)*pval;
+
+        switch(operation) {
+
+                case ASN1_OP_NEW_POST:
+                ret->valid=0;
+                ret->name = NULL;
+                ret->ex_flags = 0;
+                ret->ex_pathlen = -1;
+                ret->skid = NULL;
+                ret->akid = NULL;
+                ret->aux = NULL;
+                CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509, ret, &ret->ex_data);
+                break;
+
+                case ASN1_OP_D2I_POST:
+                if (ret->name != NULL) OPENSSL_free(ret->name);
+                ret->name=X509_NAME_oneline(ret->cert_info->subject,NULL,0);
+                break;
+
+                case ASN1_OP_FREE_POST:
+                CRYPTO_free_ex_data(CRYPTO_EX_INDEX_X509, ret, &ret->ex_data);
+                X509_CERT_AUX_free(ret->aux);
+                ASN1_OCTET_STRING_free(ret->skid);
+                AUTHORITY_KEYID_free(ret->akid);
+
+                if (ret->name != NULL) OPENSSL_free(ret->name);
+                break;
+
+        }
+
+        return 1;
+
+}
+
+ASN1_SEQUENCE_ref(X509, x509_cb, CRYPTO_LOCK_X509) = {
+        ASN1_SIMPLE(X509, cert_info, X509_CINF),
+        ASN1_SIMPLE(X509, sig_alg, X509_ALGOR),
+        ASN1_SIMPLE(X509, signature, ASN1_BIT_STRING)
+} ASN1_SEQUENCE_END_ref(X509, X509)
+
+IMPLEMENT_ASN1_FUNCTIONS(X509)
+IMPLEMENT_ASN1_DUP_FUNCTION(X509)
 
 static ASN1_METHOD meth={
         (int (*)())  i2d_X509,
@@ -77,97 +136,11 @@ ASN1_METHOD *X509_asn1_meth(void)
         return(&meth);
         }
 
-int i2d_X509(X509 *a, unsigned char **pp)
-        {
-        M_ASN1_I2D_vars(a);
-
-        M_ASN1_I2D_len(a->cert_info,    i2d_X509_CINF);
-        M_ASN1_I2D_len(a->sig_alg,      i2d_X509_ALGOR);
-        M_ASN1_I2D_len(a->signature,    i2d_ASN1_BIT_STRING);
-
-        M_ASN1_I2D_seq_total();
-
-        M_ASN1_I2D_put(a->cert_info,    i2d_X509_CINF);
-        M_ASN1_I2D_put(a->sig_alg,      i2d_X509_ALGOR);
-        M_ASN1_I2D_put(a->signature,    i2d_ASN1_BIT_STRING);
-
-        M_ASN1_I2D_finish();
-        }
-
-X509 *d2i_X509(X509 **a, unsigned char **pp, long length)
-        {
-        M_ASN1_D2I_vars(a,X509 *,X509_new);
-
-        M_ASN1_D2I_Init();
-        M_ASN1_D2I_start_sequence();
-        M_ASN1_D2I_get(ret->cert_info,d2i_X509_CINF);
-        M_ASN1_D2I_get(ret->sig_alg,d2i_X509_ALGOR);
-        M_ASN1_D2I_get(ret->signature,d2i_ASN1_BIT_STRING);
-        if (ret->name != NULL) OPENSSL_free(ret->name);
-        ret->name=X509_NAME_oneline(ret->cert_info->subject,NULL,0);
-
-        M_ASN1_D2I_Finish(a,X509_free,ASN1_F_D2I_X509);
-        }
-
-X509 *X509_new(void)
-        {
-        X509 *ret=NULL;
-        ASN1_CTX c;
-
-        M_ASN1_New_Malloc(ret,X509);
-        ret->valid=0;
-        ret->references=1;
-        ret->name = NULL;
-        ret->ex_flags = 0;
-        ret->ex_pathlen = -1;
-        ret->skid = NULL;
-        ret->akid = NULL;
-        ret->aux = NULL;
-        M_ASN1_New(ret->cert_info,X509_CINF_new);
-        M_ASN1_New(ret->sig_alg,X509_ALGOR_new);
-        M_ASN1_New(ret->signature,M_ASN1_BIT_STRING_new);
-        CRYPTO_new_ex_data(x509_meth, ret, &ret->ex_data);
-        return(ret);
-        M_ASN1_New_Error(ASN1_F_X509_NEW);
-        }
-
-void X509_free(X509 *a)
-        {
-        int i;
-
-        if (a == NULL) return;
-
-        i=CRYPTO_add(&a->references,-1,CRYPTO_LOCK_X509);
-#ifdef REF_PRINT
-        REF_PRINT("X509",a);
-#endif
-        if (i > 0) return;
-#ifdef REF_CHECK
-        if (i < 0)
-                {
-                fprintf(stderr,"X509_free, bad reference count\n");
-                abort();
-                }
-#endif
-
-        CRYPTO_free_ex_data(x509_meth,a,&a->ex_data);
-        X509_CINF_free(a->cert_info);
-        X509_ALGOR_free(a->sig_alg);
-        M_ASN1_BIT_STRING_free(a->signature);
-        X509_CERT_AUX_free(a->aux);
-        ASN1_OCTET_STRING_free(a->skid);
-        AUTHORITY_KEYID_free(a->akid);
-
-        if (a->name != NULL) OPENSSL_free(a->name);
-        OPENSSL_free(a);
-        }
-
 int X509_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
              CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func)
         {
-        x509_meth_num++;
-        return(CRYPTO_get_ex_new_index(x509_meth_num-1,
-                &x509_meth,argl,argp,new_func,dup_func,free_func));
+        return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_X509, argl, argp,
+                                new_func, dup_func, free_func);
         }
 
 int X509_set_ex_data(X509 *r, int idx, void *arg)
diff --git a/src/lib/libcrypto/asn1/x_x509a.c b/src/lib/libcrypto/asn1/x_x509a.c
index ebcce87bf2..f244768b7e 100644
--- a/src/lib/libcrypto/asn1/x_x509a.c
+++ b/src/lib/libcrypto/asn1/x_x509a.c
@@ -59,7 +59,7 @@
 #include <stdio.h>
 #include "cryptlib.h"
 #include <openssl/evp.h>
-#include <openssl/asn1_mac.h>
+#include <openssl/asn1t.h>
 #include <openssl/x509.h>
 
 /* X509_CERT_AUX routines. These are used to encode additional
@@ -71,72 +71,15 @@
 
 static X509_CERT_AUX *aux_get(X509 *x);
 
-X509_CERT_AUX *d2i_X509_CERT_AUX(X509_CERT_AUX **a, unsigned char **pp, long length)
-{
-        M_ASN1_D2I_vars(a, X509_CERT_AUX *, X509_CERT_AUX_new);
-        
-        M_ASN1_D2I_Init();
-        M_ASN1_D2I_start_sequence();
-
-        M_ASN1_D2I_get_seq_opt_type(ASN1_OBJECT, ret->trust,
-                                        d2i_ASN1_OBJECT, ASN1_OBJECT_free);
-        M_ASN1_D2I_get_IMP_set_opt_type(ASN1_OBJECT, ret->reject,
-                                        d2i_ASN1_OBJECT, ASN1_OBJECT_free, 0);
-        M_ASN1_D2I_get_opt(ret->alias, d2i_ASN1_UTF8STRING, V_ASN1_UTF8STRING);
-        M_ASN1_D2I_get_opt(ret->keyid, d2i_ASN1_OCTET_STRING, V_ASN1_OCTET_STRING);
-        M_ASN1_D2I_get_IMP_set_opt_type(X509_ALGOR, ret->other,
-                                        d2i_X509_ALGOR, X509_ALGOR_free, 1);
-
-        M_ASN1_D2I_Finish(a, X509_CERT_AUX_free, ASN1_F_D2I_X509_CERT_AUX);
-}
-
-X509_CERT_AUX *X509_CERT_AUX_new()
-{
-        X509_CERT_AUX *ret = NULL;
-        ASN1_CTX c;
-        M_ASN1_New_Malloc(ret, X509_CERT_AUX);
-        ret->trust = NULL;
-        ret->reject = NULL;
-        ret->alias = NULL;
-        ret->keyid = NULL;
-        ret->other = NULL;
-        return(ret);
-        M_ASN1_New_Error(ASN1_F_X509_CERT_AUX_NEW);
-}
-
-void X509_CERT_AUX_free(X509_CERT_AUX *a)
-{
-        if(a == NULL) return;
-        sk_ASN1_OBJECT_pop_free(a->trust, ASN1_OBJECT_free);
-        sk_ASN1_OBJECT_pop_free(a->reject, ASN1_OBJECT_free);
-        ASN1_UTF8STRING_free(a->alias);
-        ASN1_OCTET_STRING_free(a->keyid);
-        sk_X509_ALGOR_pop_free(a->other, X509_ALGOR_free);
-        OPENSSL_free(a);
-}
-
-int i2d_X509_CERT_AUX(X509_CERT_AUX *a, unsigned char **pp)
-{
-        M_ASN1_I2D_vars(a);
-
-        M_ASN1_I2D_len_SEQUENCE_opt_type(ASN1_OBJECT, a->trust, i2d_ASN1_OBJECT);
-        M_ASN1_I2D_len_IMP_SEQUENCE_opt_type(ASN1_OBJECT, a->reject, i2d_ASN1_OBJECT, 0);
-
-        M_ASN1_I2D_len(a->alias, i2d_ASN1_UTF8STRING);
-        M_ASN1_I2D_len(a->keyid, i2d_ASN1_OCTET_STRING);
-        M_ASN1_I2D_len_IMP_SEQUENCE_opt_type(X509_ALGOR, a->other, i2d_X509_ALGOR, 1);
+ASN1_SEQUENCE(X509_CERT_AUX) = {
+        ASN1_SEQUENCE_OF_OPT(X509_CERT_AUX, trust, ASN1_OBJECT),
+        ASN1_IMP_SEQUENCE_OF_OPT(X509_CERT_AUX, reject, ASN1_OBJECT, 0),
+        ASN1_OPT(X509_CERT_AUX, alias, ASN1_UTF8STRING),
+        ASN1_OPT(X509_CERT_AUX, keyid, ASN1_OCTET_STRING),
+        ASN1_IMP_SEQUENCE_OF_OPT(X509_CERT_AUX, other, X509_ALGOR, 1)
+} ASN1_SEQUENCE_END(X509_CERT_AUX)
 
-        M_ASN1_I2D_seq_total();
-
-        M_ASN1_I2D_put_SEQUENCE_opt_type(ASN1_OBJECT, a->trust, i2d_ASN1_OBJECT);
-        M_ASN1_I2D_put_IMP_SEQUENCE_opt_type(ASN1_OBJECT, a->reject, i2d_ASN1_OBJECT, 0);
-
-        M_ASN1_I2D_put(a->alias, i2d_ASN1_UTF8STRING);
-        M_ASN1_I2D_put(a->keyid, i2d_ASN1_OCTET_STRING);
-        M_ASN1_I2D_put_IMP_SEQUENCE_opt_type(X509_ALGOR, a->other, i2d_X509_ALGOR, 1);
-
-        M_ASN1_I2D_finish();
-}
+IMPLEMENT_ASN1_FUNCTIONS(X509_CERT_AUX)
 
 static X509_CERT_AUX *aux_get(X509 *x)
 {
diff --git a/src/lib/libcrypto/bf/Makefile.ssl b/src/lib/libcrypto/bf/Makefile.ssl
index 9205ee7901..b045f54686 100644
--- a/src/lib/libcrypto/bf/Makefile.ssl
+++ b/src/lib/libcrypto/bf/Makefile.ssl
@@ -12,7 +12,8 @@ INSTALL_PREFIX=
 OPENSSLDIR=     /usr/local/ssl
 INSTALLTOP=/usr/local/ssl
 MAKE=           make -f Makefile.ssl
-MAKEDEPEND=     $(TOP)/util/domd $(TOP)
+MAKEDEPPROG=    makedepend
+MAKEDEPEND=     $(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)
 MAKEFILE=       Makefile.ssl
 AR=             ar r
 
@@ -44,8 +45,7 @@ all:	lib
 
 lib:    $(LIBOBJ)
         $(AR) $(LIB) $(LIBOBJ)
-        @echo You may get an error following this line.  Please ignore.
-        - $(RANLIB) $(LIB)
+        $(RANLIB) $(LIB) || echo Never mind.
         @touch lib
 
 # elf
@@ -107,13 +107,14 @@ clean:
 
 # DO NOT DELETE THIS LINE -- make depend depends on it.
 
-bf_cfb64.o: ../../include/openssl/blowfish.h
-bf_cfb64.o: ../../include/openssl/opensslconf.h bf_locl.h
-bf_ecb.o: ../../include/openssl/blowfish.h ../../include/openssl/opensslconf.h
-bf_ecb.o: ../../include/openssl/opensslv.h bf_locl.h
-bf_enc.o: ../../include/openssl/blowfish.h ../../include/openssl/opensslconf.h
-bf_enc.o: bf_locl.h
-bf_ofb64.o: ../../include/openssl/blowfish.h
-bf_ofb64.o: ../../include/openssl/opensslconf.h bf_locl.h
-bf_skey.o: ../../include/openssl/blowfish.h ../../include/openssl/opensslconf.h
-bf_skey.o: bf_locl.h bf_pi.h
+bf_cfb64.o: ../../include/openssl/blowfish.h ../../include/openssl/e_os2.h
+bf_cfb64.o: ../../include/openssl/opensslconf.h bf_cfb64.c bf_locl.h
+bf_ecb.o: ../../include/openssl/blowfish.h ../../include/openssl/e_os2.h
+bf_ecb.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+bf_ecb.o: bf_ecb.c bf_locl.h
+bf_enc.o: ../../include/openssl/blowfish.h ../../include/openssl/e_os2.h
+bf_enc.o: ../../include/openssl/opensslconf.h bf_enc.c bf_locl.h
+bf_ofb64.o: ../../include/openssl/blowfish.h ../../include/openssl/e_os2.h
+bf_ofb64.o: ../../include/openssl/opensslconf.h bf_locl.h bf_ofb64.c
+bf_skey.o: ../../include/openssl/blowfish.h ../../include/openssl/e_os2.h
+bf_skey.o: ../../include/openssl/opensslconf.h bf_locl.h bf_pi.h bf_skey.c
diff --git a/src/lib/libcrypto/bf/bf_opts.c b/src/lib/libcrypto/bf/bf_opts.c
index bbe32b28c9..171dada2ca 100644
--- a/src/lib/libcrypto/bf/bf_opts.c
+++ b/src/lib/libcrypto/bf/bf_opts.c
@@ -59,7 +59,7 @@
 /* define PART1, PART2, PART3 or PART4 to build only with a few of the options.
  * This is for machines with 64k code segment size restrictions. */
 
-#if !defined(MSDOS) && (!defined(VMS) || defined(__DECC))
+#if !defined(OPENSSL_SYS_MSDOS) && (!defined(OPENSSL_SYS_VMS) || defined(__DECC)) && !defined(OPENSSL_SYS_MACOSX)
 #define TIMES
 #endif
 
@@ -82,7 +82,7 @@ OPENSSL_DECLARE_EXIT
    The __TMS macro will show if it was.  If it wasn't defined, we should
    undefine TIMES, since that tells the rest of the program how things
    should be handled.                           -- Richard Levitte */
-#if defined(VMS) && defined(__DECC) && !defined(__TMS)
+#if defined(OPENSSL_SYS_VMS_DECC) && !defined(__TMS)
 #undef TIMES
 #endif
 
@@ -322,7 +322,7 @@ int main(int argc, char **argv)
                 break;
                 }
         exit(0);
-#if defined(LINT) || defined(MSDOS)
+#if defined(LINT) || defined(OPENSSL_SYS_MSDOS)
         return(0);
 #endif
         }
diff --git a/src/lib/libcrypto/bf/bf_skey.c b/src/lib/libcrypto/bf/bf_skey.c
index 4d6a232fe0..3673cdee6e 100644
--- a/src/lib/libcrypto/bf/bf_skey.c
+++ b/src/lib/libcrypto/bf/bf_skey.c
@@ -69,7 +69,7 @@ void BF_set_key(BF_KEY *key, int len, const unsigned char *data)
         const unsigned char *d,*end;
 
 
-        memcpy((char *)key,(char *)&bf_init,sizeof(BF_KEY));
+        memcpy(key,&bf_init,sizeof(BF_KEY));
         p=key->P;
 
         if (len > ((BF_ROUNDS+2)*4)) len=(BF_ROUNDS+2)*4;
diff --git a/src/lib/libcrypto/bf/bfspeed.c b/src/lib/libcrypto/bf/bfspeed.c
index ecc9dff4e4..f346af64f3 100644
--- a/src/lib/libcrypto/bf/bfspeed.c
+++ b/src/lib/libcrypto/bf/bfspeed.c
@@ -59,7 +59,7 @@
 /* 11-Sep-92 Andrew Daviel   Support for Silicon Graphics IRIX added */
 /* 06-Apr-92 Luke Brennan    Support for VMS and add extra signal calls */
 
-#if !defined(MSDOS) && (!defined(VMS) || defined(__DECC))
+#if !defined(OPENSSL_SYS_MSDOS) && (!defined(OPENSSL_SYS_VMS) || defined(__DECC)) && !defined(OPENSSL_SYS_MACOSX)
 #define TIMES
 #endif
 
@@ -82,7 +82,7 @@ OPENSSL_DECLARE_EXIT
    The __TMS macro will show if it was.  If it wasn't defined, we should
    undefine TIMES, since that tells the rest of the program how things
    should be handled.                           -- Richard Levitte */
-#if defined(VMS) && defined(__DECC) && !defined(__TMS)
+#if defined(OPENSSL_SYS_VMS_DECC) && !defined(__TMS)
 #undef TIMES
 #endif
 
@@ -268,7 +268,7 @@ int main(int argc, char **argv)
         printf("Blowfish raw ecb bytes per sec = %12.3f (%9.3fuS)\n",b,8.0e6/b);
         printf("Blowfish cbc     bytes per sec = %12.3f (%9.3fuS)\n",c,8.0e6/c);
         exit(0);
-#if defined(LINT) || defined(MSDOS)
+#if defined(LINT) || defined(OPENSSL_SYS_MSDOS)
         return(0);
 #endif
         }
diff --git a/src/lib/libcrypto/bf/bftest.c b/src/lib/libcrypto/bf/bftest.c
index cf67cadefd..09895f2542 100644
--- a/src/lib/libcrypto/bf/bftest.c
+++ b/src/lib/libcrypto/bf/bftest.c
@@ -63,7 +63,7 @@
 #include <string.h>
 #include <stdlib.h>
 
-#ifdef NO_BF
+#ifdef OPENSSL_NO_BF
 int main(int argc, char *argv[])
 {
     printf("No BF support\n");
diff --git a/src/lib/libcrypto/bf/blowfish.h b/src/lib/libcrypto/bf/blowfish.h
index 78acfd63b4..cd49e85ab2 100644
--- a/src/lib/libcrypto/bf/blowfish.h
+++ b/src/lib/libcrypto/bf/blowfish.h
@@ -59,11 +59,13 @@
 #ifndef HEADER_BLOWFISH_H
 #define HEADER_BLOWFISH_H
 
+#include <openssl/e_os2.h>
+
 #ifdef  __cplusplus
 extern "C" {
 #endif
 
-#ifdef NO_BF
+#ifdef OPENSSL_NO_BF
 #error BF is disabled.
 #endif
 
@@ -77,9 +79,9 @@ extern "C" {
  * !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
  */
 
-#if defined(WIN16) || defined(__LP32__)
+#if defined(OPENSSL_SYS_WIN16) || defined(__LP32__)
 #define BF_LONG unsigned long
-#elif defined(_CRAY) || defined(__ILP64__)
+#elif defined(OPENSSL_SYS_CRAY) || defined(__ILP64__)
 #define BF_LONG unsigned long
 #define BF_LONG_LOG2 3
 /*
diff --git a/src/lib/libcrypto/bio/Makefile.ssl b/src/lib/libcrypto/bio/Makefile.ssl
index 567d3fb870..de5631a105 100644
--- a/src/lib/libcrypto/bio/Makefile.ssl
+++ b/src/lib/libcrypto/bio/Makefile.ssl
@@ -5,13 +5,14 @@
 DIR=    bio
 TOP=    ../..
 CC=     cc
-INCLUDES= -I.. -I../../include
+INCLUDES= -I.. -I$(TOP) -I../../include
 CFLAG=-g
 INSTALL_PREFIX=
 OPENSSLDIR=     /usr/local/ssl
 INSTALLTOP=/usr/local/ssl
 MAKE=           make -f Makefile.ssl
-MAKEDEPEND=     $(TOP)/util/domd $(TOP)
+MAKEDEPPROG=    makedepend
+MAKEDEPEND=     $(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)
 MAKEFILE=       Makefile.ssl
 AR=             ar r
 
@@ -49,8 +50,7 @@ all:	lib
 
 lib:    $(LIBOBJ)
         $(AR) $(LIB) $(LIBOBJ)
-        @echo You may get an error following this line.  Please ignore.
-        - $(RANLIB) $(LIB)
+        $(RANLIB) $(LIB) || echo Never mind.
         @touch lib
 
 files:
@@ -89,156 +89,128 @@ clean:
 
 # DO NOT DELETE THIS LINE -- make depend depends on it.
 
-b_dump.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
-b_dump.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+b_dump.o: ../../e_os.h ../../include/openssl/bio.h
+b_dump.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 b_dump.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 b_dump.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
 b_dump.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
 b_dump.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-b_dump.o: ../cryptlib.h
-b_print.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+b_dump.o: ../cryptlib.h b_dump.c
+b_print.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
 b_print.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-b_print.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-b_print.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
-b_print.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-b_print.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-b_print.o: ../../include/openssl/symhacks.h ../cryptlib.h
-b_sock.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
-b_sock.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+b_print.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+b_print.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
+b_print.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+b_print.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+b_print.o: ../cryptlib.h b_print.c
+b_sock.o: ../../e_os.h ../../include/openssl/bio.h
+b_sock.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 b_sock.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 b_sock.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
 b_sock.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
 b_sock.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-b_sock.o: ../cryptlib.h
-bf_buff.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-bf_buff.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-bf_buff.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-bf_buff.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-bf_buff.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-bf_buff.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-bf_buff.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-bf_buff.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-bf_buff.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-bf_buff.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-bf_buff.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-bf_buff.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-bf_buff.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-bf_buff.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-bf_buff.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-bf_buff.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-bf_buff.o: ../../include/openssl/symhacks.h ../cryptlib.h
-bf_nbio.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-bf_nbio.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-bf_nbio.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-bf_nbio.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-bf_nbio.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-bf_nbio.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-bf_nbio.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-bf_nbio.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-bf_nbio.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-bf_nbio.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-bf_nbio.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-bf_nbio.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-bf_nbio.o: ../../include/openssl/rand.h ../../include/openssl/rc2.h
-bf_nbio.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-bf_nbio.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-bf_nbio.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+b_sock.o: ../cryptlib.h b_sock.c
+bf_buff.o: ../../e_os.h ../../include/openssl/bio.h
+bf_buff.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+bf_buff.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+bf_buff.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
+bf_buff.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+bf_buff.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+bf_buff.o: ../cryptlib.h bf_buff.c
+bf_nbio.o: ../../e_os.h ../../include/openssl/bio.h
+bf_nbio.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+bf_nbio.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+bf_nbio.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
+bf_nbio.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+bf_nbio.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h
 bf_nbio.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-bf_nbio.o: ../cryptlib.h
-bf_null.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-bf_null.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-bf_null.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-bf_null.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-bf_null.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-bf_null.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-bf_null.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-bf_null.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-bf_null.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-bf_null.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-bf_null.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-bf_null.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-bf_null.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-bf_null.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-bf_null.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-bf_null.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-bf_null.o: ../../include/openssl/symhacks.h ../cryptlib.h
-bio_cb.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
-bio_cb.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+bf_nbio.o: ../cryptlib.h bf_nbio.c
+bf_null.o: ../../e_os.h ../../include/openssl/bio.h
+bf_null.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+bf_null.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+bf_null.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
+bf_null.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+bf_null.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+bf_null.o: ../cryptlib.h bf_null.c
+bio_cb.o: ../../e_os.h ../../include/openssl/bio.h
+bio_cb.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 bio_cb.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 bio_cb.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
 bio_cb.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
 bio_cb.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-bio_cb.o: ../cryptlib.h
+bio_cb.o: ../cryptlib.h bio_cb.c
 bio_err.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
-bio_err.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+bio_err.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+bio_err.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
 bio_err.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
 bio_err.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-bio_lib.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
-bio_lib.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+bio_err.o: bio_err.c
+bio_lib.o: ../../e_os.h ../../include/openssl/bio.h
+bio_lib.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 bio_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 bio_lib.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
 bio_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
 bio_lib.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-bio_lib.o: ../cryptlib.h
-bss_acpt.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
-bss_acpt.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+bio_lib.o: ../cryptlib.h bio_lib.c
+bss_acpt.o: ../../e_os.h ../../include/openssl/bio.h
+bss_acpt.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 bss_acpt.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 bss_acpt.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
 bss_acpt.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
 bss_acpt.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-bss_acpt.o: ../cryptlib.h
-bss_bio.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
-bss_bio.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+bss_acpt.o: ../cryptlib.h bss_acpt.c
+bss_bio.o: ../../e_os.h ../../include/openssl/bio.h
+bss_bio.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
 bss_bio.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
 bss_bio.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
 bss_bio.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-bss_bio.o: ../../include/openssl/symhacks.h
-bss_conn.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
-bss_conn.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+bss_bio.o: ../../include/openssl/symhacks.h bss_bio.c
+bss_conn.o: ../../e_os.h ../../include/openssl/bio.h
+bss_conn.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 bss_conn.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 bss_conn.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
 bss_conn.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
 bss_conn.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-bss_conn.o: ../cryptlib.h
-bss_fd.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
-bss_fd.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+bss_conn.o: ../cryptlib.h bss_conn.c
+bss_fd.o: ../../e_os.h ../../include/openssl/bio.h
+bss_fd.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 bss_fd.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 bss_fd.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
 bss_fd.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
 bss_fd.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-bss_fd.o: ../cryptlib.h bss_sock.c
-bss_file.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
-bss_file.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+bss_fd.o: ../cryptlib.h bss_fd.c
+bss_file.o: ../../e_os.h ../../include/openssl/bio.h
+bss_file.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 bss_file.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 bss_file.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
 bss_file.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
 bss_file.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-bss_file.o: ../cryptlib.h
-bss_log.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
-bss_log.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+bss_file.o: ../cryptlib.h bss_file.c
+bss_log.o: ../../e_os.h ../../include/openssl/bio.h
+bss_log.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 bss_log.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 bss_log.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
 bss_log.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
 bss_log.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-bss_log.o: ../cryptlib.h
-bss_mem.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
-bss_mem.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+bss_log.o: ../cryptlib.h bss_log.c
+bss_mem.o: ../../e_os.h ../../include/openssl/bio.h
+bss_mem.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 bss_mem.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 bss_mem.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
 bss_mem.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
 bss_mem.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-bss_mem.o: ../cryptlib.h
-bss_null.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
-bss_null.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+bss_mem.o: ../cryptlib.h bss_mem.c
+bss_null.o: ../../e_os.h ../../include/openssl/bio.h
+bss_null.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 bss_null.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 bss_null.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
 bss_null.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
 bss_null.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-bss_null.o: ../cryptlib.h
-bss_sock.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
-bss_sock.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+bss_null.o: ../cryptlib.h bss_null.c
+bss_sock.o: ../../e_os.h ../../include/openssl/bio.h
+bss_sock.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 bss_sock.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 bss_sock.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
 bss_sock.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
 bss_sock.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-bss_sock.o: ../cryptlib.h
+bss_sock.o: ../cryptlib.h bss_sock.c
diff --git a/src/lib/libcrypto/bio/b_print.c b/src/lib/libcrypto/bio/b_print.c
index 91a049406e..b7e268f092 100644
--- a/src/lib/libcrypto/bio/b_print.c
+++ b/src/lib/libcrypto/bio/b_print.c
@@ -109,7 +109,7 @@
 #endif
 
 #if HAVE_LONG_LONG
-# if defined(WIN32) && !defined(__GNUC__)
+# if defined(OPENSSL_SYS_WIN32) && !defined(__GNUC__)
 # define LLONG _int64
 # else
 # define LLONG long long
@@ -569,7 +569,7 @@ pow10(int exp)
 }
 
 static long
-round(LDOUBLE value)
+roundv(LDOUBLE value)
 {
     long intpart;
     intpart = (long) value;
@@ -621,7 +621,7 @@ fmtfp(
 
     /* we "cheat" by converting the fractional part to integer by
        multiplying by a factor of 10 */
-    fracpart = round((pow10(max)) * (ufvalue - intpart));
+    fracpart = roundv((pow10(max)) * (ufvalue - intpart));
 
     if (fracpart >= pow10(max)) {
         intpart++;
diff --git a/src/lib/libcrypto/bio/b_sock.c b/src/lib/libcrypto/bio/b_sock.c
index 62cc3f1a0c..dcaef68ea7 100644
--- a/src/lib/libcrypto/bio/b_sock.c
+++ b/src/lib/libcrypto/bio/b_sock.c
@@ -56,7 +56,7 @@
  * [including the GNU Public Licence.]
  */
 
-#ifndef NO_SOCK
+#ifndef OPENSSL_NO_SOCK
 
 #include <stdio.h>
 #include <stdlib.h>
@@ -65,21 +65,21 @@
 #include "cryptlib.h"
 #include <openssl/bio.h>
 
-#ifdef WIN16
+#ifdef OPENSSL_SYS_WIN16
 #define SOCKET_PROTOCOL 0 /* more microsoft stupidity */
 #else
 #define SOCKET_PROTOCOL IPPROTO_TCP
 #endif
 
 #ifdef SO_MAXCONN
-#define MAX_LISTEN  SOMAXCONN
-#elif defined(SO_MAXCONN)
 #define MAX_LISTEN  SO_MAXCONN
+#elif defined(SOMAXCONN)
+#define MAX_LISTEN  SOMAXCONN
 #else
 #define MAX_LISTEN  32
 #endif
 
-#ifdef WINDOWS
+#ifdef OPENSSL_SYS_WINDOWS
 static int wsa_init_done=0;
 #endif
 
@@ -95,8 +95,10 @@ static struct ghbn_cache_st
         } ghbn_cache[GHBN_NUM];
 
 static int get_ip(const char *str,unsigned char *ip);
+#if 0
 static void ghbn_free(struct hostent *a);
 static struct hostent *ghbn_dup(struct hostent *a);
+#endif
 int BIO_get_host_ip(const char *str, unsigned char *ip)
         {
         int i;
@@ -266,6 +268,7 @@ long BIO_ghbn_ctrl(int cmd, int iarg, char *parg)
         return(1);
         }
 
+#if 0
 static struct hostent *ghbn_dup(struct hostent *a)
         {
         struct hostent *ret;
@@ -343,20 +346,27 @@ static void ghbn_free(struct hostent *a)
         OPENSSL_free(a);
         }
 
+#endif
+
 struct hostent *BIO_gethostbyname(const char *name)
         {
+#if 1
+        /* Caching gethostbyname() results forever is wrong,
+         * so we have to let the true gethostbyname() worry about this */
+        return gethostbyname(name);
+#else
         struct hostent *ret;
         int i,lowi=0,j;
         unsigned long low= (unsigned long)-1;
 
-/*      return(gethostbyname(name)); */
 
-#if 0 /* It doesn't make sense to use locking here: The function interface
-           * is not thread-safe, because threads can never be sure when
-           * some other thread destroys the data they were given a pointer to.
-           */
+#  if 0
+        /* It doesn't make sense to use locking here: The function interface
+         * is not thread-safe, because threads can never be sure when
+         * some other thread destroys the data they were given a pointer to.
+         */
         CRYPTO_w_lock(CRYPTO_LOCK_GETHOSTBYNAME);
-#endif
+#  endif
         j=strlen(name);
         if (j < 128)
                 {
@@ -384,20 +394,21 @@ struct hostent *BIO_gethostbyname(const char *name)
                  * parameter is 'char *', instead of 'const char *'
                  */
                 ret=gethostbyname(
-#ifndef CONST_STRICT
+#  ifndef CONST_STRICT
                     (char *)
-#endif
+#  endif
                     name);
 
                 if (ret == NULL)
                         goto end;
                 if (j > 128) /* too big to cache */
                         {
-#if 0 /* If we were trying to make this function thread-safe (which
-           * is bound to fail), we'd have to give up in this case
-           * (or allocate more memory). */
+#  if 0
+                        /* If we were trying to make this function thread-safe (which
+                         * is bound to fail), we'd have to give up in this case
+                         * (or allocate more memory). */
                         ret = NULL;
-#endif
+#  endif
                         goto end;
                         }
 
@@ -421,15 +432,17 @@ struct hostent *BIO_gethostbyname(const char *name)
                 ghbn_cache[i].order=BIO_ghbn_miss+BIO_ghbn_hits;
                 }
 end:
-#if 0
+#  if 0
         CRYPTO_w_unlock(CRYPTO_LOCK_GETHOSTBYNAME);
-#endif
+#  endif
         return(ret);
+#endif
         }
 
+
 int BIO_sock_init(void)
         {
-#ifdef WINDOWS
+#ifdef OPENSSL_SYS_WINDOWS
         static struct WSAData wsa_state;
 
         if (!wsa_init_done)
@@ -449,13 +462,13 @@ int BIO_sock_init(void)
                         return(-1);
                         }
                 }
-#endif /* WINDOWS */
+#endif /* OPENSSL_SYS_WINDOWS */
         return(1);
         }
 
 void BIO_sock_cleanup(void)
         {
-#ifdef WINDOWS
+#ifdef OPENSSL_SYS_WINDOWS
         if (wsa_init_done)
                 {
                 wsa_init_done=0;
@@ -465,7 +478,7 @@ void BIO_sock_cleanup(void)
 #endif
         }
 
-#if !defined(VMS) || __VMS_VER >= 70000000
+#if !defined(OPENSSL_SYS_VMS) || __VMS_VER >= 70000000
 
 int BIO_socket_ioctl(int fd, long type, unsigned long *arg)
         {
@@ -494,16 +507,16 @@ static int get_ip(const char *str, unsigned char ip[4])
                         {
                         ok=1;
                         tmp[num]=tmp[num]*10+c-'0';
-                        if (tmp[num] > 255) return(-1);
+                        if (tmp[num] > 255) return(0);
                         }
                 else if (c == '.')
                         {
                         if (!ok) return(-1);
-                        if (num == 3) break;
+                        if (num == 3) return(0);
                         num++;
                         ok=0;
                         }
-                else if ((num == 3) && ok)
+                else if (c == '\0' && (num == 3) && ok)
                         break;
                 else
                         return(0);
@@ -661,6 +674,7 @@ int BIO_accept(int sock, char **addr)
         ret=accept(sock,(struct sockaddr *)&from,(void *)&len);
         if (ret == INVALID_SOCKET)
                 {
+                if(BIO_sock_should_retry(ret)) return -2;
                 SYSerr(SYS_F_ACCEPT,get_last_socket_error());
                 BIOerr(BIO_F_BIO_ACCEPT,BIO_R_ACCEPT_ERROR);
                 goto end;
diff --git a/src/lib/libcrypto/bio/bf_buff.c b/src/lib/libcrypto/bio/bf_buff.c
index c90238bae1..6ccda06596 100644
--- a/src/lib/libcrypto/bio/bf_buff.c
+++ b/src/lib/libcrypto/bio/bf_buff.c
@@ -60,7 +60,6 @@
 #include <errno.h>
 #include "cryptlib.h"
 #include <openssl/bio.h>
-#include <openssl/evp.h>
 
 static int buffer_write(BIO *h, const char *buf,int num);
 static int buffer_read(BIO *h, char *buf, int size);
diff --git a/src/lib/libcrypto/bio/bf_lbuf.c b/src/lib/libcrypto/bio/bf_lbuf.c
index 7bcf8ed941..ec0f7eb0b7 100644
--- a/src/lib/libcrypto/bio/bf_lbuf.c
+++ b/src/lib/libcrypto/bio/bf_lbuf.c
@@ -200,7 +200,7 @@ static int linebuffer_write(BIO *b, const char *in, int inl)
                                         }
                                 }
 
-#ifdef DEBUG
+#if 0
 BIO_write(b->next_bio, "<*<", 3);
 #endif
                         i=BIO_write(b->next_bio,
@@ -210,13 +210,13 @@ BIO_write(b->next_bio, "<*<", 3);
                                 ctx->obuf_len = orig_olen;
                                 BIO_copy_next_retry(b);
 
-#ifdef DEBUG
+#if 0
 BIO_write(b->next_bio, ">*>", 3);
 #endif
                                 if (i < 0) return((num > 0)?num:i);
                                 if (i == 0) return(num);
                                 }
-#ifdef DEBUG
+#if 0
 BIO_write(b->next_bio, ">*>", 3);
 #endif
                         if (i < ctx->obuf_len)
@@ -229,20 +229,20 @@ BIO_write(b->next_bio, ">*>", 3);
                    buffer if a NL was found and there is anything to write. */
                 if ((foundnl || p - in > ctx->obuf_size) && p - in > 0)
                         {
-#ifdef DEBUG
+#if 0
 BIO_write(b->next_bio, "<*<", 3);
 #endif
                         i=BIO_write(b->next_bio,in,p - in);
                         if (i <= 0)
                                 {
                                 BIO_copy_next_retry(b);
-#ifdef DEBUG
+#if 0
 BIO_write(b->next_bio, ">*>", 3);
 #endif
                                 if (i < 0) return((num > 0)?num:i);
                                 if (i == 0) return(num);
                                 }
-#ifdef DEBUG
+#if 0
 BIO_write(b->next_bio, ">*>", 3);
 #endif
                         num+=i;
diff --git a/src/lib/libcrypto/bio/bf_nbio.c b/src/lib/libcrypto/bio/bf_nbio.c
index 413ef5c4c5..c193e9debf 100644
--- a/src/lib/libcrypto/bio/bf_nbio.c
+++ b/src/lib/libcrypto/bio/bf_nbio.c
@@ -61,7 +61,6 @@
 #include "cryptlib.h"
 #include <openssl/rand.h>
 #include <openssl/bio.h>
-#include <openssl/evp.h>
 
 /* BIO_put and BIO_get both add to the digest,
  * BIO_gets returns the digest */
diff --git a/src/lib/libcrypto/bio/bf_null.c b/src/lib/libcrypto/bio/bf_null.c
index 2678a1a85d..c1bf39a904 100644
--- a/src/lib/libcrypto/bio/bf_null.c
+++ b/src/lib/libcrypto/bio/bf_null.c
@@ -60,7 +60,6 @@
 #include <errno.h>
 #include "cryptlib.h"
 #include <openssl/bio.h>
-#include <openssl/evp.h>
 
 /* BIO_put and BIO_get both add to the digest,
  * BIO_gets returns the digest */
diff --git a/src/lib/libcrypto/bio/bio.h b/src/lib/libcrypto/bio/bio.h
index 97003b503c..b122c7069d 100644
--- a/src/lib/libcrypto/bio/bio.h
+++ b/src/lib/libcrypto/bio/bio.h
@@ -59,12 +59,13 @@
 #ifndef HEADER_BIO_H
 #define HEADER_BIO_H
 
-#ifndef NO_FP_API
+#ifndef OPENSSL_NO_FP_API
 # include <stdio.h>
 #endif
 #include <stdarg.h>
 
 #include <openssl/crypto.h>
+#include <openssl/e_os2.h>
 
 #ifdef  __cplusplus
 extern "C" {
@@ -179,7 +180,7 @@ extern "C" {
 #define BIO_retry_type(a)               ((a)->flags & BIO_FLAGS_RWS)
 #define BIO_should_retry(a)             ((a)->flags & BIO_FLAGS_SHOULD_RETRY)
 
-/* The next two are used in conjunction with the
+/* The next three are used in conjunction with the
  * BIO_should_io_special() condition.  After this returns true,
  * BIO *BIO_get_retry_BIO(BIO *bio, int *reason); will walk the BIO 
  * stack and return the 'reason' for the special and the offending BIO.
@@ -188,6 +189,8 @@ extern "C" {
 #define BIO_RR_SSL_X509_LOOKUP          0x01
 /* Returned from the connect BIO when a connect would have blocked */
 #define BIO_RR_CONNECT                  0x02
+/* Returned from the accept BIO when an accept would have blocked */
+#define BIO_RR_ACCEPT                   0x03
 
 /* These are passed by the BIO callback */
 #define BIO_CB_FREE     0x01
@@ -215,7 +218,7 @@ typedef struct bio_st BIO;
 
 typedef void bio_info_cb(struct bio_st *, int, const char *, int, long, long);
 
-#ifndef WIN16
+#ifndef OPENSSL_SYS_WIN16
 typedef struct bio_method_st
         {
         int type;
@@ -356,8 +359,8 @@ typedef struct bio_f_buffer_ctx_struct
 #define BIO_set_conn_int_port(b,port) BIO_ctrl(b,BIO_C_SET_CONNECT,3,(char *)port)
 #define BIO_get_conn_hostname(b)  BIO_ptr_ctrl(b,BIO_C_GET_CONNECT,0)
 #define BIO_get_conn_port(b)      BIO_ptr_ctrl(b,BIO_C_GET_CONNECT,1)
-#define BIO_get_conn_ip(b,ip) BIO_ptr_ctrl(b,BIO_C_SET_CONNECT,2)
-#define BIO_get_conn_int_port(b,port) BIO_int_ctrl(b,BIO_C_SET_CONNECT,3,port)
+#define BIO_get_conn_ip(b)               BIO_ptr_ctrl(b,BIO_C_GET_CONNECT,2)
+#define BIO_get_conn_int_port(b) BIO_int_ctrl(b,BIO_C_GET_CONNECT,3)
 
 
 #define BIO_set_nbio(b,n)       BIO_ctrl(b,BIO_C_SET_NBIO,(n),NULL)
@@ -431,7 +434,7 @@ int BIO_read_filename(BIO *b,const char *name);
 #define BIO_set_ssl_renegotiate_bytes(b,num) \
         BIO_ctrl(b,BIO_C_SET_SSL_RENEGOTIATE_BYTES,num,NULL);
 #define BIO_get_num_renegotiates(b) \
-        BIO_ctrl(b,BIO_C_SET_SSL_NUM_RENEGOTIATES,0,NULL);
+        BIO_ctrl(b,BIO_C_GET_SSL_NUM_RENEGOTIATES,0,NULL);
 #define BIO_set_ssl_renegotiate_timeout(b,seconds) \
         BIO_ctrl(b,BIO_C_SET_SSL_RENEGOTIATE_TIMEOUT,seconds,NULL);
 
@@ -464,8 +467,9 @@ int BIO_read_filename(BIO *b,const char *name);
 size_t BIO_ctrl_pending(BIO *b);
 size_t BIO_ctrl_wpending(BIO *b);
 #define BIO_flush(b)            (int)BIO_ctrl(b,BIO_CTRL_FLUSH,0,NULL)
-#define BIO_get_info_callback(b,cbp) (int)BIO_ctrl(b,BIO_CTRL_GET_CALLBACK,0,(bio_info_cb **)(cbp))
-#define BIO_set_info_callback(b,cb) (int)BIO_callback_ctrl(b,BIO_CTRL_SET_CALLBACK,(bio_info_cb *)(cb))
+#define BIO_get_info_callback(b,cbp) (int)BIO_ctrl(b,BIO_CTRL_GET_CALLBACK,0, \
+                                                   cbp)
+#define BIO_set_info_callback(b,cb) (int)BIO_callback_ctrl(b,BIO_CTRL_SET_CALLBACK,cb)
 
 /* For the BIO_f_buffer() type */
 #define BIO_buffer_get_num_lines(b) BIO_ctrl(b,BIO_CTRL_GET,0,NULL)
@@ -493,8 +497,8 @@ int BIO_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
 unsigned long BIO_number_read(BIO *bio);
 unsigned long BIO_number_written(BIO *bio);
 
-# ifndef NO_FP_API
-#  if defined(WIN16) && defined(_WINDLL)
+# ifndef OPENSSL_NO_FP_API
+#  if defined(OPENSSL_SYS_WIN16) && defined(_WINDLL)
 BIO_METHOD *BIO_s_file_internal(void);
 BIO *BIO_new_file_internal(char *filename, char *mode);
 BIO *BIO_new_fp_internal(FILE *stream, int close_flag);
@@ -536,7 +540,7 @@ int BIO_nread(BIO *bio, char **buf, int num);
 int BIO_nwrite0(BIO *bio, char **buf);
 int BIO_nwrite(BIO *bio, char **buf, int num);
 
-#ifndef WIN16
+#ifndef OPENSSL_SYS_WIN16
 long BIO_debug_callback(BIO *bio,int cmd,const char *argp,int argi,
         long argl,long ret);
 #else
@@ -555,7 +559,7 @@ BIO_METHOD *BIO_s_bio(void);
 BIO_METHOD *BIO_s_null(void);
 BIO_METHOD *BIO_f_null(void);
 BIO_METHOD *BIO_f_buffer(void);
-#ifdef VMS
+#ifdef OPENSSL_SYS_VMS
 BIO_METHOD *BIO_f_linebuffer(void);
 #endif
 BIO_METHOD *BIO_f_nbio_test(void);
@@ -588,8 +592,6 @@ int BIO_sock_init(void );
 void BIO_sock_cleanup(void);
 int BIO_set_tcp_ndelay(int sock,int turn_on);
 
-void ERR_load_BIO_strings(void );
-
 BIO *BIO_new_socket(int sock, int close_flag);
 BIO *BIO_new_fd(int fd, int close_flag);
 BIO *BIO_new_connect(char *host_port);
@@ -615,6 +617,7 @@ int BIO_vsnprintf(char *buf, size_t n, const char *format, va_list args);
 /* The following lines are auto generated by the script mkerr.pl. Any changes
  * made after this point may be overwritten when the script is next run.
  */
+void ERR_load_BIO_strings(void);
 
 /* Error codes for the BIO functions. */
 
@@ -670,6 +673,7 @@ int BIO_vsnprintf(char *buf, size_t n, const char *format, va_list args);
 #define BIO_R_NO_HOSTNAME_SPECIFIED                      112
 #define BIO_R_NO_PORT_DEFINED                            113
 #define BIO_R_NO_PORT_SPECIFIED                          114
+#define BIO_R_NO_SUCH_FILE                               128
 #define BIO_R_NULL_PARAMETER                             115
 #define BIO_R_TAG_MISMATCH                               116
 #define BIO_R_UNABLE_TO_BIND_SOCKET                      117
@@ -684,4 +688,3 @@ int BIO_vsnprintf(char *buf, size_t n, const char *format, va_list args);
 }
 #endif
 #endif
-
diff --git a/src/lib/libcrypto/bio/bio_cb.c b/src/lib/libcrypto/bio/bio_cb.c
index 37c7c22666..0ffa4d2136 100644
--- a/src/lib/libcrypto/bio/bio_cb.c
+++ b/src/lib/libcrypto/bio/bio_cb.c
@@ -125,7 +125,7 @@ long MS_CALLBACK BIO_debug_callback(BIO *bio, int cmd, const char *argp,
         b=(BIO *)bio->cb_arg;
         if (b != NULL)
                 BIO_write(b,buf,strlen(buf));
-#if !defined(NO_STDIO) && !defined(WIN16)
+#if !defined(OPENSSL_NO_STDIO) && !defined(OPENSSL_SYS_WIN16)
         else
                 fputs(buf,stderr);
 #endif
diff --git a/src/lib/libcrypto/bio/bio_err.c b/src/lib/libcrypto/bio/bio_err.c
index bb815fb1e6..99ca3cd0da 100644
--- a/src/lib/libcrypto/bio/bio_err.c
+++ b/src/lib/libcrypto/bio/bio_err.c
@@ -63,7 +63,7 @@
 #include <openssl/bio.h>
 
 /* BEGIN ERROR CODES */
-#ifndef NO_ERR
+#ifndef OPENSSL_NO_ERR
 static ERR_STRING_DATA BIO_str_functs[]=
         {
 {ERR_PACK(0,BIO_F_ACPT_STATE,0),        "ACPT_STATE"},
@@ -120,6 +120,7 @@ static ERR_STRING_DATA BIO_str_reasons[]=
 {BIO_R_NO_HOSTNAME_SPECIFIED             ,"no hostname specified"},
 {BIO_R_NO_PORT_DEFINED                   ,"no port defined"},
 {BIO_R_NO_PORT_SPECIFIED                 ,"no port specified"},
+{BIO_R_NO_SUCH_FILE                      ,"no such file"},
 {BIO_R_NULL_PARAMETER                    ,"null parameter"},
 {BIO_R_TAG_MISMATCH                      ,"tag mismatch"},
 {BIO_R_UNABLE_TO_BIND_SOCKET             ,"unable to bind socket"},
@@ -141,7 +142,7 @@ void ERR_load_BIO_strings(void)
         if (init)
                 {
                 init=0;
-#ifndef NO_ERR
+#ifndef OPENSSL_NO_ERR
                 ERR_load_strings(ERR_LIB_BIO,BIO_str_functs);
                 ERR_load_strings(ERR_LIB_BIO,BIO_str_reasons);
 #endif
diff --git a/src/lib/libcrypto/bio/bio_lib.c b/src/lib/libcrypto/bio/bio_lib.c
index 381afc9b8e..50df2238fa 100644
--- a/src/lib/libcrypto/bio/bio_lib.c
+++ b/src/lib/libcrypto/bio/bio_lib.c
@@ -63,9 +63,6 @@
 #include <openssl/bio.h>
 #include <openssl/stack.h>
 
-static STACK_OF(CRYPTO_EX_DATA_FUNCS) *bio_meth=NULL;
-static int bio_meth_num=0;
-
 BIO *BIO_new(BIO_METHOD *method)
         {
         BIO *ret=NULL;
@@ -100,10 +97,14 @@ int BIO_set(BIO *bio, BIO_METHOD *method)
         bio->references=1;
         bio->num_read=0L;
         bio->num_write=0L;
-        CRYPTO_new_ex_data(bio_meth,bio,&bio->ex_data);
+        CRYPTO_new_ex_data(CRYPTO_EX_INDEX_BIO, bio, &bio->ex_data);
         if (method->create != NULL)
                 if (!method->create(bio))
+                        {
+                        CRYPTO_free_ex_data(CRYPTO_EX_INDEX_BIO, bio,
+                                        &bio->ex_data);
                         return(0);
+                        }
         return(1);
         }
 
@@ -129,7 +130,7 @@ int BIO_free(BIO *a)
                 ((i=(int)a->callback(a,BIO_CB_FREE,NULL,0,0L,1L)) <= 0))
                         return(i);
 
-        CRYPTO_free_ex_data(bio_meth,a,&a->ex_data);
+        CRYPTO_free_ex_data(CRYPTO_EX_INDEX_BIO, a, &a->ex_data);
 
         if ((a->method == NULL) || (a->method->destroy == NULL)) return(1);
         ret=a->method->destroy(a);
@@ -482,7 +483,8 @@ BIO *BIO_dup_chain(BIO *in)
                         }
 
                 /* copy app data */
-                if (!CRYPTO_dup_ex_data(bio_meth,&new->ex_data,&bio->ex_data))
+                if (!CRYPTO_dup_ex_data(CRYPTO_EX_INDEX_BIO, &new->ex_data,
+                                        &bio->ex_data))
                         goto err;
 
                 if (ret == NULL)
@@ -512,9 +514,8 @@ void BIO_copy_next_retry(BIO *b)
 int BIO_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
              CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func)
         {
-        bio_meth_num++;
-        return(CRYPTO_get_ex_new_index(bio_meth_num-1,&bio_meth,
-                argl,argp,new_func,dup_func,free_func));
+        return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_BIO, argl, argp,
+                                new_func, dup_func, free_func);
         }
 
 int BIO_set_ex_data(BIO *bio, int idx, void *data)
diff --git a/src/lib/libcrypto/bio/bss_acpt.c b/src/lib/libcrypto/bio/bss_acpt.c
index 4da5822062..8ea1db158b 100644
--- a/src/lib/libcrypto/bio/bss_acpt.c
+++ b/src/lib/libcrypto/bio/bss_acpt.c
@@ -56,7 +56,7 @@
  * [including the GNU Public Licence.]
  */
 
-#ifndef NO_SOCK
+#ifndef OPENSSL_NO_SOCK
 
 #include <stdio.h>
 #include <errno.h>
@@ -64,13 +64,13 @@
 #include "cryptlib.h"
 #include <openssl/bio.h>
 
-#ifdef WIN16
+#ifdef OPENSSL_SYS_WIN16
 #define SOCKET_PROTOCOL 0 /* more microsoft stupidity */
 #else
 #define SOCKET_PROTOCOL IPPROTO_TCP
 #endif
 
-#if (defined(VMS) && __VMS_VER < 70000000)
+#if (defined(OPENSSL_SYS_VMS) && __VMS_VER < 70000000)
 /* FIONBIO used as a switch to enable ioctl, and that isn't in VMS < 7.0 */
 #undef FIONBIO
 #endif
@@ -236,8 +236,20 @@ again:
                         c->state=ACPT_S_OK;
                         goto again;
                         }
+                BIO_clear_retry_flags(b);
+                b->retry_reason=0;
                 i=BIO_accept(c->accept_sock,&(c->addr));
+
+                /* -2 return means we should retry */
+                if(i == -2)
+                        {
+                        BIO_set_retry_special(b);
+                        b->retry_reason=BIO_RR_ACCEPT;
+                        return -1;
+                        }
+
                 if (i < 0) return(i);
+
                 bio=BIO_new_socket(i,BIO_CLOSE);
                 if (bio == NULL) goto err;
 
diff --git a/src/lib/libcrypto/bio/bss_bio.c b/src/lib/libcrypto/bio/bss_bio.c
index 78c6ab4fdd..a5da473031 100644
--- a/src/lib/libcrypto/bio/bss_bio.c
+++ b/src/lib/libcrypto/bio/bss_bio.c
@@ -22,7 +22,12 @@
 #include <openssl/err.h>
 #include <openssl/crypto.h>
 
-#include "openssl/e_os.h"
+#include "e_os.h"
+
+/* VxWorks defines SSIZE_MAX with an empty value causing compile errors */
+#if defined(OPENSSL_SYS_VSWORKS)
+# undef SSIZE_MAX
+#endif
 #ifndef SSIZE_MAX
 # define SSIZE_MAX INT_MAX
 #endif
@@ -474,7 +479,8 @@ static long bio_ctrl(BIO *bio, int cmd, long num, void *ptr)
                 break;
 
         case BIO_C_GET_WRITE_BUF_SIZE:
-                num = (long) b->size;
+                ret = (long) b->size;
+                break;
 
         case BIO_C_MAKE_BIO_PAIR:
                 {
diff --git a/src/lib/libcrypto/bio/bss_conn.c b/src/lib/libcrypto/bio/bss_conn.c
index a6b77a2cb9..f91ae4c8c6 100644
--- a/src/lib/libcrypto/bio/bss_conn.c
+++ b/src/lib/libcrypto/bio/bss_conn.c
@@ -56,7 +56,7 @@
  * [including the GNU Public Licence.]
  */
 
-#ifndef NO_SOCK
+#ifndef OPENSSL_NO_SOCK
 
 #include <stdio.h>
 #include <errno.h>
@@ -64,13 +64,13 @@
 #include "cryptlib.h"
 #include <openssl/bio.h>
 
-#ifdef WIN16
+#ifdef OPENSSL_SYS_WIN16
 #define SOCKET_PROTOCOL 0 /* more microsoft stupidity */
 #else
 #define SOCKET_PROTOCOL IPPROTO_TCP
 #endif
 
-#if (defined(VMS) && __VMS_VER < 70000000)
+#if (defined(OPENSSL_SYS_VMS) && __VMS_VER < 70000000)
 /* FIONBIO used as a switch to enable ioctl, and that isn't in VMS < 7.0 */
 #undef FIONBIO
 #endif
@@ -95,7 +95,7 @@ typedef struct bio_connect_st
         /* called when the connection is initially made
          *  callback(BIO,state,ret);  The callback should return
          * 'ret'.  state is for compatibility with the ssl info_callback */
-        int (*info_callback)();
+        int (*info_callback)(const BIO *bio,int state,int ret);
         } BIO_CONNECT;
 
 static int conn_write(BIO *h, const char *buf, int num);
@@ -236,7 +236,7 @@ static int conn_state(BIO *b, BIO_CONNECT *c)
                                 }
                         c->state=BIO_CONN_S_CONNECT;
 
-#if defined(SO_KEEPALIVE) && !defined(MPE)
+#if defined(SO_KEEPALIVE) && !defined(OPENSSL_SYS_MPE)
                         i=1;
                         i=setsockopt(b->num,SOL_SOCKET,SO_KEEPALIVE,(char *)&i,sizeof(i));
                         if (i < 0)
@@ -574,7 +574,8 @@ static long conn_ctrl(BIO *b, int cmd, long num, void *ptr)
                 if (data->param_hostname)
                         BIO_set_conn_hostname(dbio,data->param_hostname);
                 BIO_set_nbio(dbio,data->nbio);
-                (void)BIO_set_info_callback(dbio,data->info_callback);
+                /* FIXME: the cast of the function seems unlikely to be a good idea */
+                (void)BIO_set_info_callback(dbio,(bio_info_cb *)data->info_callback);
                 }
                 break;
         case BIO_CTRL_SET_CALLBACK:
@@ -613,7 +614,7 @@ static long conn_callback_ctrl(BIO *b, int cmd, bio_info_cb *fp)
                 {
         case BIO_CTRL_SET_CALLBACK:
                 {
-                data->info_callback=(int (*)())fp;
+                data->info_callback=(int (*)(const struct bio_st *, int, int))fp;
                 }
                 break;
         default:
diff --git a/src/lib/libcrypto/bio/bss_fd.c b/src/lib/libcrypto/bio/bss_fd.c
index 686c4909a2..5e3e187de6 100644
--- a/src/lib/libcrypto/bio/bss_fd.c
+++ b/src/lib/libcrypto/bio/bss_fd.c
@@ -56,7 +56,227 @@
  * [including the GNU Public Licence.]
  */
 
-#define BIO_FD
-#include "bss_sock.c"
-#undef BIO_FD
+#include <stdio.h>
+#include <errno.h>
+#define USE_SOCKETS
+#include "cryptlib.h"
+#include <openssl/bio.h>
 
+static int fd_write(BIO *h, const char *buf, int num);
+static int fd_read(BIO *h, char *buf, int size);
+static int fd_puts(BIO *h, const char *str);
+static long fd_ctrl(BIO *h, int cmd, long arg1, void *arg2);
+static int fd_new(BIO *h);
+static int fd_free(BIO *data);
+int BIO_fd_should_retry(int s);
+
+static BIO_METHOD methods_fdp=
+        {
+        BIO_TYPE_FD,"file descriptor",
+        fd_write,
+        fd_read,
+        fd_puts,
+        NULL, /* fd_gets, */
+        fd_ctrl,
+        fd_new,
+        fd_free,
+        NULL,
+        };
+
+BIO_METHOD *BIO_s_fd(void)
+        {
+        return(&methods_fdp);
+        }
+
+BIO *BIO_new_fd(int fd,int close_flag)
+        {
+        BIO *ret;
+        ret=BIO_new(BIO_s_fd());
+        if (ret == NULL) return(NULL);
+        BIO_set_fd(ret,fd,close_flag);
+        return(ret);
+        }
+
+static int fd_new(BIO *bi)
+        {
+        bi->init=0;
+        bi->num=0;
+        bi->ptr=NULL;
+        bi->flags=0;
+        return(1);
+        }
+
+static int fd_free(BIO *a)
+        {
+        if (a == NULL) return(0);
+        if (a->shutdown)
+                {
+                if (a->init)
+                        {
+                        close(a->num);
+                        }
+                a->init=0;
+                a->flags=0;
+                }
+        return(1);
+        }
+        
+static int fd_read(BIO *b, char *out,int outl)
+        {
+        int ret=0;
+
+        if (out != NULL)
+                {
+                clear_sys_error();
+                ret=read(b->num,out,outl);
+                BIO_clear_retry_flags(b);
+                if (ret <= 0)
+                        {
+                        if (BIO_fd_should_retry(ret))
+                                BIO_set_retry_read(b);
+                        }
+                }
+        return(ret);
+        }
+
+static int fd_write(BIO *b, const char *in, int inl)
+        {
+        int ret;
+        clear_sys_error();
+        ret=write(b->num,in,inl);
+        BIO_clear_retry_flags(b);
+        if (ret <= 0)
+                {
+                if (BIO_fd_should_retry(ret))
+                        BIO_set_retry_write(b);
+                }
+        return(ret);
+        }
+
+static long fd_ctrl(BIO *b, int cmd, long num, void *ptr)
+        {
+        long ret=1;
+        int *ip;
+
+        switch (cmd)
+                {
+        case BIO_CTRL_RESET:
+                num=0;
+        case BIO_C_FILE_SEEK:
+                ret=(long)lseek(b->num,num,0);
+                break;
+        case BIO_C_FILE_TELL:
+        case BIO_CTRL_INFO:
+                ret=(long)lseek(b->num,0,1);
+                break;
+        case BIO_C_SET_FD:
+                fd_free(b);
+                b->num= *((int *)ptr);
+                b->shutdown=(int)num;
+                b->init=1;
+                break;
+        case BIO_C_GET_FD:
+                if (b->init)
+                        {
+                        ip=(int *)ptr;
+                        if (ip != NULL) *ip=b->num;
+                        ret=b->num;
+                        }
+                else
+                        ret= -1;
+                break;
+        case BIO_CTRL_GET_CLOSE:
+                ret=b->shutdown;
+                break;
+        case BIO_CTRL_SET_CLOSE:
+                b->shutdown=(int)num;
+                break;
+        case BIO_CTRL_PENDING:
+        case BIO_CTRL_WPENDING:
+                ret=0;
+                break;
+        case BIO_CTRL_DUP:
+        case BIO_CTRL_FLUSH:
+                ret=1;
+                break;
+        default:
+                ret=0;
+                break;
+                }
+        return(ret);
+        }
+
+static int fd_puts(BIO *bp, const char *str)
+        {
+        int n,ret;
+
+        n=strlen(str);
+        ret=fd_write(bp,str,n);
+        return(ret);
+        }
+
+int BIO_fd_should_retry(int i)
+        {
+        int err;
+
+        if ((i == 0) || (i == -1))
+                {
+                err=get_last_sys_error();
+
+#if defined(OPENSSL_SYS_WINDOWS) && 0 /* more microsoft stupidity? perhaps not? Ben 4/1/99 */
+                if ((i == -1) && (err == 0))
+                        return(1);
+#endif
+
+                return(BIO_fd_non_fatal_error(err));
+                }
+        return(0);
+        }
+
+int BIO_fd_non_fatal_error(int err)
+        {
+        switch (err)
+                {
+
+#ifdef EWOULDBLOCK
+# ifdef WSAEWOULDBLOCK
+#  if WSAEWOULDBLOCK != EWOULDBLOCK
+        case EWOULDBLOCK:
+#  endif
+# else
+        case EWOULDBLOCK:
+# endif
+#endif
+
+#if defined(ENOTCONN)
+        case ENOTCONN:
+#endif
+
+#ifdef EINTR
+        case EINTR:
+#endif
+
+#ifdef EAGAIN
+#if EWOULDBLOCK != EAGAIN
+        case EAGAIN:
+# endif
+#endif
+
+#ifdef EPROTO
+        case EPROTO:
+#endif
+
+#ifdef EINPROGRESS
+        case EINPROGRESS:
+#endif
+
+#ifdef EALREADY
+        case EALREADY:
+#endif
+                return(1);
+                /* break; */
+        default:
+                break;
+                }
+        return(0);
+        }
diff --git a/src/lib/libcrypto/bio/bss_file.c b/src/lib/libcrypto/bio/bss_file.c
index 1f770b390f..8b3ff278d9 100644
--- a/src/lib/libcrypto/bio/bss_file.c
+++ b/src/lib/libcrypto/bio/bss_file.c
@@ -71,7 +71,7 @@
 #include <openssl/bio.h>
 #include <openssl/err.h>
 
-#if !defined(NO_STDIO)
+#if !defined(OPENSSL_NO_STDIO)
 
 static int MS_CALLBACK file_write(BIO *h, const char *buf, int num);
 static int MS_CALLBACK file_read(BIO *h, char *buf, int size);
@@ -103,7 +103,10 @@ BIO *BIO_new_file(const char *filename, const char *mode)
                 {
                 SYSerr(SYS_F_FOPEN,get_last_sys_error());
                 ERR_add_error_data(5,"fopen('",filename,"','",mode,"')");
-                BIOerr(BIO_F_BIO_NEW_FILE,ERR_R_SYS_LIB);
+                if (errno == ENOENT)
+                        BIOerr(BIO_F_BIO_NEW_FILE,BIO_R_NO_SUCH_FILE);
+                else
+                        BIOerr(BIO_F_BIO_NEW_FILE,ERR_R_SYS_LIB);
                 return(NULL);
                 }
         if ((ret=BIO_new(BIO_s_file_internal())) == NULL)
@@ -204,12 +207,17 @@ static long MS_CALLBACK file_ctrl(BIO *b, int cmd, long num, void *ptr)
                 b->shutdown=(int)num&BIO_CLOSE;
                 b->ptr=(char *)ptr;
                 b->init=1;
-#if defined(MSDOS) || defined(WINDOWS)
+#if defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_WINDOWS)
                 /* Set correct text/binary mode */
                 if (num & BIO_FP_TEXT)
                         _setmode(fileno((FILE *)ptr),_O_TEXT);
                 else
                         _setmode(fileno((FILE *)ptr),_O_BINARY);
+#elif defined(OPENSSL_SYS_OS2)
+                if (num & BIO_FP_TEXT)
+                        setmode(fileno((FILE *)ptr), O_TEXT);
+                else
+                        setmode(fileno((FILE *)ptr), O_BINARY);
 #endif
                 break;
         case BIO_C_SET_FILENAME:
@@ -233,7 +241,7 @@ static long MS_CALLBACK file_ctrl(BIO *b, int cmd, long num, void *ptr)
                         ret=0;
                         break;
                         }
-#if defined(MSDOS) || defined(WINDOWS)
+#if defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_WINDOWS)
                 if (!(num & BIO_FP_TEXT))
                         strcat(p,"b");
                 else
@@ -303,7 +311,7 @@ static int MS_CALLBACK file_puts(BIO *bp, const char *str)
         return(ret);
         }
 
-#endif /* NO_STDIO */
+#endif /* OPENSSL_NO_STDIO */
 
 #endif /* HEADER_BSS_FILE_C */
 
diff --git a/src/lib/libcrypto/bio/bss_log.c b/src/lib/libcrypto/bio/bss_log.c
index 1edf16a76f..a39d95297c 100644
--- a/src/lib/libcrypto/bio/bss_log.c
+++ b/src/lib/libcrypto/bio/bss_log.c
@@ -66,26 +66,27 @@
 #include <stdio.h>
 #include <errno.h>
 
-#if defined(WIN32)
+#include "cryptlib.h"
+
+#if defined(OPENSSL_SYS_WIN32)
 #  include <process.h>
-#elif defined(VMS) || defined(__VMS)
+#elif defined(OPENSSL_SYS_VMS)
 #  include <opcdef.h>
 #  include <descrip.h>
 #  include <lib$routines.h>
 #  include <starlet.h>
 #elif defined(__ultrix)
 #  include <sys/syslog.h>
-#elif !defined(MSDOS) /* Unix */
+#elif !defined(MSDOS) && !defined(OPENSSL_SYS_VXWORKS) && !defined(NO_SYSLOG) /* Unix */
 #  include <syslog.h>
 #endif
 
-#include "cryptlib.h"
 #include <openssl/buffer.h>
 #include <openssl/err.h>
 
 #ifndef NO_SYSLOG
 
-#if defined(WIN32)
+#if defined(OPENSSL_SYS_WIN32)
 #define LOG_EMERG       0
 #define LOG_ALERT       1
 #define LOG_CRIT        2
@@ -96,7 +97,7 @@
 #define LOG_DEBUG       7
 
 #define LOG_DAEMON      (3<<3)
-#elif defined(VMS)
+#elif defined(OPENSSL_SYS_VMS)
 /* On VMS, we don't really care about these, but we need them to compile */
 #define LOG_EMERG       0
 #define LOG_ALERT       1
@@ -118,7 +119,7 @@ static int MS_CALLBACK slg_free(BIO *data);
 static void xopenlog(BIO* bp, char* name, int level);
 static void xsyslog(BIO* bp, int priority, const char* string);
 static void xcloselog(BIO* bp);
-#ifdef WIN32
+#ifdef OPENSSL_SYS_WIN32
 LONG    (WINAPI *go_for_advapi)()       = RegOpenKeyEx;
 HANDLE  (WINAPI *register_event_source)()       = NULL;
 BOOL    (WINAPI *deregister_event_source)()     = NULL;
@@ -241,7 +242,7 @@ static int MS_CALLBACK slg_puts(BIO *bp, const char *str)
         return(ret);
         }
 
-#if defined(WIN32)
+#if defined(OPENSSL_SYS_WIN32)
 
 static void xopenlog(BIO* bp, char* name, int level)
 {
@@ -313,7 +314,7 @@ static void xcloselog(BIO* bp)
         bp->ptr= NULL;
 }
 
-#elif defined(VMS)
+#elif defined(OPENSSL_SYS_VMS)
 
 static int VMS_OPC_target = LOG_DAEMON;
 
diff --git a/src/lib/libcrypto/bio/bss_sock.c b/src/lib/libcrypto/bio/bss_sock.c
index 50c6744c06..fdabd16d7e 100644
--- a/src/lib/libcrypto/bio/bss_sock.c
+++ b/src/lib/libcrypto/bio/bss_sock.c
@@ -56,7 +56,7 @@
  * [including the GNU Public Licence.]
  */
 
-#if !defined(NO_SOCK) || defined(BIO_FD)
+#ifndef OPENSSL_NO_SOCK
 
 #include <stdio.h>
 #include <errno.h>
@@ -64,7 +64,6 @@
 #include "cryptlib.h"
 #include <openssl/bio.h>
 
-#ifndef BIO_FD
 static int sock_write(BIO *h, const char *buf, int num);
 static int sock_read(BIO *h, char *buf, int size);
 static int sock_puts(BIO *h, const char *str);
@@ -72,18 +71,7 @@ static long sock_ctrl(BIO *h, int cmd, long arg1, void *arg2);
 static int sock_new(BIO *h);
 static int sock_free(BIO *data);
 int BIO_sock_should_retry(int s);
-#else
 
-static int fd_write(BIO *h, const char *buf, int num);
-static int fd_read(BIO *h, char *buf, int size);
-static int fd_puts(BIO *h, const char *str);
-static long fd_ctrl(BIO *h, int cmd, long arg1, void *arg2);
-static int fd_new(BIO *h);
-static int fd_free(BIO *data);
-int BIO_fd_should_retry(int s);
-#endif
-
-#ifndef BIO_FD
 static BIO_METHOD methods_sockp=
         {
         BIO_TYPE_SOCKET,
@@ -102,49 +90,18 @@ BIO_METHOD *BIO_s_socket(void)
         {
         return(&methods_sockp);
         }
-#else
-static BIO_METHOD methods_fdp=
-        {
-        BIO_TYPE_FD,"file descriptor",
-        fd_write,
-        fd_read,
-        fd_puts,
-        NULL, /* fd_gets, */
-        fd_ctrl,
-        fd_new,
-        fd_free,
-        NULL,
-        };
-
-BIO_METHOD *BIO_s_fd(void)
-        {
-        return(&methods_fdp);
-        }
-#endif
 
-#ifndef BIO_FD
 BIO *BIO_new_socket(int fd, int close_flag)
-#else
-BIO *BIO_new_fd(int fd,int close_flag)
-#endif
         {
         BIO *ret;
 
-#ifndef BIO_FD
         ret=BIO_new(BIO_s_socket());
-#else
-        ret=BIO_new(BIO_s_fd());
-#endif
         if (ret == NULL) return(NULL);
         BIO_set_fd(ret,fd,close_flag);
         return(ret);
         }
 
-#ifndef BIO_FD
 static int sock_new(BIO *bi)
-#else
-static int fd_new(BIO *bi)
-#endif
         {
         bi->init=0;
         bi->num=0;
@@ -153,23 +110,14 @@ static int fd_new(BIO *bi)
         return(1);
         }
 
-#ifndef BIO_FD
 static int sock_free(BIO *a)
-#else
-static int fd_free(BIO *a)
-#endif
         {
         if (a == NULL) return(0);
         if (a->shutdown)
                 {
                 if (a->init)
                         {
-#ifndef BIO_FD
                         SHUTDOWN2(a->num);
-#else                   /* BIO_FD */
-                        close(a->num);
-#endif
-
                         }
                 a->init=0;
                 a->flags=0;
@@ -177,70 +125,40 @@ static int fd_free(BIO *a)
         return(1);
         }
         
-#ifndef BIO_FD
 static int sock_read(BIO *b, char *out, int outl)
-#else
-static int fd_read(BIO *b, char *out,int outl)
-#endif
         {
         int ret=0;
 
         if (out != NULL)
                 {
-#ifndef BIO_FD
                 clear_socket_error();
                 ret=readsocket(b->num,out,outl);
-#else
-                clear_sys_error();
-                ret=read(b->num,out,outl);
-#endif
                 BIO_clear_retry_flags(b);
                 if (ret <= 0)
                         {
-#ifndef BIO_FD
                         if (BIO_sock_should_retry(ret))
-#else
-                        if (BIO_fd_should_retry(ret))
-#endif
                                 BIO_set_retry_read(b);
                         }
                 }
         return(ret);
         }
 
-#ifndef BIO_FD
 static int sock_write(BIO *b, const char *in, int inl)
-#else
-static int fd_write(BIO *b, const char *in, int inl)
-#endif
         {
         int ret;
         
-#ifndef BIO_FD
         clear_socket_error();
         ret=writesocket(b->num,in,inl);
-#else
-        clear_sys_error();
-        ret=write(b->num,in,inl);
-#endif
         BIO_clear_retry_flags(b);
         if (ret <= 0)
                 {
-#ifndef BIO_FD
                 if (BIO_sock_should_retry(ret))
-#else
-                if (BIO_fd_should_retry(ret))
-#endif
                         BIO_set_retry_write(b);
                 }
         return(ret);
         }
 
-#ifndef BIO_FD
 static long sock_ctrl(BIO *b, int cmd, long num, void *ptr)
-#else
-static long fd_ctrl(BIO *b, int cmd, long num, void *ptr)
-#endif
         {
         long ret=1;
         int *ip;
@@ -250,26 +168,14 @@ static long fd_ctrl(BIO *b, int cmd, long num, void *ptr)
         case BIO_CTRL_RESET:
                 num=0;
         case BIO_C_FILE_SEEK:
-#ifdef BIO_FD
-                ret=(long)lseek(b->num,num,0);
-#else
                 ret=0;
-#endif
                 break;
         case BIO_C_FILE_TELL:
         case BIO_CTRL_INFO:
-#ifdef BIO_FD
-                ret=(long)lseek(b->num,0,1);
-#else
                 ret=0;
-#endif
                 break;
         case BIO_C_SET_FD:
-#ifndef BIO_FD
                 sock_free(b);
-#else
-                fd_free(b);
-#endif
                 b->num= *((int *)ptr);
                 b->shutdown=(int)num;
                 b->init=1;
@@ -305,69 +211,38 @@ static long fd_ctrl(BIO *b, int cmd, long num, void *ptr)
         return(ret);
         }
 
-#ifdef undef
-static int sock_gets(BIO *bp, char *buf,int size)
-        {
-        return(-1);
-        }
-#endif
-
-#ifndef BIO_FD
 static int sock_puts(BIO *bp, const char *str)
-#else
-static int fd_puts(BIO *bp, const char *str)
-#endif
         {
         int n,ret;
 
         n=strlen(str);
-#ifndef BIO_FD
         ret=sock_write(bp,str,n);
-#else
-        ret=fd_write(bp,str,n);
-#endif
         return(ret);
         }
 
-#ifndef BIO_FD
 int BIO_sock_should_retry(int i)
-#else
-int BIO_fd_should_retry(int i)
-#endif
         {
         int err;
 
         if ((i == 0) || (i == -1))
                 {
-#ifndef BIO_FD
                 err=get_last_socket_error();
-#else
-                err=get_last_sys_error();
-#endif
 
-#if defined(WINDOWS) && 0 /* more microsoft stupidity? perhaps not? Ben 4/1/99 */
+#if defined(OPENSSL_SYS_WINDOWS) && 0 /* more microsoft stupidity? perhaps not? Ben 4/1/99 */
                 if ((i == -1) && (err == 0))
                         return(1);
 #endif
 
-#ifndef BIO_FD
                 return(BIO_sock_non_fatal_error(err));
-#else
-                return(BIO_fd_non_fatal_error(err));
-#endif
                 }
         return(0);
         }
 
-#ifndef BIO_FD
 int BIO_sock_non_fatal_error(int err)
-#else
-int BIO_fd_non_fatal_error(int err)
-#endif
         {
         switch (err)
                 {
-#if !defined(BIO_FD) && defined(WINDOWS)
+#if defined(OPENSSL_SYS_WINDOWS)
 # if defined(WSAEWOULDBLOCK)
         case WSAEWOULDBLOCK:
 # endif
diff --git a/src/lib/libcrypto/bn/Makefile.ssl b/src/lib/libcrypto/bn/Makefile.ssl
index 526d7adb5c..eb6f0eeebd 100644
--- a/src/lib/libcrypto/bn/Makefile.ssl
+++ b/src/lib/libcrypto/bn/Makefile.ssl
@@ -6,13 +6,14 @@ DIR=	bn
 TOP=    ../..
 CC=     cc
 CPP=    $(CC) -E
-INCLUDES= -I.. -I../../include
+INCLUDES= -I.. -I$(TOP) -I../../include
 CFLAG=-g
 INSTALL_PREFIX=
 OPENSSLDIR=     /usr/local/ssl
 INSTALLTOP=/usr/local/ssl
 MAKE=           make -f Makefile.ssl
-MAKEDEPEND=     $(TOP)/util/domd $(TOP)
+MAKEDEPPROG=    makedepend
+MAKEDEPEND=     $(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)
 MAKEFILE=       Makefile.ssl
 AR=             ar r
 
@@ -35,15 +36,15 @@ TEST=bntest.c exptest.c
 APPS=
 
 LIB=$(TOP)/libcrypto.a
-LIBSRC= bn_add.c bn_div.c bn_exp.c bn_lib.c bn_ctx.c bn_mul.c \
+LIBSRC= bn_add.c bn_div.c bn_exp.c bn_lib.c bn_ctx.c bn_mul.c bn_mod.c \
         bn_print.c bn_rand.c bn_shift.c bn_word.c bn_blind.c \
-        bn_gcd.c bn_prime.c bn_err.c bn_sqr.c bn_asm.c bn_recp.c bn_mont.c \
-        bn_mpi.c bn_exp2.c
+        bn_kron.c bn_sqrt.c bn_gcd.c bn_prime.c bn_err.c bn_sqr.c bn_asm.c \
+        bn_recp.c bn_mont.c bn_mpi.c bn_exp2.c
 
-LIBOBJ= bn_add.o bn_div.o bn_exp.o bn_lib.o bn_ctx.o bn_mul.o \
+LIBOBJ= bn_add.o bn_div.o bn_exp.o bn_lib.o bn_ctx.o bn_mul.o bn_mod.o \
         bn_print.o bn_rand.o bn_shift.o bn_word.o bn_blind.o \
-        bn_gcd.o bn_prime.o bn_err.o bn_sqr.o $(BN_ASM) bn_recp.o bn_mont.o \
-        bn_mpi.o bn_exp2.o
+        bn_kron.o bn_sqrt.o bn_gcd.o bn_prime.o bn_err.o bn_sqr.o $(BN_ASM) \
+        bn_recp.o bn_mont.o bn_mpi.o bn_exp2.o
 
 SRC= $(LIBSRC)
 
@@ -68,8 +69,7 @@ bnbug: bnbug.c ../../libcrypto.a top
 
 lib:    $(LIBOBJ)
         $(AR) $(LIB) $(LIBOBJ)
-        @echo You may get an error following this line.  Please ignore.
-        - $(RANLIB) $(LIB)
+        $(RANLIB) $(LIB) || echo Never mind.
         @touch lib
 
 # elf
@@ -124,6 +124,18 @@ asm/sparcv8plus-gcc27.o: asm/sparcv8plus.S
         $(CC) $(ASFLAGS) -E asm/sparcv8plus.S | \
                 /usr/ccs/bin/as -xarch=v8plus - -o asm/sparcv8plus-gcc27.o
 
+
+asm/ia64.o:     asm/ia64.S
+
+# Some compiler drivers (most notably HP-UX and Intel C++) don't
+# understand .S extension:-( I wish I could pipe output from cc -E,
+# but it's too compiler driver/ABI dependent to cover with a single
+# rule...       <appro@fy.chalmers.se>
+asm/ia64-cpp.o: asm/ia64.S
+        $(CC) $(ASFLAGS) -E asm/ia64.S > /tmp/ia64.$$$$.s &&    \
+        $(CC) $(ASFLAGS) -c -o asm/ia64-cpp.o /tmp/ia64.$$$$.s; \
+        rm -f /tmp/ia64.$$$$.s
+
 files:
         $(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO
 
@@ -168,146 +180,160 @@ clean:
 
 # DO NOT DELETE THIS LINE -- make depend depends on it.
 
-bn_add.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+bn_add.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
 bn_add.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-bn_add.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-bn_add.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
-bn_add.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-bn_add.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-bn_add.o: ../../include/openssl/symhacks.h ../cryptlib.h bn_lcl.h
-bn_asm.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+bn_add.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+bn_add.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
+bn_add.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+bn_add.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+bn_add.o: ../cryptlib.h bn_add.c bn_lcl.h
+bn_asm.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
 bn_asm.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-bn_asm.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-bn_asm.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
-bn_asm.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-bn_asm.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-bn_asm.o: ../../include/openssl/symhacks.h ../cryptlib.h bn_lcl.h
-bn_blind.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+bn_asm.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+bn_asm.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
+bn_asm.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+bn_asm.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+bn_asm.o: ../cryptlib.h bn_asm.c bn_lcl.h
+bn_blind.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
 bn_blind.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-bn_blind.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-bn_blind.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
-bn_blind.o: ../../include/openssl/opensslconf.h
+bn_blind.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+bn_blind.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
 bn_blind.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
 bn_blind.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-bn_blind.o: ../cryptlib.h bn_lcl.h
-bn_ctx.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+bn_blind.o: ../cryptlib.h bn_blind.c bn_lcl.h
+bn_ctx.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
 bn_ctx.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-bn_ctx.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-bn_ctx.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
-bn_ctx.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-bn_ctx.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-bn_ctx.o: ../../include/openssl/symhacks.h ../cryptlib.h
-bn_div.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+bn_ctx.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+bn_ctx.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
+bn_ctx.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+bn_ctx.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+bn_ctx.o: ../cryptlib.h bn_ctx.c bn_lcl.h
+bn_div.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
 bn_div.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-bn_div.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-bn_div.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
-bn_div.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-bn_div.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-bn_div.o: ../../include/openssl/symhacks.h ../cryptlib.h bn_lcl.h
+bn_div.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+bn_div.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
+bn_div.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+bn_div.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+bn_div.o: ../cryptlib.h bn_div.c bn_lcl.h
 bn_err.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
-bn_err.o: ../../include/openssl/crypto.h ../../include/openssl/err.h
-bn_err.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-bn_err.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-bn_err.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-bn_exp.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+bn_err.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+bn_err.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+bn_err.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+bn_err.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+bn_err.o: ../../include/openssl/symhacks.h bn_err.c
+bn_exp.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
 bn_exp.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-bn_exp.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-bn_exp.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
-bn_exp.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-bn_exp.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-bn_exp.o: ../../include/openssl/symhacks.h ../cryptlib.h bn_lcl.h
-bn_exp2.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+bn_exp.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+bn_exp.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
+bn_exp.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+bn_exp.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+bn_exp.o: ../cryptlib.h bn_exp.c bn_lcl.h
+bn_exp2.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
 bn_exp2.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-bn_exp2.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-bn_exp2.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
-bn_exp2.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-bn_exp2.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-bn_exp2.o: ../../include/openssl/symhacks.h ../cryptlib.h bn_lcl.h
-bn_gcd.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+bn_exp2.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+bn_exp2.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
+bn_exp2.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+bn_exp2.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+bn_exp2.o: ../cryptlib.h bn_exp2.c bn_lcl.h
+bn_gcd.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
 bn_gcd.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-bn_gcd.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-bn_gcd.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
-bn_gcd.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-bn_gcd.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-bn_gcd.o: ../../include/openssl/symhacks.h ../cryptlib.h bn_lcl.h
-bn_lib.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+bn_gcd.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+bn_gcd.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
+bn_gcd.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+bn_gcd.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+bn_gcd.o: ../cryptlib.h bn_gcd.c bn_lcl.h
+bn_kron.o: ../../include/openssl/bn.h ../../include/openssl/e_os2.h
+bn_kron.o: ../../include/openssl/opensslconf.h bn_kron.c bn_lcl.h
+bn_lib.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
 bn_lib.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-bn_lib.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-bn_lib.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
-bn_lib.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-bn_lib.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-bn_lib.o: ../../include/openssl/symhacks.h ../cryptlib.h bn_lcl.h
-bn_mont.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+bn_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+bn_lib.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
+bn_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+bn_lib.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+bn_lib.o: ../cryptlib.h bn_lcl.h bn_lib.c
+bn_mod.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
+bn_mod.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+bn_mod.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+bn_mod.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
+bn_mod.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+bn_mod.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+bn_mod.o: ../cryptlib.h bn_lcl.h bn_mod.c
+bn_mont.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
 bn_mont.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-bn_mont.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-bn_mont.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
-bn_mont.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-bn_mont.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-bn_mont.o: ../../include/openssl/symhacks.h ../cryptlib.h bn_lcl.h
-bn_mpi.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+bn_mont.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+bn_mont.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
+bn_mont.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+bn_mont.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+bn_mont.o: ../cryptlib.h bn_lcl.h bn_mont.c
+bn_mpi.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
 bn_mpi.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-bn_mpi.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-bn_mpi.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
-bn_mpi.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-bn_mpi.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-bn_mpi.o: ../../include/openssl/symhacks.h ../cryptlib.h bn_lcl.h
-bn_mul.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+bn_mpi.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+bn_mpi.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
+bn_mpi.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+bn_mpi.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+bn_mpi.o: ../cryptlib.h bn_lcl.h bn_mpi.c
+bn_mul.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
 bn_mul.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-bn_mul.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-bn_mul.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
-bn_mul.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-bn_mul.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-bn_mul.o: ../../include/openssl/symhacks.h ../cryptlib.h bn_lcl.h
-bn_prime.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+bn_mul.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+bn_mul.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
+bn_mul.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+bn_mul.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+bn_mul.o: ../cryptlib.h bn_lcl.h bn_mul.c
+bn_prime.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
 bn_prime.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-bn_prime.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-bn_prime.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
-bn_prime.o: ../../include/openssl/opensslconf.h
-bn_prime.o: ../../include/openssl/opensslv.h ../../include/openssl/rand.h
-bn_prime.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-bn_prime.o: ../../include/openssl/symhacks.h ../cryptlib.h bn_lcl.h bn_prime.h
-bn_print.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+bn_prime.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+bn_prime.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
+bn_prime.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+bn_prime.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h
+bn_prime.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+bn_prime.o: ../cryptlib.h bn_lcl.h bn_prime.c bn_prime.h
+bn_print.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
 bn_print.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-bn_print.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-bn_print.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
-bn_print.o: ../../include/openssl/opensslconf.h
+bn_print.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+bn_print.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
 bn_print.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
 bn_print.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-bn_print.o: ../cryptlib.h bn_lcl.h
-bn_rand.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+bn_print.o: ../cryptlib.h bn_lcl.h bn_print.c
+bn_rand.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
 bn_rand.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-bn_rand.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-bn_rand.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
-bn_rand.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+bn_rand.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+bn_rand.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
+bn_rand.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 bn_rand.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h
 bn_rand.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-bn_rand.o: ../cryptlib.h bn_lcl.h
-bn_recp.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+bn_rand.o: ../cryptlib.h bn_lcl.h bn_rand.c
+bn_recp.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
 bn_recp.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-bn_recp.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-bn_recp.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
-bn_recp.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-bn_recp.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-bn_recp.o: ../../include/openssl/symhacks.h ../cryptlib.h bn_lcl.h
-bn_shift.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+bn_recp.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+bn_recp.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
+bn_recp.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+bn_recp.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+bn_recp.o: ../cryptlib.h bn_lcl.h bn_recp.c
+bn_shift.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
 bn_shift.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-bn_shift.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-bn_shift.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
-bn_shift.o: ../../include/openssl/opensslconf.h
+bn_shift.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+bn_shift.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
 bn_shift.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
 bn_shift.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-bn_shift.o: ../cryptlib.h bn_lcl.h
-bn_sqr.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+bn_shift.o: ../cryptlib.h bn_lcl.h bn_shift.c
+bn_sqr.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
 bn_sqr.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-bn_sqr.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-bn_sqr.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
-bn_sqr.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-bn_sqr.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-bn_sqr.o: ../../include/openssl/symhacks.h ../cryptlib.h bn_lcl.h
-bn_word.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+bn_sqr.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+bn_sqr.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
+bn_sqr.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+bn_sqr.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+bn_sqr.o: ../cryptlib.h bn_lcl.h bn_sqr.c
+bn_sqrt.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
+bn_sqrt.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+bn_sqrt.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+bn_sqrt.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
+bn_sqrt.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+bn_sqrt.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+bn_sqrt.o: ../cryptlib.h bn_lcl.h bn_sqrt.c
+bn_word.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
 bn_word.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-bn_word.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-bn_word.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
-bn_word.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-bn_word.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-bn_word.o: ../../include/openssl/symhacks.h ../cryptlib.h bn_lcl.h
+bn_word.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+bn_word.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
+bn_word.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+bn_word.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+bn_word.o: ../cryptlib.h bn_lcl.h bn_word.c
diff --git a/src/lib/libcrypto/bn/asm/README b/src/lib/libcrypto/bn/asm/README
index a0fe58a677..b0f3a68a06 100644
--- a/src/lib/libcrypto/bn/asm/README
+++ b/src/lib/libcrypto/bn/asm/README
@@ -1,3 +1,5 @@
+<OBSOLETE>
+
 All assember in this directory are just version of the file
 crypto/bn/bn_asm.c.
 
@@ -21,3 +23,5 @@ pa-risc.s is the origional one which works fine and generated using gcc :-)
 
 pa-risc2W.s and pa-risc2.s are 64 and 32-bit PA-RISC 2.0 implementations
 by Chris Ruemmler from HP (with some help from the HP C compiler).
+
+</OBSOLETE>
diff --git a/src/lib/libcrypto/bn/asm/bn-586.pl b/src/lib/libcrypto/bn/asm/bn-586.pl
index 5191bed273..33f6125920 100644
--- a/src/lib/libcrypto/bn/asm/bn-586.pl
+++ b/src/lib/libcrypto/bn/asm/bn-586.pl
@@ -11,6 +11,7 @@ require "x86asm.pl";
 &bn_div_words("bn_div_words");
 &bn_add_words("bn_add_words");
 &bn_sub_words("bn_sub_words");
+&bn_sub_part_words("bn_sub_part_words");
 
 &asm_finish();
 
@@ -300,7 +301,7 @@ sub bn_add_words
                  &add($tmp1,$tmp2);
                 &adc($c,0);
                  &dec($num) if ($i != 6);
-                &mov(&DWP($i*4,$r,"",0),$tmp1); # *a
+                &mov(&DWP($i*4,$r,"",0),$tmp1); # *r
                  &jz(&label("aw_end")) if ($i != 6);
                 }
         &set_label("aw_end",0);
@@ -372,7 +373,7 @@ sub bn_sub_words
                  &sub($tmp1,$tmp2);
                 &adc($c,0);
                  &dec($num) if ($i != 6);
-                &mov(&DWP($i*4,$r,"",0),$tmp1); # *a
+                &mov(&DWP($i*4,$r,"",0),$tmp1); # *r
                  &jz(&label("aw_end")) if ($i != 6);
                 }
         &set_label("aw_end",0);
@@ -382,3 +383,211 @@ sub bn_sub_words
         &function_end($name);
         }
 
+sub bn_sub_part_words
+        {
+        local($name)=@_;
+
+        &function_begin($name,"");
+
+        &comment("");
+        $a="esi";
+        $b="edi";
+        $c="eax";
+        $r="ebx";
+        $tmp1="ecx";
+        $tmp2="edx";
+        $num="ebp";
+
+        &mov($r,&wparam(0));    # get r
+         &mov($a,&wparam(1));   # get a
+        &mov($b,&wparam(2));    # get b
+         &mov($num,&wparam(3)); # get num
+        &xor($c,$c);            # clear carry
+         &and($num,0xfffffff8); # num / 8
+
+        &jz(&label("aw_finish"));
+
+        &set_label("aw_loop",0);
+        for ($i=0; $i<8; $i++)
+                {
+                &comment("Round $i");
+
+                &mov($tmp1,&DWP($i*4,$a,"",0));         # *a
+                 &mov($tmp2,&DWP($i*4,$b,"",0));        # *b
+                &sub($tmp1,$c);
+                 &mov($c,0);
+                &adc($c,$c);
+                 &sub($tmp1,$tmp2);
+                &adc($c,0);
+                 &mov(&DWP($i*4,$r,"",0),$tmp1);        # *r
+                }
+
+        &comment("");
+        &add($a,32);
+         &add($b,32);
+        &add($r,32);
+         &sub($num,8);
+        &jnz(&label("aw_loop"));
+
+        &set_label("aw_finish",0);
+        &mov($num,&wparam(3));  # get num
+        &and($num,7);
+         &jz(&label("aw_end"));
+
+        for ($i=0; $i<7; $i++)
+                {
+                &comment("Tail Round $i");
+                &mov($tmp1,&DWP(0,$a,"",0));    # *a
+                 &mov($tmp2,&DWP(0,$b,"",0));# *b
+                &sub($tmp1,$c);
+                 &mov($c,0);
+                &adc($c,$c);
+                 &sub($tmp1,$tmp2);
+                &adc($c,0);
+                &mov(&DWP(0,$r,"",0),$tmp1);    # *r
+                &add($a, 4);
+                &add($b, 4);
+                &add($r, 4);
+                 &dec($num) if ($i != 6);
+                 &jz(&label("aw_end")) if ($i != 6);
+                }
+        &set_label("aw_end",0);
+
+        &cmp(&wparam(4),0);
+        &je(&label("pw_end"));
+
+        &mov($num,&wparam(4));  # get dl
+        &cmp($num,0);
+        &je(&label("pw_end"));
+        &jge(&label("pw_pos"));
+
+        &comment("pw_neg");
+        &mov($tmp2,0);
+        &sub($tmp2,$num);
+        &mov($num,$tmp2);
+        &and($num,0xfffffff8);  # num / 8
+        &jz(&label("pw_neg_finish"));
+
+        &set_label("pw_neg_loop",0);
+        for ($i=0; $i<8; $i++)
+        {
+            &comment("dl<0 Round $i");
+
+            &mov($tmp1,0);
+            &mov($tmp2,&DWP($i*4,$b,"",0));     # *b
+            &sub($tmp1,$c);
+            &mov($c,0);
+            &adc($c,$c);
+            &sub($tmp1,$tmp2);
+            &adc($c,0);
+            &mov(&DWP($i*4,$r,"",0),$tmp1);     # *r
+        }
+            
+        &comment("");
+        &add($b,32);
+        &add($r,32);
+        &sub($num,8);
+        &jnz(&label("pw_neg_loop"));
+            
+        &set_label("pw_neg_finish",0);
+        &mov($tmp2,&wparam(4)); # get dl
+        &mov($num,0);
+        &sub($num,$tmp2);
+        &and($num,7);
+        &jz(&label("pw_end"));
+            
+        for ($i=0; $i<7; $i++)
+        {
+            &comment("dl<0 Tail Round $i");
+            &mov($tmp1,0);
+            &mov($tmp2,&DWP($i*4,$b,"",0));# *b
+            &sub($tmp1,$c);
+            &mov($c,0);
+            &adc($c,$c);
+            &sub($tmp1,$tmp2);
+            &adc($c,0);
+            &dec($num) if ($i != 6);
+            &mov(&DWP($i*4,$r,"",0),$tmp1);     # *r
+            &jz(&label("pw_end")) if ($i != 6);
+        }
+
+        &jmp(&label("pw_end"));
+        
+        &set_label("pw_pos",0);
+        
+        &and($num,0xfffffff8);  # num / 8
+        &jz(&label("pw_pos_finish"));
+
+        &set_label("pw_pos_loop",0);
+
+        for ($i=0; $i<8; $i++)
+        {
+            &comment("dl>0 Round $i");
+
+            &mov($tmp1,&DWP($i*4,$a,"",0));     # *a
+            &sub($tmp1,$c);
+            &mov(&DWP($i*4,$r,"",0),$tmp1);     # *r
+            &jnc(&label("pw_nc".$i));
+        }
+            
+        &comment("");
+        &add($a,32);
+        &add($r,32);
+        &sub($num,8);
+        &jnz(&label("pw_pos_loop"));
+            
+        &set_label("pw_pos_finish",0);
+        &mov($num,&wparam(4));  # get dl
+        &and($num,7);
+        &jz(&label("pw_end"));
+            
+        for ($i=0; $i<7; $i++)
+        {
+            &comment("dl>0 Tail Round $i");
+            &mov($tmp1,&DWP($i*4,$a,"",0));     # *a
+            &sub($tmp1,$c);
+            &mov(&DWP($i*4,$r,"",0),$tmp1);     # *r
+            &jnc(&label("pw_tail_nc".$i));
+            &dec($num) if ($i != 6);
+            &jz(&label("pw_end")) if ($i != 6);
+        }
+        &mov($c,1);
+        &jmp(&label("pw_end"));
+
+        &set_label("pw_nc_loop",0);
+        for ($i=0; $i<8; $i++)
+        {
+            &mov($tmp1,&DWP($i*4,$a,"",0));     # *a
+            &mov(&DWP($i*4,$r,"",0),$tmp1);     # *r
+            &set_label("pw_nc".$i,0);
+        }
+            
+        &comment("");
+        &add($a,32);
+        &add($r,32);
+        &sub($num,8);
+        &jnz(&label("pw_nc_loop"));
+            
+        &mov($num,&wparam(4));  # get dl
+        &and($num,7);
+        &jz(&label("pw_nc_end"));
+            
+        for ($i=0; $i<7; $i++)
+        {
+            &mov($tmp1,&DWP($i*4,$a,"",0));     # *a
+            &mov(&DWP($i*4,$r,"",0),$tmp1);     # *r
+            &set_label("pw_tail_nc".$i,0);
+            &dec($num) if ($i != 6);
+            &jz(&label("pw_nc_end")) if ($i != 6);
+        }
+
+        &set_label("pw_nc_end",0);
+        &mov($c,0);
+
+        &set_label("pw_end",0);
+
+#       &mov("eax",$c);         # $c is "eax"
+
+        &function_end($name);
+        }
+
diff --git a/src/lib/libcrypto/bn/asm/ia64.S b/src/lib/libcrypto/bn/asm/ia64.S
new file mode 100644
index 0000000000..ae56066310
--- /dev/null
+++ b/src/lib/libcrypto/bn/asm/ia64.S
@@ -0,0 +1,1498 @@
+.explicit
+.text
+.ident  "ia64.S, Version 1.1"
+.ident  "IA-64 ISA artwork by Andy Polyakov <appro@fy.chalmers.se>"
+
+//
+// ====================================================================
+// Written by Andy Polyakov <appro@fy.chalmers.se> for the OpenSSL
+// project.
+//
+// Rights for redistribution and usage in source and binary forms are
+// granted according to the OpenSSL license. Warranty of any kind is
+// disclaimed.
+// ====================================================================
+//
+
+// Q.   How much faster does it get?
+// A.   Here is the output from 'openssl speed rsa dsa' for vanilla
+//      0.9.6a compiled with gcc version 2.96 20000731 (Red Hat
+//      Linux 7.1 2.96-81):
+//
+//                        sign    verify    sign/s verify/s
+//      rsa  512 bits   0.0036s   0.0003s    275.3   2999.2
+//      rsa 1024 bits   0.0203s   0.0011s     49.3    894.1
+//      rsa 2048 bits   0.1331s   0.0040s      7.5    250.9
+//      rsa 4096 bits   0.9270s   0.0147s      1.1     68.1
+//                        sign    verify    sign/s verify/s
+//      dsa  512 bits   0.0035s   0.0043s    288.3    234.8
+//      dsa 1024 bits   0.0111s   0.0135s     90.0     74.2
+//
+//      And here is similar output but for this assembler
+//      implementation:-)
+//
+//                        sign    verify    sign/s verify/s
+//      rsa  512 bits   0.0021s   0.0001s    549.4   9638.5
+//      rsa 1024 bits   0.0055s   0.0002s    183.8   4481.1
+//      rsa 2048 bits   0.0244s   0.0006s     41.4   1726.3
+//      rsa 4096 bits   0.1295s   0.0018s      7.7    561.5
+//                        sign    verify    sign/s verify/s
+//      dsa  512 bits   0.0012s   0.0013s    891.9    756.6
+//      dsa 1024 bits   0.0023s   0.0028s    440.4    376.2
+//      
+//      Yes, you may argue that it's not fair comparison as it's
+//      possible to craft the C implementation with BN_UMULT_HIGH
+//      inline assembler macro. But of course! Here is the output
+//      with the macro:
+//
+//                        sign    verify    sign/s verify/s
+//      rsa  512 bits   0.0020s   0.0002s    495.0   6561.0
+//      rsa 1024 bits   0.0086s   0.0004s    116.2   2235.7
+//      rsa 2048 bits   0.0519s   0.0015s     19.3    667.3
+//      rsa 4096 bits   0.3464s   0.0053s      2.9    187.7
+//                        sign    verify    sign/s verify/s
+//      dsa  512 bits   0.0016s   0.0020s    613.1    510.5
+//      dsa 1024 bits   0.0045s   0.0054s    221.0    183.9
+//
+//      My code is still way faster, huh:-) And I believe that even
+//      higher performance can be achieved. Note that as keys get
+//      longer, performance gain is larger. Why? According to the
+//      profiler there is another player in the field, namely
+//      BN_from_montgomery consuming larger and larger portion of CPU
+//      time as keysize decreases. I therefore consider putting effort
+//      to assembler implementation of the following routine:
+//
+//      void bn_mul_add_mont (BN_ULONG *rp,BN_ULONG *np,int nl,BN_ULONG n0)
+//      {
+//      int      i,j;
+//      BN_ULONG v;
+//
+//      for (i=0; i<nl; i++)
+//              {
+//              v=bn_mul_add_words(rp,np,nl,(rp[0]*n0)&BN_MASK2);
+//              nrp++;
+//              rp++;
+//              if (((nrp[-1]+=v)&BN_MASK2) < v)
+//                      for (j=0; ((++nrp[j])&BN_MASK2) == 0; j++) ;
+//              }
+//      }
+//
+//      It might as well be beneficial to implement even combaX
+//      variants, as it appears as it can literally unleash the
+//      performance (see comment section to bn_mul_comba8 below).
+//
+//      And finally for your reference the output for 0.9.6a compiled
+//      with SGIcc version 0.01.0-12 (keep in mind that for the moment
+//      of this writing it's not possible to convince SGIcc to use
+//      BN_UMULT_HIGH inline assembler macro, yet the code is fast,
+//      i.e. for a compiler generated one:-):
+//
+//                        sign    verify    sign/s verify/s
+//      rsa  512 bits   0.0022s   0.0002s    452.7   5894.3
+//      rsa 1024 bits   0.0097s   0.0005s    102.7   2002.9
+//      rsa 2048 bits   0.0578s   0.0017s     17.3    600.2
+//      rsa 4096 bits   0.3838s   0.0061s      2.6    164.5
+//                        sign    verify    sign/s verify/s
+//      dsa  512 bits   0.0018s   0.0022s    547.3    459.6
+//      dsa 1024 bits   0.0051s   0.0062s    196.6    161.3
+//
+//      Oh! Benchmarks were performed on 733MHz Lion-class Itanium
+//      system running Redhat Linux 7.1 (very special thanks to Ray
+//      McCaffity of Williams Communications for providing an account).
+//
+// Q.   What's the heck with 'rum 1<<5' at the end of every function?
+// A.   Well, by clearing the "upper FP registers written" bit of the
+//      User Mask I want to excuse the kernel from preserving upper
+//      (f32-f128) FP register bank over process context switch, thus
+//      minimizing bus bandwidth consumption during the switch (i.e.
+//      after PKI opration completes and the program is off doing
+//      something else like bulk symmetric encryption). Having said
+//      this, I also want to point out that it might be good idea
+//      to compile the whole toolkit (as well as majority of the
+//      programs for that matter) with -mfixed-range=f32-f127 command
+//      line option. No, it doesn't prevent the compiler from writing
+//      to upper bank, but at least discourages to do so. If you don't
+//      like the idea you have the option to compile the module with
+//      -Drum=nop.m in command line.
+//
+
+#if 1
+//
+// bn_[add|sub]_words routines.
+//
+// Loops are spinning in 2*(n+5) ticks on Itanuim (provided that the
+// data reside in L1 cache, i.e. 2 ticks away). It's possible to
+// compress the epilogue and get down to 2*n+6, but at the cost of
+// scalability (the neat feature of this implementation is that it
+// shall automagically spin in n+5 on "wider" IA-64 implementations:-)
+// I consider that the epilogue is short enough as it is to trade tiny
+// performance loss on Itanium for scalability.
+//
+// BN_ULONG bn_add_words(BN_ULONG *rp, BN_ULONG *ap, BN_ULONG *bp,int num)
+//
+.global bn_add_words#
+.proc   bn_add_words#
+.align  64
+.skip   32      // makes the loop body aligned at 64-byte boundary
+bn_add_words:
+        .prologue
+        .fframe 0
+        .save   ar.pfs,r2
+{ .mii; alloc           r2=ar.pfs,4,12,0,16
+        cmp4.le         p6,p0=r35,r0    };;
+{ .mfb; mov             r8=r0                   // return value
+(p6)    br.ret.spnt.many        b0      };;
+
+        .save   ar.lc,r3
+{ .mib; sub             r10=r35,r0,1
+        mov             r3=ar.lc
+        brp.loop.imp    .L_bn_add_words_ctop,.L_bn_add_words_cend-16
+                                        }
+        .body
+{ .mib; mov             r14=r32                 // rp
+        mov             r9=pr           };;
+{ .mii; mov             r15=r33                 // ap
+        mov             ar.lc=r10
+        mov             ar.ec=6         }
+{ .mib; mov             r16=r34                 // bp
+        mov             pr.rot=1<<16    };;
+
+.L_bn_add_words_ctop:
+{ .mii; (p16)   ld8             r32=[r16],8       // b=*(bp++)
+        (p18)   add             r39=r37,r34
+        (p19)   cmp.ltu.unc     p56,p0=r40,r38  }
+{ .mfb; (p0)    nop.m           0x0
+        (p0)    nop.f           0x0
+        (p0)    nop.b           0x0             }
+{ .mii; (p16)   ld8             r35=[r15],8       // a=*(ap++)
+        (p58)   cmp.eq.or       p57,p0=-1,r41     // (p20)
+        (p58)   add             r41=1,r41       } // (p20)
+{ .mfb; (p21)   st8             [r14]=r42,8       // *(rp++)=r
+        (p0)    nop.f           0x0
+        br.ctop.sptk    .L_bn_add_words_ctop    };;
+.L_bn_add_words_cend:
+
+{ .mii;
+(p59)   add             r8=1,r8         // return value
+        mov             pr=r9,-1
+        mov             ar.lc=r3        }
+{ .mbb; nop.b           0x0
+        br.ret.sptk.many        b0      };;
+.endp   bn_add_words#
+
+//
+// BN_ULONG bn_sub_words(BN_ULONG *rp, BN_ULONG *ap, BN_ULONG *bp,int num)
+//
+.global bn_sub_words#
+.proc   bn_sub_words#
+.align  64
+.skip   32      // makes the loop body aligned at 64-byte boundary
+bn_sub_words:
+        .prologue
+        .fframe 0
+        .save   ar.pfs,r2
+{ .mii; alloc           r2=ar.pfs,4,12,0,16
+        cmp4.le         p6,p0=r35,r0    };;
+{ .mfb; mov             r8=r0                   // return value
+(p6)    br.ret.spnt.many        b0      };;
+
+        .save   ar.lc,r3
+{ .mib; sub             r10=r35,r0,1
+        mov             r3=ar.lc
+        brp.loop.imp    .L_bn_sub_words_ctop,.L_bn_sub_words_cend-16
+                                        }
+        .body
+{ .mib; mov             r14=r32                 // rp
+        mov             r9=pr           };;
+{ .mii; mov             r15=r33                 // ap
+        mov             ar.lc=r10
+        mov             ar.ec=6         }
+{ .mib; mov             r16=r34                 // bp
+        mov             pr.rot=1<<16    };;
+
+.L_bn_sub_words_ctop:
+{ .mii; (p16)   ld8             r32=[r16],8       // b=*(bp++)
+        (p18)   sub             r39=r37,r34
+        (p19)   cmp.gtu.unc     p56,p0=r40,r38  }
+{ .mfb; (p0)    nop.m           0x0
+        (p0)    nop.f           0x0
+        (p0)    nop.b           0x0             }
+{ .mii; (p16)   ld8             r35=[r15],8       // a=*(ap++)
+        (p58)   cmp.eq.or       p57,p0=0,r41      // (p20)
+        (p58)   add             r41=-1,r41      } // (p20)
+{ .mbb; (p21)   st8             [r14]=r42,8       // *(rp++)=r
+        (p0)    nop.b           0x0
+        br.ctop.sptk    .L_bn_sub_words_ctop    };;
+.L_bn_sub_words_cend:
+
+{ .mii;
+(p59)   add             r8=1,r8         // return value
+        mov             pr=r9,-1
+        mov             ar.lc=r3        }
+{ .mbb; nop.b           0x0
+        br.ret.sptk.many        b0      };;
+.endp   bn_sub_words#
+#endif
+
+#if 0
+#define XMA_TEMPTATION
+#endif
+
+#if 1
+//
+// BN_ULONG bn_mul_words(BN_ULONG *rp, BN_ULONG *ap, int num, BN_ULONG w)
+//
+.global bn_mul_words#
+.proc   bn_mul_words#
+.align  64
+.skip   32      // makes the loop body aligned at 64-byte boundary
+bn_mul_words:
+        .prologue
+        .fframe 0
+        .save   ar.pfs,r2
+#ifdef XMA_TEMPTATION
+{ .mfi; alloc           r2=ar.pfs,4,0,0,0       };;
+#else
+{ .mfi; alloc           r2=ar.pfs,4,4,0,8       };;
+#endif
+{ .mib; mov             r8=r0                   // return value
+        cmp4.le         p6,p0=r34,r0
+(p6)    br.ret.spnt.many        b0              };;
+
+        .save   ar.lc,r3
+{ .mii; sub     r10=r34,r0,1
+        mov     r3=ar.lc
+        mov     r9=pr                   };;
+
+        .body
+{ .mib; setf.sig        f8=r35  // w
+        mov             pr.rot=0x400001<<16
+                        // ------^----- serves as (p48) at first (p26)
+        brp.loop.imp    .L_bn_mul_words_ctop,.L_bn_mul_words_cend-16
+                                        }
+
+#ifndef XMA_TEMPTATION
+
+{ .mii; mov             r14=r32 // rp
+        mov             r15=r33 // ap
+        mov             ar.lc=r10       }
+{ .mii; mov             r39=0   // serves as r33 at first (p26)
+        mov             ar.ec=12        };;
+
+// This loop spins in 2*(n+11) ticks. It's scheduled for data in L2
+// cache (i.e. 9 ticks away) as floating point load/store instructions
+// bypass L1 cache and L2 latency is actually best-case scenario for
+// ldf8. The loop is not scalable and shall run in 2*(n+11) even on
+// "wider" IA-64 implementations. It's a trade-off here. n+22 loop
+// would give us ~5% in *overall* performance improvement on "wider"
+// IA-64, but would hurt Itanium for about same because of longer
+// epilogue. As it's a matter of few percents in either case I've
+// chosen to trade the scalability for development time (you can see
+// this very instruction sequence in bn_mul_add_words loop which in
+// turn is scalable).
+.L_bn_mul_words_ctop:
+{ .mfi; (p25)   getf.sig        r36=f49                 // low
+        (p21)   xmpy.lu         f45=f37,f8
+        (p27)   cmp.ltu         p52,p48=r39,r38 }
+{ .mfi; (p16)   ldf8            f32=[r15],8
+        (p21)   xmpy.hu         f38=f37,f8
+        (p0)    nop.i           0x0             };;
+{ .mii; (p26)   getf.sig        r32=f43                 // high
+        .pred.rel       "mutex",p48,p52
+        (p48)   add             r38=r37,r33             // (p26)
+        (p52)   add             r38=r37,r33,1   }       // (p26)
+{ .mfb; (p27)   st8             [r14]=r39,8
+        (p0)    nop.f           0x0
+        br.ctop.sptk    .L_bn_mul_words_ctop    };;
+.L_bn_mul_words_cend:
+
+{ .mii; nop.m           0x0
+.pred.rel       "mutex",p49,p53
+(p49)   add             r8=r34,r0
+(p53)   add             r8=r34,r0,1     }
+{ .mfb; nop.m   0x0
+        nop.f   0x0
+        nop.b   0x0                     }
+
+#else   // XMA_TEMPTATION
+
+        setf.sig        f37=r0  // serves as carry at (p18) tick
+        mov             ar.lc=r10
+        mov             ar.ec=5;;
+
+// Most of you examining this code very likely wonder why in the name
+// of Intel the following loop is commented out? Indeed, it looks so
+// neat that you find it hard to believe that it's something wrong
+// with it, right? The catch is that every iteration depends on the
+// result from previous one and the latter isn't available instantly.
+// The loop therefore spins at the latency of xma minus 1, or in other
+// words at 6*(n+4) ticks:-( Compare to the "production" loop above
+// that runs in 2*(n+11) where the low latency problem is worked around
+// by moving the dependency to one-tick latent interger ALU. Note that
+// "distance" between ldf8 and xma is not latency of ldf8, but the
+// *difference* between xma and ldf8 latencies.
+.L_bn_mul_words_ctop:
+{ .mfi; (p16)   ldf8            f32=[r33],8
+        (p18)   xma.hu          f38=f34,f8,f39  }
+{ .mfb; (p20)   stf8            [r32]=f37,8
+        (p18)   xma.lu          f35=f34,f8,f39
+        br.ctop.sptk    .L_bn_mul_words_ctop    };;
+.L_bn_mul_words_cend:
+
+        getf.sig        r8=f41          // the return value
+
+#endif  // XMA_TEMPTATION
+
+{ .mii; nop.m           0x0
+        mov             pr=r9,-1
+        mov             ar.lc=r3        }
+{ .mfb; rum             1<<5            // clear um.mfh
+        nop.f           0x0
+        br.ret.sptk.many        b0      };;
+.endp   bn_mul_words#
+#endif
+
+#if 1
+//
+// BN_ULONG bn_mul_add_words(BN_ULONG *rp, BN_ULONG *ap, int num, BN_ULONG w)
+//
+.global bn_mul_add_words#
+.proc   bn_mul_add_words#
+.align  64
+//.skip 0       // makes the loop split at 64-byte boundary
+bn_mul_add_words:
+        .prologue
+        .fframe 0
+        .save   ar.pfs,r2
+{ .mii; alloc           r2=ar.pfs,4,12,0,16
+        cmp4.le         p6,p0=r34,r0    };;
+{ .mfb; mov             r8=r0                   // return value
+(p6)    br.ret.spnt.many        b0      };;
+
+        .save   ar.lc,r3
+{ .mii; sub     r10=r34,r0,1
+        mov     r3=ar.lc
+        mov     r9=pr                   };;
+
+        .body
+{ .mib; setf.sig        f8=r35  // w
+        mov             pr.rot=0x400001<<16
+                        // ------^----- serves as (p48) at first (p26)
+        brp.loop.imp    .L_bn_mul_add_words_ctop,.L_bn_mul_add_words_cend-16
+                                        }
+{ .mii; mov             r14=r32 // rp
+        mov             r15=r33 // ap
+        mov             ar.lc=r10       }
+{ .mii; mov             r39=0   // serves as r33 at first (p26)
+        mov             r18=r32 // rp copy
+        mov             ar.ec=14        };;
+
+// This loop spins in 3*(n+13) ticks on Itanium and should spin in
+// 2*(n+13) on "wider" IA-64 implementations (to be verified with new
+// µ-architecture manuals as they become available). As usual it's
+// possible to compress the epilogue, down to 10 in this case, at the
+// cost of scalability. Compressed (and therefore non-scalable) loop
+// running at 3*(n+10) would buy you ~10% on Itanium but take ~35%
+// from "wider" IA-64 so let it be scalable! Special attention was
+// paid for having the loop body split at 64-byte boundary. ld8 is
+// scheduled for L1 cache as the data is more than likely there.
+// Indeed, bn_mul_words has put it there a moment ago:-)
+.L_bn_mul_add_words_ctop:
+{ .mfi; (p25)   getf.sig        r36=f49                 // low
+        (p21)   xmpy.lu         f45=f37,f8
+        (p27)   cmp.ltu         p52,p48=r39,r38 }
+{ .mfi; (p16)   ldf8            f32=[r15],8
+        (p21)   xmpy.hu         f38=f37,f8
+        (p27)   add             r43=r43,r39     };;
+{ .mii; (p26)   getf.sig        r32=f43                 // high
+        .pred.rel       "mutex",p48,p52
+        (p48)   add             r38=r37,r33             // (p26)
+        (p52)   add             r38=r37,r33,1   }       // (p26)
+{ .mfb; (p27)   cmp.ltu.unc     p56,p0=r43,r39
+        (p0)    nop.f           0x0
+        (p0)    nop.b           0x0             }
+{ .mii; (p26)   ld8             r42=[r18],8
+        (p58)   cmp.eq.or       p57,p0=-1,r44
+        (p58)   add             r44=1,r44       }
+{ .mfb; (p29)   st8             [r14]=r45,8
+        (p0)    nop.f           0x0
+        br.ctop.sptk    .L_bn_mul_add_words_ctop};;
+.L_bn_mul_add_words_cend:
+
+{ .mii; nop.m           0x0
+.pred.rel       "mutex",p51,p55
+(p51)   add             r8=r36,r0
+(p55)   add             r8=r36,r0,1     }
+{ .mfb; nop.m   0x0
+        nop.f   0x0
+        nop.b   0x0                     };;
+{ .mii;
+(p59)   add             r8=1,r8
+        mov             pr=r9,-1
+        mov             ar.lc=r3        }
+{ .mfb; rum             1<<5            // clear um.mfh
+        nop.f           0x0
+        br.ret.sptk.many        b0      };;
+.endp   bn_mul_add_words#
+#endif
+
+#if 1
+//
+// void bn_sqr_words(BN_ULONG *rp, BN_ULONG *ap, int num)
+//
+.global bn_sqr_words#
+.proc   bn_sqr_words#
+.align  64
+.skip   32      // makes the loop body aligned at 64-byte boundary 
+bn_sqr_words:
+        .prologue
+        .fframe 0
+        .save   ar.pfs,r2
+{ .mii; alloc           r2=ar.pfs,3,0,0,0
+        sxt4            r34=r34         };;
+{ .mii; cmp.le          p6,p0=r34,r0
+        mov             r8=r0           }       // return value
+{ .mfb; nop.f           0x0
+(p6)    br.ret.spnt.many        b0      };;
+
+        .save   ar.lc,r3
+{ .mii; sub     r10=r34,r0,1
+        mov     r3=ar.lc
+        mov     r9=pr                   };;
+
+        .body
+{ .mib;
+        mov             pr.rot=1<<16
+        brp.loop.imp    .L_bn_sqr_words_ctop,.L_bn_sqr_words_cend-16
+                                        }
+{ .mii; add             r34=8,r32
+        mov             ar.lc=r10
+        mov             ar.ec=18        };;
+
+// 2*(n+17) on Itanium, (n+17) on "wider" IA-64 implementations. It's
+// possible to compress the epilogue (I'm getting tired to write this
+// comment over and over) and get down to 2*n+16 at the cost of
+// scalability. The decision will very likely be reconsidered after the
+// benchmark program is profiled. I.e. if perfomance gain on Itanium
+// will appear larger than loss on "wider" IA-64, then the loop should
+// be explicitely split and the epilogue compressed.
+.L_bn_sqr_words_ctop:
+{ .mfi; (p16)   ldf8            f32=[r33],8
+        (p25)   xmpy.lu         f42=f41,f41
+        (p0)    nop.i           0x0             }
+{ .mib; (p33)   stf8            [r32]=f50,16
+        (p0)    nop.i           0x0
+        (p0)    nop.b           0x0             }
+{ .mfi; (p0)    nop.m           0x0
+        (p25)   xmpy.hu         f52=f41,f41
+        (p0)    nop.i           0x0             }
+{ .mib; (p33)   stf8            [r34]=f60,16
+        (p0)    nop.i           0x0
+        br.ctop.sptk    .L_bn_sqr_words_ctop    };;
+.L_bn_sqr_words_cend:
+
+{ .mii; nop.m           0x0
+        mov             pr=r9,-1
+        mov             ar.lc=r3        }
+{ .mfb; rum             1<<5            // clear um.mfh
+        nop.f           0x0
+        br.ret.sptk.many        b0      };;
+.endp   bn_sqr_words#
+#endif
+
+#if 1
+// Apparently we win nothing by implementing special bn_sqr_comba8.
+// Yes, it is possible to reduce the number of multiplications by
+// almost factor of two, but then the amount of additions would
+// increase by factor of two (as we would have to perform those
+// otherwise performed by xma ourselves). Normally we would trade
+// anyway as multiplications are way more expensive, but not this
+// time... Multiplication kernel is fully pipelined and as we drain
+// one 128-bit multiplication result per clock cycle multiplications
+// are effectively as inexpensive as additions. Special implementation
+// might become of interest for "wider" IA-64 implementation as you'll
+// be able to get through the multiplication phase faster (there won't
+// be any stall issues as discussed in the commentary section below and
+// you therefore will be able to employ all 4 FP units)... But these
+// Itanium days it's simply too hard to justify the effort so I just
+// drop down to bn_mul_comba8 code:-)
+//
+// void bn_sqr_comba8(BN_ULONG *r, BN_ULONG *a)
+//
+.global bn_sqr_comba8#
+.proc   bn_sqr_comba8#
+.align  64
+bn_sqr_comba8:
+        .prologue
+        .fframe 0
+        .save   ar.pfs,r2
+{ .mii; alloc   r2=ar.pfs,2,1,0,0
+        mov     r34=r33
+        add     r14=8,r33               };;
+        .body
+{ .mii; add     r17=8,r34
+        add     r15=16,r33
+        add     r18=16,r34              }
+{ .mfb; add     r16=24,r33
+        br      .L_cheat_entry_point8   };;
+.endp   bn_sqr_comba8#
+#endif
+
+#if 1
+// I've estimated this routine to run in ~120 ticks, but in reality
+// (i.e. according to ar.itc) it takes ~160 ticks. Are those extra
+// cycles consumed for instructions fetch? Or did I misinterpret some
+// clause in Itanium µ-architecture manual? Comments are welcomed and
+// highly appreciated.
+//
+// However! It should be noted that even 160 ticks is darn good result
+// as it's over 10 (yes, ten, spelled as t-e-n) times faster than the
+// C version (compiled with gcc with inline assembler). I really
+// kicked compiler's butt here, didn't I? Yeah! This brings us to the
+// following statement. It's damn shame that this routine isn't called
+// very often nowadays! According to the profiler most CPU time is
+// consumed by bn_mul_add_words called from BN_from_montgomery. In
+// order to estimate what we're missing, I've compared the performance
+// of this routine against "traditional" implementation, i.e. against
+// following routine:
+//
+// void bn_mul_comba8(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b)
+// {    r[ 8]=bn_mul_words(    &(r[0]),a,8,b[0]);
+//      r[ 9]=bn_mul_add_words(&(r[1]),a,8,b[1]);
+//      r[10]=bn_mul_add_words(&(r[2]),a,8,b[2]);
+//      r[11]=bn_mul_add_words(&(r[3]),a,8,b[3]);
+//      r[12]=bn_mul_add_words(&(r[4]),a,8,b[4]);
+//      r[13]=bn_mul_add_words(&(r[5]),a,8,b[5]);
+//      r[14]=bn_mul_add_words(&(r[6]),a,8,b[6]);
+//      r[15]=bn_mul_add_words(&(r[7]),a,8,b[7]);
+// }
+//
+// The one below is over 8 times faster than the one above:-( Even
+// more reasons to "combafy" bn_mul_add_mont...
+//
+// And yes, this routine really made me wish there were an optimizing
+// assembler! It also feels like it deserves a dedication.
+//
+//      To my wife for being there and to my kids...
+//
+// void bn_mul_comba8(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b)
+//
+#define carry1  r14
+#define carry2  r15
+#define carry3  r34
+.global bn_mul_comba8#
+.proc   bn_mul_comba8#
+.align  64
+bn_mul_comba8:
+        .prologue
+        .fframe 0
+        .save   ar.pfs,r2
+{ .mii; alloc   r2=ar.pfs,3,0,0,0
+        add     r14=8,r33
+        add     r17=8,r34               }
+        .body
+{ .mii; add     r15=16,r33
+        add     r18=16,r34
+        add     r16=24,r33              }
+.L_cheat_entry_point8:
+{ .mmi; add     r19=24,r34
+
+        ldf8    f32=[r33],32            };;
+
+{ .mmi; ldf8    f120=[r34],32
+        ldf8    f121=[r17],32           }
+{ .mmi; ldf8    f122=[r18],32
+        ldf8    f123=[r19],32           };;
+{ .mmi; ldf8    f124=[r34]
+        ldf8    f125=[r17]              }
+{ .mmi; ldf8    f126=[r18]
+        ldf8    f127=[r19]              }
+
+{ .mmi; ldf8    f33=[r14],32
+        ldf8    f34=[r15],32            }
+{ .mmi; ldf8    f35=[r16],32;;
+        ldf8    f36=[r33]               }
+{ .mmi; ldf8    f37=[r14]
+        ldf8    f38=[r15]               }
+{ .mfi; ldf8    f39=[r16]
+// -------\ Entering multiplier's heaven /-------
+// ------------\                    /------------
+// -----------------\          /-----------------
+// ----------------------\/----------------------
+                xma.hu  f41=f32,f120,f0         }
+{ .mfi;         xma.lu  f40=f32,f120,f0         };; // (*)
+{ .mfi;         xma.hu  f51=f32,f121,f0         }
+{ .mfi;         xma.lu  f50=f32,f121,f0         };;
+{ .mfi;         xma.hu  f61=f32,f122,f0         }
+{ .mfi;         xma.lu  f60=f32,f122,f0         };;
+{ .mfi;         xma.hu  f71=f32,f123,f0         }
+{ .mfi;         xma.lu  f70=f32,f123,f0         };;
+{ .mfi;         xma.hu  f81=f32,f124,f0         }
+{ .mfi;         xma.lu  f80=f32,f124,f0         };;
+{ .mfi;         xma.hu  f91=f32,f125,f0         }
+{ .mfi;         xma.lu  f90=f32,f125,f0         };;
+{ .mfi;         xma.hu  f101=f32,f126,f0        }
+{ .mfi;         xma.lu  f100=f32,f126,f0        };;
+{ .mfi;         xma.hu  f111=f32,f127,f0        }
+{ .mfi;         xma.lu  f110=f32,f127,f0        };;//
+// (*)  You can argue that splitting at every second bundle would
+//      prevent "wider" IA-64 implementations from achieving the peak
+//      performance. Well, not really... The catch is that if you
+//      intend to keep 4 FP units busy by splitting at every fourth
+//      bundle and thus perform these 16 multiplications in 4 ticks,
+//      the first bundle *below* would stall because the result from
+//      the first xma bundle *above* won't be available for another 3
+//      ticks (if not more, being an optimist, I assume that "wider"
+//      implementation will have same latency:-). This stall will hold
+//      you back and the performance would be as if every second bundle
+//      were split *anyway*...
+{ .mfi; getf.sig        r16=f40
+                xma.hu  f42=f33,f120,f41
+        add             r33=8,r32               }
+{ .mfi;         xma.lu  f41=f33,f120,f41        };;
+{ .mfi; getf.sig        r24=f50
+                xma.hu  f52=f33,f121,f51        }
+{ .mfi;         xma.lu  f51=f33,f121,f51        };;
+{ .mfi; st8             [r32]=r16,16
+                xma.hu  f62=f33,f122,f61        }
+{ .mfi;         xma.lu  f61=f33,f122,f61        };;
+{ .mfi;         xma.hu  f72=f33,f123,f71        }
+{ .mfi;         xma.lu  f71=f33,f123,f71        };;
+{ .mfi;         xma.hu  f82=f33,f124,f81        }
+{ .mfi;         xma.lu  f81=f33,f124,f81        };;
+{ .mfi;         xma.hu  f92=f33,f125,f91        }
+{ .mfi;         xma.lu  f91=f33,f125,f91        };;
+{ .mfi;         xma.hu  f102=f33,f126,f101      }
+{ .mfi;         xma.lu  f101=f33,f126,f101      };;
+{ .mfi;         xma.hu  f112=f33,f127,f111      }
+{ .mfi;         xma.lu  f111=f33,f127,f111      };;//
+//-------------------------------------------------//
+{ .mfi; getf.sig        r25=f41
+                xma.hu  f43=f34,f120,f42        }
+{ .mfi;         xma.lu  f42=f34,f120,f42        };;
+{ .mfi; getf.sig        r16=f60
+                xma.hu  f53=f34,f121,f52        }
+{ .mfi;         xma.lu  f52=f34,f121,f52        };;
+{ .mfi; getf.sig        r17=f51
+                xma.hu  f63=f34,f122,f62
+        add             r25=r25,r24             }
+{ .mfi;         xma.lu  f62=f34,f122,f62
+        mov             carry1=0                };;
+{ .mfi; cmp.ltu         p6,p0=r25,r24
+                xma.hu  f73=f34,f123,f72        }
+{ .mfi;         xma.lu  f72=f34,f123,f72        };;
+{ .mfi; st8             [r33]=r25,16
+                xma.hu  f83=f34,f124,f82
+(p6)    add             carry1=1,carry1         }
+{ .mfi;         xma.lu  f82=f34,f124,f82        };;
+{ .mfi;         xma.hu  f93=f34,f125,f92        }
+{ .mfi;         xma.lu  f92=f34,f125,f92        };;
+{ .mfi;         xma.hu  f103=f34,f126,f102      }
+{ .mfi;         xma.lu  f102=f34,f126,f102      };;
+{ .mfi;         xma.hu  f113=f34,f127,f112      }
+{ .mfi;         xma.lu  f112=f34,f127,f112      };;//
+//-------------------------------------------------//
+{ .mfi; getf.sig        r18=f42
+                xma.hu  f44=f35,f120,f43
+        add             r17=r17,r16             }
+{ .mfi;         xma.lu  f43=f35,f120,f43        };;
+{ .mfi; getf.sig        r24=f70
+                xma.hu  f54=f35,f121,f53        }
+{ .mfi; mov             carry2=0
+                xma.lu  f53=f35,f121,f53        };;
+{ .mfi; getf.sig        r25=f61
+                xma.hu  f64=f35,f122,f63
+        cmp.ltu         p7,p0=r17,r16           }
+{ .mfi; add             r18=r18,r17
+                xma.lu  f63=f35,f122,f63        };;
+{ .mfi; getf.sig        r26=f52
+                xma.hu  f74=f35,f123,f73
+(p7)    add             carry2=1,carry2         }
+{ .mfi; cmp.ltu         p7,p0=r18,r17
+                xma.lu  f73=f35,f123,f73
+        add             r18=r18,carry1          };;
+{ .mfi;
+                xma.hu  f84=f35,f124,f83
+(p7)    add             carry2=1,carry2         }
+{ .mfi; cmp.ltu         p7,p0=r18,carry1
+                xma.lu  f83=f35,f124,f83        };;
+{ .mfi; st8             [r32]=r18,16
+                xma.hu  f94=f35,f125,f93
+(p7)    add             carry2=1,carry2         }
+{ .mfi;         xma.lu  f93=f35,f125,f93        };;
+{ .mfi;         xma.hu  f104=f35,f126,f103      }
+{ .mfi;         xma.lu  f103=f35,f126,f103      };;
+{ .mfi;         xma.hu  f114=f35,f127,f113      }
+{ .mfi; mov             carry1=0
+                xma.lu  f113=f35,f127,f113
+        add             r25=r25,r24             };;//
+//-------------------------------------------------//
+{ .mfi; getf.sig        r27=f43
+                xma.hu  f45=f36,f120,f44
+        cmp.ltu         p6,p0=r25,r24           }
+{ .mfi;         xma.lu  f44=f36,f120,f44        
+        add             r26=r26,r25             };;
+{ .mfi; getf.sig        r16=f80
+                xma.hu  f55=f36,f121,f54
+(p6)    add             carry1=1,carry1         }
+{ .mfi;         xma.lu  f54=f36,f121,f54        };;
+{ .mfi; getf.sig        r17=f71
+                xma.hu  f65=f36,f122,f64
+        cmp.ltu         p6,p0=r26,r25           }
+{ .mfi;         xma.lu  f64=f36,f122,f64
+        add             r27=r27,r26             };;
+{ .mfi; getf.sig        r18=f62
+                xma.hu  f75=f36,f123,f74
+(p6)    add             carry1=1,carry1         }
+{ .mfi; cmp.ltu         p6,p0=r27,r26
+                xma.lu  f74=f36,f123,f74
+        add             r27=r27,carry2          };;
+{ .mfi; getf.sig        r19=f53
+                xma.hu  f85=f36,f124,f84
+(p6)    add             carry1=1,carry1         }
+{ .mfi;         xma.lu  f84=f36,f124,f84
+        cmp.ltu         p6,p0=r27,carry2        };;
+{ .mfi; st8             [r33]=r27,16
+                xma.hu  f95=f36,f125,f94
+(p6)    add             carry1=1,carry1         }
+{ .mfi;         xma.lu  f94=f36,f125,f94        };;
+{ .mfi;         xma.hu  f105=f36,f126,f104      }
+{ .mfi; mov             carry2=0
+                xma.lu  f104=f36,f126,f104
+        add             r17=r17,r16             };;
+{ .mfi;         xma.hu  f115=f36,f127,f114
+        cmp.ltu         p7,p0=r17,r16           }
+{ .mfi;         xma.lu  f114=f36,f127,f114
+        add             r18=r18,r17             };;//
+//-------------------------------------------------//
+{ .mfi; getf.sig        r20=f44
+                xma.hu  f46=f37,f120,f45
+(p7)    add             carry2=1,carry2         }
+{ .mfi; cmp.ltu         p7,p0=r18,r17
+                xma.lu  f45=f37,f120,f45
+        add             r19=r19,r18             };;
+{ .mfi; getf.sig        r24=f90
+                xma.hu  f56=f37,f121,f55        }
+{ .mfi;         xma.lu  f55=f37,f121,f55        };;
+{ .mfi; getf.sig        r25=f81
+                xma.hu  f66=f37,f122,f65
+(p7)    add             carry2=1,carry2         }
+{ .mfi; cmp.ltu         p7,p0=r19,r18
+                xma.lu  f65=f37,f122,f65
+        add             r20=r20,r19             };;
+{ .mfi; getf.sig        r26=f72
+                xma.hu  f76=f37,f123,f75
+(p7)    add             carry2=1,carry2         }
+{ .mfi; cmp.ltu         p7,p0=r20,r19
+                xma.lu  f75=f37,f123,f75
+        add             r20=r20,carry1          };;
+{ .mfi; getf.sig        r27=f63
+                xma.hu  f86=f37,f124,f85
+(p7)    add             carry2=1,carry2         }
+{ .mfi;         xma.lu  f85=f37,f124,f85
+        cmp.ltu         p7,p0=r20,carry1        };;
+{ .mfi; getf.sig        r28=f54
+                xma.hu  f96=f37,f125,f95
+(p7)    add             carry2=1,carry2         }
+{ .mfi; st8             [r32]=r20,16
+                xma.lu  f95=f37,f125,f95        };;
+{ .mfi;         xma.hu  f106=f37,f126,f105      }
+{ .mfi; mov             carry1=0
+                xma.lu  f105=f37,f126,f105
+        add             r25=r25,r24             };;
+{ .mfi;         xma.hu  f116=f37,f127,f115
+        cmp.ltu         p6,p0=r25,r24           }
+{ .mfi;         xma.lu  f115=f37,f127,f115
+        add             r26=r26,r25             };;//
+//-------------------------------------------------//
+{ .mfi; getf.sig        r29=f45
+                xma.hu  f47=f38,f120,f46
+(p6)    add             carry1=1,carry1         }
+{ .mfi; cmp.ltu         p6,p0=r26,r25
+                xma.lu  f46=f38,f120,f46
+        add             r27=r27,r26             };;
+{ .mfi; getf.sig        r16=f100
+                xma.hu  f57=f38,f121,f56
+(p6)    add             carry1=1,carry1         }
+{ .mfi; cmp.ltu         p6,p0=r27,r26
+                xma.lu  f56=f38,f121,f56
+        add             r28=r28,r27             };;
+{ .mfi; getf.sig        r17=f91
+                xma.hu  f67=f38,f122,f66
+(p6)    add             carry1=1,carry1         }
+{ .mfi; cmp.ltu         p6,p0=r28,r27
+                xma.lu  f66=f38,f122,f66
+        add             r29=r29,r28             };;
+{ .mfi; getf.sig        r18=f82
+                xma.hu  f77=f38,f123,f76
+(p6)    add             carry1=1,carry1         }
+{ .mfi; cmp.ltu         p6,p0=r29,r28
+                xma.lu  f76=f38,f123,f76
+        add             r29=r29,carry2          };;
+{ .mfi; getf.sig        r19=f73
+                xma.hu  f87=f38,f124,f86
+(p6)    add             carry1=1,carry1         }
+{ .mfi;         xma.lu  f86=f38,f124,f86
+        cmp.ltu         p6,p0=r29,carry2        };;
+{ .mfi; getf.sig        r20=f64
+                xma.hu  f97=f38,f125,f96
+(p6)    add             carry1=1,carry1         }
+{ .mfi; st8             [r33]=r29,16
+                xma.lu  f96=f38,f125,f96        };;
+{ .mfi; getf.sig        r21=f55
+                xma.hu  f107=f38,f126,f106      }
+{ .mfi; mov             carry2=0
+                xma.lu  f106=f38,f126,f106
+        add             r17=r17,r16             };;
+{ .mfi;         xma.hu  f117=f38,f127,f116
+        cmp.ltu         p7,p0=r17,r16           }
+{ .mfi;         xma.lu  f116=f38,f127,f116
+        add             r18=r18,r17             };;//
+//-------------------------------------------------//
+{ .mfi; getf.sig        r22=f46
+                xma.hu  f48=f39,f120,f47
+(p7)    add             carry2=1,carry2         }
+{ .mfi; cmp.ltu         p7,p0=r18,r17
+                xma.lu  f47=f39,f120,f47
+        add             r19=r19,r18             };;
+{ .mfi; getf.sig        r24=f110
+                xma.hu  f58=f39,f121,f57
+(p7)    add             carry2=1,carry2         }
+{ .mfi; cmp.ltu         p7,p0=r19,r18
+                xma.lu  f57=f39,f121,f57
+        add             r20=r20,r19             };;
+{ .mfi; getf.sig        r25=f101
+                xma.hu  f68=f39,f122,f67
+(p7)    add             carry2=1,carry2         }
+{ .mfi; cmp.ltu         p7,p0=r20,r19
+                xma.lu  f67=f39,f122,f67
+        add             r21=r21,r20             };;
+{ .mfi; getf.sig        r26=f92
+                xma.hu  f78=f39,f123,f77
+(p7)    add             carry2=1,carry2         }
+{ .mfi; cmp.ltu         p7,p0=r21,r20
+                xma.lu  f77=f39,f123,f77
+        add             r22=r22,r21             };;
+{ .mfi; getf.sig        r27=f83
+                xma.hu  f88=f39,f124,f87
+(p7)    add             carry2=1,carry2         }
+{ .mfi; cmp.ltu         p7,p0=r22,r21
+                xma.lu  f87=f39,f124,f87
+        add             r22=r22,carry1          };;
+{ .mfi; getf.sig        r28=f74
+                xma.hu  f98=f39,f125,f97
+(p7)    add             carry2=1,carry2         }
+{ .mfi;         xma.lu  f97=f39,f125,f97
+        cmp.ltu         p7,p0=r22,carry1        };;
+{ .mfi; getf.sig        r29=f65
+                xma.hu  f108=f39,f126,f107
+(p7)    add             carry2=1,carry2         }
+{ .mfi; st8             [r32]=r22,16
+                xma.lu  f107=f39,f126,f107      };;
+{ .mfi; getf.sig        r30=f56
+                xma.hu  f118=f39,f127,f117      }
+{ .mfi;         xma.lu  f117=f39,f127,f117      };;//
+//-------------------------------------------------//
+// Leaving muliplier's heaven... Quite a ride, huh?
+
+{ .mii; getf.sig        r31=f47
+        add             r25=r25,r24
+        mov             carry1=0                };;
+{ .mii;         getf.sig        r16=f111
+        cmp.ltu         p6,p0=r25,r24
+        add             r26=r26,r25             };;
+{ .mfb;         getf.sig        r17=f102        }
+{ .mii;
+(p6)    add             carry1=1,carry1
+        cmp.ltu         p6,p0=r26,r25
+        add             r27=r27,r26             };;
+{ .mfb; nop.m   0x0                             }
+{ .mii;
+(p6)    add             carry1=1,carry1
+        cmp.ltu         p6,p0=r27,r26
+        add             r28=r28,r27             };;
+{ .mii;         getf.sig        r18=f93
+                add             r17=r17,r16
+                mov             carry3=0        }
+{ .mii;
+(p6)    add             carry1=1,carry1
+        cmp.ltu         p6,p0=r28,r27
+        add             r29=r29,r28             };;
+{ .mii;         getf.sig        r19=f84
+                cmp.ltu         p7,p0=r17,r16   }
+{ .mii;
+(p6)    add             carry1=1,carry1
+        cmp.ltu         p6,p0=r29,r28
+        add             r30=r30,r29             };;
+{ .mii;         getf.sig        r20=f75
+                add             r18=r18,r17     }
+{ .mii;
+(p6)    add             carry1=1,carry1
+        cmp.ltu         p6,p0=r30,r29
+        add             r31=r31,r30             };;
+{ .mfb;         getf.sig        r21=f66         }
+{ .mii; (p7)    add             carry3=1,carry3
+                cmp.ltu         p7,p0=r18,r17
+                add             r19=r19,r18     }
+{ .mfb; nop.m   0x0                             }
+{ .mii;
+(p6)    add             carry1=1,carry1
+        cmp.ltu         p6,p0=r31,r30
+        add             r31=r31,carry2          };;
+{ .mfb;         getf.sig        r22=f57         }
+{ .mii; (p7)    add             carry3=1,carry3
+                cmp.ltu         p7,p0=r19,r18
+                add             r20=r20,r19     }
+{ .mfb; nop.m   0x0                             }
+{ .mii;
+(p6)    add             carry1=1,carry1
+        cmp.ltu         p6,p0=r31,carry2        };;
+{ .mfb;         getf.sig        r23=f48         }
+{ .mii; (p7)    add             carry3=1,carry3
+                cmp.ltu         p7,p0=r20,r19
+                add             r21=r21,r20     }
+{ .mii;
+(p6)    add             carry1=1,carry1         }
+{ .mfb; st8             [r33]=r31,16            };;
+
+{ .mfb; getf.sig        r24=f112                }
+{ .mii; (p7)    add             carry3=1,carry3
+                cmp.ltu         p7,p0=r21,r20
+                add             r22=r22,r21     };;
+{ .mfb; getf.sig        r25=f103                }
+{ .mii; (p7)    add             carry3=1,carry3
+                cmp.ltu         p7,p0=r22,r21
+                add             r23=r23,r22     };;
+{ .mfb; getf.sig        r26=f94                 }
+{ .mii; (p7)    add             carry3=1,carry3
+                cmp.ltu         p7,p0=r23,r22
+                add             r23=r23,carry1  };;
+{ .mfb; getf.sig        r27=f85                 }
+{ .mii; (p7)    add             carry3=1,carry3
+                cmp.ltu         p7,p8=r23,carry1};;
+{ .mii; getf.sig        r28=f76
+        add             r25=r25,r24
+        mov             carry1=0                }
+{ .mii;         st8             [r32]=r23,16
+        (p7)    add             carry2=1,carry3
+        (p8)    add             carry2=0,carry3 };;
+
+{ .mfb; nop.m   0x0                             }
+{ .mii; getf.sig        r29=f67
+        cmp.ltu         p6,p0=r25,r24
+        add             r26=r26,r25             };;
+{ .mfb; getf.sig        r30=f58                 }
+{ .mii;
+(p6)    add             carry1=1,carry1
+        cmp.ltu         p6,p0=r26,r25
+        add             r27=r27,r26             };;
+{ .mfb;         getf.sig        r16=f113        }
+{ .mii;
+(p6)    add             carry1=1,carry1
+        cmp.ltu         p6,p0=r27,r26
+        add             r28=r28,r27             };;
+{ .mfb;         getf.sig        r17=f104        }
+{ .mii;
+(p6)    add             carry1=1,carry1
+        cmp.ltu         p6,p0=r28,r27
+        add             r29=r29,r28             };;
+{ .mfb;         getf.sig        r18=f95         }
+{ .mii;
+(p6)    add             carry1=1,carry1
+        cmp.ltu         p6,p0=r29,r28
+        add             r30=r30,r29             };;
+{ .mii;         getf.sig        r19=f86
+                add             r17=r17,r16
+                mov             carry3=0        }
+{ .mii;
+(p6)    add             carry1=1,carry1
+        cmp.ltu         p6,p0=r30,r29
+        add             r30=r30,carry2          };;
+{ .mii;         getf.sig        r20=f77
+                cmp.ltu         p7,p0=r17,r16
+                add             r18=r18,r17     }
+{ .mii;
+(p6)    add             carry1=1,carry1
+        cmp.ltu         p6,p0=r30,carry2        };;
+{ .mfb;         getf.sig        r21=f68         }
+{ .mii; st8             [r33]=r30,16
+(p6)    add             carry1=1,carry1         };;
+
+{ .mfb; getf.sig        r24=f114                }
+{ .mii; (p7)    add             carry3=1,carry3
+                cmp.ltu         p7,p0=r18,r17
+                add             r19=r19,r18     };;
+{ .mfb; getf.sig        r25=f105                }
+{ .mii; (p7)    add             carry3=1,carry3
+                cmp.ltu         p7,p0=r19,r18
+                add             r20=r20,r19     };;
+{ .mfb; getf.sig        r26=f96                 }
+{ .mii; (p7)    add             carry3=1,carry3
+                cmp.ltu         p7,p0=r20,r19
+                add             r21=r21,r20     };;
+{ .mfb; getf.sig        r27=f87                 }
+{ .mii; (p7)    add             carry3=1,carry3
+                cmp.ltu         p7,p0=r21,r20
+                add             r21=r21,carry1  };;
+{ .mib; getf.sig        r28=f78                 
+        add             r25=r25,r24             }
+{ .mib; (p7)    add             carry3=1,carry3
+                cmp.ltu         p7,p8=r21,carry1};;
+{ .mii;         st8             [r32]=r21,16
+        (p7)    add             carry2=1,carry3
+        (p8)    add             carry2=0,carry3 }
+
+{ .mii; mov             carry1=0
+        cmp.ltu         p6,p0=r25,r24
+        add             r26=r26,r25             };;
+{ .mfb;         getf.sig        r16=f115        }
+{ .mii;
+(p6)    add             carry1=1,carry1
+        cmp.ltu         p6,p0=r26,r25
+        add             r27=r27,r26             };;
+{ .mfb;         getf.sig        r17=f106        }
+{ .mii;
+(p6)    add             carry1=1,carry1
+        cmp.ltu         p6,p0=r27,r26
+        add             r28=r28,r27             };;
+{ .mfb;         getf.sig        r18=f97         }
+{ .mii;
+(p6)    add             carry1=1,carry1
+        cmp.ltu         p6,p0=r28,r27
+        add             r28=r28,carry2          };;
+{ .mib;         getf.sig        r19=f88
+                add             r17=r17,r16     }
+{ .mib;
+(p6)    add             carry1=1,carry1
+        cmp.ltu         p6,p0=r28,carry2        };;
+{ .mii; st8             [r33]=r28,16
+(p6)    add             carry1=1,carry1         }
+
+{ .mii;         mov             carry2=0
+                cmp.ltu         p7,p0=r17,r16
+                add             r18=r18,r17     };;
+{ .mfb; getf.sig        r24=f116                }
+{ .mii; (p7)    add             carry2=1,carry2
+                cmp.ltu         p7,p0=r18,r17
+                add             r19=r19,r18     };;
+{ .mfb; getf.sig        r25=f107                }
+{ .mii; (p7)    add             carry2=1,carry2
+                cmp.ltu         p7,p0=r19,r18
+                add             r19=r19,carry1  };;
+{ .mfb; getf.sig        r26=f98                 }
+{ .mii; (p7)    add             carry2=1,carry2
+                cmp.ltu         p7,p0=r19,carry1};;
+{ .mii;         st8             [r32]=r19,16
+        (p7)    add             carry2=1,carry2 }
+
+{ .mfb; add             r25=r25,r24             };;
+
+{ .mfb;         getf.sig        r16=f117        }
+{ .mii; mov             carry1=0
+        cmp.ltu         p6,p0=r25,r24
+        add             r26=r26,r25             };;
+{ .mfb;         getf.sig        r17=f108        }
+{ .mii;
+(p6)    add             carry1=1,carry1
+        cmp.ltu         p6,p0=r26,r25
+        add             r26=r26,carry2          };;
+{ .mfb; nop.m   0x0                             }
+{ .mii;
+(p6)    add             carry1=1,carry1
+        cmp.ltu         p6,p0=r26,carry2        };;
+{ .mii; st8             [r33]=r26,16
+(p6)    add             carry1=1,carry1         }
+
+{ .mfb;         add             r17=r17,r16     };;
+{ .mfb; getf.sig        r24=f118                }
+{ .mii;         mov             carry2=0
+                cmp.ltu         p7,p0=r17,r16
+                add             r17=r17,carry1  };;
+{ .mii; (p7)    add             carry2=1,carry2
+                cmp.ltu         p7,p0=r17,carry1};;
+{ .mii;         st8             [r32]=r17
+        (p7)    add             carry2=1,carry2 };;
+{ .mfb; add             r24=r24,carry2          };;
+{ .mib; st8             [r33]=r24               }
+
+{ .mib; rum             1<<5            // clear um.mfh
+        br.ret.sptk.many        b0      };;
+.endp   bn_mul_comba8#
+#undef  carry3
+#undef  carry2
+#undef  carry1
+#endif
+
+#if 1
+// It's possible to make it faster (see comment to bn_sqr_comba8), but
+// I reckon it doesn't worth the effort. Basically because the routine
+// (actually both of them) practically never called... So I just play
+// same trick as with bn_sqr_comba8.
+//
+// void bn_sqr_comba4(BN_ULONG *r, BN_ULONG *a)
+//
+.global bn_sqr_comba4#
+.proc   bn_sqr_comba4#
+.align  64
+bn_sqr_comba4:
+        .prologue
+        .fframe 0
+        .save   ar.pfs,r2
+{ .mii; alloc   r2=ar.pfs,2,1,0,0
+        mov     r34=r33
+        add     r14=8,r33               };;
+        .body
+{ .mii; add     r17=8,r34
+        add     r15=16,r33
+        add     r18=16,r34              }
+{ .mfb; add     r16=24,r33
+        br      .L_cheat_entry_point4   };;
+.endp   bn_sqr_comba4#
+#endif
+
+#if 1
+// Runs in ~115 cycles and ~4.5 times faster than C. Well, whatever...
+//
+// void bn_mul_comba4(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b)
+//
+#define carry1  r14
+#define carry2  r15
+.global bn_mul_comba4#
+.proc   bn_mul_comba4#
+.align  64
+bn_mul_comba4:
+        .prologue
+        .fframe 0
+        .save   ar.pfs,r2
+{ .mii; alloc   r2=ar.pfs,3,0,0,0
+        add     r14=8,r33
+        add     r17=8,r34               }
+        .body
+{ .mii; add     r15=16,r33
+        add     r18=16,r34
+        add     r16=24,r33              };;
+.L_cheat_entry_point4:
+{ .mmi; add     r19=24,r34
+
+        ldf8    f32=[r33]               }
+
+{ .mmi; ldf8    f120=[r34]
+        ldf8    f121=[r17]              };;
+{ .mmi; ldf8    f122=[r18]
+        ldf8    f123=[r19]              }
+
+{ .mmi; ldf8    f33=[r14]
+        ldf8    f34=[r15]               }
+{ .mfi; ldf8    f35=[r16]
+
+                xma.hu  f41=f32,f120,f0         }
+{ .mfi;         xma.lu  f40=f32,f120,f0         };;
+{ .mfi;         xma.hu  f51=f32,f121,f0         }
+{ .mfi;         xma.lu  f50=f32,f121,f0         };;
+{ .mfi;         xma.hu  f61=f32,f122,f0         }
+{ .mfi;         xma.lu  f60=f32,f122,f0         };;
+{ .mfi;         xma.hu  f71=f32,f123,f0         }
+{ .mfi;         xma.lu  f70=f32,f123,f0         };;//
+// Major stall takes place here, and 3 more places below. Result from
+// first xma is not available for another 3 ticks.
+{ .mfi; getf.sig        r16=f40
+                xma.hu  f42=f33,f120,f41
+        add             r33=8,r32               }
+{ .mfi;         xma.lu  f41=f33,f120,f41        };;
+{ .mfi; getf.sig        r24=f50
+                xma.hu  f52=f33,f121,f51        }
+{ .mfi;         xma.lu  f51=f33,f121,f51        };;
+{ .mfi; st8             [r32]=r16,16
+                xma.hu  f62=f33,f122,f61        }
+{ .mfi;         xma.lu  f61=f33,f122,f61        };;
+{ .mfi;         xma.hu  f72=f33,f123,f71        }
+{ .mfi;         xma.lu  f71=f33,f123,f71        };;//
+//-------------------------------------------------//
+{ .mfi; getf.sig        r25=f41
+                xma.hu  f43=f34,f120,f42        }
+{ .mfi;         xma.lu  f42=f34,f120,f42        };;
+{ .mfi; getf.sig        r16=f60
+                xma.hu  f53=f34,f121,f52        }
+{ .mfi;         xma.lu  f52=f34,f121,f52        };;
+{ .mfi; getf.sig        r17=f51
+                xma.hu  f63=f34,f122,f62
+        add             r25=r25,r24             }
+{ .mfi; mov             carry1=0
+                xma.lu  f62=f34,f122,f62        };;
+{ .mfi; st8             [r33]=r25,16
+                xma.hu  f73=f34,f123,f72
+        cmp.ltu         p6,p0=r25,r24           }
+{ .mfi;         xma.lu  f72=f34,f123,f72        };;//
+//-------------------------------------------------//
+{ .mfi; getf.sig        r18=f42
+                xma.hu  f44=f35,f120,f43
+(p6)    add             carry1=1,carry1         }
+{ .mfi; add             r17=r17,r16
+                xma.lu  f43=f35,f120,f43
+        mov             carry2=0                };;
+{ .mfi; getf.sig        r24=f70
+                xma.hu  f54=f35,f121,f53
+        cmp.ltu         p7,p0=r17,r16           }
+{ .mfi;         xma.lu  f53=f35,f121,f53        };;
+{ .mfi; getf.sig        r25=f61
+                xma.hu  f64=f35,f122,f63
+        add             r18=r18,r17             }
+{ .mfi;         xma.lu  f63=f35,f122,f63
+(p7)    add             carry2=1,carry2         };;
+{ .mfi; getf.sig        r26=f52
+                xma.hu  f74=f35,f123,f73
+        cmp.ltu         p7,p0=r18,r17           }
+{ .mfi;         xma.lu  f73=f35,f123,f73
+        add             r18=r18,carry1          };;
+//-------------------------------------------------//
+{ .mii; st8             [r32]=r18,16
+(p7)    add             carry2=1,carry2
+        cmp.ltu         p7,p0=r18,carry1        };;
+
+{ .mfi; getf.sig        r27=f43 // last major stall
+(p7)    add             carry2=1,carry2         };;
+{ .mii;         getf.sig        r16=f71
+        add             r25=r25,r24
+        mov             carry1=0                };;
+{ .mii;         getf.sig        r17=f62 
+        cmp.ltu         p6,p0=r25,r24
+        add             r26=r26,r25             };;
+{ .mii;
+(p6)    add             carry1=1,carry1
+        cmp.ltu         p6,p0=r26,r25
+        add             r27=r27,r26             };;
+{ .mii;
+(p6)    add             carry1=1,carry1
+        cmp.ltu         p6,p0=r27,r26
+        add             r27=r27,carry2          };;
+{ .mii;         getf.sig        r18=f53
+(p6)    add             carry1=1,carry1
+        cmp.ltu         p6,p0=r27,carry2        };;
+{ .mfi; st8             [r33]=r27,16
+(p6)    add             carry1=1,carry1         }
+
+{ .mii;         getf.sig        r19=f44
+                add             r17=r17,r16
+                mov             carry2=0        };;
+{ .mii; getf.sig        r24=f72
+                cmp.ltu         p7,p0=r17,r16
+                add             r18=r18,r17     };;
+{ .mii; (p7)    add             carry2=1,carry2
+                cmp.ltu         p7,p0=r18,r17
+                add             r19=r19,r18     };;
+{ .mii; (p7)    add             carry2=1,carry2
+                cmp.ltu         p7,p0=r19,r18
+                add             r19=r19,carry1  };;
+{ .mii; getf.sig        r25=f63
+        (p7)    add             carry2=1,carry2
+                cmp.ltu         p7,p0=r19,carry1};;
+{ .mii;         st8             [r32]=r19,16
+        (p7)    add             carry2=1,carry2 }
+
+{ .mii; getf.sig        r26=f54
+        add             r25=r25,r24
+        mov             carry1=0                };;
+{ .mii;         getf.sig        r16=f73
+        cmp.ltu         p6,p0=r25,r24
+        add             r26=r26,r25             };;
+{ .mii;
+(p6)    add             carry1=1,carry1
+        cmp.ltu         p6,p0=r26,r25
+        add             r26=r26,carry2          };;
+{ .mii;         getf.sig        r17=f64
+(p6)    add             carry1=1,carry1
+        cmp.ltu         p6,p0=r26,carry2        };;
+{ .mii; st8             [r33]=r26,16
+(p6)    add             carry1=1,carry1         }
+
+{ .mii; getf.sig        r24=f74
+                add             r17=r17,r16     
+                mov             carry2=0        };;
+{ .mii;         cmp.ltu         p7,p0=r17,r16
+                add             r17=r17,carry1  };;
+
+{ .mii; (p7)    add             carry2=1,carry2
+                cmp.ltu         p7,p0=r17,carry1};;
+{ .mii;         st8             [r32]=r17,16
+        (p7)    add             carry2=1,carry2 };;
+
+{ .mii; add             r24=r24,carry2          };;
+{ .mii; st8             [r33]=r24               }
+
+{ .mib; rum             1<<5            // clear um.mfh
+        br.ret.sptk.many        b0      };;
+.endp   bn_mul_comba4#
+#undef  carry2
+#undef  carry1
+#endif
+
+#if 1
+//
+// BN_ULONG bn_div_words(BN_ULONG h, BN_ULONG l, BN_ULONG d)
+//
+// In the nutshell it's a port of my MIPS III/IV implementation.
+//
+#define AT      r14
+#define H       r16
+#define HH      r20
+#define L       r17
+#define D       r18
+#define DH      r22
+#define I       r21
+
+#if 0
+// Some preprocessors (most notably HP-UX) apper to be allergic to
+// macros enclosed to parenthesis as these three will be.
+#define cont    p16
+#define break   p0      // p20
+#define equ     p24
+#else
+cont=p16
+break=p0
+equ=p24
+#endif
+
+.global abort#
+.global bn_div_words#
+.proc   bn_div_words#
+.align  64
+bn_div_words:
+        .prologue
+        .fframe 0
+        .save   ar.pfs,r2
+        .save   b0,r3
+{ .mii; alloc           r2=ar.pfs,3,5,0,8
+        mov             r3=b0
+        mov             r10=pr          };;
+{ .mmb; cmp.eq          p6,p0=r34,r0
+        mov             r8=-1
+(p6)    br.ret.spnt.many        b0      };;
+
+        .body
+{ .mii; mov             H=r32           // save h
+        mov             ar.ec=0         // don't rotate at exit
+        mov             pr.rot=0        }
+{ .mii; mov             L=r33           // save l
+        mov             r36=r0          };;
+
+.L_divw_shift:  // -vv- note signed comparison
+{ .mfi; (p0)    cmp.lt          p16,p0=r0,r34   // d
+        (p0)    shladd          r33=r34,1,r0    }
+{ .mfb; (p0)    add             r35=1,r36
+        (p0)    nop.f           0x0
+(p16)   br.wtop.dpnt            .L_divw_shift   };;
+
+{ .mii; mov             D=r34
+        shr.u           DH=r34,32
+        sub             r35=64,r36              };;
+{ .mii; setf.sig        f7=DH
+        shr.u           AT=H,r35
+        mov             I=r36                   };;
+{ .mib; cmp.ne          p6,p0=r0,AT
+        shl             H=H,r36
+(p6)    br.call.spnt.clr        b0=abort        };;     // overflow, die...
+
+{ .mfi; fcvt.xuf.s1     f7=f7
+        shr.u           AT=L,r35                };;
+{ .mii; shl             L=L,r36
+        or              H=H,AT                  };;
+
+{ .mii; nop.m           0x0
+        cmp.leu         p6,p0=D,H;;
+(p6)    sub             H=H,D                   }
+
+{ .mlx; setf.sig        f14=D
+        movl            AT=0xffffffff           };;
+///////////////////////////////////////////////////////////
+{ .mii; setf.sig        f6=H
+        shr.u           HH=H,32;;
+        cmp.eq          p6,p7=HH,DH             };;
+{ .mfb;
+(p6)    setf.sig        f8=AT
+(p7)    fcvt.xuf.s1     f6=f6
+(p7)    br.call.sptk    b6=.L_udiv64_32_b6      };;
+
+{ .mfi; getf.sig        r33=f8                          // q
+        xmpy.lu         f9=f8,f14               }
+{ .mfi; xmpy.hu         f10=f8,f14
+        shrp            H=H,L,32                };;
+
+{ .mmi; getf.sig        r35=f9                          // tl
+        getf.sig        r31=f10                 };;     // th
+
+.L_divw_1st_iter:
+{ .mii; (p0)    add             r32=-1,r33
+        (p0)    cmp.eq          equ,cont=HH,r31         };;
+{ .mii; (p0)    cmp.ltu         p8,p0=r35,D
+        (p0)    sub             r34=r35,D
+        (equ)   cmp.leu         break,cont=r35,H        };;
+{ .mib; (cont)  cmp.leu         cont,break=HH,r31
+        (p8)    add             r31=-1,r31
+(cont)  br.wtop.spnt            .L_divw_1st_iter        };;
+///////////////////////////////////////////////////////////
+{ .mii; sub             H=H,r35
+        shl             r8=r33,32
+        shl             L=L,32                  };;
+///////////////////////////////////////////////////////////
+{ .mii; setf.sig        f6=H
+        shr.u           HH=H,32;;
+        cmp.eq          p6,p7=HH,DH             };;
+{ .mfb;
+(p6)    setf.sig        f8=AT
+(p7)    fcvt.xuf.s1     f6=f6
+(p7)    br.call.sptk    b6=.L_udiv64_32_b6      };;
+
+{ .mfi; getf.sig        r33=f8                          // q
+        xmpy.lu         f9=f8,f14               }
+{ .mfi; xmpy.hu         f10=f8,f14
+        shrp            H=H,L,32                };;
+
+{ .mmi; getf.sig        r35=f9                          // tl
+        getf.sig        r31=f10                 };;     // th
+
+.L_divw_2nd_iter:
+{ .mii; (p0)    add             r32=-1,r33
+        (p0)    cmp.eq          equ,cont=HH,r31         };;
+{ .mii; (p0)    cmp.ltu         p8,p0=r35,D
+        (p0)    sub             r34=r35,D
+        (equ)   cmp.leu         break,cont=r35,H        };;
+{ .mib; (cont)  cmp.leu         cont,break=HH,r31
+        (p8)    add             r31=-1,r31
+(cont)  br.wtop.spnt            .L_divw_2nd_iter        };;
+///////////////////////////////////////////////////////////
+{ .mii; sub     H=H,r35
+        or      r8=r8,r33
+        mov     ar.pfs=r2               };;
+{ .mii; shr.u   r9=H,I                  // remainder if anybody wants it
+        mov     pr=r10,-1               }
+{ .mfb; br.ret.sptk.many        b0      };;
+
+// Unsigned 64 by 32 (well, by 64 for the moment) bit integer division
+// procedure.
+//
+// inputs:      f6 = (double)a, f7 = (double)b
+// output:      f8 = (int)(a/b)
+// clobbered:   f8,f9,f10,f11,pred
+pred=p15
+// This procedure is essentially Intel code and therefore is
+// copyrighted to Intel Corporation (I suppose...). It's sligtly
+// modified for specific needs.
+.align  32
+.skip   16
+.L_udiv64_32_b6:
+        frcpa.s1        f8,pred=f6,f7;;         // [0]  y0 = 1 / b
+
+(pred)  fnma.s1         f9=f7,f8,f1             // [5]  e0 = 1 - b * y0
+(pred)  fmpy.s1         f10=f6,f8;;             // [5]  q0 = a * y0
+(pred)  fmpy.s1         f11=f9,f9               // [10] e1 = e0 * e0
+(pred)  fma.s1          f10=f9,f10,f10;;        // [10] q1 = q0 + e0 * q0
+(pred)  fma.s1          f8=f9,f8,f8     //;;    // [15] y1 = y0 + e0 * y0
+(pred)  fma.s1          f9=f11,f10,f10;;        // [15] q2 = q1 + e1 * q1
+(pred)  fma.s1          f8=f11,f8,f8    //;;    // [20] y2 = y1 + e1 * y1
+(pred)  fnma.s1         f10=f7,f9,f6;;          // [20] r2 = a - b * q2
+(pred)  fma.s1          f8=f10,f8,f9;;          // [25] q3 = q2 + r2 * y2
+
+        fcvt.fxu.trunc.s1       f8=f8           // [30] q = trunc(q3)
+        br.ret.sptk.many        b6;;
+.endp   bn_div_words#
+#endif
diff --git a/src/lib/libcrypto/bn/asm/vms.mar b/src/lib/libcrypto/bn/asm/vms.mar
index ac9d57d7b0..465f2774b6 100644
--- a/src/lib/libcrypto/bn/asm/vms.mar
+++ b/src/lib/libcrypto/bn/asm/vms.mar
@@ -162,442 +162,237 @@ n=12 ;(AP)	n	by value (input)
         movl    #1,r0                   ; return SS$_NORMAL
         ret
 
-        .title  (generated)
-
-        .psect  code,nowrt
-
-.entry  BN_DIV_WORDS,^m<r2,r3,r4,r5,r6,r7,r8,r9,r10>
-        subl2   #4,sp
-
-        clrl    r9
-        movl    #2,r8
-
-        tstl    12(ap)
-        bneq    noname.2
-        mnegl   #1,r10
-        brw     noname.3
-        tstl    r0
-        nop     
-noname.2:
-
-        pushl   12(ap)
-        calls   #1,BN_NUM_BITS_WORD
-        movl    r0,r7
-
-        cmpl    r7,#32
-        beql    noname.4
-        ashl    r7,#1,r2
-        cmpl    4(ap),r2
-        blequ   noname.4
-
-        pushl   r7
-        calls   #1,BN_DIV_WORDS_ABORT
-noname.4:
-
-        subl3   r7,#32,r7
-
-        movl    12(ap),r2
-        cmpl    4(ap),r2
-        blssu   noname.5
-        subl2   r2,4(ap)
-noname.5:
-
-        tstl    r7
-        beql    noname.6
-
-        ashl    r7,r2,12(ap)
-
-        ashl    r7,4(ap),r4
-        subl3   r7,#32,r3
-        subl3   r3,#32,r2
-        extzv   r3,r2,8(ap),r2
-        bisl3   r4,r2,4(ap)
-
-        ashl    r7,8(ap),8(ap)
-noname.6:
-
-        bicl3   #65535,12(ap),r2
-        extzv   #16,#16,r2,r5
-
-        bicl3   #-65536,12(ap),r6
-
-noname.7:
-
-        moval   4(ap),r2
-        movzwl  2(r2),r0
-        cmpl    r0,r5
-        bneq    noname.8
-
-        movzwl  #65535,r4
-        brb     noname.9
-noname.8:
-
-        clrl    r1
-        movl    (r2),r0
-        movl    r5,r2
-        bgeq    vcg.1
-        cmpl    r2,r0
-        bgtru   vcg.2
-        incl    r1
-        brb     vcg.2
-        nop     
-vcg.1:
-        ediv    r2,r0,r1,r0
-vcg.2:
-        movl    r1,r4
-noname.9:
-
-noname.10:
-
-        mull3   r5,r4,r0
-        subl3   r0,4(ap),r3
-
-        bicl3   #65535,r3,r0
-        bneq    noname.13
-        mull3   r6,r4,r2
-        ashl    #16,r3,r1
-        bicl3   #65535,8(ap),r0
-        extzv   #16,#16,r0,r0
-        addl2   r0,r1
-        cmpl    r2,r1
-        bgtru   noname.12
-noname.11:
-
-        brb     noname.13
-        nop     
-noname.12:
-
-        decl    r4
-        brb     noname.10
-noname.13:
-
-        mull3   r5,r4,r1
-
-        mull3   r6,r4,r0
-
-        extzv   #16,#16,r0,r3
-
-        ashl    #16,r0,r2
-        bicl3   #65535,r2,r0
-
-        addl2   r3,r1
-
-        moval   8(ap),r3
-        cmpl    (r3),r0
-        bgequ   noname.15
-        incl    r1
-noname.15:
-
-        subl2   r0,(r3)
-
-        cmpl    4(ap),r1
-        bgequ   noname.16
-
-        addl2   12(ap),4(ap)
-
-        decl    r4
-noname.16:
-
-        subl2   r1,4(ap)
-
-        decl    r8
-        beql    noname.18
-noname.17:
-
-        ashl    #16,r4,r9
+        .title  vax_bn_div_words  unsigned divide
+;
+; Richard Levitte 20-Nov-2000
+;
+; ULONG bn_div_words(ULONG h, ULONG l, ULONG d)
+; {
+;       return ((ULONG)((((ULLONG)h)<<32)|l) / (ULLONG)d);
+; }
+;
+; Using EDIV would be very easy, if it didn't do signed calculations.
+; Therefore, som extra things have to happen around it.  The way to
+; handle that is to shift all operands right one step (basically dividing
+; them by 2) and handle the different cases depending on what the lowest
+; bit of each operand was.
+;
+; To start with, let's define the following:
+;
+; a' = l & 1
+; a2 = <h,l> >> 1       # UNSIGNED shift!
+; b' = d & 1
+; b2 = d >> 1           # UNSIGNED shift!
+;
+; Now, use EDIV to calculate a quotient and a remainder:
+;
+; q'' = a2/b2
+; r'' = a2 - q''*b2
+;
+; If b' is 0, the quotient is already correct, we just need to adjust the
+; remainder:
+;
+; if (b' == 0)
+;   {
+;     r = 2*r'' + a'
+;     q = q''
+;   }
+;
+; If b' is 1, we need to do other adjustements.  The first thought is the
+; following (note that r' will not always have the right value, but an
+; adjustement follows further down):
+;
+; if (b' == 1)
+;   {
+;     q' = q''
+;     r' = a - q'*b
+;
+; However, one can note the folowing relationship:
+;
+;                         r'' = a2 - q''*b2
+;                  =>   2*r'' = 2*a2 - 2*q''*b2
+;                             = { a = 2*a2 + a', b = 2*b2 + b' = 2*b2 + 1,
+;                                 q' = q'' }
+;                             = a - a' - q'*(b - 1)
+;                             = a - q'*b - a' + q'
+;                             = r' - a' + q'
+;                  =>     r'  = 2*r'' - q' + a'
+;
+; This enables us to use r'' instead of discarding and calculating another
+; modulo:
+;
+; if (b' == 1)
+;   {
+;     q' = q''
+;     r' = (r'' << 1) - q' + a'
+;
+; Now, all we have to do is adjust r', because it might be < 0:
+;
+;     while (r' < 0)
+;       {
+;         r' = r' + b
+;         q' = q' - 1
+;       }
+;   }
+;
+; return q'
 
-        ashl    #16,4(ap),r2
-        movzwl  2(r3),r0
-        bisl2   r0,r2
-        bicl3   #0,r2,4(ap)
+h=4 ;(AP)       h       by value (input)
+l=8 ;(AP)       l       by value (input)
+d=12 ;(AP)      d       by value (input)
 
-        bicl3   #-65536,(r3),r0
-        ashl    #16,r0,(r3)
-        brw     noname.7
-        nop     
-noname.18:
+;aprim=r5
+;a2=r6
+;a20=r6
+;a21=r7
+;bprim=r8
+;b2=r9
+;qprim=r10      ; initially used as q''
+;rprim=r11      ; initially used as r''
 
-        bisl2   r4,r9
 
-        movl    r9,r10
+        .psect  code,nowrt
 
-noname.3:
+.entry  bn_div_words,^m<r2,r3,r4,r5,r6,r7,r8,r9,r10,r11>
+        movl    l(ap),r2
+        movl    h(ap),r3
+        movl    d(ap),r4
+
+        movl    #0,r5
+        movl    #0,r8
+        movl    #0,r0
+;       movl    #0,r1
+
+        rotl    #-1,r2,r6       ; a20 = l >> 1 (almost)
+        rotl    #-1,r3,r7       ; a21 = h >> 1 (almost)
+        rotl    #-1,r4,r9       ; b2 = d >> 1 (almost)
+
+        tstl    r6
+        bgeq    1$
+        xorl2   #^X80000000,r6  ; fixup a20 so highest bit is 0
+        incl    r5              ; a' = 1
+1$:
+        tstl    r7
+        bgeq    2$
+        xorl2   #^X80000000,r6  ; fixup a20 so highest bit is 1,
+                                ; since that's what was lowest in a21
+        xorl2   #^X80000000,r7  ; fixup a21 so highest bit is 1
+2$:
+        tstl    r9
+        beql    666$            ; Uh-oh, the divisor is 0...
+        bgtr    3$
+        xorl2   #^X80000000,r9  ; fixup b2 so highest bit is 0
+        incl    r8              ; b' = 1
+3$:
+        tstl    r9
+        bneq    4$              ; if b2 is 0, we know that b' is 1
+        tstl    r3
+        bneq    666$            ; if higher half isn't 0, we overflow
+        movl    r2,r10          ; otherwise, we have our result
+        brb     42$             ; This is a success, really.
+4$:
+        ediv    r9,r6,r10,r11
+
+        tstl    r8
+        bneq    5$              ; If b' != 0, go to the other part
+;       addl3   r11,r11,r1
+;       addl2   r5,r1
+        brb     42$
+5$:
+        ashl    #1,r11,r11
+        subl2   r10,r11
+        addl2   r5,r11
+        bgeq    7$
+6$:
+        decl    r10
+        addl2   r4,r11
+        blss    6$
+7$:
+;       movl    r11,r1
+42$:
         movl    r10,r0
-        ret     
-        tstl    r0
-
+666$:
+        ret
 
-        .psect  code,nowrt
-
-.entry  BN_ADD_WORDS,^m<r2,r3,r4,r5,r6,r7>
-
-        tstl    16(ap)
-        bgtr    noname.21
-        clrl    r7
-        brw     noname.22
-noname.21:
-
-        clrl    r4
-
-        tstl    r0
-noname.23:
-
-        movl    8(ap),r6
-        addl3   r4,(r6),r2
-
-        bicl2   #0,r2
-
-        clrl    r0
-        cmpl    r2,r4
-        bgequ   vcg.3
-        incl    r0
-vcg.3:
-        movl    r0,r4
-
-        movl    12(ap),r5
-        addl3   (r5),r2,r1
-        bicl2   #0,r1
-
-        clrl    r0
-        cmpl    r1,r2
-        bgequ   vcg.4
-        incl    r0
-vcg.4:
-        addl2   r0,r4
-
-        movl    4(ap),r3
-        movl    r1,(r3)
-
-        decl    16(ap)
-        bgtr    gen.1
-        brw     noname.25
-gen.1:
-noname.24:
-
-        addl3   r4,4(r6),r2
-
-        bicl2   #0,r2
-
-        clrl    r0
-        cmpl    r2,r4
-        bgequ   vcg.5
-        incl    r0
-vcg.5:
-        movl    r0,r4
-
-        addl3   4(r5),r2,r1
-        bicl2   #0,r1
-
-        clrl    r0
-        cmpl    r1,r2
-        bgequ   vcg.6
-        incl    r0
-vcg.6:
-        addl2   r0,r4
-
-        movl    r1,4(r3)
-
-        decl    16(ap)
-        bleq    noname.25
-noname.26:
-
-        addl3   r4,8(r6),r2
-
-        bicl2   #0,r2
-
-        clrl    r0
-        cmpl    r2,r4
-        bgequ   vcg.7
-        incl    r0
-vcg.7:
-        movl    r0,r4
-
-        addl3   8(r5),r2,r1
-        bicl2   #0,r1
-
-        clrl    r0
-        cmpl    r1,r2
-        bgequ   vcg.8
-        incl    r0
-vcg.8:
-        addl2   r0,r4
-
-        movl    r1,8(r3)
-
-        decl    16(ap)
-        bleq    noname.25
-noname.27:
-
-        addl3   r4,12(r6),r2
-
-        bicl2   #0,r2
-
-        clrl    r0
-        cmpl    r2,r4
-        bgequ   vcg.9
-        incl    r0
-vcg.9:
-        movl    r0,r4
-
-        addl3   12(r5),r2,r1
-        bicl2   #0,r1
-
-        clrl    r0
-        cmpl    r1,r2
-        bgequ   vcg.10
-        incl    r0
-vcg.10:
-        addl2   r0,r4
+        .title  vax_bn_add_words  unsigned add of two arrays
+;
+; Richard Levitte 20-Nov-2000
+;
+; ULONG bn_add_words(ULONG r[], ULONG a[], ULONG b[], int n) {
+;       ULONG c = 0;
+;       int i;
+;       for (i = 0; i < n; i++) <c,r[i]> = a[i] + b[i] + c;
+;       return(c);
+; }
 
-        movl    r1,12(r3)
+r=4 ;(AP)       r       by reference (output)
+a=8 ;(AP)       a       by reference (input)
+b=12 ;(AP)      b       by reference (input)
+n=16 ;(AP)      n       by value (input)
 
-        decl    16(ap)
-        bleq    noname.25
-noname.28:
 
-        addl3   #16,r6,8(ap)
+        .psect  code,nowrt
 
-        addl3   #16,r5,12(ap)
+.entry  bn_add_words,^m<r2,r3,r4,r5,r6>
 
-        addl3   #16,r3,4(ap)
-        brw     noname.23
-        tstl    r0
-noname.25:
+        moval   @r(ap),r2
+        moval   @a(ap),r3
+        moval   @b(ap),r4
+        movl    n(ap),r5        ; assumed >0 by C code
+        clrl    r0              ; c
 
-        movl    r4,r7
+        tstl    r5              ; carry = 0
+        bleq    666$
 
-noname.22:
-        movl    r7,r0
-        ret     
-        nop     
+0$:
+        movl    (r3)+,r6        ; carry untouched
+        adwc    (r4)+,r6        ; carry used and touched
+        movl    r6,(r2)+        ; carry untouched
+        sobgtr  r5,0$           ; carry untouched
 
+        adwc    #0,r0
+666$:
+        ret
 
+        .title  vax_bn_sub_words  unsigned add of two arrays
+;
+; Richard Levitte 20-Nov-2000
+;
+; ULONG bn_sub_words(ULONG r[], ULONG a[], ULONG b[], int n) {
+;       ULONG c = 0;
+;       int i;
+;       for (i = 0; i < n; i++) <c,r[i]> = a[i] - b[i] - c;
+;       return(c);
+; }
 
-;r=4 ;(AP)
-;a=8 ;(AP)
-;b=12 ;(AP)
-;n=16 ;(AP)     n       by value (input)
+r=4 ;(AP)       r       by reference (output)
+a=8 ;(AP)       a       by reference (input)
+b=12 ;(AP)      b       by reference (input)
+n=16 ;(AP)      n       by value (input)
 
-        .psect  code,nowrt
 
-.entry  BN_SUB_WORDS,^m<r2,r3,r4,r5,r6,r7>
+        .psect  code,nowrt
 
-        clrl    r6
+.entry  bn_sub_words,^m<r2,r3,r4,r5,r6>
 
-        tstl    16(ap)
-        bgtr    noname.31
-        clrl    r7
-        brw     noname.32
-        tstl    r0
-noname.31:
+        moval   @r(ap),r2
+        moval   @a(ap),r3
+        moval   @b(ap),r4
+        movl    n(ap),r5        ; assumed >0 by C code
+        clrl    r0              ; c
 
-noname.33:
+        tstl    r5              ; carry = 0
+        bleq    666$
 
-        movl    8(ap),r5
-        movl    (r5),r1
-        movl    12(ap),r4
-        movl    (r4),r2
-
-        movl    4(ap),r3
-        subl3   r2,r1,r0
-        subl2   r6,r0
-        bicl3   #0,r0,(r3)
-
-        cmpl    r1,r2
-        beql    noname.34
-        clrl    r0
-        cmpl    r1,r2
-        bgequ   vcg.11
-        incl    r0
-vcg.11:
-        movl    r0,r6
-noname.34:
-
-        decl    16(ap)
-        bgtr    gen.2
-        brw     noname.36
-gen.2:
-noname.35:
-
-        movl    4(r5),r2
-        movl    4(r4),r1
-
-        subl3   r1,r2,r0
-        subl2   r6,r0
-        bicl3   #0,r0,4(r3)
-
-        cmpl    r2,r1
-        beql    noname.37
-        clrl    r0
-        cmpl    r2,r1
-        bgequ   vcg.12
-        incl    r0
-vcg.12:
-        movl    r0,r6
-noname.37:
-
-        decl    16(ap)
-        bleq    noname.36
-noname.38:
-
-        movl    8(r5),r1
-        movl    8(r4),r2
-
-        subl3   r2,r1,r0
-        subl2   r6,r0
-        bicl3   #0,r0,8(r3)
-
-        cmpl    r1,r2
-        beql    noname.39
-        clrl    r0
-        cmpl    r1,r2
-        bgequ   vcg.13
-        incl    r0
-vcg.13:
-        movl    r0,r6
-noname.39:
-
-        decl    16(ap)
-        bleq    noname.36
-noname.40:
-
-        movl    12(r5),r1
-        movl    12(r4),r2
-
-        subl3   r2,r1,r0
-        subl2   r6,r0
-        bicl3   #0,r0,12(r3)
-
-        cmpl    r1,r2
-        beql    noname.41
-        clrl    r0
-        cmpl    r1,r2
-        bgequ   vcg.14
-        incl    r0
-vcg.14:
-        movl    r0,r6
-noname.41:
-
-        decl    16(ap)
-        bleq    noname.36
-noname.42:
-
-        addl3   #16,r5,8(ap)
-
-        addl3   #16,r4,12(ap)
-
-        addl3   #16,r3,4(ap)
-        brw     noname.33
-        tstl    r0
-noname.36:
-
-        movl    r6,r7
-
-noname.32:
-        movl    r7,r0
-        ret     
-        nop     
+0$:
+        movl    (r3)+,r6        ; carry untouched
+        sbwc    (r4)+,r6        ; carry used and touched
+        movl    r6,(r2)+        ; carry untouched
+        sobgtr  r5,0$           ; carry untouched
 
+        adwc    #0,r0
+666$:
+        ret
 
 
 ;r=4 ;(AP)
@@ -6615,81 +6410,3 @@ noname.610:
 
 ; For now, the code below doesn't work, so I end this prematurely.
 .end
-
-        .title  vax_bn_div64    division 64/32=>32
-; 
-; r.l. 16-jan-1998
-;
-; unsigned int bn_div64(unsigned long h, unsigned long l, unsigned long d)
-;       return <h,l>/d;
-;
-
-        .psect  code,nowrt
-
-h=4 ;(AP)       by value (input)
-l=8 ;(AP)       by value (input)
-d=12 ;(AP)      by value (input)
-
-.entry  bn_div64,^m<r2,r3,r4,r5,r6,r7,r8,r9>
-
-        movl    l(ap),r2        ; l
-        movl    h(ap),r3        ; h
-        movl    d(ap),r4        ; d
-        clrl    r5              ; q
-        clrl    r6              ; r
-
-        ; Treat "negative" specially
-        tstl    r3
-        blss    30$
-
-        tstl    r4
-        beql    90$
-
-        ediv    r4,r2,r5,r6
-        bvs     666$
-
-        movl    r5,r0
-        ret
-
-30$:
-        ; The theory here is to do some harmless shifting and a little
-        ; bit of rounding (brackets are to designate when decimals are
-        ; cut off):
-        ;
-        ;       result = 2 * [ ([<h,0>/2] + [d/2]) / d ] + [ l / d ]
-
-        movl    #0,r7
-        movl    r3,r8           ; copy h
-        ashq    #-1,r7,r7       ; [<h,0>/2] => <r8,r7>
-        bicl2   #^X80000000,r8  ; Remove "sign"
-
-        movl    r4,r9           ; copy d
-        ashl    #-1,r9,r9       ; [d/2] => r9
-        bicl2   #^X80000000,r9  ; Remove "sign"
-
-        addl2   r9,r7
-        adwc    #0,r8           ; [<h,0>/2] + [d/2] => <r8,r7>
-
-        ediv    r4,r7,r5,r6     ; [ ([<h,0>/2] + [d/2]) / d ] => <r5,r6>
-        bvs     666$
-
-        movl    #0,r6
-        ashq    #1,r5,r5        ; 2 * [ ([<h,0>/2] + [d/2]) / d ] => r5
-
-        movl    #0,r3
-        ediv    r4,r2,r8,r9     ; [ l / d ] => <r8,r9>
-
-        addl2   r8,r5           ;
-        bcs     666$
-
-        movl    r5,r0
-        ret
-                
-90$:
-        movl    #-1,r0
-        ret
-
-666$:
-
-        
-.end
diff --git a/src/lib/libcrypto/bn/bn.h b/src/lib/libcrypto/bn/bn.h
index b232c2ceae..d25b49c9d8 100644
--- a/src/lib/libcrypto/bn/bn.h
+++ b/src/lib/libcrypto/bn/bn.h
@@ -59,24 +59,22 @@
 #ifndef HEADER_BN_H
 #define HEADER_BN_H
 
-#ifndef NO_FP_API
+#include <openssl/e_os2.h>
+#ifndef OPENSSL_NO_FP_API
 #include <stdio.h> /* FILE */
 #endif
-#include <openssl/opensslconf.h>
 
 #ifdef  __cplusplus
 extern "C" {
 #endif
 
-#ifdef VMS
+#ifdef OPENSSL_SYS_VMS
 #undef BN_LLONG /* experimental, so far... */
 #endif
 
 #define BN_MUL_COMBA
 #define BN_SQR_COMBA
 #define BN_RECURSION
-#define RECP_MUL_MOD
-#define MONT_MUL_MOD
 
 /* This next option uses the C libraries (2 word)/(1 word) function.
  * If it is not defined, I use my C version (which is slower).
@@ -89,8 +87,11 @@ extern "C" {
  * For machines with only one compiler (or shared libraries), this should
  * be on.  Again this in only really a problem on machines
  * using "long long's", are 32bit, and are not using my assembler code. */
-#if defined(MSDOS) || defined(WINDOWS) || defined(WIN32) || defined(linux)
-#define BN_DIV2W
+#if defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_WINDOWS) || \
+    defined(OPENSSL_SYS_WIN32) || defined(linux)
+# ifndef BN_DIV2W
+#  define BN_DIV2W
+# endif
 #endif
 
 /* assuming long is 64bit - this is the DEC Alpha
@@ -142,7 +143,7 @@ extern "C" {
 #endif
 
 #ifdef THIRTY_TWO_BIT
-#if defined(WIN32) && !defined(__GNUC__)
+#if defined(OPENSSL_SYS_WIN32) && !defined(__GNUC__)
 #define BN_ULLONG       unsigned _int64
 #else
 #define BN_ULLONG       unsigned long long
@@ -153,7 +154,7 @@ extern "C" {
 #define BN_BYTES        4
 #define BN_BITS2        32
 #define BN_BITS4        16
-#ifdef WIN32
+#ifdef OPENSSL_SYS_WIN32
 /* VC++ doesn't like the LL suffix */
 #define BN_MASK         (0xffffffffffffffffL)
 #else
@@ -238,18 +239,8 @@ typedef struct bignum_st
         int flags;
         } BIGNUM;
 
-/* Used for temp variables */
-#define BN_CTX_NUM      16
-#define BN_CTX_NUM_POS  12
-typedef struct bignum_ctx
-        {
-        int tos;
-        BIGNUM bn[BN_CTX_NUM];
-        int flags;
-        int depth;
-        int pos[BN_CTX_NUM_POS];
-        int too_many;
-        } BN_CTX;
+/* Used for temp variables (declaration hidden in bn_lcl.h) */
+typedef struct bignum_ctx BN_CTX;
 
 typedef struct bn_blinding_st
         {
@@ -283,9 +274,6 @@ typedef struct bn_recp_ctx_st
         int flags;
         } BN_RECP_CTX;
 
-#define BN_to_montgomery(r,a,mont,ctx)  BN_mod_mul_montgomery(\
-        r,a,&((mont)->RR),(mont),ctx)
-
 #define BN_prime_checks 0 /* default: select number of iterations
                              based on the size of the number */
 
@@ -308,17 +296,22 @@ typedef struct bn_recp_ctx_st
                                 /* b >= 100 */ 27)
 
 #define BN_num_bytes(a) ((BN_num_bits(a)+7)/8)
-#define BN_is_word(a,w) (((a)->top == 1) && ((a)->d[0] == (BN_ULONG)(w)))
-#define BN_is_zero(a)   (((a)->top == 0) || BN_is_word(a,0))
-#define BN_is_one(a)    (BN_is_word((a),1))
-#define BN_is_odd(a)    (((a)->top > 0) && ((a)->d[0] & 1))
+
+/* Note that BN_abs_is_word does not work reliably for w == 0 */
+#define BN_abs_is_word(a,w) (((a)->top == 1) && ((a)->d[0] == (BN_ULONG)(w)))
+#define BN_is_zero(a)       (((a)->top == 0) || BN_abs_is_word(a,0))
+#define BN_is_one(a)        (BN_abs_is_word((a),1) && !(a)->neg)
+#define BN_is_word(a,w)     ((w) ? BN_abs_is_word((a),(w)) && !(a)->neg : \
+                                   BN_is_zero((a)))
+#define BN_is_odd(a)        (((a)->top > 0) && ((a)->d[0] & 1))
+
 #define BN_one(a)       (BN_set_word((a),1))
 #define BN_zero(a)      (BN_set_word((a),0))
 
 /*#define BN_ascii2bn(a)        BN_hex2bn(a) */
 /*#define BN_bn2ascii(a)        BN_bn2hex(a) */
 
-BIGNUM *BN_value_one(void);
+const BIGNUM *BN_value_one(void);
 char *  BN_options(void);
 BN_CTX *BN_CTX_new(void);
 void    BN_CTX_init(BN_CTX *c);
@@ -329,51 +322,70 @@ void	BN_CTX_end(BN_CTX *ctx);
 int     BN_rand(BIGNUM *rnd, int bits, int top,int bottom);
 int     BN_pseudo_rand(BIGNUM *rnd, int bits, int top,int bottom);
 int     BN_rand_range(BIGNUM *rnd, BIGNUM *range);
+int     BN_pseudo_rand_range(BIGNUM *rnd, BIGNUM *range);
 int     BN_num_bits(const BIGNUM *a);
 int     BN_num_bits_word(BN_ULONG);
 BIGNUM *BN_new(void);
 void    BN_init(BIGNUM *);
 void    BN_clear_free(BIGNUM *a);
 BIGNUM *BN_copy(BIGNUM *a, const BIGNUM *b);
+void    BN_swap(BIGNUM *a, BIGNUM *b);
 BIGNUM *BN_bin2bn(const unsigned char *s,int len,BIGNUM *ret);
 int     BN_bn2bin(const BIGNUM *a, unsigned char *to);
-BIGNUM *BN_mpi2bn(unsigned char *s,int len,BIGNUM *ret);
+BIGNUM *BN_mpi2bn(const unsigned char *s,int len,BIGNUM *ret);
 int     BN_bn2mpi(const BIGNUM *a, unsigned char *to);
 int     BN_sub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b);
 int     BN_usub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b);
 int     BN_uadd(BIGNUM *r, const BIGNUM *a, const BIGNUM *b);
 int     BN_add(BIGNUM *r, const BIGNUM *a, const BIGNUM *b);
-int     BN_mod(BIGNUM *rem, const BIGNUM *m, const BIGNUM *d, BN_CTX *ctx);
+int     BN_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx);
+int     BN_sqr(BIGNUM *r, const BIGNUM *a,BN_CTX *ctx);
+
 int     BN_div(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m, const BIGNUM *d,
-               BN_CTX *ctx);
-int     BN_mul(BIGNUM *r, BIGNUM *a, BIGNUM *b, BN_CTX *ctx);
-int     BN_sqr(BIGNUM *r, BIGNUM *a,BN_CTX *ctx);
+        BN_CTX *ctx);
+#define BN_mod(rem,m,d,ctx) BN_div(NULL,(rem),(m),(d),(ctx))
+int     BN_nnmod(BIGNUM *r, const BIGNUM *m, const BIGNUM *d, BN_CTX *ctx);
+int     BN_mod_add(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *m, BN_CTX *ctx);
+int     BN_mod_add_quick(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *m);
+int     BN_mod_sub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *m, BN_CTX *ctx);
+int     BN_mod_sub_quick(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *m);
+int     BN_mod_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
+        const BIGNUM *m, BN_CTX *ctx);
+int     BN_mod_sqr(BIGNUM *r, const BIGNUM *a, const BIGNUM *m, BN_CTX *ctx);
+int     BN_mod_lshift1(BIGNUM *r, const BIGNUM *a, const BIGNUM *m, BN_CTX *ctx);
+int     BN_mod_lshift1_quick(BIGNUM *r, const BIGNUM *a, const BIGNUM *m);
+int     BN_mod_lshift(BIGNUM *r, const BIGNUM *a, int n, const BIGNUM *m, BN_CTX *ctx);
+int     BN_mod_lshift_quick(BIGNUM *r, const BIGNUM *a, int n, const BIGNUM *m);
+
 BN_ULONG BN_mod_word(const BIGNUM *a, BN_ULONG w);
 BN_ULONG BN_div_word(BIGNUM *a, BN_ULONG w);
 int     BN_mul_word(BIGNUM *a, BN_ULONG w);
 int     BN_add_word(BIGNUM *a, BN_ULONG w);
 int     BN_sub_word(BIGNUM *a, BN_ULONG w);
 int     BN_set_word(BIGNUM *a, BN_ULONG w);
-BN_ULONG BN_get_word(BIGNUM *a);
+BN_ULONG BN_get_word(const BIGNUM *a);
+
 int     BN_cmp(const BIGNUM *a, const BIGNUM *b);
 void    BN_free(BIGNUM *a);
 int     BN_is_bit_set(const BIGNUM *a, int n);
 int     BN_lshift(BIGNUM *r, const BIGNUM *a, int n);
-int     BN_lshift1(BIGNUM *r, BIGNUM *a);
-int     BN_exp(BIGNUM *r, BIGNUM *a, BIGNUM *p,BN_CTX *ctx);
-int     BN_mod_exp(BIGNUM *r, BIGNUM *a, const BIGNUM *p,
-                   const BIGNUM *m,BN_CTX *ctx);
-int     BN_mod_exp_mont(BIGNUM *r, BIGNUM *a, const BIGNUM *p,
-                        const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
+int     BN_lshift1(BIGNUM *r, const BIGNUM *a);
+int     BN_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,BN_CTX *ctx);
+
+int     BN_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+        const BIGNUM *m,BN_CTX *ctx);
+int     BN_mod_exp_mont(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+        const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
 int     BN_mod_exp_mont_word(BIGNUM *r, BN_ULONG a, const BIGNUM *p,
-                        const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
-int     BN_mod_exp2_mont(BIGNUM *r, BIGNUM *a1, BIGNUM *p1,BIGNUM *a2,
-                BIGNUM *p2,BIGNUM *m,BN_CTX *ctx,BN_MONT_CTX *m_ctx);
-int     BN_mod_exp_simple(BIGNUM *r, BIGNUM *a, BIGNUM *p,
-        BIGNUM *m,BN_CTX *ctx);
+        const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
+int     BN_mod_exp2_mont(BIGNUM *r, const BIGNUM *a1, const BIGNUM *p1,
+        const BIGNUM *a2, const BIGNUM *p2,const BIGNUM *m,
+        BN_CTX *ctx,BN_MONT_CTX *m_ctx);
+int     BN_mod_exp_simple(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+        const BIGNUM *m,BN_CTX *ctx);
+
 int     BN_mask_bits(BIGNUM *a,int n);
-int     BN_mod_mul(BIGNUM *ret, BIGNUM *a, BIGNUM *b, const BIGNUM *m, BN_CTX *ctx);
-#ifndef NO_FP_API
+#ifndef OPENSSL_NO_FP_API
 int     BN_print_fp(FILE *fp, const BIGNUM *a);
 #endif
 #ifdef HEADER_BIO_H
@@ -381,9 +393,9 @@ int	BN_print(BIO *fp, const BIGNUM *a);
 #else
 int     BN_print(void *fp, const BIGNUM *a);
 #endif
-int     BN_reciprocal(BIGNUM *r, BIGNUM *m, int len, BN_CTX *ctx);
-int     BN_rshift(BIGNUM *r, BIGNUM *a, int n);
-int     BN_rshift1(BIGNUM *r, BIGNUM *a);
+int     BN_reciprocal(BIGNUM *r, const BIGNUM *m, int len, BN_CTX *ctx);
+int     BN_rshift(BIGNUM *r, const BIGNUM *a, int n);
+int     BN_rshift1(BIGNUM *r, const BIGNUM *a);
 void    BN_clear(BIGNUM *a);
 BIGNUM *BN_dup(const BIGNUM *a);
 int     BN_ucmp(const BIGNUM *a, const BIGNUM *b);
@@ -393,23 +405,30 @@ char *	BN_bn2hex(const BIGNUM *a);
 char *  BN_bn2dec(const BIGNUM *a);
 int     BN_hex2bn(BIGNUM **a, const char *str);
 int     BN_dec2bn(BIGNUM **a, const char *str);
-int     BN_gcd(BIGNUM *r,BIGNUM *in_a,BIGNUM *in_b,BN_CTX *ctx);
-BIGNUM *BN_mod_inverse(BIGNUM *ret,BIGNUM *a, const BIGNUM *n,BN_CTX *ctx);
-BIGNUM *BN_generate_prime(BIGNUM *ret,int bits,int safe,BIGNUM *add,
-                BIGNUM *rem,void (*callback)(int,int,void *),void *cb_arg);
+int     BN_gcd(BIGNUM *r,const BIGNUM *a,const BIGNUM *b,BN_CTX *ctx);
+int     BN_kronecker(const BIGNUM *a,const BIGNUM *b,BN_CTX *ctx); /* returns -2 for error */
+BIGNUM *BN_mod_inverse(BIGNUM *ret,
+        const BIGNUM *a, const BIGNUM *n,BN_CTX *ctx);
+BIGNUM *BN_mod_sqrt(BIGNUM *ret,
+        const BIGNUM *a, const BIGNUM *n,BN_CTX *ctx);
+BIGNUM *BN_generate_prime(BIGNUM *ret,int bits,int safe,
+        const BIGNUM *add, const BIGNUM *rem,
+        void (*callback)(int,int,void *),void *cb_arg);
 int     BN_is_prime(const BIGNUM *p,int nchecks,
-                void (*callback)(int,int,void *),
-                BN_CTX *ctx,void *cb_arg);
+        void (*callback)(int,int,void *),
+        BN_CTX *ctx,void *cb_arg);
 int     BN_is_prime_fasttest(const BIGNUM *p,int nchecks,
-                void (*callback)(int,int,void *),BN_CTX *ctx,void *cb_arg,
-                int do_trial_division);
-void    ERR_load_BN_strings(void );
+        void (*callback)(int,int,void *),BN_CTX *ctx,void *cb_arg,
+        int do_trial_division);
 
 BN_MONT_CTX *BN_MONT_CTX_new(void );
 void BN_MONT_CTX_init(BN_MONT_CTX *ctx);
-int BN_mod_mul_montgomery(BIGNUM *r,BIGNUM *a,BIGNUM *b,BN_MONT_CTX *mont,
-                          BN_CTX *ctx);
-int BN_from_montgomery(BIGNUM *r,BIGNUM *a,BN_MONT_CTX *mont,BN_CTX *ctx);
+int BN_mod_mul_montgomery(BIGNUM *r,const BIGNUM *a,const BIGNUM *b,
+        BN_MONT_CTX *mont, BN_CTX *ctx);
+#define BN_to_montgomery(r,a,mont,ctx)  BN_mod_mul_montgomery(\
+        (r),(a),&((mont)->RR),(mont),(ctx))
+int BN_from_montgomery(BIGNUM *r,const BIGNUM *a,
+        BN_MONT_CTX *mont, BN_CTX *ctx);
 void BN_MONT_CTX_free(BN_MONT_CTX *mont);
 int BN_MONT_CTX_set(BN_MONT_CTX *mont,const BIGNUM *modulus,BN_CTX *ctx);
 BN_MONT_CTX *BN_MONT_CTX_copy(BN_MONT_CTX *to,BN_MONT_CTX *from);
@@ -427,12 +446,12 @@ void	BN_RECP_CTX_init(BN_RECP_CTX *recp);
 BN_RECP_CTX *BN_RECP_CTX_new(void);
 void    BN_RECP_CTX_free(BN_RECP_CTX *recp);
 int     BN_RECP_CTX_set(BN_RECP_CTX *recp,const BIGNUM *rdiv,BN_CTX *ctx);
-int     BN_mod_mul_reciprocal(BIGNUM *r, BIGNUM *x, BIGNUM *y,
-                BN_RECP_CTX *recp,BN_CTX *ctx);
+int     BN_mod_mul_reciprocal(BIGNUM *r, const BIGNUM *x, const BIGNUM *y,
+        BN_RECP_CTX *recp,BN_CTX *ctx);
 int     BN_mod_exp_recp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
-                        const BIGNUM *m, BN_CTX *ctx);
-int     BN_div_recp(BIGNUM *dv, BIGNUM *rem, BIGNUM *m,
-                BN_RECP_CTX *recp, BN_CTX *ctx);
+        const BIGNUM *m, BN_CTX *ctx);
+int     BN_div_recp(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m,
+        BN_RECP_CTX *recp, BN_CTX *ctx);
 
 /* library internal functions */
 
@@ -440,6 +459,7 @@ int	BN_div_recp(BIGNUM *dv, BIGNUM *rem, BIGNUM *m,
         (a):bn_expand2((a),(bits)/BN_BITS2+1))
 #define bn_wexpand(a,words) (((words) <= (a)->dmax)?(a):bn_expand2((a),(words)))
 BIGNUM *bn_expand2(BIGNUM *a, int words);
+BIGNUM *bn_dup_expand(const BIGNUM *a, int words);
 
 #define bn_fix_top(a) \
         { \
@@ -451,15 +471,15 @@ BIGNUM *bn_expand2(BIGNUM *a, int words);
                 } \
         }
 
-BN_ULONG bn_mul_add_words(BN_ULONG *rp, BN_ULONG *ap, int num, BN_ULONG w);
-BN_ULONG bn_mul_words(BN_ULONG *rp, BN_ULONG *ap, int num, BN_ULONG w);
-void     bn_sqr_words(BN_ULONG *rp, BN_ULONG *ap, int num);
+BN_ULONG bn_mul_add_words(BN_ULONG *rp, const BN_ULONG *ap, int num, BN_ULONG w);
+BN_ULONG bn_mul_words(BN_ULONG *rp, const BN_ULONG *ap, int num, BN_ULONG w);
+void     bn_sqr_words(BN_ULONG *rp, const BN_ULONG *ap, int num);
 BN_ULONG bn_div_words(BN_ULONG h, BN_ULONG l, BN_ULONG d);
-BN_ULONG bn_add_words(BN_ULONG *rp, BN_ULONG *ap, BN_ULONG *bp,int num);
-BN_ULONG bn_sub_words(BN_ULONG *rp, BN_ULONG *ap, BN_ULONG *bp,int num);
+BN_ULONG bn_add_words(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,int num);
+BN_ULONG bn_sub_words(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,int num);
 
 #ifdef BN_DEBUG
-  void bn_dump1(FILE *o, const char *a, BN_ULONG *b,int n);
+void bn_dump1(FILE *o, const char *a, const BN_ULONG *b,int n);
 # define bn_print(a) {fprintf(stderr, #a "="); BN_print_fp(stderr,a); \
    fprintf(stderr,"\n");}
 # define bn_dump(a,n) bn_dump1(stderr,#a,a,n);
@@ -474,6 +494,7 @@ int BN_bntest_rand(BIGNUM *rnd, int bits, int top,int bottom);
 /* The following lines are auto generated by the script mkerr.pl. Any changes
  * made after this point may be overwritten when the script is next run.
  */
+void ERR_load_BN_strings(void);
 
 /* Error codes for the BN functions. */
 
@@ -488,11 +509,14 @@ int BN_bntest_rand(BIGNUM *rnd, int bits, int top,int bottom);
 #define BN_F_BN_CTX_NEW                                  106
 #define BN_F_BN_DIV                                      107
 #define BN_F_BN_EXPAND2                                  108
+#define BN_F_BN_EXPAND_INTERNAL                          120
 #define BN_F_BN_MOD_EXP2_MONT                            118
 #define BN_F_BN_MOD_EXP_MONT                             109
 #define BN_F_BN_MOD_EXP_MONT_WORD                        117
 #define BN_F_BN_MOD_INVERSE                              110
+#define BN_F_BN_MOD_LSHIFT_QUICK                         119
 #define BN_F_BN_MOD_MUL_RECIPROCAL                       111
+#define BN_F_BN_MOD_SQRT                                 121
 #define BN_F_BN_MPI2BN                                   112
 #define BN_F_BN_NEW                                      113
 #define BN_F_BN_RAND                                     114
@@ -507,14 +531,17 @@ int BN_bntest_rand(BIGNUM *rnd, int bits, int top,int bottom);
 #define BN_R_DIV_BY_ZERO                                 103
 #define BN_R_ENCODING_ERROR                              104
 #define BN_R_EXPAND_ON_STATIC_BIGNUM_DATA                105
+#define BN_R_INPUT_NOT_REDUCED                           110
 #define BN_R_INVALID_LENGTH                              106
 #define BN_R_INVALID_RANGE                               115
+#define BN_R_NOT_A_SQUARE                                111
 #define BN_R_NOT_INITIALIZED                             107
 #define BN_R_NO_INVERSE                                  108
+#define BN_R_P_IS_NOT_PRIME                              112
+#define BN_R_TOO_MANY_ITERATIONS                         113
 #define BN_R_TOO_MANY_TEMPORARY_VARIABLES                109
 
 #ifdef  __cplusplus
 }
 #endif
 #endif
-
diff --git a/src/lib/libcrypto/bn/bn_add.c b/src/lib/libcrypto/bn/bn_add.c
index 5d24691233..6cba07e9f6 100644
--- a/src/lib/libcrypto/bn/bn_add.c
+++ b/src/lib/libcrypto/bn/bn_add.c
@@ -64,6 +64,7 @@
 int BN_add(BIGNUM *r, const BIGNUM *a, const BIGNUM *b)
         {
         const BIGNUM *tmp;
+        int a_neg = a->neg;
 
         bn_check_top(a);
         bn_check_top(b);
@@ -73,10 +74,10 @@ int BN_add(BIGNUM *r, const BIGNUM *a, const BIGNUM *b)
          * -a +  b      b-a
          * -a + -b      -(a+b)
          */
-        if (a->neg ^ b->neg)
+        if (a_neg ^ b->neg)
                 {
                 /* only one is negative */
-                if (a->neg)
+                if (a_neg)
                         { tmp=a; a=b; b=tmp; }
 
                 /* we are now a - b */
@@ -94,12 +95,11 @@ int BN_add(BIGNUM *r, const BIGNUM *a, const BIGNUM *b)
                 return(1);
                 }
 
-        if (a->neg) /* both are neg */
+        if (!BN_uadd(r,a,b)) return(0);
+        if (a_neg) /* both are neg */
                 r->neg=1;
         else
                 r->neg=0;
-
-        if (!BN_uadd(r,a,b)) return(0);
         return(1);
         }
 
@@ -160,6 +160,7 @@ int BN_uadd(BIGNUM *r, const BIGNUM *a, const BIGNUM *b)
                         *(rp++)= *(ap++);
                 }
         /* memcpy(rp,ap,sizeof(*ap)*(max-i));*/
+        r->neg = 0;
         return(1);
         }
 
@@ -251,6 +252,7 @@ int BN_usub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b)
 #endif
 
         r->top=max;
+        r->neg=0;
         bn_fix_top(r);
         return(1);
         }
diff --git a/src/lib/libcrypto/bn/bn_asm.c b/src/lib/libcrypto/bn/bn_asm.c
index 44e52a40db..be8aa3ffc5 100644
--- a/src/lib/libcrypto/bn/bn_asm.c
+++ b/src/lib/libcrypto/bn/bn_asm.c
@@ -68,7 +68,7 @@
 
 #if defined(BN_LLONG) || defined(BN_UMULT_HIGH)
 
-BN_ULONG bn_mul_add_words(BN_ULONG *rp, BN_ULONG *ap, int num, BN_ULONG w)
+BN_ULONG bn_mul_add_words(BN_ULONG *rp, const BN_ULONG *ap, int num, BN_ULONG w)
         {
         BN_ULONG c1=0;
 
@@ -93,7 +93,7 @@ BN_ULONG bn_mul_add_words(BN_ULONG *rp, BN_ULONG *ap, int num, BN_ULONG w)
         return(c1);
         } 
 
-BN_ULONG bn_mul_words(BN_ULONG *rp, BN_ULONG *ap, int num, BN_ULONG w)
+BN_ULONG bn_mul_words(BN_ULONG *rp, const BN_ULONG *ap, int num, BN_ULONG w)
         {
         BN_ULONG c1=0;
 
@@ -117,7 +117,7 @@ BN_ULONG bn_mul_words(BN_ULONG *rp, BN_ULONG *ap, int num, BN_ULONG w)
         return(c1);
         } 
 
-void bn_sqr_words(BN_ULONG *r, BN_ULONG *a, int n)
+void bn_sqr_words(BN_ULONG *r, const BN_ULONG *a, int n)
         {
         assert(n >= 0);
         if (n <= 0) return;
@@ -139,7 +139,7 @@ void bn_sqr_words(BN_ULONG *r, BN_ULONG *a, int n)
 
 #else /* !(defined(BN_LLONG) || defined(BN_UMULT_HIGH)) */
 
-BN_ULONG bn_mul_add_words(BN_ULONG *rp, BN_ULONG *ap, int num, BN_ULONG w)
+BN_ULONG bn_mul_add_words(BN_ULONG *rp, const BN_ULONG *ap, int num, BN_ULONG w)
         {
         BN_ULONG c=0;
         BN_ULONG bl,bh;
@@ -166,7 +166,7 @@ BN_ULONG bn_mul_add_words(BN_ULONG *rp, BN_ULONG *ap, int num, BN_ULONG w)
         return(c);
         } 
 
-BN_ULONG bn_mul_words(BN_ULONG *rp, BN_ULONG *ap, int num, BN_ULONG w)
+BN_ULONG bn_mul_words(BN_ULONG *rp, const BN_ULONG *ap, int num, BN_ULONG w)
         {
         BN_ULONG carry=0;
         BN_ULONG bl,bh;
@@ -193,7 +193,7 @@ BN_ULONG bn_mul_words(BN_ULONG *rp, BN_ULONG *ap, int num, BN_ULONG w)
         return(carry);
         } 
 
-void bn_sqr_words(BN_ULONG *r, BN_ULONG *a, int n)
+void bn_sqr_words(BN_ULONG *r, const BN_ULONG *a, int n)
         {
         assert(n >= 0);
         if (n <= 0) return;
@@ -296,7 +296,7 @@ BN_ULONG bn_div_words(BN_ULONG h, BN_ULONG l, BN_ULONG d)
 #endif /* !defined(BN_LLONG) && defined(BN_DIV2W) */
 
 #ifdef BN_LLONG
-BN_ULONG bn_add_words(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n)
+BN_ULONG bn_add_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b, int n)
         {
         BN_ULLONG ll=0;
 
@@ -332,7 +332,7 @@ BN_ULONG bn_add_words(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n)
         return((BN_ULONG)ll);
         }
 #else /* !BN_LLONG */
-BN_ULONG bn_add_words(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n)
+BN_ULONG bn_add_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b, int n)
         {
         BN_ULONG c,l,t;
 
@@ -382,7 +382,7 @@ BN_ULONG bn_add_words(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n)
         }
 #endif /* !BN_LLONG */
 
-BN_ULONG bn_sub_words(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n)
+BN_ULONG bn_sub_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b, int n)
         {
         BN_ULONG t1,t2;
         int c=0;
@@ -673,7 +673,7 @@ void bn_mul_comba4(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b)
         r[7]=c2;
         }
 
-void bn_sqr_comba8(BN_ULONG *r, BN_ULONG *a)
+void bn_sqr_comba8(BN_ULONG *r, const BN_ULONG *a)
         {
 #ifdef BN_LLONG
         BN_ULLONG t,tt;
@@ -754,7 +754,7 @@ void bn_sqr_comba8(BN_ULONG *r, BN_ULONG *a)
         r[15]=c1;
         }
 
-void bn_sqr_comba4(BN_ULONG *r, BN_ULONG *a)
+void bn_sqr_comba4(BN_ULONG *r, const BN_ULONG *a)
         {
 #ifdef BN_LLONG
         BN_ULLONG t,tt;
diff --git a/src/lib/libcrypto/bn/bn_ctx.c b/src/lib/libcrypto/bn/bn_ctx.c
index b1a8d7571e..7daf19eb84 100644
--- a/src/lib/libcrypto/bn/bn_ctx.c
+++ b/src/lib/libcrypto/bn/bn_ctx.c
@@ -61,8 +61,9 @@
 
 #include <stdio.h>
 #include <assert.h>
+
 #include "cryptlib.h"
-#include <openssl/bn.h>
+#include "bn_lcl.h"
 
 
 BN_CTX *BN_CTX_new(void)
@@ -83,6 +84,7 @@ BN_CTX *BN_CTX_new(void)
 
 void BN_CTX_init(BN_CTX *ctx)
         {
+#if 0 /* explicit version */
         int i;
         ctx->tos = 0;
         ctx->flags = 0;
@@ -90,6 +92,9 @@ void BN_CTX_init(BN_CTX *ctx)
         ctx->too_many = 0;
         for (i = 0; i < BN_CTX_NUM; i++)
                 BN_init(&(ctx->bn[i]));
+#else
+        memset(ctx, 0, sizeof *ctx);
+#endif
         }
 
 void BN_CTX_free(BN_CTX *ctx)
@@ -112,8 +117,14 @@ void BN_CTX_start(BN_CTX *ctx)
         ctx->depth++;
         }
 
+
 BIGNUM *BN_CTX_get(BN_CTX *ctx)
         {
+        /* Note: If BN_CTX_get is ever changed to allocate BIGNUMs dynamically,
+         * make sure that if BN_CTX_get fails once it will return NULL again
+         * until BN_CTX_end is called.  (This is so that callers have to check
+         * only the last return value.)
+         */
         if (ctx->depth > BN_CTX_NUM_POS || ctx->tos >= BN_CTX_NUM)
                 {
                 if (!ctx->too_many)
diff --git a/src/lib/libcrypto/bn/bn_div.c b/src/lib/libcrypto/bn/bn_div.c
index c328b5b411..ac1a09615a 100644
--- a/src/lib/libcrypto/bn/bn_div.c
+++ b/src/lib/libcrypto/bn/bn_div.c
@@ -61,6 +61,7 @@
 #include "cryptlib.h"
 #include "bn_lcl.h"
 
+
 /* The old slow way */
 #if 0
 int BN_div(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m, const BIGNUM *d,
@@ -126,9 +127,10 @@ int BN_div(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m, const BIGNUM *d,
 
 #else
 
-#if !defined(NO_ASM) && !defined(NO_INLINE_ASM) && !defined(PEDANTIC) && !defined(BN_DIV3W)
+#if !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM) \
+    && !defined(PEDANTIC) && !defined(BN_DIV3W)
 # if defined(__GNUC__) && __GNUC__>=2
-#  if defined(__i386)
+#  if defined(__i386) || defined (__i386__)
    /*
     * There were two reasons for implementing this template:
     * - GNU C generates a call to a function (__udivdi3 to be exact)
@@ -150,8 +152,16 @@ int BN_div(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m, const BIGNUM *d,
 #  define REMAINDER_IS_ALREADY_CALCULATED
 #  endif /* __<cpu> */
 # endif /* __GNUC__ */
-#endif /* NO_ASM */
+#endif /* OPENSSL_NO_ASM */
+
 
+/* BN_div computes  dv := num / divisor,  rounding towards zero, and sets up
+ * rm  such that  dv*divisor + rm = num  holds.
+ * Thus:
+ *     dv->neg == num->neg ^ divisor->neg  (unless the result is zero)
+ *     rm->neg == num->neg                 (unless the remainder is zero)
+ * If 'dv' or 'rm' is NULL, the respective value is not returned.
+ */
 int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
            BN_CTX *ctx)
         {
@@ -185,7 +195,7 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
         if (dv == NULL)
                 res=BN_CTX_get(ctx);
         else    res=dv;
-        if (sdiv==NULL || res == NULL) goto err;
+        if (sdiv == NULL || res == NULL) goto err;
         tmp->neg=0;
 
         /* First we normalise the numbers */
@@ -232,12 +242,14 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
                 }
         else
                 res->top--;
+        if (res->top == 0)
+                res->neg = 0;
         resp--;
 
         for (i=0; i<loop-1; i++)
                 {
                 BN_ULONG q,l0;
-#if defined(BN_DIV3W) && !defined(NO_ASM)
+#if defined(BN_DIV3W) && !defined(OPENSSL_NO_ASM)
                 BN_ULONG bn_div_3_words(BN_ULONG*,BN_ULONG,BN_ULONG);
                 q=bn_div_3_words(wnump,d1,d0);
 #else
@@ -331,8 +343,13 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
                 }
         if (rm != NULL)
                 {
+                /* Keep a copy of the neg flag in num because if rm==num
+                 * BN_rshift() will overwrite it.
+                 */
+                int neg = num->neg;
                 BN_rshift(rm,snum,norm_shift);
-                rm->neg=num->neg;
+                if (!BN_is_zero(rm))
+                        rm->neg = neg;
                 }
         BN_CTX_end(ctx);
         return(1);
@@ -342,40 +359,3 @@ err:
         }
 
 #endif
-
-/* rem != m */
-int BN_mod(BIGNUM *rem, const BIGNUM *m, const BIGNUM *d, BN_CTX *ctx)
-        {
-#if 0 /* The old slow way */
-        int i,nm,nd;
-        BIGNUM *dv;
-
-        if (BN_ucmp(m,d) < 0)
-                return((BN_copy(rem,m) == NULL)?0:1);
-
-        BN_CTX_start(ctx);
-        dv=BN_CTX_get(ctx);
-
-        if (!BN_copy(rem,m)) goto err;
-
-        nm=BN_num_bits(rem);
-        nd=BN_num_bits(d);
-        if (!BN_lshift(dv,d,nm-nd)) goto err;
-        for (i=nm-nd; i>=0; i--)
-                {
-                if (BN_cmp(rem,dv) >= 0)
-                        {
-                        if (!BN_sub(rem,rem,dv)) goto err;
-                        }
-                if (!BN_rshift1(dv,dv)) goto err;
-                }
-        BN_CTX_end(ctx);
-        return(1);
- err:
-        BN_CTX_end(ctx);
-        return(0);
-#else
-        return(BN_div(NULL,rem,m,d,ctx));
-#endif
-        }
-
diff --git a/src/lib/libcrypto/bn/bn_err.c b/src/lib/libcrypto/bn/bn_err.c
index adc6a214fc..fb84ee96d8 100644
--- a/src/lib/libcrypto/bn/bn_err.c
+++ b/src/lib/libcrypto/bn/bn_err.c
@@ -63,7 +63,7 @@
 #include <openssl/bn.h>
 
 /* BEGIN ERROR CODES */
-#ifndef NO_ERR
+#ifndef OPENSSL_NO_ERR
 static ERR_STRING_DATA BN_str_functs[]=
         {
 {ERR_PACK(0,BN_F_BN_BLINDING_CONVERT,0),        "BN_BLINDING_convert"},
@@ -76,11 +76,14 @@ static ERR_STRING_DATA BN_str_functs[]=
 {ERR_PACK(0,BN_F_BN_CTX_NEW,0), "BN_CTX_new"},
 {ERR_PACK(0,BN_F_BN_DIV,0),     "BN_div"},
 {ERR_PACK(0,BN_F_BN_EXPAND2,0), "bn_expand2"},
+{ERR_PACK(0,BN_F_BN_EXPAND_INTERNAL,0), "BN_EXPAND_INTERNAL"},
 {ERR_PACK(0,BN_F_BN_MOD_EXP2_MONT,0),   "BN_mod_exp2_mont"},
 {ERR_PACK(0,BN_F_BN_MOD_EXP_MONT,0),    "BN_mod_exp_mont"},
 {ERR_PACK(0,BN_F_BN_MOD_EXP_MONT_WORD,0),       "BN_mod_exp_mont_word"},
 {ERR_PACK(0,BN_F_BN_MOD_INVERSE,0),     "BN_mod_inverse"},
+{ERR_PACK(0,BN_F_BN_MOD_LSHIFT_QUICK,0),        "BN_mod_lshift_quick"},
 {ERR_PACK(0,BN_F_BN_MOD_MUL_RECIPROCAL,0),      "BN_mod_mul_reciprocal"},
+{ERR_PACK(0,BN_F_BN_MOD_SQRT,0),        "BN_mod_sqrt"},
 {ERR_PACK(0,BN_F_BN_MPI2BN,0),  "BN_mpi2bn"},
 {ERR_PACK(0,BN_F_BN_NEW,0),     "BN_new"},
 {ERR_PACK(0,BN_F_BN_RAND,0),    "BN_rand"},
@@ -98,10 +101,14 @@ static ERR_STRING_DATA BN_str_reasons[]=
 {BN_R_DIV_BY_ZERO                        ,"div by zero"},
 {BN_R_ENCODING_ERROR                     ,"encoding error"},
 {BN_R_EXPAND_ON_STATIC_BIGNUM_DATA       ,"expand on static bignum data"},
+{BN_R_INPUT_NOT_REDUCED                  ,"input not reduced"},
 {BN_R_INVALID_LENGTH                     ,"invalid length"},
 {BN_R_INVALID_RANGE                      ,"invalid range"},
+{BN_R_NOT_A_SQUARE                       ,"not a square"},
 {BN_R_NOT_INITIALIZED                    ,"not initialized"},
 {BN_R_NO_INVERSE                         ,"no inverse"},
+{BN_R_P_IS_NOT_PRIME                     ,"p is not prime"},
+{BN_R_TOO_MANY_ITERATIONS                ,"too many iterations"},
 {BN_R_TOO_MANY_TEMPORARY_VARIABLES       ,"too many temporary variables"},
 {0,NULL}
         };
@@ -115,7 +122,7 @@ void ERR_load_BN_strings(void)
         if (init)
                 {
                 init=0;
-#ifndef NO_ERR
+#ifndef OPENSSL_NO_ERR
                 ERR_load_strings(ERR_LIB_BN,BN_str_functs);
                 ERR_load_strings(ERR_LIB_BN,BN_str_reasons);
 #endif
diff --git a/src/lib/libcrypto/bn/bn_exp.c b/src/lib/libcrypto/bn/bn_exp.c
index d2c91628ac..afdfd580fb 100644
--- a/src/lib/libcrypto/bn/bn_exp.c
+++ b/src/lib/libcrypto/bn/bn_exp.c
@@ -110,38 +110,13 @@
  */
 
 
-#include <stdio.h>
 #include "cryptlib.h"
 #include "bn_lcl.h"
 
 #define TABLE_SIZE      32
 
-/* slow but works */
-int BN_mod_mul(BIGNUM *ret, BIGNUM *a, BIGNUM *b, const BIGNUM *m, BN_CTX *ctx)
-        {
-        BIGNUM *t;
-        int r=0;
-
-        bn_check_top(a);
-        bn_check_top(b);
-        bn_check_top(m);
-
-        BN_CTX_start(ctx);
-        if ((t = BN_CTX_get(ctx)) == NULL) goto err;
-        if (a == b)
-                { if (!BN_sqr(t,a,ctx)) goto err; }
-        else
-                { if (!BN_mul(t,a,b,ctx)) goto err; }
-        if (!BN_mod(ret,t,m,ctx)) goto err;
-        r=1;
-err:
-        BN_CTX_end(ctx);
-        return(r);
-        }
-
-
 /* this one works - simple but works */
-int BN_exp(BIGNUM *r, BIGNUM *a, BIGNUM *p, BN_CTX *ctx)
+int BN_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
         {
         int i,bits,ret=0;
         BIGNUM *v,*rr;
@@ -176,7 +151,7 @@ err:
         }
 
 
-int BN_mod_exp(BIGNUM *r, BIGNUM *a, const BIGNUM *p, const BIGNUM *m,
+int BN_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m,
                BN_CTX *ctx)
         {
         int ret;
@@ -185,6 +160,40 @@ int BN_mod_exp(BIGNUM *r, BIGNUM *a, const BIGNUM *p, const BIGNUM *m,
         bn_check_top(p);
         bn_check_top(m);
 
+        /* For even modulus  m = 2^k*m_odd,  it might make sense to compute
+         * a^p mod m_odd  and  a^p mod 2^k  separately (with Montgomery
+         * exponentiation for the odd part), using appropriate exponent
+         * reductions, and combine the results using the CRT.
+         *
+         * For now, we use Montgomery only if the modulus is odd; otherwise,
+         * exponentiation using the reciprocal-based quick remaindering
+         * algorithm is used.
+         *
+         * (Timing obtained with expspeed.c [computations  a^p mod m
+         * where  a, p, m  are of the same length: 256, 512, 1024, 2048,
+         * 4096, 8192 bits], compared to the running time of the
+         * standard algorithm:
+         *
+         *   BN_mod_exp_mont   33 .. 40 %  [AMD K6-2, Linux, debug configuration]
+         *                     55 .. 77 %  [UltraSparc processor, but
+         *                                  debug-solaris-sparcv8-gcc conf.]
+         * 
+         *   BN_mod_exp_recp   50 .. 70 %  [AMD K6-2, Linux, debug configuration]
+         *                     62 .. 118 % [UltraSparc, debug-solaris-sparcv8-gcc]
+         *
+         * On the Sparc, BN_mod_exp_recp was faster than BN_mod_exp_mont
+         * at 2048 and more bits, but at 512 and 1024 bits, it was
+         * slower even than the standard algorithm!
+         *
+         * "Real" timings [linux-elf, solaris-sparcv9-gcc configurations]
+         * should be obtained when the new Montgomery reduction code
+         * has been integrated into OpenSSL.)
+         */
+
+#define MONT_MUL_MOD
+#define MONT_EXP_WORD
+#define RECP_MUL_MOD
+
 #ifdef MONT_MUL_MOD
         /* I have finally been able to take out this pre-condition of
          * the top bit being set.  It was caused by an error in BN_div
@@ -194,12 +203,14 @@ int BN_mod_exp(BIGNUM *r, BIGNUM *a, const BIGNUM *p, const BIGNUM *m,
 
         if (BN_is_odd(m))
                 {
-                if (a->top == 1)
+#  ifdef MONT_EXP_WORD
+                if (a->top == 1 && !a->neg)
                         {
                         BN_ULONG A = a->d[0];
                         ret=BN_mod_exp_mont_word(r,A,p,m,ctx,NULL);
                         }
                 else
+#  endif
                         ret=BN_mod_exp_mont(r,a,p,m,ctx,NULL);
                 }
         else
@@ -227,20 +238,35 @@ int BN_mod_exp_recp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
 
         if (bits == 0)
                 {
-                BN_one(r);
-                return(1);
+                ret = BN_one(r);
+                return ret;
                 }
 
         BN_CTX_start(ctx);
         if ((aa = BN_CTX_get(ctx)) == NULL) goto err;
 
         BN_RECP_CTX_init(&recp);
-        if (BN_RECP_CTX_set(&recp,m,ctx) <= 0) goto err;
+        if (m->neg)
+                {
+                /* ignore sign of 'm' */
+                if (!BN_copy(aa, m)) goto err;
+                aa->neg = 0;
+                if (BN_RECP_CTX_set(&recp,aa,ctx) <= 0) goto err;
+                }
+        else
+                {
+                if (BN_RECP_CTX_set(&recp,m,ctx) <= 0) goto err;
+                }
 
         BN_init(&(val[0]));
         ts=1;
 
-        if (!BN_mod(&(val[0]),a,m,ctx)) goto err;               /* 1 */
+        if (!BN_nnmod(&(val[0]),a,m,ctx)) goto err;             /* 1 */
+        if (BN_is_zero(&(val[0])))
+                {
+                ret = BN_zero(r);
+                goto err;
+                }
 
         window = BN_window_bits_for_exponent_size(bits);
         if (window > 1)
@@ -325,13 +351,13 @@ err:
         }
 
 
-int BN_mod_exp_mont(BIGNUM *rr, BIGNUM *a, const BIGNUM *p,
+int BN_mod_exp_mont(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
                     const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *in_mont)
         {
         int i,j,bits,ret=0,wstart,wend,window,wvalue;
         int start=1,ts=0;
         BIGNUM *d,*r;
-        BIGNUM *aa;
+        const BIGNUM *aa;
         BIGNUM val[TABLE_SIZE];
         BN_MONT_CTX *mont=NULL;
 
@@ -347,9 +373,10 @@ int BN_mod_exp_mont(BIGNUM *rr, BIGNUM *a, const BIGNUM *p,
         bits=BN_num_bits(p);
         if (bits == 0)
                 {
-                BN_one(rr);
-                return(1);
+                ret = BN_one(rr);
+                return ret;
                 }
+
         BN_CTX_start(ctx);
         d = BN_CTX_get(ctx);
         r = BN_CTX_get(ctx);
@@ -368,14 +395,19 @@ int BN_mod_exp_mont(BIGNUM *rr, BIGNUM *a, const BIGNUM *p,
 
         BN_init(&val[0]);
         ts=1;
-        if (BN_ucmp(a,m) >= 0)
+        if (a->neg || BN_ucmp(a,m) >= 0)
                 {
-                if (!BN_mod(&(val[0]),a,m,ctx))
+                if (!BN_nnmod(&(val[0]),a,m,ctx))
                         goto err;
                 aa= &(val[0]);
                 }
         else
                 aa=a;
+        if (BN_is_zero(aa))
+                {
+                ret = BN_zero(rr);
+                goto err;
+                }
         if (!BN_to_montgomery(&(val[0]),aa,mont,ctx)) goto err; /* 1 */
 
         window = BN_window_bits_for_exponent_size(bits);
@@ -475,26 +507,39 @@ int BN_mod_exp_mont_word(BIGNUM *rr, BN_ULONG a, const BIGNUM *p,
                 (/* BN_ucmp(r, (m)) < 0 ? 1 :*/  \
                         (BN_mod(t, r, m, ctx) && (swap_tmp = r, r = t, t = swap_tmp, 1))))
                 /* BN_MOD_MUL_WORD is only used with 'w' large,
-                  * so the BN_ucmp test is probably more overhead
-                  * than always using BN_mod (which uses BN_copy if
-                  * a similar test returns true). */
+                 * so the BN_ucmp test is probably more overhead
+                 * than always using BN_mod (which uses BN_copy if
+                 * a similar test returns true). */
+                /* We can use BN_mod and do not need BN_nnmod because our
+                 * accumulator is never negative (the result of BN_mod does
+                 * not depend on the sign of the modulus).
+                 */
 #define BN_TO_MONTGOMERY_WORD(r, w, mont) \
                 (BN_set_word(r, (w)) && BN_to_montgomery(r, r, (mont), ctx))
 
         bn_check_top(p);
         bn_check_top(m);
 
-        if (!(m->d[0] & 1))
+        if (m->top == 0 || !(m->d[0] & 1))
                 {
                 BNerr(BN_F_BN_MOD_EXP_MONT_WORD,BN_R_CALLED_WITH_EVEN_MODULUS);
                 return(0);
                 }
+        if (m->top == 1)
+                a %= m->d[0]; /* make sure that 'a' is reduced */
+
         bits = BN_num_bits(p);
         if (bits == 0)
                 {
-                BN_one(rr);
-                return(1);
+                ret = BN_one(rr);
+                return ret;
+                }
+        if (a == 0)
+                {
+                ret = BN_zero(rr);
+                return ret;
                 }
+
         BN_CTX_start(ctx);
         d = BN_CTX_get(ctx);
         r = BN_CTX_get(ctx);
@@ -590,8 +635,9 @@ err:
 
 
 /* The old fallback, simple version :-) */
-int BN_mod_exp_simple(BIGNUM *r, BIGNUM *a, BIGNUM *p, BIGNUM *m,
-             BN_CTX *ctx)
+int BN_mod_exp_simple(BIGNUM *r,
+        const BIGNUM *a, const BIGNUM *p, const BIGNUM *m,
+        BN_CTX *ctx)
         {
         int i,j,bits,ret=0,wstart,wend,window,wvalue,ts=0;
         int start=1;
@@ -602,8 +648,8 @@ int BN_mod_exp_simple(BIGNUM *r, BIGNUM *a, BIGNUM *p, BIGNUM *m,
 
         if (bits == 0)
                 {
-                BN_one(r);
-                return(1);
+                ret = BN_one(r);
+                return ret;
                 }
 
         BN_CTX_start(ctx);
@@ -611,7 +657,12 @@ int BN_mod_exp_simple(BIGNUM *r, BIGNUM *a, BIGNUM *p, BIGNUM *m,
 
         BN_init(&(val[0]));
         ts=1;
-        if (!BN_mod(&(val[0]),a,m,ctx)) goto err;               /* 1 */
+        if (!BN_nnmod(&(val[0]),a,m,ctx)) goto err;             /* 1 */
+        if (BN_is_zero(&(val[0])))
+                {
+                ret = BN_zero(r);
+                goto err;
+                }
 
         window = BN_window_bits_for_exponent_size(bits);
         if (window > 1)
diff --git a/src/lib/libcrypto/bn/bn_exp2.c b/src/lib/libcrypto/bn/bn_exp2.c
index 29029f4c72..73ccd58a83 100644
--- a/src/lib/libcrypto/bn/bn_exp2.c
+++ b/src/lib/libcrypto/bn/bn_exp2.c
@@ -115,13 +115,14 @@
 
 #define TABLE_SIZE      32
 
-int BN_mod_exp2_mont(BIGNUM *rr, BIGNUM *a1, BIGNUM *p1, BIGNUM *a2,
-             BIGNUM *p2, BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *in_mont)
+int BN_mod_exp2_mont(BIGNUM *rr, const BIGNUM *a1, const BIGNUM *p1,
+        const BIGNUM *a2, const BIGNUM *p2, const BIGNUM *m,
+        BN_CTX *ctx, BN_MONT_CTX *in_mont)
         {
         int i,j,bits,b,bits1,bits2,ret=0,wpos1,wpos2,window1,window2,wvalue1,wvalue2;
         int r_is_one=1,ts1=0,ts2=0;
         BIGNUM *d,*r;
-        BIGNUM *a_mod_m;
+        const BIGNUM *a_mod_m;
         BIGNUM val1[TABLE_SIZE], val2[TABLE_SIZE];
         BN_MONT_CTX *mont=NULL;
 
@@ -140,9 +141,10 @@ int BN_mod_exp2_mont(BIGNUM *rr, BIGNUM *a1, BIGNUM *p1, BIGNUM *a2,
         bits2=BN_num_bits(p2);
         if ((bits1 == 0) && (bits2 == 0))
                 {
-                BN_one(rr);
-                return(1);
+                ret = BN_one(rr);
+                return ret;
                 }
+        
         bits=(bits1 > bits2)?bits1:bits2;
 
         BN_CTX_start(ctx);
@@ -166,7 +168,7 @@ int BN_mod_exp2_mont(BIGNUM *rr, BIGNUM *a1, BIGNUM *p1, BIGNUM *a2,
          */
         BN_init(&val1[0]);
         ts1=1;
-        if (BN_ucmp(a1,m) >= 0)
+        if (a1->neg || BN_ucmp(a1,m) >= 0)
                 {
                 if (!BN_mod(&(val1[0]),a1,m,ctx))
                         goto err;
@@ -174,6 +176,12 @@ int BN_mod_exp2_mont(BIGNUM *rr, BIGNUM *a1, BIGNUM *p1, BIGNUM *a2,
                 }
         else
                 a_mod_m = a1;
+        if (BN_is_zero(a_mod_m))
+                {
+                ret = BN_zero(rr);
+                goto err;
+                }
+
         if (!BN_to_montgomery(&(val1[0]),a_mod_m,mont,ctx)) goto err;
         if (window1 > 1)
                 {
@@ -195,7 +203,7 @@ int BN_mod_exp2_mont(BIGNUM *rr, BIGNUM *a1, BIGNUM *p1, BIGNUM *a2,
          */
         BN_init(&val2[0]);
         ts2=1;
-        if (BN_ucmp(a2,m) >= 0)
+        if (a2->neg || BN_ucmp(a2,m) >= 0)
                 {
                 if (!BN_mod(&(val2[0]),a2,m,ctx))
                         goto err;
@@ -203,6 +211,11 @@ int BN_mod_exp2_mont(BIGNUM *rr, BIGNUM *a1, BIGNUM *p1, BIGNUM *a2,
                 }
         else
                 a_mod_m = a2;
+        if (BN_is_zero(a_mod_m))
+                {
+                ret = BN_zero(rr);
+                goto err;
+                }
         if (!BN_to_montgomery(&(val2[0]),a_mod_m,mont,ctx)) goto err;
         if (window2 > 1)
                 {
diff --git a/src/lib/libcrypto/bn/bn_gcd.c b/src/lib/libcrypto/bn/bn_gcd.c
index 398207196b..7649f63fd2 100644
--- a/src/lib/libcrypto/bn/bn_gcd.c
+++ b/src/lib/libcrypto/bn/bn_gcd.c
@@ -55,14 +55,66 @@
  * copied and put under another distribution licence
  * [including the GNU Public Licence.]
  */
+/* ====================================================================
+ * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
 
-#include <stdio.h>
 #include "cryptlib.h"
 #include "bn_lcl.h"
 
 static BIGNUM *euclid(BIGNUM *a, BIGNUM *b);
 
-int BN_gcd(BIGNUM *r, BIGNUM *in_a, BIGNUM *in_b, BN_CTX *ctx)
+int BN_gcd(BIGNUM *r, const BIGNUM *in_a, const BIGNUM *in_b, BN_CTX *ctx)
         {
         BIGNUM *a,*b,*t;
         int ret=0;
@@ -77,6 +129,8 @@ int BN_gcd(BIGNUM *r, BIGNUM *in_a, BIGNUM *in_b, BN_CTX *ctx)
 
         if (BN_copy(a,in_a) == NULL) goto err;
         if (BN_copy(b,in_b) == NULL) goto err;
+        a->neg = 0;
+        b->neg = 0;
 
         if (BN_cmp(a,b) < 0) { t=a; a=b; b=t; }
         t=euclid(a,b);
@@ -97,10 +151,10 @@ static BIGNUM *euclid(BIGNUM *a, BIGNUM *b)
         bn_check_top(a);
         bn_check_top(b);
 
-        for (;;)
+        /* 0 <= b <= a */
+        while (!BN_is_zero(b))
                 {
-                if (BN_is_zero(b))
-                        break;
+                /* 0 < b <= a */
 
                 if (BN_is_odd(a))
                         {
@@ -133,7 +187,9 @@ static BIGNUM *euclid(BIGNUM *a, BIGNUM *b)
                                 shifts++;
                                 }
                         }
+                /* 0 <= b <= a */
                 }
+
         if (shifts)
                 {
                 if (!BN_lshift(a,a,shifts)) goto err;
@@ -143,11 +199,13 @@ err:
         return(NULL);
         }
 
+
 /* solves ax == 1 (mod n) */
-BIGNUM *BN_mod_inverse(BIGNUM *in, BIGNUM *a, const BIGNUM *n, BN_CTX *ctx)
+BIGNUM *BN_mod_inverse(BIGNUM *in,
+        const BIGNUM *a, const BIGNUM *n, BN_CTX *ctx)
         {
-        BIGNUM *A,*B,*X,*Y,*M,*D,*R=NULL;
-        BIGNUM *T,*ret=NULL;
+        BIGNUM *A,*B,*X,*Y,*M,*D,*T,*R=NULL;
+        BIGNUM *ret=NULL;
         int sign;
 
         bn_check_top(a);
@@ -160,7 +218,8 @@ BIGNUM *BN_mod_inverse(BIGNUM *in, BIGNUM *a, const BIGNUM *n, BN_CTX *ctx)
         D = BN_CTX_get(ctx);
         M = BN_CTX_get(ctx);
         Y = BN_CTX_get(ctx);
-        if (Y == NULL) goto err;
+        T = BN_CTX_get(ctx);
+        if (T == NULL) goto err;
 
         if (in == NULL)
                 R=BN_new();
@@ -168,34 +227,256 @@ BIGNUM *BN_mod_inverse(BIGNUM *in, BIGNUM *a, const BIGNUM *n, BN_CTX *ctx)
                 R=in;
         if (R == NULL) goto err;
 
-        BN_zero(X);
-        BN_one(Y);
-        if (BN_copy(A,a) == NULL) goto err;
-        if (BN_copy(B,n) == NULL) goto err;
-        sign=1;
+        BN_one(X);
+        BN_zero(Y);
+        if (BN_copy(B,a) == NULL) goto err;
+        if (BN_copy(A,n) == NULL) goto err;
+        A->neg = 0;
+        if (B->neg || (BN_ucmp(B, A) >= 0))
+                {
+                if (!BN_nnmod(B, B, A, ctx)) goto err;
+                }
+        sign = -1;
+        /* From  B = a mod |n|,  A = |n|  it follows that
+         *
+         *      0 <= B < A,
+         *     -sign*X*a  ==  B   (mod |n|),
+         *      sign*Y*a  ==  A   (mod |n|).
+         */
 
-        while (!BN_is_zero(B))
+        if (BN_is_odd(n) && (BN_num_bits(n) <= (BN_BITS <= 32 ? 450 : 2048)))
                 {
-                if (!BN_div(D,M,A,B,ctx)) goto err;
-                T=A;
-                A=B;
-                B=M;
-                /* T has a struct, M does not */
-
-                if (!BN_mul(T,D,X,ctx)) goto err;
-                if (!BN_add(T,T,Y)) goto err;
-                M=Y;
-                Y=X;
-                X=T;
-                sign= -sign;
+                /* Binary inversion algorithm; requires odd modulus.
+                 * This is faster than the general algorithm if the modulus
+                 * is sufficiently small (about 400 .. 500 bits on 32-bit
+                 * sytems, but much more on 64-bit systems) */
+                int shift;
+                
+                while (!BN_is_zero(B))
+                        {
+                        /*
+                         *      0 < B < |n|,
+                         *      0 < A <= |n|,
+                         * (1) -sign*X*a  ==  B   (mod |n|),
+                         * (2)  sign*Y*a  ==  A   (mod |n|)
+                         */
+
+                        /* Now divide  B  by the maximum possible power of two in the integers,
+                         * and divide  X  by the same value mod |n|.
+                         * When we're done, (1) still holds. */
+                        shift = 0;
+                        while (!BN_is_bit_set(B, shift)) /* note that 0 < B */
+                                {
+                                shift++;
+                                
+                                if (BN_is_odd(X))
+                                        {
+                                        if (!BN_uadd(X, X, n)) goto err;
+                                        }
+                                /* now X is even, so we can easily divide it by two */
+                                if (!BN_rshift1(X, X)) goto err;
+                                }
+                        if (shift > 0)
+                                {
+                                if (!BN_rshift(B, B, shift)) goto err;
+                                }
+
+
+                        /* Same for  A  and  Y.  Afterwards, (2) still holds. */
+                        shift = 0;
+                        while (!BN_is_bit_set(A, shift)) /* note that 0 < A */
+                                {
+                                shift++;
+                                
+                                if (BN_is_odd(Y))
+                                        {
+                                        if (!BN_uadd(Y, Y, n)) goto err;
+                                        }
+                                /* now Y is even */
+                                if (!BN_rshift1(Y, Y)) goto err;
+                                }
+                        if (shift > 0)
+                                {
+                                if (!BN_rshift(A, A, shift)) goto err;
+                                }
+
+                        
+                        /* We still have (1) and (2).
+                         * Both  A  and  B  are odd.
+                         * The following computations ensure that
+                         *
+                         *     0 <= B < |n|,
+                         *      0 < A < |n|,
+                         * (1) -sign*X*a  ==  B   (mod |n|),
+                         * (2)  sign*Y*a  ==  A   (mod |n|),
+                         *
+                         * and that either  A  or  B  is even in the next iteration.
+                         */
+                        if (BN_ucmp(B, A) >= 0)
+                                {
+                                /* -sign*(X + Y)*a == B - A  (mod |n|) */
+                                if (!BN_uadd(X, X, Y)) goto err;
+                                /* NB: we could use BN_mod_add_quick(X, X, Y, n), but that
+                                 * actually makes the algorithm slower */
+                                if (!BN_usub(B, B, A)) goto err;
+                                }
+                        else
+                                {
+                                /*  sign*(X + Y)*a == A - B  (mod |n|) */
+                                if (!BN_uadd(Y, Y, X)) goto err;
+                                /* as above, BN_mod_add_quick(Y, Y, X, n) would slow things down */
+                                if (!BN_usub(A, A, B)) goto err;
+                                }
+                        }
+                }
+        else
+                {
+                /* general inversion algorithm */
+
+                while (!BN_is_zero(B))
+                        {
+                        BIGNUM *tmp;
+                        
+                        /*
+                         *      0 < B < A,
+                         * (*) -sign*X*a  ==  B   (mod |n|),
+                         *      sign*Y*a  ==  A   (mod |n|)
+                         */
+                        
+                        /* (D, M) := (A/B, A%B) ... */
+                        if (BN_num_bits(A) == BN_num_bits(B))
+                                {
+                                if (!BN_one(D)) goto err;
+                                if (!BN_sub(M,A,B)) goto err;
+                                }
+                        else if (BN_num_bits(A) == BN_num_bits(B) + 1)
+                                {
+                                /* A/B is 1, 2, or 3 */
+                                if (!BN_lshift1(T,B)) goto err;
+                                if (BN_ucmp(A,T) < 0)
+                                        {
+                                        /* A < 2*B, so D=1 */
+                                        if (!BN_one(D)) goto err;
+                                        if (!BN_sub(M,A,B)) goto err;
+                                        }
+                                else
+                                        {
+                                        /* A >= 2*B, so D=2 or D=3 */
+                                        if (!BN_sub(M,A,T)) goto err;
+                                        if (!BN_add(D,T,B)) goto err; /* use D (:= 3*B) as temp */
+                                        if (BN_ucmp(A,D) < 0)
+                                                {
+                                                /* A < 3*B, so D=2 */
+                                                if (!BN_set_word(D,2)) goto err;
+                                                /* M (= A - 2*B) already has the correct value */
+                                                }
+                                        else
+                                                {
+                                                /* only D=3 remains */
+                                                if (!BN_set_word(D,3)) goto err;
+                                                /* currently  M = A - 2*B,  but we need  M = A - 3*B */
+                                                if (!BN_sub(M,M,B)) goto err;
+                                                }
+                                        }
+                                }
+                        else
+                                {
+                                if (!BN_div(D,M,A,B,ctx)) goto err;
+                                }
+                        
+                        /* Now
+                         *      A = D*B + M;
+                         * thus we have
+                         * (**)  sign*Y*a  ==  D*B + M   (mod |n|).
+                         */
+                        
+                        tmp=A; /* keep the BIGNUM object, the value does not matter */
+                        
+                        /* (A, B) := (B, A mod B) ... */
+                        A=B;
+                        B=M;
+                        /* ... so we have  0 <= B < A  again */
+                        
+                        /* Since the former  M  is now  B  and the former  B  is now  A,
+                         * (**) translates into
+                         *       sign*Y*a  ==  D*A + B    (mod |n|),
+                         * i.e.
+                         *       sign*Y*a - D*A  ==  B    (mod |n|).
+                         * Similarly, (*) translates into
+                         *      -sign*X*a  ==  A          (mod |n|).
+                         *
+                         * Thus,
+                         *   sign*Y*a + D*sign*X*a  ==  B  (mod |n|),
+                         * i.e.
+                         *        sign*(Y + D*X)*a  ==  B  (mod |n|).
+                         *
+                         * So if we set  (X, Y, sign) := (Y + D*X, X, -sign),  we arrive back at
+                         *      -sign*X*a  ==  B   (mod |n|),
+                         *       sign*Y*a  ==  A   (mod |n|).
+                         * Note that  X  and  Y  stay non-negative all the time.
+                         */
+                        
+                        /* most of the time D is very small, so we can optimize tmp := D*X+Y */
+                        if (BN_is_one(D))
+                                {
+                                if (!BN_add(tmp,X,Y)) goto err;
+                                }
+                        else
+                                {
+                                if (BN_is_word(D,2))
+                                        {
+                                        if (!BN_lshift1(tmp,X)) goto err;
+                                        }
+                                else if (BN_is_word(D,4))
+                                        {
+                                        if (!BN_lshift(tmp,X,2)) goto err;
+                                        }
+                                else if (D->top == 1)
+                                        {
+                                        if (!BN_copy(tmp,X)) goto err;
+                                        if (!BN_mul_word(tmp,D->d[0])) goto err;
+                                        }
+                                else
+                                        {
+                                        if (!BN_mul(tmp,D,X,ctx)) goto err;
+                                        }
+                                if (!BN_add(tmp,tmp,Y)) goto err;
+                                }
+                        
+                        M=Y; /* keep the BIGNUM object, the value does not matter */
+                        Y=X;
+                        X=tmp;
+                        sign = -sign;
+                        }
                 }
+                
+        /*
+         * The while loop (Euclid's algorithm) ends when
+         *      A == gcd(a,n);
+         * we have
+         *       sign*Y*a  ==  A  (mod |n|),
+         * where  Y  is non-negative.
+         */
+
         if (sign < 0)
                 {
                 if (!BN_sub(Y,n,Y)) goto err;
                 }
+        /* Now  Y*a  ==  A  (mod |n|).  */
+        
 
         if (BN_is_one(A))
-                { if (!BN_mod(R,Y,n,ctx)) goto err; }
+                {
+                /* Y*a == 1  (mod |n|) */
+                if (!Y->neg && BN_ucmp(Y,n) < 0)
+                        {
+                        if (!BN_copy(R,Y)) goto err;
+                        }
+                else
+                        {
+                        if (!BN_nnmod(R,Y,n,ctx)) goto err;
+                        }
+                }
         else
                 {
                 BNerr(BN_F_BN_MOD_INVERSE,BN_R_NO_INVERSE);
@@ -207,4 +488,3 @@ err:
         BN_CTX_end(ctx);
         return(ret);
         }
-
diff --git a/src/lib/libcrypto/bn/bn_kron.c b/src/lib/libcrypto/bn/bn_kron.c
new file mode 100644
index 0000000000..49f75594ae
--- /dev/null
+++ b/src/lib/libcrypto/bn/bn_kron.c
@@ -0,0 +1,182 @@
+/* crypto/bn/bn_kron.c */
+/* ====================================================================
+ * Copyright (c) 1998-2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include "bn_lcl.h"
+
+
+/* least significant word */
+#define BN_lsw(n) (((n)->top == 0) ? (BN_ULONG) 0 : (n)->d[0])
+
+/* Returns -2 for errors because both -1 and 0 are valid results. */
+int BN_kronecker(const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
+        {
+        int i;
+        int ret = -2; /* avoid 'uninitialized' warning */
+        int err = 0;
+        BIGNUM *A, *B, *tmp;
+        /* In 'tab', only odd-indexed entries are relevant:
+         * For any odd BIGNUM n,
+         *     tab[BN_lsw(n) & 7]
+         * is $(-1)^{(n^2-1)/8}$ (using TeX notation).
+         * Note that the sign of n does not matter.
+         */
+        static const int tab[8] = {0, 1, 0, -1, 0, -1, 0, 1};
+
+        BN_CTX_start(ctx);
+        A = BN_CTX_get(ctx);
+        B = BN_CTX_get(ctx);
+        if (B == NULL) goto end;
+        
+        err = !BN_copy(A, a);
+        if (err) goto end;
+        err = !BN_copy(B, b);
+        if (err) goto end;
+
+        /*
+         * Kronecker symbol, imlemented according to Henri Cohen,
+         * "A Course in Computational Algebraic Number Theory"
+         * (algorithm 1.4.10).
+         */
+
+        /* Cohen's step 1: */
+
+        if (BN_is_zero(B))
+                {
+                ret = BN_abs_is_word(A, 1);
+                goto end;
+                }
+        
+        /* Cohen's step 2: */
+
+        if (!BN_is_odd(A) && !BN_is_odd(B))
+                {
+                ret = 0;
+                goto end;
+                }
+
+        /* now  B  is non-zero */
+        i = 0;
+        while (!BN_is_bit_set(B, i))
+                i++;
+        err = !BN_rshift(B, B, i);
+        if (err) goto end;
+        if (i & 1)
+                {
+                /* i is odd */
+                /* (thus  B  was even, thus  A  must be odd!)  */
+
+                /* set 'ret' to $(-1)^{(A^2-1)/8}$ */
+                ret = tab[BN_lsw(A) & 7];
+                }
+        else
+                {
+                /* i is even */
+                ret = 1;
+                }
+        
+        if (B->neg)
+                {
+                B->neg = 0;
+                if (A->neg)
+                        ret = -ret;
+                }
+
+        /* now  B  is positive and odd, so what remains to be done is
+         * to compute the Jacobi symbol  (A/B)  and multiply it by 'ret' */
+
+        while (1)
+                {
+                /* Cohen's step 3: */
+
+                /*  B  is positive and odd */
+
+                if (BN_is_zero(A))
+                        {
+                        ret = BN_is_one(B) ? ret : 0;
+                        goto end;
+                        }
+
+                /* now  A  is non-zero */
+                i = 0;
+                while (!BN_is_bit_set(A, i))
+                        i++;
+                err = !BN_rshift(A, A, i);
+                if (err) goto end;
+                if (i & 1)
+                        {
+                        /* i is odd */
+                        /* multiply 'ret' by  $(-1)^{(B^2-1)/8}$ */
+                        ret = ret * tab[BN_lsw(B) & 7];
+                        }
+        
+                /* Cohen's step 4: */
+                /* multiply 'ret' by  $(-1)^{(A-1)(B-1)/4}$ */
+                if ((A->neg ? ~BN_lsw(A) : BN_lsw(A)) & BN_lsw(B) & 2)
+                        ret = -ret;
+                
+                /* (A, B) := (B mod |A|, |A|) */
+                err = !BN_nnmod(B, B, A, ctx);
+                if (err) goto end;
+                tmp = A; A = B; B = tmp;
+                tmp->neg = 0;
+                }
+        
+ end:
+        BN_CTX_end(ctx);
+        if (err)
+                return -2;
+        else
+                return ret;
+        }
diff --git a/src/lib/libcrypto/bn/bn_lcl.h b/src/lib/libcrypto/bn/bn_lcl.h
index 9c959921b4..8a4dba375a 100644
--- a/src/lib/libcrypto/bn/bn_lcl.h
+++ b/src/lib/libcrypto/bn/bn_lcl.h
@@ -119,6 +119,20 @@ extern "C" {
 #endif
 
 
+/* Used for temp variables */
+#define BN_CTX_NUM      32
+#define BN_CTX_NUM_POS  12
+struct bignum_ctx
+        {
+        int tos;
+        BIGNUM bn[BN_CTX_NUM];
+        int flags;
+        int depth;
+        int pos[BN_CTX_NUM_POS];
+        int too_many;
+        } /* BN_CTX */;
+
+
 /*
  * BN_window_bits_for_exponent_size -- macro for sliding window mod_exp functions
  *
@@ -171,7 +185,7 @@ extern "C" {
 #define BN_MUL_LOW_RECURSIVE_SIZE_NORMAL        (32) /* 32 */
 #define BN_MONT_CTX_SET_SIZE_WORD               (64) /* 32 */
 
-#if !defined(NO_ASM) && !defined(NO_INLINE_ASM) && !defined(PEDANTIC)
+#if !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM) && !defined(PEDANTIC)
 /*
  * BN_UMULT_HIGH section.
  *
@@ -217,7 +231,7 @@ extern "C" {
         ret;                    })
 #  endif        /* compiler */
 # endif         /* cpu */
-#endif          /* NO_ASM */
+#endif          /* OPENSSL_NO_ASM */
 
 /*************************************************************
  * Using the long long type
@@ -398,19 +412,26 @@ extern "C" {
 void bn_mul_normal(BN_ULONG *r,BN_ULONG *a,int na,BN_ULONG *b,int nb);
 void bn_mul_comba8(BN_ULONG *r,BN_ULONG *a,BN_ULONG *b);
 void bn_mul_comba4(BN_ULONG *r,BN_ULONG *a,BN_ULONG *b);
-void bn_sqr_normal(BN_ULONG *r, BN_ULONG *a, int n, BN_ULONG *tmp);
-void bn_sqr_comba8(BN_ULONG *r,BN_ULONG *a);
-void bn_sqr_comba4(BN_ULONG *r,BN_ULONG *a);
-int bn_cmp_words(BN_ULONG *a,BN_ULONG *b,int n);
-void bn_mul_recursive(BN_ULONG *r,BN_ULONG *a,BN_ULONG *b,int n2,BN_ULONG *t);
+void bn_sqr_normal(BN_ULONG *r, const BN_ULONG *a, int n, BN_ULONG *tmp);
+void bn_sqr_comba8(BN_ULONG *r,const BN_ULONG *a);
+void bn_sqr_comba4(BN_ULONG *r,const BN_ULONG *a);
+int bn_cmp_words(const BN_ULONG *a,const BN_ULONG *b,int n);
+int bn_cmp_part_words(const BN_ULONG *a, const BN_ULONG *b,
+        int cl, int dl);
+void bn_mul_recursive(BN_ULONG *r,BN_ULONG *a,BN_ULONG *b,int n2,
+        int dna,int dnb,BN_ULONG *t);
 void bn_mul_part_recursive(BN_ULONG *r,BN_ULONG *a,BN_ULONG *b,
-        int tn, int n,BN_ULONG *t);
-void bn_sqr_recursive(BN_ULONG *r,BN_ULONG *a, int n2, BN_ULONG *t);
+        int n,int tna,int tnb,BN_ULONG *t);
+void bn_sqr_recursive(BN_ULONG *r,const BN_ULONG *a, int n2, BN_ULONG *t);
 void bn_mul_low_normal(BN_ULONG *r,BN_ULONG *a,BN_ULONG *b, int n);
 void bn_mul_low_recursive(BN_ULONG *r,BN_ULONG *a,BN_ULONG *b,int n2,
         BN_ULONG *t);
 void bn_mul_high(BN_ULONG *r,BN_ULONG *a,BN_ULONG *b,BN_ULONG *l,int n2,
         BN_ULONG *t);
+BN_ULONG bn_add_part_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
+        int cl, int dl);
+BN_ULONG bn_sub_part_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
+        int cl, int dl);
 
 #ifdef  __cplusplus
 }
diff --git a/src/lib/libcrypto/bn/bn_lib.c b/src/lib/libcrypto/bn/bn_lib.c
index 7767d65170..a016cb7f53 100644
--- a/src/lib/libcrypto/bn/bn_lib.c
+++ b/src/lib/libcrypto/bn/bn_lib.c
@@ -128,7 +128,7 @@ int BN_get_params(int which)
         else return(0);
         }
 
-BIGNUM *BN_value_one(void)
+const BIGNUM *BN_value_one(void)
         {
         static BN_ULONG data_one=1L;
         static BIGNUM const_one={&data_one,1,1,0};
@@ -305,172 +305,168 @@ BIGNUM *BN_new(void)
         return(ret);
         }
 
-/* This is an internal function that should not be used in applications.
- * It ensures that 'b' has enough room for a 'words' word number number.
- * It is mostly used by the various BIGNUM routines. If there is an error,
- * NULL is returned. If not, 'b' is returned. */
-
-BIGNUM *bn_expand2(BIGNUM *b, int words)
+/* This is used both by bn_expand2() and bn_dup_expand() */
+/* The caller MUST check that words > b->dmax before calling this */
+static BN_ULONG *bn_expand_internal(const BIGNUM *b, int words)
         {
-        BN_ULONG *A,*a;
+        BN_ULONG *A,*a = NULL;
         const BN_ULONG *B;
         int i;
 
-        bn_check_top(b);
+        if (words > (INT_MAX/(4*BN_BITS2)))
+                {
+                BNerr(BN_F_BN_EXPAND_INTERNAL,BN_R_BIGNUM_TOO_LONG);
+                return NULL;
+                }
 
-        if (words > b->dmax)
+        bn_check_top(b);        
+        if (BN_get_flags(b,BN_FLG_STATIC_DATA))
                 {
-                if (words > (INT_MAX/(4*BN_BITS2)))
-                        {
-                        BNerr(BN_F_BN_EXPAND2,BN_R_BIGNUM_TOO_LONG);
-                        return NULL;
-                        }
-                        
-                bn_check_top(b);        
-                if (BN_get_flags(b,BN_FLG_STATIC_DATA))
+                BNerr(BN_F_BN_EXPAND_INTERNAL,BN_R_EXPAND_ON_STATIC_BIGNUM_DATA);
+                return(NULL);
+                }
+        a=A=(BN_ULONG *)OPENSSL_malloc(sizeof(BN_ULONG)*(words+1));
+        if (A == NULL)
+                {
+                BNerr(BN_F_BN_EXPAND_INTERNAL,ERR_R_MALLOC_FAILURE);
+                return(NULL);
+                }
+#if 1
+        B=b->d;
+        /* Check if the previous number needs to be copied */
+        if (B != NULL)
+                {
+                for (i=b->top>>2; i>0; i--,A+=4,B+=4)
                         {
-                        BNerr(BN_F_BN_EXPAND2,BN_R_EXPAND_ON_STATIC_BIGNUM_DATA);
-                        return(NULL);
+                        /*
+                         * The fact that the loop is unrolled
+                         * 4-wise is a tribute to Intel. It's
+                         * the one that doesn't have enough
+                         * registers to accomodate more data.
+                         * I'd unroll it 8-wise otherwise:-)
+                         *
+                         *              <appro@fy.chalmers.se>
+                         */
+                        BN_ULONG a0,a1,a2,a3;
+                        a0=B[0]; a1=B[1]; a2=B[2]; a3=B[3];
+                        A[0]=a0; A[1]=a1; A[2]=a2; A[3]=a3;
                         }
-                a=A=(BN_ULONG *)OPENSSL_malloc(sizeof(BN_ULONG)*(words+1));
-                if (A == NULL)
+                switch (b->top&3)
                         {
-                        BNerr(BN_F_BN_EXPAND2,ERR_R_MALLOC_FAILURE);
-                        return(NULL);
+                case 3: A[2]=B[2];
+                case 2: A[1]=B[1];
+                case 1: A[0]=B[0];
+                case 0: /* workaround for ultrix cc: without 'case 0', the optimizer does
+                         * the switch table by doing a=top&3; a--; goto jump_table[a];
+                         * which fails for top== 0 */
+                        ;
                         }
-#if 1
-                B=b->d;
-                /* Check if the previous number needs to be copied */
-                if (B != NULL)
-                        {
-#if 0
-                        /* This lot is an unrolled loop to copy b->top 
-                         * BN_ULONGs from B to A
-                         */
-/*
- * I have nothing against unrolling but it's usually done for
- * several reasons, namely:
- * - minimize percentage of decision making code, i.e. branches;
- * - avoid cache trashing;
- * - make it possible to schedule loads earlier;
- * Now let's examine the code below. The cornerstone of C is
- * "programmer is always right" and that's what we love it for:-)
- * For this very reason C compilers have to be paranoid when it
- * comes to data aliasing and assume the worst. Yeah, but what
- * does it mean in real life? This means that loop body below will
- * be compiled to sequence of loads immediately followed by stores
- * as compiler assumes the worst, something in A==B+1 style. As a
- * result CPU pipeline is going to starve for incoming data. Secondly
- * if A and B happen to share same cache line such code is going to
- * cause severe cache trashing. Both factors have severe impact on
- * performance of modern CPUs and this is the reason why this
- * particular piece of code is #ifdefed away and replaced by more
- * "friendly" version found in #else section below. This comment
- * also applies to BN_copy function.
- *
- *                                      <appro@fy.chalmers.se>
- */
-                        for (i=b->top&(~7); i>0; i-=8)
-                                {
-                                A[0]=B[0]; A[1]=B[1]; A[2]=B[2]; A[3]=B[3];
-                                A[4]=B[4]; A[5]=B[5]; A[6]=B[6]; A[7]=B[7];
-                                A+=8;
-                                B+=8;
-                                }
-                        switch (b->top&7)
-                                {
-                        case 7:
-                                A[6]=B[6];
-                        case 6:
-                                A[5]=B[5];
-                        case 5:
-                                A[4]=B[4];
-                        case 4:
-                                A[3]=B[3];
-                        case 3:
-                                A[2]=B[2];
-                        case 2:
-                                A[1]=B[1];
-                        case 1:
-                                A[0]=B[0];
-                        case 0:
-                                /* I need the 'case 0' entry for utrix cc.
-                                 * If the optimizer is turned on, it does the
-                                 * switch table by doing
-                                 * a=top&7
-                                 * a--;
-                                 * goto jump_table[a];
-                                 * If top is 0, this makes us jump to 0xffffffc 
-                                 * which is rather bad :-(.
-                                 * eric 23-Apr-1998
-                                 */
-                                ;
-                                }
+                }
+
+        /* Now need to zero any data between b->top and b->max */
+        /* XXX Why? */
+
+        A= &(a[b->top]);
+        for (i=(words - b->top)>>3; i>0; i--,A+=8)
+                {
+                A[0]=0; A[1]=0; A[2]=0; A[3]=0;
+                A[4]=0; A[5]=0; A[6]=0; A[7]=0;
+                }
+        for (i=(words - b->top)&7; i>0; i--,A++)
+                A[0]=0;
 #else
-                        for (i=b->top>>2; i>0; i--,A+=4,B+=4)
+        memset(A,0,sizeof(BN_ULONG)*(words+1));
+        memcpy(A,b->d,sizeof(b->d[0])*b->top);
+#endif
+                
+        return(a);
+        }
+
+/* This is an internal function that can be used instead of bn_expand2()
+ * when there is a need to copy BIGNUMs instead of only expanding the
+ * data part, while still expanding them.
+ * Especially useful when needing to expand BIGNUMs that are declared
+ * 'const' and should therefore not be changed.
+ * The reason to use this instead of a BN_dup() followed by a bn_expand2()
+ * is memory allocation overhead.  A BN_dup() followed by a bn_expand2()
+ * will allocate new memory for the BIGNUM data twice, and free it once,
+ * while bn_dup_expand() makes sure allocation is made only once.
+ */
+
+BIGNUM *bn_dup_expand(const BIGNUM *b, int words)
+        {
+        BIGNUM *r = NULL;
+
+        if (words > b->dmax)
+                {
+                BN_ULONG *a = bn_expand_internal(b, words);
+
+                if (a)
+                        {
+                        r = BN_new();
+                        if (r)
                                 {
-                                /*
-                                 * The fact that the loop is unrolled
-                                 * 4-wise is a tribute to Intel. It's
-                                 * the one that doesn't have enough
-                                 * registers to accomodate more data.
-                                 * I'd unroll it 8-wise otherwise:-)
-                                 *
-                                 *              <appro@fy.chalmers.se>
-                                 */
-                                BN_ULONG a0,a1,a2,a3;
-                                a0=B[0]; a1=B[1]; a2=B[2]; a3=B[3];
-                                A[0]=a0; A[1]=a1; A[2]=a2; A[3]=a3;
+                                r->top = b->top;
+                                r->dmax = words;
+                                r->neg = b->neg;
+                                r->d = a;
                                 }
-                        switch (b->top&3)
+                        else
                                 {
-                                case 3: A[2]=B[2];
-                                case 2: A[1]=B[1];
-                                case 1: A[0]=B[0];
-                                case 0: ; /* ultrix cc workaround, see above */
+                                /* r == NULL, BN_new failure */
+                                OPENSSL_free(a);
                                 }
-#endif
-                        OPENSSL_free(b->d);
                         }
+                /* If a == NULL, there was an error in allocation in
+                   bn_expand_internal(), and NULL should be returned */
+                }
+        else
+                {
+                r = BN_dup(b);
+                }
 
-                b->d=a;
-                b->dmax=words;
+        return r;
+        }
+
+/* This is an internal function that should not be used in applications.
+ * It ensures that 'b' has enough room for a 'words' word number number.
+ * It is mostly used by the various BIGNUM routines. If there is an error,
+ * NULL is returned. If not, 'b' is returned. */
 
-                /* Now need to zero any data between b->top and b->max */
+BIGNUM *bn_expand2(BIGNUM *b, int words)
+        {
+        if (words > b->dmax)
+                {
+                BN_ULONG *a = bn_expand_internal(b, words);
 
-                A= &(b->d[b->top]);
-                for (i=(b->dmax - b->top)>>3; i>0; i--,A+=8)
+                if (a)
                         {
-                        A[0]=0; A[1]=0; A[2]=0; A[3]=0;
-                        A[4]=0; A[5]=0; A[6]=0; A[7]=0;
-                        }
-                for (i=(b->dmax - b->top)&7; i>0; i--,A++)
-                        A[0]=0;
-#else
-                        memset(A,0,sizeof(BN_ULONG)*(words+1));
-                        memcpy(A,b->d,sizeof(b->d[0])*b->top);
+                        if (b->d)
+                                OPENSSL_free(b->d);
                         b->d=a;
-                        b->max=words;
-#endif
-                
-/*              memset(&(p[b->max]),0,((words+1)-b->max)*sizeof(BN_ULONG)); */
-/*      { int i; for (i=b->max; i<words+1; i++) p[i]=i;} */
-
+                        b->dmax=words;
+                        }
+                else
+                        b = NULL;
                 }
-        return(b);
+        return b;
         }
 
 BIGNUM *BN_dup(const BIGNUM *a)
         {
-        BIGNUM *r;
+        BIGNUM *r, *t;
 
         if (a == NULL) return NULL;
 
         bn_check_top(a);
 
-        r=BN_new();
-        if (r == NULL) return(NULL);
-        return((BIGNUM *)BN_copy(r,a));
+        t = BN_new();
+        if (t == NULL) return(NULL);
+        r = BN_copy(t, a);
+        /* now  r == t || r == NULL */
+        if (r == NULL)
+                BN_free(t);
+        return r;
         }
 
 BIGNUM *BN_copy(BIGNUM *a, const BIGNUM *b)
@@ -498,7 +494,7 @@ BIGNUM *BN_copy(BIGNUM *a, const BIGNUM *b)
                 case 3: A[2]=B[2];
                 case 2: A[1]=B[1];
                 case 1: A[0]=B[0];
-                case 0: ; /* ultrix cc workaround, see comments in bn_expand2 */
+                case 0: ; /* ultrix cc workaround, see comments in bn_expand_internal */
                 }
 #else
         memcpy(a->d,b->d,sizeof(b->d[0])*b->top);
@@ -512,6 +508,35 @@ BIGNUM *BN_copy(BIGNUM *a, const BIGNUM *b)
         return(a);
         }
 
+void BN_swap(BIGNUM *a, BIGNUM *b)
+        {
+        int flags_old_a, flags_old_b;
+        BN_ULONG *tmp_d;
+        int tmp_top, tmp_dmax, tmp_neg;
+        
+        flags_old_a = a->flags;
+        flags_old_b = b->flags;
+
+        tmp_d = a->d;
+        tmp_top = a->top;
+        tmp_dmax = a->dmax;
+        tmp_neg = a->neg;
+        
+        a->d = b->d;
+        a->top = b->top;
+        a->dmax = b->dmax;
+        a->neg = b->neg;
+        
+        b->d = tmp_d;
+        b->top = tmp_top;
+        b->dmax = tmp_dmax;
+        b->neg = tmp_neg;
+        
+        a->flags = (flags_old_a & BN_FLG_MALLOCED) | (flags_old_b & BN_FLG_STATIC_DATA);
+        b->flags = (flags_old_b & BN_FLG_MALLOCED) | (flags_old_a & BN_FLG_STATIC_DATA);
+        }
+
+
 void BN_clear(BIGNUM *a)
         {
         if (a->d != NULL)
@@ -520,7 +545,7 @@ void BN_clear(BIGNUM *a)
         a->neg=0;
         }
 
-BN_ULONG BN_get_word(BIGNUM *a)
+BN_ULONG BN_get_word(const BIGNUM *a)
         {
         int i,n;
         BN_ULONG ret=0;
@@ -568,7 +593,6 @@ int BN_set_word(BIGNUM *a, BN_ULONG w)
         return(1);
         }
 
-/* ignore negative */
 BIGNUM *BN_bin2bn(const unsigned char *s, int len, BIGNUM *ret)
         {
         unsigned int i,m;
@@ -589,6 +613,7 @@ BIGNUM *BN_bin2bn(const unsigned char *s, int len, BIGNUM *ret)
         i=((n-1)/BN_BYTES)+1;
         m=((n-1)%(BN_BYTES));
         ret->top=i;
+        ret->neg=0;
         while (n-- > 0)
                 {
                 l=(l<<8L)| *(s++);
@@ -743,7 +768,7 @@ int BN_mask_bits(BIGNUM *a, int n)
         return(1);
         }
 
-int bn_cmp_words(BN_ULONG *a, BN_ULONG *b, int n)
+int bn_cmp_words(const BN_ULONG *a, const BN_ULONG *b, int n)
         {
         int i;
         BN_ULONG aa,bb;
@@ -760,3 +785,34 @@ int bn_cmp_words(BN_ULONG *a, BN_ULONG *b, int n)
         return(0);
         }
 
+/* Here follows a specialised variants of bn_cmp_words().  It has the
+   property of performing the operation on arrays of different sizes.
+   The sizes of those arrays is expressed through cl, which is the
+   common length ( basicall, min(len(a),len(b)) ), and dl, which is the
+   delta between the two lengths, calculated as len(a)-len(b).
+   All lengths are the number of BN_ULONGs...  */
+
+int bn_cmp_part_words(const BN_ULONG *a, const BN_ULONG *b,
+        int cl, int dl)
+        {
+        int n,i;
+        n = cl-1;
+
+        if (dl < 0)
+                {
+                for (i=dl; i<0; i++)
+                        {
+                        if (b[n-i] != 0)
+                                return -1; /* a < b */
+                        }
+                }
+        if (dl > 0)
+                {
+                for (i=dl; i>0; i--)
+                        {
+                        if (a[n+i] != 0)
+                                return 1; /* a > b */
+                        }
+                }
+        return bn_cmp_words(a,b,cl);
+        }
diff --git a/src/lib/libcrypto/bn/bn_mod.c b/src/lib/libcrypto/bn/bn_mod.c
new file mode 100644
index 0000000000..5cf82480d7
--- /dev/null
+++ b/src/lib/libcrypto/bn/bn_mod.c
@@ -0,0 +1,296 @@
+/* crypto/bn/bn_mod.c */
+/* Includes code written by Lenka Fibikova <fibikova@exp-math.uni-essen.de>
+ * for the OpenSSL project. */
+/* ====================================================================
+ * Copyright (c) 1998-2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include "cryptlib.h"
+#include "bn_lcl.h"
+
+
+#if 0 /* now just a #define */
+int BN_mod(BIGNUM *rem, const BIGNUM *m, const BIGNUM *d, BN_CTX *ctx)
+        {
+        return(BN_div(NULL,rem,m,d,ctx));
+        /* note that  rem->neg == m->neg  (unless the remainder is zero) */
+        }
+#endif
+
+
+int BN_nnmod(BIGNUM *r, const BIGNUM *m, const BIGNUM *d, BN_CTX *ctx)
+        {
+        /* like BN_mod, but returns non-negative remainder
+         * (i.e.,  0 <= r < |d|  always holds) */
+
+        if (!(BN_mod(r,m,d,ctx)))
+                return 0;
+        if (!r->neg)
+                return 1;
+        /* now   -|d| < r < 0,  so we have to set  r := r + |d| */
+        return (d->neg ? BN_sub : BN_add)(r, r, d);
+}
+
+
+int BN_mod_add(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *m, BN_CTX *ctx)
+        {
+        if (!BN_add(r, a, b)) return 0;
+        return BN_nnmod(r, r, m, ctx);
+        }
+
+
+/* BN_mod_add variant that may be used if both  a  and  b  are non-negative
+ * and less than  m */
+int BN_mod_add_quick(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *m)
+        {
+        if (!BN_add(r, a, b)) return 0;
+        if (BN_ucmp(r, m) >= 0)
+                return BN_usub(r, r, m);
+        return 1;
+        }
+
+
+int BN_mod_sub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *m, BN_CTX *ctx)
+        {
+        if (!BN_sub(r, a, b)) return 0;
+        return BN_nnmod(r, r, m, ctx);
+        }
+
+
+/* BN_mod_sub variant that may be used if both  a  and  b  are non-negative
+ * and less than  m */
+int BN_mod_sub_quick(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *m)
+        {
+        if (!BN_sub(r, a, b)) return 0;
+        if (r->neg)
+                return BN_add(r, r, m);
+        return 1;
+        }
+
+
+/* slow but works */
+int BN_mod_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *m,
+        BN_CTX *ctx)
+        {
+        BIGNUM *t;
+        int ret=0;
+
+        bn_check_top(a);
+        bn_check_top(b);
+        bn_check_top(m);
+
+        BN_CTX_start(ctx);
+        if ((t = BN_CTX_get(ctx)) == NULL) goto err;
+        if (a == b)
+                { if (!BN_sqr(t,a,ctx)) goto err; }
+        else
+                { if (!BN_mul(t,a,b,ctx)) goto err; }
+        if (!BN_nnmod(r,t,m,ctx)) goto err;
+        ret=1;
+err:
+        BN_CTX_end(ctx);
+        return(ret);
+        }
+
+
+int BN_mod_sqr(BIGNUM *r, const BIGNUM *a, const BIGNUM *m, BN_CTX *ctx)
+        {
+        if (!BN_sqr(r, a, ctx)) return 0;
+        /* r->neg == 0,  thus we don't need BN_nnmod */
+        return BN_mod(r, r, m, ctx);
+        }
+
+
+int BN_mod_lshift1(BIGNUM *r, const BIGNUM *a, const BIGNUM *m, BN_CTX *ctx)
+        {
+        if (!BN_lshift1(r, a)) return 0;
+        return BN_nnmod(r, r, m, ctx);
+        }
+
+
+/* BN_mod_lshift1 variant that may be used if  a  is non-negative
+ * and less than  m */
+int BN_mod_lshift1_quick(BIGNUM *r, const BIGNUM *a, const BIGNUM *m)
+        {
+        if (!BN_lshift1(r, a)) return 0;
+        if (BN_cmp(r, m) >= 0)
+                return BN_sub(r, r, m);
+        return 1;
+        }
+
+
+int BN_mod_lshift(BIGNUM *r, const BIGNUM *a, int n, const BIGNUM *m, BN_CTX *ctx)
+        {
+        BIGNUM *abs_m = NULL;
+        int ret;
+
+        if (!BN_nnmod(r, a, m, ctx)) return 0;
+
+        if (m->neg)
+                {
+                abs_m = BN_dup(m);
+                if (abs_m == NULL) return 0;
+                abs_m->neg = 0;
+                }
+        
+        ret = BN_mod_lshift_quick(r, r, n, (abs_m ? abs_m : m));
+
+        if (abs_m)
+                BN_free(abs_m);
+        return ret;
+        }
+
+
+/* BN_mod_lshift variant that may be used if  a  is non-negative
+ * and less than  m */
+int BN_mod_lshift_quick(BIGNUM *r, const BIGNUM *a, int n, const BIGNUM *m)
+        {
+        if (r != a)
+                {
+                if (BN_copy(r, a) == NULL) return 0;
+                }
+
+        while (n > 0)
+                {
+                int max_shift;
+                
+                /* 0 < r < m */
+                max_shift = BN_num_bits(m) - BN_num_bits(r);
+                /* max_shift >= 0 */
+
+                if (max_shift < 0)
+                        {
+                        BNerr(BN_F_BN_MOD_LSHIFT_QUICK, BN_R_INPUT_NOT_REDUCED);
+                        return 0;
+                        }
+
+                if (max_shift > n)
+                        max_shift = n;
+
+                if (max_shift)
+                        {
+                        if (!BN_lshift(r, r, max_shift)) return 0;
+                        n -= max_shift;
+                        }
+                else
+                        {
+                        if (!BN_lshift1(r, r)) return 0;
+                        --n;
+                        }
+
+                /* BN_num_bits(r) <= BN_num_bits(m) */
+
+                if (BN_cmp(r, m) >= 0) 
+                        {
+                        if (!BN_sub(r, r, m)) return 0;
+                        }
+                }
+        
+        return 1;
+        }
diff --git a/src/lib/libcrypto/bn/bn_mont.c b/src/lib/libcrypto/bn/bn_mont.c
index 8cf1febacc..82942a4759 100644
--- a/src/lib/libcrypto/bn/bn_mont.c
+++ b/src/lib/libcrypto/bn/bn_mont.c
@@ -69,20 +69,17 @@
 
 #define MONT_WORD /* use the faster word-based algorithm */
 
-int BN_mod_mul_montgomery(BIGNUM *r, BIGNUM *a, BIGNUM *b,
+int BN_mod_mul_montgomery(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
                           BN_MONT_CTX *mont, BN_CTX *ctx)
         {
-        BIGNUM *tmp,*tmp2;
+        BIGNUM *tmp;
         int ret=0;
 
         BN_CTX_start(ctx);
         tmp = BN_CTX_get(ctx);
-        tmp2 = BN_CTX_get(ctx);
-        if (tmp == NULL || tmp2 == NULL) goto err;
+        if (tmp == NULL) goto err;
 
         bn_check_top(tmp);
-        bn_check_top(tmp2);
-
         if (a == b)
                 {
                 if (!BN_sqr(tmp,a,ctx)) goto err;
@@ -99,7 +96,7 @@ err:
         return(ret);
         }
 
-int BN_from_montgomery(BIGNUM *ret, BIGNUM *a, BN_MONT_CTX *mont,
+int BN_from_montgomery(BIGNUM *ret, const BIGNUM *a, BN_MONT_CTX *mont,
              BN_CTX *ctx)
         {
         int retn=0;
@@ -144,7 +141,7 @@ int BN_from_montgomery(BIGNUM *ret, BIGNUM *a, BN_MONT_CTX *mont,
         n0=mont->n0;
 
 #ifdef BN_COUNT
-        printf("word BN_from_montgomery %d * %d\n",nl,nl);
+        fprintf(stderr,"word BN_from_montgomery %d * %d\n",nl,nl);
 #endif
         for (i=0; i<nl; i++)
                 {
@@ -229,7 +226,7 @@ int BN_from_montgomery(BIGNUM *ret, BIGNUM *a, BN_MONT_CTX *mont,
 
         if (BN_ucmp(ret, &(mont->N)) >= 0)
                 {
-                BN_usub(ret,ret,&(mont->N));
+                if (!BN_usub(ret,ret,&(mont->N))) goto err;
                 }
         retn=1;
  err:
@@ -277,6 +274,7 @@ int BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod, BN_CTX *ctx)
         BN_init(&Ri);
         R= &(mont->RR);                                 /* grab RR as a temp */
         BN_copy(&(mont->N),mod);                        /* Set N */
+        mont->N.neg = 0;
 
 #ifdef MONT_WORD
                 {
@@ -292,40 +290,45 @@ int BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod, BN_CTX *ctx)
                 tmod.d=buf;
                 tmod.top=1;
                 tmod.dmax=2;
-                tmod.neg=mod->neg;
+                tmod.neg=0;
                                                         /* Ri = R^-1 mod N*/
                 if ((BN_mod_inverse(&Ri,R,&tmod,ctx)) == NULL)
                         goto err;
-                BN_lshift(&Ri,&Ri,BN_BITS2);            /* R*Ri */
+                if (!BN_lshift(&Ri,&Ri,BN_BITS2)) goto err; /* R*Ri */
                 if (!BN_is_zero(&Ri))
-                        BN_sub_word(&Ri,1);
+                        {
+                        if (!BN_sub_word(&Ri,1)) goto err;
+                        }
                 else /* if N mod word size == 1 */
-                        BN_set_word(&Ri,BN_MASK2);  /* Ri-- (mod word size) */
-                BN_div(&Ri,NULL,&Ri,&tmod,ctx); /* Ni = (R*Ri-1)/N,
-                                                 * keep only least significant word: */
-                mont->n0=Ri.d[0];
+                        {
+                        if (!BN_set_word(&Ri,BN_MASK2)) goto err;  /* Ri-- (mod word size) */
+                        }
+                if (!BN_div(&Ri,NULL,&Ri,&tmod,ctx)) goto err;
+                /* Ni = (R*Ri-1)/N,
+                 * keep only least significant word: */
+                mont->n0 = (Ri.top > 0) ? Ri.d[0] : 0;
                 BN_free(&Ri);
                 }
 #else /* !MONT_WORD */
                 { /* bignum version */
-                mont->ri=BN_num_bits(mod);
-                BN_zero(R);
-                BN_set_bit(R,mont->ri);                 /* R = 2^ri */
-                                                        /* Ri = R^-1 mod N*/
-                if ((BN_mod_inverse(&Ri,R,mod,ctx)) == NULL)
+                mont->ri=BN_num_bits(&mont->N);
+                if (!BN_zero(R)) goto err;
+                if (!BN_set_bit(R,mont->ri)) goto err;  /* R = 2^ri */
+                                                        /* Ri = R^-1 mod N*/
+                if ((BN_mod_inverse(&Ri,R,&mont->N,ctx)) == NULL)
                         goto err;
-                BN_lshift(&Ri,&Ri,mont->ri);            /* R*Ri */
-                BN_sub_word(&Ri,1);
+                if (!BN_lshift(&Ri,&Ri,mont->ri)) goto err; /* R*Ri */
+                if (!BN_sub_word(&Ri,1)) goto err;
                                                         /* Ni = (R*Ri-1) / N */
-                BN_div(&(mont->Ni),NULL,&Ri,mod,ctx);
+                if (!BN_div(&(mont->Ni),NULL,&Ri,&mont->N,ctx)) goto err;
                 BN_free(&Ri);
                 }
 #endif
 
         /* setup RR for conversions */
-        BN_zero(&(mont->RR));
-        BN_set_bit(&(mont->RR),mont->ri*2);
-        BN_mod(&(mont->RR),&(mont->RR),&(mont->N),ctx);
+        if (!BN_zero(&(mont->RR))) goto err;
+        if (!BN_set_bit(&(mont->RR),mont->ri*2)) goto err;
+        if (!BN_mod(&(mont->RR),&(mont->RR),&(mont->N),ctx)) goto err;
 
         return(1);
 err:
@@ -336,9 +339,9 @@ BN_MONT_CTX *BN_MONT_CTX_copy(BN_MONT_CTX *to, BN_MONT_CTX *from)
         {
         if (to == from) return(to);
 
-        BN_copy(&(to->RR),&(from->RR));
-        BN_copy(&(to->N),&(from->N));
-        BN_copy(&(to->Ni),&(from->Ni));
+        if (!BN_copy(&(to->RR),&(from->RR))) return NULL;
+        if (!BN_copy(&(to->N),&(from->N))) return NULL;
+        if (!BN_copy(&(to->Ni),&(from->Ni))) return NULL;
         to->ri=from->ri;
         to->n0=from->n0;
         return(to);
diff --git a/src/lib/libcrypto/bn/bn_mpi.c b/src/lib/libcrypto/bn/bn_mpi.c
index 80e1dca6b7..05fa9d1e9a 100644
--- a/src/lib/libcrypto/bn/bn_mpi.c
+++ b/src/lib/libcrypto/bn/bn_mpi.c
@@ -88,7 +88,7 @@ int BN_bn2mpi(const BIGNUM *a, unsigned char *d)
         return(num+4+ext);
         }
 
-BIGNUM *BN_mpi2bn(unsigned char *d, int n, BIGNUM *a)
+BIGNUM *BN_mpi2bn(const unsigned char *d, int n, BIGNUM *a)
         {
         long len;
         int neg=0;
diff --git a/src/lib/libcrypto/bn/bn_mul.c b/src/lib/libcrypto/bn/bn_mul.c
index 3e8d8b9567..41ea925b8d 100644
--- a/src/lib/libcrypto/bn/bn_mul.c
+++ b/src/lib/libcrypto/bn/bn_mul.c
@@ -56,10 +56,325 @@
  * [including the GNU Public Licence.]
  */
 
+#ifndef BN_DEBUG
+# undef NDEBUG /* avoid conflicting definitions */
+# define NDEBUG
+#endif
+
 #include <stdio.h>
+#include <assert.h>
 #include "cryptlib.h"
 #include "bn_lcl.h"
 
+#if defined(OPENSSL_NO_ASM) || !(defined(__i386) || defined(__i386__))/* Assembler implementation exists only for x86 */
+/* Here follows specialised variants of bn_add_words() and
+   bn_sub_words().  They have the property performing operations on
+   arrays of different sizes.  The sizes of those arrays is expressed through
+   cl, which is the common length ( basicall, min(len(a),len(b)) ), and dl,
+   which is the delta between the two lengths, calculated as len(a)-len(b).
+   All lengths are the number of BN_ULONGs...  For the operations that require
+   a result array as parameter, it must have the length cl+abs(dl).
+   These functions should probably end up in bn_asm.c as soon as there are
+   assembler counterparts for the systems that use assembler files.  */
+
+BN_ULONG bn_sub_part_words(BN_ULONG *r,
+        const BN_ULONG *a, const BN_ULONG *b,
+        int cl, int dl)
+        {
+        BN_ULONG c, t;
+
+        assert(cl >= 0);
+        c = bn_sub_words(r, a, b, cl);
+
+        if (dl == 0)
+                return c;
+
+        r += cl;
+        a += cl;
+        b += cl;
+
+        if (dl < 0)
+                {
+#ifdef BN_COUNT
+                fprintf(stderr, "  bn_sub_part_words %d + %d (dl < 0, c = %d)\n", cl, dl, c);
+#endif
+                for (;;)
+                        {
+                        t = b[0];
+                        r[0] = (0-t-c)&BN_MASK2;
+                        if (t != 0) c=1;
+                        if (++dl >= 0) break;
+
+                        t = b[1];
+                        r[1] = (0-t-c)&BN_MASK2;
+                        if (t != 0) c=1;
+                        if (++dl >= 0) break;
+
+                        t = b[2];
+                        r[2] = (0-t-c)&BN_MASK2;
+                        if (t != 0) c=1;
+                        if (++dl >= 0) break;
+
+                        t = b[3];
+                        r[3] = (0-t-c)&BN_MASK2;
+                        if (t != 0) c=1;
+                        if (++dl >= 0) break;
+
+                        b += 4;
+                        r += 4;
+                        }
+                }
+        else
+                {
+                int save_dl = dl;
+#ifdef BN_COUNT
+                fprintf(stderr, "  bn_sub_part_words %d + %d (dl > 0, c = %d)\n", cl, dl, c);
+#endif
+                while(c)
+                        {
+                        t = a[0];
+                        r[0] = (t-c)&BN_MASK2;
+                        if (t != 0) c=0;
+                        if (--dl <= 0) break;
+
+                        t = a[1];
+                        r[1] = (t-c)&BN_MASK2;
+                        if (t != 0) c=0;
+                        if (--dl <= 0) break;
+
+                        t = a[2];
+                        r[2] = (t-c)&BN_MASK2;
+                        if (t != 0) c=0;
+                        if (--dl <= 0) break;
+
+                        t = a[3];
+                        r[3] = (t-c)&BN_MASK2;
+                        if (t != 0) c=0;
+                        if (--dl <= 0) break;
+
+                        save_dl = dl;
+                        a += 4;
+                        r += 4;
+                        }
+                if (dl > 0)
+                        {
+#ifdef BN_COUNT
+                        fprintf(stderr, "  bn_sub_part_words %d + %d (dl > 0, c == 0)\n", cl, dl);
+#endif
+                        if (save_dl > dl)
+                                {
+                                switch (save_dl - dl)
+                                        {
+                                case 1:
+                                        r[1] = a[1];
+                                        if (--dl <= 0) break;
+                                case 2:
+                                        r[2] = a[2];
+                                        if (--dl <= 0) break;
+                                case 3:
+                                        r[3] = a[3];
+                                        if (--dl <= 0) break;
+                                        }
+                                a += 4;
+                                r += 4;
+                                }
+                        }
+                if (dl > 0)
+                        {
+#ifdef BN_COUNT
+                        fprintf(stderr, "  bn_sub_part_words %d + %d (dl > 0, copy)\n", cl, dl);
+#endif
+                        for(;;)
+                                {
+                                r[0] = a[0];
+                                if (--dl <= 0) break;
+                                r[1] = a[1];
+                                if (--dl <= 0) break;
+                                r[2] = a[2];
+                                if (--dl <= 0) break;
+                                r[3] = a[3];
+                                if (--dl <= 0) break;
+
+                                a += 4;
+                                r += 4;
+                                }
+                        }
+                }
+        return c;
+        }
+#endif
+
+BN_ULONG bn_add_part_words(BN_ULONG *r,
+        const BN_ULONG *a, const BN_ULONG *b,
+        int cl, int dl)
+        {
+        BN_ULONG c, l, t;
+
+        assert(cl >= 0);
+        c = bn_add_words(r, a, b, cl);
+
+        if (dl == 0)
+                return c;
+
+        r += cl;
+        a += cl;
+        b += cl;
+
+        if (dl < 0)
+                {
+                int save_dl = dl;
+#ifdef BN_COUNT
+                fprintf(stderr, "  bn_add_part_words %d + %d (dl < 0, c = %d)\n", cl, dl, c);
+#endif
+                while (c)
+                        {
+                        l=(c+b[0])&BN_MASK2;
+                        c=(l < c);
+                        r[0]=l;
+                        if (++dl >= 0) break;
+
+                        l=(c+b[1])&BN_MASK2;
+                        c=(l < c);
+                        r[1]=l;
+                        if (++dl >= 0) break;
+
+                        l=(c+b[2])&BN_MASK2;
+                        c=(l < c);
+                        r[2]=l;
+                        if (++dl >= 0) break;
+
+                        l=(c+b[3])&BN_MASK2;
+                        c=(l < c);
+                        r[3]=l;
+                        if (++dl >= 0) break;
+
+                        save_dl = dl;
+                        b+=4;
+                        r+=4;
+                        }
+                if (dl < 0)
+                        {
+#ifdef BN_COUNT
+                        fprintf(stderr, "  bn_add_part_words %d + %d (dl < 0, c == 0)\n", cl, dl);
+#endif
+                        if (save_dl < dl)
+                                {
+                                switch (dl - save_dl)
+                                        {
+                                case 1:
+                                        r[1] = b[1];
+                                        if (++dl >= 0) break;
+                                case 2:
+                                        r[2] = b[2];
+                                        if (++dl >= 0) break;
+                                case 3:
+                                        r[3] = b[3];
+                                        if (++dl >= 0) break;
+                                        }
+                                b += 4;
+                                r += 4;
+                                }
+                        }
+                if (dl < 0)
+                        {
+#ifdef BN_COUNT
+                        fprintf(stderr, "  bn_add_part_words %d + %d (dl < 0, copy)\n", cl, dl);
+#endif
+                        for(;;)
+                                {
+                                r[0] = b[0];
+                                if (++dl >= 0) break;
+                                r[1] = b[1];
+                                if (++dl >= 0) break;
+                                r[2] = b[2];
+                                if (++dl >= 0) break;
+                                r[3] = b[3];
+                                if (++dl >= 0) break;
+
+                                b += 4;
+                                r += 4;
+                                }
+                        }
+                }
+        else
+                {
+                int save_dl = dl;
+#ifdef BN_COUNT
+                fprintf(stderr, "  bn_add_part_words %d + %d (dl > 0)\n", cl, dl);
+#endif
+                while (c)
+                        {
+                        t=(a[0]+c)&BN_MASK2;
+                        c=(t < c);
+                        r[0]=t;
+                        if (--dl <= 0) break;
+
+                        t=(a[1]+c)&BN_MASK2;
+                        c=(t < c);
+                        r[1]=t;
+                        if (--dl <= 0) break;
+
+                        t=(a[2]+c)&BN_MASK2;
+                        c=(t < c);
+                        r[2]=t;
+                        if (--dl <= 0) break;
+
+                        t=(a[3]+c)&BN_MASK2;
+                        c=(t < c);
+                        r[3]=t;
+                        if (--dl <= 0) break;
+
+                        save_dl = dl;
+                        a+=4;
+                        r+=4;
+                        }
+#ifdef BN_COUNT
+                fprintf(stderr, "  bn_add_part_words %d + %d (dl > 0, c == 0)\n", cl, dl);
+#endif
+                if (dl > 0)
+                        {
+                        if (save_dl > dl)
+                                {
+                                switch (save_dl - dl)
+                                        {
+                                case 1:
+                                        r[1] = a[1];
+                                        if (--dl <= 0) break;
+                                case 2:
+                                        r[2] = a[2];
+                                        if (--dl <= 0) break;
+                                case 3:
+                                        r[3] = a[3];
+                                        if (--dl <= 0) break;
+                                        }
+                                a += 4;
+                                r += 4;
+                                }
+                        }
+                if (dl > 0)
+                        {
+#ifdef BN_COUNT
+                        fprintf(stderr, "  bn_add_part_words %d + %d (dl > 0, copy)\n", cl, dl);
+#endif
+                        for(;;)
+                                {
+                                r[0] = a[0];
+                                if (--dl <= 0) break;
+                                r[1] = a[1];
+                                if (--dl <= 0) break;
+                                r[2] = a[2];
+                                if (--dl <= 0) break;
+                                r[3] = a[3];
+                                if (--dl <= 0) break;
+
+                                a += 4;
+                                r += 4;
+                                }
+                        }
+                }
+        return c;
+        }
+
 #ifdef BN_RECURSION
 /* Karatsuba recursive multiplication algorithm
  * (cf. Knuth, The Art of Computer Programming, Vol. 2) */
@@ -75,14 +390,15 @@
  * a[1]*b[1]
  */
 void bn_mul_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n2,
-             BN_ULONG *t)
+        int dna, int dnb, BN_ULONG *t)
         {
         int n=n2/2,c1,c2;
+        int tna=n+dna, tnb=n+dnb;
         unsigned int neg,zero;
         BN_ULONG ln,lo,*p;
 
 # ifdef BN_COUNT
-        printf(" bn_mul_recursive %d * %d\n",n2,n2);
+        fprintf(stderr," bn_mul_recursive %d * %d\n",n2,n2);
 # endif
 # ifdef BN_MUL_COMBA
 #  if 0
@@ -105,21 +421,21 @@ void bn_mul_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n2,
                 return;
                 }
         /* r=(a[0]-a[1])*(b[1]-b[0]) */
-        c1=bn_cmp_words(a,&(a[n]),n);
-        c2=bn_cmp_words(&(b[n]),b,n);
+        c1=bn_cmp_part_words(a,&(a[n]),tna,n-tna);
+        c2=bn_cmp_part_words(&(b[n]),b,tnb,tnb-n);
         zero=neg=0;
         switch (c1*3+c2)
                 {
         case -4:
-                bn_sub_words(t,      &(a[n]),a,      n); /* - */
-                bn_sub_words(&(t[n]),b,      &(b[n]),n); /* - */
+                bn_sub_part_words(t,      &(a[n]),a,      tna,tna-n); /* - */
+                bn_sub_part_words(&(t[n]),b,      &(b[n]),tnb,n-tnb); /* - */
                 break;
         case -3:
                 zero=1;
                 break;
         case -2:
-                bn_sub_words(t,      &(a[n]),a,      n); /* - */
-                bn_sub_words(&(t[n]),&(b[n]),b,      n); /* + */
+                bn_sub_part_words(t,      &(a[n]),a,      tna,tna-n); /* - */
+                bn_sub_part_words(&(t[n]),&(b[n]),b,      tnb,tnb-n); /* + */
                 neg=1;
                 break;
         case -1:
@@ -128,21 +444,22 @@ void bn_mul_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n2,
                 zero=1;
                 break;
         case 2:
-                bn_sub_words(t,      a,      &(a[n]),n); /* + */
-                bn_sub_words(&(t[n]),b,      &(b[n]),n); /* - */
+                bn_sub_part_words(t,      a,      &(a[n]),tna,n-tna); /* + */
+                bn_sub_part_words(&(t[n]),b,      &(b[n]),tnb,n-tnb); /* - */
                 neg=1;
                 break;
         case 3:
                 zero=1;
                 break;
         case 4:
-                bn_sub_words(t,      a,      &(a[n]),n);
-                bn_sub_words(&(t[n]),&(b[n]),b,      n);
+                bn_sub_part_words(t,      a,      &(a[n]),tna,n-tna);
+                bn_sub_part_words(&(t[n]),&(b[n]),b,      tnb,tnb-n);
                 break;
                 }
 
 # ifdef BN_MUL_COMBA
-        if (n == 4)
+        if (n == 4 && dna == 0 && dnb == 0) /* XXX: bn_mul_comba4 could take
+                                               extra args to do this well */
                 {
                 if (!zero)
                         bn_mul_comba4(&(t[n2]),t,&(t[n]));
@@ -152,7 +469,9 @@ void bn_mul_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n2,
                 bn_mul_comba4(r,a,b);
                 bn_mul_comba4(&(r[n2]),&(a[n]),&(b[n]));
                 }
-        else if (n == 8)
+        else if (n == 8 && dna == 0 && dnb == 0) /* XXX: bn_mul_comba8 could
+                                                    take extra args to do this
+                                                    well */
                 {
                 if (!zero)
                         bn_mul_comba8(&(t[n2]),t,&(t[n]));
@@ -167,11 +486,11 @@ void bn_mul_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n2,
                 {
                 p= &(t[n2*2]);
                 if (!zero)
-                        bn_mul_recursive(&(t[n2]),t,&(t[n]),n,p);
+                        bn_mul_recursive(&(t[n2]),t,&(t[n]),n,0,0,p);
                 else
                         memset(&(t[n2]),0,n2*sizeof(BN_ULONG));
-                bn_mul_recursive(r,a,b,n,p);
-                bn_mul_recursive(&(r[n2]),&(a[n]),&(b[n]),n,p);
+                bn_mul_recursive(r,a,b,n,0,0,p);
+                bn_mul_recursive(&(r[n2]),&(a[n]),&(b[n]),n,dna,dnb,p);
                 }
 
         /* t[32] holds (a[0]-a[1])*(b[1]-b[0]), c1 is the sign
@@ -220,39 +539,39 @@ void bn_mul_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n2,
 
 /* n+tn is the word length
  * t needs to be n*4 is size, as does r */
-void bn_mul_part_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int tn,
-             int n, BN_ULONG *t)
+void bn_mul_part_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n,
+             int tna, int tnb, BN_ULONG *t)
         {
         int i,j,n2=n*2;
         unsigned int c1,c2,neg,zero;
         BN_ULONG ln,lo,*p;
 
 # ifdef BN_COUNT
-        printf(" bn_mul_part_recursive %d * %d\n",tn+n,tn+n);
+        fprintf(stderr," bn_mul_part_recursive (%d+%d) * (%d+%d)\n",
+                tna, n, tnb, n);
 # endif
         if (n < 8)
                 {
-                i=tn+n;
-                bn_mul_normal(r,a,i,b,i);
+                bn_mul_normal(r,a,n+tna,b,n+tnb);
                 return;
                 }
 
         /* r=(a[0]-a[1])*(b[1]-b[0]) */
-        c1=bn_cmp_words(a,&(a[n]),n);
-        c2=bn_cmp_words(&(b[n]),b,n);
+        c1=bn_cmp_part_words(a,&(a[n]),tna,n-tna);
+        c2=bn_cmp_part_words(&(b[n]),b,tnb,tnb-n);
         zero=neg=0;
         switch (c1*3+c2)
                 {
         case -4:
-                bn_sub_words(t,      &(a[n]),a,      n); /* - */
-                bn_sub_words(&(t[n]),b,      &(b[n]),n); /* - */
+                bn_sub_part_words(t,      &(a[n]),a,      tna,tna-n); /* - */
+                bn_sub_part_words(&(t[n]),b,      &(b[n]),tnb,n-tnb); /* - */
                 break;
         case -3:
                 zero=1;
                 /* break; */
         case -2:
-                bn_sub_words(t,      &(a[n]),a,      n); /* - */
-                bn_sub_words(&(t[n]),&(b[n]),b,      n); /* + */
+                bn_sub_part_words(t,      &(a[n]),a,      tna,tna-n); /* - */
+                bn_sub_part_words(&(t[n]),&(b[n]),b,      tnb,tnb-n); /* + */
                 neg=1;
                 break;
         case -1:
@@ -261,16 +580,16 @@ void bn_mul_part_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int tn,
                 zero=1;
                 /* break; */
         case 2:
-                bn_sub_words(t,      a,      &(a[n]),n); /* + */
-                bn_sub_words(&(t[n]),b,      &(b[n]),n); /* - */
+                bn_sub_part_words(t,      a,      &(a[n]),tna,n-tna); /* + */
+                bn_sub_part_words(&(t[n]),b,      &(b[n]),tnb,n-tnb); /* - */
                 neg=1;
                 break;
         case 3:
                 zero=1;
                 /* break; */
         case 4:
-                bn_sub_words(t,      a,      &(a[n]),n);
-                bn_sub_words(&(t[n]),&(b[n]),b,      n);
+                bn_sub_part_words(t,      a,      &(a[n]),tna,n-tna);
+                bn_sub_part_words(&(t[n]),&(b[n]),b,      tnb,tnb-n);
                 break;
                 }
                 /* The zero case isn't yet implemented here. The speedup
@@ -289,54 +608,59 @@ void bn_mul_part_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int tn,
                 {
                 bn_mul_comba8(&(t[n2]),t,&(t[n]));
                 bn_mul_comba8(r,a,b);
-                bn_mul_normal(&(r[n2]),&(a[n]),tn,&(b[n]),tn);
-                memset(&(r[n2+tn*2]),0,sizeof(BN_ULONG)*(n2-tn*2));
+                bn_mul_normal(&(r[n2]),&(a[n]),tna,&(b[n]),tnb);
+                memset(&(r[n2+tna+tnb]),0,sizeof(BN_ULONG)*(n2-tna-tnb));
                 }
         else
                 {
                 p= &(t[n2*2]);
-                bn_mul_recursive(&(t[n2]),t,&(t[n]),n,p);
-                bn_mul_recursive(r,a,b,n,p);
+                bn_mul_recursive(&(t[n2]),t,&(t[n]),n,0,0,p);
+                bn_mul_recursive(r,a,b,n,0,0,p);
                 i=n/2;
                 /* If there is only a bottom half to the number,
                  * just do it */
-                j=tn-i;
+                if (tna > tnb)
+                        j = tna - i;
+                else
+                        j = tnb - i;
                 if (j == 0)
                         {
-                        bn_mul_recursive(&(r[n2]),&(a[n]),&(b[n]),i,p);
+                        bn_mul_recursive(&(r[n2]),&(a[n]),&(b[n]),
+                                i,tna-i,tnb-i,p);
                         memset(&(r[n2+i*2]),0,sizeof(BN_ULONG)*(n2-i*2));
                         }
                 else if (j > 0) /* eg, n == 16, i == 8 and tn == 11 */
                                 {
                                 bn_mul_part_recursive(&(r[n2]),&(a[n]),&(b[n]),
-                                        j,i,p);
-                                memset(&(r[n2+tn*2]),0,
-                                        sizeof(BN_ULONG)*(n2-tn*2));
+                                        i,tna-i,tnb-i,p);
+                                memset(&(r[n2+tna+tnb]),0,
+                                        sizeof(BN_ULONG)*(n2-tna-tnb));
                                 }
                 else /* (j < 0) eg, n == 16, i == 8 and tn == 5 */
                         {
                         memset(&(r[n2]),0,sizeof(BN_ULONG)*n2);
-                        if (tn < BN_MUL_RECURSIVE_SIZE_NORMAL)
+                        if (tna < BN_MUL_RECURSIVE_SIZE_NORMAL
+                                && tnb < BN_MUL_RECURSIVE_SIZE_NORMAL)
                                 {
-                                bn_mul_normal(&(r[n2]),&(a[n]),tn,&(b[n]),tn);
+                                bn_mul_normal(&(r[n2]),&(a[n]),tna,&(b[n]),tnb);
                                 }
                         else
                                 {
                                 for (;;)
                                         {
                                         i/=2;
-                                        if (i < tn)
+                                        if (i < tna && i < tnb)
                                                 {
                                                 bn_mul_part_recursive(&(r[n2]),
                                                         &(a[n]),&(b[n]),
-                                                        tn-i,i,p);
+                                                        i,tna-i,tnb-i,p);
                                                 break;
                                                 }
-                                        else if (i == tn)
+                                        else if (i <= tna && i <= tnb)
                                                 {
                                                 bn_mul_recursive(&(r[n2]),
                                                         &(a[n]),&(b[n]),
-                                                        i,p);
+                                                        i,tna-i,tnb-i,p);
                                                 break;
                                                 }
                                         }
@@ -397,10 +721,10 @@ void bn_mul_low_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n2,
         int n=n2/2;
 
 # ifdef BN_COUNT
-        printf(" bn_mul_low_recursive %d * %d\n",n2,n2);
+        fprintf(stderr," bn_mul_low_recursive %d * %d\n",n2,n2);
 # endif
 
-        bn_mul_recursive(r,a,b,n,&(t[0]));
+        bn_mul_recursive(r,a,b,n,0,0,&(t[0]));
         if (n >= BN_MUL_LOW_RECURSIVE_SIZE_NORMAL)
                 {
                 bn_mul_low_recursive(&(t[0]),&(a[0]),&(b[n]),n,&(t[n2]));
@@ -431,7 +755,7 @@ void bn_mul_high(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, BN_ULONG *l, int n2,
         BN_ULONG ll,lc,*lp,*mp;
 
 # ifdef BN_COUNT
-        printf(" bn_mul_high %d * %d\n",n2,n2);
+        fprintf(stderr," bn_mul_high %d * %d\n",n2,n2);
 # endif
         n=n2/2;
 
@@ -484,8 +808,8 @@ void bn_mul_high(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, BN_ULONG *l, int n2,
         else
 # endif
                 {
-                bn_mul_recursive(&(t[0]),&(r[0]),&(r[n]),n,&(t[n2]));
-                bn_mul_recursive(r,&(a[n]),&(b[n]),n,&(t[n2]));
+                bn_mul_recursive(&(t[0]),&(r[0]),&(r[n]),n,0,0,&(t[n2]));
+                bn_mul_recursive(r,&(a[n]),&(b[n]),n,0,0,&(t[n2]));
                 }
 
         /* s0 == low(al*bl)
@@ -608,21 +932,21 @@ void bn_mul_high(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, BN_ULONG *l, int n2,
         }
 #endif /* BN_RECURSION */
 
-int BN_mul(BIGNUM *r, BIGNUM *a, BIGNUM *b, BN_CTX *ctx)
+int BN_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
         {
+        int ret=0;
         int top,al,bl;
         BIGNUM *rr;
-        int ret = 0;
 #if defined(BN_MUL_COMBA) || defined(BN_RECURSION)
         int i;
 #endif
 #ifdef BN_RECURSION
-        BIGNUM *t;
-        int j,k;
+        BIGNUM *t=NULL;
+        int j=0,k;
 #endif
 
 #ifdef BN_COUNT
-        printf("BN_mul %d * %d\n",a->top,b->top);
+        fprintf(stderr,"BN_mul %d * %d\n",a->top,b->top);
 #endif
 
         bn_check_top(a);
@@ -675,17 +999,55 @@ int BN_mul(BIGNUM *r, BIGNUM *a, BIGNUM *b, BN_CTX *ctx)
 #ifdef BN_RECURSION
         if ((al >= BN_MULL_SIZE_NORMAL) && (bl >= BN_MULL_SIZE_NORMAL))
                 {
+                if (i >= -1 && i <= 1)
+                        {
+                        int sav_j =0;
+                        /* Find out the power of two lower or equal
+                           to the longest of the two numbers */
+                        if (i >= 0)
+                                {
+                                j = BN_num_bits_word((BN_ULONG)al);
+                                }
+                        if (i == -1)
+                                {
+                                j = BN_num_bits_word((BN_ULONG)bl);
+                                }
+                        sav_j = j;
+                        j = 1<<(j-1);
+                        assert(j <= al || j <= bl);
+                        k = j+j;
+                        t = BN_CTX_get(ctx);
+                        if (al > j || bl > j)
+                                {
+                                bn_wexpand(t,k*4);
+                                bn_wexpand(rr,k*4);
+                                bn_mul_part_recursive(rr->d,a->d,b->d,
+                                        j,al-j,bl-j,t->d);
+                                }
+                        else    /* al <= j || bl <= j */
+                                {
+                                bn_wexpand(t,k*2);
+                                bn_wexpand(rr,k*2);
+                                bn_mul_recursive(rr->d,a->d,b->d,
+                                        j,al-j,bl-j,t->d);
+                                }
+                        rr->top=top;
+                        goto end;
+                        }
+#if 0
                 if (i == 1 && !BN_get_flags(b,BN_FLG_STATIC_DATA))
                         {
-                        bn_wexpand(b,al);
-                        b->d[bl]=0;
+                        BIGNUM *tmp_bn = (BIGNUM *)b;
+                        bn_wexpand(tmp_bn,al);
+                        tmp_bn->d[bl]=0;
                         bl++;
                         i--;
                         }
                 else if (i == -1 && !BN_get_flags(a,BN_FLG_STATIC_DATA))
                         {
-                        bn_wexpand(a,bl);
-                        a->d[al]=0;
+                        BIGNUM *tmp_bn = (BIGNUM *)a;
+                        bn_wexpand(tmp_bn,bl);
+                        tmp_bn->d[al]=0;
                         al++;
                         i++;
                         }
@@ -705,19 +1067,14 @@ int BN_mul(BIGNUM *r, BIGNUM *a, BIGNUM *b, BN_CTX *ctx)
                                 }
                         else
                                 {
-                                bn_wexpand(a,k);
-                                bn_wexpand(b,k);
                                 bn_wexpand(t,k*4);
                                 bn_wexpand(rr,k*4);
-                                for (i=a->top; i<k; i++)
-                                        a->d[i]=0;
-                                for (i=b->top; i<k; i++)
-                                        b->d[i]=0;
                                 bn_mul_part_recursive(rr->d,a->d,b->d,al-j,j,t->d);
                                 }
                         rr->top=top;
                         goto end;
                         }
+#endif
                 }
 #endif /* BN_RECURSION */
         if (bn_wexpand(rr,top) == NULL) goto err;
@@ -740,7 +1097,7 @@ void bn_mul_normal(BN_ULONG *r, BN_ULONG *a, int na, BN_ULONG *b, int nb)
         BN_ULONG *rr;
 
 #ifdef BN_COUNT
-        printf(" bn_mul_normal %d * %d\n",na,nb);
+        fprintf(stderr," bn_mul_normal %d * %d\n",na,nb);
 #endif
 
         if (na < nb)
@@ -753,7 +1110,13 @@ void bn_mul_normal(BN_ULONG *r, BN_ULONG *a, int na, BN_ULONG *b, int nb)
 
                 }
         rr= &(r[na]);
-        rr[0]=bn_mul_words(r,a,na,b[0]);
+        if (nb <= 0)
+                {
+                (void)bn_mul_words(r,a,na,0);
+                return;
+                }
+        else
+                rr[0]=bn_mul_words(r,a,na,b[0]);
 
         for (;;)
                 {
@@ -774,7 +1137,7 @@ void bn_mul_normal(BN_ULONG *r, BN_ULONG *a, int na, BN_ULONG *b, int nb)
 void bn_mul_low_normal(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n)
         {
 #ifdef BN_COUNT
-        printf(" bn_mul_low_normal %d * %d\n",n,n);
+        fprintf(stderr," bn_mul_low_normal %d * %d\n",n,n);
 #endif
         bn_mul_words(r,a,n,b[0]);
 
diff --git a/src/lib/libcrypto/bn/bn_prime.c b/src/lib/libcrypto/bn/bn_prime.c
index a5f01b92eb..918b9237c6 100644
--- a/src/lib/libcrypto/bn/bn_prime.c
+++ b/src/lib/libcrypto/bn/bn_prime.c
@@ -56,7 +56,7 @@
  * [including the GNU Public Licence.]
  */
 /* ====================================================================
- * Copyright (c) 1998-2000 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -125,12 +125,13 @@ static int witness(BIGNUM *w, const BIGNUM *a, const BIGNUM *a1,
         const BIGNUM *a1_odd, int k, BN_CTX *ctx, BN_MONT_CTX *mont);
 static int probable_prime(BIGNUM *rnd, int bits);
 static int probable_prime_dh(BIGNUM *rnd, int bits,
-        BIGNUM *add, BIGNUM *rem, BN_CTX *ctx);
+        const BIGNUM *add, const BIGNUM *rem, BN_CTX *ctx);
 static int probable_prime_dh_safe(BIGNUM *rnd, int bits,
-        BIGNUM *add, BIGNUM *rem, BN_CTX *ctx);
+        const BIGNUM *add, const BIGNUM *rem, BN_CTX *ctx);
 
-BIGNUM *BN_generate_prime(BIGNUM *ret, int bits, int safe, BIGNUM *add,
-             BIGNUM *rem, void (*callback)(int,int,void *), void *cb_arg)
+BIGNUM *BN_generate_prime(BIGNUM *ret, int bits, int safe,
+        const BIGNUM *add, const BIGNUM *rem,
+        void (*callback)(int,int,void *), void *cb_arg)
         {
         BIGNUM *rnd=NULL;
         BIGNUM t;
@@ -225,12 +226,15 @@ int BN_is_prime_fasttest(const BIGNUM *a, int checks,
         BN_MONT_CTX *mont = NULL;
         const BIGNUM *A = NULL;
 
+        if (BN_cmp(a, BN_value_one()) <= 0)
+                return 0;
+        
         if (checks == BN_prime_checks)
                 checks = BN_prime_checks_for_size(BN_num_bits(a));
 
         /* first look for small factors */
         if (!BN_is_odd(a))
-                return(0);
+                return 0;
         if (do_trial_division)
                 {
                 for (i = 1; i < NUMPRIMES; i++)
@@ -289,11 +293,8 @@ int BN_is_prime_fasttest(const BIGNUM *a, int checks,
         
         for (i = 0; i < checks; i++)
                 {
-                if (!BN_pseudo_rand(check, BN_num_bits(A1), 0, 0))
+                if (!BN_pseudo_rand_range(check, A1))
                         goto err;
-                if (BN_cmp(check, A1) >= 0)
-                        if (!BN_sub(check, check, A1))
-                                goto err;
                 if (!BN_add_word(check, 1))
                         goto err;
                 /* now 1 <= check < A */
@@ -376,8 +377,8 @@ again:
         return(1);
         }
 
-static int probable_prime_dh(BIGNUM *rnd, int bits, BIGNUM *add, BIGNUM *rem,
-             BN_CTX *ctx)
+static int probable_prime_dh(BIGNUM *rnd, int bits,
+        const BIGNUM *add, const BIGNUM *rem, BN_CTX *ctx)
         {
         int i,ret=0;
         BIGNUM *t1;
@@ -413,8 +414,8 @@ err:
         return(ret);
         }
 
-static int probable_prime_dh_safe(BIGNUM *p, int bits, BIGNUM *padd,
-             BIGNUM *rem, BN_CTX *ctx)
+static int probable_prime_dh_safe(BIGNUM *p, int bits, const BIGNUM *padd,
+        const BIGNUM *rem, BN_CTX *ctx)
         {
         int i,ret=0;
         BIGNUM *t1,*qadd,*q;
diff --git a/src/lib/libcrypto/bn/bn_print.c b/src/lib/libcrypto/bn/bn_print.c
index 532e66bcc3..5f46b1826c 100644
--- a/src/lib/libcrypto/bn/bn_print.c
+++ b/src/lib/libcrypto/bn/bn_print.c
@@ -277,8 +277,8 @@ err:
         return(0);
         }
 
-#ifndef NO_BIO
-#ifndef NO_FP_API
+#ifndef OPENSSL_NO_BIO
+#ifndef OPENSSL_NO_FP_API
 int BN_print_fp(FILE *fp, const BIGNUM *a)
         {
         BIO *b;
@@ -321,7 +321,7 @@ end:
 #endif
 
 #ifdef BN_DEBUG
-void bn_dump1(FILE *o, const char *a, BN_ULONG *b,int n)
+void bn_dump1(FILE *o, const char *a, const BN_ULONG *b,int n)
         {
         int i;
         fprintf(o, "%s=", a);
diff --git a/src/lib/libcrypto/bn/bn_rand.c b/src/lib/libcrypto/bn/bn_rand.c
index acd0619921..9e08ccd22e 100644
--- a/src/lib/libcrypto/bn/bn_rand.c
+++ b/src/lib/libcrypto/bn/bn_rand.c
@@ -55,6 +55,59 @@
  * copied and put under another distribution licence
  * [including the GNU Public Licence.]
  */
+/* ====================================================================
+ * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
 
 #include <stdio.h>
 #include <time.h>
@@ -171,9 +224,11 @@ int     BN_bntest_rand(BIGNUM *rnd, int bits, int top, int bottom)
         }
 #endif
 
+
 /* random number r:  0 <= r < range */
-int     BN_rand_range(BIGNUM *r, BIGNUM *range)
+static int bn_rand_range(int pseudo, BIGNUM *r, BIGNUM *range)
         {
+        int (*bn_rand)(BIGNUM *, int, int, int) = pseudo ? BN_pseudo_rand : BN_rand;
         int n;
 
         if (range->neg || BN_is_zero(range))
@@ -184,26 +239,19 @@ int	BN_rand_range(BIGNUM *r, BIGNUM *range)
 
         n = BN_num_bits(range); /* n > 0 */
 
+        /* BN_is_bit_set(range, n - 1) always holds */
+
         if (n == 1)
                 {
                 if (!BN_zero(r)) return 0;
                 }
-        else if (BN_is_bit_set(range, n - 2))
-                {
-                do
-                        {
-                        /* range = 11..._2, so each iteration succeeds with probability >= .75 */
-                        if (!BN_rand(r, n, -1, 0)) return 0;
-                        }
-                while (BN_cmp(r, range) >= 0);
-                }
-        else
+        else if (!BN_is_bit_set(range, n - 2) && !BN_is_bit_set(range, n - 3))
                 {
-                /* range = 10..._2,
+                /* range = 100..._2,
                  * so  3*range (= 11..._2)  is exactly one bit longer than  range */
                 do
                         {
-                        if (!BN_rand(r, n + 1, -1, 0)) return 0;
+                        if (!bn_rand(r, n + 1, -1, 0)) return 0;
                         /* If  r < 3*range,  use  r := r MOD range
                          * (which is either  r, r - range,  or  r - 2*range).
                          * Otherwise, iterate once more.
@@ -218,6 +266,26 @@ int	BN_rand_range(BIGNUM *r, BIGNUM *range)
                         }
                 while (BN_cmp(r, range) >= 0);
                 }
+        else
+                {
+                do
+                        {
+                        /* range = 11..._2  or  range = 101..._2 */
+                        if (!bn_rand(r, n, -1, 0)) return 0;
+                        }
+                while (BN_cmp(r, range) >= 0);
+                }
 
         return 1;
         }
+
+
+int     BN_rand_range(BIGNUM *r, BIGNUM *range)
+        {
+        return bn_rand_range(0, r, range);
+        }
+
+int     BN_pseudo_rand_range(BIGNUM *r, BIGNUM *range)
+        {
+        return bn_rand_range(1, r, range);
+        }
diff --git a/src/lib/libcrypto/bn/bn_recp.c b/src/lib/libcrypto/bn/bn_recp.c
index d019941d6b..ef5fdd4708 100644
--- a/src/lib/libcrypto/bn/bn_recp.c
+++ b/src/lib/libcrypto/bn/bn_recp.c
@@ -93,18 +93,19 @@ void BN_RECP_CTX_free(BN_RECP_CTX *recp)
 
 int BN_RECP_CTX_set(BN_RECP_CTX *recp, const BIGNUM *d, BN_CTX *ctx)
         {
-        BN_copy(&(recp->N),d);
-        BN_zero(&(recp->Nr));
+        if (!BN_copy(&(recp->N),d)) return 0;
+        if (!BN_zero(&(recp->Nr))) return 0;
         recp->num_bits=BN_num_bits(d);
         recp->shift=0;
         return(1);
         }
 
-int BN_mod_mul_reciprocal(BIGNUM *r, BIGNUM *x, BIGNUM *y, BN_RECP_CTX *recp,
-             BN_CTX *ctx)
+int BN_mod_mul_reciprocal(BIGNUM *r, const BIGNUM *x, const BIGNUM *y,
+        BN_RECP_CTX *recp, BN_CTX *ctx)
         {
         int ret=0;
         BIGNUM *a;
+        const BIGNUM *ca;
 
         BN_CTX_start(ctx);
         if ((a = BN_CTX_get(ctx)) == NULL) goto err;
@@ -114,19 +115,19 @@ int BN_mod_mul_reciprocal(BIGNUM *r, BIGNUM *x, BIGNUM *y, BN_RECP_CTX *recp,
                         { if (!BN_sqr(a,x,ctx)) goto err; }
                 else
                         { if (!BN_mul(a,x,y,ctx)) goto err; }
+                ca = a;
                 }
         else
-                a=x; /* Just do the mod */
+                ca=x; /* Just do the mod */
 
-        BN_div_recp(NULL,r,a,recp,ctx);
-        ret=1;
+        ret = BN_div_recp(NULL,r,ca,recp,ctx);
 err:
         BN_CTX_end(ctx);
         return(ret);
         }
 
-int BN_div_recp(BIGNUM *dv, BIGNUM *rem, BIGNUM *m, BN_RECP_CTX *recp,
-             BN_CTX *ctx)
+int BN_div_recp(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m,
+        BN_RECP_CTX *recp, BN_CTX *ctx)
         {
         int i,j,ret=0;
         BIGNUM *a,*b,*d,*r;
@@ -146,8 +147,8 @@ int BN_div_recp(BIGNUM *dv, BIGNUM *rem, BIGNUM *m, BN_RECP_CTX *recp,
 
         if (BN_ucmp(m,&(recp->N)) < 0)
                 {
-                BN_zero(d);
-                BN_copy(r,m);
+                if (!BN_zero(d)) return 0;
+                if (!BN_copy(r,m)) return 0;
                 BN_CTX_end(ctx);
                 return(1);
                 }
@@ -157,20 +158,28 @@ int BN_div_recp(BIGNUM *dv, BIGNUM *rem, BIGNUM *m, BN_RECP_CTX *recp,
          * we need multiply ABCDEF by 3 digests of the reciprocal of ab
          *
          */
-        i=BN_num_bits(m);
 
+        /* i := max(BN_num_bits(m), 2*BN_num_bits(N)) */
+        i=BN_num_bits(m);
         j=recp->num_bits<<1;
         if (j>i) i=j;
-        j>>=1;
 
+        /* Nr := round(2^i / N) */
         if (i != recp->shift)
                 recp->shift=BN_reciprocal(&(recp->Nr),&(recp->N),
-                        i,ctx);
+                        i,ctx); /* BN_reciprocal returns i, or -1 for an error */
+        if (recp->shift == -1) goto err;
 
-        if (!BN_rshift(a,m,j)) goto err;
+        /* d := |round(round(m / 2^BN_num_bits(N)) * recp->Nr / 2^(i - BN_num_bits(N)))|
+         *    = |round(round(m / 2^BN_num_bits(N)) * round(2^i / N) / 2^(i - BN_num_bits(N)))|
+         *   <= |(m / 2^BN_num_bits(N)) * (2^i / N) * (2^BN_num_bits(N) / 2^i)|
+         *    = |m/N|
+         */
+        if (!BN_rshift(a,m,recp->num_bits)) goto err;
         if (!BN_mul(b,a,&(recp->Nr),ctx)) goto err;
-        if (!BN_rshift(d,b,i-j)) goto err;
+        if (!BN_rshift(d,b,i-recp->num_bits)) goto err;
         d->neg=0;
+
         if (!BN_mul(b,&(recp->N),d,ctx)) goto err;
         if (!BN_usub(r,m,b)) goto err;
         r->neg=0;
@@ -201,20 +210,21 @@ err:
  * We actually calculate with an extra word of precision, so
  * we can do faster division if the remainder is not required.
  */
-int BN_reciprocal(BIGNUM *r, BIGNUM *m, int len, BN_CTX *ctx)
+/* r := 2^len / m */
+int BN_reciprocal(BIGNUM *r, const BIGNUM *m, int len, BN_CTX *ctx)
         {
         int ret= -1;
         BIGNUM t;
 
         BN_init(&t);
 
-        BN_zero(&t);
+        if (!BN_zero(&t)) goto err;
         if (!BN_set_bit(&t,len)) goto err;
 
         if (!BN_div(r,NULL,&t,m,ctx)) goto err;
+
         ret=len;
 err:
         BN_free(&t);
         return(ret);
         }
-
diff --git a/src/lib/libcrypto/bn/bn_shift.c b/src/lib/libcrypto/bn/bn_shift.c
index c2608f9f4a..70f785ea18 100644
--- a/src/lib/libcrypto/bn/bn_shift.c
+++ b/src/lib/libcrypto/bn/bn_shift.c
@@ -60,7 +60,7 @@
 #include "cryptlib.h"
 #include "bn_lcl.h"
 
-int BN_lshift1(BIGNUM *r, BIGNUM *a)
+int BN_lshift1(BIGNUM *r, const BIGNUM *a)
         {
         register BN_ULONG *ap,*rp,t,c;
         int i;
@@ -92,7 +92,7 @@ int BN_lshift1(BIGNUM *r, BIGNUM *a)
         return(1);
         }
 
-int BN_rshift1(BIGNUM *r, BIGNUM *a)
+int BN_rshift1(BIGNUM *r, const BIGNUM *a)
         {
         BN_ULONG *ap,*rp,t,c;
         int i;
@@ -128,8 +128,8 @@ int BN_lshift(BIGNUM *r, const BIGNUM *a, int n)
         BN_ULONG l;
 
         r->neg=a->neg;
-        if (bn_wexpand(r,a->top+(n/BN_BITS2)+1) == NULL) return(0);
         nw=n/BN_BITS2;
+        if (bn_wexpand(r,a->top+nw+1) == NULL) return(0);
         lb=n%BN_BITS2;
         rb=BN_BITS2-lb;
         f=a->d;
@@ -153,7 +153,7 @@ int BN_lshift(BIGNUM *r, const BIGNUM *a, int n)
         return(1);
         }
 
-int BN_rshift(BIGNUM *r, BIGNUM *a, int n)
+int BN_rshift(BIGNUM *r, const BIGNUM *a, int n)
         {
         int i,j,nw,lb,rb;
         BN_ULONG *t,*f;
diff --git a/src/lib/libcrypto/bn/bn_sqr.c b/src/lib/libcrypto/bn/bn_sqr.c
index 75f4f38392..c1d0cca438 100644
--- a/src/lib/libcrypto/bn/bn_sqr.c
+++ b/src/lib/libcrypto/bn/bn_sqr.c
@@ -62,14 +62,14 @@
 
 /* r must not be a */
 /* I've just gone over this and it is now %20 faster on x86 - eay - 27 Jun 96 */
-int BN_sqr(BIGNUM *r, BIGNUM *a, BN_CTX *ctx)
+int BN_sqr(BIGNUM *r, const BIGNUM *a, BN_CTX *ctx)
         {
         int max,al;
         int ret = 0;
         BIGNUM *tmp,*rr;
 
 #ifdef BN_COUNT
-printf("BN_sqr %d * %d\n",a->top,a->top);
+        fprintf(stderr,"BN_sqr %d * %d\n",a->top,a->top);
 #endif
         bn_check_top(a);
 
@@ -88,7 +88,6 @@ printf("BN_sqr %d * %d\n",a->top,a->top);
         max=(al+al);
         if (bn_wexpand(rr,max+1) == NULL) goto err;
 
-        r->neg=0;
         if (al == 4)
                 {
 #ifndef BN_SQR_COMBA
@@ -124,7 +123,6 @@ printf("BN_sqr %d * %d\n",a->top,a->top);
                         k=j+j;
                         if (al == j)
                                 {
-                                if (bn_wexpand(a,k*2) == NULL) goto err;
                                 if (bn_wexpand(tmp,k*2) == NULL) goto err;
                                 bn_sqr_recursive(rr->d,a->d,al,tmp->d);
                                 }
@@ -141,6 +139,7 @@ printf("BN_sqr %d * %d\n",a->top,a->top);
                 }
 
         rr->top=max;
+        rr->neg=0;
         if ((max > 0) && (rr->d[max-1] == 0)) rr->top--;
         if (rr != r) BN_copy(r,rr);
         ret = 1;
@@ -150,10 +149,11 @@ printf("BN_sqr %d * %d\n",a->top,a->top);
         }
 
 /* tmp must have 2*n words */
-void bn_sqr_normal(BN_ULONG *r, BN_ULONG *a, int n, BN_ULONG *tmp)
+void bn_sqr_normal(BN_ULONG *r, const BN_ULONG *a, int n, BN_ULONG *tmp)
         {
         int i,j,max;
-        BN_ULONG *ap,*rp;
+        const BN_ULONG *ap;
+        BN_ULONG *rp;
 
         max=n*2;
         ap=a;
@@ -197,14 +197,14 @@ void bn_sqr_normal(BN_ULONG *r, BN_ULONG *a, int n, BN_ULONG *tmp)
  * a[0]*b[0]+a[1]*b[1]+(a[0]-a[1])*(b[1]-b[0])
  * a[1]*b[1]
  */
-void bn_sqr_recursive(BN_ULONG *r, BN_ULONG *a, int n2, BN_ULONG *t)
+void bn_sqr_recursive(BN_ULONG *r, const BN_ULONG *a, int n2, BN_ULONG *t)
         {
         int n=n2/2;
         int zero,c1;
         BN_ULONG ln,lo,*p;
 
 #ifdef BN_COUNT
-printf(" bn_sqr_recursive %d * %d\n",n2,n2);
+        fprintf(stderr," bn_sqr_recursive %d * %d\n",n2,n2);
 #endif
         if (n2 == 4)
                 {
@@ -245,7 +245,7 @@ printf(" bn_sqr_recursive %d * %d\n",n2,n2);
         if (!zero)
                 bn_sqr_recursive(&(t[n2]),t,n,p);
         else
-                memset(&(t[n2]),0,n*sizeof(BN_ULONG));
+                memset(&(t[n2]),0,n2*sizeof(BN_ULONG));
         bn_sqr_recursive(r,a,n,p);
         bn_sqr_recursive(&(r[n2]),&(a[n]),n,p);
 
diff --git a/src/lib/libcrypto/bn/bn_sqrt.c b/src/lib/libcrypto/bn/bn_sqrt.c
new file mode 100644
index 0000000000..e2a1105dc8
--- /dev/null
+++ b/src/lib/libcrypto/bn/bn_sqrt.c
@@ -0,0 +1,387 @@
+/* crypto/bn/bn_mod.c */
+/* Written by Lenka Fibikova <fibikova@exp-math.uni-essen.de>
+ * and Bodo Moeller for the OpenSSL project. */
+/* ====================================================================
+ * Copyright (c) 1998-2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include "cryptlib.h"
+#include "bn_lcl.h"
+
+
+BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx) 
+/* Returns 'ret' such that
+ *      ret^2 == a (mod p),
+ * using the Tonelli/Shanks algorithm (cf. Henri Cohen, "A Course
+ * in Algebraic Computational Number Theory", algorithm 1.5.1).
+ * 'p' must be prime!
+ * If 'a' is not a square, this is not necessarily detected by
+ * the algorithms; a bogus result must be expected in this case.
+ */
+        {
+        BIGNUM *ret = in;
+        int err = 1;
+        int r;
+        BIGNUM *b, *q, *t, *x, *y;
+        int e, i, j;
+        
+        if (!BN_is_odd(p) || BN_abs_is_word(p, 1))
+                {
+                if (BN_abs_is_word(p, 2))
+                        {
+                        if (ret == NULL)
+                                ret = BN_new();
+                        if (ret == NULL)
+                                goto end;
+                        if (!BN_set_word(ret, BN_is_bit_set(a, 0)))
+                                {
+                                BN_free(ret);
+                                return NULL;
+                                }
+                        return ret;
+                        }
+
+                BNerr(BN_F_BN_MOD_SQRT, BN_R_P_IS_NOT_PRIME);
+                return(NULL);
+                }
+
+        if (BN_is_zero(a) || BN_is_one(a))
+                {
+                if (ret == NULL)
+                        ret = BN_new();
+                if (ret == NULL)
+                        goto end;
+                if (!BN_set_word(ret, BN_is_one(a)))
+                        {
+                        BN_free(ret);
+                        return NULL;
+                        }
+                return ret;
+                }
+
+#if 0 /* if BN_mod_sqrt is used with correct input, this just wastes time */
+        r = BN_kronecker(a, p, ctx);
+        if (r < -1) return NULL;
+        if (r == -1)
+                {
+                BNerr(BN_F_BN_MOD_SQRT, BN_R_NOT_A_SQUARE);
+                return(NULL);
+                }
+#endif
+
+        BN_CTX_start(ctx);
+        b = BN_CTX_get(ctx);
+        q = BN_CTX_get(ctx);
+        t = BN_CTX_get(ctx);
+        x = BN_CTX_get(ctx);
+        y = BN_CTX_get(ctx);
+        if (y == NULL) goto end;
+        
+        if (ret == NULL)
+                ret = BN_new();
+        if (ret == NULL) goto end;
+
+        /* now write  |p| - 1  as  2^e*q  where  q  is odd */
+        e = 1;
+        while (!BN_is_bit_set(p, e))
+                e++;
+        /* we'll set  q  later (if needed) */
+
+        if (e == 1)
+                {
+                /* The easy case:  (|p|-1)/2  is odd, so 2 has an inverse
+                 * modulo  (|p|-1)/2,  and square roots can be computed
+                 * directly by modular exponentiation.
+                 * We have
+                 *     2 * (|p|+1)/4 == 1   (mod (|p|-1)/2),
+                 * so we can use exponent  (|p|+1)/4,  i.e.  (|p|-3)/4 + 1.
+                 */
+                if (!BN_rshift(q, p, 2)) goto end;
+                q->neg = 0;
+                if (!BN_add_word(q, 1)) goto end;
+                if (!BN_mod_exp(ret, a, q, p, ctx)) goto end;
+                err = 0;
+                goto end;
+                }
+        
+        if (e == 2)
+                {
+                /* |p| == 5  (mod 8)
+                 *
+                 * In this case  2  is always a non-square since
+                 * Legendre(2,p) = (-1)^((p^2-1)/8)  for any odd prime.
+                 * So if  a  really is a square, then  2*a  is a non-square.
+                 * Thus for
+                 *      b := (2*a)^((|p|-5)/8),
+                 *      i := (2*a)*b^2
+                 * we have
+                 *     i^2 = (2*a)^((1 + (|p|-5)/4)*2)
+                 *         = (2*a)^((p-1)/2)
+                 *         = -1;
+                 * so if we set
+                 *      x := a*b*(i-1),
+                 * then
+                 *     x^2 = a^2 * b^2 * (i^2 - 2*i + 1)
+                 *         = a^2 * b^2 * (-2*i)
+                 *         = a*(-i)*(2*a*b^2)
+                 *         = a*(-i)*i
+                 *         = a.
+                 *
+                 * (This is due to A.O.L. Atkin, 
+                 * <URL: http://listserv.nodak.edu/scripts/wa.exe?A2=ind9211&L=nmbrthry&O=T&P=562>,
+                 * November 1992.)
+                 */
+
+                /* make sure that  a  is reduced modulo p */
+                if (a->neg || BN_ucmp(a, p) >= 0)
+                        {
+                        if (!BN_nnmod(x, a, p, ctx)) goto end;
+                        a = x; /* use x as temporary variable */
+                        }
+
+                /* t := 2*a */
+                if (!BN_mod_lshift1_quick(t, a, p)) goto end;
+
+                /* b := (2*a)^((|p|-5)/8) */
+                if (!BN_rshift(q, p, 3)) goto end;
+                q->neg = 0;
+                if (!BN_mod_exp(b, t, q, p, ctx)) goto end;
+
+                /* y := b^2 */
+                if (!BN_mod_sqr(y, b, p, ctx)) goto end;
+
+                /* t := (2*a)*b^2 - 1*/
+                if (!BN_mod_mul(t, t, y, p, ctx)) goto end;
+                if (!BN_sub_word(t, 1)) goto end;
+
+                /* x = a*b*t */
+                if (!BN_mod_mul(x, a, b, p, ctx)) goto end;
+                if (!BN_mod_mul(x, x, t, p, ctx)) goto end;
+
+                if (!BN_copy(ret, x)) goto end;
+                err = 0;
+                goto end;
+                }
+        
+        /* e > 2, so we really have to use the Tonelli/Shanks algorithm.
+         * First, find some  y  that is not a square. */
+        if (!BN_copy(q, p)) goto end; /* use 'q' as temp */
+        q->neg = 0;
+        i = 2;
+        do
+                {
+                /* For efficiency, try small numbers first;
+                 * if this fails, try random numbers.
+                 */
+                if (i < 22)
+                        {
+                        if (!BN_set_word(y, i)) goto end;
+                        }
+                else
+                        {
+                        if (!BN_pseudo_rand(y, BN_num_bits(p), 0, 0)) goto end;
+                        if (BN_ucmp(y, p) >= 0)
+                                {
+                                if (!(p->neg ? BN_add : BN_sub)(y, y, p)) goto end;
+                                }
+                        /* now 0 <= y < |p| */
+                        if (BN_is_zero(y))
+                                if (!BN_set_word(y, i)) goto end;
+                        }
+                
+                r = BN_kronecker(y, q, ctx); /* here 'q' is |p| */
+                if (r < -1) goto end;
+                if (r == 0)
+                        {
+                        /* m divides p */
+                        BNerr(BN_F_BN_MOD_SQRT, BN_R_P_IS_NOT_PRIME);
+                        goto end;
+                        }
+                }
+        while (r == 1 && ++i < 82);
+        
+        if (r != -1)
+                {
+                /* Many rounds and still no non-square -- this is more likely
+                 * a bug than just bad luck.
+                 * Even if  p  is not prime, we should have found some  y
+                 * such that r == -1.
+                 */
+                BNerr(BN_F_BN_MOD_SQRT, BN_R_TOO_MANY_ITERATIONS);
+                goto end;
+                }
+
+        /* Here's our actual 'q': */
+        if (!BN_rshift(q, q, e)) goto end;
+
+        /* Now that we have some non-square, we can find an element
+         * of order  2^e  by computing its q'th power. */
+        if (!BN_mod_exp(y, y, q, p, ctx)) goto end;
+        if (BN_is_one(y))
+                {
+                BNerr(BN_F_BN_MOD_SQRT, BN_R_P_IS_NOT_PRIME);
+                goto end;
+                }
+
+        /* Now we know that (if  p  is indeed prime) there is an integer
+         * k,  0 <= k < 2^e,  such that
+         *
+         *      a^q * y^k == 1   (mod p).
+         *
+         * As  a^q  is a square and  y  is not,  k  must be even.
+         * q+1  is even, too, so there is an element
+         *
+         *     X := a^((q+1)/2) * y^(k/2),
+         *
+         * and it satisfies
+         *
+         *     X^2 = a^q * a     * y^k
+         *         = a,
+         *
+         * so it is the square root that we are looking for.
+         */
+        
+        /* t := (q-1)/2  (note that  q  is odd) */
+        if (!BN_rshift1(t, q)) goto end;
+        
+        /* x := a^((q-1)/2) */
+        if (BN_is_zero(t)) /* special case: p = 2^e + 1 */
+                {
+                if (!BN_nnmod(t, a, p, ctx)) goto end;
+                if (BN_is_zero(t))
+                        {
+                        /* special case: a == 0  (mod p) */
+                        if (!BN_zero(ret)) goto end;
+                        err = 0;
+                        goto end;
+                        }
+                else
+                        if (!BN_one(x)) goto end;
+                }
+        else
+                {
+                if (!BN_mod_exp(x, a, t, p, ctx)) goto end;
+                if (BN_is_zero(x))
+                        {
+                        /* special case: a == 0  (mod p) */
+                        if (!BN_zero(ret)) goto end;
+                        err = 0;
+                        goto end;
+                        }
+                }
+
+        /* b := a*x^2  (= a^q) */
+        if (!BN_mod_sqr(b, x, p, ctx)) goto end;
+        if (!BN_mod_mul(b, b, a, p, ctx)) goto end;
+        
+        /* x := a*x    (= a^((q+1)/2)) */
+        if (!BN_mod_mul(x, x, a, p, ctx)) goto end;
+
+        while (1)
+                {
+                /* Now  b  is  a^q * y^k  for some even  k  (0 <= k < 2^E
+                 * where  E  refers to the original value of  e,  which we
+                 * don't keep in a variable),  and  x  is  a^((q+1)/2) * y^(k/2).
+                 *
+                 * We have  a*b = x^2,
+                 *    y^2^(e-1) = -1,
+                 *    b^2^(e-1) = 1.
+                 */
+
+                if (BN_is_one(b))
+                        {
+                        if (!BN_copy(ret, x)) goto end;
+                        err = 0;
+                        goto end;
+                        }
+
+
+                /* find smallest  i  such that  b^(2^i) = 1 */
+                i = 1;
+                if (!BN_mod_sqr(t, b, p, ctx)) goto end;
+                while (!BN_is_one(t))
+                        {
+                        i++;
+                        if (i == e)
+                                {
+                                BNerr(BN_F_BN_MOD_SQRT, BN_R_NOT_A_SQUARE);
+                                goto end;
+                                }
+                        if (!BN_mod_mul(t, t, t, p, ctx)) goto end;
+                        }
+                
+
+                /* t := y^2^(e - i - 1) */
+                if (!BN_copy(t, y)) goto end;
+                for (j = e - i - 1; j > 0; j--)
+                        {
+                        if (!BN_mod_sqr(t, t, p, ctx)) goto end;
+                        }
+                if (!BN_mod_mul(y, t, t, p, ctx)) goto end;
+                if (!BN_mod_mul(x, x, t, p, ctx)) goto end;
+                if (!BN_mod_mul(b, b, y, p, ctx)) goto end;
+                e = i;
+                }
+
+ end:
+        if (err)
+                {
+                if (ret != NULL && ret != in)
+                        {
+                        BN_clear_free(ret);
+                        }
+                ret = NULL;
+                }
+        BN_CTX_end(ctx);
+        return ret;
+        }
diff --git a/src/lib/libcrypto/bn/bnspeed.c b/src/lib/libcrypto/bn/bnspeed.c
index 20fc7e08ff..b554ac8cf8 100644
--- a/src/lib/libcrypto/bn/bnspeed.c
+++ b/src/lib/libcrypto/bn/bnspeed.c
@@ -71,7 +71,7 @@
 #include <openssl/crypto.h>
 #include <openssl/err.h>
 
-#if !defined(MSDOS) && (!defined(VMS) || defined(__DECC))
+#if !defined(OPENSSL_SYS_MSDOS) && (!defined(OPENSSL_SYS_VMS) || defined(__DECC)) && !defined(OPENSSL_SYS_MACOSX)
 #define TIMES
 #endif
 
@@ -87,7 +87,7 @@
    The __TMS macro will show if it was.  If it wasn't defined, we should
    undefine TIMES, since that tells the rest of the program how things
    should be handled.                           -- Richard Levitte */
-#if defined(VMS) && defined(__DECC) && !defined(__TMS)
+#if defined(OPENSSL_SYS_VMS_DECC) && !defined(__TMS)
 #undef TIMES
 #endif
 
diff --git a/src/lib/libcrypto/bn/bntest.c b/src/lib/libcrypto/bn/bntest.c
index af0c2629e8..443cf420e5 100644
--- a/src/lib/libcrypto/bn/bntest.c
+++ b/src/lib/libcrypto/bn/bntest.c
@@ -60,7 +60,7 @@
 #include <stdlib.h>
 #include <string.h>
 
-#include "openssl/e_os.h"
+#include "e_os.h"
 
 #include <openssl/bio.h>
 #include <openssl/bn.h>
@@ -68,7 +68,7 @@
 #include <openssl/x509.h>
 #include <openssl/err.h>
 
-#ifdef WINDOWS
+#ifdef OPENSSL_SYS_WINDOWS
 #include "../bio/bss_file.c"
 #endif
 
@@ -91,10 +91,12 @@ int test_mod(BIO *bp,BN_CTX *ctx);
 int test_mod_mul(BIO *bp,BN_CTX *ctx);
 int test_mod_exp(BIO *bp,BN_CTX *ctx);
 int test_exp(BIO *bp,BN_CTX *ctx);
+int test_kron(BIO *bp,BN_CTX *ctx);
+int test_sqrt(BIO *bp,BN_CTX *ctx);
 int rand_neg(void);
 static int results=0;
 
-#ifdef NO_STDIO
+#ifdef OPENSSL_NO_STDIO
 #define APPS_WIN16
 #include "bss_file.c"
 #endif
@@ -224,6 +226,14 @@ int main(int argc, char *argv[])
         if (!test_exp(out,ctx)) goto err;
         BIO_flush(out);
 
+        message(out,"BN_kronecker");
+        if (!test_kron(out,ctx)) goto err;
+        BIO_flush(out);
+
+        message(out,"BN_mod_sqrt");
+        if (!test_sqrt(out,ctx)) goto err;
+        BIO_flush(out);
+
         BN_CTX_free(ctx);
         BIO_free(out);
 
@@ -243,7 +253,6 @@ int test_add(BIO *bp)
         {
         BIGNUM a,b,c;
         int i;
-        int j;
 
         BN_init(&a);
         BN_init(&b);
@@ -255,9 +264,6 @@ int test_add(BIO *bp)
                 BN_bntest_rand(&b,450+i,0,0);
                 a.neg=rand_neg();
                 b.neg=rand_neg();
-                if (bp == NULL)
-                        for (j=0; j<10000; j++)
-                                BN_add(&c,&a,&b);
                 BN_add(&c,&a,&b);
                 if (bp != NULL)
                         {
@@ -291,7 +297,6 @@ int test_sub(BIO *bp)
         {
         BIGNUM a,b,c;
         int i;
-        int j;
 
         BN_init(&a);
         BN_init(&b);
@@ -312,9 +317,6 @@ int test_sub(BIO *bp)
                         a.neg=rand_neg();
                         b.neg=rand_neg();
                         }
-                if (bp == NULL)
-                        for (j=0; j<10000; j++)
-                                BN_sub(&c,&a,&b);
                 BN_sub(&c,&a,&b);
                 if (bp != NULL)
                         {
@@ -346,7 +348,6 @@ int test_div(BIO *bp, BN_CTX *ctx)
         {
         BIGNUM a,b,c,d,e;
         int i;
-        int j;
 
         BN_init(&a);
         BN_init(&b);
@@ -367,9 +368,6 @@ int test_div(BIO *bp, BN_CTX *ctx)
                         BN_bntest_rand(&b,50+3*(i-num1),0,0);
                 a.neg=rand_neg();
                 b.neg=rand_neg();
-                if (bp == NULL)
-                        for (j=0; j<100; j++)
-                                BN_div(&d,&c,&a,&b,ctx);
                 BN_div(&d,&c,&a,&b,ctx);
                 if (bp != NULL)
                         {
@@ -415,7 +413,6 @@ int test_div_recp(BIO *bp, BN_CTX *ctx)
         BIGNUM a,b,c,d,e;
         BN_RECP_CTX recp;
         int i;
-        int j;
 
         BN_RECP_CTX_init(&recp);
         BN_init(&a);
@@ -438,9 +435,6 @@ int test_div_recp(BIO *bp, BN_CTX *ctx)
                 a.neg=rand_neg();
                 b.neg=rand_neg();
                 BN_RECP_CTX_set(&recp,&b,ctx);
-                if (bp == NULL)
-                        for (j=0; j<100; j++)
-                                BN_div_recp(&d,&c,&a,&recp,ctx);
                 BN_div_recp(&d,&c,&a,&recp,ctx);
                 if (bp != NULL)
                         {
@@ -491,10 +485,11 @@ int test_mul(BIO *bp)
         {
         BIGNUM a,b,c,d,e;
         int i;
-        int j;
-        BN_CTX ctx;
+        BN_CTX *ctx;
 
-        BN_CTX_init(&ctx);
+        ctx = BN_CTX_new();
+        if (ctx == NULL) exit(1);
+        
         BN_init(&a);
         BN_init(&b);
         BN_init(&c);
@@ -512,10 +507,7 @@ int test_mul(BIO *bp)
                         BN_bntest_rand(&b,i-num1,0,0);
                 a.neg=rand_neg();
                 b.neg=rand_neg();
-                if (bp == NULL)
-                        for (j=0; j<100; j++)
-                                BN_mul(&c,&a,&b,&ctx);
-                BN_mul(&c,&a,&b,&ctx);
+                BN_mul(&c,&a,&b,ctx);
                 if (bp != NULL)
                         {
                         if (!results)
@@ -528,7 +520,7 @@ int test_mul(BIO *bp)
                         BN_print(bp,&c);
                         BIO_puts(bp,"\n");
                         }
-                BN_div(&d,&e,&c,&a,&ctx);
+                BN_div(&d,&e,&c,&a,ctx);
                 BN_sub(&d,&d,&b);
                 if(!BN_is_zero(&d) || !BN_is_zero(&e))
                     {
@@ -541,7 +533,7 @@ int test_mul(BIO *bp)
         BN_free(&c);
         BN_free(&d);
         BN_free(&e);
-        BN_CTX_free(&ctx);
+        BN_CTX_free(ctx);
         return(1);
         }
 
@@ -549,7 +541,6 @@ int test_sqr(BIO *bp, BN_CTX *ctx)
         {
         BIGNUM a,c,d,e;
         int i;
-        int j;
 
         BN_init(&a);
         BN_init(&c);
@@ -560,9 +551,6 @@ int test_sqr(BIO *bp, BN_CTX *ctx)
                 {
                 BN_bntest_rand(&a,40+i*10,0,0);
                 a.neg=rand_neg();
-                if (bp == NULL)
-                        for (j=0; j<100; j++)
-                                BN_sqr(&c,&a,ctx);
                 BN_sqr(&c,&a,ctx);
                 if (bp != NULL)
                         {
@@ -596,7 +584,6 @@ int test_mont(BIO *bp, BN_CTX *ctx)
         BIGNUM a,b,c,d,A,B;
         BIGNUM n;
         int i;
-        int j;
         BN_MONT_CTX *mont;
 
         BN_init(&a);
@@ -620,12 +607,12 @@ int test_mont(BIO *bp, BN_CTX *ctx)
                 BN_bntest_rand(&n,bits,0,1);
                 BN_MONT_CTX_set(mont,&n,ctx);
 
+                BN_nnmod(&a,&a,&n,ctx);
+                BN_nnmod(&b,&b,&n,ctx);
+
                 BN_to_montgomery(&A,&a,mont,ctx);
                 BN_to_montgomery(&B,&b,mont,ctx);
 
-                if (bp == NULL)
-                        for (j=0; j<100; j++)
-                                BN_mod_mul_montgomery(&c,&A,&B,mont,ctx);/**/
                 BN_mod_mul_montgomery(&c,&A,&B,mont,ctx);/**/
                 BN_from_montgomery(&A,&c,mont,ctx);/**/
                 if (bp != NULL)
@@ -671,7 +658,6 @@ int test_mod(BIO *bp, BN_CTX *ctx)
         {
         BIGNUM *a,*b,*c,*d,*e;
         int i;
-        int j;
 
         a=BN_new();
         b=BN_new();
@@ -685,9 +671,6 @@ int test_mod(BIO *bp, BN_CTX *ctx)
                 BN_bntest_rand(b,450+i*10,0,0); /**/
                 a->neg=rand_neg();
                 b->neg=rand_neg();
-                if (bp == NULL)
-                        for (j=0; j<100; j++)
-                                BN_mod(c,a,b,ctx);/**/
                 BN_mod(c,a,b,ctx);/**/
                 if (bp != NULL)
                         {
@@ -720,7 +703,7 @@ int test_mod(BIO *bp, BN_CTX *ctx)
 int test_mod_mul(BIO *bp, BN_CTX *ctx)
         {
         BIGNUM *a,*b,*c,*d,*e;
-        int i;
+        int i,j;
 
         a=BN_new();
         b=BN_new();
@@ -728,6 +711,7 @@ int test_mod_mul(BIO *bp, BN_CTX *ctx)
         d=BN_new();
         e=BN_new();
 
+        for (j=0; j<3; j++) {
         BN_bntest_rand(c,1024,0,0); /**/
         for (i=0; i<num0; i++)
                 {
@@ -735,10 +719,6 @@ int test_mod_mul(BIO *bp, BN_CTX *ctx)
                 BN_bntest_rand(b,425+i*11,0,0); /**/
                 a->neg=rand_neg();
                 b->neg=rand_neg();
-        /*      if (bp == NULL)
-                        for (j=0; j<100; j++)
-                                BN_mod_mul(d,a,b,c,ctx);*/ /**/
-
                 if (!BN_mod_mul(e,a,b,c,ctx))
                         {
                         unsigned long l;
@@ -757,6 +737,16 @@ int test_mod_mul(BIO *bp, BN_CTX *ctx)
                                 BN_print(bp,b);
                                 BIO_puts(bp," % ");
                                 BN_print(bp,c);
+                                if ((a->neg ^ b->neg) && !BN_is_zero(e))
+                                        {
+                                        /* If  (a*b) % c  is negative,  c  must be added
+                                         * in order to obtain the normalized remainder
+                                         * (new with OpenSSL 0.9.7, previous versions of
+                                         * BN_mod_mul could generate negative results)
+                                         */
+                                        BIO_puts(bp," + ");
+                                        BN_print(bp,c);
+                                        }
                                 BIO_puts(bp," - ");
                                 }
                         BN_print(bp,e);
@@ -768,9 +758,11 @@ int test_mod_mul(BIO *bp, BN_CTX *ctx)
                 if(!BN_is_zero(b))
                     {
                     fprintf(stderr,"Modulo multiply test failed!\n");
+                    ERR_print_errors_fp(stderr);
                     return 0;
                     }
                 }
+        }
         BN_free(a);
         BN_free(b);
         BN_free(c);
@@ -880,6 +872,183 @@ int test_exp(BIO *bp, BN_CTX *ctx)
         return(1);
         }
 
+static void genprime_cb(int p, int n, void *arg)
+        {
+        char c='*';
+
+        if (p == 0) c='.';
+        if (p == 1) c='+';
+        if (p == 2) c='*';
+        if (p == 3) c='\n';
+        putc(c, stderr);
+        fflush(stderr);
+        (void)n;
+        (void)arg;
+        }
+
+int test_kron(BIO *bp, BN_CTX *ctx)
+        {
+        BIGNUM *a,*b,*r,*t;
+        int i;
+        int legendre, kronecker;
+        int ret = 0;
+
+        a = BN_new();
+        b = BN_new();
+        r = BN_new();
+        t = BN_new();
+        if (a == NULL || b == NULL || r == NULL || t == NULL) goto err;
+        
+        /* We test BN_kronecker(a, b, ctx) just for  b  odd (Jacobi symbol).
+         * In this case we know that if  b  is prime, then BN_kronecker(a, b, ctx)
+         * is congruent to $a^{(b-1)/2}$, modulo $b$ (Legendre symbol).
+         * So we generate a random prime  b  and compare these values
+         * for a number of random  a's.  (That is, we run the Solovay-Strassen
+         * primality test to confirm that  b  is prime, except that we
+         * don't want to test whether  b  is prime but whether BN_kronecker
+         * works.) */
+
+        if (!BN_generate_prime(b, 512, 0, NULL, NULL, genprime_cb, NULL)) goto err;
+        b->neg = rand_neg();
+        putc('\n', stderr);
+
+        for (i = 0; i < num0; i++)
+                {
+                if (!BN_bntest_rand(a, 512, 0, 0)) goto err;
+                a->neg = rand_neg();
+
+                /* t := (|b|-1)/2  (note that b is odd) */
+                if (!BN_copy(t, b)) goto err;
+                t->neg = 0;
+                if (!BN_sub_word(t, 1)) goto err;
+                if (!BN_rshift1(t, t)) goto err;
+                /* r := a^t mod b */
+                b->neg=0;
+                
+                if (!BN_mod_exp_recp(r, a, t, b, ctx)) goto err; /* XXX should be BN_mod_exp_recp, but ..._recp triggers a bug that must be fixed */
+                b->neg=1;
+
+                if (BN_is_word(r, 1))
+                        legendre = 1;
+                else if (BN_is_zero(r))
+                        legendre = 0;
+                else
+                        {
+                        if (!BN_add_word(r, 1)) goto err;
+                        if (0 != BN_ucmp(r, b))
+                                {
+                                fprintf(stderr, "Legendre symbol computation failed\n");
+                                goto err;
+                                }
+                        legendre = -1;
+                        }
+                
+                kronecker = BN_kronecker(a, b, ctx);
+                if (kronecker < -1) goto err;
+                /* we actually need BN_kronecker(a, |b|) */
+                if (a->neg && b->neg)
+                        kronecker = -kronecker;
+                
+                if (legendre != kronecker)
+                        {
+                        fprintf(stderr, "legendre != kronecker; a = ");
+                        BN_print_fp(stderr, a);
+                        fprintf(stderr, ", b = ");
+                        BN_print_fp(stderr, b);
+                        fprintf(stderr, "\n");
+                        goto err;
+                        }
+
+                putc('.', stderr);
+                fflush(stderr);
+                }
+
+        putc('\n', stderr);
+        fflush(stderr);
+        ret = 1;
+ err:
+        if (a != NULL) BN_free(a);
+        if (b != NULL) BN_free(b);
+        if (r != NULL) BN_free(r);
+        if (t != NULL) BN_free(t);
+        return ret;
+        }
+
+int test_sqrt(BIO *bp, BN_CTX *ctx)
+        {
+        BIGNUM *a,*p,*r;
+        int i, j;
+        int ret = 0;
+
+        a = BN_new();
+        p = BN_new();
+        r = BN_new();
+        if (a == NULL || p == NULL || r == NULL) goto err;
+        
+        for (i = 0; i < 16; i++)
+                {
+                if (i < 8)
+                        {
+                        unsigned primes[8] = { 2, 3, 5, 7, 11, 13, 17, 19 };
+                        
+                        if (!BN_set_word(p, primes[i])) goto err;
+                        }
+                else
+                        {
+                        if (!BN_set_word(a, 32)) goto err;
+                        if (!BN_set_word(r, 2*i + 1)) goto err;
+                
+                        if (!BN_generate_prime(p, 256, 0, a, r, genprime_cb, NULL)) goto err;
+                        putc('\n', stderr);
+                        }
+                p->neg = rand_neg();
+
+                for (j = 0; j < num2; j++)
+                        {
+                        /* construct 'a' such that it is a square modulo p,
+                         * but in general not a proper square and not reduced modulo p */
+                        if (!BN_bntest_rand(r, 256, 0, 3)) goto err;
+                        if (!BN_nnmod(r, r, p, ctx)) goto err;
+                        if (!BN_mod_sqr(r, r, p, ctx)) goto err;
+                        if (!BN_bntest_rand(a, 256, 0, 3)) goto err;
+                        if (!BN_nnmod(a, a, p, ctx)) goto err;
+                        if (!BN_mod_sqr(a, a, p, ctx)) goto err;
+                        if (!BN_mul(a, a, r, ctx)) goto err;
+                        if (rand_neg())
+                                if (!BN_sub(a, a, p)) goto err;
+
+                        if (!BN_mod_sqrt(r, a, p, ctx)) goto err;
+                        if (!BN_mod_sqr(r, r, p, ctx)) goto err;
+
+                        if (!BN_nnmod(a, a, p, ctx)) goto err;
+
+                        if (BN_cmp(a, r) != 0)
+                                {
+                                fprintf(stderr, "BN_mod_sqrt failed: a = ");
+                                BN_print_fp(stderr, a);
+                                fprintf(stderr, ", r = ");
+                                BN_print_fp(stderr, r);
+                                fprintf(stderr, ", p = ");
+                                BN_print_fp(stderr, p);
+                                fprintf(stderr, "\n");
+                                goto err;
+                                }
+
+                        putc('.', stderr);
+                        fflush(stderr);
+                        }
+                
+                putc('\n', stderr);
+                fflush(stderr);
+                }
+        ret = 1;
+ err:
+        if (a != NULL) BN_free(a);
+        if (p != NULL) BN_free(p);
+        if (r != NULL) BN_free(r);
+        return ret;
+        }
+
 int test_lshift(BIO *bp,BN_CTX *ctx,BIGNUM *a_)
         {
         BIGNUM *a,*b,*c,*d;
@@ -1052,7 +1221,7 @@ int test_rshift1(BIO *bp)
                         }
                 BN_sub(c,a,b);
                 BN_sub(c,c,b);
-                if(!BN_is_zero(c) && !BN_is_one(c))
+                if(!BN_is_zero(c) && !BN_abs_is_word(c, 1))
                     {
                     fprintf(stderr,"Right shift one test failed!\n");
                     return 0;
diff --git a/src/lib/libcrypto/bn/expspeed.c b/src/lib/libcrypto/bn/expspeed.c
index 2044ab9bff..07a1bcf51c 100644
--- a/src/lib/libcrypto/bn/expspeed.c
+++ b/src/lib/libcrypto/bn/expspeed.c
@@ -61,6 +61,31 @@
 /* most of this code has been pilfered from my libdes speed.c program */
 
 #define BASENUM 5000
+#define NUM_START 0
+
+
+/* determine timings for modexp, modmul, modsqr, gcd, Kronecker symbol,
+ * modular inverse, or modular square roots */
+#define TEST_EXP
+#undef TEST_MUL
+#undef TEST_SQR
+#undef TEST_GCD
+#undef TEST_KRON
+#undef TEST_INV
+#undef TEST_SQRT
+#define P_MOD_64 9 /* least significant 6 bits for prime to be used for BN_sqrt timings */
+
+#if defined(TEST_EXP) + defined(TEST_MUL) + defined(TEST_SQR) + defined(TEST_GCD) + defined(TEST_KRON) + defined(TEST_INV) +defined(TEST_SQRT) != 1
+#  error "choose one test"
+#endif
+
+#if defined(TEST_INV) || defined(TEST_SQRT)
+#  define C_PRIME
+static void genprime_cb(int p, int n, void *arg);
+#endif
+
+
+
 #undef PROG
 #define PROG bnspeed_main
 
@@ -70,8 +95,9 @@
 #include <string.h>
 #include <openssl/crypto.h>
 #include <openssl/err.h>
+#include <openssl/rand.h>
 
-#if !defined(MSDOS) && (!defined(VMS) || defined(__DECC))
+#if !defined(OPENSSL_SYS_MSDOS) && (!defined(OPENSSL_SYS_VMS) || defined(__DECC)) && !defined(OPENSSL_SYS_MACOSX)
 #define TIMES
 #endif
 
@@ -87,7 +113,7 @@
    The __TMS macro will show if it was.  If it wasn't defined, we should
    undefine TIMES, since that tells the rest of the program how things
    should be handled.                           -- Richard Levitte */
-#if defined(VMS) && defined(__DECC) && !defined(__TMS)
+#if defined(OPENSSL_SYS_VMS_DECC) && !defined(__TMS)
 #undef TIMES
 #endif
 
@@ -161,11 +187,16 @@ static double Time_F(int s)
 #endif
         }
 
-#define NUM_SIZES       6
-static int sizes[NUM_SIZES]={256,512,1024,2048,4096,8192};
-static int mul_c[NUM_SIZES]={8*8*8*8*8,8*8*8*8,8*8*8,8*8,8,1};
+#define NUM_SIZES       7
+#if NUM_START > NUM_SIZES
+#   error "NUM_START > NUM_SIZES"
+#endif
+static int sizes[NUM_SIZES]={128,256,512,1024,2048,4096,8192};
+static int mul_c[NUM_SIZES]={8*8*8*8*8*8,8*8*8*8*8,8*8*8*8,8*8*8,8*8,8,1};
 /*static int sizes[NUM_SIZES]={59,179,299,419,539}; */
 
+#define RAND_SEED(string) { const char str[] = string; RAND_seed(string, sizeof str); }
+
 void do_mul_exp(BIGNUM *r,BIGNUM *a,BIGNUM *b,BIGNUM *c,BN_CTX *ctx); 
 
 int main(int argc, char **argv)
@@ -173,13 +204,23 @@ int main(int argc, char **argv)
         BN_CTX *ctx;
         BIGNUM *a,*b,*c,*r;
 
+#if 1
+        if (!CRYPTO_set_mem_debug_functions(0,0,0,0,0))
+                abort();
+#endif
+
         ctx=BN_CTX_new();
         a=BN_new();
         b=BN_new();
         c=BN_new();
         r=BN_new();
 
+        while (!RAND_status())
+                /* not enough bits */
+                RAND_SEED("I demand a manual recount!");
+
         do_mul_exp(r,a,b,c,ctx);
+        return 0;
         }
 
 void do_mul_exp(BIGNUM *r, BIGNUM *a, BIGNUM *b, BIGNUM *c, BN_CTX *ctx)
@@ -187,29 +228,126 @@ void do_mul_exp(BIGNUM *r, BIGNUM *a, BIGNUM *b, BIGNUM *c, BN_CTX *ctx)
         int i,k;
         double tm;
         long num;
-        BN_MONT_CTX m;
-
-        memset(&m,0,sizeof(m));
 
         num=BASENUM;
-        for (i=0; i<NUM_SIZES; i++)
+        for (i=NUM_START; i<NUM_SIZES; i++)
                 {
-                BN_rand(a,sizes[i],1,0);
-                BN_rand(b,sizes[i],1,0);
-                BN_rand(c,sizes[i],1,1);
-                BN_mod(a,a,c,ctx);
-                BN_mod(b,b,c,ctx);
-
-                BN_MONT_CTX_set(&m,c,ctx);
+#ifdef C_PRIME
+#  ifdef TEST_SQRT
+                if (!BN_set_word(a, 64)) goto err;
+                if (!BN_set_word(b, P_MOD_64)) goto err;
+#    define ADD a
+#    define REM b
+#  else
+#    define ADD NULL
+#    define REM NULL
+#  endif
+                if (!BN_generate_prime(c,sizes[i],0,ADD,REM,genprime_cb,NULL)) goto err;
+                putc('\n', stderr);
+                fflush(stderr);
+#endif
 
-                Time_F(START);
                 for (k=0; k<num; k++)
-                        BN_mod_exp_mont(r,a,b,c,ctx,&m);
+                        {
+                        if (k%50 == 0) /* Average over num/50 different choices of random numbers. */
+                                {
+                                if (!BN_pseudo_rand(a,sizes[i],1,0)) goto err;
+
+                                if (!BN_pseudo_rand(b,sizes[i],1,0)) goto err;
+
+#ifndef C_PRIME
+                                if (!BN_pseudo_rand(c,sizes[i],1,1)) goto err;
+#endif
+
+#ifdef TEST_SQRT                                
+                                if (!BN_mod_sqr(a,a,c,ctx)) goto err;
+                                if (!BN_mod_sqr(b,b,c,ctx)) goto err;
+#else
+                                if (!BN_nnmod(a,a,c,ctx)) goto err;
+                                if (!BN_nnmod(b,b,c,ctx)) goto err;
+#endif
+
+                                if (k == 0)
+                                        Time_F(START);
+                                }
+
+#if defined(TEST_EXP)
+                        if (!BN_mod_exp(r,a,b,c,ctx)) goto err;
+#elif defined(TEST_MUL)
+                        {
+                        int i = 0;
+                        for (i = 0; i < 50; i++)
+                                if (!BN_mod_mul(r,a,b,c,ctx)) goto err;
+                        }
+#elif defined(TEST_SQR)
+                        {
+                        int i = 0;
+                        for (i = 0; i < 50; i++)
+                                {
+                                if (!BN_mod_sqr(r,a,c,ctx)) goto err;
+                                if (!BN_mod_sqr(r,b,c,ctx)) goto err;
+                                }
+                        }
+#elif defined(TEST_GCD)
+                        if (!BN_gcd(r,a,b,ctx)) goto err;
+                        if (!BN_gcd(r,b,c,ctx)) goto err;
+                        if (!BN_gcd(r,c,a,ctx)) goto err;
+#elif defined(TEST_KRON)
+                        if (-2 == BN_kronecker(a,b,ctx)) goto err;
+                        if (-2 == BN_kronecker(b,c,ctx)) goto err;
+                        if (-2 == BN_kronecker(c,a,ctx)) goto err;
+#elif defined(TEST_INV)
+                        if (!BN_mod_inverse(r,a,c,ctx)) goto err;
+                        if (!BN_mod_inverse(r,b,c,ctx)) goto err;
+#else /* TEST_SQRT */
+                        if (!BN_mod_sqrt(r,a,c,ctx)) goto err;
+                        if (!BN_mod_sqrt(r,b,c,ctx)) goto err;
+#endif
+                        }
                 tm=Time_F(STOP);
-                printf("mul %4d ^ %4d %% %d -> %8.3fms %5.1f\n",sizes[i],sizes[i],sizes[i],tm*1000.0/num,tm*mul_c[i]/num);
+                printf(
+#if defined(TEST_EXP)
+                        "modexp %4d ^ %4d %% %4d"
+#elif defined(TEST_MUL)
+                        "50*modmul %4d %4d %4d"
+#elif defined(TEST_SQR)
+                        "100*modsqr %4d %4d %4d"
+#elif defined(TEST_GCD)
+                        "3*gcd %4d %4d %4d"
+#elif defined(TEST_KRON)
+                        "3*kronecker %4d %4d %4d"
+#elif defined(TEST_INV)
+                        "2*inv %4d %4d mod %4d"
+#else /* TEST_SQRT */
+                        "2*sqrt [prime == %d (mod 64)] %4d %4d mod %4d"
+#endif
+                        " -> %8.3fms %5.1f (%ld)\n",
+#ifdef TEST_SQRT
+                        P_MOD_64,
+#endif
+                        sizes[i],sizes[i],sizes[i],tm*1000.0/num,tm*mul_c[i]/num, num);
                 num/=7;
                 if (num <= 0) num=1;
                 }
+        return;
 
+ err:
+        ERR_print_errors_fp(stderr);
         }
 
+
+#ifdef C_PRIME
+static void genprime_cb(int p, int n, void *arg)
+        {
+        char c='*';
+
+        if (p == 0) c='.';
+        if (p == 1) c='+';
+        if (p == 2) c='*';
+        if (p == 3) c='\n';
+        putc(c, stderr);
+        fflush(stderr);
+        (void)n;
+        (void)arg;
+        }
+#endif
diff --git a/src/lib/libcrypto/bn/exptest.c b/src/lib/libcrypto/bn/exptest.c
index 3e86f2ea0e..5ca570d1a8 100644
--- a/src/lib/libcrypto/bn/exptest.c
+++ b/src/lib/libcrypto/bn/exptest.c
@@ -63,7 +63,7 @@
 #include <openssl/bn.h>
 #include <openssl/rand.h>
 #include <openssl/err.h>
-#ifdef WINDOWS
+#ifdef OPENSSL_SYS_WINDOWS
 #include "../bio/bss_file.c"
 #endif
 
diff --git a/src/lib/libcrypto/bn/vms-helper.c b/src/lib/libcrypto/bn/vms-helper.c
index 0fa79c4edb..4b63149bf3 100644
--- a/src/lib/libcrypto/bn/vms-helper.c
+++ b/src/lib/libcrypto/bn/vms-helper.c
@@ -60,7 +60,7 @@
 bn_div_words_abort(int i)
 {
 #ifdef BN_DEBUG
-#if !defined(NO_STDIO) && !defined(WIN16)
+#if !defined(OPENSSL_NO_STDIO) && !defined(OPENSSL_SYS_WIN16)
         fprintf(stderr,"Division would overflow (%d)\n",i);
 #endif
         abort();
diff --git a/src/lib/libcrypto/buffer/Makefile.ssl b/src/lib/libcrypto/buffer/Makefile.ssl
index a64681fd22..b8b6439503 100644
--- a/src/lib/libcrypto/buffer/Makefile.ssl
+++ b/src/lib/libcrypto/buffer/Makefile.ssl
@@ -5,13 +5,14 @@
 DIR=    buffer
 TOP=    ../..
 CC=     cc
-INCLUDES= -I.. -I../../include
+INCLUDES= -I.. -I$(TOP) -I../../include
 CFLAG=-g
 INSTALL_PREFIX=
 OPENSSLDIR=     /usr/local/ssl
 INSTALLTOP=/usr/local/ssl
 MAKE=           make -f Makefile.ssl
-MAKEDEPEND=     $(TOP)/util/domd $(TOP)
+MAKEDEPPROG=    makedepend
+MAKEDEPEND=     $(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)
 MAKEFILE=       Makefile.ssl
 AR=             ar r
 
@@ -39,8 +40,7 @@ all:	lib
 
 lib:    $(LIBOBJ)
         $(AR) $(LIB) $(LIBOBJ)
-        @echo You may get an error following this line.  Please ignore.
-        - $(RANLIB) $(LIB)
+        $(RANLIB) $(LIB) || echo Never mind.
         @touch lib
 
 files:
@@ -80,14 +80,15 @@ clean:
 # DO NOT DELETE THIS LINE -- make depend depends on it.
 
 buf_err.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
-buf_err.o: ../../include/openssl/crypto.h ../../include/openssl/err.h
-buf_err.o: ../../include/openssl/lhash.h ../../include/openssl/opensslv.h
+buf_err.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+buf_err.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+buf_err.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
 buf_err.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-buf_err.o: ../../include/openssl/symhacks.h
-buffer.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
-buffer.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+buf_err.o: ../../include/openssl/symhacks.h buf_err.c
+buffer.o: ../../e_os.h ../../include/openssl/bio.h
+buffer.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 buffer.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 buffer.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
 buffer.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
 buffer.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-buffer.o: ../cryptlib.h
+buffer.o: ../cryptlib.h buffer.c
diff --git a/src/lib/libcrypto/buffer/buf_err.c b/src/lib/libcrypto/buffer/buf_err.c
index 2f971a5f38..5eee653e14 100644
--- a/src/lib/libcrypto/buffer/buf_err.c
+++ b/src/lib/libcrypto/buffer/buf_err.c
@@ -63,7 +63,7 @@
 #include <openssl/buffer.h>
 
 /* BEGIN ERROR CODES */
-#ifndef NO_ERR
+#ifndef OPENSSL_NO_ERR
 static ERR_STRING_DATA BUF_str_functs[]=
         {
 {ERR_PACK(0,BUF_F_BUF_MEM_GROW,0),      "BUF_MEM_grow"},
@@ -86,7 +86,7 @@ void ERR_load_BUF_strings(void)
         if (init)
                 {
                 init=0;
-#ifndef NO_ERR
+#ifndef OPENSSL_NO_ERR
                 ERR_load_strings(ERR_LIB_BUF,BUF_str_functs);
                 ERR_load_strings(ERR_LIB_BUF,BUF_str_reasons);
 #endif
diff --git a/src/lib/libcrypto/buffer/buffer.c b/src/lib/libcrypto/buffer/buffer.c
index b76ff3ad7a..9299baba9e 100644
--- a/src/lib/libcrypto/buffer/buffer.c
+++ b/src/lib/libcrypto/buffer/buffer.c
@@ -118,8 +118,9 @@ int BUF_MEM_grow(BUF_MEM *str, int len)
         else
                 {
                 str->data=ret;
-                str->length=len;
                 str->max=n;
+                memset(&str->data[str->length],0,len-str->length);
+                str->length=len;
                 }
         return(len);
         }
diff --git a/src/lib/libcrypto/buffer/buffer.h b/src/lib/libcrypto/buffer/buffer.h
index bff26bf391..11e2d0359a 100644
--- a/src/lib/libcrypto/buffer/buffer.h
+++ b/src/lib/libcrypto/buffer/buffer.h
@@ -75,12 +75,11 @@ void	BUF_MEM_free(BUF_MEM *a);
 int     BUF_MEM_grow(BUF_MEM *str, int len);
 char *  BUF_strdup(const char *str);
 
-void ERR_load_BUF_strings(void );
-
 /* BEGIN ERROR CODES */
 /* The following lines are auto generated by the script mkerr.pl. Any changes
  * made after this point may be overwritten when the script is next run.
  */
+void ERR_load_BUF_strings(void);
 
 /* Error codes for the BUF functions. */
 
@@ -95,4 +94,3 @@ void ERR_load_BUF_strings(void );
 }
 #endif
 #endif
-
diff --git a/src/lib/libcrypto/cast/Makefile.ssl b/src/lib/libcrypto/cast/Makefile.ssl
index 1f8b898f7c..a2bf56276b 100644
--- a/src/lib/libcrypto/cast/Makefile.ssl
+++ b/src/lib/libcrypto/cast/Makefile.ssl
@@ -12,7 +12,8 @@ INSTALL_PREFIX=
 OPENSSLDIR=     /usr/local/ssl
 INSTALLTOP=/usr/local/ssl
 MAKE=           make -f Makefile.ssl
-MAKEDEPEND=     $(TOP)/util/domd $(TOP)
+MAKEDEPPROG=    makedepend
+MAKEDEPEND=     $(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)
 MAKEFILE=       Makefile.ssl
 AR=             ar r
 
@@ -47,8 +48,7 @@ all:	lib
 
 lib:    $(LIBOBJ)
         $(AR) $(LIB) $(LIBOBJ)
-        @echo You may get an error following this line.  Please ignore.
-        - $(RANLIB) $(LIB)
+        $(RANLIB) $(LIB) || echo Never mind.
         @touch lib
 
 # elf
@@ -108,18 +108,18 @@ clean:
 
 # DO NOT DELETE THIS LINE -- make depend depends on it.
 
-c_cfb64.o: ../../include/openssl/cast.h ../../include/openssl/e_os.h
+c_cfb64.o: ../../e_os.h ../../include/openssl/cast.h
 c_cfb64.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h
-c_cfb64.o: cast_lcl.h
-c_ecb.o: ../../include/openssl/cast.h ../../include/openssl/e_os.h
+c_cfb64.o: c_cfb64.c cast_lcl.h
+c_ecb.o: ../../e_os.h ../../include/openssl/cast.h
 c_ecb.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h
-c_ecb.o: ../../include/openssl/opensslv.h cast_lcl.h
-c_enc.o: ../../include/openssl/cast.h ../../include/openssl/e_os.h
+c_ecb.o: ../../include/openssl/opensslv.h c_ecb.c cast_lcl.h
+c_enc.o: ../../e_os.h ../../include/openssl/cast.h
 c_enc.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h
-c_enc.o: cast_lcl.h
-c_ofb64.o: ../../include/openssl/cast.h ../../include/openssl/e_os.h
+c_enc.o: c_enc.c cast_lcl.h
+c_ofb64.o: ../../e_os.h ../../include/openssl/cast.h
 c_ofb64.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h
-c_ofb64.o: cast_lcl.h
-c_skey.o: ../../include/openssl/cast.h ../../include/openssl/e_os.h
+c_ofb64.o: c_ofb64.c cast_lcl.h
+c_skey.o: ../../e_os.h ../../include/openssl/cast.h
 c_skey.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h
-c_skey.o: cast_lcl.h cast_s.h
+c_skey.o: c_skey.c cast_lcl.h cast_s.h
diff --git a/src/lib/libcrypto/cast/cast.h b/src/lib/libcrypto/cast/cast.h
index e24e133099..b28e4e4f3b 100644
--- a/src/lib/libcrypto/cast/cast.h
+++ b/src/lib/libcrypto/cast/cast.h
@@ -63,7 +63,7 @@
 extern "C" {
 #endif
 
-#ifdef NO_CAST
+#ifdef OPENSSL_NO_CAST
 #error CAST is disabled.
 #endif
 
diff --git a/src/lib/libcrypto/cast/cast_lcl.h b/src/lib/libcrypto/cast/cast_lcl.h
index 5fab8a43f6..37f41cc6a4 100644
--- a/src/lib/libcrypto/cast/cast_lcl.h
+++ b/src/lib/libcrypto/cast/cast_lcl.h
@@ -56,12 +56,18 @@
  * [including the GNU Public Licence.]
  */
 
-#ifdef WIN32
+
+#include "e_os.h"
+
+#ifdef OPENSSL_SYS_WIN32
 #include <stdlib.h>
 #endif
 
 
-#include "openssl/e_os.h" /* OPENSSL_EXTERN */
+#ifdef OPENSSL_BUILD_SHLIBCRYPTO
+# undef OPENSSL_EXTERN
+# define OPENSSL_EXTERN OPENSSL_EXPORT
+#endif
 
 #undef c2l
 #define c2l(c,l)        (l =((unsigned long)(*((c)++)))    , \
@@ -151,7 +157,7 @@
                          *((c)++)=(unsigned char)(((l)>> 8L)&0xff), \
                          *((c)++)=(unsigned char)(((l)     )&0xff))
 
-#if defined(WIN32) && defined(_MSC_VER)
+#if defined(OPENSSL_SYS_WIN32) && defined(_MSC_VER)
 #define ROTL(a,n)     (_lrotl(a,n))
 #else
 #define ROTL(a,n)     ((((a)<<(n))&0xffffffffL)|((a)>>(32-(n))))
diff --git a/src/lib/libcrypto/cast/cast_spd.c b/src/lib/libcrypto/cast/cast_spd.c
index 0af915cf20..76abf50d98 100644
--- a/src/lib/libcrypto/cast/cast_spd.c
+++ b/src/lib/libcrypto/cast/cast_spd.c
@@ -59,7 +59,7 @@
 /* 11-Sep-92 Andrew Daviel   Support for Silicon Graphics IRIX added */
 /* 06-Apr-92 Luke Brennan    Support for VMS and add extra signal calls */
 
-#if !defined(MSDOS) && (!defined(VMS) || defined(__DECC))
+#if !defined(OPENSSL_SYS_MSDOS) && (!defined(OPENSSL_SYS_VMS) || defined(__DECC)) && !defined(OPENSSL_SYS_MACOSX)
 #define TIMES
 #endif
 
@@ -82,7 +82,7 @@ OPENSSL_DECLARE_EXIT
    The __TMS macro will show if it was.  If it wasn't defined, we should
    undefine TIMES, since that tells the rest of the program how things
    should be handled.                           -- Richard Levitte */
-#if defined(VMS) && defined(__DECC) && !defined(__TMS)
+#if defined(OPENSSL_SYS_VMS_DECC) && !defined(__TMS)
 #undef TIMES
 #endif
 
@@ -268,7 +268,7 @@ int main(int argc, char **argv)
         printf("CAST raw ecb bytes per sec = %12.2f (%9.3fuS)\n",b,8.0e6/b);
         printf("CAST cbc     bytes per sec = %12.2f (%9.3fuS)\n",c,8.0e6/c);
         exit(0);
-#if defined(LINT) || defined(MSDOS)
+#if defined(LINT) || defined(OPENSSL_SYS_MSDOS)
         return(0);
 #endif
         }
diff --git a/src/lib/libcrypto/cast/castopts.c b/src/lib/libcrypto/cast/castopts.c
index c783796610..1b858d153b 100644
--- a/src/lib/libcrypto/cast/castopts.c
+++ b/src/lib/libcrypto/cast/castopts.c
@@ -59,7 +59,7 @@
 /* define PART1, PART2, PART3 or PART4 to build only with a few of the options.
  * This is for machines with 64k code segment size restrictions. */
 
-#if !defined(MSDOS) && (!defined(VMS) || defined(__DECC))
+#if !defined(OPENSSL_SYS_MSDOS) && (!defined(OPENSSL_SYS_VMS) || defined(__DECC))
 #define TIMES
 #endif
 
@@ -82,7 +82,7 @@ OPENSSL_DECLARE_EXIT
    The __TMS macro will show if it was.  If it wasn't defined, we should
    undefine TIMES, since that tells the rest of the program how things
    should be handled.                           -- Richard Levitte */
-#if defined(VMS) && defined(__DECC) && !defined(__TMS)
+#if defined(OPENSSL_SYS_VMS_DECC) && !defined(__TMS)
 #undef TIMES
 #endif
 
@@ -332,7 +332,7 @@ int main(int argc, char **argv)
                 break;
                 }
         exit(0);
-#if defined(LINT) || defined(MSDOS)
+#if defined(LINT) || defined(OPENSSL_SYS_MSDOS)
         return(0);
 #endif
         }
diff --git a/src/lib/libcrypto/cast/casttest.c b/src/lib/libcrypto/cast/casttest.c
index ab2aeac606..099e790886 100644
--- a/src/lib/libcrypto/cast/casttest.c
+++ b/src/lib/libcrypto/cast/casttest.c
@@ -60,7 +60,7 @@
 #include <string.h>
 #include <stdlib.h>
 
-#ifdef NO_CAST
+#ifdef OPENSSL_NO_CAST
 int main(int argc, char *argv[])
 {
     printf("No CAST support\n");
diff --git a/src/lib/libcrypto/comp/Makefile.ssl b/src/lib/libcrypto/comp/Makefile.ssl
index b696ac75fe..5dadb65cd4 100644
--- a/src/lib/libcrypto/comp/Makefile.ssl
+++ b/src/lib/libcrypto/comp/Makefile.ssl
@@ -5,13 +5,14 @@
 DIR=    comp
 TOP=    ../..
 CC=     cc
-INCLUDES= -I.. -I../../include
+INCLUDES= -I.. -I$(TOP) -I../../include
 CFLAG=-g
 INSTALL_PREFIX=
 OPENSSLDIR=     /usr/local/ssl
 INSTALLTOP=/usr/local/ssl
 MAKE=           make -f Makefile.ssl
-MAKEDEPEND=     $(TOP)/util/domd $(TOP)
+MAKEDEPPROG=    makedepend
+MAKEDEPEND=     $(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)
 MAKEFILE=       Makefile.ssl
 AR=             ar r
 
@@ -22,10 +23,10 @@ TEST=
 APPS=
 
 LIB=$(TOP)/libcrypto.a
-LIBSRC= comp_lib.c \
+LIBSRC= comp_lib.c comp_err.c \
         c_rle.c c_zlib.c
 
-LIBOBJ= comp_lib.o \
+LIBOBJ= comp_lib.o comp_err.o \
         c_rle.o c_zlib.o
 
 SRC= $(LIBSRC)
@@ -42,8 +43,7 @@ all:	lib
 
 lib:    $(LIBOBJ)
         $(AR) $(LIB) $(LIBOBJ)
-        @echo You may get an error following this line.  Please ignore.
-        - $(RANLIB) $(LIB)
+        $(RANLIB) $(LIB) || echo Never mind.
         @touch lib
 
 files:
@@ -84,19 +84,31 @@ clean:
 
 c_rle.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
 c_rle.o: ../../include/openssl/bn.h ../../include/openssl/comp.h
-c_rle.o: ../../include/openssl/crypto.h ../../include/openssl/obj_mac.h
-c_rle.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-c_rle.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-c_rle.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+c_rle.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+c_rle.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+c_rle.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+c_rle.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
+c_rle.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h c_rle.c
 c_zlib.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
 c_zlib.o: ../../include/openssl/bn.h ../../include/openssl/comp.h
-c_zlib.o: ../../include/openssl/crypto.h ../../include/openssl/obj_mac.h
-c_zlib.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-c_zlib.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+c_zlib.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+c_zlib.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+c_zlib.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+c_zlib.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
 c_zlib.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+c_zlib.o: c_zlib.c
+comp_err.o: ../../include/openssl/bio.h ../../include/openssl/comp.h
+comp_err.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+comp_err.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+comp_err.o: ../../include/openssl/opensslconf.h
+comp_err.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+comp_err.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+comp_err.o: comp_err.c
 comp_lib.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
 comp_lib.o: ../../include/openssl/bn.h ../../include/openssl/comp.h
-comp_lib.o: ../../include/openssl/crypto.h ../../include/openssl/obj_mac.h
-comp_lib.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-comp_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-comp_lib.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+comp_lib.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+comp_lib.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+comp_lib.o: ../../include/openssl/opensslconf.h
+comp_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+comp_lib.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+comp_lib.o: ../../include/openssl/symhacks.h comp_lib.c
diff --git a/src/lib/libcrypto/comp/c_rle.c b/src/lib/libcrypto/comp/c_rle.c
index 1a819e3737..efd366fa22 100644
--- a/src/lib/libcrypto/comp/c_rle.c
+++ b/src/lib/libcrypto/comp/c_rle.c
@@ -17,6 +17,7 @@ static COMP_METHOD rle_method={
         rle_compress_block,
         rle_expand_block,
         NULL,
+        NULL,
         };
 
 COMP_METHOD *COMP_rle(void)
diff --git a/src/lib/libcrypto/comp/c_zlib.c b/src/lib/libcrypto/comp/c_zlib.c
index 6684ab4841..cd2f8a491b 100644
--- a/src/lib/libcrypto/comp/c_zlib.c
+++ b/src/lib/libcrypto/comp/c_zlib.c
@@ -6,11 +6,10 @@
 
 COMP_METHOD *COMP_zlib(void );
 
-#ifndef ZLIB
-
-static COMP_METHOD zlib_method={
+static COMP_METHOD zlib_method_nozlib={
         NID_undef,
-        "(null)",
+        "(undef)",
+        NULL,
         NULL,
         NULL,
         NULL,
@@ -18,6 +17,8 @@ static COMP_METHOD zlib_method={
         NULL,
         };
 
+#ifndef ZLIB
+#undef ZLIB_SHARED
 #else
 
 #include <zlib.h>
@@ -38,8 +39,56 @@ static COMP_METHOD zlib_method={
         zlib_compress_block,
         zlib_expand_block,
         NULL,
+        NULL,
         };
 
+/* 
+ * When OpenSSL is built on Windows, we do not want to require that
+ * the ZLIB.DLL be available in order for the OpenSSL DLLs to
+ * work.  Therefore, all ZLIB routines are loaded at run time
+ * and we do not link to a .LIB file.
+ */
+#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_WIN32)
+# include <windows.h>
+
+# define Z_CALLCONV _stdcall
+# define ZLIB_SHARED
+#else
+# define Z_CALLCONV
+#endif /* !(OPENSSL_SYS_WINDOWS || OPENSSL_SYS_WIN32) */
+
+#ifdef ZLIB_SHARED
+#include <openssl/dso.h>
+
+/* Prototypes for built in stubs */
+static int stub_compress(Bytef *dest,uLongf *destLen,
+        const Bytef *source, uLong sourceLen);
+static int stub_inflateEnd(z_streamp strm);
+static int stub_inflate(z_streamp strm, int flush);
+static int stub_inflateInit_(z_streamp strm, const char * version,
+        int stream_size);
+
+/* Function pointers */
+typedef int (Z_CALLCONV *compress_ft)(Bytef *dest,uLongf *destLen,
+        const Bytef *source, uLong sourceLen);
+typedef int (Z_CALLCONV *inflateEnd_ft)(z_streamp strm);
+typedef int (Z_CALLCONV *inflate_ft)(z_streamp strm, int flush);
+typedef int (Z_CALLCONV *inflateInit__ft)(z_streamp strm,
+        const char * version, int stream_size);
+static compress_ft      p_compress=NULL;
+static inflateEnd_ft    p_inflateEnd=NULL;
+static inflate_ft       p_inflate=NULL;
+static inflateInit__ft  p_inflateInit_=NULL;
+
+static int zlib_loaded = 0;     /* only attempt to init func pts once */
+static DSO *zlib_dso = NULL;
+
+#define compress                stub_compress
+#define inflateEnd              stub_inflateEnd
+#define inflate                 stub_inflate
+#define inflateInit_            stub_inflateInit_
+#endif /* ZLIB_SHARED */
+
 static int zlib_compress_block(COMP_CTX *ctx, unsigned char *out,
              unsigned int olen, unsigned char *in, unsigned int ilen)
         {
@@ -66,7 +115,10 @@ static int zlib_compress_block(COMP_CTX *ctx, unsigned char *out,
                 memcpy(&(out[1]),in,ilen);
                 l=ilen+1;
                 }
-fprintf(stderr,"compress(%4d)->%4d %s\n",ilen,(int)l,(clear)?"clear":"zlib");
+#ifdef DEBUG_ZLIB
+        fprintf(stderr,"compress(%4d)->%4d %s\n",
+                ilen,(int)l,(clear)?"clear":"zlib");
+#endif
         return((int)l);
         }
 
@@ -88,7 +140,10 @@ static int zlib_expand_block(COMP_CTX *ctx, unsigned char *out,
                 memcpy(out,&(in[1]),ilen-1);
                 l=ilen-1;
                 }
-        fprintf(stderr,"expand  (%4d)->%4d %s\n",ilen,(int)l,in[0]?"zlib":"clear");
+#ifdef DEBUG_ZLIB
+        fprintf(stderr,"expand  (%4d)->%4d %s\n",
+                ilen,(int)l,in[0]?"zlib":"clear");
+#endif
         return((int)l);
         }
 
@@ -128,6 +183,78 @@ static int zz_uncompress (Bytef *dest, uLongf *destLen, const Bytef *source,
 
 COMP_METHOD *COMP_zlib(void)
         {
-        return(&zlib_method);
+        COMP_METHOD *meth = &zlib_method_nozlib;
+
+#ifdef ZLIB_SHARED
+        if (!zlib_loaded)
+                {
+#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_WIN32)
+                zlib_dso = DSO_load(NULL, "ZLIB", NULL, 0);
+#else
+                zlib_dso = DSO_load(NULL, "z", NULL, 0);
+#endif
+                if (zlib_dso != NULL)
+                        {
+                        p_compress
+                                = (compress_ft) DSO_bind_func(zlib_dso,
+                                        "compress");
+                        p_inflateEnd
+                                = (inflateEnd_ft) DSO_bind_func(zlib_dso,
+                                        "inflateEnd");
+                        p_inflate
+                                = (inflate_ft) DSO_bind_func(zlib_dso,
+                                        "inflate");
+                        p_inflateInit_
+                                = (inflateInit__ft) DSO_bind_func(zlib_dso,
+                                        "inflateInit_");
+                        zlib_loaded++;
+                        meth = &zlib_method;
+                        }
+                }
+
+#elif defined(ZLIB)
+        meth = &zlib_method;
+#endif
+
+        return(meth);
+        }
+
+#ifdef ZLIB_SHARED
+/* Stubs for each function to be dynamicly loaded */
+static int 
+stub_compress(Bytef *dest,uLongf *destLen,const Bytef *source, uLong sourceLen)
+        {
+        if (p_compress)
+                return(p_compress(dest,destLen,source,sourceLen));
+        else
+                return(Z_MEM_ERROR);
+        }
+
+static int
+stub_inflateEnd(z_streamp strm)
+        {
+        if ( p_inflateEnd )
+                return(p_inflateEnd(strm));
+        else
+                return(Z_MEM_ERROR);
+        }
+
+static int
+stub_inflate(z_streamp strm, int flush)
+        {
+        if ( p_inflate )
+                return(p_inflate(strm,flush));
+        else
+                return(Z_MEM_ERROR);
+        }
+
+static int
+stub_inflateInit_(z_streamp strm, const char * version, int stream_size)
+        {
+        if ( p_inflateInit_ )
+                return(p_inflateInit_(strm,version,stream_size));
+        else
+                return(Z_MEM_ERROR);
         }
 
+#endif /* ZLIB_SHARED */
diff --git a/src/lib/libcrypto/comp/comp.h b/src/lib/libcrypto/comp/comp.h
index 0922609542..ab48b78ae9 100644
--- a/src/lib/libcrypto/comp/comp.h
+++ b/src/lib/libcrypto/comp/comp.h
@@ -39,14 +39,13 @@ int COMP_compress_block(COMP_CTX *ctx, unsigned char *out, int olen,
 int COMP_expand_block(COMP_CTX *ctx, unsigned char *out, int olen,
         unsigned char *in, int ilen);
 COMP_METHOD *COMP_rle(void );
-#ifdef ZLIB
 COMP_METHOD *COMP_zlib(void );
-#endif
 
 /* BEGIN ERROR CODES */
 /* The following lines are auto generated by the script mkerr.pl. Any changes
  * made after this point may be overwritten when the script is next run.
  */
+void ERR_load_COMP_strings(void);
 
 /* Error codes for the COMP functions. */
 
@@ -58,4 +57,3 @@ COMP_METHOD *COMP_zlib(void );
 }
 #endif
 #endif
-
diff --git a/src/lib/libcrypto/comp/comp_err.c b/src/lib/libcrypto/comp/comp_err.c
index c10282a73c..1652b8c2c4 100644
--- a/src/lib/libcrypto/comp/comp_err.c
+++ b/src/lib/libcrypto/comp/comp_err.c
@@ -63,7 +63,7 @@
 #include <openssl/comp.h>
 
 /* BEGIN ERROR CODES */
-#ifndef NO_ERR
+#ifndef OPENSSL_NO_ERR
 static ERR_STRING_DATA COMP_str_functs[]=
         {
 {0,NULL}
@@ -83,7 +83,7 @@ void ERR_load_COMP_strings(void)
         if (init)
                 {
                 init=0;
-#ifndef NO_ERR
+#ifndef OPENSSL_NO_ERR
                 ERR_load_strings(ERR_LIB_COMP,COMP_str_functs);
                 ERR_load_strings(ERR_LIB_COMP,COMP_str_reasons);
 #endif
diff --git a/src/lib/libcrypto/conf/Makefile.ssl b/src/lib/libcrypto/conf/Makefile.ssl
index 9df4fca877..795eec1a01 100644
--- a/src/lib/libcrypto/conf/Makefile.ssl
+++ b/src/lib/libcrypto/conf/Makefile.ssl
@@ -5,13 +5,14 @@
 DIR=    conf
 TOP=    ../..
 CC=     cc
-INCLUDES= -I.. -I../../include
+INCLUDES= -I.. -I$(TOP) -I../../include
 CFLAG=-g
 INSTALL_PREFIX=
 OPENSSLDIR=     /usr/local/ssl
 INSTALLTOP=/usr/local/ssl
 MAKE=           make -f Makefile.ssl
-MAKEDEPEND=     $(TOP)/util/domd $(TOP)
+MAKEDEPPROG=    makedepend
+MAKEDEPEND=     $(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)
 MAKEFILE=       Makefile.ssl
 AR=             ar r
 
@@ -22,9 +23,11 @@ TEST=
 APPS=
 
 LIB=$(TOP)/libcrypto.a
-LIBSRC= conf_err.c conf_lib.c conf_api.c conf_def.c
+LIBSRC= conf_err.c conf_lib.c conf_api.c conf_def.c conf_mod.c \
+         conf_mall.c conf_sap.c
 
-LIBOBJ= conf_err.o conf_lib.o conf_api.o conf_def.o
+LIBOBJ= conf_err.o conf_lib.o conf_api.o conf_def.o conf_mod.o \
+        conf_mall.o conf_sap.o
 
 SRC= $(LIBSRC)
 
@@ -40,8 +43,7 @@ all:	lib
 
 lib:    $(LIBOBJ)
         $(AR) $(LIB) $(LIBOBJ)
-        @echo You may get an error following this line.  Please ignore.
-        - $(RANLIB) $(LIB)
+        $(RANLIB) $(LIB) || echo Never mind.
         @touch lib
 
 files:
@@ -80,30 +82,80 @@ clean:
 
 # DO NOT DELETE THIS LINE -- make depend depends on it.
 
-conf_api.o: ../../include/openssl/bio.h ../../include/openssl/conf.h
-conf_api.o: ../../include/openssl/conf_api.h ../../include/openssl/crypto.h
-conf_api.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+conf_api.o: ../../e_os.h ../../include/openssl/bio.h
+conf_api.o: ../../include/openssl/conf.h ../../include/openssl/conf_api.h
+conf_api.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
 conf_api.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
 conf_api.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
 conf_api.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+conf_api.o: conf_api.c
 conf_def.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
 conf_def.o: ../../include/openssl/conf.h ../../include/openssl/conf_api.h
-conf_def.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
-conf_def.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-conf_def.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
+conf_def.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+conf_def.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+conf_def.o: ../../include/openssl/opensslconf.h
 conf_def.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
 conf_def.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-conf_def.o: conf_def.h
+conf_def.o: conf_def.c conf_def.h
 conf_err.o: ../../include/openssl/bio.h ../../include/openssl/conf.h
-conf_err.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
-conf_err.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-conf_err.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
+conf_err.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+conf_err.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+conf_err.o: ../../include/openssl/opensslconf.h
 conf_err.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
 conf_err.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+conf_err.o: conf_err.c
 conf_lib.o: ../../include/openssl/bio.h ../../include/openssl/conf.h
 conf_lib.o: ../../include/openssl/conf_api.h ../../include/openssl/crypto.h
-conf_lib.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-conf_lib.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
-conf_lib.o: ../../include/openssl/opensslconf.h
+conf_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+conf_lib.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
 conf_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
 conf_lib.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+conf_lib.o: conf_lib.c
+conf_mall.o: ../../e_os.h ../../include/openssl/asn1.h
+conf_mall.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+conf_mall.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
+conf_mall.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
+conf_mall.o: ../../include/openssl/dsa.h ../../include/openssl/dso.h
+conf_mall.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
+conf_mall.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+conf_mall.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+conf_mall.o: ../../include/openssl/objects.h
+conf_mall.o: ../../include/openssl/opensslconf.h
+conf_mall.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+conf_mall.o: ../../include/openssl/pkcs7.h ../../include/openssl/rand.h
+conf_mall.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+conf_mall.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+conf_mall.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
+conf_mall.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+conf_mall.o: ../cryptlib.h conf_mall.c
+conf_mod.o: ../../e_os.h ../../include/openssl/asn1.h
+conf_mod.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+conf_mod.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
+conf_mod.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
+conf_mod.o: ../../include/openssl/dsa.h ../../include/openssl/dso.h
+conf_mod.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+conf_mod.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+conf_mod.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+conf_mod.o: ../../include/openssl/opensslconf.h
+conf_mod.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+conf_mod.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
+conf_mod.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+conf_mod.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+conf_mod.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+conf_mod.o: ../cryptlib.h conf_mod.c
+conf_sap.o: ../../e_os.h ../../include/openssl/asn1.h
+conf_sap.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+conf_sap.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
+conf_sap.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
+conf_sap.o: ../../include/openssl/dsa.h ../../include/openssl/dso.h
+conf_sap.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
+conf_sap.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+conf_sap.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+conf_sap.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+conf_sap.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+conf_sap.o: ../../include/openssl/pkcs7.h ../../include/openssl/rand.h
+conf_sap.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+conf_sap.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+conf_sap.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
+conf_sap.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+conf_sap.o: ../cryptlib.h conf_sap.c
diff --git a/src/lib/libcrypto/conf/README b/src/lib/libcrypto/conf/README
new file mode 100644
index 0000000000..ca58d0240f
--- /dev/null
+++ b/src/lib/libcrypto/conf/README
@@ -0,0 +1,78 @@
+WARNING WARNING WARNING!!!
+
+This stuff is experimental, may change radically or be deleted altogether
+before OpenSSL 0.9.7 release. You have been warned!
+
+Configuration modules. These are a set of modules which can perform
+various configuration functions.
+
+Currently the routines should be called at most once when an application
+starts up: that is before it starts any threads.
+
+The routines read a configuration file set up like this:
+
+-----
+#default section
+openssl_init=init_section
+
+[init_section]
+
+module1=value1
+#Second instance of module1
+module1.1=valueX
+module2=value2
+module3=dso_literal
+module4=dso_section
+
+[dso_section]
+
+path=/some/path/to/some/dso.so
+other_stuff=other_value
+----
+
+When this file is loaded a configuration module with the specified
+string (module* in the above example) is looked up and its init
+function called as:
+
+int conf_init_func(CONF_IMODULE *md, CONF *cnf);
+
+The function can then take whatever action is appropriate, for example
+further lookups based on the value. Multiple instances of the same 
+config module can be loaded.
+
+When the application closes down the modules are cleaned up by calling
+an optional finish function:
+
+void conf_finish_func(CONF_IMODULE *md);
+
+The finish functions are called in reverse order: that is the last module
+loaded is the first one cleaned up.
+
+If no module exists with a given name then an attempt is made to load
+a DSO with the supplied name. This might mean that "module3" attempts
+to load a DSO called libmodule3.so or module3.dll for example. An explicit
+DSO name can be given by including a separate section as in the module4 example
+above.
+
+The DSO is expected to at least contain an initialization function:
+
+int OPENSSL_init(CONF_IMODULE *md, CONF *cnf);
+
+and may also include a finish function:
+
+void OPENSSL_finish(CONF_IMODULE *md);
+
+Static modules can also be added using,
+
+int CONF_module_add(char *name, dso_mod_init_func *ifunc, dso_mod_finish_func *ffunc);
+
+where "name" is the name in the configuration file this function corresponds to.
+
+A set of builtin modules (currently only an ASN1 non functional test module) can be 
+added by calling OPENSSL_load_builtin_modules(). 
+
+The function OPENSSL_config() is intended as a simple configuration function that
+any application can call to perform various default configuration tasks. It uses the
+file openssl.cnf in the usual locations.
+
+
diff --git a/src/lib/libcrypto/conf/cnf_save.c b/src/lib/libcrypto/conf/cnf_save.c
index e907cc2242..1439487526 100644
--- a/src/lib/libcrypto/conf/cnf_save.c
+++ b/src/lib/libcrypto/conf/cnf_save.c
@@ -59,7 +59,8 @@
 #include <stdio.h>
 #include <openssl/conf.h>
 
-void print_conf(CONF_VALUE *cv);
+static void print_conf(CONF_VALUE *cv);
+static IMPLEMENT_LHASH_DOALL_FN(print_conf, CONF_VALUE *);
 
 main()
         {
@@ -73,11 +74,11 @@ main()
                 exit(1);
                 }
 
-        lh_doall(conf,print_conf);
+        lh_doall(conf,LHASH_DOALL_FN(print_conf));
         }
 
 
-void print_conf(CONF_VALUE *cv)
+static void print_conf(CONF_VALUE *cv)
         {
         int i;
         CONF_VALUE *v;
diff --git a/src/lib/libcrypto/conf/conf.c b/src/lib/libcrypto/conf/conf.c
new file mode 100644
index 0000000000..3031fa3b44
--- /dev/null
+++ b/src/lib/libcrypto/conf/conf.c
@@ -0,0 +1,730 @@
+/* crypto/conf/conf.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <errno.h>
+#include "cryptlib.h"
+#include <openssl/stack.h>
+#include <openssl/lhash.h>
+#include <openssl/conf.h>
+#include <openssl/buffer.h>
+#include <openssl/err.h>
+
+#include "conf_lcl.h"
+
+static void value_free_hash(CONF_VALUE *a, LHASH *conf);
+static void value_free_stack(CONF_VALUE *a,LHASH *conf);
+static unsigned long hash(CONF_VALUE *v);
+static int cmp_conf(CONF_VALUE *a,CONF_VALUE *b);
+static char *eat_ws(char *p);
+static char *eat_alpha_numeric(char *p);
+static void clear_comments(char *p);
+static int str_copy(LHASH *conf,char *section,char **to, char *from);
+static char *scan_quote(char *p);
+static CONF_VALUE *new_section(LHASH *conf,char *section);
+static CONF_VALUE *get_section(LHASH *conf,char *section);
+#define scan_esc(p)     ((((p)[1] == '\0')?(p++):(p+=2)),p)
+
+const char *CONF_version="CONF" OPENSSL_VERSION_PTEXT;
+
+
+LHASH *CONF_load(LHASH *h, const char *file, long *line)
+        {
+        LHASH *ltmp;
+        BIO *in=NULL;
+
+#ifdef VMS
+        in=BIO_new_file(file, "r");
+#else
+        in=BIO_new_file(file, "rb");
+#endif
+        if (in == NULL)
+                {
+                CONFerr(CONF_F_CONF_LOAD,ERR_R_SYS_LIB);
+                return NULL;
+                }
+
+        ltmp = CONF_load_bio(h, in, line);
+        BIO_free(in);
+
+        return ltmp;
+}
+#ifndef NO_FP_API
+LHASH *CONF_load_fp(LHASH *h, FILE *in, long *line)
+{
+        BIO *btmp;
+        LHASH *ltmp;
+        if(!(btmp = BIO_new_fp(in, BIO_NOCLOSE))) {
+                CONFerr(CONF_F_CONF_LOAD_FP,ERR_R_BUF_LIB);
+                return NULL;
+        }
+        ltmp = CONF_load_bio(h, btmp, line);
+        BIO_free(btmp);
+        return ltmp;
+}
+#endif
+
+LHASH *CONF_load_bio(LHASH *h, BIO *in, long *line)
+        {
+        LHASH *ret=NULL;
+#define BUFSIZE 512
+        char btmp[16];
+        int bufnum=0,i,ii;
+        BUF_MEM *buff=NULL;
+        char *s,*p,*end;
+        int again,n;
+        long eline=0;
+        CONF_VALUE *v=NULL,*vv,*tv;
+        CONF_VALUE *sv=NULL;
+        char *section=NULL,*buf;
+        STACK_OF(CONF_VALUE) *section_sk=NULL,*ts;
+        char *start,*psection,*pname;
+
+        if ((buff=BUF_MEM_new()) == NULL)
+                {
+                CONFerr(CONF_F_CONF_LOAD_BIO,ERR_R_BUF_LIB);
+                goto err;
+                }
+
+        section=(char *)Malloc(10);
+        if (section == NULL)
+                {
+                CONFerr(CONF_F_CONF_LOAD_BIO,ERR_R_MALLOC_FAILURE);
+                goto err;
+                }
+        strcpy(section,"default");
+
+        if (h == NULL)
+                {
+                if ((ret=lh_new(hash,cmp_conf)) == NULL)
+                        {
+                        CONFerr(CONF_F_CONF_LOAD_BIO,ERR_R_MALLOC_FAILURE);
+                        goto err;
+                        }
+                }
+        else
+                ret=h;
+
+        sv=new_section(ret,section);
+        if (sv == NULL)
+                {
+                CONFerr(CONF_F_CONF_LOAD_BIO,
+                                        CONF_R_UNABLE_TO_CREATE_NEW_SECTION);
+                goto err;
+                }
+        section_sk=(STACK_OF(CONF_VALUE) *)sv->value;
+
+        bufnum=0;
+        for (;;)
+                {
+                again=0;
+                if (!BUF_MEM_grow(buff,bufnum+BUFSIZE))
+                        {
+                        CONFerr(CONF_F_CONF_LOAD_BIO,ERR_R_BUF_LIB);
+                        goto err;
+                        }
+                p= &(buff->data[bufnum]);
+                *p='\0';
+                BIO_gets(in, p, BUFSIZE-1);
+                p[BUFSIZE-1]='\0';
+                ii=i=strlen(p);
+                if (i == 0) break;
+                while (i > 0)
+                        {
+                        if ((p[i-1] != '\r') && (p[i-1] != '\n'))
+                                break;
+                        else
+                                i--;
+                        }
+                /* we removed some trailing stuff so there is a new
+                 * line on the end. */
+                if (i == ii)
+                        again=1; /* long line */
+                else
+                        {
+                        p[i]='\0';
+                        eline++; /* another input line */
+                        }
+
+                /* we now have a line with trailing \r\n removed */
+
+                /* i is the number of bytes */
+                bufnum+=i;
+
+                v=NULL;
+                /* check for line continuation */
+                if (bufnum >= 1)
+                        {
+                        /* If we have bytes and the last char '\\' and
+                         * second last char is not '\\' */
+                        p= &(buff->data[bufnum-1]);
+                        if (    IS_ESC(p[0]) &&
+                                ((bufnum <= 1) || !IS_ESC(p[-1])))
+                                {
+                                bufnum--;
+                                again=1;
+                                }
+                        }
+                if (again) continue;
+                bufnum=0;
+                buf=buff->data;
+
+                clear_comments(buf);
+                n=strlen(buf);
+                s=eat_ws(buf);
+                if (IS_EOF(*s)) continue; /* blank line */
+                if (*s == '[')
+                        {
+                        char *ss;
+
+                        s++;
+                        start=eat_ws(s);
+                        ss=start;
+again:
+                        end=eat_alpha_numeric(ss);
+                        p=eat_ws(end);
+                        if (*p != ']')
+                                {
+                                if (*p != '\0')
+                                        {
+                                        ss=p;
+                                        goto again;
+                                        }
+                                CONFerr(CONF_F_CONF_LOAD_BIO,
+                                        CONF_R_MISSING_CLOSE_SQUARE_BRACKET);
+                                goto err;
+                                }
+                        *end='\0';
+                        if (!str_copy(ret,NULL,&section,start)) goto err;
+                        if ((sv=get_section(ret,section)) == NULL)
+                                sv=new_section(ret,section);
+                        if (sv == NULL)
+                                {
+                                CONFerr(CONF_F_CONF_LOAD_BIO,
+                                        CONF_R_UNABLE_TO_CREATE_NEW_SECTION);
+                                goto err;
+                                }
+                        section_sk=(STACK_OF(CONF_VALUE) *)sv->value;
+                        continue;
+                        }
+                else
+                        {
+                        pname=s;
+                        psection=NULL;
+                        end=eat_alpha_numeric(s);
+                        if ((end[0] == ':') && (end[1] == ':'))
+                                {
+                                *end='\0';
+                                end+=2;
+                                psection=pname;
+                                pname=end;
+                                end=eat_alpha_numeric(end);
+                                }
+                        p=eat_ws(end);
+                        if (*p != '=')
+                                {
+                                CONFerr(CONF_F_CONF_LOAD_BIO,
+                                                CONF_R_MISSING_EQUAL_SIGN);
+                                goto err;
+                                }
+                        *end='\0';
+                        p++;
+                        start=eat_ws(p);
+                        while (!IS_EOF(*p))
+                                p++;
+                        p--;
+                        while ((p != start) && (IS_WS(*p)))
+                                p--;
+                        p++;
+                        *p='\0';
+
+                        if (!(v=(CONF_VALUE *)Malloc(sizeof(CONF_VALUE))))
+                                {
+                                CONFerr(CONF_F_CONF_LOAD_BIO,
+                                                        ERR_R_MALLOC_FAILURE);
+                                goto err;
+                                }
+                        if (psection == NULL) psection=section;
+                        v->name=(char *)Malloc(strlen(pname)+1);
+                        v->value=NULL;
+                        if (v->name == NULL)
+                                {
+                                CONFerr(CONF_F_CONF_LOAD_BIO,
+                                                        ERR_R_MALLOC_FAILURE);
+                                goto err;
+                                }
+                        strcpy(v->name,pname);
+                        if (!str_copy(ret,psection,&(v->value),start)) goto err;
+
+                        if (strcmp(psection,section) != 0)
+                                {
+                                if ((tv=get_section(ret,psection))
+                                        == NULL)
+                                        tv=new_section(ret,psection);
+                                if (tv == NULL)
+                                        {
+                                        CONFerr(CONF_F_CONF_LOAD_BIO,
+                                           CONF_R_UNABLE_TO_CREATE_NEW_SECTION);
+                                        goto err;
+                                        }
+                                ts=(STACK_OF(CONF_VALUE) *)tv->value;
+                                }
+                        else
+                                {
+                                tv=sv;
+                                ts=section_sk;
+                                }
+                        v->section=tv->section; 
+                        if (!sk_CONF_VALUE_push(ts,v))
+                                {
+                                CONFerr(CONF_F_CONF_LOAD_BIO,
+                                                        ERR_R_MALLOC_FAILURE);
+                                goto err;
+                                }
+                        vv=(CONF_VALUE *)lh_insert(ret,v);
+                        if (vv != NULL)
+                                {
+                                sk_CONF_VALUE_delete_ptr(ts,vv);
+                                Free(vv->name);
+                                Free(vv->value);
+                                Free(vv);
+                                }
+                        v=NULL;
+                        }
+                }
+        if (buff != NULL) BUF_MEM_free(buff);
+        if (section != NULL) Free(section);
+        return(ret);
+err:
+        if (buff != NULL) BUF_MEM_free(buff);
+        if (section != NULL) Free(section);
+        if (line != NULL) *line=eline;
+        sprintf(btmp,"%ld",eline);
+        ERR_add_error_data(2,"line ",btmp);
+        if ((h != ret) && (ret != NULL)) CONF_free(ret);
+        if (v != NULL)
+                {
+                if (v->name != NULL) Free(v->name);
+                if (v->value != NULL) Free(v->value);
+                if (v != NULL) Free(v);
+                }
+        return(NULL);
+        }
+
+char *CONF_get_string(LHASH *conf, char *section, char *name)
+        {
+        CONF_VALUE *v,vv;
+        char *p;
+
+        if (name == NULL) return(NULL);
+        if (conf != NULL)
+                {
+                if (section != NULL)
+                        {
+                        vv.name=name;
+                        vv.section=section;
+                        v=(CONF_VALUE *)lh_retrieve(conf,&vv);
+                        if (v != NULL) return(v->value);
+                        if (strcmp(section,"ENV") == 0)
+                                {
+                                p=Getenv(name);
+                                if (p != NULL) return(p);
+                                }
+                        }
+                vv.section="default";
+                vv.name=name;
+                v=(CONF_VALUE *)lh_retrieve(conf,&vv);
+                if (v != NULL)
+                        return(v->value);
+                else
+                        return(NULL);
+                }
+        else
+                return(Getenv(name));
+        }
+
+static CONF_VALUE *get_section(LHASH *conf, char *section)
+        {
+        CONF_VALUE *v,vv;
+
+        if ((conf == NULL) || (section == NULL)) return(NULL);
+        vv.name=NULL;
+        vv.section=section;
+        v=(CONF_VALUE *)lh_retrieve(conf,&vv);
+        return(v);
+        }
+
+STACK_OF(CONF_VALUE) *CONF_get_section(LHASH *conf, char *section)
+        {
+        CONF_VALUE *v;
+
+        v=get_section(conf,section);
+        if (v != NULL)
+                return((STACK_OF(CONF_VALUE) *)v->value);
+        else
+                return(NULL);
+        }
+
+long CONF_get_number(LHASH *conf, char *section, char *name)
+        {
+        char *str;
+        long ret=0;
+
+        str=CONF_get_string(conf,section,name);
+        if (str == NULL) return(0);
+        for (;;)
+                {
+                if (IS_NUMER(*str))
+                        ret=ret*10+(*str -'0');
+                else
+                        return(ret);
+                str++;
+                }
+        }
+
+void CONF_free(LHASH *conf)
+        {
+        if (conf == NULL) return;
+
+        conf->down_load=0;      /* evil thing to make sure the 'Free()'
+                                 * works as expected */
+        lh_doall_arg(conf,(void (*)())value_free_hash,conf);
+
+        /* We now have only 'section' entries in the hash table.
+         * Due to problems with */
+
+        lh_doall_arg(conf,(void (*)())value_free_stack,conf);
+        lh_free(conf);
+        }
+
+static void value_free_hash(CONF_VALUE *a, LHASH *conf)
+        {
+        if (a->name != NULL)
+                {
+                a=(CONF_VALUE *)lh_delete(conf,a);
+                }
+        }
+
+static void value_free_stack(CONF_VALUE *a, LHASH *conf)
+        {
+        CONF_VALUE *vv;
+        STACK *sk;
+        int i;
+
+        if (a->name != NULL) return;
+
+        sk=(STACK *)a->value;
+        for (i=sk_num(sk)-1; i>=0; i--)
+                {
+                vv=(CONF_VALUE *)sk_value(sk,i);
+                Free(vv->value);
+                Free(vv->name);
+                Free(vv);
+                }
+        if (sk != NULL) sk_free(sk);
+        Free(a->section);
+        Free(a);
+        }
+
+static void clear_comments(char *p)
+        {
+        char *to;
+
+        to=p;
+        for (;;)
+                {
+                if (IS_COMMENT(*p))
+                        {
+                        *p='\0';
+                        return;
+                        }
+                if (IS_QUOTE(*p))
+                        {
+                        p=scan_quote(p);
+                        continue;
+                        }
+                if (IS_ESC(*p))
+                        {
+                        p=scan_esc(p);
+                        continue;
+                        }
+                if (IS_EOF(*p))
+                        return;
+                else
+                        p++;
+                }
+        }
+
+static int str_copy(LHASH *conf, char *section, char **pto, char *from)
+        {
+        int q,r,rr=0,to=0,len=0;
+        char *s,*e,*rp,*p,*rrp,*np,*cp,v;
+        BUF_MEM *buf;
+
+        if ((buf=BUF_MEM_new()) == NULL) return(0);
+
+        len=strlen(from)+1;
+        if (!BUF_MEM_grow(buf,len)) goto err;
+
+        for (;;)
+                {
+                if (IS_QUOTE(*from))
+                        {
+                        q= *from;
+                        from++;
+                        while ((*from != '\0') && (*from != q))
+                                {
+                                if (*from == '\\')
+                                        {
+                                        from++;
+                                        if (*from == '\0') break;
+                                        }
+                                buf->data[to++]= *(from++);
+                                }
+                        }
+                else if (*from == '\\')
+                        {
+                        from++;
+                        v= *(from++);
+                        if (v == '\0') break;
+                        else if (v == 'r') v='\r';
+                        else if (v == 'n') v='\n';
+                        else if (v == 'b') v='\b';
+                        else if (v == 't') v='\t';
+                        buf->data[to++]= v;
+                        }
+                else if (*from == '\0')
+                        break;
+                else if (*from == '$')
+                        {
+                        /* try to expand it */
+                        rrp=NULL;
+                        s= &(from[1]);
+                        if (*s == '{')
+                                q='}';
+                        else if (*s == '(')
+                                q=')';
+                        else q=0;
+
+                        if (q) s++;
+                        cp=section;
+                        e=np=s;
+                        while (IS_ALPHA_NUMERIC(*e))
+                                e++;
+                        if ((e[0] == ':') && (e[1] == ':'))
+                                {
+                                cp=np;
+                                rrp=e;
+                                rr= *e;
+                                *rrp='\0';
+                                e+=2;
+                                np=e;
+                                while (IS_ALPHA_NUMERIC(*e))
+                                        e++;
+                                }
+                        r= *e;
+                        *e='\0';
+                        rp=e;
+                        if (q)
+                                {
+                                if (r != q)
+                                        {
+                                        CONFerr(CONF_F_STR_COPY,CONF_R_NO_CLOSE_BRACE);
+                                        goto err;
+                                        }
+                                e++;
+                                }
+                        /* So at this point we have
+                         * ns which is the start of the name string which is
+                         *   '\0' terminated. 
+                         * cs which is the start of the section string which is
+                         *   '\0' terminated.
+                         * e is the 'next point after'.
+                         * r and s are the chars replaced by the '\0'
+                         * rp and sp is where 'r' and 's' came from.
+                         */
+                        p=CONF_get_string(conf,cp,np);
+                        if (rrp != NULL) *rrp=rr;
+                        *rp=r;
+                        if (p == NULL)
+                                {
+                                CONFerr(CONF_F_STR_COPY,CONF_R_VARIABLE_HAS_NO_VALUE);
+                                goto err;
+                                }
+                        BUF_MEM_grow(buf,(strlen(p)+len-(e-from)));
+                        while (*p)
+                                buf->data[to++]= *(p++);
+                        from=e;
+                        }
+                else
+                        buf->data[to++]= *(from++);
+                }
+        buf->data[to]='\0';
+        if (*pto != NULL) Free(*pto);
+        *pto=buf->data;
+        Free(buf);
+        return(1);
+err:
+        if (buf != NULL) BUF_MEM_free(buf);
+        return(0);
+        }
+
+static char *eat_ws(char *p)
+        {
+        while (IS_WS(*p) && (!IS_EOF(*p)))
+                p++;
+        return(p);
+        }
+
+static char *eat_alpha_numeric(char *p)
+        {
+        for (;;)
+                {
+                if (IS_ESC(*p))
+                        {
+                        p=scan_esc(p);
+                        continue;
+                        }
+                if (!IS_ALPHA_NUMERIC_PUNCT(*p))
+                        return(p);
+                p++;
+                }
+        }
+
+static unsigned long hash(CONF_VALUE *v)
+        {
+        return((lh_strhash(v->section)<<2)^lh_strhash(v->name));
+        }
+
+static int cmp_conf(CONF_VALUE *a, CONF_VALUE *b)
+        {
+        int i;
+
+        if (a->section != b->section)
+                {
+                i=strcmp(a->section,b->section);
+                if (i) return(i);
+                }
+
+        if ((a->name != NULL) && (b->name != NULL))
+                {
+                i=strcmp(a->name,b->name);
+                return(i);
+                }
+        else if (a->name == b->name)
+                return(0);
+        else
+                return((a->name == NULL)?-1:1);
+        }
+
+static char *scan_quote(char *p)
+        {
+        int q= *p;
+
+        p++;
+        while (!(IS_EOF(*p)) && (*p != q))
+                {
+                if (IS_ESC(*p))
+                        {
+                        p++;
+                        if (IS_EOF(*p)) return(p);
+                        }
+                p++;
+                }
+        if (*p == q) p++;
+        return(p);
+        }
+
+static CONF_VALUE *new_section(LHASH *conf, char *section)
+        {
+        STACK *sk=NULL;
+        int ok=0,i;
+        CONF_VALUE *v=NULL,*vv;
+
+        if ((sk=sk_new_null()) == NULL)
+                goto err;
+        if ((v=(CONF_VALUE *)Malloc(sizeof(CONF_VALUE))) == NULL)
+                goto err;
+        i=strlen(section)+1;
+        if ((v->section=(char *)Malloc(i)) == NULL)
+                goto err;
+
+        memcpy(v->section,section,i);
+        v->name=NULL;
+        v->value=(char *)sk;
+        
+        vv=(CONF_VALUE *)lh_insert(conf,v);
+        if (vv != NULL)
+                {
+#if !defined(NO_STDIO) && !defined(WIN16)
+                fprintf(stderr,"internal fault\n");
+#endif
+                abort();
+                }
+        ok=1;
+err:
+        if (!ok)
+                {
+                if (sk != NULL) sk_free(sk);
+                if (v != NULL) Free(v);
+                v=NULL;
+                }
+        return(v);
+        }
+
+IMPLEMENT_STACK_OF(CONF_VALUE)
diff --git a/src/lib/libcrypto/conf/conf.h b/src/lib/libcrypto/conf/conf.h
index cd40a0db21..3c03fb19c0 100644
--- a/src/lib/libcrypto/conf/conf.h
+++ b/src/lib/libcrypto/conf/conf.h
@@ -63,7 +63,7 @@
 #include <openssl/lhash.h>
 #include <openssl/stack.h>
 #include <openssl/safestack.h>
-#include <openssl/e_os.h>
+#include <openssl/e_os2.h>
 
 #ifdef  __cplusplus
 extern "C" {
@@ -77,6 +77,8 @@ typedef struct
         } CONF_VALUE;
 
 DECLARE_STACK_OF(CONF_VALUE)
+DECLARE_STACK_OF(CONF_MODULE)
+DECLARE_STACK_OF(CONF_IMODULE)
 
 struct conf_st;
 typedef struct conf_st CONF;
@@ -86,29 +88,47 @@ typedef struct conf_method_st CONF_METHOD;
 struct conf_method_st
         {
         const char *name;
-        CONF *(MS_FAR *create)(CONF_METHOD *meth);
-        int (MS_FAR *init)(CONF *conf);
-        int (MS_FAR *destroy)(CONF *conf);
-        int (MS_FAR *destroy_data)(CONF *conf);
-        int (MS_FAR *load)(CONF *conf, BIO *bp, long *eline);
-        int (MS_FAR *dump)(CONF *conf, BIO *bp);
-        int (MS_FAR *is_number)(CONF *conf, char c);
-        int (MS_FAR *to_int)(CONF *conf, char c);
+        CONF *(*create)(CONF_METHOD *meth);
+        int (*init)(CONF *conf);
+        int (*destroy)(CONF *conf);
+        int (*destroy_data)(CONF *conf);
+        int (*load_bio)(CONF *conf, BIO *bp, long *eline);
+        int (*dump)(const CONF *conf, BIO *bp);
+        int (*is_number)(const CONF *conf, char c);
+        int (*to_int)(const CONF *conf, char c);
+        int (*load)(CONF *conf, const char *name, long *eline);
         };
 
+/* Module definitions */
+
+typedef struct conf_imodule_st CONF_IMODULE;
+typedef struct conf_module_st CONF_MODULE;
+
+/* DSO module function typedefs */
+typedef int conf_init_func(CONF_IMODULE *md, const CONF *cnf);
+typedef void conf_finish_func(CONF_IMODULE *md);
+
+#define CONF_MFLAGS_IGNORE_ERRORS       0x1
+#define CONF_MFLAGS_IGNORE_RETURN_CODES 0x2
+#define CONF_MFLAGS_SILENT              0x4
+#define CONF_MFLAGS_NO_DSO              0x8
+#define CONF_MFLAGS_IGNORE_MISSING_FILE 0x10
+
 int CONF_set_default_method(CONF_METHOD *meth);
+void CONF_set_nconf(CONF *conf,LHASH *hash);
 LHASH *CONF_load(LHASH *conf,const char *file,long *eline);
-#ifndef NO_FP_API
+#ifndef OPENSSL_NO_FP_API
 LHASH *CONF_load_fp(LHASH *conf, FILE *fp,long *eline);
 #endif
 LHASH *CONF_load_bio(LHASH *conf, BIO *bp,long *eline);
-STACK_OF(CONF_VALUE) *CONF_get_section(LHASH *conf,char *section);
-char *CONF_get_string(LHASH *conf,char *group,char *name);
-long CONF_get_number(LHASH *conf,char *group,char *name);
+STACK_OF(CONF_VALUE) *CONF_get_section(LHASH *conf,const char *section);
+char *CONF_get_string(LHASH *conf,const char *group,const char *name);
+long CONF_get_number(LHASH *conf,const char *group,const char *name);
 void CONF_free(LHASH *conf);
 int CONF_dump_fp(LHASH *conf, FILE *out);
 int CONF_dump_bio(LHASH *conf, BIO *out);
-void ERR_load_CONF_strings(void );
+
+void OPENSSL_config(const char *config_name);
 
 /* New conf code.  The semantics are different from the functions above.
    If that wasn't the case, the above functions would have been replaced */
@@ -130,21 +150,57 @@ void NCONF_free(CONF *conf);
 void NCONF_free_data(CONF *conf);
 
 int NCONF_load(CONF *conf,const char *file,long *eline);
-#ifndef NO_FP_API
+#ifndef OPENSSL_NO_FP_API
 int NCONF_load_fp(CONF *conf, FILE *fp,long *eline);
 #endif
 int NCONF_load_bio(CONF *conf, BIO *bp,long *eline);
-STACK_OF(CONF_VALUE) *NCONF_get_section(CONF *conf,char *section);
-char *NCONF_get_string(CONF *conf,char *group,char *name);
+STACK_OF(CONF_VALUE) *NCONF_get_section(const CONF *conf,const char *section);
+char *NCONF_get_string(const CONF *conf,const char *group,const char *name);
+int NCONF_get_number_e(const CONF *conf,const char *group,const char *name,
+                       long *result);
+int NCONF_dump_fp(const CONF *conf, FILE *out);
+int NCONF_dump_bio(const CONF *conf, BIO *out);
+
+#if 0 /* The following function has no error checking,
+         and should therefore be avoided */
 long NCONF_get_number(CONF *conf,char *group,char *name);
-int NCONF_dump_fp(CONF *conf, FILE *out);
-int NCONF_dump_bio(CONF *conf, BIO *out);
-
+#else
+#define NCONF_get_number(c,g,n,r) NCONF_get_number_e(c,g,n,r)
+#endif
+  
+/* Module functions */
+
+int CONF_modules_load(const CONF *cnf, const char *appname,
+                      unsigned long flags);
+int CONF_modules_load_file(const char *filename, const char *appname,
+                           unsigned long flags);
+void CONF_modules_unload(int all);
+void CONF_modules_finish(void);
+int CONF_module_add(const char *name, conf_init_func *ifunc,
+                    conf_finish_func *ffunc);
+
+const char *CONF_imodule_get_name(const CONF_IMODULE *md);
+const char *CONF_imodule_get_value(const CONF_IMODULE *md);
+void *CONF_imodule_get_usr_data(const CONF_IMODULE *md);
+void CONF_imodule_set_usr_data(CONF_IMODULE *md, void *usr_data);
+CONF_MODULE *CONF_imodule_get_module(const CONF_IMODULE *md);
+unsigned long CONF_imodule_get_flags(const CONF_IMODULE *md);
+void CONF_imodule_set_flags(CONF_IMODULE *md, unsigned long flags);
+void *CONF_module_get_usr_data(CONF_MODULE *pmod);
+void CONF_module_set_usr_data(CONF_MODULE *pmod, void *usr_data);
+
+char *CONF_get1_default_config_file(void);
+
+int CONF_parse_list(const char *list, int sep, int nospc,
+        int (*list_cb)(const char *elem, int len, void *usr), void *arg);
+
+void OPENSSL_load_builtin_modules(void);
 
 /* BEGIN ERROR CODES */
 /* The following lines are auto generated by the script mkerr.pl. Any changes
  * made after this point may be overwritten when the script is next run.
  */
+void ERR_load_CONF_strings(void);
 
 /* Error codes for the CONF functions. */
 
@@ -153,27 +209,40 @@ int NCONF_dump_bio(CONF *conf, BIO *out);
 #define CONF_F_CONF_LOAD                                 100
 #define CONF_F_CONF_LOAD_BIO                             102
 #define CONF_F_CONF_LOAD_FP                              103
+#define CONF_F_CONF_MODULES_LOAD                         116
+#define CONF_F_MODULE_INIT                               115
+#define CONF_F_MODULE_LOAD_DSO                           117
+#define CONF_F_MODULE_RUN                                118
 #define CONF_F_NCONF_DUMP_BIO                            105
 #define CONF_F_NCONF_DUMP_FP                             106
 #define CONF_F_NCONF_GET_NUMBER                          107
+#define CONF_F_NCONF_GET_NUMBER_E                        112
 #define CONF_F_NCONF_GET_SECTION                         108
 #define CONF_F_NCONF_GET_STRING                          109
+#define CONF_F_NCONF_LOAD                                113
 #define CONF_F_NCONF_LOAD_BIO                            110
+#define CONF_F_NCONF_LOAD_FP                             114
 #define CONF_F_NCONF_NEW                                 111
 #define CONF_F_STR_COPY                                  101
 
 /* Reason codes. */
+#define CONF_R_ERROR_LOADING_DSO                         110
 #define CONF_R_MISSING_CLOSE_SQUARE_BRACKET              100
 #define CONF_R_MISSING_EQUAL_SIGN                        101
+#define CONF_R_MISSING_FINISH_FUNCTION                   111
+#define CONF_R_MISSING_INIT_FUNCTION                     112
+#define CONF_R_MODULE_INITIALIZATION_ERROR               109
 #define CONF_R_NO_CLOSE_BRACE                            102
 #define CONF_R_NO_CONF                                   105
 #define CONF_R_NO_CONF_OR_ENVIRONMENT_VARIABLE           106
 #define CONF_R_NO_SECTION                                107
+#define CONF_R_NO_SUCH_FILE                              114
+#define CONF_R_NO_VALUE                                  108
 #define CONF_R_UNABLE_TO_CREATE_NEW_SECTION              103
+#define CONF_R_UNKNOWN_MODULE_NAME                       113
 #define CONF_R_VARIABLE_HAS_NO_VALUE                     104
 
 #ifdef  __cplusplus
 }
 #endif
 #endif
-
diff --git a/src/lib/libcrypto/conf/conf_api.c b/src/lib/libcrypto/conf/conf_api.c
index d05a778ff6..0032baa711 100644
--- a/src/lib/libcrypto/conf/conf_api.c
+++ b/src/lib/libcrypto/conf/conf_api.c
@@ -67,26 +67,34 @@
 #include <string.h>
 #include <openssl/conf.h>
 #include <openssl/conf_api.h>
+#include "e_os.h"
 
 static void value_free_hash(CONF_VALUE *a, LHASH *conf);
 static void value_free_stack(CONF_VALUE *a,LHASH *conf);
-static unsigned long hash(CONF_VALUE *v);
-static int cmp_conf(CONF_VALUE *a,CONF_VALUE *b);
+static IMPLEMENT_LHASH_DOALL_ARG_FN(value_free_hash, CONF_VALUE *, LHASH *)
+static IMPLEMENT_LHASH_DOALL_ARG_FN(value_free_stack, CONF_VALUE *, LHASH *)
+/* We don't use function pointer casting or wrapper functions - but cast each
+ * callback parameter inside the callback functions. */
+/* static unsigned long hash(CONF_VALUE *v); */
+static unsigned long hash(const void *v_void);
+/* static int cmp_conf(CONF_VALUE *a,CONF_VALUE *b); */
+static int cmp_conf(const void *a_void,const void *b_void);
 
 /* Up until OpenSSL 0.9.5a, this was get_section */
-CONF_VALUE *_CONF_get_section(CONF *conf, char *section)
+CONF_VALUE *_CONF_get_section(const CONF *conf, const char *section)
         {
         CONF_VALUE *v,vv;
 
         if ((conf == NULL) || (section == NULL)) return(NULL);
         vv.name=NULL;
-        vv.section=section;
+        vv.section=(char *)section;
         v=(CONF_VALUE *)lh_retrieve(conf->data,&vv);
         return(v);
         }
 
 /* Up until OpenSSL 0.9.5a, this was CONF_get_section */
-STACK_OF(CONF_VALUE) *_CONF_get_section_values(CONF *conf, char *section)
+STACK_OF(CONF_VALUE) *_CONF_get_section_values(const CONF *conf,
+                                               const char *section)
         {
         CONF_VALUE *v;
 
@@ -121,7 +129,7 @@ int _CONF_add_string(CONF *conf, CONF_VALUE *section, CONF_VALUE *value)
         return 1;
         }
 
-char *_CONF_get_string(CONF *conf, char *section, char *name)
+char *_CONF_get_string(const CONF *conf, const char *section, const char *name)
         {
         CONF_VALUE *v,vv;
         char *p;
@@ -131,8 +139,8 @@ char *_CONF_get_string(CONF *conf, char *section, char *name)
                 {
                 if (section != NULL)
                         {
-                        vv.name=name;
-                        vv.section=section;
+                        vv.name=(char *)name;
+                        vv.section=(char *)section;
                         v=(CONF_VALUE *)lh_retrieve(conf->data,&vv);
                         if (v != NULL) return(v->value);
                         if (strcmp(section,"ENV") == 0)
@@ -142,7 +150,7 @@ char *_CONF_get_string(CONF *conf, char *section, char *name)
                                 }
                         }
                 vv.section="default";
-                vv.name=name;
+                vv.name=(char *)name;
                 v=(CONF_VALUE *)lh_retrieve(conf->data,&vv);
                 if (v != NULL)
                         return(v->value);
@@ -153,6 +161,9 @@ char *_CONF_get_string(CONF *conf, char *section, char *name)
                 return(Getenv(name));
         }
 
+#if 0 /* There's no way to provide error checking with this function, so
+         force implementors of the higher levels to get a string and read
+         the number themselves. */
 long _CONF_get_number(CONF *conf, char *section, char *name)
         {
         char *str;
@@ -169,6 +180,7 @@ long _CONF_get_number(CONF *conf, char *section, char *name)
                 str++;
                 }
         }
+#endif
 
 int _CONF_new_data(CONF *conf)
         {
@@ -177,7 +189,7 @@ int _CONF_new_data(CONF *conf)
                 return 0;
                 }
         if (conf->data == NULL)
-                if ((conf->data = lh_new(hash,cmp_conf)) == NULL)
+                if ((conf->data = lh_new(hash, cmp_conf)) == NULL)
                         {
                         return 0;
                         }
@@ -190,12 +202,14 @@ void _CONF_free_data(CONF *conf)
 
         conf->data->down_load=0; /* evil thing to make sure the 'OPENSSL_free()'
                                   * works as expected */
-        lh_doall_arg(conf->data,(void (*)())value_free_hash,conf->data);
+        lh_doall_arg(conf->data, LHASH_DOALL_ARG_FN(value_free_hash),
+                        conf->data);
 
         /* We now have only 'section' entries in the hash table.
          * Due to problems with */
 
-        lh_doall_arg(conf->data,(void (*)())value_free_stack,conf->data);
+        lh_doall_arg(conf->data, LHASH_DOALL_ARG_FN(value_free_stack),
+                        conf->data);
         lh_free(conf->data);
         }
 
@@ -228,14 +242,19 @@ static void value_free_stack(CONF_VALUE *a, LHASH *conf)
         OPENSSL_free(a);
         }
 
-static unsigned long hash(CONF_VALUE *v)
+/* static unsigned long hash(CONF_VALUE *v) */
+static unsigned long hash(const void *v_void)
         {
+        CONF_VALUE *v = (CONF_VALUE *)v_void;
         return((lh_strhash(v->section)<<2)^lh_strhash(v->name));
         }
 
-static int cmp_conf(CONF_VALUE *a, CONF_VALUE *b)
+/* static int cmp_conf(CONF_VALUE *a, CONF_VALUE *b) */
+static int cmp_conf(const void *a_void,const  void *b_void)
         {
         int i;
+        CONF_VALUE *a = (CONF_VALUE *)a_void;
+        CONF_VALUE *b = (CONF_VALUE *)b_void;
 
         if (a->section != b->section)
                 {
@@ -255,7 +274,7 @@ static int cmp_conf(CONF_VALUE *a, CONF_VALUE *b)
         }
 
 /* Up until OpenSSL 0.9.5a, this was new_section */
-CONF_VALUE *_CONF_new_section(CONF *conf, char *section)
+CONF_VALUE *_CONF_new_section(CONF *conf, const char *section)
         {
         STACK *sk=NULL;
         int ok=0,i;
diff --git a/src/lib/libcrypto/conf/conf_api.h b/src/lib/libcrypto/conf/conf_api.h
index a5cc17b233..87a954aff6 100644
--- a/src/lib/libcrypto/conf/conf_api.h
+++ b/src/lib/libcrypto/conf/conf_api.h
@@ -67,15 +67,17 @@ extern "C" {
 #endif
 
 /* Up until OpenSSL 0.9.5a, this was new_section */
-CONF_VALUE *_CONF_new_section(CONF *conf, char *section);
+CONF_VALUE *_CONF_new_section(CONF *conf, const char *section);
 /* Up until OpenSSL 0.9.5a, this was get_section */
-CONF_VALUE *_CONF_get_section(CONF *conf, char *section);
+CONF_VALUE *_CONF_get_section(const CONF *conf, const char *section);
 /* Up until OpenSSL 0.9.5a, this was CONF_get_section */
-STACK_OF(CONF_VALUE) *_CONF_get_section_values(CONF *conf, char *section);
+STACK_OF(CONF_VALUE) *_CONF_get_section_values(const CONF *conf,
+                                               const char *section);
 
 int _CONF_add_string(CONF *conf, CONF_VALUE *section, CONF_VALUE *value);
-char *_CONF_get_string(CONF *conf, char *section, char *name);
-long _CONF_get_number(CONF *conf, char *section, char *name);
+char *_CONF_get_string(const CONF *conf, const char *section,
+                       const char *name);
+long _CONF_get_number(const CONF *conf, const char *section, const char *name);
 
 int _CONF_new_data(CONF *conf);
 void _CONF_free_data(CONF *conf);
diff --git a/src/lib/libcrypto/conf/conf_def.c b/src/lib/libcrypto/conf/conf_def.c
index 773df32c68..31f2766246 100644
--- a/src/lib/libcrypto/conf/conf_def.c
+++ b/src/lib/libcrypto/conf/conf_def.c
@@ -81,10 +81,11 @@ static int def_init_default(CONF *conf);
 static int def_init_WIN32(CONF *conf);
 static int def_destroy(CONF *conf);
 static int def_destroy_data(CONF *conf);
-static int def_load(CONF *conf, BIO *bp, long *eline);
-static int def_dump(CONF *conf, BIO *bp);
-static int def_is_number(CONF *conf, char c);
-static int def_to_int(CONF *conf, char c);
+static int def_load(CONF *conf, const char *name, long *eline);
+static int def_load_bio(CONF *conf, BIO *bp, long *eline);
+static int def_dump(const CONF *conf, BIO *bp);
+static int def_is_number(const CONF *conf, char c);
+static int def_to_int(const CONF *conf, char c);
 
 const char *CONF_def_version="CONF_def" OPENSSL_VERSION_PTEXT;
 
@@ -94,10 +95,11 @@ static CONF_METHOD default_method = {
         def_init_default,
         def_destroy,
         def_destroy_data,
-        def_load,
+        def_load_bio,
         def_dump,
         def_is_number,
-        def_to_int
+        def_to_int,
+        def_load
         };
 
 static CONF_METHOD WIN32_method = {
@@ -106,10 +108,11 @@ static CONF_METHOD WIN32_method = {
         def_init_WIN32,
         def_destroy,
         def_destroy_data,
-        def_load,
+        def_load_bio,
         def_dump,
         def_is_number,
-        def_to_int
+        def_to_int,
+        def_load
         };
 
 CONF_METHOD *NCONF_default()
@@ -177,7 +180,32 @@ static int def_destroy_data(CONF *conf)
         return 1;
         }
 
-static int def_load(CONF *conf, BIO *in, long *line)
+static int def_load(CONF *conf, const char *name, long *line)
+        {
+        int ret;
+        BIO *in=NULL;
+
+#ifdef OPENSSL_SYS_VMS
+        in=BIO_new_file(name, "r");
+#else
+        in=BIO_new_file(name, "rb");
+#endif
+        if (in == NULL)
+                {
+                if (ERR_GET_REASON(ERR_peek_last_error()) == BIO_R_NO_SUCH_FILE)
+                        CONFerr(CONF_F_CONF_LOAD,CONF_R_NO_SUCH_FILE);
+                else
+                        CONFerr(CONF_F_CONF_LOAD,ERR_R_SYS_LIB);
+                return 0;
+                }
+
+        ret = def_load_bio(conf, in, line);
+        BIO_free(in);
+
+        return ret;
+        }
+
+static int def_load_bio(CONF *conf, BIO *in, long *line)
         {
 #define BUFSIZE 512
         char btmp[16];
@@ -418,7 +446,11 @@ err:
         if (line != NULL) *line=eline;
         sprintf(btmp,"%ld",eline);
         ERR_add_error_data(2,"line ",btmp);
-        if ((h != conf->data) && (conf->data != NULL)) CONF_free(conf->data);
+        if ((h != conf->data) && (conf->data != NULL))
+                {
+                CONF_free(conf->data);
+                conf->data=NULL;
+                }
         if (v != NULL)
                 {
                 if (v->name != NULL) OPENSSL_free(v->name);
@@ -685,18 +717,20 @@ static void dump_value(CONF_VALUE *a, BIO *out)
                 BIO_printf(out, "[[%s]]\n", a->section);
         }
 
-static int def_dump(CONF *conf, BIO *out)
+static IMPLEMENT_LHASH_DOALL_ARG_FN(dump_value, CONF_VALUE *, BIO *)
+
+static int def_dump(const CONF *conf, BIO *out)
         {
-        lh_doall_arg(conf->data, (void (*)())dump_value, out);
+        lh_doall_arg(conf->data, LHASH_DOALL_ARG_FN(dump_value), out);
         return 1;
         }
 
-static int def_is_number(CONF *conf, char c)
+static int def_is_number(const CONF *conf, char c)
         {
         return IS_NUMBER(conf,c);
         }
 
-static int def_to_int(CONF *conf, char c)
+static int def_to_int(const CONF *conf, char c)
         {
         return c - '0';
         }
diff --git a/src/lib/libcrypto/conf/conf_def.h b/src/lib/libcrypto/conf/conf_def.h
index 3244d9a331..92a7d8ad77 100644
--- a/src/lib/libcrypto/conf/conf_def.h
+++ b/src/lib/libcrypto/conf/conf_def.h
@@ -71,6 +71,7 @@
 #define CONF_COMMENT            128
 #define CONF_FCOMMENT           2048
 #define CONF_EOF                8
+#define CONF_HIGHBIT            4096
 #define CONF_ALPHA              (CONF_UPPER|CONF_LOWER)
 #define CONF_ALPHA_NUMERIC      (CONF_ALPHA|CONF_NUMBER|CONF_UNDER)
 #define CONF_ALPHA_NUMERIC_PUNCT (CONF_ALPHA|CONF_NUMBER|CONF_UNDER| \
@@ -78,68 +79,102 @@
 
 #define KEYTYPES(c)             ((unsigned short *)((c)->meth_data))
 #ifndef CHARSET_EBCDIC
-#define IS_COMMENT(c,a)         (KEYTYPES(c)[(a)&0x7f]&CONF_COMMENT)
-#define IS_FCOMMENT(c,a)        (KEYTYPES(c)[(a)&0x7f]&CONF_FCOMMENT)
-#define IS_EOF(c,a)             (KEYTYPES(c)[(a)&0x7f]&CONF_EOF)
-#define IS_ESC(c,a)             (KEYTYPES(c)[(a)&0x7f]&CONF_ESC)
-#define IS_NUMBER(c,a)          (KEYTYPES(c)[(a)&0x7f]&CONF_NUMBER)
-#define IS_WS(c,a)              (KEYTYPES(c)[(a)&0x7f]&CONF_WS)
-#define IS_ALPHA_NUMERIC(c,a)   (KEYTYPES(c)[(a)&0x7f]&CONF_ALPHA_NUMERIC)
+#define IS_COMMENT(c,a)         (KEYTYPES(c)[(a)&0xff]&CONF_COMMENT)
+#define IS_FCOMMENT(c,a)        (KEYTYPES(c)[(a)&0xff]&CONF_FCOMMENT)
+#define IS_EOF(c,a)             (KEYTYPES(c)[(a)&0xff]&CONF_EOF)
+#define IS_ESC(c,a)             (KEYTYPES(c)[(a)&0xff]&CONF_ESC)
+#define IS_NUMBER(c,a)          (KEYTYPES(c)[(a)&0xff]&CONF_NUMBER)
+#define IS_WS(c,a)              (KEYTYPES(c)[(a)&0xff]&CONF_WS)
+#define IS_ALPHA_NUMERIC(c,a)   (KEYTYPES(c)[(a)&0xff]&CONF_ALPHA_NUMERIC)
 #define IS_ALPHA_NUMERIC_PUNCT(c,a) \
-                                (KEYTYPES(c)[(a)&0x7f]&CONF_ALPHA_NUMERIC_PUNCT)
-#define IS_QUOTE(c,a)           (KEYTYPES(c)[(a)&0x7f]&CONF_QUOTE)
-#define IS_DQUOTE(c,a)          (KEYTYPES(c)[(a)&0x7f]&CONF_DQUOTE)
+                                (KEYTYPES(c)[(a)&0xff]&CONF_ALPHA_NUMERIC_PUNCT)
+#define IS_QUOTE(c,a)           (KEYTYPES(c)[(a)&0xff]&CONF_QUOTE)
+#define IS_DQUOTE(c,a)          (KEYTYPES(c)[(a)&0xff]&CONF_DQUOTE)
+#define IS_HIGHBIT(c,a)         (KEYTYPES(c)[(a)&0xff]&CONF_HIGHBIT)
 
 #else /*CHARSET_EBCDIC*/
 
-#define IS_COMMENT(c,a)         (KEYTYPES(c)[os_toascii[a]&0x7f]&CONF_COMMENT)
-#define IS_FCOMMENT(c,a)        (KEYTYPES(c)[os_toascii[a]&0x7f]&CONF_FCOMMENT)
-#define IS_EOF(c,a)             (KEYTYPES(c)[os_toascii[a]&0x7f]&CONF_EOF)
-#define IS_ESC(c,a)             (KEYTYPES(c)[os_toascii[a]&0x7f]&CONF_ESC)
-#define IS_NUMBER(c,a)          (KEYTYPES(c)[os_toascii[a]&0x7f]&CONF_NUMBER)
-#define IS_WS(c,a)              (KEYTYPES(c)[os_toascii[a]&0x7f]&CONF_WS)
-#define IS_ALPHA_NUMERIC(c,a)   (KEYTYPES(c)[os_toascii[a]&0x7f]&CONF_ALPHA_NUMERIC)
+#define IS_COMMENT(c,a)         (KEYTYPES(c)[os_toascii[a]&0xff]&CONF_COMMENT)
+#define IS_FCOMMENT(c,a)        (KEYTYPES(c)[os_toascii[a]&0xff]&CONF_FCOMMENT)
+#define IS_EOF(c,a)             (KEYTYPES(c)[os_toascii[a]&0xff]&CONF_EOF)
+#define IS_ESC(c,a)             (KEYTYPES(c)[os_toascii[a]&0xff]&CONF_ESC)
+#define IS_NUMBER(c,a)          (KEYTYPES(c)[os_toascii[a]&0xff]&CONF_NUMBER)
+#define IS_WS(c,a)              (KEYTYPES(c)[os_toascii[a]&0xff]&CONF_WS)
+#define IS_ALPHA_NUMERIC(c,a)   (KEYTYPES(c)[os_toascii[a]&0xff]&CONF_ALPHA_NUMERIC)
 #define IS_ALPHA_NUMERIC_PUNCT(c,a) \
-                                (KEYTYPES(c)[os_toascii[a]&0x7f]&CONF_ALPHA_NUMERIC_PUNCT)
-#define IS_QUOTE(c,a)           (KEYTYPES(c)[os_toascii[a]&0x7f]&CONF_QUOTE)
-#define IS_DQUOTE(c,a)          (KEYTYPES(c)[os_toascii[a]&0x7f]&CONF_DQUOTE)
+                                (KEYTYPES(c)[os_toascii[a]&0xff]&CONF_ALPHA_NUMERIC_PUNCT)
+#define IS_QUOTE(c,a)           (KEYTYPES(c)[os_toascii[a]&0xff]&CONF_QUOTE)
+#define IS_DQUOTE(c,a)          (KEYTYPES(c)[os_toascii[a]&0xff]&CONF_DQUOTE)
+#define IS_HIGHBIT(c,a)         (KEYTYPES(c)[os_toascii[a]&0xff]&CONF_HIGHBIT)
 #endif /*CHARSET_EBCDIC*/
 
-static unsigned short CONF_type_default[128]={
-        0x008,0x000,0x000,0x000,0x000,0x000,0x000,0x000,
-        0x000,0x010,0x010,0x000,0x000,0x010,0x000,0x000,
-        0x000,0x000,0x000,0x000,0x000,0x000,0x000,0x000,
-        0x000,0x000,0x000,0x000,0x000,0x000,0x000,0x000,
-        0x010,0x200,0x040,0x080,0x000,0x200,0x200,0x040,
-        0x000,0x000,0x200,0x200,0x200,0x200,0x200,0x200,
-        0x001,0x001,0x001,0x001,0x001,0x001,0x001,0x001,
-        0x001,0x001,0x000,0x200,0x000,0x000,0x000,0x200,
-        0x200,0x002,0x002,0x002,0x002,0x002,0x002,0x002,
-        0x002,0x002,0x002,0x002,0x002,0x002,0x002,0x002,
-        0x002,0x002,0x002,0x002,0x002,0x002,0x002,0x002,
-        0x002,0x002,0x002,0x000,0x020,0x000,0x200,0x100,
-        0x040,0x004,0x004,0x004,0x004,0x004,0x004,0x004,
-        0x004,0x004,0x004,0x004,0x004,0x004,0x004,0x004,
-        0x004,0x004,0x004,0x004,0x004,0x004,0x004,0x004,
-        0x004,0x004,0x004,0x000,0x200,0x000,0x200,0x000,
+static unsigned short CONF_type_default[256]={
+        0x0008,0x0000,0x0000,0x0000,0x0000,0x0000,0x0000,0x0000,
+        0x0000,0x0010,0x0010,0x0000,0x0000,0x0010,0x0000,0x0000,
+        0x0000,0x0000,0x0000,0x0000,0x0000,0x0000,0x0000,0x0000,
+        0x0000,0x0000,0x0000,0x0000,0x0000,0x0000,0x0000,0x0000,
+        0x0010,0x0200,0x0040,0x0080,0x0000,0x0200,0x0200,0x0040,
+        0x0000,0x0000,0x0200,0x0200,0x0200,0x0200,0x0200,0x0200,
+        0x0001,0x0001,0x0001,0x0001,0x0001,0x0001,0x0001,0x0001,
+        0x0001,0x0001,0x0000,0x0200,0x0000,0x0000,0x0000,0x0200,
+        0x0200,0x0002,0x0002,0x0002,0x0002,0x0002,0x0002,0x0002,
+        0x0002,0x0002,0x0002,0x0002,0x0002,0x0002,0x0002,0x0002,
+        0x0002,0x0002,0x0002,0x0002,0x0002,0x0002,0x0002,0x0002,
+        0x0002,0x0002,0x0002,0x0000,0x0020,0x0000,0x0200,0x0100,
+        0x0040,0x0004,0x0004,0x0004,0x0004,0x0004,0x0004,0x0004,
+        0x0004,0x0004,0x0004,0x0004,0x0004,0x0004,0x0004,0x0004,
+        0x0004,0x0004,0x0004,0x0004,0x0004,0x0004,0x0004,0x0004,
+        0x0004,0x0004,0x0004,0x0000,0x0200,0x0000,0x0200,0x0000,
+        0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,
+        0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,
+        0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,
+        0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,
+        0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,
+        0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,
+        0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,
+        0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,
+        0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,
+        0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,
+        0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,
+        0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,
+        0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,
+        0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,
+        0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,
+        0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,
         };
 
-static unsigned short CONF_type_win32[128]={
-        0x008,0x000,0x000,0x000,0x000,0x000,0x000,0x000,
-        0x000,0x010,0x010,0x000,0x000,0x010,0x000,0x000,
-        0x000,0x000,0x000,0x000,0x000,0x000,0x000,0x000,
-        0x000,0x000,0x000,0x000,0x000,0x000,0x000,0x000,
-        0x010,0x200,0x400,0x000,0x000,0x200,0x200,0x000,
-        0x000,0x000,0x200,0x200,0x200,0x200,0x200,0x200,
-        0x001,0x001,0x001,0x001,0x001,0x001,0x001,0x001,
-        0x001,0x001,0x000,0xA00,0x000,0x000,0x000,0x200,
-        0x200,0x002,0x002,0x002,0x002,0x002,0x002,0x002,
-        0x002,0x002,0x002,0x002,0x002,0x002,0x002,0x002,
-        0x002,0x002,0x002,0x002,0x002,0x002,0x002,0x002,
-        0x002,0x002,0x002,0x000,0x000,0x000,0x200,0x100,
-        0x000,0x004,0x004,0x004,0x004,0x004,0x004,0x004,
-        0x004,0x004,0x004,0x004,0x004,0x004,0x004,0x004,
-        0x004,0x004,0x004,0x004,0x004,0x004,0x004,0x004,
-        0x004,0x004,0x004,0x000,0x200,0x000,0x200,0x000,
+static unsigned short CONF_type_win32[256]={
+        0x0008,0x0000,0x0000,0x0000,0x0000,0x0000,0x0000,0x0000,
+        0x0000,0x0010,0x0010,0x0000,0x0000,0x0010,0x0000,0x0000,
+        0x0000,0x0000,0x0000,0x0000,0x0000,0x0000,0x0000,0x0000,
+        0x0000,0x0000,0x0000,0x0000,0x0000,0x0000,0x0000,0x0000,
+        0x0010,0x0200,0x0400,0x0000,0x0000,0x0200,0x0200,0x0000,
+        0x0000,0x0000,0x0200,0x0200,0x0200,0x0200,0x0200,0x0200,
+        0x0001,0x0001,0x0001,0x0001,0x0001,0x0001,0x0001,0x0001,
+        0x0001,0x0001,0x0000,0x0A00,0x0000,0x0000,0x0000,0x0200,
+        0x0200,0x0002,0x0002,0x0002,0x0002,0x0002,0x0002,0x0002,
+        0x0002,0x0002,0x0002,0x0002,0x0002,0x0002,0x0002,0x0002,
+        0x0002,0x0002,0x0002,0x0002,0x0002,0x0002,0x0002,0x0002,
+        0x0002,0x0002,0x0002,0x0000,0x0000,0x0000,0x0200,0x0100,
+        0x0000,0x0004,0x0004,0x0004,0x0004,0x0004,0x0004,0x0004,
+        0x0004,0x0004,0x0004,0x0004,0x0004,0x0004,0x0004,0x0004,
+        0x0004,0x0004,0x0004,0x0004,0x0004,0x0004,0x0004,0x0004,
+        0x0004,0x0004,0x0004,0x0000,0x0200,0x0000,0x0200,0x0000,
+        0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,
+        0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,
+        0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,
+        0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,
+        0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,
+        0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,
+        0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,
+        0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,
+        0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,
+        0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,
+        0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,
+        0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,
+        0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,
+        0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,
+        0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,
+        0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,
         };
 
diff --git a/src/lib/libcrypto/conf/conf_err.c b/src/lib/libcrypto/conf/conf_err.c
index 8c2bc6f1c4..ee07bfe9d9 100644
--- a/src/lib/libcrypto/conf/conf_err.c
+++ b/src/lib/libcrypto/conf/conf_err.c
@@ -63,19 +63,26 @@
 #include <openssl/conf.h>
 
 /* BEGIN ERROR CODES */
-#ifndef NO_ERR
+#ifndef OPENSSL_NO_ERR
 static ERR_STRING_DATA CONF_str_functs[]=
         {
 {ERR_PACK(0,CONF_F_CONF_DUMP_FP,0),     "CONF_dump_fp"},
 {ERR_PACK(0,CONF_F_CONF_LOAD,0),        "CONF_load"},
 {ERR_PACK(0,CONF_F_CONF_LOAD_BIO,0),    "CONF_load_bio"},
 {ERR_PACK(0,CONF_F_CONF_LOAD_FP,0),     "CONF_load_fp"},
+{ERR_PACK(0,CONF_F_CONF_MODULES_LOAD,0),        "CONF_modules_load"},
+{ERR_PACK(0,CONF_F_MODULE_INIT,0),      "MODULE_INIT"},
+{ERR_PACK(0,CONF_F_MODULE_LOAD_DSO,0),  "MODULE_LOAD_DSO"},
+{ERR_PACK(0,CONF_F_MODULE_RUN,0),       "MODULE_RUN"},
 {ERR_PACK(0,CONF_F_NCONF_DUMP_BIO,0),   "NCONF_dump_bio"},
 {ERR_PACK(0,CONF_F_NCONF_DUMP_FP,0),    "NCONF_dump_fp"},
 {ERR_PACK(0,CONF_F_NCONF_GET_NUMBER,0), "NCONF_get_number"},
+{ERR_PACK(0,CONF_F_NCONF_GET_NUMBER_E,0),       "NCONF_get_number_e"},
 {ERR_PACK(0,CONF_F_NCONF_GET_SECTION,0),        "NCONF_get_section"},
 {ERR_PACK(0,CONF_F_NCONF_GET_STRING,0), "NCONF_get_string"},
+{ERR_PACK(0,CONF_F_NCONF_LOAD,0),       "NCONF_load"},
 {ERR_PACK(0,CONF_F_NCONF_LOAD_BIO,0),   "NCONF_load_bio"},
+{ERR_PACK(0,CONF_F_NCONF_LOAD_FP,0),    "NCONF_load_fp"},
 {ERR_PACK(0,CONF_F_NCONF_NEW,0),        "NCONF_new"},
 {ERR_PACK(0,CONF_F_STR_COPY,0), "STR_COPY"},
 {0,NULL}
@@ -83,13 +90,20 @@ static ERR_STRING_DATA CONF_str_functs[]=
 
 static ERR_STRING_DATA CONF_str_reasons[]=
         {
+{CONF_R_ERROR_LOADING_DSO                ,"error loading dso"},
 {CONF_R_MISSING_CLOSE_SQUARE_BRACKET     ,"missing close square bracket"},
 {CONF_R_MISSING_EQUAL_SIGN               ,"missing equal sign"},
+{CONF_R_MISSING_FINISH_FUNCTION          ,"missing finish function"},
+{CONF_R_MISSING_INIT_FUNCTION            ,"missing init function"},
+{CONF_R_MODULE_INITIALIZATION_ERROR      ,"module initialization error"},
 {CONF_R_NO_CLOSE_BRACE                   ,"no close brace"},
 {CONF_R_NO_CONF                          ,"no conf"},
 {CONF_R_NO_CONF_OR_ENVIRONMENT_VARIABLE  ,"no conf or environment variable"},
 {CONF_R_NO_SECTION                       ,"no section"},
+{CONF_R_NO_SUCH_FILE                     ,"no such file"},
+{CONF_R_NO_VALUE                         ,"no value"},
 {CONF_R_UNABLE_TO_CREATE_NEW_SECTION     ,"unable to create new section"},
+{CONF_R_UNKNOWN_MODULE_NAME              ,"unknown module name"},
 {CONF_R_VARIABLE_HAS_NO_VALUE            ,"variable has no value"},
 {0,NULL}
         };
@@ -103,7 +117,7 @@ void ERR_load_CONF_strings(void)
         if (init)
                 {
                 init=0;
-#ifndef NO_ERR
+#ifndef OPENSSL_NO_ERR
                 ERR_load_strings(ERR_LIB_CONF,CONF_str_functs);
                 ERR_load_strings(ERR_LIB_CONF,CONF_str_reasons);
 #endif
diff --git a/src/lib/libcrypto/conf/conf_lib.c b/src/lib/libcrypto/conf/conf_lib.c
index 11ec639732..7998f34c7b 100644
--- a/src/lib/libcrypto/conf/conf_lib.c
+++ b/src/lib/libcrypto/conf/conf_lib.c
@@ -67,6 +67,17 @@ const char *CONF_version="CONF" OPENSSL_VERSION_PTEXT;
 
 static CONF_METHOD *default_CONF_method=NULL;
 
+/* Init a 'CONF' structure from an old LHASH */
+
+void CONF_set_nconf(CONF *conf, LHASH *hash)
+        {
+        if (default_CONF_method == NULL)
+                default_CONF_method = NCONF_default();
+
+        default_CONF_method->init(conf);
+        conf->data = hash;
+        }
+
 /* The following section contains the "CONF classic" functions,
    rewritten in terms of the new CONF interface. */
 
@@ -81,7 +92,7 @@ LHASH *CONF_load(LHASH *conf, const char *file, long *eline)
         LHASH *ltmp;
         BIO *in=NULL;
 
-#ifdef VMS
+#ifdef OPENSSL_SYS_VMS
         in=BIO_new_file(file, "r");
 #else
         in=BIO_new_file(file, "rb");
@@ -98,7 +109,7 @@ LHASH *CONF_load(LHASH *conf, const char *file, long *eline)
         return ltmp;
         }
 
-#ifndef NO_FP_API
+#ifndef OPENSSL_NO_FP_API
 LHASH *CONF_load_fp(LHASH *conf, FILE *fp,long *eline)
         {
         BIO *btmp;
@@ -118,18 +129,15 @@ LHASH *CONF_load_bio(LHASH *conf, BIO *bp,long *eline)
         CONF ctmp;
         int ret;
 
-        if (default_CONF_method == NULL)
-                default_CONF_method = NCONF_default();
+        CONF_set_nconf(&ctmp, conf);
 
-        default_CONF_method->init(&ctmp);
-        ctmp.data = conf;
         ret = NCONF_load_bio(&ctmp, bp, eline);
         if (ret)
                 return ctmp.data;
         return NULL;
         }
 
-STACK_OF(CONF_VALUE) *CONF_get_section(LHASH *conf,char *section)
+STACK_OF(CONF_VALUE) *CONF_get_section(LHASH *conf,const char *section)
         {
         if (conf == NULL)
                 {
@@ -138,17 +146,12 @@ STACK_OF(CONF_VALUE) *CONF_get_section(LHASH *conf,char *section)
         else
                 {
                 CONF ctmp;
-
-                if (default_CONF_method == NULL)
-                        default_CONF_method = NCONF_default();
-
-                default_CONF_method->init(&ctmp);
-                ctmp.data = conf;
+                CONF_set_nconf(&ctmp, conf);
                 return NCONF_get_section(&ctmp, section);
                 }
         }
 
-char *CONF_get_string(LHASH *conf,char *group,char *name)
+char *CONF_get_string(LHASH *conf,const char *group,const char *name)
         {
         if (conf == NULL)
                 {
@@ -157,48 +160,43 @@ char *CONF_get_string(LHASH *conf,char *group,char *name)
         else
                 {
                 CONF ctmp;
-
-                if (default_CONF_method == NULL)
-                        default_CONF_method = NCONF_default();
-
-                default_CONF_method->init(&ctmp);
-                ctmp.data = conf;
+                CONF_set_nconf(&ctmp, conf);
                 return NCONF_get_string(&ctmp, group, name);
                 }
         }
 
-long CONF_get_number(LHASH *conf,char *group,char *name)
+long CONF_get_number(LHASH *conf,const char *group,const char *name)
         {
+        int status;
+        long result = 0;
+
         if (conf == NULL)
                 {
-                return NCONF_get_number(NULL, group, name);
+                status = NCONF_get_number_e(NULL, group, name, &result);
                 }
         else
                 {
                 CONF ctmp;
+                CONF_set_nconf(&ctmp, conf);
+                status = NCONF_get_number_e(&ctmp, group, name, &result);
+                }
 
-                if (default_CONF_method == NULL)
-                        default_CONF_method = NCONF_default();
-
-                default_CONF_method->init(&ctmp);
-                ctmp.data = conf;
-                return NCONF_get_number(&ctmp, group, name);
+        if (status == 0)
+                {
+                /* This function does not believe in errors... */
+                ERR_get_error();
                 }
+        return result;
         }
 
 void CONF_free(LHASH *conf)
         {
         CONF ctmp;
-
-        if (default_CONF_method == NULL)
-                default_CONF_method = NCONF_default();
-
-        default_CONF_method->init(&ctmp);
-        ctmp.data = conf;
+        CONF_set_nconf(&ctmp, conf);
         NCONF_free_data(&ctmp);
         }
 
-#ifndef NO_FP_API
+#ifndef OPENSSL_NO_FP_API
 int CONF_dump_fp(LHASH *conf, FILE *out)
         {
         BIO *btmp;
@@ -217,12 +215,7 @@ int CONF_dump_fp(LHASH *conf, FILE *out)
 int CONF_dump_bio(LHASH *conf, BIO *out)
         {
         CONF ctmp;
-
-        if (default_CONF_method == NULL)
-                default_CONF_method = NCONF_default();
-
-        default_CONF_method->init(&ctmp);
-        ctmp.data = conf;
+        CONF_set_nconf(&ctmp, conf);
         return NCONF_dump_bio(&ctmp, out);
         }
 
@@ -265,34 +258,23 @@ void NCONF_free_data(CONF *conf)
 
 int NCONF_load(CONF *conf, const char *file, long *eline)
         {
-        int ret;
-        BIO *in=NULL;
-
-#ifdef VMS
-        in=BIO_new_file(file, "r");
-#else
-        in=BIO_new_file(file, "rb");
-#endif
-        if (in == NULL)
+        if (conf == NULL)
                 {
-                CONFerr(CONF_F_CONF_LOAD,ERR_R_SYS_LIB);
+                CONFerr(CONF_F_NCONF_LOAD,CONF_R_NO_CONF);
                 return 0;
                 }
 
-        ret = NCONF_load_bio(conf, in, eline);
-        BIO_free(in);
-
-        return ret;
+        return conf->meth->load(conf, file, eline);
         }
 
-#ifndef NO_FP_API
+#ifndef OPENSSL_NO_FP_API
 int NCONF_load_fp(CONF *conf, FILE *fp,long *eline)
         {
         BIO *btmp;
         int ret;
         if(!(btmp = BIO_new_fp(fp, BIO_NOCLOSE)))
                 {
-                CONFerr(CONF_F_CONF_LOAD_FP,ERR_R_BUF_LIB);
+                CONFerr(CONF_F_NCONF_LOAD_FP,ERR_R_BUF_LIB);
                 return 0;
                 }
         ret = NCONF_load_bio(conf, btmp, eline);
@@ -309,10 +291,10 @@ int NCONF_load_bio(CONF *conf, BIO *bp,long *eline)
                 return 0;
                 }
 
-        return conf->meth->load(conf, bp, eline);
+        return conf->meth->load_bio(conf, bp, eline);
         }
 
-STACK_OF(CONF_VALUE) *NCONF_get_section(CONF *conf,char *section)
+STACK_OF(CONF_VALUE) *NCONF_get_section(const CONF *conf,const char *section)
         {
         if (conf == NULL)
                 {
@@ -329,7 +311,7 @@ STACK_OF(CONF_VALUE) *NCONF_get_section(CONF *conf,char *section)
         return _CONF_get_section_values(conf, section);
         }
 
-char *NCONF_get_string(CONF *conf,char *group,char *name)
+char *NCONF_get_string(const CONF *conf,const char *group,const char *name)
         {
         char *s = _CONF_get_string(conf, group, name);
 
@@ -343,29 +325,39 @@ char *NCONF_get_string(CONF *conf,char *group,char *name)
                         CONF_R_NO_CONF_OR_ENVIRONMENT_VARIABLE);
                 return NULL;
                 }
+        CONFerr(CONF_F_NCONF_GET_STRING,
+                CONF_R_NO_VALUE);
+        ERR_add_error_data(4,"group=",group," name=",name);
         return NULL;
         }
 
-long NCONF_get_number(CONF *conf,char *group,char *name)
+int NCONF_get_number_e(const CONF *conf,const char *group,const char *name,
+                       long *result)
         {
-#if 0 /* As with _CONF_get_string(), we rely on the possibility of finding
-         an environment variable with a suitable name.  Unfortunately, there's
-         no way with the current API to see if we found one or not...
-         The meaning of this is that if a number is not found anywhere, it
-         will always default to 0. */
-        if (conf == NULL)
+        char *str;
+
+        if (result == NULL)
                 {
-                CONFerr(CONF_F_NCONF_GET_NUMBER,
-                        CONF_R_NO_CONF_OR_ENVIRONMENT_VARIABLE);
+                CONFerr(CONF_F_NCONF_GET_NUMBER_E,ERR_R_PASSED_NULL_PARAMETER);
                 return 0;
                 }
-#endif
-        
-        return _CONF_get_number(conf, group, name);
+
+        str = NCONF_get_string(conf,group,name);
+
+        if (str == NULL)
+                return 0;
+
+        for (*result = 0;conf->meth->is_number(conf, *str);)
+                {
+                *result = (*result)*10 + conf->meth->to_int(conf, *str);
+                str++;
+                }
+
+        return 1;
         }
 
-#ifndef NO_FP_API
-int NCONF_dump_fp(CONF *conf, FILE *out)
+#ifndef OPENSSL_NO_FP_API
+int NCONF_dump_fp(const CONF *conf, FILE *out)
         {
         BIO *btmp;
         int ret;
@@ -379,7 +371,7 @@ int NCONF_dump_fp(CONF *conf, FILE *out)
         }
 #endif
 
-int NCONF_dump_bio(CONF *conf, BIO *out)
+int NCONF_dump_bio(const CONF *conf, BIO *out)
         {
         if (conf == NULL)
                 {
@@ -390,3 +382,19 @@ int NCONF_dump_bio(CONF *conf, BIO *out)
         return conf->meth->dump(conf, out);
         }
 
+/* This function should be avoided */
+#undef NCONF_get_number
+long NCONF_get_number(CONF *conf,char *group,char *name)
+        {
+        int status;
+        long ret=0;
+
+        status = NCONF_get_number_e(conf, group, name, &ret);
+        if (status == 0)
+                {
+                /* This function does not believe in errors... */
+                ERR_get_error();
+                }
+        return ret;
+        }
+
diff --git a/src/lib/libcrypto/conf/conf_mall.c b/src/lib/libcrypto/conf/conf_mall.c
new file mode 100644
index 0000000000..d702af689b
--- /dev/null
+++ b/src/lib/libcrypto/conf/conf_mall.c
@@ -0,0 +1,76 @@
+/* conf_mall.c */
+/* Written by Stephen Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 2001.
+ */
+/* ====================================================================
+ * Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <openssl/crypto.h>
+#include "cryptlib.h"
+#include <openssl/conf.h>
+#include <openssl/dso.h>
+#include <openssl/x509.h>
+#include <openssl/asn1.h>
+#include <openssl/engine.h>
+
+/* Load all OpenSSL builtin modules */
+
+void OPENSSL_load_builtin_modules(void)
+        {
+        /* Add builtin modules here */
+        ASN1_add_oid_module();
+        ENGINE_add_conf_module();
+        }
+
diff --git a/src/lib/libcrypto/conf/conf_mod.c b/src/lib/libcrypto/conf/conf_mod.c
new file mode 100644
index 0000000000..f92babc2e2
--- /dev/null
+++ b/src/lib/libcrypto/conf/conf_mod.c
@@ -0,0 +1,616 @@
+/* conf_mod.c */
+/* Written by Stephen Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 2001.
+ */
+/* ====================================================================
+ * Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <ctype.h>
+#include <openssl/crypto.h>
+#include "cryptlib.h"
+#include <openssl/conf.h>
+#include <openssl/dso.h>
+#include <openssl/x509.h>
+
+
+#define DSO_mod_init_name "OPENSSL_init"
+#define DSO_mod_finish_name "OPENSSL_finish"
+
+
+/* This structure contains a data about supported modules.
+ * entries in this table correspond to either dynamic or
+ * static modules.
+ */
+
+struct conf_module_st
+        {
+        /* DSO of this module or NULL if static */
+        DSO *dso;
+        /* Name of the module */
+        char *name;
+        /* Init function */
+        conf_init_func *init; 
+        /* Finish function */
+        conf_finish_func *finish;
+        /* Number of successfully initialized modules */
+        int links;
+        void *usr_data;
+        };
+
+
+/* This structure contains information about modules that have been
+ * successfully initialized. There may be more than one entry for a
+ * given module.
+ */
+
+struct conf_imodule_st
+        {
+        CONF_MODULE *pmod;
+        char *name;
+        char *value;
+        unsigned long flags;
+        void *usr_data;
+        };
+
+static STACK_OF(CONF_MODULE) *supported_modules = NULL;
+static STACK_OF(CONF_IMODULE) *initialized_modules = NULL;
+
+static void module_free(CONF_MODULE *md);
+static void module_finish(CONF_IMODULE *imod);
+static int module_run(const CONF *cnf, char *name, char *value,
+                                          unsigned long flags);
+static CONF_MODULE *module_add(DSO *dso, const char *name,
+                        conf_init_func *ifunc, conf_finish_func *ffunc);
+static CONF_MODULE *module_find(char *name);
+static int module_init(CONF_MODULE *pmod, char *name, char *value,
+                                           const CONF *cnf);
+static CONF_MODULE *module_load_dso(const CONF *cnf, char *name, char *value,
+                                                                        unsigned long flags);
+
+/* Main function: load modules from a CONF structure */
+
+int CONF_modules_load(const CONF *cnf, const char *appname,
+                      unsigned long flags)
+        {
+        STACK_OF(CONF_VALUE) *values;
+        CONF_VALUE *vl;
+        char *vsection;
+
+        int ret, i;
+
+        if (!cnf)
+                return 1;
+
+        if (appname == NULL)
+                appname = "openssl_conf";
+
+        vsection = NCONF_get_string(cnf, NULL, appname); 
+
+        if (!vsection)
+                {
+                ERR_clear_error();
+                return 1;
+                }
+
+        values = NCONF_get_section(cnf, vsection);
+
+        if (!values)
+                return 0;
+
+        for (i = 0; i < sk_CONF_VALUE_num(values); i++)
+                {
+                vl = sk_CONF_VALUE_value(values, i);
+                ret = module_run(cnf, vl->name, vl->value, flags);
+                if (ret <= 0)
+                        if(!(flags & CONF_MFLAGS_IGNORE_ERRORS))
+                                return ret;
+                }
+
+        return 1;
+
+        }
+
+int CONF_modules_load_file(const char *filename, const char *appname,
+                           unsigned long flags)
+        {
+        char *file = NULL;
+        CONF *conf = NULL;
+        int ret = 0;
+        conf = NCONF_new(NULL);
+        if (!conf)
+                goto err;
+
+        if (filename == NULL)
+                {
+                file = CONF_get1_default_config_file();
+                if (!file)
+                        goto err;
+                }
+        else
+                file = (char *)filename;
+
+        if (NCONF_load(conf, file, NULL) <= 0)
+                {
+                if ((flags & CONF_MFLAGS_IGNORE_MISSING_FILE) &&
+                  (ERR_GET_REASON(ERR_peek_last_error()) == CONF_R_NO_SUCH_FILE))
+                        {
+                        ERR_clear_error();
+                        ret = 1;
+                        }
+                goto err;
+                }
+
+        ret = CONF_modules_load(conf, appname, flags);
+
+        err:
+        if (filename == NULL)
+                OPENSSL_free(file);
+        NCONF_free(conf);
+
+        return ret;
+        }
+
+static int module_run(const CONF *cnf, char *name, char *value,
+                      unsigned long flags)
+        {
+        CONF_MODULE *md;
+        int ret;
+
+        md = module_find(name);
+
+        /* Module not found: try to load DSO */
+        if (!md && !(flags & CONF_MFLAGS_NO_DSO))
+                md = module_load_dso(cnf, name, value, flags);
+
+        if (!md)
+                {
+                if (!(flags & CONF_MFLAGS_SILENT))
+                        {
+                        CONFerr(CONF_F_MODULE_RUN, CONF_R_UNKNOWN_MODULE_NAME);
+                        ERR_add_error_data(2, "module=", name);
+                        }
+                return -1;
+                }
+
+        ret = module_init(md, name, value, cnf);
+
+        if (ret <= 0)
+                {
+                if (!(flags & CONF_MFLAGS_SILENT))
+                        {
+                        char rcode[10];
+                        CONFerr(CONF_F_CONF_MODULES_LOAD, CONF_R_MODULE_INITIALIZATION_ERROR);
+                        sprintf(rcode, "%-8d", ret);
+                        ERR_add_error_data(6, "module=", name, ", value=", value, ", retcode=", rcode);
+                        }
+                }
+
+        return ret;
+        }
+
+/* Load a module from a DSO */
+static CONF_MODULE *module_load_dso(const CONF *cnf, char *name, char *value,
+                                    unsigned long flags)
+        {
+        DSO *dso = NULL;
+        conf_init_func *ifunc;
+        conf_finish_func *ffunc;
+        char *path = NULL;
+        int errcode = 0;
+        CONF_MODULE *md;
+        /* Look for alternative path in module section */
+        path = NCONF_get_string(cnf, value, "path");
+        if (!path)
+                {
+                ERR_get_error();
+                path = name;
+                }
+        dso = DSO_load(NULL, path, NULL, 0);
+        if (!dso)
+                {
+                errcode = CONF_R_ERROR_LOADING_DSO;
+                goto err;
+                }
+        ifunc = (conf_init_func *)DSO_bind_func(dso, DSO_mod_init_name);
+        if (!ifunc)
+                {
+                errcode = CONF_R_MISSING_INIT_FUNCTION;
+                goto err;
+                }
+        ffunc = (conf_finish_func *)DSO_bind_func(dso, DSO_mod_finish_name);
+        /* All OK, add module */
+        md = module_add(dso, name, ifunc, ffunc);
+
+        if (!md)
+                goto err;
+
+        return md;
+
+        err:
+        if (dso)
+                DSO_free(dso);
+        CONFerr(CONF_F_MODULE_LOAD_DSO, errcode);
+        ERR_add_error_data(4, "module=", name, ", path=", path);
+        return NULL;
+        }
+
+/* add module to list */
+static CONF_MODULE *module_add(DSO *dso, const char *name,
+                               conf_init_func *ifunc, conf_finish_func *ffunc)
+        {
+        CONF_MODULE *tmod = NULL;
+        if (supported_modules == NULL)
+                supported_modules = sk_CONF_MODULE_new_null();
+        if (supported_modules == NULL)
+                return NULL;
+        tmod = OPENSSL_malloc(sizeof(CONF_MODULE));
+        if (tmod == NULL)
+                return NULL;
+
+        tmod->dso = dso;
+        tmod->name = BUF_strdup(name);
+        tmod->init = ifunc;
+        tmod->finish = ffunc;
+        tmod->links = 0;
+
+        if (!sk_CONF_MODULE_push(supported_modules, tmod))
+                {
+                OPENSSL_free(tmod);
+                return NULL;
+                }
+
+        return tmod;
+        }
+
+/* Find a module from the list. We allow module names of the
+ * form modname.XXXX to just search for modname to allow the
+ * same module to be initialized more than once.
+ */
+
+static CONF_MODULE *module_find(char *name)
+        {
+        CONF_MODULE *tmod;
+        int i, nchar;
+        char *p;
+        p = strrchr(name, '.');
+
+        if (p)
+                nchar = p - name;
+        else 
+                nchar = strlen(name);
+
+        for (i = 0; i < sk_CONF_MODULE_num(supported_modules); i++)
+                {
+                tmod = sk_CONF_MODULE_value(supported_modules, i);
+                if (!strncmp(tmod->name, name, nchar))
+                        return tmod;
+                }
+
+        return NULL;
+
+        }
+
+/* initialize a module */
+static int module_init(CONF_MODULE *pmod, char *name, char *value,
+                       const CONF *cnf)
+        {
+        int ret = 1;
+        int init_called = 0;
+        CONF_IMODULE *imod = NULL;
+
+        /* Otherwise add initialized module to list */
+        imod = OPENSSL_malloc(sizeof(CONF_IMODULE));
+        if (!imod)
+                goto err;
+
+        imod->pmod = pmod;
+        imod->name = BUF_strdup(name);
+        imod->value = BUF_strdup(value);
+        imod->usr_data = NULL;
+
+        if (!imod->name || !imod->value)
+                goto memerr;
+
+        /* Try to initialize module */
+        if(pmod->init)
+                {
+                ret = pmod->init(imod, cnf);
+                init_called = 1;
+                /* Error occurred, exit */
+                if (ret <= 0)
+                        goto err;
+                }
+
+        if (initialized_modules == NULL)
+                {
+                initialized_modules = sk_CONF_IMODULE_new_null();
+                if (!initialized_modules)
+                        {
+                        CONFerr(CONF_F_MODULE_INIT, ERR_R_MALLOC_FAILURE);
+                        goto err;
+                        }
+                }
+
+        if (!sk_CONF_IMODULE_push(initialized_modules, imod))
+                {
+                CONFerr(CONF_F_MODULE_INIT, ERR_R_MALLOC_FAILURE);
+                goto err;
+                }
+
+        pmod->links++;
+
+        return ret;
+
+        err:
+
+        /* We've started the module so we'd better finish it */
+        if (pmod->finish && init_called)
+                pmod->finish(imod);
+
+        memerr:
+        if (imod)
+                {
+                if (imod->name)
+                        OPENSSL_free(imod->name);
+                if (imod->value)
+                        OPENSSL_free(imod->value);
+                OPENSSL_free(imod);
+                }
+
+        return -1;
+
+        }
+
+/* Unload any dynamic modules that have a link count of zero:
+ * i.e. have no active initialized modules. If 'all' is set
+ * then all modules are unloaded including static ones.
+ */
+
+void CONF_modules_unload(int all)
+        {
+        int i;
+        CONF_MODULE *md;
+        CONF_modules_finish();
+        /* unload modules in reverse order */
+        for (i = sk_CONF_MODULE_num(supported_modules) - 1; i >= 0; i--)
+                {
+                md = sk_CONF_MODULE_value(supported_modules, i);
+                /* If static or in use and 'all' not set ignore it */
+                if (((md->links > 0) || !md->dso) && !all)
+                        continue;
+                /* Since we're working in reverse this is OK */
+                sk_CONF_MODULE_delete(supported_modules, i);
+                module_free(md);
+                }
+        if (sk_CONF_MODULE_num(supported_modules) == 0)
+                {
+                sk_CONF_MODULE_free(supported_modules);
+                supported_modules = NULL;
+                }
+        }
+
+/* unload a single module */
+static void module_free(CONF_MODULE *md)
+        {
+        if (md->dso)
+                DSO_free(md->dso);
+        OPENSSL_free(md->name);
+        OPENSSL_free(md);
+        }
+
+/* finish and free up all modules instances */
+
+void CONF_modules_finish(void)
+        {
+        CONF_IMODULE *imod;
+        while (sk_CONF_IMODULE_num(initialized_modules) > 0)
+                {
+                imod = sk_CONF_IMODULE_pop(initialized_modules);
+                module_finish(imod);
+                }
+        sk_CONF_IMODULE_free(initialized_modules);
+        initialized_modules = NULL;
+        }
+
+/* finish a module instance */
+
+static void module_finish(CONF_IMODULE *imod)
+        {
+        if (imod->pmod->finish)
+                imod->pmod->finish(imod);
+        imod->pmod->links--;
+        OPENSSL_free(imod->name);
+        OPENSSL_free(imod->value);
+        OPENSSL_free(imod);
+        }
+
+/* Add a static module to OpenSSL */
+
+int CONF_module_add(const char *name, conf_init_func *ifunc, 
+                    conf_finish_func *ffunc)
+        {
+        if (module_add(NULL, name, ifunc, ffunc))
+                return 1;
+        else
+                return 0;
+        }
+
+void CONF_modules_free(void)
+        {
+        CONF_modules_finish();
+        CONF_modules_unload(1);
+        }
+
+/* Utility functions */
+
+const char *CONF_imodule_get_name(const CONF_IMODULE *md)
+        {
+        return md->name;
+        }
+
+const char *CONF_imodule_get_value(const CONF_IMODULE *md)
+        {
+        return md->value;
+        }
+
+void *CONF_imodule_get_usr_data(const CONF_IMODULE *md)
+        {
+        return md->usr_data;
+        }
+
+void CONF_imodule_set_usr_data(CONF_IMODULE *md, void *usr_data)
+        {
+        md->usr_data = usr_data;
+        }
+
+CONF_MODULE *CONF_imodule_get_module(const CONF_IMODULE *md)
+        {
+        return md->pmod;
+        }
+
+unsigned long CONF_imodule_get_flags(const CONF_IMODULE *md)
+        {
+        return md->flags;
+        }
+
+void CONF_imodule_set_flags(CONF_IMODULE *md, unsigned long flags)
+        {
+        md->flags = flags;
+        }
+
+void *CONF_module_get_usr_data(CONF_MODULE *pmod)
+        {
+        return pmod->usr_data;
+        }
+
+void CONF_module_set_usr_data(CONF_MODULE *pmod, void *usr_data)
+        {
+        pmod->usr_data = usr_data;
+        }
+
+/* Return default config file name */
+
+char *CONF_get1_default_config_file(void)
+        {
+        char *file;
+        int len;
+
+        file = getenv("OPENSSL_CONF");
+        if (file) 
+                return BUF_strdup(file);
+
+        len = strlen(X509_get_default_cert_area());
+#ifndef OPENSSL_SYS_VMS
+        len++;
+#endif
+        len += strlen(OPENSSL_CONF);
+
+        file = OPENSSL_malloc(len + 1);
+
+        if (!file)
+                return NULL;
+        strcpy(file,X509_get_default_cert_area());
+#ifndef OPENSSL_SYS_VMS
+        strcat(file,"/");
+#endif
+        strcat(file,OPENSSL_CONF);
+
+        return file;
+        }
+
+/* This function takes a list separated by 'sep' and calls the
+ * callback function giving the start and length of each member
+ * optionally stripping leading and trailing whitespace. This can
+ * be used to parse comma separated lists for example.
+ */
+
+int CONF_parse_list(const char *list, int sep, int nospc,
+        int (*list_cb)(const char *elem, int len, void *usr), void *arg)
+        {
+        int ret;
+        const char *lstart, *tmpend, *p;
+        lstart = list;
+
+        for(;;)
+                {
+                if (nospc)
+                        {
+                        while(*lstart && isspace((unsigned char)*lstart))
+                                lstart++;
+                        }
+                p = strchr(lstart, sep);
+                if (p == lstart || !*lstart)
+                        ret = list_cb(NULL, 0, arg);
+                else
+                        {
+                        if (p)
+                                tmpend = p - 1;
+                        else 
+                                tmpend = lstart + strlen(lstart) - 1;
+                        if (nospc)
+                                {
+                                while(isspace((unsigned char)*tmpend))
+                                        tmpend--;
+                                }
+                        ret = list_cb(lstart, tmpend - lstart + 1, arg);
+                        }
+                if (ret <= 0)
+                        return ret;
+                if (p == NULL)
+                        return 1;
+                lstart = p + 1;
+                }
+        }
+
diff --git a/src/lib/libcrypto/conf/conf_sap.c b/src/lib/libcrypto/conf/conf_sap.c
new file mode 100644
index 0000000000..97fb174303
--- /dev/null
+++ b/src/lib/libcrypto/conf/conf_sap.c
@@ -0,0 +1,107 @@
+/* conf_sap.c */
+/* Written by Stephen Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 2001.
+ */
+/* ====================================================================
+ * Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <openssl/crypto.h>
+#include "cryptlib.h"
+#include <openssl/conf.h>
+#include <openssl/dso.h>
+#include <openssl/x509.h>
+#include <openssl/asn1.h>
+#include <openssl/engine.h>
+
+/* This is the automatic configuration loader: it is called automatically by
+ * OpenSSL when any of a number of standard initialisation functions are called,
+ * unless this is overridden by calling OPENSSL_no_config()
+ */
+
+static int openssl_configured = 0;
+
+void OPENSSL_config(const char *config_name)
+        {
+        if (openssl_configured)
+                return;
+
+        OPENSSL_load_builtin_modules();
+        /* Need to load ENGINEs */
+        ENGINE_load_builtin_engines();
+        /* Add others here? */
+
+
+        ERR_clear_error();
+        if (CONF_modules_load_file(NULL, NULL,
+                                        CONF_MFLAGS_IGNORE_MISSING_FILE) <= 0)
+                {
+                BIO *bio_err;
+                ERR_load_crypto_strings();
+                if ((bio_err=BIO_new_fp(stderr, BIO_NOCLOSE)) != NULL)
+                        {
+                        BIO_printf(bio_err,"Auto configuration failed\n");
+                        ERR_print_errors(bio_err);
+                        BIO_free(bio_err);
+                        }
+                exit(1);
+                }
+
+        return;
+        }
+
+void OPENSSL_no_config()
+        {
+        openssl_configured = 1;
+        }
diff --git a/src/lib/libcrypto/conf/keysets.pl b/src/lib/libcrypto/conf/keysets.pl
index 56669e76ac..50ed67fa52 100644
--- a/src/lib/libcrypto/conf/keysets.pl
+++ b/src/lib/libcrypto/conf/keysets.pl
@@ -12,8 +12,9 @@ $DQUOTE=0x400;
 $COMMENT=0x80;
 $FCOMMENT=0x800;
 $EOF=0x08;
+$HIGHBIT=0x1000;
 
-foreach (0 .. 127)
+foreach (0 .. 255)
         {
         $v=0;
         $c=sprintf("%c",$_);
@@ -27,11 +28,12 @@ foreach (0 .. 127)
         $v|=$QUOTE      if ($c =~ /['`"]/); # for emacs: "`'}/)
         $v|=$COMMENT    if ($c =~ /\#/);
         $v|=$EOF        if ($c =~ /\0/);
+        $v|=$HIGHBIT    if ($c =~/[\x80-\xff]/);
 
         push(@V_def,$v);
         }
 
-foreach (0 .. 127)
+foreach (0 .. 255)
         {
         $v=0;
         $c=sprintf("%c",$_);
@@ -44,6 +46,7 @@ foreach (0 .. 127)
         $v|=$DQUOTE     if ($c =~ /["]/); # for emacs: "}/)
         $v|=$FCOMMENT   if ($c =~ /;/);
         $v|=$EOF        if ($c =~ /\0/);
+        $v|=$HIGHBIT    if ($c =~/[\x80-\xff]/);
 
         push(@V_w32,$v);
         }
@@ -122,6 +125,7 @@ print <<"EOF";
 #define CONF_COMMENT            $COMMENT
 #define CONF_FCOMMENT           $FCOMMENT
 #define CONF_EOF                $EOF
+#define CONF_HIGHBIT            $HIGHBIT
 #define CONF_ALPHA              (CONF_UPPER|CONF_LOWER)
 #define CONF_ALPHA_NUMERIC      (CONF_ALPHA|CONF_NUMBER|CONF_UNDER)
 #define CONF_ALPHA_NUMERIC_PUNCT (CONF_ALPHA|CONF_NUMBER|CONF_UNDER| \\
@@ -129,51 +133,53 @@ print <<"EOF";
 
 #define KEYTYPES(c)             ((unsigned short *)((c)->meth_data))
 #ifndef CHARSET_EBCDIC
-#define IS_COMMENT(c,a)         (KEYTYPES(c)[(a)&0x7f]&CONF_COMMENT)
-#define IS_FCOMMENT(c,a)        (KEYTYPES(c)[(a)&0x7f]&CONF_FCOMMENT)
-#define IS_EOF(c,a)             (KEYTYPES(c)[(a)&0x7f]&CONF_EOF)
-#define IS_ESC(c,a)             (KEYTYPES(c)[(a)&0x7f]&CONF_ESC)
-#define IS_NUMBER(c,a)          (KEYTYPES(c)[(a)&0x7f]&CONF_NUMBER)
-#define IS_WS(c,a)              (KEYTYPES(c)[(a)&0x7f]&CONF_WS)
-#define IS_ALPHA_NUMERIC(c,a)   (KEYTYPES(c)[(a)&0x7f]&CONF_ALPHA_NUMERIC)
+#define IS_COMMENT(c,a)         (KEYTYPES(c)[(a)&0xff]&CONF_COMMENT)
+#define IS_FCOMMENT(c,a)        (KEYTYPES(c)[(a)&0xff]&CONF_FCOMMENT)
+#define IS_EOF(c,a)             (KEYTYPES(c)[(a)&0xff]&CONF_EOF)
+#define IS_ESC(c,a)             (KEYTYPES(c)[(a)&0xff]&CONF_ESC)
+#define IS_NUMBER(c,a)          (KEYTYPES(c)[(a)&0xff]&CONF_NUMBER)
+#define IS_WS(c,a)              (KEYTYPES(c)[(a)&0xff]&CONF_WS)
+#define IS_ALPHA_NUMERIC(c,a)   (KEYTYPES(c)[(a)&0xff]&CONF_ALPHA_NUMERIC)
 #define IS_ALPHA_NUMERIC_PUNCT(c,a) \\
-                                (KEYTYPES(c)[(a)&0x7f]&CONF_ALPHA_NUMERIC_PUNCT)
-#define IS_QUOTE(c,a)           (KEYTYPES(c)[(a)&0x7f]&CONF_QUOTE)
-#define IS_DQUOTE(c,a)          (KEYTYPES(c)[(a)&0x7f]&CONF_DQUOTE)
+                                (KEYTYPES(c)[(a)&0xff]&CONF_ALPHA_NUMERIC_PUNCT)
+#define IS_QUOTE(c,a)           (KEYTYPES(c)[(a)&0xff]&CONF_QUOTE)
+#define IS_DQUOTE(c,a)          (KEYTYPES(c)[(a)&0xff]&CONF_DQUOTE)
+#define IS_HIGHBIT(c,a)         (KEYTYPES(c)[(a)&0xff]&CONF_HIGHBIT)
 
 #else /*CHARSET_EBCDIC*/
 
-#define IS_COMMENT(c,a)         (KEYTYPES(c)[os_toascii[a]&0x7f]&CONF_COMMENT)
-#define IS_FCOMMENT(c,a)        (KEYTYPES(c)[os_toascii[a]&0x7f]&CONF_FCOMMENT)
-#define IS_EOF(c,a)             (KEYTYPES(c)[os_toascii[a]&0x7f]&CONF_EOF)
-#define IS_ESC(c,a)             (KEYTYPES(c)[os_toascii[a]&0x7f]&CONF_ESC)
-#define IS_NUMBER(c,a)          (KEYTYPES(c)[os_toascii[a]&0x7f]&CONF_NUMBER)
-#define IS_WS(c,a)              (KEYTYPES(c)[os_toascii[a]&0x7f]&CONF_WS)
-#define IS_ALPHA_NUMERIC(c,a)   (KEYTYPES(c)[os_toascii[a]&0x7f]&CONF_ALPHA_NUMERIC)
+#define IS_COMMENT(c,a)         (KEYTYPES(c)[os_toascii[a]&0xff]&CONF_COMMENT)
+#define IS_FCOMMENT(c,a)        (KEYTYPES(c)[os_toascii[a]&0xff]&CONF_FCOMMENT)
+#define IS_EOF(c,a)             (KEYTYPES(c)[os_toascii[a]&0xff]&CONF_EOF)
+#define IS_ESC(c,a)             (KEYTYPES(c)[os_toascii[a]&0xff]&CONF_ESC)
+#define IS_NUMBER(c,a)          (KEYTYPES(c)[os_toascii[a]&0xff]&CONF_NUMBER)
+#define IS_WS(c,a)              (KEYTYPES(c)[os_toascii[a]&0xff]&CONF_WS)
+#define IS_ALPHA_NUMERIC(c,a)   (KEYTYPES(c)[os_toascii[a]&0xff]&CONF_ALPHA_NUMERIC)
 #define IS_ALPHA_NUMERIC_PUNCT(c,a) \\
-                                (KEYTYPES(c)[os_toascii[a]&0x7f]&CONF_ALPHA_NUMERIC_PUNCT)
-#define IS_QUOTE(c,a)           (KEYTYPES(c)[os_toascii[a]&0x7f]&CONF_QUOTE)
-#define IS_DQUOTE(c,a)          (KEYTYPES(c)[os_toascii[a]&0x7f]&CONF_DQUOTE)
+                                (KEYTYPES(c)[os_toascii[a]&0xff]&CONF_ALPHA_NUMERIC_PUNCT)
+#define IS_QUOTE(c,a)           (KEYTYPES(c)[os_toascii[a]&0xff]&CONF_QUOTE)
+#define IS_DQUOTE(c,a)          (KEYTYPES(c)[os_toascii[a]&0xff]&CONF_DQUOTE)
+#define IS_HIGHBIT(c,a)         (KEYTYPES(c)[os_toascii[a]&0xff]&CONF_HIGHBIT)
 #endif /*CHARSET_EBCDIC*/
 
 EOF
 
-print "static unsigned short CONF_type_default[128]={";
+print "static unsigned short CONF_type_default[256]={";
 
-for ($i=0; $i<128; $i++)
+for ($i=0; $i<256; $i++)
         {
         print "\n\t" if ($i % 8) == 0;
-        printf "0x%03X,",$V_def[$i];
+        printf "0x%04X,",$V_def[$i];
         }
 
 print "\n\t};\n\n";
 
-print "static unsigned short CONF_type_win32[128]={";
+print "static unsigned short CONF_type_win32[256]={";
 
-for ($i=0; $i<128; $i++)
+for ($i=0; $i<256; $i++)
         {
         print "\n\t" if ($i % 8) == 0;
-        printf "0x%03X,",$V_w32[$i];
+        printf "0x%04X,",$V_w32[$i];
         }
 
 print "\n\t};\n\n";
diff --git a/src/lib/libcrypto/cpt_err.c b/src/lib/libcrypto/cpt_err.c
index 7018b74ca0..1b4a1cb4d4 100644
--- a/src/lib/libcrypto/cpt_err.c
+++ b/src/lib/libcrypto/cpt_err.c
@@ -63,13 +63,18 @@
 #include <openssl/crypto.h>
 
 /* BEGIN ERROR CODES */
-#ifndef NO_ERR
+#ifndef OPENSSL_NO_ERR
 static ERR_STRING_DATA CRYPTO_str_functs[]=
         {
 {ERR_PACK(0,CRYPTO_F_CRYPTO_GET_EX_NEW_INDEX,0),        "CRYPTO_get_ex_new_index"},
 {ERR_PACK(0,CRYPTO_F_CRYPTO_GET_NEW_DYNLOCKID,0),       "CRYPTO_get_new_dynlockid"},
 {ERR_PACK(0,CRYPTO_F_CRYPTO_GET_NEW_LOCKID,0),  "CRYPTO_get_new_lockid"},
 {ERR_PACK(0,CRYPTO_F_CRYPTO_SET_EX_DATA,0),     "CRYPTO_set_ex_data"},
+{ERR_PACK(0,CRYPTO_F_DEF_ADD_INDEX,0),  "DEF_ADD_INDEX"},
+{ERR_PACK(0,CRYPTO_F_DEF_GET_CLASS,0),  "DEF_GET_CLASS"},
+{ERR_PACK(0,CRYPTO_F_INT_DUP_EX_DATA,0),        "INT_DUP_EX_DATA"},
+{ERR_PACK(0,CRYPTO_F_INT_FREE_EX_DATA,0),       "INT_FREE_EX_DATA"},
+{ERR_PACK(0,CRYPTO_F_INT_NEW_EX_DATA,0),        "INT_NEW_EX_DATA"},
 {0,NULL}
         };
 
@@ -88,7 +93,7 @@ void ERR_load_CRYPTO_strings(void)
         if (init)
                 {
                 init=0;
-#ifndef NO_ERR
+#ifndef OPENSSL_NO_ERR
                 ERR_load_strings(ERR_LIB_CRYPTO,CRYPTO_str_functs);
                 ERR_load_strings(ERR_LIB_CRYPTO,CRYPTO_str_reasons);
 #endif
diff --git a/src/lib/libcrypto/cryptlib.c b/src/lib/libcrypto/cryptlib.c
index a7a9262133..612b3b93b4 100644
--- a/src/lib/libcrypto/cryptlib.c
+++ b/src/lib/libcrypto/cryptlib.c
@@ -62,7 +62,7 @@
 #include <openssl/crypto.h>
 #include <openssl/safestack.h>
 
-#if defined(WIN32) || defined(WIN16)
+#if defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_WIN16)
 static double SSLeay_MSVC5_hack=0.0; /* and for VC1.5 */
 #endif
 
@@ -74,7 +74,7 @@ static const char* lock_names[CRYPTO_NUM_LOCKS] =
         {
         "<<ERROR>>",
         "err",
-        "err_hash",
+        "ex_data",
         "x509",
         "x509_info",
         "x509_pkey",
@@ -90,6 +90,7 @@ static const char* lock_names[CRYPTO_NUM_LOCKS] =
         "ssl_sess_cert",
         "ssl",
         "rand",
+        "rand2",
         "debug_malloc",
         "BIO",
         "gethostbyname",
@@ -101,7 +102,8 @@ static const char* lock_names[CRYPTO_NUM_LOCKS] =
         "dso",
         "dynlock",
         "engine",
-#if CRYPTO_NUM_LOCKS != 29
+        "ui",
+#if CRYPTO_NUM_LOCKS != 31
 # error "Inconsistency between crypto.h and cryptlib.c"
 #endif
         };
@@ -133,11 +135,11 @@ int CRYPTO_get_new_lockid(char *name)
         char *str;
         int i;
 
+#if defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_WIN16)
         /* A hack to make Visual C++ 5.0 work correctly when linking as
          * a DLL using /MT. Without this, the application cannot use
          * and floating point printf's.
          * It also seems to be needed for Visual C 1.5 (win16) */
-#if defined(WIN32) || defined(WIN16)
         SSLeay_MSVC5_hack=(double)name[0]*(double)name[1];
 #endif
 
@@ -228,7 +230,10 @@ void CRYPTO_destroy_dynlockid(int i)
         CRYPTO_w_lock(CRYPTO_LOCK_DYNLOCK);
 
         if (dyn_locks == NULL || i >= sk_CRYPTO_dynlock_num(dyn_locks))
+                {
+                CRYPTO_w_unlock(CRYPTO_LOCK_DYNLOCK);
                 return;
+                }
         pointer = sk_CRYPTO_dynlock_value(dyn_locks, i);
         if (pointer != NULL)
                 {
@@ -354,9 +359,9 @@ unsigned long CRYPTO_thread_id(void)
 
         if (id_callback == NULL)
                 {
-#ifdef WIN16
+#ifdef OPENSSL_SYS_WIN16
                 ret=(unsigned long)GetCurrentTask();
-#elif defined(WIN32)
+#elif defined(OPENSSL_SYS_WIN32)
                 ret=(unsigned long)GetCurrentThreadId();
 #elif defined(GETPID_IS_MEANINGLESS)
                 ret=1L;
@@ -462,7 +467,7 @@ const char *CRYPTO_get_lock_name(int type)
         }
 
 #ifdef _DLL
-#ifdef WIN32
+#ifdef OPENSSL_SYS_WIN32
 
 /* All we really need to do is remove the 'error' state when a thread
  * detaches */
diff --git a/src/lib/libcrypto/cryptlib.h b/src/lib/libcrypto/cryptlib.h
index 5eff5d3141..a0489e57fc 100644
--- a/src/lib/libcrypto/cryptlib.h
+++ b/src/lib/libcrypto/cryptlib.h
@@ -62,7 +62,7 @@
 #include <stdlib.h>
 #include <string.h>
 
-#include "openssl/e_os.h"
+#include "e_os.h"
 
 #include <openssl/crypto.h>
 #include <openssl/buffer.h> 
@@ -74,7 +74,7 @@
 extern "C" {
 #endif
 
-#ifndef VMS
+#ifndef OPENSSL_SYS_VMS
 #define X509_CERT_AREA          OPENSSLDIR
 #define X509_CERT_DIR           OPENSSLDIR "/certs"
 #define X509_CERT_FILE          OPENSSLDIR "/cert.pem"
diff --git a/src/lib/libcrypto/crypto-lib.com b/src/lib/libcrypto/crypto-lib.com
index 482a136177..ca0247be00 100644
--- a/src/lib/libcrypto/crypto-lib.com
+++ b/src/lib/libcrypto/crypto-lib.com
@@ -88,10 +88,10 @@ $! Define The Different Encryption Types.
 $!
 $ ENCRYPT_TYPES = "Basic,MD2,MD4,MD5,SHA,MDC2,HMAC,RIPEMD,"+ -
                   "DES,RC2,RC4,RC5,IDEA,BF,CAST,"+ -
-                  "BN,RSA,DSA,DH,DSO,ENGINE,"+ -
+                  "BN,EC,RSA,DSA,DH,DSO,ENGINE,AES,"+ -
                   "BUFFER,BIO,STACK,LHASH,RAND,ERR,OBJECTS,"+ -
                   "EVP,EVP_2,ASN1,ASN1_2,PEM,X509,X509V3,"+ -
-                  "CONF,TXT_DB,PKCS7,PKCS12,COMP"
+                  "CONF,TXT_DB,PKCS7,PKCS12,COMP,OCSP,UI,KRB5"
 $ ENCRYPT_PROGRAMS = "DES,PKCS7"
 $!
 $! Check To Make Sure We Have Valid Command Line Parameters.
@@ -174,7 +174,7 @@ $!
 $ APPS_DES = "DES/DES,CBC3_ENC"
 $ APPS_PKCS7 = "ENC/ENC;DEC/DEC;SIGN/SIGN;VERIFY/VERIFY,EXAMPLE"
 $
-$ LIB_ = "cryptlib,mem,mem_dbg,cversion,ex_data,tmdiff,cpt_err,ebcdic,uid"
+$ LIB_ = "cryptlib,mem,mem_dbg,cversion,ex_data,tmdiff,cpt_err,ebcdic,uid,o_time"
 $ LIB_MD2 = "md2_dgst,md2_one"
 $ LIB_MD4 = "md4_dgst,md4_one"
 $ LIB_MD5 = "md5_dgst,md5_one"
@@ -186,8 +186,9 @@ $ LIB_DES = "set_key,ecb_enc,cbc_enc,"+ -
         "ecb3_enc,cfb64enc,cfb64ede,cfb_enc,ofb64ede,"+ -
         "enc_read,enc_writ,ofb64enc,"+ -
         "ofb_enc,str2key,pcbc_enc,qud_cksm,rand_key,"+ -
-        "des_enc,fcrypt_b,read2pwd,"+ -
-        "fcrypt,xcbc_enc,read_pwd,rpc_enc,cbc_cksm,ede_cbcm_enc"
+        "des_enc,fcrypt_b,"+ -
+        "fcrypt,xcbc_enc,rpc_enc,cbc_cksm,"+ -
+        "ede_cbcm_enc,des_old,des_old2,read2pwd"
 $ LIB_RC2 = "rc2_ecb,rc2_skey,rc2_cbc,rc2cfb64,rc2ofb64"
 $ LIB_RC4 = "rc4_skey,rc4_enc"
 $ LIB_RC5 = "rc5_skey,rc5_ecb,rc5_enc,rc5cfb64,rc5ofb64"
@@ -196,18 +197,26 @@ $ LIB_BF = "bf_skey,bf_ecb,bf_enc,bf_cfb64,bf_ofb64"
 $ LIB_CAST = "c_skey,c_ecb,c_enc,c_cfb64,c_ofb64"
 $ LIB_BN_ASM = "[.asm]vms.mar,vms-helper"
 $ IF F$TRNLNM("OPENSSL_NO_ASM").OR.ARCH.EQS."AXP" THEN LIB_BN_ASM = "bn_asm"
-$ LIB_BN = "bn_add,bn_div,bn_exp,bn_lib,bn_ctx,bn_mul,"+ -
+$ LIB_BN = "bn_add,bn_div,bn_exp,bn_lib,bn_ctx,bn_mul,bn_mod,"+ -
         "bn_print,bn_rand,bn_shift,bn_word,bn_blind,"+ -
-        "bn_gcd,bn_prime,bn_err,bn_sqr,"+LIB_BN_ASM+",bn_recp,bn_mont,"+ -
-        "bn_mpi,bn_exp2"
+        "bn_kron,bn_sqrt,bn_gcd,bn_prime,bn_err,bn_sqr,"+LIB_BN_ASM+","+ -
+        "bn_recp,bn_mont,bn_mpi,bn_exp2"
 $ LIB_RSA = "rsa_eay,rsa_gen,rsa_lib,rsa_sign,rsa_saos,rsa_err,"+ -
-        "rsa_pk1,rsa_ssl,rsa_none,rsa_oaep,rsa_chk,rsa_null"
+        "rsa_pk1,rsa_ssl,rsa_none,rsa_oaep,rsa_chk,rsa_null,"+ -
+        "rsa_asn1"
+$ LIB_EC = "ec_lib,ecp_smpl,ecp_mont,ecp_recp,ecp_nist,ec_cvt,ec_mult,"+ -
+        "ec_err"
 $ LIB_DSA = "dsa_gen,dsa_key,dsa_lib,dsa_asn1,dsa_vrf,dsa_sign,dsa_err,dsa_ossl"
-$ LIB_DH = "dh_gen,dh_key,dh_lib,dh_check,dh_err"
+$ LIB_DH = "dh_asn1,dh_gen,dh_key,dh_lib,dh_check,dh_err"
 $ LIB_DSO = "dso_dl,dso_dlfcn,dso_err,dso_lib,dso_null,"+ -
         "dso_openssl,dso_win32,dso_vms"
-$ LIB_ENGINE = "engine_err,engine_lib,engine_list,engine_openssl,"+ -
-        "hw_atalla,hw_cswift,hw_ncipher"
+$ LIB_ENGINE = "eng_err,eng_lib,eng_list,eng_init,eng_ctrl,"+ -
+        "eng_table,eng_pkey,eng_fat,eng_all,"+ -
+        "tb_rsa,tb_dsa,tb_dh,tb_rand,tb_cipher,tb_digest,"+ -
+        "eng_openssl,eng_dyn,eng_cnf,"+ -
+        "hw_atalla,hw_cswift,hw_ncipher,hw_nuron,hw_ubsec,"+ -
+        "hw_openbsd_dev_crypto,hw_aep,hw_sureware,hw_4758_cca"
+$ LIB_AES = "aes_core,aes_misc,aes_ecb,aes_cbc,aes_cfb,aes_ofb,aes_ctr"
 $ LIB_BUFFER = "buffer,buf_err"
 $ LIB_BIO = "bio_lib,bio_cb,bio_err,"+ -
         "bss_mem,bss_null,bss_fd,"+ -
@@ -217,12 +226,13 @@ $ LIB_BIO = "bio_lib,bio_cb,bio_err,"+ -
         "bf_lbuf"
 $ LIB_STACK = "stack"
 $ LIB_LHASH = "lhash,lh_stats"
-$ LIB_RAND = "md_rand,randfile,rand_lib,rand_err,rand_egd,rand_win"
+$ LIB_RAND = "md_rand,randfile,rand_lib,rand_err,rand_egd,"+ -
+        "rand_vms"
 $ LIB_ERR = "err,err_all,err_prn"
 $ LIB_OBJECTS = "o_names,obj_dat,obj_lib,obj_err"
 $ LIB_EVP = "encode,digest,evp_enc,evp_key,"+ -
         "e_des,e_bf,e_idea,e_des3,"+ -
-        "e_rc4,names,"+ -
+        "e_rc4,e_aes,names,"+ -
         "e_xcbc_d,e_rc2,e_cast,e_rc5"
 $ LIB_EVP_2 = "m_null,m_md2,m_md4,m_md5,m_sha,m_sha1," + -
         "m_dss,m_dss1,m_mdc2,m_ripemd,"+ -
@@ -231,43 +241,48 @@ $ LIB_EVP_2 = "m_null,m_md2,m_md4,m_md5,m_sha,m_sha1," + -
         "c_all,c_allc,c_alld,evp_lib,bio_ok,"+-
         "evp_pkey,evp_pbe,p5_crpt,p5_crpt2"
 $ LIB_ASN1 = "a_object,a_bitstr,a_utctm,a_gentm,a_time,a_int,a_octet,"+ -
-        "a_null,a_print,a_type,a_set,a_dup,a_d2i_fp,a_i2d_fp,a_bmp,"+ -
-        "a_enum,a_vis,a_utf8,a_sign,a_digest,a_verify,a_mbstr,a_strex,"+ -
-        "x_algor,x_val,x_pubkey,x_sig,x_req,x_attrib,"+ -
-        "x_name,x_cinf,x_x509,x_x509a,x_crl,x_info,x_spki,nsseq,"+ -
-        "d2i_r_pr,i2d_r_pr,d2i_r_pu,i2d_r_pu,"+ -
-        "d2i_s_pr,i2d_s_pr,d2i_s_pu,i2d_s_pu,"+ -
+        "a_print,a_type,a_set,a_dup,a_d2i_fp,a_i2d_fp,"+ -
+        "a_enum,a_utf8,a_sign,a_digest,a_verify,a_mbstr,a_strex,"+ -
+        "x_algor,x_val,x_pubkey,x_sig,x_req,x_attrib,x_bignum,"+ -
+        "x_long,x_name,x_x509,x_x509a,x_crl,x_info,x_spki,nsseq,"+ -
         "d2i_pu,d2i_pr,i2d_pu,i2d_pr"
 $ LIB_ASN1_2 = "t_req,t_x509,t_x509a,t_crl,t_pkey,t_spki,t_bitst,"+ -
-        "p7_i_s,p7_signi,p7_signd,p7_recip,p7_enc_c,p7_evp,"+ -
-        "p7_dgst,p7_s_e,p7_enc,p7_lib,"+ -
-        "f_int,f_string,i2d_dhp,i2d_dsap,d2i_dhp,d2i_dsap,n_pkey,"+ -
+        "tasn_new,tasn_fre,tasn_enc,tasn_dec,tasn_utl,tasn_typ,"+ -
+        "f_int,f_string,n_pkey,"+ -
         "f_enum,a_hdr,x_pkey,a_bool,x_exten,"+ -
         "asn1_par,asn1_lib,asn1_err,a_meth,a_bytes,a_strnid,"+ -
-        "evp_asn1,asn_pack,p5_pbe,p5_pbev2,p8_pkey"
-$ LIB_PEM = "pem_sign,pem_seal,pem_info,pem_lib,pem_all,pem_err"
+        "evp_asn1,asn_pack,p5_pbe,p5_pbev2,p8_pkey,asn_moid"
+$ LIB_PEM = "pem_sign,pem_seal,pem_info,pem_lib,pem_all,pem_err,"+ -
+        "pem_x509,pem_xaux,pem_oth,pem_pk8,pem_pkey"
 $ LIB_X509 = "x509_def,x509_d2,x509_r2x,x509_cmp,"+ -
         "x509_obj,x509_req,x509spki,x509_vfy,"+ -
-        "x509_set,x509rset,x509_err,"+ -
+        "x509_set,x509cset,x509rset,x509_err,"+ -
         "x509name,x509_v3,x509_ext,x509_att,"+ -
         "x509type,x509_lu,x_all,x509_txt,"+ -
         "x509_trs,by_file,by_dir"
 $ LIB_X509V3 = "v3_bcons,v3_bitst,v3_conf,v3_extku,v3_ia5,v3_lib,"+ -
         "v3_prn,v3_utl,v3err,v3_genn,v3_alt,v3_skey,v3_akey,v3_pku,"+ -
-        "v3_int,v3_enum,v3_sxnet,v3_cpols,v3_crld,v3_purp,v3_info"
-$ LIB_CONF = "conf_err,conf_lib,conf_api,conf_def"
+        "v3_int,v3_enum,v3_sxnet,v3_cpols,v3_crld,v3_purp,v3_info,"+ -
+        "v3_ocsp,v3_akeya"
+$ LIB_CONF = "conf_err,conf_lib,conf_api,conf_def,conf_mod,conf_mall"
 $ LIB_TXT_DB = "txt_db"
-$ LIB_PKCS7 = "pk7_lib,pkcs7err,pk7_doit,pk7_smime,pk7_attr,pk7_mime"
-$ LIB_PKCS12 = "p12_add,p12_attr,p12_bags,p12_crpt,p12_crt,p12_decr,"+ -
-        "p12_init,p12_key,p12_kiss,p12_lib,p12_mac,p12_mutl,"+ -
-        "p12_sbag,p12_utl,p12_npas,pk12err"
+$ LIB_PKCS7 = "pk7_asn1,pk7_lib,pkcs7err,pk7_doit,pk7_smime,pk7_attr,"+ -
+        "pk7_mime"
+$ LIB_PKCS12 = "p12_add,p12_asn,p12_attr,p12_crpt,p12_crt,p12_decr,"+ -
+        "p12_init,p12_key,p12_kiss,p12_mutl,"+ -
+        "p12_utl,p12_npas,pk12err,p12_p8d,p12_p8e"
 $ LIB_COMP = "comp_lib,"+ -
         "c_rle,c_zlib"
+$ LIB_OCSP = "ocsp_asn,ocsp_ext,ocsp_ht,ocsp_lib,ocsp_cl,"+ -
+        "ocsp_srv,ocsp_prn,ocsp_vfy,ocsp_err"
+$ LIB_UI_COMPAT = ",ui_compat"
+$ LIB_UI = "ui_err,ui_lib,ui_openssl,ui_util"+LIB_UI_COMPAT
+$ LIB_KRB5 = "krb5_asn"
 $!
 $! Setup exceptional compilations
 $!
 $ COMPILEWITH_CC3 = ",bss_rtcp,"
-$ COMPILEWITH_CC4 = ",a_utctm,bss_log,"
+$ COMPILEWITH_CC4 = ",a_utctm,bss_log,o_time,"
 $ COMPILEWITH_CC5 = ",md2_dgst,md4_dgst,md5_dgst,mdc2dgst," + -
                     "sha_dgst,sha1dgst,rmd_dgst,bf_enc,"
 $!
@@ -895,6 +910,7 @@ $ ENDIF
 $!
 $! Check To See If P2 Is Blank.
 $!
+$ P2 = "NORSAREF"
 $ IF (P2.EQS."NORSAREF")
 $ THEN
 $!
@@ -1140,31 +1156,7 @@ $ ENDIF
 $!
 $! Set Up Initial CC Definitions, Possibly With User Ones
 $!
-$ CCDEFS = "VMS=1,TCPIP_TYPE_''P5',DSO_VMS"
-$ IF F$TRNLNM("OPENSSL_NO_ASM") THEN CCDEFS = CCDEFS + ",NO_ASM"
-$ IF F$TRNLNM("OPENSSL_NO_RSA") THEN CCDEFS = CCDEFS + ",NO_RSA"
-$ IF F$TRNLNM("OPENSSL_NO_DSA") THEN CCDEFS = CCDEFS + ",NO_DSA"
-$ IF F$TRNLNM("OPENSSL_NO_DH") THEN CCDEFS = CCDEFS + ",NO_DH"
-$ IF F$TRNLNM("OPENSSL_NO_MD2") THEN CCDEFS = CCDEFS + ",NO_MD2"
-$ IF F$TRNLNM("OPENSSL_NO_MD5") THEN CCDEFS = CCDEFS + ",NO_MD5"
-$ IF F$TRNLNM("OPENSSL_NO_RIPEMD") THEN CCDEFS = CCDEFS + ",NO_RIPEMD"
-$ IF F$TRNLNM("OPENSSL_NO_SHA") THEN CCDEFS = CCDEFS + ",NO_SHA"
-$ IF F$TRNLNM("OPENSSL_NO_SHA0") THEN CCDEFS = CCDEFS + ",NO_SHA0"
-$ IF F$TRNLNM("OPENSSL_NO_SHA1") THEN CCDEFS = CCDEFS + ",NO_SHA1"
-$ IF F$TRNLNM("OPENSSL_NO_DES")
-$ THEN
-$   CCDEFS = CCDEFS + ",NO_DES,NO_MDC2"
-$ ELSE
-$   IF F$TRNLNM("OPENSSL_NO_MDC2") THEN CCDEFS = CCDEFS + ",NO_MDC2"
-$ ENDIF
-$ IF F$TRNLNM("OPENSSL_NO_RC2") THEN CCDEFS = CCDEFS + ",NO_RC2"
-$ IF F$TRNLNM("OPENSSL_NO_RC4") THEN CCDEFS = CCDEFS + ",NO_RC4"
-$ IF F$TRNLNM("OPENSSL_NO_RC5") THEN CCDEFS = CCDEFS + ",NO_RC5"
-$ IF F$TRNLNM("OPENSSL_NO_IDEA") THEN CCDEFS = CCDEFS + ",NO_IDEA"
-$ IF F$TRNLNM("OPENSSL_NO_BF") THEN CCDEFS = CCDEFS + ",NO_BF"
-$ IF F$TRNLNM("OPENSSL_NO_CAST") THEN CCDEFS = CCDEFS + ",NO_CAST"
-$ IF F$TRNLNM("OPENSSL_NO_HMAC") THEN CCDEFS = CCDEFS + ",NO_HMAC"
-$ IF F$TRNLNM("OPENSSL_NO_SSL2") THEN CCDEFS = CCDEFS + ",NO_SSL2"
+$ CCDEFS = "TCPIP_TYPE_''P5',DSO_VMS"
 $ IF F$TYPE(USER_CCDEFS) .NES. "" THEN CCDEFS = CCDEFS + "," + USER_CCDEFS
 $ CCEXTRAFLAGS = ""
 $ IF F$TYPE(USER_CCFLAGS) .NES. "" THEN CCEXTRAFLAGS = USER_CCFLAGS
@@ -1197,7 +1189,7 @@ $     IF ARCH.EQS."VAX" .AND. F$TRNLNM("DECC$CC_DEFAULT").NES."/DECC" -
          THEN CC = "CC/DECC"
 $     CC = CC + "/''CC_OPTIMIZE'/''DEBUGGER'/STANDARD=ANSI89" + -
            "/NOLIST/PREFIX=ALL" + -
-           "/INCLUDE=(SYS$DISK:[],SYS$DISK:[.ENGINE.VENDOR_DEFNS])" + -
+           "/INCLUDE=(SYS$DISK:[],SYS$DISK:[-],SYS$DISK:[.ENGINE.VENDOR_DEFNS],SYS$DISK:[.EVP])" + -
            CCEXTRAFLAGS
 $!
 $!    Define The Linker Options File Name.
@@ -1231,7 +1223,7 @@ $	EXIT
 $     ENDIF
 $     IF F$TRNLNM("DECC$CC_DEFAULT").EQS."/DECC" THEN CC = "CC/VAXC"
 $     CC = CC + "/''CC_OPTIMIZE'/''DEBUGGER'/NOLIST" + -
-           "/INCLUDE=(SYS$DISK:[],SYS$DISK:[.ENGINE.VENDOR_DEFNS])" + -
+           "/INCLUDE=(SYS$DISK:[],SYS$DISK:[-],SYS$DISK:[.ENGINE.VENDOR_DEFNS])" + -
            CCEXTRAFLAGS
 $     CCDEFS = """VAXC""," + CCDEFS
 $!
@@ -1263,7 +1255,7 @@ $!
 $!    Use GNU C...
 $!
 $     CC = "GCC/NOCASE_HACK/''GCC_OPTIMIZE'/''DEBUGGER'/NOLIST" + -
-           "/INCLUDE=(SYS$DISK:[],SYS$DISK:[.ENGINE.VENDOR_DEFNS])" + -
+           "/INCLUDE=(SYS$DISK:[],SYS$DISK:[-],SYS$DISK:[.ENGINE.VENDOR_DEFNS])" + -
            CCEXTRAFLAGS
 $!
 $!    Define The Linker Options File Name.
@@ -1462,6 +1454,7 @@ $!
 $! Save directory information
 $!
 $ __HERE = F$PARSE(F$PARSE("A.;",F$ENVIRONMENT("PROCEDURE"))-"A.;","[]A.;") - "A.;"
+$ __HERE = F$EDIT(__HERE,"UPCASE")
 $ __TOP = __HERE - "CRYPTO]"
 $ __INCLUDE = __TOP + "INCLUDE.OPENSSL]"
 $!
diff --git a/src/lib/libcrypto/crypto.h b/src/lib/libcrypto/crypto.h
index 9257673279..fc6ff860af 100644
--- a/src/lib/libcrypto/crypto.h
+++ b/src/lib/libcrypto/crypto.h
@@ -61,7 +61,7 @@
 
 #include <stdlib.h>
 
-#ifndef NO_FP_API
+#ifndef OPENSSL_NO_FP_API
 #include <stdio.h>
 #endif
 
@@ -90,13 +90,14 @@ extern "C" {
 #define SSLEAY_CFLAGS           2
 #define SSLEAY_BUILT_ON         3
 #define SSLEAY_PLATFORM         4
+#define SSLEAY_DIR              5
 
 /* When changing the CRYPTO_LOCK_* list, be sure to maintin the text lock
  * names in cryptlib.c
  */
 
 #define CRYPTO_LOCK_ERR                 1
-#define CRYPTO_LOCK_ERR_HASH            2
+#define CRYPTO_LOCK_EX_DATA             2
 #define CRYPTO_LOCK_X509                3
 #define CRYPTO_LOCK_X509_INFO           4
 #define CRYPTO_LOCK_X509_PKEY           5
@@ -112,25 +113,27 @@ extern "C" {
 #define CRYPTO_LOCK_SSL_SESS_CERT       15
 #define CRYPTO_LOCK_SSL                 16
 #define CRYPTO_LOCK_RAND                17
-#define CRYPTO_LOCK_MALLOC              18
-#define CRYPTO_LOCK_BIO                 19
-#define CRYPTO_LOCK_GETHOSTBYNAME       20
-#define CRYPTO_LOCK_GETSERVBYNAME       21
-#define CRYPTO_LOCK_READDIR             22
-#define CRYPTO_LOCK_RSA_BLINDING        23
-#define CRYPTO_LOCK_DH                  24
-#define CRYPTO_LOCK_MALLOC2             25
-#define CRYPTO_LOCK_DSO                 26
-#define CRYPTO_LOCK_DYNLOCK             27
-#define CRYPTO_LOCK_ENGINE              28
-#define CRYPTO_NUM_LOCKS                29
+#define CRYPTO_LOCK_RAND2               18
+#define CRYPTO_LOCK_MALLOC              19
+#define CRYPTO_LOCK_BIO                 20
+#define CRYPTO_LOCK_GETHOSTBYNAME       21
+#define CRYPTO_LOCK_GETSERVBYNAME       22
+#define CRYPTO_LOCK_READDIR             23
+#define CRYPTO_LOCK_RSA_BLINDING        24
+#define CRYPTO_LOCK_DH                  25
+#define CRYPTO_LOCK_MALLOC2             26
+#define CRYPTO_LOCK_DSO                 27
+#define CRYPTO_LOCK_DYNLOCK             28
+#define CRYPTO_LOCK_ENGINE              29
+#define CRYPTO_LOCK_UI                  30
+#define CRYPTO_NUM_LOCKS                31
 
 #define CRYPTO_LOCK             1
 #define CRYPTO_UNLOCK           2
 #define CRYPTO_READ             4
 #define CRYPTO_WRITE            8
 
-#ifndef NO_LOCKING
+#ifndef OPENSSL_NO_LOCKING
 #ifndef CRYPTO_w_lock
 #define CRYPTO_w_lock(type)     \
         CRYPTO_lock(CRYPTO_LOCK|CRYPTO_WRITE,type,__FILE__,__LINE__)
@@ -224,6 +227,16 @@ DECLARE_STACK_OF(CRYPTO_EX_DATA_FUNCS)
 #define CRYPTO_EX_INDEX_SSL_SESSION     3
 #define CRYPTO_EX_INDEX_X509_STORE      4
 #define CRYPTO_EX_INDEX_X509_STORE_CTX  5
+#define CRYPTO_EX_INDEX_RSA             6
+#define CRYPTO_EX_INDEX_DSA             7
+#define CRYPTO_EX_INDEX_DH              8
+#define CRYPTO_EX_INDEX_ENGINE          9
+#define CRYPTO_EX_INDEX_X509            10
+#define CRYPTO_EX_INDEX_UI              11
+
+/* Dynamically assigned indexes start from this value (don't use directly, use
+ * via CRYPTO_ex_data_new_class). */
+#define CRYPTO_EX_INDEX_USER            100
 
 
 /* This is the default callbacks, but we can have others as well:
@@ -280,14 +293,31 @@ unsigned long SSLeay(void);
 
 int OPENSSL_issetugid(void);
 
-int CRYPTO_get_ex_new_index(int idx, STACK_OF(CRYPTO_EX_DATA_FUNCS) **skp, long argl, void *argp,
-             CRYPTO_EX_new *new_func, CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
+/* An opaque type representing an implementation of "ex_data" support */
+typedef struct st_CRYPTO_EX_DATA_IMPL   CRYPTO_EX_DATA_IMPL;
+/* Return an opaque pointer to the current "ex_data" implementation */
+const CRYPTO_EX_DATA_IMPL *CRYPTO_get_ex_data_implementation(void);
+/* Sets the "ex_data" implementation to be used (if it's not too late) */
+int CRYPTO_set_ex_data_implementation(const CRYPTO_EX_DATA_IMPL *i);
+/* Get a new "ex_data" class, and return the corresponding "class_index" */
+int CRYPTO_ex_data_new_class(void);
+/* Within a given class, get/register a new index */
+int CRYPTO_get_ex_new_index(int class_index, long argl, void *argp,
+                CRYPTO_EX_new *new_func, CRYPTO_EX_dup *dup_func,
+                CRYPTO_EX_free *free_func);
+/* Initialise/duplicate/free CRYPTO_EX_DATA variables corresponding to a given
+ * class (invokes whatever per-class callbacks are applicable) */
+int CRYPTO_new_ex_data(int class_index, void *obj, CRYPTO_EX_DATA *ad);
+int CRYPTO_dup_ex_data(int class_index, CRYPTO_EX_DATA *to,
+                CRYPTO_EX_DATA *from);
+void CRYPTO_free_ex_data(int class_index, void *obj, CRYPTO_EX_DATA *ad);
+/* Get/set data in a CRYPTO_EX_DATA variable corresponding to a particular index
+ * (relative to the class type involved) */
 int CRYPTO_set_ex_data(CRYPTO_EX_DATA *ad, int idx, void *val);
-void *CRYPTO_get_ex_data(CRYPTO_EX_DATA *ad,int idx);
-int CRYPTO_dup_ex_data(STACK_OF(CRYPTO_EX_DATA_FUNCS) *meth, CRYPTO_EX_DATA *to,
-             CRYPTO_EX_DATA *from);
-void CRYPTO_free_ex_data(STACK_OF(CRYPTO_EX_DATA_FUNCS) *meth, void *obj, CRYPTO_EX_DATA *ad);
-void CRYPTO_new_ex_data(STACK_OF(CRYPTO_EX_DATA_FUNCS) *meth, void *obj, CRYPTO_EX_DATA *ad);
+void *CRYPTO_get_ex_data(const CRYPTO_EX_DATA *ad,int idx);
+/* This function cleans up all "ex_data" state. It mustn't be called under
+ * potential race-conditions. */
+void CRYPTO_cleanup_all_ex_data(void);
 
 int CRYPTO_get_new_lockid(char *name);
 
@@ -322,6 +352,11 @@ void (*CRYPTO_get_dynlock_destroy_callback(void))(struct CRYPTO_dynlock_value *l
  * call the latter last if you need different functions */
 int CRYPTO_set_mem_functions(void *(*m)(size_t),void *(*r)(void *,size_t), void (*f)(void *));
 int CRYPTO_set_locked_mem_functions(void *(*m)(size_t), void (*free_func)(void *));
+int CRYPTO_set_mem_ex_functions(void *(*m)(size_t,const char *,int),
+                                void *(*r)(void *,size_t,const char *,int),
+                                void (*f)(void *));
+int CRYPTO_set_locked_mem_ex_functions(void *(*m)(size_t,const char *,int),
+                                       void (*free_func)(void *));
 int CRYPTO_set_mem_debug_functions(void (*m)(void *,int,const char *,int,int),
                                    void (*r)(void *,void *,int,const char *,int,int),
                                    void (*f)(void *,int),
@@ -329,6 +364,11 @@ int CRYPTO_set_mem_debug_functions(void (*m)(void *,int,const char *,int,int),
                                    long (*go)(void));
 void CRYPTO_get_mem_functions(void *(**m)(size_t),void *(**r)(void *, size_t), void (**f)(void *));
 void CRYPTO_get_locked_mem_functions(void *(**m)(size_t), void (**f)(void *));
+void CRYPTO_get_mem_ex_functions(void *(**m)(size_t,const char *,int),
+                                 void *(**r)(void *, size_t,const char *,int),
+                                 void (**f)(void *));
+void CRYPTO_get_locked_mem_ex_functions(void *(**m)(size_t,const char *,int),
+                                        void (**f)(void *));
 void CRYPTO_get_mem_debug_functions(void (**m)(void *,int,const char *,int,int),
                                     void (**r)(void *,void *,int,const char *,int,int),
                                     void (**f)(void *,int),
@@ -351,6 +391,9 @@ int CRYPTO_push_info_(const char *info, const char *file, int line);
 int CRYPTO_pop_info(void);
 int CRYPTO_remove_all_info(void);
 
+
+/* Default debugging functions (enabled by CRYPTO_malloc_debug_init() macro;
+ * used as default in CRYPTO_MDEBUG compilations): */
 /* The last argument has the following significance:
  *
  * 0:   called before the actual memory allocation has taken place
@@ -359,31 +402,32 @@ int CRYPTO_remove_all_info(void);
 void CRYPTO_dbg_malloc(void *addr,int num,const char *file,int line,int before_p);
 void CRYPTO_dbg_realloc(void *addr1,void *addr2,int num,const char *file,int line,int before_p);
 void CRYPTO_dbg_free(void *addr,int before_p);
-
 /* Tell the debugging code about options.  By default, the following values
  * apply:
  *
- * 0:   Clear all options.
- * 1:   Set the "Show Time" option.
- * 2:   Set the "Show Thread Number" option.
- * 3:   1 + 2
+ * 0:                           Clear all options.
+ * V_CRYPTO_MDEBUG_TIME (1):    Set the "Show Time" option.
+ * V_CRYPTO_MDEBUG_THREAD (2):  Set the "Show Thread Number" option.
+ * V_CRYPTO_MDEBUG_ALL (3):     1 + 2
  */
 void CRYPTO_dbg_set_options(long bits);
 long CRYPTO_dbg_get_options(void);
 
-#ifndef NO_FP_API
+
+#ifndef OPENSSL_NO_FP_API
 void CRYPTO_mem_leaks_fp(FILE *);
 #endif
 void CRYPTO_mem_leaks(struct bio_st *bio);
 /* unsigned long order, char *file, int line, int num_bytes, char *addr */
-void CRYPTO_mem_leaks_cb(void (*cb)(unsigned long, const char *, int, int, void *));
+typedef void *CRYPTO_MEM_LEAK_CB(unsigned long, const char *, int, int, void *);
+void CRYPTO_mem_leaks_cb(CRYPTO_MEM_LEAK_CB *cb);
 
-void ERR_load_CRYPTO_strings(void);
 
 /* BEGIN ERROR CODES */
 /* The following lines are auto generated by the script mkerr.pl. Any changes
  * made after this point may be overwritten when the script is next run.
  */
+void ERR_load_CRYPTO_strings(void);
 
 /* Error codes for the CRYPTO functions. */
 
@@ -392,6 +436,11 @@ void ERR_load_CRYPTO_strings(void);
 #define CRYPTO_F_CRYPTO_GET_NEW_DYNLOCKID                103
 #define CRYPTO_F_CRYPTO_GET_NEW_LOCKID                   101
 #define CRYPTO_F_CRYPTO_SET_EX_DATA                      102
+#define CRYPTO_F_DEF_ADD_INDEX                           104
+#define CRYPTO_F_DEF_GET_CLASS                           105
+#define CRYPTO_F_INT_DUP_EX_DATA                         106
+#define CRYPTO_F_INT_FREE_EX_DATA                        107
+#define CRYPTO_F_INT_NEW_EX_DATA                         108
 
 /* Reason codes. */
 #define CRYPTO_R_NO_DYNLOCK_CREATE_CALLBACK              100
@@ -400,4 +449,3 @@ void ERR_load_CRYPTO_strings(void);
 }
 #endif
 #endif
-
diff --git a/src/lib/libcrypto/cversion.c b/src/lib/libcrypto/cversion.c
index affdfca98f..f7a1b7a4f0 100644
--- a/src/lib/libcrypto/cversion.c
+++ b/src/lib/libcrypto/cversion.c
@@ -102,6 +102,14 @@ const char *SSLeay_version(int t)
                 return("platform: information not available");
 #endif
                 }
+        if (t == SSLEAY_DIR)
+                {
+#ifdef OPENSSLDIR
+                return "OPENSSLDIR: \"" OPENSSLDIR "\"";
+#else
+                return "OPENSSLDIR: N/A";
+#endif
+                }
         return("not available");
         }
 
diff --git a/src/lib/libcrypto/des/Makefile.ssl b/src/lib/libcrypto/des/Makefile.ssl
index cc5379feb2..04a73a9326 100644
--- a/src/lib/libcrypto/des/Makefile.ssl
+++ b/src/lib/libcrypto/des/Makefile.ssl
@@ -6,13 +6,14 @@ DIR=	des
 TOP=    ../..
 CC=     cc
 CPP=    $(CC) -E
-INCLUDES=-I../../include
+INCLUDES=-I$(TOP) -I../../include
 CFLAG=-g
 INSTALL_PREFIX=
 OPENSSLDIR=     /usr/local/ssl
 INSTALLTOP=/usr/local/ssl
 MAKE=           make -f Makefile.ssl
-MAKEDEPEND=     $(TOP)/util/domd $(TOP)
+MAKEDEPPROG=    makedepend
+MAKEDEPEND=     $(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)
 MAKEFILE=       Makefile.ssl
 AR=             ar r
 RANLIB=         ranlib
@@ -30,22 +31,23 @@ LIB=$(TOP)/libcrypto.a
 LIBSRC= cbc_cksm.c cbc_enc.c  cfb64enc.c cfb_enc.c  \
         ecb3_enc.c ecb_enc.c  enc_read.c enc_writ.c \
         fcrypt.c ofb64enc.c ofb_enc.c  pcbc_enc.c \
-        qud_cksm.c rand_key.c read_pwd.c rpc_enc.c  set_key.c  \
-        des_enc.c fcrypt_b.c read2pwd.c \
+        qud_cksm.c rand_key.c rpc_enc.c  set_key.c  \
+        des_enc.c fcrypt_b.c \
         xcbc_enc.c \
-        str2key.c  cfb64ede.c ofb64ede.c ede_cbcm_enc.c
+        str2key.c  cfb64ede.c ofb64ede.c ede_cbcm_enc.c des_old.c des_old2.c \
+        read2pwd.c
 
 LIBOBJ= set_key.o  ecb_enc.o  cbc_enc.o \
         ecb3_enc.o cfb64enc.o cfb64ede.o cfb_enc.o  ofb64ede.o \
         enc_read.o enc_writ.o ofb64enc.o \
         ofb_enc.o  str2key.o  pcbc_enc.o qud_cksm.o rand_key.o \
-        ${DES_ENC} read2pwd.o \
-        fcrypt.o xcbc_enc.o read_pwd.o rpc_enc.o  cbc_cksm.o \
-        ede_cbcm_enc.o
+        ${DES_ENC} \
+        fcrypt.o xcbc_enc.o rpc_enc.o  cbc_cksm.o \
+        ede_cbcm_enc.o des_old.o des_old2.o read2pwd.o
 
 SRC= $(LIBSRC)
 
-EXHEADER= des.h
+EXHEADER= des.h des_old.h
 HEADER= des_locl.h rpc_des.h spr.h des_ver.h $(EXHEADER)
 
 ALL=    $(GENERAL) $(SRC) $(HEADER)
@@ -57,8 +59,7 @@ all:	lib
 
 lib:    $(LIBOBJ)
         $(AR) $(LIB) $(LIBOBJ)
-        @echo You may get an error following this line.  Please ignore.
-        - $(RANLIB) $(LIB)
+        $(RANLIB) $(LIB) || echo Never mind.
         @touch lib
 
 des: des.o cbc3_enc.o lib
@@ -141,72 +142,184 @@ clean:
 
 # DO NOT DELETE THIS LINE -- make depend depends on it.
 
-cbc_cksm.o: ../../include/openssl/des.h ../../include/openssl/e_os2.h
-cbc_cksm.o: ../../include/openssl/opensslconf.h des_locl.h
-cbc_enc.o: ../../include/openssl/des.h ../../include/openssl/e_os2.h
-cbc_enc.o: ../../include/openssl/opensslconf.h des_locl.h ncbc_enc.c
-cfb64ede.o: ../../include/openssl/des.h ../../include/openssl/e_os2.h
-cfb64ede.o: ../../include/openssl/opensslconf.h des_locl.h
-cfb64enc.o: ../../include/openssl/des.h ../../include/openssl/e_os2.h
-cfb64enc.o: ../../include/openssl/opensslconf.h des_locl.h
-cfb_enc.o: ../../include/openssl/des.h ../../include/openssl/e_os2.h
-cfb_enc.o: ../../include/openssl/opensslconf.h des_locl.h
-des_enc.o: ../../include/openssl/des.h ../../include/openssl/e_os2.h
-des_enc.o: ../../include/openssl/opensslconf.h des_locl.h des_locl.h ncbc_enc.c
-ecb3_enc.o: ../../include/openssl/des.h ../../include/openssl/e_os2.h
-ecb3_enc.o: ../../include/openssl/opensslconf.h des_locl.h
-ecb_enc.o: ../../include/openssl/des.h ../../include/openssl/e_os2.h
+cbc_cksm.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+cbc_cksm.o: ../../include/openssl/des_old.h ../../include/openssl/e_os2.h
+cbc_cksm.o: ../../include/openssl/opensslconf.h
+cbc_cksm.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+cbc_cksm.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+cbc_cksm.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
+cbc_cksm.o: cbc_cksm.c des_locl.h
+cbc_enc.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+cbc_enc.o: ../../include/openssl/des_old.h ../../include/openssl/e_os2.h
+cbc_enc.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+cbc_enc.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+cbc_enc.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
+cbc_enc.o: ../../include/openssl/ui_compat.h cbc_enc.c des_locl.h ncbc_enc.c
+cfb64ede.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+cfb64ede.o: ../../include/openssl/des_old.h ../../include/openssl/e_os2.h
+cfb64ede.o: ../../include/openssl/opensslconf.h
+cfb64ede.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+cfb64ede.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+cfb64ede.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
+cfb64ede.o: cfb64ede.c des_locl.h
+cfb64enc.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+cfb64enc.o: ../../include/openssl/des_old.h ../../include/openssl/e_os2.h
+cfb64enc.o: ../../include/openssl/opensslconf.h
+cfb64enc.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+cfb64enc.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+cfb64enc.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
+cfb64enc.o: cfb64enc.c des_locl.h
+cfb_enc.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+cfb_enc.o: ../../include/openssl/des_old.h ../../include/openssl/e_os2.h
+cfb_enc.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+cfb_enc.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+cfb_enc.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
+cfb_enc.o: ../../include/openssl/ui_compat.h cfb_enc.c des_locl.h
+des_enc.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+des_enc.o: ../../include/openssl/des_old.h ../../include/openssl/e_os2.h
+des_enc.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+des_enc.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+des_enc.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
+des_enc.o: ../../include/openssl/ui_compat.h des_enc.c des_locl.h ncbc_enc.c
+des_old.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+des_old.o: ../../include/openssl/des_old.h ../../include/openssl/e_os2.h
+des_old.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+des_old.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
+des_old.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+des_old.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
+des_old.o: ../../include/openssl/ui_compat.h des_old.c
+des_old2.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+des_old2.o: ../../include/openssl/des_old.h ../../include/openssl/e_os2.h
+des_old2.o: ../../include/openssl/opensslconf.h
+des_old2.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+des_old2.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h
+des_old2.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+des_old2.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
+des_old2.o: des_old2.c
+ecb3_enc.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+ecb3_enc.o: ../../include/openssl/des_old.h ../../include/openssl/e_os2.h
+ecb3_enc.o: ../../include/openssl/opensslconf.h
+ecb3_enc.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+ecb3_enc.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+ecb3_enc.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
+ecb3_enc.o: des_locl.h ecb3_enc.c
+ecb_enc.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+ecb_enc.o: ../../include/openssl/des_old.h ../../include/openssl/e_os2.h
 ecb_enc.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-ecb_enc.o: des_locl.h spr.h
-ede_cbcm_enc.o: ../../include/openssl/des.h ../../include/openssl/e_os2.h
-ede_cbcm_enc.o: ../../include/openssl/opensslconf.h des_locl.h
-enc_read.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
-enc_read.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-enc_read.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-enc_read.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
-enc_read.o: ../../include/openssl/opensslconf.h
+ecb_enc.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+ecb_enc.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
+ecb_enc.o: ../../include/openssl/ui_compat.h des_locl.h ecb_enc.c spr.h
+ede_cbcm_enc.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+ede_cbcm_enc.o: ../../include/openssl/des_old.h ../../include/openssl/e_os2.h
+ede_cbcm_enc.o: ../../include/openssl/opensslconf.h
+ede_cbcm_enc.o: ../../include/openssl/opensslv.h
+ede_cbcm_enc.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+ede_cbcm_enc.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
+ede_cbcm_enc.o: ../../include/openssl/ui_compat.h des_locl.h ede_cbcm_enc.c
+enc_read.o: ../../e_os.h ../../include/openssl/bio.h
+enc_read.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+enc_read.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
+enc_read.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+enc_read.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
 enc_read.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
 enc_read.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-enc_read.o: ../cryptlib.h des_locl.h
-enc_writ.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
-enc_writ.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-enc_writ.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-enc_writ.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
-enc_writ.o: ../../include/openssl/opensslconf.h
-enc_writ.o: ../../include/openssl/opensslv.h ../../include/openssl/rand.h
-enc_writ.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-enc_writ.o: ../../include/openssl/symhacks.h ../cryptlib.h des_locl.h
-fcrypt.o: ../../include/openssl/des.h ../../include/openssl/e_os2.h
-fcrypt.o: ../../include/openssl/opensslconf.h des_locl.h
-fcrypt_b.o: ../../include/openssl/des.h ../../include/openssl/e_os2.h
-fcrypt_b.o: ../../include/openssl/opensslconf.h des_locl.h
-ofb64ede.o: ../../include/openssl/des.h ../../include/openssl/e_os2.h
-ofb64ede.o: ../../include/openssl/opensslconf.h des_locl.h
-ofb64enc.o: ../../include/openssl/des.h ../../include/openssl/e_os2.h
-ofb64enc.o: ../../include/openssl/opensslconf.h des_locl.h
-ofb_enc.o: ../../include/openssl/des.h ../../include/openssl/e_os2.h
-ofb_enc.o: ../../include/openssl/opensslconf.h des_locl.h
-pcbc_enc.o: ../../include/openssl/des.h ../../include/openssl/e_os2.h
-pcbc_enc.o: ../../include/openssl/opensslconf.h des_locl.h
-qud_cksm.o: ../../include/openssl/des.h ../../include/openssl/e_os2.h
-qud_cksm.o: ../../include/openssl/opensslconf.h des_locl.h
-rand_key.o: ../../include/openssl/des.h ../../include/openssl/e_os2.h
-rand_key.o: ../../include/openssl/opensslconf.h ../../include/openssl/rand.h
-read2pwd.o: ../../include/openssl/des.h ../../include/openssl/e_os2.h
-read2pwd.o: ../../include/openssl/opensslconf.h des_locl.h
-read_pwd.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
-read_pwd.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-read_pwd.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-read_pwd.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
-read_pwd.o: ../../include/openssl/opensslconf.h
-read_pwd.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-read_pwd.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-read_pwd.o: ../cryptlib.h des_locl.h
-rpc_enc.o: ../../include/openssl/des.h ../../include/openssl/e_os2.h
-rpc_enc.o: ../../include/openssl/opensslconf.h des_locl.h des_ver.h rpc_des.h
-set_key.o: ../../include/openssl/des.h ../../include/openssl/e_os2.h
-set_key.o: ../../include/openssl/opensslconf.h des_locl.h
-str2key.o: ../../include/openssl/des.h ../../include/openssl/e_os2.h
-str2key.o: ../../include/openssl/opensslconf.h des_locl.h
-xcbc_enc.o: ../../include/openssl/des.h ../../include/openssl/e_os2.h
-xcbc_enc.o: ../../include/openssl/opensslconf.h des_locl.h
+enc_read.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
+enc_read.o: ../cryptlib.h des_locl.h enc_read.c
+enc_writ.o: ../../e_os.h ../../include/openssl/bio.h
+enc_writ.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+enc_writ.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
+enc_writ.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+enc_writ.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
+enc_writ.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+enc_writ.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h
+enc_writ.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+enc_writ.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
+enc_writ.o: ../cryptlib.h des_locl.h enc_writ.c
+fcrypt.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+fcrypt.o: ../../include/openssl/des_old.h ../../include/openssl/e_os2.h
+fcrypt.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+fcrypt.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+fcrypt.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
+fcrypt.o: ../../include/openssl/ui_compat.h des_locl.h fcrypt.c
+fcrypt_b.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+fcrypt_b.o: ../../include/openssl/des_old.h ../../include/openssl/e_os2.h
+fcrypt_b.o: ../../include/openssl/opensslconf.h
+fcrypt_b.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+fcrypt_b.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+fcrypt_b.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
+fcrypt_b.o: des_locl.h fcrypt_b.c
+ofb64ede.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+ofb64ede.o: ../../include/openssl/des_old.h ../../include/openssl/e_os2.h
+ofb64ede.o: ../../include/openssl/opensslconf.h
+ofb64ede.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+ofb64ede.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+ofb64ede.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
+ofb64ede.o: des_locl.h ofb64ede.c
+ofb64enc.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+ofb64enc.o: ../../include/openssl/des_old.h ../../include/openssl/e_os2.h
+ofb64enc.o: ../../include/openssl/opensslconf.h
+ofb64enc.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+ofb64enc.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+ofb64enc.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
+ofb64enc.o: des_locl.h ofb64enc.c
+ofb_enc.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+ofb_enc.o: ../../include/openssl/des_old.h ../../include/openssl/e_os2.h
+ofb_enc.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+ofb_enc.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+ofb_enc.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
+ofb_enc.o: ../../include/openssl/ui_compat.h des_locl.h ofb_enc.c
+pcbc_enc.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+pcbc_enc.o: ../../include/openssl/des_old.h ../../include/openssl/e_os2.h
+pcbc_enc.o: ../../include/openssl/opensslconf.h
+pcbc_enc.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+pcbc_enc.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+pcbc_enc.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
+pcbc_enc.o: des_locl.h pcbc_enc.c
+qud_cksm.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+qud_cksm.o: ../../include/openssl/des_old.h ../../include/openssl/e_os2.h
+qud_cksm.o: ../../include/openssl/opensslconf.h
+qud_cksm.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+qud_cksm.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+qud_cksm.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
+qud_cksm.o: des_locl.h qud_cksm.c
+rand_key.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+rand_key.o: ../../include/openssl/des_old.h ../../include/openssl/e_os2.h
+rand_key.o: ../../include/openssl/opensslconf.h
+rand_key.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+rand_key.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h
+rand_key.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+rand_key.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
+rand_key.o: rand_key.c
+read2pwd.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+read2pwd.o: ../../include/openssl/des_old.h ../../include/openssl/e_os2.h
+read2pwd.o: ../../include/openssl/opensslconf.h
+read2pwd.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+read2pwd.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+read2pwd.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
+read2pwd.o: read2pwd.c
+rpc_enc.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+rpc_enc.o: ../../include/openssl/des_old.h ../../include/openssl/e_os2.h
+rpc_enc.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+rpc_enc.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+rpc_enc.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
+rpc_enc.o: ../../include/openssl/ui_compat.h des_locl.h des_ver.h rpc_des.h
+rpc_enc.o: rpc_enc.c
+set_key.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+set_key.o: ../../include/openssl/des_old.h ../../include/openssl/e_os2.h
+set_key.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+set_key.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+set_key.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
+set_key.o: ../../include/openssl/ui_compat.h des_locl.h set_key.c
+str2key.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+str2key.o: ../../include/openssl/des_old.h ../../include/openssl/e_os2.h
+str2key.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+str2key.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+str2key.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
+str2key.o: ../../include/openssl/ui_compat.h des_locl.h str2key.c
+xcbc_enc.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+xcbc_enc.o: ../../include/openssl/des_old.h ../../include/openssl/e_os2.h
+xcbc_enc.o: ../../include/openssl/opensslconf.h
+xcbc_enc.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+xcbc_enc.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+xcbc_enc.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
+xcbc_enc.o: des_locl.h xcbc_enc.c
diff --git a/src/lib/libcrypto/des/asm/crypt586.pl b/src/lib/libcrypto/des/asm/crypt586.pl
index 197c413ea6..3d41d82f69 100644
--- a/src/lib/libcrypto/des/asm/crypt586.pl
+++ b/src/lib/libcrypto/des/asm/crypt586.pl
@@ -14,7 +14,7 @@ require "x86asm.pl";
 $L="edi";
 $R="esi";
 
-&external_label("des_SPtrans");
+&external_label("DES_SPtrans");
 &fcrypt_body("fcrypt_body");
 &asm_finish();
 
@@ -22,7 +22,7 @@ sub fcrypt_body
         {
         local($name,$do_ip)=@_;
 
-        &function_begin($name,"EXTRN   _des_SPtrans:DWORD");
+        &function_begin($name,"EXTRN   _DES_SPtrans:DWORD");
 
         &comment("");
         &comment("Load the 2 words");
@@ -39,11 +39,11 @@ sub fcrypt_body
                 {
                 &comment("");
                 &comment("Round $i");
-                &D_ENCRYPT($i,$L,$R,$i*2,$ks,"des_SPtrans","eax","ebx","ecx","edx");
+                &D_ENCRYPT($i,$L,$R,$i*2,$ks,"DES_SPtrans","eax","ebx","ecx","edx");
 
                 &comment("");
                 &comment("Round ".sprintf("%d",$i+1));
-                &D_ENCRYPT($i+1,$R,$L,($i+1)*2,$ks,"des_SPtrans","eax","ebx","ecx","edx");
+                &D_ENCRYPT($i+1,$R,$L,($i+1)*2,$ks,"DES_SPtrans","eax","ebx","ecx","edx");
                 }
          &mov("ebx",    &swtmp(0));
         &mov("eax",     $L);
diff --git a/src/lib/libcrypto/des/asm/des-586.pl b/src/lib/libcrypto/des/asm/des-586.pl
index c890766bc9..0d08e8a3a9 100644
--- a/src/lib/libcrypto/des/asm/des-586.pl
+++ b/src/lib/libcrypto/des/asm/des-586.pl
@@ -19,21 +19,21 @@ require "desboth.pl";
 $L="edi";
 $R="esi";
 
-&external_label("des_SPtrans");
-&des_encrypt("des_encrypt1",1);
-&des_encrypt("des_encrypt2",0);
-&des_encrypt3("des_encrypt3",1);
-&des_encrypt3("des_decrypt3",0);
-&cbc("des_ncbc_encrypt","des_encrypt1","des_encrypt1",0,4,5,3,5,-1);
-&cbc("des_ede3_cbc_encrypt","des_encrypt3","des_decrypt3",0,6,7,3,4,5);
+&external_label("DES_SPtrans");
+&DES_encrypt("DES_encrypt1",1);
+&DES_encrypt("DES_encrypt2",0);
+&DES_encrypt3("DES_encrypt3",1);
+&DES_encrypt3("DES_decrypt3",0);
+&cbc("DES_ncbc_encrypt","DES_encrypt1","DES_encrypt1",0,4,5,3,5,-1);
+&cbc("DES_ede3_cbc_encrypt","DES_encrypt3","DES_decrypt3",0,6,7,3,4,5);
 
 &asm_finish();
 
-sub des_encrypt
+sub DES_encrypt
         {
         local($name,$do_ip)=@_;
 
-        &function_begin_B($name,"EXTRN   _des_SPtrans:DWORD");
+        &function_begin_B($name,"EXTRN   _DES_SPtrans:DWORD");
 
         &push("esi");
         &push("edi");
@@ -80,11 +80,11 @@ sub des_encrypt
                 {
                 &comment("");
                 &comment("Round $i");
-                &D_ENCRYPT($i,$L,$R,$i*2,$ks,"des_SPtrans","eax","ebx","ecx","edx");
+                &D_ENCRYPT($i,$L,$R,$i*2,$ks,"DES_SPtrans","eax","ebx","ecx","edx");
 
                 &comment("");
                 &comment("Round ".sprintf("%d",$i+1));
-                &D_ENCRYPT($i+1,$R,$L,($i+1)*2,$ks,"des_SPtrans","eax","ebx","ecx","edx");
+                &D_ENCRYPT($i+1,$R,$L,($i+1)*2,$ks,"DES_SPtrans","eax","ebx","ecx","edx");
                 }
         &jmp(&label("end"));
 
@@ -94,10 +94,10 @@ sub des_encrypt
                 {
                 &comment("");
                 &comment("Round $i");
-                &D_ENCRYPT(15-$i,$L,$R,$i*2,$ks,"des_SPtrans","eax","ebx","ecx","edx");
+                &D_ENCRYPT(15-$i,$L,$R,$i*2,$ks,"DES_SPtrans","eax","ebx","ecx","edx");
                 &comment("");
                 &comment("Round ".sprintf("%d",$i-1));
-                &D_ENCRYPT(15-$i+1,$R,$L,($i-1)*2,$ks,"des_SPtrans","eax","ebx","ecx","edx");
+                &D_ENCRYPT(15-$i+1,$R,$L,($i-1)*2,$ks,"DES_SPtrans","eax","ebx","ecx","edx");
                 }
 
         &set_label("end");
diff --git a/src/lib/libcrypto/des/asm/des686.pl b/src/lib/libcrypto/des/asm/des686.pl
index 84c3e85438..d3ad5d5edd 100644
--- a/src/lib/libcrypto/des/asm/des686.pl
+++ b/src/lib/libcrypto/des/asm/des686.pl
@@ -46,19 +46,19 @@ EOF
 $L="edi";
 $R="esi";
 
-&des_encrypt("des_encrypt1",1);
-&des_encrypt("des_encrypt2",0);
+&DES_encrypt("DES_encrypt1",1);
+&DES_encrypt("DES_encrypt2",0);
 
-&des_encrypt3("des_encrypt3",1);
-&des_encrypt3("des_decrypt3",0);
+&DES_encrypt3("DES_encrypt3",1);
+&DES_encrypt3("DES_decrypt3",0);
 
 &file_end();
 
-sub des_encrypt
+sub DES_encrypt
         {
         local($name,$do_ip)=@_;
 
-        &function_begin($name,"EXTRN   _des_SPtrans:DWORD");
+        &function_begin($name,"EXTRN   _DES_SPtrans:DWORD");
 
         &comment("");
         &comment("Load the 2 words");
@@ -94,11 +94,11 @@ sub des_encrypt
                 {
                 &comment("");
                 &comment("Round $i");
-                &D_ENCRYPT($L,$R,$i*2,"ebp","des_SPtrans","ecx","edx","eax","ebx");
+                &D_ENCRYPT($L,$R,$i*2,"ebp","DES_SPtrans","ecx","edx","eax","ebx");
 
                 &comment("");
                 &comment("Round ".sprintf("%d",$i+1));
-                &D_ENCRYPT($R,$L,($i+1)*2,"ebp","des_SPtrans","ecx","edx","eax","ebx");
+                &D_ENCRYPT($R,$L,($i+1)*2,"ebp","DES_SPtrans","ecx","edx","eax","ebx");
                 }
         &jmp(&label("end"));
 
@@ -108,10 +108,10 @@ sub des_encrypt
                 {
                 &comment("");
                 &comment("Round $i");
-                &D_ENCRYPT($L,$R,$i*2,"ebp","des_SPtrans","ecx","edx","eax","ebx");
+                &D_ENCRYPT($L,$R,$i*2,"ebp","DES_SPtrans","ecx","edx","eax","ebx");
                 &comment("");
                 &comment("Round ".sprintf("%d",$i-1));
-                &D_ENCRYPT($R,$L,($i-1)*2,"ebp","des_SPtrans","ecx","edx","eax","ebx");
+                &D_ENCRYPT($R,$L,($i-1)*2,"ebp","DES_SPtrans","ecx","edx","eax","ebx");
                 }
 
         &set_label("end");
diff --git a/src/lib/libcrypto/des/asm/desboth.pl b/src/lib/libcrypto/des/asm/desboth.pl
index d5106414db..eec00886e4 100644
--- a/src/lib/libcrypto/des/asm/desboth.pl
+++ b/src/lib/libcrypto/des/asm/desboth.pl
@@ -3,7 +3,7 @@
 $L="edi";
 $R="esi";
 
-sub des_encrypt3
+sub DES_encrypt3
         {
         local($name,$enc)=@_;
 
@@ -47,15 +47,15 @@ sub des_encrypt3
         &mov(&swtmp(2), (DWC(($enc)?"1":"0")));
         &mov(&swtmp(1), "eax");
         &mov(&swtmp(0), "ebx");
-        &call("des_encrypt2");
+        &call("DES_encrypt2");
         &mov(&swtmp(2), (DWC(($enc)?"0":"1")));
         &mov(&swtmp(1), "edi");
         &mov(&swtmp(0), "ebx");
-        &call("des_encrypt2");
+        &call("DES_encrypt2");
         &mov(&swtmp(2), (DWC(($enc)?"1":"0")));
         &mov(&swtmp(1), "esi");
         &mov(&swtmp(0), "ebx");
-        &call("des_encrypt2");
+        &call("DES_encrypt2");
 
         &stack_pop(3);
         &mov($L,&DWP(0,"ebx","",0));
diff --git a/src/lib/libcrypto/des/cbc3_enc.c b/src/lib/libcrypto/des/cbc3_enc.c
index 527e74f3de..b5db4e14f7 100644
--- a/src/lib/libcrypto/des/cbc3_enc.c
+++ b/src/lib/libcrypto/des/cbc3_enc.c
@@ -59,41 +59,41 @@
 #include "des_locl.h"
 
 /* HAS BUGS! DON'T USE - this is only present for use in des.c */
-void des_3cbc_encrypt(des_cblock *input, des_cblock *output, long length,
-             des_key_schedule ks1, des_key_schedule ks2, des_cblock *iv1,
-             des_cblock *iv2, int enc)
+void DES_3cbc_encrypt(DES_cblock *input, DES_cblock *output, long length,
+             DES_key_schedule ks1, DES_key_schedule ks2, DES_cblock *iv1,
+             DES_cblock *iv2, int enc)
         {
         int off=((int)length-1)/8;
         long l8=((length+7)/8)*8;
-        des_cblock niv1,niv2;
+        DES_cblock niv1,niv2;
 
         if (enc == DES_ENCRYPT)
                 {
-                des_cbc_encrypt((unsigned char*)input,
-                                (unsigned char*)output,length,ks1,iv1,enc);
-                if (length >= sizeof(des_cblock))
-                        memcpy(niv1,output[off],sizeof(des_cblock));
-                des_cbc_encrypt((unsigned char*)output,
-                                (unsigned char*)output,l8,ks2,iv1,!enc);
-                des_cbc_encrypt((unsigned char*)output,
-                                (unsigned char*)output,l8,ks1,iv2,enc);
-                if (length >= sizeof(des_cblock))
-                        memcpy(niv2,output[off],sizeof(des_cblock));
+                DES_cbc_encrypt((unsigned char*)input,
+                                (unsigned char*)output,length,&ks1,iv1,enc);
+                if (length >= sizeof(DES_cblock))
+                        memcpy(niv1,output[off],sizeof(DES_cblock));
+                DES_cbc_encrypt((unsigned char*)output,
+                                (unsigned char*)output,l8,&ks2,iv1,!enc);
+                DES_cbc_encrypt((unsigned char*)output,
+                                (unsigned char*)output,l8,&ks1,iv2,enc);
+                if (length >= sizeof(DES_cblock))
+                        memcpy(niv2,output[off],sizeof(DES_cblock));
                 }
         else
                 {
-                if (length >= sizeof(des_cblock))
-                        memcpy(niv2,input[off],sizeof(des_cblock));
-                des_cbc_encrypt((unsigned char*)input,
-                                (unsigned char*)output,l8,ks1,iv2,enc);
-                des_cbc_encrypt((unsigned char*)output,
-                                (unsigned char*)output,l8,ks2,iv1,!enc);
-                if (length >= sizeof(des_cblock))
-                        memcpy(niv1,output[off],sizeof(des_cblock));
-                des_cbc_encrypt((unsigned char*)output,
-                                (unsigned char*)output,length,ks1,iv1,enc);
+                if (length >= sizeof(DES_cblock))
+                        memcpy(niv2,input[off],sizeof(DES_cblock));
+                DES_cbc_encrypt((unsigned char*)input,
+                                (unsigned char*)output,l8,&ks1,iv2,enc);
+                DES_cbc_encrypt((unsigned char*)output,
+                                (unsigned char*)output,l8,&ks2,iv1,!enc);
+                if (length >= sizeof(DES_cblock))
+                        memcpy(niv1,output[off],sizeof(DES_cblock));
+                DES_cbc_encrypt((unsigned char*)output,
+                                (unsigned char*)output,length,&ks1,iv1,enc);
                 }
-        memcpy(*iv1,niv1,sizeof(des_cblock));
-        memcpy(*iv2,niv2,sizeof(des_cblock));
+        memcpy(*iv1,niv1,sizeof(DES_cblock));
+        memcpy(*iv2,niv2,sizeof(DES_cblock));
         }
 
diff --git a/src/lib/libcrypto/des/cbc_cksm.c b/src/lib/libcrypto/des/cbc_cksm.c
index b857df0985..6c5305b99d 100644
--- a/src/lib/libcrypto/des/cbc_cksm.c
+++ b/src/lib/libcrypto/des/cbc_cksm.c
@@ -58,9 +58,9 @@
 
 #include "des_locl.h"
 
-DES_LONG des_cbc_cksum(const unsigned char *in, des_cblock *output,
-                long length,
-                des_key_schedule schedule, const_des_cblock *ivec)
+DES_LONG DES_cbc_cksum(const unsigned char *in, DES_cblock *output,
+                       long length, DES_key_schedule *schedule,
+                       const_DES_cblock *ivec)
         {
         register DES_LONG tout0,tout1,tin0,tin1;
         register long l=length;
@@ -82,7 +82,7 @@ DES_LONG des_cbc_cksum(const unsigned char *in, des_cblock *output,
                         
                 tin0^=tout0; tin[0]=tin0;
                 tin1^=tout1; tin[1]=tin1;
-                des_encrypt1((DES_LONG *)tin,schedule,DES_ENCRYPT);
+                DES_encrypt1((DES_LONG *)tin,schedule,DES_ENCRYPT);
                 /* fix 15/10/91 eay - thanks to keithr@sco.COM */
                 tout0=tin[0];
                 tout1=tin[1];
diff --git a/src/lib/libcrypto/des/cfb64ede.c b/src/lib/libcrypto/des/cfb64ede.c
index 5362a551bf..60c1aa08db 100644
--- a/src/lib/libcrypto/des/cfb64ede.c
+++ b/src/lib/libcrypto/des/cfb64ede.c
@@ -63,9 +63,10 @@
  * 64bit block we have used is contained in *num;
  */
 
-void des_ede3_cfb64_encrypt(const unsigned char *in, unsigned char *out,
-             long length, des_key_schedule ks1, des_key_schedule ks2,
-             des_key_schedule ks3, des_cblock *ivec, int *num, int enc)
+void DES_ede3_cfb64_encrypt(const unsigned char *in, unsigned char *out,
+                            long length, DES_key_schedule *ks1,
+                            DES_key_schedule *ks2, DES_key_schedule *ks3,
+                            DES_cblock *ivec, int *num, int enc)
         {
         register DES_LONG v0,v1;
         register long l=length;
@@ -85,7 +86,7 @@ void des_ede3_cfb64_encrypt(const unsigned char *in, unsigned char *out,
 
                                 ti[0]=v0;
                                 ti[1]=v1;
-                                des_encrypt3(ti,ks1,ks2,ks3);
+                                DES_encrypt3(ti,ks1,ks2,ks3);
                                 v0=ti[0];
                                 v1=ti[1];
 
@@ -111,7 +112,7 @@ void des_ede3_cfb64_encrypt(const unsigned char *in, unsigned char *out,
 
                                 ti[0]=v0;
                                 ti[1]=v1;
-                                des_encrypt3(ti,ks1,ks2,ks3);
+                                DES_encrypt3(ti,ks1,ks2,ks3);
                                 v0=ti[0];
                                 v1=ti[1];
 
@@ -132,10 +133,10 @@ void des_ede3_cfb64_encrypt(const unsigned char *in, unsigned char *out,
         }
 
 #ifdef undef /* MACRO */
-void des_ede2_cfb64_encrypt(unsigned char *in, unsigned char *out, long length,
-             des_key_schedule ks1, des_key_schedule ks2, des_cblock (*ivec),
+void DES_ede2_cfb64_encrypt(unsigned char *in, unsigned char *out, long length,
+             DES_key_schedule ks1, DES_key_schedule ks2, DES_cblock (*ivec),
              int *num, int enc)
         {
-        des_ede3_cfb64_encrypt(in,out,length,ks1,ks2,ks1,ivec,num,enc);
+        DES_ede3_cfb64_encrypt(in,out,length,ks1,ks2,ks1,ivec,num,enc);
         }
 #endif
diff --git a/src/lib/libcrypto/des/cfb64enc.c b/src/lib/libcrypto/des/cfb64enc.c
index 105530dfa3..5ec8683e40 100644
--- a/src/lib/libcrypto/des/cfb64enc.c
+++ b/src/lib/libcrypto/des/cfb64enc.c
@@ -63,9 +63,9 @@
  * 64bit block we have used is contained in *num;
  */
 
-void des_cfb64_encrypt(const unsigned char *in, unsigned char *out,
-             long length, des_key_schedule schedule, des_cblock *ivec,
-             int *num, int enc)
+void DES_cfb64_encrypt(const unsigned char *in, unsigned char *out,
+                       long length, DES_key_schedule *schedule,
+                       DES_cblock *ivec, int *num, int enc)
         {
         register DES_LONG v0,v1;
         register long l=length;
@@ -82,7 +82,7 @@ void des_cfb64_encrypt(const unsigned char *in, unsigned char *out,
                                 {
                                 c2l(iv,v0); ti[0]=v0;
                                 c2l(iv,v1); ti[1]=v1;
-                                des_encrypt1(ti,schedule,DES_ENCRYPT);
+                                DES_encrypt1(ti,schedule,DES_ENCRYPT);
                                 iv = &(*ivec)[0];
                                 v0=ti[0]; l2c(v0,iv);
                                 v0=ti[1]; l2c(v0,iv);
@@ -102,7 +102,7 @@ void des_cfb64_encrypt(const unsigned char *in, unsigned char *out,
                                 {
                                 c2l(iv,v0); ti[0]=v0;
                                 c2l(iv,v1); ti[1]=v1;
-                                des_encrypt1(ti,schedule,DES_ENCRYPT);
+                                DES_encrypt1(ti,schedule,DES_ENCRYPT);
                                 iv = &(*ivec)[0];
                                 v0=ti[0]; l2c(v0,iv);
                                 v0=ti[1]; l2c(v0,iv);
diff --git a/src/lib/libcrypto/des/cfb_enc.c b/src/lib/libcrypto/des/cfb_enc.c
index ec4fd4ea67..17bf77ca9e 100644
--- a/src/lib/libcrypto/des/cfb_enc.c
+++ b/src/lib/libcrypto/des/cfb_enc.c
@@ -64,8 +64,8 @@
  * the second.  The second 12 bits will come from the 3rd and half the 4th
  * byte.
  */
-void des_cfb_encrypt(const unsigned char *in, unsigned char *out, int numbits,
-             long length, des_key_schedule schedule, des_cblock *ivec, int enc)
+void DES_cfb_encrypt(const unsigned char *in, unsigned char *out, int numbits,
+                     long length, DES_key_schedule *schedule, DES_cblock *ivec, int enc)
         {
         register DES_LONG d0,d1,v0,v1,n=(numbits+7)/8;
         register DES_LONG mask0,mask1;
@@ -100,7 +100,7 @@ void des_cfb_encrypt(const unsigned char *in, unsigned char *out, int numbits,
                         l-=n;
                         ti[0]=v0;
                         ti[1]=v1;
-                        des_encrypt1((DES_LONG *)ti,schedule,DES_ENCRYPT);
+                        DES_encrypt1((DES_LONG *)ti,schedule,DES_ENCRYPT);
                         c2ln(in,d0,d1,n);
                         in+=n;
                         d0=(d0^ti[0])&mask0;
@@ -132,7 +132,7 @@ void des_cfb_encrypt(const unsigned char *in, unsigned char *out, int numbits,
                         l-=n;
                         ti[0]=v0;
                         ti[1]=v1;
-                        des_encrypt1((DES_LONG *)ti,schedule,DES_ENCRYPT);
+                        DES_encrypt1((DES_LONG *)ti,schedule,DES_ENCRYPT);
                         c2ln(in,d0,d1,n);
                         in+=n;
                         /* 30-08-94 - eay - changed because l>>32 and
diff --git a/src/lib/libcrypto/des/des-lib.com b/src/lib/libcrypto/des/des-lib.com
index 2aea7a0dea..fc2c35a1ce 100644
--- a/src/lib/libcrypto/des/des-lib.com
+++ b/src/lib/libcrypto/des/des-lib.com
@@ -846,8 +846,8 @@ $ ENDIF
 $!
 $! Set Up Initial CC Definitions, Possibly With User Ones
 $!
-$ CCDEFS = "VMS=1"
-$ IF F$TYPE(USER_CCDEFS) .NES. "" THEN CCDEFS = CCDEFS + "," + USER_CCDEFS
+$ CCDEFS = ""
+$ IF F$TYPE(USER_CCDEFS) .NES. "" THEN CCDEFS = USER_CCDEFS
 $ CCEXTRAFLAGS = ""
 $ IF F$TYPE(USER_CCFLAGS) .NES. "" THEN CCEXTRAFLAGS = USER_CCFLAGS
 $ CCDISABLEWARNINGS = ""
diff --git a/src/lib/libcrypto/des/des.c b/src/lib/libcrypto/des/des.c
index 215d7413c0..d8c846b23d 100644
--- a/src/lib/libcrypto/des/des.c
+++ b/src/lib/libcrypto/des/des.c
@@ -59,25 +59,25 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
-#ifndef MSDOS
-#ifndef VMS
 #include <openssl/opensslconf.h>
+#ifndef OPENSSL_SYS_MSDOS
+#ifndef OPENSSL_SYS_VMS
 #include OPENSSL_UNISTD
-#else /* VMS */
+#else /* OPENSSL_SYS_VMS */
 #ifdef __DECC
 #include <unistd.h>
 #else /* not __DECC */
 #include <math.h>
 #endif /* __DECC */
-#endif /* VMS */
-#else /* MSDOS */
+#endif /* OPENSSL_SYS_VMS */
+#else /* OPENSSL_SYS_MSDOS */
 #include <io.h>
 #endif
 
 #include <time.h>
 #include "des_ver.h"
 
-#ifdef VMS
+#ifdef OPENSSL_SYS_VMS
 #include <types.h>
 #include <stat.h>
 #else
@@ -88,6 +88,7 @@
 #endif
 #include <openssl/des.h>
 #include <openssl/rand.h>
+#include <openssl/ui_compat.h>
 
 void usage(void);
 void doencryption(void);
@@ -96,10 +97,10 @@ void uufwriteEnd(FILE *fp);
 int uufread(unsigned char *out,int size,unsigned int num,FILE *fp);
 int uuencode(unsigned char *in,int num,unsigned char *out);
 int uudecode(unsigned char *in,int num,unsigned char *out);
-void des_3cbc_encrypt(des_cblock *input,des_cblock *output,long length,
-        des_key_schedule sk1,des_key_schedule sk2,
-        des_cblock *ivec1,des_cblock *ivec2,int enc);
-#ifdef VMS
+void DES_3cbc_encrypt(DES_cblock *input,DES_cblock *output,long length,
+        DES_key_schedule sk1,DES_key_schedule sk2,
+        DES_cblock *ivec1,DES_cblock *ivec2,int enc);
+#ifdef OPENSSL_SYS_VMS
 #define EXIT(a) exit(a&0x10000000L)
 #else
 #define EXIT(a) exit(a)
@@ -119,7 +120,7 @@ int uubufnum=0;
 #define OUTUUBUF        (65*100)
 unsigned char b[OUTUUBUF];
 unsigned char bb[300];
-des_cblock cksum={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
+DES_cblock cksum={0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
 char cksumname[200]="";
 
 int vflag,cflag,eflag,dflag,kflag,bflag,fflag,sflag,uflag,flag3,hflag,error;
@@ -152,12 +153,14 @@ int main(int argc, char **argv)
                                 case 'c':
                                         cflag=1;
                                         strncpy(cksumname,p,200);
+                                        cksumname[sizeof(cksumname)-1]='\0';
                                         p+=strlen(cksumname);
                                         break;
                                 case 'C':
                                         cflag=1;
                                         longk=1;
                                         strncpy(cksumname,p,200);
+                                        cksumname[sizeof(cksumname)-1]='\0';
                                         p+=strlen(cksumname);
                                         break;
                                 case 'e':
@@ -189,6 +192,7 @@ int main(int argc, char **argv)
                                 case 'u':
                                         uflag=1;
                                         strncpy(uuname,p,200);
+                                        uuname[sizeof(uuname)-1]='\0';
                                         p+=strlen(uuname);
                                         break;
                                 case 'h':
@@ -258,12 +262,12 @@ int main(int argc, char **argv)
 #endif                  
         if (    (in != NULL) &&
                 (out != NULL) &&
-#ifndef MSDOS
+#ifndef OPENSSL_SYS_MSDOS
                 (stat(in,&ins) != -1) &&
                 (stat(out,&outs) != -1) &&
                 (ins.st_dev == outs.st_dev) &&
                 (ins.st_ino == outs.st_ino))
-#else /* MSDOS */
+#else /* OPENSSL_SYS_MSDOS */
                 (strcmp(in,out) == 0))
 #endif
                         {
@@ -298,7 +302,7 @@ int main(int argc, char **argv)
                 EXIT(5);
                 }
 
-#ifdef MSDOS
+#ifdef OPENSSL_SYS_MSDOS
         /* This should set the file to binary mode. */
         {
 #include <fcntl.h>
@@ -360,14 +364,14 @@ void doencryption(void)
 #endif
 
         register int i;
-        des_key_schedule ks,ks2;
-        des_cblock iv,iv2;
+        DES_key_schedule ks,ks2;
+        DES_cblock iv,iv2;
         char *p;
         int num=0,j,k,l,rem,ll,len,last,ex=0;
-        des_cblock kk,k2;
+        DES_cblock kk,k2;
         FILE *O;
         int Exit=0;
-#ifndef MSDOS
+#ifndef OPENSSL_SYS_MSDOS
         static unsigned char buf[BUFSIZE+8],obuf[BUFSIZE+8];
 #else
         static unsigned char *buf=NULL,*obuf=NULL;
@@ -422,19 +426,19 @@ void doencryption(void)
                         else
                                 k2[i-8]=k;
                         }
-                des_set_key_unchecked(&k2,ks2);
+                DES_set_key_unchecked(&k2,&ks2);
                 memset(k2,0,sizeof(k2));
                 }
         else if (longk || flag3)
                 {
                 if (flag3)
                         {
-                        des_string_to_2keys(key,&kk,&k2);
-                        des_set_key_unchecked(&k2,ks2);
+                        DES_string_to_2keys(key,&kk,&k2);
+                        DES_set_key_unchecked(&k2,&ks2);
                         memset(k2,0,sizeof(k2));
                         }
                 else
-                        des_string_to_key(key,&kk);
+                        DES_string_to_key(key,&kk);
                 }
         else
                 for (i=0; i<KEYSIZ; i++)
@@ -452,7 +456,7 @@ void doencryption(void)
                                 kk[i]=key[i]|0x80;
                         }
 
-        des_set_key_unchecked(&kk,ks);
+        DES_set_key_unchecked(&kk,&ks);
         memset(key,0,sizeof(key));
         memset(kk,0,sizeof(kk));
         /* woops - A bug that does not showup under unix :-( */
@@ -491,8 +495,8 @@ void doencryption(void)
 
                         if (cflag)
                                 {
-                                des_cbc_cksum(buf,&cksum,
-                                        (long)len,ks,&cksum);
+                                DES_cbc_cksum(buf,&cksum,
+                                        (long)len,&ks,&cksum);
                                 if (!eflag)
                                         {
                                         if (feof(DES_IN)) break;
@@ -502,24 +506,24 @@ void doencryption(void)
 
                         if (bflag && !flag3)
                                 for (i=0; i<l; i+=8)
-                                        des_ecb_encrypt(
-                                                (des_cblock *)&(buf[i]),
-                                                (des_cblock *)&(obuf[i]),
-                                                ks,do_encrypt);
+                                        DES_ecb_encrypt(
+                                                (DES_cblock *)&(buf[i]),
+                                                (DES_cblock *)&(obuf[i]),
+                                                &ks,do_encrypt);
                         else if (flag3 && bflag)
                                 for (i=0; i<l; i+=8)
-                                        des_ecb2_encrypt(
-                                                (des_cblock *)&(buf[i]),
-                                                (des_cblock *)&(obuf[i]),
-                                                ks,ks2,do_encrypt);
+                                        DES_ecb2_encrypt(
+                                                (DES_cblock *)&(buf[i]),
+                                                (DES_cblock *)&(obuf[i]),
+                                                &ks,&ks2,do_encrypt);
                         else if (flag3 && !bflag)
                                 {
                                 char tmpbuf[8];
 
                                 if (rem) memcpy(tmpbuf,&(buf[l]),
                                         (unsigned int)rem);
-                                des_3cbc_encrypt(
-                                        (des_cblock *)buf,(des_cblock *)obuf,
+                                DES_3cbc_encrypt(
+                                        (DES_cblock *)buf,(DES_cblock *)obuf,
                                         (long)l,ks,ks2,&iv,
                                         &iv2,do_encrypt);
                                 if (rem) memcpy(&(buf[l]),tmpbuf,
@@ -527,9 +531,9 @@ void doencryption(void)
                                 }
                         else
                                 {
-                                des_cbc_encrypt(
+                                DES_cbc_encrypt(
                                         buf,obuf,
-                                        (long)l,ks,&iv,do_encrypt);
+                                        (long)l,&ks,&iv,do_encrypt);
                                 if (l >= 8) memcpy(iv,&(obuf[l-8]),8);
                                 }
                         if (rem) memcpy(buf,&(buf[l]),(unsigned int)rem);
@@ -581,28 +585,28 @@ void doencryption(void)
 
                         if (bflag && !flag3)
                                 for (i=0; i<l; i+=8)
-                                        des_ecb_encrypt(
-                                                (des_cblock *)&(buf[i]),
-                                                (des_cblock *)&(obuf[i]),
-                                                ks,do_encrypt);
+                                        DES_ecb_encrypt(
+                                                (DES_cblock *)&(buf[i]),
+                                                (DES_cblock *)&(obuf[i]),
+                                                &ks,do_encrypt);
                         else if (flag3 && bflag)
                                 for (i=0; i<l; i+=8)
-                                        des_ecb2_encrypt(
-                                                (des_cblock *)&(buf[i]),
-                                                (des_cblock *)&(obuf[i]),
-                                                ks,ks2,do_encrypt);
+                                        DES_ecb2_encrypt(
+                                                (DES_cblock *)&(buf[i]),
+                                                (DES_cblock *)&(obuf[i]),
+                                                &ks,&ks2,do_encrypt);
                         else if (flag3 && !bflag)
                                 {
-                                des_3cbc_encrypt(
-                                        (des_cblock *)buf,(des_cblock *)obuf,
+                                DES_3cbc_encrypt(
+                                        (DES_cblock *)buf,(DES_cblock *)obuf,
                                         (long)l,ks,ks2,&iv,
                                         &iv2,do_encrypt);
                                 }
                         else
                                 {
-                                des_cbc_encrypt(
+                                DES_cbc_encrypt(
                                         buf,obuf,
-                                        (long)l,ks,&iv,do_encrypt);
+                                        (long)l,&ks,&iv,do_encrypt);
                                 if (l >= 8) memcpy(iv,&(buf[l-8]),8);
                                 }
 
@@ -627,9 +631,9 @@ void doencryption(void)
                                 l=l-8+last;
                                 }
                         i=0;
-                        if (cflag) des_cbc_cksum(obuf,
-                                (des_cblock *)cksum,(long)l/8*8,ks,
-                                (des_cblock *)cksum);
+                        if (cflag) DES_cbc_cksum(obuf,
+                                (DES_cblock *)cksum,(long)l/8*8,&ks,
+                                (DES_cblock *)cksum);
                         while (i != l)
                                 {
                                 j=fwrite(obuf,1,(unsigned int)l-i,DES_OUT);
@@ -664,8 +668,8 @@ void doencryption(void)
 problems:
         memset(buf,0,sizeof(buf));
         memset(obuf,0,sizeof(obuf));
-        memset(ks,0,sizeof(ks));
-        memset(ks2,0,sizeof(ks2));
+        memset(&ks,0,sizeof(ks));
+        memset(&ks2,0,sizeof(ks2));
         memset(iv,0,sizeof(iv));
         memset(iv2,0,sizeof(iv2));
         memset(kk,0,sizeof(kk));
diff --git a/src/lib/libcrypto/des/des.h b/src/lib/libcrypto/des/des.h
index 6b8a7ee11b..dfe5ff64e4 100644
--- a/src/lib/libcrypto/des/des.h
+++ b/src/lib/libcrypto/des/des.h
@@ -59,39 +59,52 @@
 #ifndef HEADER_DES_H
 #define HEADER_DES_H
 
-#ifdef NO_DES
+#ifdef OPENSSL_NO_DES
 #error DES is disabled.
 #endif
 
-#ifdef _KERBEROS_DES_H
-#error <openssl/des.h> replaces <kerberos/des.h>.
-#endif
-
 #include <openssl/opensslconf.h> /* DES_LONG */
 #include <openssl/e_os2.h>      /* OPENSSL_EXTERN */
 
+#ifdef OPENSSL_BUILD_SHLIBCRYPTO
+# undef OPENSSL_EXTERN
+# define OPENSSL_EXTERN OPENSSL_EXPORT
+#endif
+
+#define des_SPtrans DES_SPtrans
+
 #ifdef  __cplusplus
 extern "C" {
 #endif
 
-typedef unsigned char des_cblock[8];
-typedef /* const */ unsigned char const_des_cblock[8];
-/* With "const", gcc 2.8.1 on Solaris thinks that des_cblock *
- * and const_des_cblock * are incompatible pointer types. */
+typedef unsigned char DES_cblock[8];
+typedef /* const */ unsigned char const_DES_cblock[8];
+/* With "const", gcc 2.8.1 on Solaris thinks that DES_cblock *
+ * and const_DES_cblock * are incompatible pointer types. */
 
-typedef struct des_ks_struct
+typedef struct DES_ks
+    {
+    union
         {
-        union   {
-                des_cblock cblock;
-                /* make sure things are correct size on machines with
-                 * 8 byte longs */
-                DES_LONG deslong[2];
-                } ks;
-        int weak_key;
-        } des_key_schedule[16];
+        DES_cblock cblock;
+        /* make sure things are correct size on machines with
+         * 8 byte longs */
+        DES_LONG deslong[2];
+        } ks[16];
+    } DES_key_schedule;
+
+#ifndef OPENSSL_DISABLE_OLD_DES_SUPPORT
+# ifndef OPENSSL_ENABLE_OLD_DES_SUPPORT
+#  define OPENSSL_ENABLE_OLD_DES_SUPPORT
+# endif
+#endif
 
-#define DES_KEY_SZ      (sizeof(des_cblock))
-#define DES_SCHEDULE_SZ (sizeof(des_key_schedule))
+#ifdef OPENSSL_ENABLE_OLD_DES_SUPPORT
+# include <openssl/des_old.h>
+#endif
+
+#define DES_KEY_SZ      (sizeof(DES_cblock))
+#define DES_SCHEDULE_SZ (sizeof(DES_key_schedule))
 
 #define DES_ENCRYPT     1
 #define DES_DECRYPT     0
@@ -99,44 +112,45 @@ typedef struct des_ks_struct
 #define DES_CBC_MODE    0
 #define DES_PCBC_MODE   1
 
-#define des_ecb2_encrypt(i,o,k1,k2,e) \
-        des_ecb3_encrypt((i),(o),(k1),(k2),(k1),(e))
-
-#define des_ede2_cbc_encrypt(i,o,l,k1,k2,iv,e) \
-        des_ede3_cbc_encrypt((i),(o),(l),(k1),(k2),(k1),(iv),(e))
-
-#define des_ede2_cfb64_encrypt(i,o,l,k1,k2,iv,n,e) \
-        des_ede3_cfb64_encrypt((i),(o),(l),(k1),(k2),(k1),(iv),(n),(e))
-
-#define des_ede2_ofb64_encrypt(i,o,l,k1,k2,iv,n) \
-        des_ede3_ofb64_encrypt((i),(o),(l),(k1),(k2),(k1),(iv),(n))
-
-OPENSSL_EXTERN int des_check_key;       /* defaults to false */
-OPENSSL_EXTERN int des_rw_mode;         /* defaults to DES_PCBC_MODE */
-OPENSSL_EXTERN int des_set_weak_key_flag; /* set the weak key flag */
-
-const char *des_options(void);
-void des_ecb3_encrypt(const_des_cblock *input, des_cblock *output,
-                      des_key_schedule ks1,des_key_schedule ks2,
-                      des_key_schedule ks3, int enc);
-DES_LONG des_cbc_cksum(const unsigned char *input,des_cblock *output,
-                       long length,des_key_schedule schedule,
-                       const_des_cblock *ivec);
-/* des_cbc_encrypt does not update the IV!  Use des_ncbc_encrypt instead. */
-void des_cbc_encrypt(const unsigned char *input,unsigned char *output,
-                     long length,des_key_schedule schedule,des_cblock *ivec,
+#define DES_ecb2_encrypt(i,o,k1,k2,e) \
+        DES_ecb3_encrypt((i),(o),(k1),(k2),(k1),(e))
+
+#define DES_ede2_cbc_encrypt(i,o,l,k1,k2,iv,e) \
+        DES_ede3_cbc_encrypt((i),(o),(l),(k1),(k2),(k1),(iv),(e))
+
+#define DES_ede2_cfb64_encrypt(i,o,l,k1,k2,iv,n,e) \
+        DES_ede3_cfb64_encrypt((i),(o),(l),(k1),(k2),(k1),(iv),(n),(e))
+
+#define DES_ede2_ofb64_encrypt(i,o,l,k1,k2,iv,n) \
+        DES_ede3_ofb64_encrypt((i),(o),(l),(k1),(k2),(k1),(iv),(n))
+
+OPENSSL_DECLARE_GLOBAL(int,DES_check_key);      /* defaults to false */
+#define DES_check_key OPENSSL_GLOBAL_REF(DES_check_key)
+OPENSSL_DECLARE_GLOBAL(int,DES_rw_mode);        /* defaults to DES_PCBC_MODE */
+#define DES_rw_mode OPENSSL_GLOBAL_REF(DES_rw_mode)
+
+const char *DES_options(void);
+void DES_ecb3_encrypt(const_DES_cblock *input, DES_cblock *output,
+                      DES_key_schedule *ks1,DES_key_schedule *ks2,
+                      DES_key_schedule *ks3, int enc);
+DES_LONG DES_cbc_cksum(const unsigned char *input,DES_cblock *output,
+                       long length,DES_key_schedule *schedule,
+                       const_DES_cblock *ivec);
+/* DES_cbc_encrypt does not update the IV!  Use DES_ncbc_encrypt instead. */
+void DES_cbc_encrypt(const unsigned char *input,unsigned char *output,
+                     long length,DES_key_schedule *schedule,DES_cblock *ivec,
                      int enc);
-void des_ncbc_encrypt(const unsigned char *input,unsigned char *output,
-                      long length,des_key_schedule schedule,des_cblock *ivec,
+void DES_ncbc_encrypt(const unsigned char *input,unsigned char *output,
+                      long length,DES_key_schedule *schedule,DES_cblock *ivec,
                       int enc);
-void des_xcbc_encrypt(const unsigned char *input,unsigned char *output,
-                      long length,des_key_schedule schedule,des_cblock *ivec,
-                      const_des_cblock *inw,const_des_cblock *outw,int enc);
-void des_cfb_encrypt(const unsigned char *in,unsigned char *out,int numbits,
-                     long length,des_key_schedule schedule,des_cblock *ivec,
+void DES_xcbc_encrypt(const unsigned char *input,unsigned char *output,
+                      long length,DES_key_schedule *schedule,DES_cblock *ivec,
+                      const_DES_cblock *inw,const_DES_cblock *outw,int enc);
+void DES_cfb_encrypt(const unsigned char *in,unsigned char *out,int numbits,
+                     long length,DES_key_schedule *schedule,DES_cblock *ivec,
                      int enc);
-void des_ecb_encrypt(const_des_cblock *input,des_cblock *output,
-                     des_key_schedule ks,int enc);
+void DES_ecb_encrypt(const_DES_cblock *input,DES_cblock *output,
+                     DES_key_schedule *ks,int enc);
 
 /*      This is the DES encryption function that gets called by just about
         every other DES routine in the library.  You should not use this
@@ -145,119 +159,81 @@ void des_ecb_encrypt(const_des_cblock *input,des_cblock *output,
         long, and this needs to be done to make sure 'non-aligned' memory
         access do not occur.  The characters are loaded 'little endian'.
         Data is a pointer to 2 unsigned long's and ks is the
-        des_key_schedule to use.  enc, is non zero specifies encryption,
+        DES_key_schedule to use.  enc, is non zero specifies encryption,
         zero if decryption. */
-void des_encrypt1(DES_LONG *data,des_key_schedule ks, int enc);
+void DES_encrypt1(DES_LONG *data,DES_key_schedule *ks, int enc);
 
-/*      This functions is the same as des_encrypt1() except that the DES
+/*      This functions is the same as DES_encrypt1() except that the DES
         initial permutation (IP) and final permutation (FP) have been left
-        out.  As for des_encrypt1(), you should not use this function.
+        out.  As for DES_encrypt1(), you should not use this function.
         It is used by the routines in the library that implement triple DES.
-        IP() des_encrypt2() des_encrypt2() des_encrypt2() FP() is the same
-        as des_encrypt1() des_encrypt1() des_encrypt1() except faster :-). */
-void des_encrypt2(DES_LONG *data,des_key_schedule ks, int enc);
-
-void des_encrypt3(DES_LONG *data, des_key_schedule ks1,
-        des_key_schedule ks2, des_key_schedule ks3);
-void des_decrypt3(DES_LONG *data, des_key_schedule ks1,
-        des_key_schedule ks2, des_key_schedule ks3);
-void des_ede3_cbc_encrypt(const unsigned char *input,unsigned char *output, 
+        IP() DES_encrypt2() DES_encrypt2() DES_encrypt2() FP() is the same
+        as DES_encrypt1() DES_encrypt1() DES_encrypt1() except faster :-). */
+void DES_encrypt2(DES_LONG *data,DES_key_schedule *ks, int enc);
+
+void DES_encrypt3(DES_LONG *data, DES_key_schedule *ks1,
+                  DES_key_schedule *ks2, DES_key_schedule *ks3);
+void DES_decrypt3(DES_LONG *data, DES_key_schedule *ks1,
+                  DES_key_schedule *ks2, DES_key_schedule *ks3);
+void DES_ede3_cbc_encrypt(const unsigned char *input,unsigned char *output, 
                           long length,
-                          des_key_schedule ks1,des_key_schedule ks2,
-                          des_key_schedule ks3,des_cblock *ivec,int enc);
-void des_ede3_cbcm_encrypt(const unsigned char *in,unsigned char *out,
+                          DES_key_schedule *ks1,DES_key_schedule *ks2,
+                          DES_key_schedule *ks3,DES_cblock *ivec,int enc);
+void DES_ede3_cbcm_encrypt(const unsigned char *in,unsigned char *out,
                            long length,
-                           des_key_schedule ks1,des_key_schedule ks2,
-                           des_key_schedule ks3,
-                           des_cblock *ivec1,des_cblock *ivec2,
+                           DES_key_schedule *ks1,DES_key_schedule *ks2,
+                           DES_key_schedule *ks3,
+                           DES_cblock *ivec1,DES_cblock *ivec2,
                            int enc);
-void des_ede3_cfb64_encrypt(const unsigned char *in,unsigned char *out,
-                            long length,des_key_schedule ks1,
-                            des_key_schedule ks2,des_key_schedule ks3,
-                            des_cblock *ivec,int *num,int enc);
-void des_ede3_ofb64_encrypt(const unsigned char *in,unsigned char *out,
-                            long length,des_key_schedule ks1,
-                            des_key_schedule ks2,des_key_schedule ks3,
-                            des_cblock *ivec,int *num);
-
-void des_xwhite_in2out(const_des_cblock *des_key,const_des_cblock *in_white,
-                       des_cblock *out_white);
-
-int des_enc_read(int fd,void *buf,int len,des_key_schedule sched,
-                 des_cblock *iv);
-int des_enc_write(int fd,const void *buf,int len,des_key_schedule sched,
-                  des_cblock *iv);
-char *des_fcrypt(const char *buf,const char *salt, char *ret);
-char *des_crypt(const char *buf,const char *salt);
-#if !defined(PERL5) && !defined(__FreeBSD__) && !defined(NeXT)
-char *crypt(const char *buf,const char *salt);
-#endif
-void des_ofb_encrypt(const unsigned char *in,unsigned char *out,int numbits,
-                     long length,des_key_schedule schedule,des_cblock *ivec);
-void des_pcbc_encrypt(const unsigned char *input,unsigned char *output,
-                      long length,des_key_schedule schedule,des_cblock *ivec,
+void DES_ede3_cfb64_encrypt(const unsigned char *in,unsigned char *out,
+                            long length,DES_key_schedule *ks1,
+                            DES_key_schedule *ks2,DES_key_schedule *ks3,
+                            DES_cblock *ivec,int *num,int enc);
+void DES_ede3_ofb64_encrypt(const unsigned char *in,unsigned char *out,
+                            long length,DES_key_schedule *ks1,
+                            DES_key_schedule *ks2,DES_key_schedule *ks3,
+                            DES_cblock *ivec,int *num);
+
+void DES_xwhite_in2out(const_DES_cblock *DES_key,const_DES_cblock *in_white,
+                       DES_cblock *out_white);
+
+int DES_enc_read(int fd,void *buf,int len,DES_key_schedule *sched,
+                 DES_cblock *iv);
+int DES_enc_write(int fd,const void *buf,int len,DES_key_schedule *sched,
+                  DES_cblock *iv);
+char *DES_fcrypt(const char *buf,const char *salt, char *ret);
+char *DES_crypt(const char *buf,const char *salt);
+void DES_ofb_encrypt(const unsigned char *in,unsigned char *out,int numbits,
+                     long length,DES_key_schedule *schedule,DES_cblock *ivec);
+void DES_pcbc_encrypt(const unsigned char *input,unsigned char *output,
+                      long length,DES_key_schedule *schedule,DES_cblock *ivec,
                       int enc);
-DES_LONG des_quad_cksum(const unsigned char *input,des_cblock output[],
-                        long length,int out_count,des_cblock *seed);
-void des_random_seed(des_cblock *key);
-int des_random_key(des_cblock *ret);
-int des_read_password(des_cblock *key,const char *prompt,int verify);
-int des_read_2passwords(des_cblock *key1,des_cblock *key2,
-                        const char *prompt,int verify);
-int des_read_pw_string(char *buf,int length,const char *prompt,int verify);
-void des_set_odd_parity(des_cblock *key);
-int des_check_key_parity(const_des_cblock *key);
-int des_is_weak_key(const_des_cblock *key);
-/* des_set_key (= set_key = des_key_sched = key_sched) calls
- * des_set_key_checked if global variable des_check_key is set,
- * des_set_key_unchecked otherwise. */
-int des_set_key(const_des_cblock *key,des_key_schedule schedule);
-int des_key_sched(const_des_cblock *key,des_key_schedule schedule);
-int des_set_key_checked(const_des_cblock *key,des_key_schedule schedule);
-void des_set_key_unchecked(const_des_cblock *key,des_key_schedule schedule);
-void des_string_to_key(const char *str,des_cblock *key);
-void des_string_to_2keys(const char *str,des_cblock *key1,des_cblock *key2);
-void des_cfb64_encrypt(const unsigned char *in,unsigned char *out,long length,
-                       des_key_schedule schedule,des_cblock *ivec,int *num,
+DES_LONG DES_quad_cksum(const unsigned char *input,DES_cblock output[],
+                        long length,int out_count,DES_cblock *seed);
+int DES_random_key(DES_cblock *ret);
+void DES_set_odd_parity(DES_cblock *key);
+int DES_check_key_parity(const_DES_cblock *key);
+int DES_is_weak_key(const_DES_cblock *key);
+/* DES_set_key (= set_key = DES_key_sched = key_sched) calls
+ * DES_set_key_checked if global variable DES_check_key is set,
+ * DES_set_key_unchecked otherwise. */
+int DES_set_key(const_DES_cblock *key,DES_key_schedule *schedule);
+int DES_key_sched(const_DES_cblock *key,DES_key_schedule *schedule);
+int DES_set_key_checked(const_DES_cblock *key,DES_key_schedule *schedule);
+void DES_set_key_unchecked(const_DES_cblock *key,DES_key_schedule *schedule);
+void DES_string_to_key(const char *str,DES_cblock *key);
+void DES_string_to_2keys(const char *str,DES_cblock *key1,DES_cblock *key2);
+void DES_cfb64_encrypt(const unsigned char *in,unsigned char *out,long length,
+                       DES_key_schedule *schedule,DES_cblock *ivec,int *num,
                        int enc);
-void des_ofb64_encrypt(const unsigned char *in,unsigned char *out,long length,
-                       des_key_schedule schedule,des_cblock *ivec,int *num);
-int des_read_pw(char *buf,char *buff,int size,const char *prompt,int verify);
-
-/* The following definitions provide compatibility with the MIT Kerberos
- * library. The des_key_schedule structure is not binary compatible. */
+void DES_ofb64_encrypt(const unsigned char *in,unsigned char *out,long length,
+                       DES_key_schedule *schedule,DES_cblock *ivec,int *num);
 
-#define _KERBEROS_DES_H
-
-#define KRBDES_ENCRYPT DES_ENCRYPT
-#define KRBDES_DECRYPT DES_DECRYPT
-
-#ifdef KERBEROS
-#  define ENCRYPT DES_ENCRYPT
-#  define DECRYPT DES_DECRYPT
-#endif
-
-#ifndef NCOMPAT
-#  define C_Block des_cblock
-#  define Key_schedule des_key_schedule
-#  define KEY_SZ DES_KEY_SZ
-#  define string_to_key des_string_to_key
-#  define read_pw_string des_read_pw_string
-#  define random_key des_random_key
-#  define pcbc_encrypt des_pcbc_encrypt
-#  define set_key des_set_key
-#  define key_sched des_key_sched
-#  define ecb_encrypt des_ecb_encrypt
-#  define cbc_encrypt des_cbc_encrypt
-#  define ncbc_encrypt des_ncbc_encrypt
-#  define xcbc_encrypt des_xcbc_encrypt
-#  define cbc_cksum des_cbc_cksum
-#  define quad_cksum des_quad_cksum
-#  define check_parity des_check_key_parity
-#endif
+int DES_read_password(DES_cblock *key, const char *prompt, int verify);
+int DES_read_2passwords(DES_cblock *key1, DES_cblock *key2, const char *prompt,
+        int verify);
 
-typedef des_key_schedule bit_64;
-#define des_fixup_key_parity des_set_odd_parity
+#define DES_fixup_key_parity DES_set_odd_parity
 
 #ifdef  __cplusplus
 }
diff --git a/src/lib/libcrypto/des/des_enc.c b/src/lib/libcrypto/des/des_enc.c
index 0bd9fa39bc..1c37ab96d3 100644
--- a/src/lib/libcrypto/des/des_enc.c
+++ b/src/lib/libcrypto/des/des_enc.c
@@ -58,11 +58,11 @@
 
 #include "des_locl.h"
 
-void des_encrypt1(DES_LONG *data, des_key_schedule ks, int enc)
+void DES_encrypt1(DES_LONG *data, DES_key_schedule *ks, int enc)
         {
         register DES_LONG l,r,t,u;
 #ifdef DES_PTR
-        register const unsigned char *des_SP=(const unsigned char *)des_SPtrans;
+        register const unsigned char *des_SP=(const unsigned char *)DES_SPtrans;
 #endif
 #ifndef DES_UNROLL
         register int i;
@@ -75,7 +75,7 @@ void des_encrypt1(DES_LONG *data, des_key_schedule ks, int enc)
         IP(r,l);
         /* Things have been modified so that the initial rotate is
          * done outside the loop.  This required the
-         * des_SPtrans values in sp.h to be rotated 1 bit to the right.
+         * DES_SPtrans values in sp.h to be rotated 1 bit to the right.
          * One perl script later and things have a 5% speed up on a sparc2.
          * Thanks to Richard Outerbridge <71755.204@CompuServe.COM>
          * for pointing this out. */
@@ -84,7 +84,7 @@ void des_encrypt1(DES_LONG *data, des_key_schedule ks, int enc)
         r=ROTATE(r,29)&0xffffffffL;
         l=ROTATE(l,29)&0xffffffffL;
 
-        s=ks->ks.deslong;
+        s=ks->ks->deslong;
         /* I don't know if it is worth the effort of loop unrolling the
          * inner loop */
         if (enc)
@@ -156,11 +156,11 @@ void des_encrypt1(DES_LONG *data, des_key_schedule ks, int enc)
         l=r=t=u=0;
         }
 
-void des_encrypt2(DES_LONG *data, des_key_schedule ks, int enc)
+void DES_encrypt2(DES_LONG *data, DES_key_schedule *ks, int enc)
         {
         register DES_LONG l,r,t,u;
 #ifdef DES_PTR
-        register const unsigned char *des_SP=(const unsigned char *)des_SPtrans;
+        register const unsigned char *des_SP=(const unsigned char *)DES_SPtrans;
 #endif
 #ifndef DES_UNROLL
         register int i;
@@ -172,7 +172,7 @@ void des_encrypt2(DES_LONG *data, des_key_schedule ks, int enc)
 
         /* Things have been modified so that the initial rotate is
          * done outside the loop.  This required the
-         * des_SPtrans values in sp.h to be rotated 1 bit to the right.
+         * DES_SPtrans values in sp.h to be rotated 1 bit to the right.
          * One perl script later and things have a 5% speed up on a sparc2.
          * Thanks to Richard Outerbridge <71755.204@CompuServe.COM>
          * for pointing this out. */
@@ -180,7 +180,7 @@ void des_encrypt2(DES_LONG *data, des_key_schedule ks, int enc)
         r=ROTATE(r,29)&0xffffffffL;
         l=ROTATE(l,29)&0xffffffffL;
 
-        s=ks->ks.deslong;
+        s=ks->ks->deslong;
         /* I don't know if it is worth the effort of loop unrolling the
          * inner loop */
         if (enc)
@@ -247,8 +247,8 @@ void des_encrypt2(DES_LONG *data, des_key_schedule ks, int enc)
         l=r=t=u=0;
         }
 
-void des_encrypt3(DES_LONG *data, des_key_schedule ks1, des_key_schedule ks2,
-             des_key_schedule ks3)
+void DES_encrypt3(DES_LONG *data, DES_key_schedule *ks1,
+                  DES_key_schedule *ks2, DES_key_schedule *ks3)
         {
         register DES_LONG l,r;
 
@@ -257,9 +257,9 @@ void des_encrypt3(DES_LONG *data, des_key_schedule ks1, des_key_schedule ks2,
         IP(l,r);
         data[0]=l;
         data[1]=r;
-        des_encrypt2((DES_LONG *)data,ks1,DES_ENCRYPT);
-        des_encrypt2((DES_LONG *)data,ks2,DES_DECRYPT);
-        des_encrypt2((DES_LONG *)data,ks3,DES_ENCRYPT);
+        DES_encrypt2((DES_LONG *)data,ks1,DES_ENCRYPT);
+        DES_encrypt2((DES_LONG *)data,ks2,DES_DECRYPT);
+        DES_encrypt2((DES_LONG *)data,ks3,DES_ENCRYPT);
         l=data[0];
         r=data[1];
         FP(r,l);
@@ -267,8 +267,8 @@ void des_encrypt3(DES_LONG *data, des_key_schedule ks1, des_key_schedule ks2,
         data[1]=r;
         }
 
-void des_decrypt3(DES_LONG *data, des_key_schedule ks1, des_key_schedule ks2,
-             des_key_schedule ks3)
+void DES_decrypt3(DES_LONG *data, DES_key_schedule *ks1,
+                  DES_key_schedule *ks2, DES_key_schedule *ks3)
         {
         register DES_LONG l,r;
 
@@ -277,9 +277,9 @@ void des_decrypt3(DES_LONG *data, des_key_schedule ks1, des_key_schedule ks2,
         IP(l,r);
         data[0]=l;
         data[1]=r;
-        des_encrypt2((DES_LONG *)data,ks3,DES_DECRYPT);
-        des_encrypt2((DES_LONG *)data,ks2,DES_ENCRYPT);
-        des_encrypt2((DES_LONG *)data,ks1,DES_DECRYPT);
+        DES_encrypt2((DES_LONG *)data,ks3,DES_DECRYPT);
+        DES_encrypt2((DES_LONG *)data,ks2,DES_ENCRYPT);
+        DES_encrypt2((DES_LONG *)data,ks1,DES_DECRYPT);
         l=data[0];
         r=data[1];
         FP(r,l);
@@ -290,11 +290,12 @@ void des_decrypt3(DES_LONG *data, des_key_schedule ks1, des_key_schedule ks2,
 #ifndef DES_DEFAULT_OPTIONS
 
 #undef CBC_ENC_C__DONT_UPDATE_IV
-#include "ncbc_enc.c" /* des_ncbc_encrypt */
+#include "ncbc_enc.c" /* DES_ncbc_encrypt */
 
-void des_ede3_cbc_encrypt(const unsigned char *input, unsigned char *output,
-             long length, des_key_schedule ks1, des_key_schedule ks2,
-             des_key_schedule ks3, des_cblock *ivec, int enc)
+void DES_ede3_cbc_encrypt(const unsigned char *input, unsigned char *output,
+                          long length, DES_key_schedule *ks1,
+                          DES_key_schedule *ks2, DES_key_schedule *ks3,
+                          DES_cblock *ivec, int enc)
         {
         register DES_LONG tin0,tin1;
         register DES_LONG tout0,tout1,xor0,xor1;
@@ -321,7 +322,7 @@ void des_ede3_cbc_encrypt(const unsigned char *input, unsigned char *output,
 
                         tin[0]=tin0;
                         tin[1]=tin1;
-                        des_encrypt3((DES_LONG *)tin,ks1,ks2,ks3);
+                        DES_encrypt3((DES_LONG *)tin,ks1,ks2,ks3);
                         tout0=tin[0];
                         tout1=tin[1];
 
@@ -336,7 +337,7 @@ void des_ede3_cbc_encrypt(const unsigned char *input, unsigned char *output,
 
                         tin[0]=tin0;
                         tin[1]=tin1;
-                        des_encrypt3((DES_LONG *)tin,ks1,ks2,ks3);
+                        DES_encrypt3((DES_LONG *)tin,ks1,ks2,ks3);
                         tout0=tin[0];
                         tout1=tin[1];
 
@@ -363,7 +364,7 @@ void des_ede3_cbc_encrypt(const unsigned char *input, unsigned char *output,
 
                         tin[0]=tin0;
                         tin[1]=tin1;
-                        des_decrypt3((DES_LONG *)tin,ks1,ks2,ks3);
+                        DES_decrypt3((DES_LONG *)tin,ks1,ks2,ks3);
                         tout0=tin[0];
                         tout1=tin[1];
 
@@ -384,7 +385,7 @@ void des_ede3_cbc_encrypt(const unsigned char *input, unsigned char *output,
 
                         tin[0]=tin0;
                         tin[1]=tin1;
-                        des_decrypt3((DES_LONG *)tin,ks1,ks2,ks3);
+                        DES_decrypt3((DES_LONG *)tin,ks1,ks2,ks3);
                         tout0=tin[0];
                         tout1=tin[1];
                 
diff --git a/src/lib/libcrypto/des/des_locl.h b/src/lib/libcrypto/des/des_locl.h
index 1ace8f5930..70e833be3f 100644
--- a/src/lib/libcrypto/des/des_locl.h
+++ b/src/lib/libcrypto/des/des_locl.h
@@ -59,19 +59,19 @@
 #ifndef HEADER_DES_LOCL_H
 #define HEADER_DES_LOCL_H
 
-#if defined(WIN32) || defined(WIN16)
-#ifndef MSDOS
-#define MSDOS
+#include <openssl/e_os2.h>
+
+#if defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_WIN16)
+#ifndef OPENSSL_SYS_MSDOS
+#define OPENSSL_SYS_MSDOS
 #endif
 #endif
 
 #include <stdio.h>
 #include <stdlib.h>
 
-#include <openssl/opensslconf.h>
-
-#ifndef MSDOS
-#if !defined(VMS) || defined(__DECC)
+#ifndef OPENSSL_SYS_MSDOS
+#if !defined(OPENSSL_SYS_VMS) || defined(__DECC)
 #ifdef OPENSSL_UNISTD
 # include OPENSSL_UNISTD
 #else
@@ -82,17 +82,22 @@
 #endif
 #include <openssl/des.h>
 
-#ifdef MSDOS            /* Visual C++ 2.1 (Windows NT/95) */
+#ifdef OPENSSL_SYS_MSDOS                /* Visual C++ 2.1 (Windows NT/95) */
 #include <stdlib.h>
 #include <errno.h>
 #include <time.h>
 #include <io.h>
 #endif
 
-#if defined(__STDC__) || defined(VMS) || defined(M_XENIX) || defined(MSDOS)
+#if defined(__STDC__) || defined(OPENSSL_SYS_VMS) || defined(M_XENIX) || defined(OPENSSL_SYS_MSDOS)
 #include <string.h>
 #endif
 
+#ifdef OPENSSL_BUILD_SHLIBCRYPTO
+# undef OPENSSL_EXTERN
+# define OPENSSL_EXTERN OPENSSL_EXPORT
+#endif
+
 #define ITERATIONS 16
 #define HALF_ITERATIONS 8
 
@@ -155,7 +160,7 @@
                                 } \
                         }
 
-#if defined(WIN32) && defined(_MSC_VER)
+#if defined(OPENSSL_SYS_WIN32) && defined(_MSC_VER)
 #define ROTATE(a,n)     (_lrotr(a,n))
 #else
 #define ROTATE(a,n)     (((a)>>(n))+((a)<<(32-(n))))
@@ -278,24 +283,24 @@
         u1=(int)u&0x3f; \
         u2&=0x3f; \
         u>>=16L; \
-        LL^=des_SPtrans[0][u1]; \
-        LL^=des_SPtrans[2][u2]; \
+        LL^=DES_SPtrans[0][u1]; \
+        LL^=DES_SPtrans[2][u2]; \
         u3=(int)u>>8L; \
         u1=(int)u&0x3f; \
         u3&=0x3f; \
-        LL^=des_SPtrans[4][u1]; \
-        LL^=des_SPtrans[6][u3]; \
+        LL^=DES_SPtrans[4][u1]; \
+        LL^=DES_SPtrans[6][u3]; \
         u2=(int)t>>8L; \
         u1=(int)t&0x3f; \
         u2&=0x3f; \
         t>>=16L; \
-        LL^=des_SPtrans[1][u1]; \
-        LL^=des_SPtrans[3][u2]; \
+        LL^=DES_SPtrans[1][u1]; \
+        LL^=DES_SPtrans[3][u2]; \
         u3=(int)t>>8L; \
         u1=(int)t&0x3f; \
         u3&=0x3f; \
-        LL^=des_SPtrans[5][u1]; \
-        LL^=des_SPtrans[7][u3]; }
+        LL^=DES_SPtrans[5][u1]; \
+        LL^=DES_SPtrans[7][u3]; }
 #endif
 #ifdef DES_RISC2
 #define D_ENCRYPT(LL,R,S) {\
@@ -306,25 +311,25 @@
         u2=(int)u>>8L; \
         u1=(int)u&0x3f; \
         u2&=0x3f; \
-        LL^=des_SPtrans[0][u1]; \
-        LL^=des_SPtrans[2][u2]; \
+        LL^=DES_SPtrans[0][u1]; \
+        LL^=DES_SPtrans[2][u2]; \
         s1=(int)u>>16L; \
         s2=(int)u>>24L; \
         s1&=0x3f; \
         s2&=0x3f; \
-        LL^=des_SPtrans[4][s1]; \
-        LL^=des_SPtrans[6][s2]; \
+        LL^=DES_SPtrans[4][s1]; \
+        LL^=DES_SPtrans[6][s2]; \
         u2=(int)t>>8L; \
         u1=(int)t&0x3f; \
         u2&=0x3f; \
-        LL^=des_SPtrans[1][u1]; \
-        LL^=des_SPtrans[3][u2]; \
+        LL^=DES_SPtrans[1][u1]; \
+        LL^=DES_SPtrans[3][u2]; \
         s1=(int)t>>16; \
         s2=(int)t>>24L; \
         s1&=0x3f; \
         s2&=0x3f; \
-        LL^=des_SPtrans[5][s1]; \
-        LL^=des_SPtrans[7][s2]; }
+        LL^=DES_SPtrans[5][s1]; \
+        LL^=DES_SPtrans[7][s2]; }
 #endif
 
 #else
@@ -333,14 +338,14 @@
         LOAD_DATA_tmp(R,S,u,t,E0,E1); \
         t=ROTATE(t,4); \
         LL^=\
-                des_SPtrans[0][(u>> 2L)&0x3f]^ \
-                des_SPtrans[2][(u>>10L)&0x3f]^ \
-                des_SPtrans[4][(u>>18L)&0x3f]^ \
-                des_SPtrans[6][(u>>26L)&0x3f]^ \
-                des_SPtrans[1][(t>> 2L)&0x3f]^ \
-                des_SPtrans[3][(t>>10L)&0x3f]^ \
-                des_SPtrans[5][(t>>18L)&0x3f]^ \
-                des_SPtrans[7][(t>>26L)&0x3f]; }
+                DES_SPtrans[0][(u>> 2L)&0x3f]^ \
+                DES_SPtrans[2][(u>>10L)&0x3f]^ \
+                DES_SPtrans[4][(u>>18L)&0x3f]^ \
+                DES_SPtrans[6][(u>>26L)&0x3f]^ \
+                DES_SPtrans[1][(t>> 2L)&0x3f]^ \
+                DES_SPtrans[3][(t>>10L)&0x3f]^ \
+                DES_SPtrans[5][(t>>18L)&0x3f]^ \
+                DES_SPtrans[7][(t>>26L)&0x3f]; }
 #endif
 #endif
 
@@ -405,8 +410,8 @@
         PERM_OP(l,r,tt, 4,0x0f0f0f0fL); \
         }
 
-OPENSSL_EXTERN const DES_LONG des_SPtrans[8][64];
+OPENSSL_EXTERN const DES_LONG DES_SPtrans[8][64];
 
-void fcrypt_body(DES_LONG *out,des_key_schedule ks,
-        DES_LONG Eswap0, DES_LONG Eswap1);
+void fcrypt_body(DES_LONG *out,DES_key_schedule *ks,
+                 DES_LONG Eswap0, DES_LONG Eswap1);
 #endif
diff --git a/src/lib/libcrypto/des/des_old.c b/src/lib/libcrypto/des/des_old.c
new file mode 100644
index 0000000000..7e4cd7180d
--- /dev/null
+++ b/src/lib/libcrypto/des/des_old.c
@@ -0,0 +1,271 @@
+/* crypto/des/des_old.c -*- mode:C; c-file-style: "eay" -*- */
+
+/* WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
+ *
+ * The function names in here are deprecated and are only present to
+ * provide an interface compatible with libdes.  OpenSSL now provides
+ * functions where "des_" has been replaced with "DES_" in the names,
+ * to make it possible to make incompatible changes that are needed
+ * for C type security and other stuff.
+ *
+ * Please consider starting to use the DES_ functions rather than the
+ * des_ ones.  The des_ functions will dissapear completely before
+ * OpenSSL 1.0!
+ *
+ * WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
+ */
+
+/* Written by Richard Levitte (richard@levitte.org) for the OpenSSL
+ * project 2001.
+ */
+/* ====================================================================
+ * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#define OPENSSL_DES_LIBDES_COMPATIBILITY
+#include <openssl/des.h>
+#include <openssl/rand.h>
+
+const char *_ossl_old_des_options(void)
+        {
+        return DES_options();
+        }
+void _ossl_old_des_ecb3_encrypt(_ossl_old_des_cblock *input,_ossl_old_des_cblock *output,
+        des_key_schedule ks1,des_key_schedule ks2,
+        des_key_schedule ks3, int enc)
+        {
+        DES_ecb3_encrypt((const_DES_cblock *)input, output,
+                (DES_key_schedule *)ks1, (DES_key_schedule *)ks2,
+                (DES_key_schedule *)ks3, enc);
+        }
+DES_LONG _ossl_old_des_cbc_cksum(_ossl_old_des_cblock *input,_ossl_old_des_cblock *output,
+        long length,des_key_schedule schedule,_ossl_old_des_cblock *ivec)
+        {
+        return DES_cbc_cksum((unsigned char *)input, output, length,
+                (DES_key_schedule *)schedule, ivec);
+        }
+void _ossl_old_des_cbc_encrypt(_ossl_old_des_cblock *input,_ossl_old_des_cblock *output,long length,
+        des_key_schedule schedule,_ossl_old_des_cblock *ivec,int enc)
+        {
+        DES_cbc_encrypt((unsigned char *)input, (unsigned char *)output,
+                length, (DES_key_schedule *)schedule, ivec, enc);
+        }
+void _ossl_old_des_ncbc_encrypt(_ossl_old_des_cblock *input,_ossl_old_des_cblock *output,long length,
+        des_key_schedule schedule,_ossl_old_des_cblock *ivec,int enc)
+        {
+        DES_ncbc_encrypt((unsigned char *)input, (unsigned char *)output,
+                length, (DES_key_schedule *)schedule, ivec, enc);
+        }
+void _ossl_old_des_xcbc_encrypt(_ossl_old_des_cblock *input,_ossl_old_des_cblock *output,long length,
+        des_key_schedule schedule,_ossl_old_des_cblock *ivec,
+        _ossl_old_des_cblock *inw,_ossl_old_des_cblock *outw,int enc)
+        {
+        DES_xcbc_encrypt((unsigned char *)input, (unsigned char *)output,
+                length, (DES_key_schedule *)schedule, ivec, inw, outw, enc);
+        }
+void _ossl_old_des_cfb_encrypt(unsigned char *in,unsigned char *out,int numbits,
+        long length,des_key_schedule schedule,_ossl_old_des_cblock *ivec,int enc)
+        {
+        DES_cfb_encrypt(in, out, numbits, length,
+                (DES_key_schedule *)schedule, ivec, enc);
+        }
+void _ossl_old_des_ecb_encrypt(_ossl_old_des_cblock *input,_ossl_old_des_cblock *output,
+        des_key_schedule ks,int enc)
+        {
+        DES_ecb_encrypt(input, output, (DES_key_schedule *)ks, enc);
+        }
+void _ossl_old_des_encrypt(DES_LONG *data,des_key_schedule ks, int enc)
+        {
+        DES_encrypt1(data, (DES_key_schedule *)ks, enc);
+        }
+void _ossl_old_des_encrypt2(DES_LONG *data,des_key_schedule ks, int enc)
+        {
+        DES_encrypt2(data, (DES_key_schedule *)ks, enc);
+        }
+void _ossl_old_des_encrypt3(DES_LONG *data, des_key_schedule ks1,
+        des_key_schedule ks2, des_key_schedule ks3)
+        {
+        DES_encrypt3(data, (DES_key_schedule *)ks1, (DES_key_schedule *)ks2,
+                (DES_key_schedule *)ks3);
+        }
+void _ossl_old_des_decrypt3(DES_LONG *data, des_key_schedule ks1,
+        des_key_schedule ks2, des_key_schedule ks3)
+        {
+        DES_decrypt3(data, (DES_key_schedule *)ks1, (DES_key_schedule *)ks2,
+                (DES_key_schedule *)ks3);
+        }
+void _ossl_old_des_ede3_cbc_encrypt(_ossl_old_des_cblock *input, _ossl_old_des_cblock *output, 
+        long length, des_key_schedule ks1, des_key_schedule ks2, 
+        des_key_schedule ks3, _ossl_old_des_cblock *ivec, int enc)
+        {
+        DES_ede3_cbc_encrypt((unsigned char *)input, (unsigned char *)output,
+                length, (DES_key_schedule *)ks1, (DES_key_schedule *)ks2,
+                (DES_key_schedule *)ks3, ivec, enc);
+        }
+void _ossl_old_des_ede3_cfb64_encrypt(unsigned char *in, unsigned char *out,
+        long length, des_key_schedule ks1, des_key_schedule ks2,
+        des_key_schedule ks3, _ossl_old_des_cblock *ivec, int *num, int enc)
+        {
+        DES_ede3_cfb64_encrypt(in, out, length,
+                (DES_key_schedule *)ks1, (DES_key_schedule *)ks2,
+                (DES_key_schedule *)ks3, ivec, num, enc);
+        }
+void _ossl_old_des_ede3_ofb64_encrypt(unsigned char *in, unsigned char *out,
+        long length, des_key_schedule ks1, des_key_schedule ks2,
+        des_key_schedule ks3, _ossl_old_des_cblock *ivec, int *num)
+        {
+        DES_ede3_ofb64_encrypt(in, out, length,
+                (DES_key_schedule *)ks1, (DES_key_schedule *)ks2,
+                (DES_key_schedule *)ks3, ivec, num);
+        }
+
+void _ossl_old_des_xwhite_in2out(_ossl_old_des_cblock (*des_key), _ossl_old_des_cblock (*in_white),
+        _ossl_old_des_cblock (*out_white))
+        {
+        DES_xwhite_in2out(des_key, in_white, out_white);
+        }
+
+int _ossl_old_des_enc_read(int fd,char *buf,int len,des_key_schedule sched,
+        _ossl_old_des_cblock *iv)
+        {
+        return DES_enc_read(fd, buf, len, (DES_key_schedule *)sched, iv);
+        }
+int _ossl_old_des_enc_write(int fd,char *buf,int len,des_key_schedule sched,
+        _ossl_old_des_cblock *iv)
+        {
+        return DES_enc_write(fd, buf, len, (DES_key_schedule *)sched, iv);
+        }
+char *_ossl_old_des_fcrypt(const char *buf,const char *salt, char *ret)
+        {
+        return DES_fcrypt(buf, salt, ret);
+        }
+char *_ossl_old_des_crypt(const char *buf,const char *salt)
+        {
+        return DES_crypt(buf, salt);
+        }
+char *_ossl_old_crypt(const char *buf,const char *salt)
+        {
+        return DES_crypt(buf, salt);
+        }
+void _ossl_old_des_ofb_encrypt(unsigned char *in,unsigned char *out,
+        int numbits,long length,des_key_schedule schedule,_ossl_old_des_cblock *ivec)
+        {
+        DES_ofb_encrypt(in, out, numbits, length, (DES_key_schedule *)schedule,
+                ivec);
+        }
+void _ossl_old_des_pcbc_encrypt(_ossl_old_des_cblock *input,_ossl_old_des_cblock *output,long length,
+        des_key_schedule schedule,_ossl_old_des_cblock *ivec,int enc)
+        {
+        DES_pcbc_encrypt((unsigned char *)input, (unsigned char *)output,
+                length, (DES_key_schedule *)schedule, ivec, enc);
+        }
+DES_LONG _ossl_old_des_quad_cksum(_ossl_old_des_cblock *input,_ossl_old_des_cblock *output,
+        long length,int out_count,_ossl_old_des_cblock *seed)
+        {
+        return DES_quad_cksum((unsigned char *)input, output, length,
+                out_count, seed);
+        }
+void _ossl_old_des_random_seed(_ossl_old_des_cblock key)
+        {
+        RAND_seed(key, sizeof(_ossl_old_des_cblock));
+        }
+void _ossl_old_des_random_key(_ossl_old_des_cblock ret)
+        {
+        DES_random_key((DES_cblock *)ret);
+        }
+int _ossl_old_des_read_password(_ossl_old_des_cblock *key, const char *prompt,
+                                int verify)
+        {
+        return DES_read_password(key, prompt, verify);
+        }
+int _ossl_old_des_read_2passwords(_ossl_old_des_cblock *key1, _ossl_old_des_cblock *key2,
+        const char *prompt, int verify)
+        {
+        return DES_read_2passwords(key1, key2, prompt, verify);
+        }
+void _ossl_old_des_set_odd_parity(_ossl_old_des_cblock *key)
+        {
+        DES_set_odd_parity(key);
+        }
+int _ossl_old_des_is_weak_key(_ossl_old_des_cblock *key)
+        {
+        return DES_is_weak_key(key);
+        }
+int _ossl_old_des_set_key(_ossl_old_des_cblock *key,des_key_schedule schedule)
+        {
+        return DES_set_key(key, (DES_key_schedule *)schedule);
+        }
+int _ossl_old_des_key_sched(_ossl_old_des_cblock *key,des_key_schedule schedule)
+        {
+        return DES_key_sched(key, (DES_key_schedule *)schedule);
+        }
+void _ossl_old_des_string_to_key(char *str,_ossl_old_des_cblock *key)
+        {
+        DES_string_to_key(str, key);
+        }
+void _ossl_old_des_string_to_2keys(char *str,_ossl_old_des_cblock *key1,_ossl_old_des_cblock *key2)
+        {
+        DES_string_to_2keys(str, key1, key2);
+        }
+void _ossl_old_des_cfb64_encrypt(unsigned char *in, unsigned char *out, long length,
+        des_key_schedule schedule, _ossl_old_des_cblock *ivec, int *num, int enc)
+        {
+        DES_cfb64_encrypt(in, out, length, (DES_key_schedule *)schedule,
+                ivec, num, enc);
+        }
+void _ossl_old_des_ofb64_encrypt(unsigned char *in, unsigned char *out, long length,
+        des_key_schedule schedule, _ossl_old_des_cblock *ivec, int *num)
+        {
+        DES_ofb64_encrypt(in, out, length, (DES_key_schedule *)schedule,
+                ivec, num);
+        }
diff --git a/src/lib/libcrypto/des/des_old.h b/src/lib/libcrypto/des/des_old.h
new file mode 100644
index 0000000000..3778f93c15
--- /dev/null
+++ b/src/lib/libcrypto/des/des_old.h
@@ -0,0 +1,437 @@
+/* crypto/des/des_old.h -*- mode:C; c-file-style: "eay" -*- */
+
+/* WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
+ *
+ * The function names in here are deprecated and are only present to
+ * provide an interface compatible with openssl 0.9.6 and older as
+ * well as libdes.  OpenSSL now provides functions where "des_" has
+ * been replaced with "DES_" in the names, to make it possible to
+ * make incompatible changes that are needed for C type security and
+ * other stuff.
+ *
+ * This include files has two compatibility modes:
+ *
+ *   - If OPENSSL_DES_LIBDES_COMPATIBILITY is defined, you get an API
+ *     that is compatible with libdes and SSLeay.
+ *   - If OPENSSL_DES_LIBDES_COMPATIBILITY isn't defined, you get an
+ *     API that is compatible with OpenSSL 0.9.5x to 0.9.6x.
+ *
+ * Note that these modes break earlier snapshots of OpenSSL, where
+ * libdes compatibility was the only available mode or (later on) the
+ * prefered compatibility mode.  However, after much consideration
+ * (and more or less violent discussions with external parties), it
+ * was concluded that OpenSSL should be compatible with earlier versions
+ * of itself before anything else.  Also, in all honesty, libdes is
+ * an old beast that shouldn't really be used any more.
+ *
+ * Please consider starting to use the DES_ functions rather than the
+ * des_ ones.  The des_ functions will disappear completely before
+ * OpenSSL 1.0!
+ *
+ * WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
+ */
+
+/* Written by Richard Levitte (richard@levitte.org) for the OpenSSL
+ * project 2001.
+ */
+/* ====================================================================
+ * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#ifndef HEADER_DES_OLD_H
+#define HEADER_DES_OLD_H
+
+#ifdef OPENSSL_NO_DES
+#error DES is disabled.
+#endif
+
+#ifndef HEADER_DES_H
+#error You must include des.h, not des_old.h directly.
+#endif
+
+#ifdef _KERBEROS_DES_H
+#error <openssl/des_old.h> replaces <kerberos/des.h>.
+#endif
+
+#include <openssl/opensslconf.h> /* DES_LONG */
+#include <openssl/e_os2.h>      /* OPENSSL_EXTERN */
+#include <openssl/symhacks.h>
+
+#ifdef OPENSSL_BUILD_SHLIBCRYPTO
+# undef OPENSSL_EXTERN
+# define OPENSSL_EXTERN OPENSSL_EXPORT
+#endif
+
+#ifdef  __cplusplus
+extern "C" {
+#endif
+
+typedef unsigned char _ossl_old_des_cblock[8];
+typedef struct _ossl_old_des_ks_struct
+        {
+        union   {
+                _ossl_old_des_cblock _;
+                /* make sure things are correct size on machines with
+                 * 8 byte longs */
+                DES_LONG pad[2];
+                } ks;
+        } _ossl_old_des_key_schedule[16];
+
+#ifndef OPENSSL_DES_LIBDES_COMPATIBILITY
+#define des_cblock DES_cblock
+#define const_des_cblock const_DES_cblock
+#define des_key_schedule DES_key_schedule
+#define des_ecb3_encrypt(i,o,k1,k2,k3,e)\
+        DES_ecb3_encrypt((i),(o),&(k1),&(k2),&(k3),(e))
+#define des_ede3_cbc_encrypt(i,o,l,k1,k2,k3,iv,e)\
+        DES_ede3_cbc_encrypt((i),(o),(l),&(k1),&(k2),&(k3),(iv),(e))
+#define des_ede3_cbcm_encrypt(i,o,l,k1,k2,k3,iv1,iv2,e)\
+        DES_ede3_cbcm_encrypt((i),(o),(l),&(k1),&(k2),&(k3),(iv1),(iv2),(e))
+#define des_ede3_cfb64_encrypt(i,o,l,k1,k2,k3,iv,n,e)\
+        DES_ede3_cfb64_encrypt((i),(o),(l),&(k1),&(k2),&(k3),(iv),(n),(e))
+#define des_ede3_ofb64_encrypt(i,o,l,k1,k2,k3,iv,n)\
+        DES_ede3_ofb64_encrypt((i),(o),(l),&(k1),&(k2),&(k3),(iv),(n))
+#define des_options()\
+        DES_options()
+#define des_cbc_cksum(i,o,l,k,iv)\
+        DES_cbc_cksum((i),(o),(l),&(k),(iv))
+#define des_cbc_encrypt(i,o,l,k,iv,e)\
+        DES_cbc_encrypt((i),(o),(l),&(k),(iv),(e))
+#define des_ncbc_encrypt(i,o,l,k,iv,e)\
+        DES_ncbc_encrypt((i),(o),(l),&(k),(iv),(e))
+#define des_xcbc_encrypt(i,o,l,k,iv,inw,outw,e)\
+        DES_xcbc_encrypt((i),(o),(l),&(k),(iv),(inw),(outw),(e))
+#define des_cfb_encrypt(i,o,n,l,k,iv,e)\
+        DES_cfb_encrypt((i),(o),(n),(l),&(k),(iv),(e))
+#define des_ecb_encrypt(i,o,k,e)\
+        DES_ecb_encrypt((i),(o),&(k),(e))
+#define des_encrypt1(d,k,e)\
+        DES_encrypt1((d),&(k),(e))
+#define des_encrypt2(d,k,e)\
+        DES_encrypt2((d),&(k),(e))
+#define des_encrypt3(d,k1,k2,k3)\
+        DES_encrypt3((d),&(k1),&(k2),&(k3))
+#define des_decrypt3(d,k1,k2,k3)\
+        DES_decrypt3((d),&(k1),&(k2),&(k3))
+#define des_xwhite_in2out(k,i,o)\
+        DES_xwhite_in2out((k),(i),(o))
+#define des_enc_read(f,b,l,k,iv)\
+        DES_enc_read((f),(b),(l),&(k),(iv))
+#define des_enc_write(f,b,l,k,iv)\
+        DES_enc_write((f),(b),(l),&(k),(iv))
+#define des_fcrypt(b,s,r)\
+        DES_fcrypt((b),(s),(r))
+#define des_crypt(b,s)\
+        DES_crypt((b),(s))
+#if !defined(PERL5) && !defined(__FreeBSD__) && !defined(NeXT)
+#define crypt(b,s)\
+        DES_crypt((b),(s))
+#endif
+#define des_ofb_encrypt(i,o,n,l,k,iv)\
+        DES_ofb_encrypt((i),(o),(n),(l),&(k),(iv))
+#define des_pcbc_encrypt(i,o,l,k,iv,e)\
+        DES_pcbc_encrypt((i),(o),(l),&(k),(iv),(e))
+#define des_quad_cksum(i,o,l,c,s)\
+        DES_quad_cksum((i),(o),(l),(c),(s))
+#define des_random_seed(k)\
+        _ossl_096_des_random_seed((k))
+#define des_random_key(r)\
+        DES_random_key((r))
+#define des_read_password(k,p,v) \
+        DES_read_password((k),(p),(v))
+#define des_read_2passwords(k1,k2,p,v) \
+        DES_read_2passwords((k1),(k2),(p),(v))
+#define des_set_odd_parity(k)\
+        DES_set_odd_parity((k))
+#define des_check_key_parity(k)\
+        DES_check_key_parity((k))
+#define des_is_weak_key(k)\
+        DES_is_weak_key((k))
+#define des_set_key(k,ks)\
+        DES_set_key((k),&(ks))
+#define des_key_sched(k,ks)\
+        DES_key_sched((k),&(ks))
+#define des_set_key_checked(k,ks)\
+        DES_set_key_checked((k),&(ks))
+#define des_set_key_unchecked(k,ks)\
+        DES_set_key_unchecked((k),&(ks))
+#define des_string_to_key(s,k)\
+        DES_string_to_key((s),(k))
+#define des_string_to_2keys(s,k1,k2)\
+        DES_string_to_2keys((s),(k1),(k2))
+#define des_cfb64_encrypt(i,o,l,ks,iv,n,e)\
+        DES_cfb64_encrypt((i),(o),(l),&(ks),(iv),(n),(e))
+#define des_ofb64_encrypt(i,o,l,ks,iv,n)\
+        DES_ofb64_encrypt((i),(o),(l),&(ks),(iv),(n))
+                
+
+#define des_ecb2_encrypt(i,o,k1,k2,e) \
+        des_ecb3_encrypt((i),(o),(k1),(k2),(k1),(e))
+
+#define des_ede2_cbc_encrypt(i,o,l,k1,k2,iv,e) \
+        des_ede3_cbc_encrypt((i),(o),(l),(k1),(k2),(k1),(iv),(e))
+
+#define des_ede2_cfb64_encrypt(i,o,l,k1,k2,iv,n,e) \
+        des_ede3_cfb64_encrypt((i),(o),(l),(k1),(k2),(k1),(iv),(n),(e))
+
+#define des_ede2_ofb64_encrypt(i,o,l,k1,k2,iv,n) \
+        des_ede3_ofb64_encrypt((i),(o),(l),(k1),(k2),(k1),(iv),(n))
+
+#define des_check_key DES_check_key
+#define des_rw_mode DES_rw_mode
+#else /* libdes compatibility */
+/* Map all symbol names to _ossl_old_des_* form, so we avoid all
+   clashes with libdes */
+#define des_cblock _ossl_old_des_cblock
+#define des_key_schedule _ossl_old_des_key_schedule
+#define des_ecb3_encrypt(i,o,k1,k2,k3,e)\
+        _ossl_old_des_ecb3_encrypt((i),(o),(k1),(k2),(k3),(e))
+#define des_ede3_cbc_encrypt(i,o,l,k1,k2,k3,iv,e)\
+        _ossl_old_des_ede3_cbc_encrypt((i),(o),(l),(k1),(k2),(k3),(iv),(e))
+#define des_ede3_cfb64_encrypt(i,o,l,k1,k2,k3,iv,n,e)\
+        _ossl_old_des_ede3_cfb64_encrypt((i),(o),(l),(k1),(k2),(k3),(iv),(n),(e))
+#define des_ede3_ofb64_encrypt(i,o,l,k1,k2,k3,iv,n)\
+        _ossl_old_des_ede3_ofb64_encrypt((i),(o),(l),(k1),(k2),(k3),(iv),(n))
+#define des_options()\
+        _ossl_old_des_options()
+#define des_cbc_cksum(i,o,l,k,iv)\
+        _ossl_old_des_cbc_cksum((i),(o),(l),(k),(iv))
+#define des_cbc_encrypt(i,o,l,k,iv,e)\
+        _ossl_old_des_cbc_encrypt((i),(o),(l),(k),(iv),(e))
+#define des_ncbc_encrypt(i,o,l,k,iv,e)\
+        _ossl_old_des_ncbc_encrypt((i),(o),(l),(k),(iv),(e))
+#define des_xcbc_encrypt(i,o,l,k,iv,inw,outw,e)\
+        _ossl_old_des_xcbc_encrypt((i),(o),(l),(k),(iv),(inw),(outw),(e))
+#define des_cfb_encrypt(i,o,n,l,k,iv,e)\
+        _ossl_old_des_cfb_encrypt((i),(o),(n),(l),(k),(iv),(e))
+#define des_ecb_encrypt(i,o,k,e)\
+        _ossl_old_des_ecb_encrypt((i),(o),(k),(e))
+#define des_encrypt(d,k,e)\
+        _ossl_old_des_encrypt((d),(k),(e))
+#define des_encrypt2(d,k,e)\
+        _ossl_old_des_encrypt2((d),(k),(e))
+#define des_encrypt3(d,k1,k2,k3)\
+        _ossl_old_des_encrypt3((d),(k1),(k2),(k3))
+#define des_decrypt3(d,k1,k2,k3)\
+        _ossl_old_des_decrypt3((d),(k1),(k2),(k3))
+#define des_xwhite_in2out(k,i,o)\
+        _ossl_old_des_xwhite_in2out((k),(i),(o))
+#define des_enc_read(f,b,l,k,iv)\
+        _ossl_old_des_enc_read((f),(b),(l),(k),(iv))
+#define des_enc_write(f,b,l,k,iv)\
+        _ossl_old_des_enc_write((f),(b),(l),(k),(iv))
+#define des_fcrypt(b,s,r)\
+        _ossl_old_des_fcrypt((b),(s),(r))
+#define des_crypt(b,s)\
+        _ossl_old_des_crypt((b),(s))
+#define crypt(b,s)\
+        _ossl_old_crypt((b),(s))
+#define des_ofb_encrypt(i,o,n,l,k,iv)\
+        _ossl_old_des_ofb_encrypt((i),(o),(n),(l),(k),(iv))
+#define des_pcbc_encrypt(i,o,l,k,iv,e)\
+        _ossl_old_des_pcbc_encrypt((i),(o),(l),(k),(iv),(e))
+#define des_quad_cksum(i,o,l,c,s)\
+        _ossl_old_des_quad_cksum((i),(o),(l),(c),(s))
+#define des_random_seed(k)\
+        _ossl_old_des_random_seed((k))
+#define des_random_key(r)\
+        _ossl_old_des_random_key((r))
+#define des_read_password(k,p,v) \
+        _ossl_old_des_read_password((k),(p),(v))
+#define des_read_2passwords(k1,k2,p,v) \
+        _ossl_old_des_read_2passwords((k1),(k2),(p),(v))
+#define des_set_odd_parity(k)\
+        _ossl_old_des_set_odd_parity((k))
+#define des_is_weak_key(k)\
+        _ossl_old_des_is_weak_key((k))
+#define des_set_key(k,ks)\
+        _ossl_old_des_set_key((k),(ks))
+#define des_key_sched(k,ks)\
+        _ossl_old_des_key_sched((k),(ks))
+#define des_string_to_key(s,k)\
+        _ossl_old_des_string_to_key((s),(k))
+#define des_string_to_2keys(s,k1,k2)\
+        _ossl_old_des_string_to_2keys((s),(k1),(k2))
+#define des_cfb64_encrypt(i,o,l,ks,iv,n,e)\
+        _ossl_old_des_cfb64_encrypt((i),(o),(l),(ks),(iv),(n),(e))
+#define des_ofb64_encrypt(i,o,l,ks,iv,n)\
+        _ossl_old_des_ofb64_encrypt((i),(o),(l),(ks),(iv),(n))
+                
+
+#define des_ecb2_encrypt(i,o,k1,k2,e) \
+        des_ecb3_encrypt((i),(o),(k1),(k2),(k1),(e))
+
+#define des_ede2_cbc_encrypt(i,o,l,k1,k2,iv,e) \
+        des_ede3_cbc_encrypt((i),(o),(l),(k1),(k2),(k1),(iv),(e))
+
+#define des_ede2_cfb64_encrypt(i,o,l,k1,k2,iv,n,e) \
+        des_ede3_cfb64_encrypt((i),(o),(l),(k1),(k2),(k1),(iv),(n),(e))
+
+#define des_ede2_ofb64_encrypt(i,o,l,k1,k2,iv,n) \
+        des_ede3_ofb64_encrypt((i),(o),(l),(k1),(k2),(k1),(iv),(n))
+
+#define des_check_key DES_check_key
+#define des_rw_mode DES_rw_mode
+#endif
+
+const char *_ossl_old_des_options(void);
+void _ossl_old_des_ecb3_encrypt(_ossl_old_des_cblock *input,_ossl_old_des_cblock *output,
+        _ossl_old_des_key_schedule ks1,_ossl_old_des_key_schedule ks2,
+        _ossl_old_des_key_schedule ks3, int enc);
+DES_LONG _ossl_old_des_cbc_cksum(_ossl_old_des_cblock *input,_ossl_old_des_cblock *output,
+        long length,_ossl_old_des_key_schedule schedule,_ossl_old_des_cblock *ivec);
+void _ossl_old_des_cbc_encrypt(_ossl_old_des_cblock *input,_ossl_old_des_cblock *output,long length,
+        _ossl_old_des_key_schedule schedule,_ossl_old_des_cblock *ivec,int enc);
+void _ossl_old_des_ncbc_encrypt(_ossl_old_des_cblock *input,_ossl_old_des_cblock *output,long length,
+        _ossl_old_des_key_schedule schedule,_ossl_old_des_cblock *ivec,int enc);
+void _ossl_old_des_xcbc_encrypt(_ossl_old_des_cblock *input,_ossl_old_des_cblock *output,long length,
+        _ossl_old_des_key_schedule schedule,_ossl_old_des_cblock *ivec,
+        _ossl_old_des_cblock *inw,_ossl_old_des_cblock *outw,int enc);
+void _ossl_old_des_cfb_encrypt(unsigned char *in,unsigned char *out,int numbits,
+        long length,_ossl_old_des_key_schedule schedule,_ossl_old_des_cblock *ivec,int enc);
+void _ossl_old_des_ecb_encrypt(_ossl_old_des_cblock *input,_ossl_old_des_cblock *output,
+        _ossl_old_des_key_schedule ks,int enc);
+void _ossl_old_des_encrypt(DES_LONG *data,_ossl_old_des_key_schedule ks, int enc);
+void _ossl_old_des_encrypt2(DES_LONG *data,_ossl_old_des_key_schedule ks, int enc);
+void _ossl_old_des_encrypt3(DES_LONG *data, _ossl_old_des_key_schedule ks1,
+        _ossl_old_des_key_schedule ks2, _ossl_old_des_key_schedule ks3);
+void _ossl_old_des_decrypt3(DES_LONG *data, _ossl_old_des_key_schedule ks1,
+        _ossl_old_des_key_schedule ks2, _ossl_old_des_key_schedule ks3);
+void _ossl_old_des_ede3_cbc_encrypt(_ossl_old_des_cblock *input, _ossl_old_des_cblock *output, 
+        long length, _ossl_old_des_key_schedule ks1, _ossl_old_des_key_schedule ks2, 
+        _ossl_old_des_key_schedule ks3, _ossl_old_des_cblock *ivec, int enc);
+void _ossl_old_des_ede3_cfb64_encrypt(unsigned char *in, unsigned char *out,
+        long length, _ossl_old_des_key_schedule ks1, _ossl_old_des_key_schedule ks2,
+        _ossl_old_des_key_schedule ks3, _ossl_old_des_cblock *ivec, int *num, int enc);
+void _ossl_old_des_ede3_ofb64_encrypt(unsigned char *in, unsigned char *out,
+        long length, _ossl_old_des_key_schedule ks1, _ossl_old_des_key_schedule ks2,
+        _ossl_old_des_key_schedule ks3, _ossl_old_des_cblock *ivec, int *num);
+
+void _ossl_old_des_xwhite_in2out(_ossl_old_des_cblock (*des_key), _ossl_old_des_cblock (*in_white),
+        _ossl_old_des_cblock (*out_white));
+
+int _ossl_old_des_enc_read(int fd,char *buf,int len,_ossl_old_des_key_schedule sched,
+        _ossl_old_des_cblock *iv);
+int _ossl_old_des_enc_write(int fd,char *buf,int len,_ossl_old_des_key_schedule sched,
+        _ossl_old_des_cblock *iv);
+char *_ossl_old_des_fcrypt(const char *buf,const char *salt, char *ret);
+char *_ossl_old_des_crypt(const char *buf,const char *salt);
+#if !defined(PERL5) && !defined(__FreeBSD__) && !defined(NeXT)
+char *_ossl_old_crypt(const char *buf,const char *salt);
+#endif
+void _ossl_old_des_ofb_encrypt(unsigned char *in,unsigned char *out,
+        int numbits,long length,_ossl_old_des_key_schedule schedule,_ossl_old_des_cblock *ivec);
+void _ossl_old_des_pcbc_encrypt(_ossl_old_des_cblock *input,_ossl_old_des_cblock *output,long length,
+        _ossl_old_des_key_schedule schedule,_ossl_old_des_cblock *ivec,int enc);
+DES_LONG _ossl_old_des_quad_cksum(_ossl_old_des_cblock *input,_ossl_old_des_cblock *output,
+        long length,int out_count,_ossl_old_des_cblock *seed);
+void _ossl_old_des_random_seed(_ossl_old_des_cblock key);
+void _ossl_old_des_random_key(_ossl_old_des_cblock ret);
+int _ossl_old_des_read_password(_ossl_old_des_cblock *key,const char *prompt,int verify);
+int _ossl_old_des_read_2passwords(_ossl_old_des_cblock *key1,_ossl_old_des_cblock *key2,
+        const char *prompt,int verify);
+void _ossl_old_des_set_odd_parity(_ossl_old_des_cblock *key);
+int _ossl_old_des_is_weak_key(_ossl_old_des_cblock *key);
+int _ossl_old_des_set_key(_ossl_old_des_cblock *key,_ossl_old_des_key_schedule schedule);
+int _ossl_old_des_key_sched(_ossl_old_des_cblock *key,_ossl_old_des_key_schedule schedule);
+void _ossl_old_des_string_to_key(char *str,_ossl_old_des_cblock *key);
+void _ossl_old_des_string_to_2keys(char *str,_ossl_old_des_cblock *key1,_ossl_old_des_cblock *key2);
+void _ossl_old_des_cfb64_encrypt(unsigned char *in, unsigned char *out, long length,
+        _ossl_old_des_key_schedule schedule, _ossl_old_des_cblock *ivec, int *num, int enc);
+void _ossl_old_des_ofb64_encrypt(unsigned char *in, unsigned char *out, long length,
+        _ossl_old_des_key_schedule schedule, _ossl_old_des_cblock *ivec, int *num);
+
+void _ossl_096_des_random_seed(des_cblock *key);
+
+/* The following definitions provide compatibility with the MIT Kerberos
+ * library. The _ossl_old_des_key_schedule structure is not binary compatible. */
+
+#define _KERBEROS_DES_H
+
+#define KRBDES_ENCRYPT DES_ENCRYPT
+#define KRBDES_DECRYPT DES_DECRYPT
+
+#ifdef KERBEROS
+#  define ENCRYPT DES_ENCRYPT
+#  define DECRYPT DES_DECRYPT
+#endif
+
+#ifndef NCOMPAT
+#  define C_Block des_cblock
+#  define Key_schedule des_key_schedule
+#  define KEY_SZ DES_KEY_SZ
+#  define string_to_key des_string_to_key
+#  define read_pw_string des_read_pw_string
+#  define random_key des_random_key
+#  define pcbc_encrypt des_pcbc_encrypt
+#  define set_key des_set_key
+#  define key_sched des_key_sched
+#  define ecb_encrypt des_ecb_encrypt
+#  define cbc_encrypt des_cbc_encrypt
+#  define ncbc_encrypt des_ncbc_encrypt
+#  define xcbc_encrypt des_xcbc_encrypt
+#  define cbc_cksum des_cbc_cksum
+#  define quad_cksum des_quad_cksum
+#  define check_parity des_check_key_parity
+#endif
+
+#define des_fixup_key_parity DES_fixup_key_parity
+
+#ifdef  __cplusplus
+}
+#endif
+
+/* for DES_read_pw_string et al */
+#include <openssl/ui_compat.h>
+
+#endif
diff --git a/src/lib/libcrypto/des/des_old2.c b/src/lib/libcrypto/des/des_old2.c
new file mode 100644
index 0000000000..c8fa3ee135
--- /dev/null
+++ b/src/lib/libcrypto/des/des_old2.c
@@ -0,0 +1,82 @@
+/* crypto/des/des_old.c -*- mode:C; c-file-style: "eay" -*- */
+
+/* WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
+ *
+ * The function names in here are deprecated and are only present to
+ * provide an interface compatible with OpenSSL 0.9.6c.  OpenSSL now
+ * provides functions where "des_" has been replaced with "DES_" in
+ * the names, to make it possible to make incompatible changes that
+ * are needed for C type security and other stuff.
+ *
+ * Please consider starting to use the DES_ functions rather than the
+ * des_ ones.  The des_ functions will dissapear completely before
+ * OpenSSL 1.0!
+ *
+ * WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
+ */
+
+/* Written by Richard Levitte (richard@levitte.org) for the OpenSSL
+ * project 2001.
+ */
+/* ====================================================================
+ * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#undef OPENSSL_DES_LIBDES_COMPATIBILITY
+#include <openssl/des.h>
+#include <openssl/rand.h>
+
+void _ossl_096_des_random_seed(DES_cblock *key)
+        {
+        RAND_seed(key, sizeof(DES_cblock));
+        }
diff --git a/src/lib/libcrypto/des/des_opts.c b/src/lib/libcrypto/des/des_opts.c
index 138ee1c6b4..79278b920e 100644
--- a/src/lib/libcrypto/des/des_opts.c
+++ b/src/lib/libcrypto/des/des_opts.c
@@ -59,12 +59,12 @@
 /* define PART1, PART2, PART3 or PART4 to build only with a few of the options.
  * This is for machines with 64k code segment size restrictions. */
 
-#if !defined(MSDOS) && (!defined(VMS) || defined(__DECC))
+#if !defined(OPENSSL_SYS_MSDOS) && (!defined(OPENSSL_SYS_VMS) || defined(__DECC)) && !defined(OPENSSL_SYS_MACOSX)
 #define TIMES
 #endif
 
 #include <stdio.h>
-#ifndef MSDOS
+#ifndef OPENSSL_SYS_MSDOS
 #include <openssl/e_os2.h>
 #include OPENSSL_UNISTD
 #else
@@ -84,7 +84,7 @@ extern void exit();
    The __TMS macro will show if it was.  If it wasn't defined, we should
    undefine TIMES, since that tells the rest of the program how things
    should be handled.                           -- Richard Levitte */
-#if defined(VMS) && defined(__DECC) && !defined(__TMS)
+#if defined(OPENSSL_SYS_VMS_DECC) && !defined(__TMS)
 #undef TIMES
 #endif
 
@@ -118,10 +118,10 @@ extern void exit();
 #undef DES_RISC2
 #undef DES_PTR
 #undef D_ENCRYPT
-#define des_encrypt1 des_encrypt_u4_cisc_idx
-#define des_encrypt2 des_encrypt2_u4_cisc_idx
-#define des_encrypt3 des_encrypt3_u4_cisc_idx
-#define des_decrypt3 des_decrypt3_u4_cisc_idx
+#define DES_encrypt1 des_encrypt_u4_cisc_idx
+#define DES_encrypt2 des_encrypt2_u4_cisc_idx
+#define DES_encrypt3 des_encrypt3_u4_cisc_idx
+#define DES_decrypt3 des_decrypt3_u4_cisc_idx
 #undef HEADER_DES_LOCL_H
 #include "des_enc.c"
 
@@ -130,14 +130,14 @@ extern void exit();
 #undef DES_RISC2
 #undef DES_PTR
 #undef D_ENCRYPT
-#undef des_encrypt1
-#undef des_encrypt2
-#undef des_encrypt3
-#undef des_decrypt3
-#define des_encrypt1 des_encrypt_u16_cisc_idx
-#define des_encrypt2 des_encrypt2_u16_cisc_idx
-#define des_encrypt3 des_encrypt3_u16_cisc_idx
-#define des_decrypt3 des_decrypt3_u16_cisc_idx
+#undef DES_encrypt1
+#undef DES_encrypt2
+#undef DES_encrypt3
+#undef DES_decrypt3
+#define DES_encrypt1 des_encrypt_u16_cisc_idx
+#define DES_encrypt2 des_encrypt2_u16_cisc_idx
+#define DES_encrypt3 des_encrypt3_u16_cisc_idx
+#define DES_decrypt3 des_decrypt3_u16_cisc_idx
 #undef HEADER_DES_LOCL_H
 #include "des_enc.c"
 
@@ -146,14 +146,14 @@ extern void exit();
 #undef DES_RISC2
 #undef DES_PTR
 #undef D_ENCRYPT
-#undef des_encrypt1
-#undef des_encrypt2
-#undef des_encrypt3
-#undef des_decrypt3
-#define des_encrypt1 des_encrypt_u4_risc1_idx
-#define des_encrypt2 des_encrypt2_u4_risc1_idx
-#define des_encrypt3 des_encrypt3_u4_risc1_idx
-#define des_decrypt3 des_decrypt3_u4_risc1_idx
+#undef DES_encrypt1
+#undef DES_encrypt2
+#undef DES_encrypt3
+#undef DES_decrypt3
+#define DES_encrypt1 des_encrypt_u4_risc1_idx
+#define DES_encrypt2 des_encrypt2_u4_risc1_idx
+#define DES_encrypt3 des_encrypt3_u4_risc1_idx
+#define DES_decrypt3 des_decrypt3_u4_risc1_idx
 #undef HEADER_DES_LOCL_H
 #include "des_enc.c"
 
@@ -166,14 +166,14 @@ extern void exit();
 #define DES_RISC2
 #undef DES_PTR
 #undef D_ENCRYPT
-#undef des_encrypt1
-#undef des_encrypt2
-#undef des_encrypt3
-#undef des_decrypt3
-#define des_encrypt1 des_encrypt_u4_risc2_idx
-#define des_encrypt2 des_encrypt2_u4_risc2_idx
-#define des_encrypt3 des_encrypt3_u4_risc2_idx
-#define des_decrypt3 des_decrypt3_u4_risc2_idx
+#undef DES_encrypt1
+#undef DES_encrypt2
+#undef DES_encrypt3
+#undef DES_decrypt3
+#define DES_encrypt1 des_encrypt_u4_risc2_idx
+#define DES_encrypt2 des_encrypt2_u4_risc2_idx
+#define DES_encrypt3 des_encrypt3_u4_risc2_idx
+#define DES_decrypt3 des_decrypt3_u4_risc2_idx
 #undef HEADER_DES_LOCL_H
 #include "des_enc.c"
 
@@ -182,14 +182,14 @@ extern void exit();
 #undef DES_RISC2
 #undef DES_PTR
 #undef D_ENCRYPT
-#undef des_encrypt1
-#undef des_encrypt2
-#undef des_encrypt3
-#undef des_decrypt3
-#define des_encrypt1 des_encrypt_u16_risc1_idx
-#define des_encrypt2 des_encrypt2_u16_risc1_idx
-#define des_encrypt3 des_encrypt3_u16_risc1_idx
-#define des_decrypt3 des_decrypt3_u16_risc1_idx
+#undef DES_encrypt1
+#undef DES_encrypt2
+#undef DES_encrypt3
+#undef DES_decrypt3
+#define DES_encrypt1 des_encrypt_u16_risc1_idx
+#define DES_encrypt2 des_encrypt2_u16_risc1_idx
+#define DES_encrypt3 des_encrypt3_u16_risc1_idx
+#define DES_decrypt3 des_decrypt3_u16_risc1_idx
 #undef HEADER_DES_LOCL_H
 #include "des_enc.c"
 
@@ -198,14 +198,14 @@ extern void exit();
 #define DES_RISC2
 #undef DES_PTR
 #undef D_ENCRYPT
-#undef des_encrypt1
-#undef des_encrypt2
-#undef des_encrypt3
-#undef des_decrypt3
-#define des_encrypt1 des_encrypt_u16_risc2_idx
-#define des_encrypt2 des_encrypt2_u16_risc2_idx
-#define des_encrypt3 des_encrypt3_u16_risc2_idx
-#define des_decrypt3 des_decrypt3_u16_risc2_idx
+#undef DES_encrypt1
+#undef DES_encrypt2
+#undef DES_encrypt3
+#undef DES_decrypt3
+#define DES_encrypt1 des_encrypt_u16_risc2_idx
+#define DES_encrypt2 des_encrypt2_u16_risc2_idx
+#define DES_encrypt3 des_encrypt3_u16_risc2_idx
+#define DES_decrypt3 des_decrypt3_u16_risc2_idx
 #undef HEADER_DES_LOCL_H
 #include "des_enc.c"
 
@@ -218,14 +218,14 @@ extern void exit();
 #undef DES_RISC2
 #define DES_PTR
 #undef D_ENCRYPT
-#undef des_encrypt1
-#undef des_encrypt2
-#undef des_encrypt3
-#undef des_decrypt3
-#define des_encrypt1 des_encrypt_u4_cisc_ptr
-#define des_encrypt2 des_encrypt2_u4_cisc_ptr
-#define des_encrypt3 des_encrypt3_u4_cisc_ptr
-#define des_decrypt3 des_decrypt3_u4_cisc_ptr
+#undef DES_encrypt1
+#undef DES_encrypt2
+#undef DES_encrypt3
+#undef DES_decrypt3
+#define DES_encrypt1 des_encrypt_u4_cisc_ptr
+#define DES_encrypt2 des_encrypt2_u4_cisc_ptr
+#define DES_encrypt3 des_encrypt3_u4_cisc_ptr
+#define DES_decrypt3 des_decrypt3_u4_cisc_ptr
 #undef HEADER_DES_LOCL_H
 #include "des_enc.c"
 
@@ -234,14 +234,14 @@ extern void exit();
 #undef DES_RISC2
 #define DES_PTR
 #undef D_ENCRYPT
-#undef des_encrypt1
-#undef des_encrypt2
-#undef des_encrypt3
-#undef des_decrypt3
-#define des_encrypt1 des_encrypt_u16_cisc_ptr
-#define des_encrypt2 des_encrypt2_u16_cisc_ptr
-#define des_encrypt3 des_encrypt3_u16_cisc_ptr
-#define des_decrypt3 des_decrypt3_u16_cisc_ptr
+#undef DES_encrypt1
+#undef DES_encrypt2
+#undef DES_encrypt3
+#undef DES_decrypt3
+#define DES_encrypt1 des_encrypt_u16_cisc_ptr
+#define DES_encrypt2 des_encrypt2_u16_cisc_ptr
+#define DES_encrypt3 des_encrypt3_u16_cisc_ptr
+#define DES_decrypt3 des_decrypt3_u16_cisc_ptr
 #undef HEADER_DES_LOCL_H
 #include "des_enc.c"
 
@@ -250,14 +250,14 @@ extern void exit();
 #undef DES_RISC2
 #define DES_PTR
 #undef D_ENCRYPT
-#undef des_encrypt1
-#undef des_encrypt2
-#undef des_encrypt3
-#undef des_decrypt3
-#define des_encrypt1 des_encrypt_u4_risc1_ptr
-#define des_encrypt2 des_encrypt2_u4_risc1_ptr
-#define des_encrypt3 des_encrypt3_u4_risc1_ptr
-#define des_decrypt3 des_decrypt3_u4_risc1_ptr
+#undef DES_encrypt1
+#undef DES_encrypt2
+#undef DES_encrypt3
+#undef DES_decrypt3
+#define DES_encrypt1 des_encrypt_u4_risc1_ptr
+#define DES_encrypt2 des_encrypt2_u4_risc1_ptr
+#define DES_encrypt3 des_encrypt3_u4_risc1_ptr
+#define DES_decrypt3 des_decrypt3_u4_risc1_ptr
 #undef HEADER_DES_LOCL_H
 #include "des_enc.c"
 
@@ -270,14 +270,14 @@ extern void exit();
 #define DES_RISC2
 #define DES_PTR
 #undef D_ENCRYPT
-#undef des_encrypt1
-#undef des_encrypt2
-#undef des_encrypt3
-#undef des_decrypt3
-#define des_encrypt1 des_encrypt_u4_risc2_ptr
-#define des_encrypt2 des_encrypt2_u4_risc2_ptr
-#define des_encrypt3 des_encrypt3_u4_risc2_ptr
-#define des_decrypt3 des_decrypt3_u4_risc2_ptr
+#undef DES_encrypt1
+#undef DES_encrypt2
+#undef DES_encrypt3
+#undef DES_decrypt3
+#define DES_encrypt1 des_encrypt_u4_risc2_ptr
+#define DES_encrypt2 des_encrypt2_u4_risc2_ptr
+#define DES_encrypt3 des_encrypt3_u4_risc2_ptr
+#define DES_decrypt3 des_decrypt3_u4_risc2_ptr
 #undef HEADER_DES_LOCL_H
 #include "des_enc.c"
 
@@ -286,14 +286,14 @@ extern void exit();
 #undef DES_RISC2
 #define DES_PTR
 #undef D_ENCRYPT
-#undef des_encrypt1
-#undef des_encrypt2
-#undef des_encrypt3
-#undef des_decrypt3
-#define des_encrypt1 des_encrypt_u16_risc1_ptr
-#define des_encrypt2 des_encrypt2_u16_risc1_ptr
-#define des_encrypt3 des_encrypt3_u16_risc1_ptr
-#define des_decrypt3 des_decrypt3_u16_risc1_ptr
+#undef DES_encrypt1
+#undef DES_encrypt2
+#undef DES_encrypt3
+#undef DES_decrypt3
+#define DES_encrypt1 des_encrypt_u16_risc1_ptr
+#define DES_encrypt2 des_encrypt2_u16_risc1_ptr
+#define DES_encrypt3 des_encrypt3_u16_risc1_ptr
+#define DES_decrypt3 des_decrypt3_u16_risc1_ptr
 #undef HEADER_DES_LOCL_H
 #include "des_enc.c"
 
@@ -302,14 +302,14 @@ extern void exit();
 #define DES_RISC2
 #define DES_PTR
 #undef D_ENCRYPT
-#undef des_encrypt1
-#undef des_encrypt2
-#undef des_encrypt3
-#undef des_decrypt3
-#define des_encrypt1 des_encrypt_u16_risc2_ptr
-#define des_encrypt2 des_encrypt2_u16_risc2_ptr
-#define des_encrypt3 des_encrypt3_u16_risc2_ptr
-#define des_decrypt3 des_decrypt3_u16_risc2_ptr
+#undef DES_encrypt1
+#undef DES_encrypt2
+#undef DES_encrypt3
+#undef DES_decrypt3
+#define DES_encrypt1 des_encrypt_u16_risc2_ptr
+#define DES_encrypt2 des_encrypt2_u16_risc2_ptr
+#define DES_encrypt3 des_encrypt3_u16_risc2_ptr
+#define DES_decrypt3 des_decrypt3_u16_risc2_ptr
 #undef HEADER_DES_LOCL_H
 #include "des_enc.c"
 
@@ -401,7 +401,7 @@ double Time_F(int s)
         for (count=0,run=1; COND(cb); count++) \
                 { \
                 unsigned long d[2]; \
-                func(d,&(sch[0]),DES_ENCRYPT); \
+                func(d,&sch,DES_ENCRYPT); \
                 } \
         tm[index]=Time_F(STOP); \
         fprintf(stderr,"%ld %s's in %.2f second\n",count,name,tm[index]); \
@@ -415,10 +415,10 @@ int main(int argc, char **argv)
         {
         long count;
         static unsigned char buf[BUFSIZE];
-        static des_cblock key ={0x12,0x34,0x56,0x78,0x9a,0xbc,0xde,0xf0};
-        static des_cblock key2={0x34,0x56,0x78,0x9a,0xbc,0xde,0xf0,0x12};
-        static des_cblock key3={0x56,0x78,0x9a,0xbc,0xde,0xf0,0x12,0x34};
-        des_key_schedule sch,sch2,sch3;
+        static DES_cblock key ={0x12,0x34,0x56,0x78,0x9a,0xbc,0xde,0xf0};
+        static DES_cblock key2={0x34,0x56,0x78,0x9a,0xbc,0xde,0xf0,0x12};
+        static DES_cblock key3={0x56,0x78,0x9a,0xbc,0xde,0xf0,0x12,0x34};
+        DES_key_schedule sch,sch2,sch3;
         double d,tm[16],max=0;
         int rank[16];
         char *str[16];
@@ -438,13 +438,13 @@ int main(int argc, char **argv)
         fprintf(stderr,"program when this computer is idle.\n");
 #endif
 
-        des_set_key_unchecked(&key,sch);
-        des_set_key_unchecked(&key2,sch2);
-        des_set_key_unchecked(&key3,sch3);
+        DES_set_key_unchecked(&key,&sch);
+        DES_set_key_unchecked(&key2,&sch2);
+        DES_set_key_unchecked(&key3,&sch3);
 
 #ifndef SIGALRM
         fprintf(stderr,"First we calculate the approximate speed ...\n");
-        des_set_key_unchecked(&key,sch);
+        DES_set_key_unchecked(&key,sch);
         count=10;
         do      {
                 long i;
@@ -453,7 +453,7 @@ int main(int argc, char **argv)
                 count*=2;
                 Time_F(START);
                 for (i=count; i; i--)
-                        des_encrypt1(data,&(sch[0]),DES_ENCRYPT);
+                        DES_encrypt1(data,&(sch[0]),DES_ENCRYPT);
                 d=Time_F(STOP);
                 } while (d < 3.0);
         ca=count;
@@ -598,7 +598,7 @@ int main(int argc, char **argv)
                 break;
                 }
         exit(0);
-#if defined(LINT) || defined(MSDOS)
+#if defined(LINT) || defined(OPENSSL_SYS_MSDOS)
         return(0);
 #endif
         }
diff --git a/src/lib/libcrypto/des/des_ver.h b/src/lib/libcrypto/des/des_ver.h
index de3c02f110..0fa94d5368 100644
--- a/src/lib/libcrypto/des/des_ver.h
+++ b/src/lib/libcrypto/des/des_ver.h
@@ -57,5 +57,11 @@
  */
 
 #include <openssl/e_os2.h>
+
+#ifdef OPENSSL_BUILD_SHLIBCRYPTO
+# undef OPENSSL_EXTERN
+# define OPENSSL_EXTERN OPENSSL_EXPORT
+#endif
+
 OPENSSL_EXTERN char *DES_version;       /* SSLeay version string */
 OPENSSL_EXTERN char *libdes_version;    /* old libdes version string */
diff --git a/src/lib/libcrypto/des/destest.c b/src/lib/libcrypto/des/destest.c
index df0d615d6b..58e8c35dcb 100644
--- a/src/lib/libcrypto/des/destest.c
+++ b/src/lib/libcrypto/des/destest.c
@@ -56,25 +56,26 @@
  * [including the GNU Public Licence.]
  */
 
-#if defined(WIN32) || defined(WIN16) || defined(WINDOWS)
-#ifndef MSDOS
-#define MSDOS
+#include <stdio.h>
+#include <stdlib.h>
+
+#include <openssl/e_os2.h>
+#if defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_WIN16) || defined(OPENSSL_SYS_WINDOWS)
+#ifndef OPENSSL_SYS_MSDOS
+#define OPENSSL_SYS_MSDOS
 #endif
 #endif
 
-#include <stdio.h>
-#include <stdlib.h>
-#ifndef MSDOS
-#if !defined(VMS) || defined(__DECC)
-#include <openssl/opensslconf.h>
+#ifndef OPENSSL_SYS_MSDOS
+#if !defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_VMS_DECC)
 #include OPENSSL_UNISTD
-#endif /* VMS */
+#endif
 #else
 #include <io.h>
 #endif
 #include <string.h>
 
-#ifdef NO_DES
+#ifdef OPENSSL_NO_DES
 int main(int argc, char *argv[])
 {
     printf("No DES support\n");
@@ -83,7 +84,7 @@ int main(int argc, char *argv[])
 #else
 #include <openssl/des.h>
 
-#if defined(PERL5) || defined(__FreeBSD__)
+#if defined(PERL5) || defined(__FreeBSD__) || defined(NeXT)
 #define crypt(c,s) (des_crypt((c),(s)))
 #endif
 
@@ -348,19 +349,19 @@ int main(int argc, char *argv[])
         int num;
         char *str;
 
-#ifndef NO_DESCBCM
+#ifndef OPENSSL_NO_DESCBCM
         printf("Doing cbcm\n");
-        if ((j=des_set_key_checked(&cbc_key,ks)) != 0)
+        if ((j=DES_set_key_checked(&cbc_key,&ks)) != 0)
                 {
                 printf("Key error %d\n",j);
                 err=1;
                 }
-        if ((j=des_set_key_checked(&cbc2_key,ks2)) != 0)
+        if ((j=DES_set_key_checked(&cbc2_key,&ks2)) != 0)
                 {
                 printf("Key error %d\n",j);
                 err=1;
                 }
-        if ((j=des_set_key_checked(&cbc3_key,ks3)) != 0)
+        if ((j=DES_set_key_checked(&cbc3_key,&ks3)) != 0)
                 {
                 printf("Key error %d\n",j);
                 err=1;
@@ -372,9 +373,9 @@ int main(int argc, char *argv[])
         memcpy(iv3,cbc_iv,sizeof(cbc_iv));
         memset(iv2,'\0',sizeof iv2);
 
-        des_ede3_cbcm_encrypt(cbc_data,cbc_out,16L,ks,ks2,ks3,&iv3,&iv2,
+        DES_ede3_cbcm_encrypt(cbc_data,cbc_out,16L,&ks,&ks2,&ks3,&iv3,&iv2,
                               DES_ENCRYPT);
-        des_ede3_cbcm_encrypt(&cbc_data[16],&cbc_out[16],i-16,ks,ks2,ks3,
+        DES_ede3_cbcm_encrypt(&cbc_data[16],&cbc_out[16],i-16,&ks,&ks2,&ks3,
                               &iv3,&iv2,DES_ENCRYPT);
         /*      if (memcmp(cbc_out,cbc3_ok,
                 (unsigned int)(strlen((char *)cbc_data)+1+7)/8*8) != 0)
@@ -385,7 +386,7 @@ int main(int argc, char *argv[])
         */
         memcpy(iv3,cbc_iv,sizeof(cbc_iv));
         memset(iv2,'\0',sizeof iv2);
-        des_ede3_cbcm_encrypt(cbc_out,cbc_in,i,ks,ks2,ks3,&iv3,&iv2,DES_DECRYPT);
+        DES_ede3_cbcm_encrypt(cbc_out,cbc_in,i,&ks,&ks2,&ks3,&iv3,&iv2,DES_DECRYPT);
         if (memcmp(cbc_in,cbc_data,strlen((char *)cbc_data)+1) != 0)
                 {
                 int n;
@@ -404,7 +405,7 @@ int main(int argc, char *argv[])
         printf("Doing ecb\n");
         for (i=0; i<NUM_TESTS; i++)
                 {
-                des_set_key_unchecked(&key_data[i],ks);
+                DES_set_key_unchecked(&key_data[i],&ks);
                 memcpy(in,plain_data[i],8);
                 memset(out,0,8);
                 memset(outin,0,8);
@@ -430,9 +431,9 @@ int main(int argc, char *argv[])
         printf("Doing ede ecb\n");
         for (i=0; i<(NUM_TESTS-1); i++)
                 {
-                des_set_key_unchecked(&key_data[i],ks);
-                des_set_key_unchecked(&key_data[i+1],ks2);
-                des_set_key_unchecked(&key_data[i+2],ks3);
+                DES_set_key_unchecked(&key_data[i],&ks);
+                DES_set_key_unchecked(&key_data[i+1],&ks2);
+                DES_set_key_unchecked(&key_data[i+2],&ks3);
                 memcpy(in,plain_data[i],8);
                 memset(out,0,8);
                 memset(outin,0,8);
@@ -456,7 +457,7 @@ int main(int argc, char *argv[])
 #endif
 
         printf("Doing cbc\n");
-        if ((j=des_set_key_checked(&cbc_key,ks)) != 0)
+        if ((j=DES_set_key_checked(&cbc_key,&ks)) != 0)
                 {
                 printf("Key error %d\n",j);
                 err=1;
@@ -483,7 +484,7 @@ int main(int argc, char *argv[])
 
 #ifndef LIBDES_LIT
         printf("Doing desx cbc\n");
-        if ((j=des_set_key_checked(&cbc_key,ks)) != 0)
+        if ((j=DES_set_key_checked(&cbc_key,&ks)) != 0)
                 {
                 printf("Key error %d\n",j);
                 err=1;
@@ -509,17 +510,17 @@ int main(int argc, char *argv[])
 #endif
 
         printf("Doing ede cbc\n");
-        if ((j=des_set_key_checked(&cbc_key,ks)) != 0)
+        if ((j=DES_set_key_checked(&cbc_key,&ks)) != 0)
                 {
                 printf("Key error %d\n",j);
                 err=1;
                 }
-        if ((j=des_set_key_checked(&cbc2_key,ks2)) != 0)
+        if ((j=DES_set_key_checked(&cbc2_key,&ks2)) != 0)
                 {
                 printf("Key error %d\n",j);
                 err=1;
                 }
-        if ((j=des_set_key_checked(&cbc3_key,ks3)) != 0)
+        if ((j=DES_set_key_checked(&cbc3_key,&ks3)) != 0)
                 {
                 printf("Key error %d\n",j);
                 err=1;
@@ -530,13 +531,22 @@ int main(int argc, char *argv[])
         /* i=((i+7)/8)*8; */
         memcpy(iv3,cbc_iv,sizeof(cbc_iv));
 
-        des_ede3_cbc_encrypt(cbc_data,cbc_out,16L,ks,ks2,ks3,&iv3,DES_ENCRYPT);
+        des_ede3_cbc_encrypt(cbc_data,cbc_out,16L,ks,ks2,ks3,&iv3,
+                             DES_ENCRYPT);
         des_ede3_cbc_encrypt(&(cbc_data[16]),&(cbc_out[16]),i-16,ks,ks2,ks3,
                              &iv3,DES_ENCRYPT);
         if (memcmp(cbc_out,cbc3_ok,
                 (unsigned int)(strlen((char *)cbc_data)+1+7)/8*8) != 0)
                 {
+                int n;
+
                 printf("des_ede3_cbc_encrypt encrypt error\n");
+                for(n=0 ; n < i ; ++n)
+                    printf(" %02x",cbc_out[n]);
+                printf("\n");
+                for(n=0 ; n < i ; ++n)
+                    printf(" %02x",cbc3_ok[n]);
+                printf("\n");
                 err=1;
                 }
 
@@ -544,13 +554,21 @@ int main(int argc, char *argv[])
         des_ede3_cbc_encrypt(cbc_out,cbc_in,i,ks,ks2,ks3,&iv3,DES_DECRYPT);
         if (memcmp(cbc_in,cbc_data,strlen((char *)cbc_data)+1) != 0)
                 {
+                int n;
+
                 printf("des_ede3_cbc_encrypt decrypt error\n");
+                for(n=0 ; n < i ; ++n)
+                    printf(" %02x",cbc_data[n]);
+                printf("\n");
+                for(n=0 ; n < i ; ++n)
+                    printf(" %02x",cbc_in[n]);
+                printf("\n");
                 err=1;
                 }
 
 #ifndef LIBDES_LIT
         printf("Doing pcbc\n");
-        if ((j=des_set_key_checked(&cbc_key,ks)) != 0)
+        if ((j=DES_set_key_checked(&cbc_key,&ks)) != 0)
                 {
                 printf("Key error %d\n",j);
                 err=1;
@@ -613,7 +631,7 @@ int main(int argc, char *argv[])
         printf("done\n");
 
         printf("Doing ofb\n");
-        des_set_key_checked(&ofb_key,ks);
+        DES_set_key_checked(&ofb_key,&ks);
         memcpy(ofb_tmp,ofb_iv,sizeof(ofb_iv));
         des_ofb_encrypt(plain,ofb_buf1,64,sizeof(plain)/8,ks,&ofb_tmp);
         if (memcmp(ofb_cipher,ofb_buf1,sizeof(ofb_buf1)) != 0)
@@ -642,7 +660,7 @@ plain[8+4], plain[8+5], plain[8+6], plain[8+7]);
                 }
 
         printf("Doing ofb64\n");
-        des_set_key_checked(&ofb_key,ks);
+        DES_set_key_checked(&ofb_key,&ks);
         memcpy(ofb_tmp,ofb_iv,sizeof(ofb_iv));
         memset(ofb_buf1,0,sizeof(ofb_buf1));
         memset(ofb_buf2,0,sizeof(ofb_buf1));
@@ -659,7 +677,8 @@ plain[8+4], plain[8+5], plain[8+6], plain[8+7]);
                 }
         memcpy(ofb_tmp,ofb_iv,sizeof(ofb_iv));
         num=0;
-        des_ofb64_encrypt(ofb_buf1,ofb_buf2,sizeof(ofb_buf1),ks,&ofb_tmp,&num);
+        des_ofb64_encrypt(ofb_buf1,ofb_buf2,sizeof(ofb_buf1),ks,&ofb_tmp,
+                          &num);
         if (memcmp(plain,ofb_buf2,sizeof(ofb_buf2)) != 0)
                 {
                 printf("ofb64_encrypt decrypt error\n");
@@ -667,15 +686,15 @@ plain[8+4], plain[8+5], plain[8+6], plain[8+7]);
                 }
 
         printf("Doing ede_ofb64\n");
-        des_set_key_checked(&ofb_key,ks);
+        DES_set_key_checked(&ofb_key,&ks);
         memcpy(ofb_tmp,ofb_iv,sizeof(ofb_iv));
         memset(ofb_buf1,0,sizeof(ofb_buf1));
         memset(ofb_buf2,0,sizeof(ofb_buf1));
         num=0;
         for (i=0; i<sizeof(plain); i++)
                 {
-                des_ede3_ofb64_encrypt(&(plain[i]),&(ofb_buf1[i]),1,ks,ks,ks,
-                                       &ofb_tmp,&num);
+                des_ede3_ofb64_encrypt(&(plain[i]),&(ofb_buf1[i]),1,ks,ks,
+                                       ks,&ofb_tmp,&num);
                 }
         if (memcmp(ofb_cipher,ofb_buf1,sizeof(ofb_buf1)) != 0)
                 {
@@ -684,8 +703,8 @@ plain[8+4], plain[8+5], plain[8+6], plain[8+7]);
                 }
         memcpy(ofb_tmp,ofb_iv,sizeof(ofb_iv));
         num=0;
-        des_ede3_ofb64_encrypt(ofb_buf1,ofb_buf2,sizeof(ofb_buf1),ks,
-                               ks,ks,&ofb_tmp,&num);
+        des_ede3_ofb64_encrypt(ofb_buf1,ofb_buf2,sizeof(ofb_buf1),ks,ks,ks,
+                               &ofb_tmp,&num);
         if (memcmp(plain,ofb_buf2,sizeof(ofb_buf2)) != 0)
                 {
                 printf("ede_ofb64_encrypt decrypt error\n");
@@ -693,7 +712,7 @@ plain[8+4], plain[8+5], plain[8+6], plain[8+7]);
                 }
 
         printf("Doing cbc_cksum\n");
-        des_set_key_checked(&cbc_key,ks);
+        DES_set_key_checked(&cbc_key,&ks);
         cs=des_cbc_cksum(cbc_data,&cret,strlen((char *)cbc_data),ks,&cbc_iv);
         if (cs != cbc_cksum_ret)
                 {
@@ -708,7 +727,7 @@ plain[8+4], plain[8+5], plain[8+6], plain[8+7]);
                 }
 
         printf("Doing quad_cksum\n");
-        cs=quad_cksum(cbc_data,(des_cblock *)lqret,
+        cs=des_quad_cksum(cbc_data,(des_cblock *)lqret,
                 (long)strlen((char *)cbc_data),2,(des_cblock *)cbc_iv);
         if (cs != 0x70d7a63aL)
                 {
@@ -829,7 +848,7 @@ static int cfb_test(int bits, unsigned char *cfb_cipher)
         des_key_schedule ks;
         int i,err=0;
 
-        des_set_key_checked(&cfb_key,ks);
+        DES_set_key_checked(&cfb_key,&ks);
         memcpy(cfb_tmp,cfb_iv,sizeof(cfb_iv));
         des_cfb_encrypt(plain,cfb_buf1,bits,sizeof(plain),ks,&cfb_tmp,
                         DES_ENCRYPT);
@@ -858,7 +877,7 @@ static int cfb64_test(unsigned char *cfb_cipher)
         des_key_schedule ks;
         int err=0,i,n;
 
-        des_set_key_checked(&cfb_key,ks);
+        DES_set_key_checked(&cfb_key,&ks);
         memcpy(cfb_tmp,cfb_iv,sizeof(cfb_iv));
         n=0;
         des_cfb64_encrypt(plain,cfb_buf1,12,ks,&cfb_tmp,&n,DES_ENCRYPT);
@@ -891,7 +910,7 @@ static int ede_cfb64_test(unsigned char *cfb_cipher)
         des_key_schedule ks;
         int err=0,i,n;
 
-        des_set_key_checked(&cfb_key,ks);
+        DES_set_key_checked(&cfb_key,&ks);
         memcpy(cfb_tmp,cfb_iv,sizeof(cfb_iv));
         n=0;
         des_ede3_cfb64_encrypt(plain,cfb_buf1,12,ks,ks,ks,&cfb_tmp,&n,
diff --git a/src/lib/libcrypto/des/ecb3_enc.c b/src/lib/libcrypto/des/ecb3_enc.c
index fb28b97e1a..c3437bc606 100644
--- a/src/lib/libcrypto/des/ecb3_enc.c
+++ b/src/lib/libcrypto/des/ecb3_enc.c
@@ -58,8 +58,9 @@
 
 #include "des_locl.h"
 
-void des_ecb3_encrypt(const_des_cblock *input, des_cblock *output,
-             des_key_schedule ks1, des_key_schedule ks2, des_key_schedule ks3,
+void DES_ecb3_encrypt(const_DES_cblock *input, DES_cblock *output,
+                      DES_key_schedule *ks1, DES_key_schedule *ks2,
+                      DES_key_schedule *ks3,
              int enc)
         {
         register DES_LONG l0,l1;
@@ -72,9 +73,9 @@ void des_ecb3_encrypt(const_des_cblock *input, des_cblock *output,
         ll[0]=l0;
         ll[1]=l1;
         if (enc)
-                des_encrypt3(ll,ks1,ks2,ks3);
+                DES_encrypt3(ll,ks1,ks2,ks3);
         else
-                des_decrypt3(ll,ks1,ks2,ks3);
+                DES_decrypt3(ll,ks1,ks2,ks3);
         l0=ll[0];
         l1=ll[1];
         l2c(l0,out);
diff --git a/src/lib/libcrypto/des/ecb_enc.c b/src/lib/libcrypto/des/ecb_enc.c
index d481327ef3..4650f2fa0f 100644
--- a/src/lib/libcrypto/des/ecb_enc.c
+++ b/src/lib/libcrypto/des/ecb_enc.c
@@ -63,7 +63,7 @@
 OPENSSL_GLOBAL const char *libdes_version="libdes" OPENSSL_VERSION_PTEXT;
 OPENSSL_GLOBAL const char *DES_version="DES" OPENSSL_VERSION_PTEXT;
 
-const char *des_options(void)
+const char *DES_options(void)
         {
         static int init=1;
         static char buf[32];
@@ -103,9 +103,8 @@ const char *des_options(void)
         }
                 
 
-void des_ecb_encrypt(const_des_cblock *input, des_cblock *output,
-             des_key_schedule ks,
-             int enc)
+void DES_ecb_encrypt(const_DES_cblock *input, DES_cblock *output,
+                     DES_key_schedule *ks, int enc)
         {
         register DES_LONG l;
         DES_LONG ll[2];
@@ -114,9 +113,8 @@ void des_ecb_encrypt(const_des_cblock *input, des_cblock *output,
 
         c2l(in,l); ll[0]=l;
         c2l(in,l); ll[1]=l;
-        des_encrypt1(ll,ks,enc);
+        DES_encrypt1(ll,ks,enc);
         l=ll[0]; l2c(l,out);
         l=ll[1]; l2c(l,out);
         l=ll[0]=ll[1]=0;
         }
-
diff --git a/src/lib/libcrypto/des/ede_cbcm_enc.c b/src/lib/libcrypto/des/ede_cbcm_enc.c
index b98f7e17af..fa45aa272b 100644
--- a/src/lib/libcrypto/des/ede_cbcm_enc.c
+++ b/src/lib/libcrypto/des/ede_cbcm_enc.c
@@ -68,12 +68,12 @@ http://www.cs.technion.ac.il/users/wwwb/cgi-bin/tr-get.cgi/1998/CS/CS0928.ps.gz
 
 */
 
-#ifndef NO_DESCBCM
+#ifndef OPENSSL_NO_DESCBCM
 #include "des_locl.h"
 
-void des_ede3_cbcm_encrypt(const unsigned char *in, unsigned char *out,
-             long length, des_key_schedule ks1, des_key_schedule ks2,
-             des_key_schedule ks3, des_cblock *ivec1, des_cblock *ivec2,
+void DES_ede3_cbcm_encrypt(const unsigned char *in, unsigned char *out,
+             long length, DES_key_schedule *ks1, DES_key_schedule *ks2,
+             DES_key_schedule *ks3, DES_cblock *ivec1, DES_cblock *ivec2,
              int enc)
     {
     register DES_LONG tin0,tin1;
@@ -95,7 +95,7 @@ void des_ede3_cbcm_encrypt(const unsigned char *in, unsigned char *out,
             {
             tin[0]=m0;
             tin[1]=m1;
-            des_encrypt1(tin,ks3,1);
+            DES_encrypt1(tin,ks3,1);
             m0=tin[0];
             m1=tin[1];
 
@@ -113,13 +113,13 @@ void des_ede3_cbcm_encrypt(const unsigned char *in, unsigned char *out,
 
             tin[0]=tin0;
             tin[1]=tin1;
-            des_encrypt1(tin,ks1,1);
+            DES_encrypt1(tin,ks1,1);
             tin[0]^=m0;
             tin[1]^=m1;
-            des_encrypt1(tin,ks2,0);
+            DES_encrypt1(tin,ks2,0);
             tin[0]^=m0;
             tin[1]^=m1;
-            des_encrypt1(tin,ks1,1);
+            DES_encrypt1(tin,ks1,1);
             tout0=tin[0];
             tout1=tin[1];
 
@@ -146,7 +146,7 @@ void des_ede3_cbcm_encrypt(const unsigned char *in, unsigned char *out,
             {
             tin[0]=m0;
             tin[1]=m1;
-            des_encrypt1(tin,ks3,1);
+            DES_encrypt1(tin,ks3,1);
             m0=tin[0];
             m1=tin[1];
 
@@ -158,13 +158,13 @@ void des_ede3_cbcm_encrypt(const unsigned char *in, unsigned char *out,
 
             tin[0]=tin0;
             tin[1]=tin1;
-            des_encrypt1(tin,ks1,0);
+            DES_encrypt1(tin,ks1,0);
             tin[0]^=m0;
             tin[1]^=m1;
-            des_encrypt1(tin,ks2,1);
+            DES_encrypt1(tin,ks2,1);
             tin[0]^=m0;
             tin[1]^=m1;
-            des_encrypt1(tin,ks1,0);
+            DES_encrypt1(tin,ks1,0);
             tout0=tin[0];
             tout1=tin[1];
 
diff --git a/src/lib/libcrypto/des/enc_read.c b/src/lib/libcrypto/des/enc_read.c
index af2d9177d2..c70fb686b8 100644
--- a/src/lib/libcrypto/des/enc_read.c
+++ b/src/lib/libcrypto/des/enc_read.c
@@ -63,15 +63,15 @@
 
 /* This has some uglies in it but it works - even over sockets. */
 /*extern int errno;*/
-OPENSSL_GLOBAL int des_rw_mode=DES_PCBC_MODE;
+OPENSSL_IMPLEMENT_GLOBAL(int,DES_rw_mode)=DES_PCBC_MODE;
 
 
 /*
  * WARNINGS:
  *
- *  -  The data format used by des_enc_write() and des_enc_read()
+ *  -  The data format used by DES_enc_write() and DES_enc_read()
  *     has a cryptographic weakness: When asked to write more
- *     than MAXWRITE bytes, des_enc_write will split the data
+ *     than MAXWRITE bytes, DES_enc_write will split the data
  *     into several chunks that are all encrypted
  *     using the same IV.  So don't use these functions unless you
  *     are sure you know what you do (in which case you might
@@ -84,8 +84,8 @@ OPENSSL_GLOBAL int des_rw_mode=DES_PCBC_MODE;
  */
 
 
-int des_enc_read(int fd, void *buf, int len, des_key_schedule sched,
-                 des_cblock *iv)
+int DES_enc_read(int fd, void *buf, int len, DES_key_schedule *sched,
+                 DES_cblock *iv)
         {
         /* data to be unencrypted */
         int net_num=0;
@@ -180,10 +180,10 @@ int des_enc_read(int fd, void *buf, int len, des_key_schedule sched,
         /* Check if there will be data left over. */
         if (len < num)
                 {
-                if (des_rw_mode & DES_PCBC_MODE)
-                        des_pcbc_encrypt(net,unnet,num,sched,iv,DES_DECRYPT);
+                if (DES_rw_mode & DES_PCBC_MODE)
+                        DES_pcbc_encrypt(net,unnet,num,sched,iv,DES_DECRYPT);
                 else
-                        des_cbc_encrypt(net,unnet,num,sched,iv,DES_DECRYPT);
+                        DES_cbc_encrypt(net,unnet,num,sched,iv,DES_DECRYPT);
                 memcpy(buf,unnet,len);
                 unnet_start=len;
                 unnet_left=num-len;
@@ -202,11 +202,11 @@ int des_enc_read(int fd, void *buf, int len, des_key_schedule sched,
                 if (len < rnum)
                         {
 
-                        if (des_rw_mode & DES_PCBC_MODE)
-                                des_pcbc_encrypt(net,tmpbuf,num,sched,iv,
+                        if (DES_rw_mode & DES_PCBC_MODE)
+                                DES_pcbc_encrypt(net,tmpbuf,num,sched,iv,
                                                  DES_DECRYPT);
                         else
-                                des_cbc_encrypt(net,tmpbuf,num,sched,iv,
+                                DES_cbc_encrypt(net,tmpbuf,num,sched,iv,
                                                 DES_DECRYPT);
 
                         /* eay 26/08/92 fix a bug that returned more
@@ -215,11 +215,11 @@ int des_enc_read(int fd, void *buf, int len, des_key_schedule sched,
                         }
                 else
                         {
-                        if (des_rw_mode & DES_PCBC_MODE)
-                                des_pcbc_encrypt(net,buf,num,sched,iv,
+                        if (DES_rw_mode & DES_PCBC_MODE)
+                                DES_pcbc_encrypt(net,buf,num,sched,iv,
                                                  DES_DECRYPT);
                         else
-                                des_cbc_encrypt(net,buf,num,sched,iv,
+                                DES_cbc_encrypt(net,buf,num,sched,iv,
                                                 DES_DECRYPT);
                         }
                 }
diff --git a/src/lib/libcrypto/des/enc_writ.c b/src/lib/libcrypto/des/enc_writ.c
index cc2b50fb50..af5b8c2349 100644
--- a/src/lib/libcrypto/des/enc_writ.c
+++ b/src/lib/libcrypto/des/enc_writ.c
@@ -66,9 +66,9 @@
 /*
  * WARNINGS:
  *
- *  -  The data format used by des_enc_write() and des_enc_read()
+ *  -  The data format used by DES_enc_write() and DES_enc_read()
  *     has a cryptographic weakness: When asked to write more
- *     than MAXWRITE bytes, des_enc_write will split the data
+ *     than MAXWRITE bytes, DES_enc_write will split the data
  *     into several chunks that are all encrypted
  *     using the same IV.  So don't use these functions unless you
  *     are sure you know what you do (in which case you might
@@ -77,8 +77,8 @@
  *  -  This code cannot handle non-blocking sockets.
  */
 
-int des_enc_write(int fd, const void *_buf, int len,
-                  des_key_schedule sched, des_cblock *iv)
+int DES_enc_write(int fd, const void *_buf, int len,
+                  DES_key_schedule *sched, DES_cblock *iv)
         {
 #ifdef _LIBC
         extern unsigned long time();
@@ -111,7 +111,7 @@ int des_enc_write(int fd, const void *_buf, int len,
                 j=0;
                 for (i=0; i<len; i+=k)
                         {
-                        k=des_enc_write(fd,&(buf[i]),
+                        k=DES_enc_write(fd,&(buf[i]),
                                 ((len-i) > MAXWRITE)?MAXWRITE:(len-i),sched,iv);
                         if (k < 0)
                                 return(k);
@@ -139,11 +139,11 @@ int des_enc_write(int fd, const void *_buf, int len,
                 rnum=((len+7)/8*8); /* round up to nearest eight */
                 }
 
-        if (des_rw_mode & DES_PCBC_MODE)
-                des_pcbc_encrypt(cp,&(outbuf[HDRSIZE]),(len<8)?8:len,sched,iv,
+        if (DES_rw_mode & DES_PCBC_MODE)
+                DES_pcbc_encrypt(cp,&(outbuf[HDRSIZE]),(len<8)?8:len,sched,iv,
                                  DES_ENCRYPT); 
         else
-                des_cbc_encrypt(cp,&(outbuf[HDRSIZE]),(len<8)?8:len,sched,iv,
+                DES_cbc_encrypt(cp,&(outbuf[HDRSIZE]),(len<8)?8:len,sched,iv,
                                 DES_ENCRYPT); 
 
         /* output */
diff --git a/src/lib/libcrypto/des/fcrypt.c b/src/lib/libcrypto/des/fcrypt.c
index 9b21f81cc2..d3d27de9f7 100644
--- a/src/lib/libcrypto/des/fcrypt.c
+++ b/src/lib/libcrypto/des/fcrypt.c
@@ -50,48 +50,55 @@ static unsigned const char cov_2char[64]={
 0x73,0x74,0x75,0x76,0x77,0x78,0x79,0x7A
 };
 
-#ifndef NOPROTO
-void fcrypt_body(DES_LONG *out,des_key_schedule ks,
-        DES_LONG Eswap0, DES_LONG Eswap1);
+void fcrypt_body(DES_LONG *out,DES_key_schedule *ks,
+                 DES_LONG Eswap0, DES_LONG Eswap1);
 
-#if defined(PERL5) || defined(FreeBSD) || defined(__OpenBSD__)
-char *des_crypt(const char *buf,const char *salt);
-#else
-char *crypt(const char *buf,const char *salt);
-#endif
-#else
-void fcrypt_body();
-#ifdef PERL5
-char *des_crypt();
-#else
-char *crypt();
-#endif
-#endif
-
-#if defined(PERL5) || defined(FreeBSD) || defined(__OpenBSD__)
-char *des_crypt(buf,salt)
-#else
-char *crypt(buf,salt)
-#endif
-const char *buf;
-const char *salt;
+char *DES_crypt(const char *buf, const char *salt)
         {
         static char buff[14];
 
-        return(des_fcrypt(buf,salt,buff));
+#ifndef CHARSET_EBCDIC
+        return(DES_fcrypt(buf,salt,buff));
+#else
+        char e_salt[2+1];
+        char e_buf[32+1];       /* replace 32 by 8 ? */
+        char *ret;
+
+        /* Copy at most 2 chars of salt */
+        if ((e_salt[0] = salt[0]) != '\0')
+            e_salt[1] = salt[1];
+
+        /* Copy at most 32 chars of password */
+        strncpy (e_buf, buf, sizeof(e_buf));
+
+        /* Make sure we have a delimiter */
+        e_salt[sizeof(e_salt)-1] = e_buf[sizeof(e_buf)-1] = '\0';
+
+        /* Convert the e_salt to ASCII, as that's what DES_fcrypt works on */
+        ebcdic2ascii(e_salt, e_salt, sizeof e_salt);
+
+        /* Convert the cleartext password to ASCII */
+        ebcdic2ascii(e_buf, e_buf, sizeof e_buf);
+
+        /* Encrypt it (from/to ASCII) */
+        ret = DES_fcrypt(e_buf,e_salt,buff);
+
+        /* Convert the result back to EBCDIC */
+        ascii2ebcdic(ret, ret, strlen(ret));
+        
+        return ret;
+#endif
         }
 
 
-char *des_fcrypt(buf,salt,ret)
-const char *buf;
-const char *salt;
-char *ret;
+
+char *DES_fcrypt(const char *buf, const char *salt, char *ret)
         {
         unsigned int i,j,x,y;
         DES_LONG Eswap0,Eswap1;
         DES_LONG out[2],ll;
-        des_cblock key;
-        des_key_schedule ks;
+        DES_cblock key;
+        DES_key_schedule ks;
         unsigned char bb[9];
         unsigned char *b=bb;
         unsigned char c,u;
@@ -104,10 +111,17 @@ char *ret;
          * crypt to "*".  This was found when replacing the crypt in
          * our shared libraries.  People found that the disabled
          * accounts effectively had no passwd :-(. */
+#ifndef CHARSET_EBCDIC
         x=ret[0]=((salt[0] == '\0')?'A':salt[0]);
         Eswap0=con_salt[x]<<2;
         x=ret[1]=((salt[1] == '\0')?'A':salt[1]);
         Eswap1=con_salt[x]<<6;
+#else
+        x=ret[0]=((salt[0] == '\0')?os_toascii['A']:salt[0]);
+        Eswap0=con_salt[x]<<2;
+        x=ret[1]=((salt[1] == '\0')?os_toascii['A']:salt[1]);
+        Eswap1=con_salt[x]<<6;
+#endif
 
 /* EAY
 r=strlen(buf);
@@ -122,8 +136,8 @@ r=(r+7)/8;
         for (; i<8; i++)
                 key[i]=0;
 
-        des_set_key_unchecked(&key,ks);
-        fcrypt_body(&(out[0]),ks,Eswap0,Eswap1);
+        DES_set_key_unchecked(&key,&ks);
+        fcrypt_body(&(out[0]),&ks,Eswap0,Eswap1);
 
         ll=out[0]; l2c(ll,b);
         ll=out[1]; l2c(ll,b);
@@ -149,4 +163,3 @@ r=(r+7)/8;
         ret[13]='\0';
         return(ret);
         }
-
diff --git a/src/lib/libcrypto/des/fcrypt_b.c b/src/lib/libcrypto/des/fcrypt_b.c
index 22c87f5983..1390138787 100644
--- a/src/lib/libcrypto/des/fcrypt_b.c
+++ b/src/lib/libcrypto/des/fcrypt_b.c
@@ -77,12 +77,12 @@
 #define HPERM_OP(a,t,n,m) ((t)=((((a)<<(16-(n)))^(a))&(m)),\
         (a)=(a)^(t)^(t>>(16-(n))))\
 
-void fcrypt_body(DES_LONG *out, des_key_schedule ks, DES_LONG Eswap0,
-             DES_LONG Eswap1)
+void fcrypt_body(DES_LONG *out, DES_key_schedule *ks, DES_LONG Eswap0,
+                 DES_LONG Eswap1)
         {
         register DES_LONG l,r,t,u;
 #ifdef DES_PTR
-        register const unsigned char *des_SP=(const unsigned char *)des_SPtrans;
+        register const unsigned char *des_SP=(const unsigned char *)DES_SPtrans;
 #endif
         register DES_LONG *s;
         register int j;
diff --git a/src/lib/libcrypto/des/ncbc_enc.c b/src/lib/libcrypto/des/ncbc_enc.c
index b8db07b199..fda23d522f 100644
--- a/src/lib/libcrypto/des/ncbc_enc.c
+++ b/src/lib/libcrypto/des/ncbc_enc.c
@@ -1,8 +1,8 @@
 /* crypto/des/ncbc_enc.c */
 /*
  * #included by:
- *    cbc_enc.c  (des_cbc_encrypt)
- *    des_enc.c  (des_ncbc_encrypt)
+ *    cbc_enc.c  (DES_cbc_encrypt)
+ *    des_enc.c  (DES_ncbc_encrypt)
  */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
@@ -64,11 +64,11 @@
 #include "des_locl.h"
 
 #ifdef CBC_ENC_C__DONT_UPDATE_IV
-void des_cbc_encrypt(const unsigned char *in, unsigned char *out, long length,
-             des_key_schedule schedule, des_cblock *ivec, int enc)
+void DES_cbc_encrypt(const unsigned char *in, unsigned char *out, long length,
+                     DES_key_schedule *_schedule, DES_cblock *ivec, int enc)
 #else
-void des_ncbc_encrypt(const unsigned char *in, unsigned char *out, long length,
-             des_key_schedule schedule, des_cblock *ivec, int enc)
+void DES_ncbc_encrypt(const unsigned char *in, unsigned char *out, long length,
+                     DES_key_schedule *_schedule, DES_cblock *ivec, int enc)
 #endif
         {
         register DES_LONG tin0,tin1;
@@ -89,7 +89,7 @@ void des_ncbc_encrypt(const unsigned char *in, unsigned char *out, long length,
                         c2l(in,tin1);
                         tin0^=tout0; tin[0]=tin0;
                         tin1^=tout1; tin[1]=tin1;
-                        des_encrypt1((DES_LONG *)tin,schedule,DES_ENCRYPT);
+                        DES_encrypt1((DES_LONG *)tin,_schedule,DES_ENCRYPT);
                         tout0=tin[0]; l2c(tout0,out);
                         tout1=tin[1]; l2c(tout1,out);
                         }
@@ -98,7 +98,7 @@ void des_ncbc_encrypt(const unsigned char *in, unsigned char *out, long length,
                         c2ln(in,tin0,tin1,l+8);
                         tin0^=tout0; tin[0]=tin0;
                         tin1^=tout1; tin[1]=tin1;
-                        des_encrypt1((DES_LONG *)tin,schedule,DES_ENCRYPT);
+                        DES_encrypt1((DES_LONG *)tin,_schedule,DES_ENCRYPT);
                         tout0=tin[0]; l2c(tout0,out);
                         tout1=tin[1]; l2c(tout1,out);
                         }
@@ -116,7 +116,7 @@ void des_ncbc_encrypt(const unsigned char *in, unsigned char *out, long length,
                         {
                         c2l(in,tin0); tin[0]=tin0;
                         c2l(in,tin1); tin[1]=tin1;
-                        des_encrypt1((DES_LONG *)tin,schedule,DES_DECRYPT);
+                        DES_encrypt1((DES_LONG *)tin,_schedule,DES_DECRYPT);
                         tout0=tin[0]^xor0;
                         tout1=tin[1]^xor1;
                         l2c(tout0,out);
@@ -128,7 +128,7 @@ void des_ncbc_encrypt(const unsigned char *in, unsigned char *out, long length,
                         {
                         c2l(in,tin0); tin[0]=tin0;
                         c2l(in,tin1); tin[1]=tin1;
-                        des_encrypt1((DES_LONG *)tin,schedule,DES_DECRYPT);
+                        DES_encrypt1((DES_LONG *)tin,_schedule,DES_DECRYPT);
                         tout0=tin[0]^xor0;
                         tout1=tin[1]^xor1;
                         l2cn(tout0,tout1,out,l+8);
diff --git a/src/lib/libcrypto/des/ofb64ede.c b/src/lib/libcrypto/des/ofb64ede.c
index 6eafe908da..26bbf9a6a7 100644
--- a/src/lib/libcrypto/des/ofb64ede.c
+++ b/src/lib/libcrypto/des/ofb64ede.c
@@ -62,15 +62,16 @@
  * used.  The extra state information to record how much of the
  * 64bit block we have used is contained in *num;
  */
-void des_ede3_ofb64_encrypt(register const unsigned char *in,
-             register unsigned char *out, long length, des_key_schedule k1,
-             des_key_schedule k2, des_key_schedule k3, des_cblock *ivec,
-             int *num)
+void DES_ede3_ofb64_encrypt(register const unsigned char *in,
+                            register unsigned char *out, long length,
+                            DES_key_schedule *k1, DES_key_schedule *k2,
+                            DES_key_schedule *k3, DES_cblock *ivec,
+                            int *num)
         {
         register DES_LONG v0,v1;
         register int n= *num;
         register long l=length;
-        des_cblock d;
+        DES_cblock d;
         register char *dp;
         DES_LONG ti[2];
         unsigned char *iv;
@@ -90,7 +91,7 @@ void des_ede3_ofb64_encrypt(register const unsigned char *in,
                         {
                         /* ti[0]=v0; */
                         /* ti[1]=v1; */
-                        des_encrypt3(ti,k1,k2,k3);
+                        DES_encrypt3(ti,k1,k2,k3);
                         v0=ti[0];
                         v1=ti[1];
 
@@ -115,10 +116,10 @@ void des_ede3_ofb64_encrypt(register const unsigned char *in,
         }
 
 #ifdef undef /* MACRO */
-void des_ede2_ofb64_encrypt(register unsigned char *in,
-             register unsigned char *out, long length, des_key_schedule k1,
-             des_key_schedule k2, des_cblock (*ivec), int *num)
+void DES_ede2_ofb64_encrypt(register unsigned char *in,
+             register unsigned char *out, long length, DES_key_schedule k1,
+             DES_key_schedule k2, DES_cblock (*ivec), int *num)
         {
-        des_ede3_ofb64_encrypt(in, out, length, k1,k2,k1, ivec, num);
+        DES_ede3_ofb64_encrypt(in, out, length, k1,k2,k1, ivec, num);
         }
 #endif
diff --git a/src/lib/libcrypto/des/ofb64enc.c b/src/lib/libcrypto/des/ofb64enc.c
index 1a1d1f1ac4..8ca3d49dea 100644
--- a/src/lib/libcrypto/des/ofb64enc.c
+++ b/src/lib/libcrypto/des/ofb64enc.c
@@ -62,14 +62,14 @@
  * used.  The extra state information to record how much of the
  * 64bit block we have used is contained in *num;
  */
-void des_ofb64_encrypt(register const unsigned char *in,
-             register unsigned char *out, long length, des_key_schedule schedule,
-             des_cblock *ivec, int *num)
+void DES_ofb64_encrypt(register const unsigned char *in,
+                       register unsigned char *out, long length,
+                       DES_key_schedule *schedule, DES_cblock *ivec, int *num)
         {
         register DES_LONG v0,v1,t;
         register int n= *num;
         register long l=length;
-        des_cblock d;
+        DES_cblock d;
         register unsigned char *dp;
         DES_LONG ti[2];
         unsigned char *iv;
@@ -87,7 +87,7 @@ void des_ofb64_encrypt(register const unsigned char *in,
                 {
                 if (n == 0)
                         {
-                        des_encrypt1(ti,schedule,DES_ENCRYPT);
+                        DES_encrypt1(ti,schedule,DES_ENCRYPT);
                         dp=d;
                         t=ti[0]; l2c(t,dp);
                         t=ti[1]; l2c(t,dp);
diff --git a/src/lib/libcrypto/des/ofb_enc.c b/src/lib/libcrypto/des/ofb_enc.c
index 70493e632c..e887a3c6f4 100644
--- a/src/lib/libcrypto/des/ofb_enc.c
+++ b/src/lib/libcrypto/des/ofb_enc.c
@@ -64,8 +64,9 @@
  * the second.  The second 12 bits will come from the 3rd and half the 4th
  * byte.
  */
-void des_ofb_encrypt(const unsigned char *in, unsigned char *out, int numbits,
-             long length, des_key_schedule schedule, des_cblock *ivec)
+void DES_ofb_encrypt(const unsigned char *in, unsigned char *out, int numbits,
+                     long length, DES_key_schedule *schedule,
+                     DES_cblock *ivec)
         {
         register DES_LONG d0,d1,vv0,vv1,v0,v1,n=(numbits+7)/8;
         register DES_LONG mask0,mask1;
@@ -101,7 +102,7 @@ void des_ofb_encrypt(const unsigned char *in, unsigned char *out, int numbits,
                 {
                 ti[0]=v0;
                 ti[1]=v1;
-                des_encrypt1((DES_LONG *)ti,schedule,DES_ENCRYPT);
+                DES_encrypt1((DES_LONG *)ti,schedule,DES_ENCRYPT);
                 vv0=ti[0];
                 vv1=ti[1];
                 c2ln(in,d0,d1,n);
diff --git a/src/lib/libcrypto/des/pcbc_enc.c b/src/lib/libcrypto/des/pcbc_enc.c
index 5b987f074d..17a40f9520 100644
--- a/src/lib/libcrypto/des/pcbc_enc.c
+++ b/src/lib/libcrypto/des/pcbc_enc.c
@@ -58,8 +58,9 @@
 
 #include "des_locl.h"
 
-void des_pcbc_encrypt(const unsigned char *input, unsigned char *output,
-             long length, des_key_schedule schedule, des_cblock *ivec, int enc)
+void DES_pcbc_encrypt(const unsigned char *input, unsigned char *output,
+                      long length, DES_key_schedule *schedule,
+                      DES_cblock *ivec, int enc)
         {
         register DES_LONG sin0,sin1,xor0,xor1,tout0,tout1;
         DES_LONG tin[2];
@@ -85,7 +86,7 @@ void des_pcbc_encrypt(const unsigned char *input, unsigned char *output,
                                 c2ln(in,sin0,sin1,length);
                         tin[0]=sin0^xor0;
                         tin[1]=sin1^xor1;
-                        des_encrypt1((DES_LONG *)tin,schedule,DES_ENCRYPT);
+                        DES_encrypt1((DES_LONG *)tin,schedule,DES_ENCRYPT);
                         tout0=tin[0];
                         tout1=tin[1];
                         xor0=sin0^tout0;
@@ -103,7 +104,7 @@ void des_pcbc_encrypt(const unsigned char *input, unsigned char *output,
                         c2l(in,sin1);
                         tin[0]=sin0;
                         tin[1]=sin1;
-                        des_encrypt1((DES_LONG *)tin,schedule,DES_DECRYPT);
+                        DES_encrypt1((DES_LONG *)tin,schedule,DES_DECRYPT);
                         tout0=tin[0]^xor0;
                         tout1=tin[1]^xor1;
                         if (length >= 8)
diff --git a/src/lib/libcrypto/des/qud_cksm.c b/src/lib/libcrypto/des/qud_cksm.c
index 9fff989edb..dac201227e 100644
--- a/src/lib/libcrypto/des/qud_cksm.c
+++ b/src/lib/libcrypto/des/qud_cksm.c
@@ -73,8 +73,8 @@
 /* Got the value MIT uses via brute force :-) 2/10/90 eay */
 #define NOISE   ((DES_LONG)83653421L)
 
-DES_LONG des_quad_cksum(const unsigned char *input, des_cblock output[],
-             long length, int out_count, des_cblock *seed)
+DES_LONG DES_quad_cksum(const unsigned char *input, DES_cblock output[],
+             long length, int out_count, DES_cblock *seed)
         {
         DES_LONG z0,z1,t0,t1;
         int i;
diff --git a/src/lib/libcrypto/des/rand_key.c b/src/lib/libcrypto/des/rand_key.c
index ee1a6c274e..2398165568 100644
--- a/src/lib/libcrypto/des/rand_key.c
+++ b/src/lib/libcrypto/des/rand_key.c
@@ -56,18 +56,13 @@
 #include <openssl/des.h>
 #include <openssl/rand.h>
 
-void des_random_seed(des_cblock *key)
-        {
-        RAND_seed(key, sizeof(des_cblock));
-        }
-
-int des_random_key(des_cblock *ret)
+int DES_random_key(DES_cblock *ret)
         {
         do
                 {
-                if (RAND_bytes((unsigned char *)ret, sizeof(des_cblock)) != 1)
+                if (RAND_bytes((unsigned char *)ret, sizeof(DES_cblock)) != 1)
                         return (0);
-                } while (des_is_weak_key(ret));
-        des_set_odd_parity(ret);
+                } while (DES_is_weak_key(ret));
+        DES_set_odd_parity(ret);
         return (1);
         }
diff --git a/src/lib/libcrypto/des/read2pwd.c b/src/lib/libcrypto/des/read2pwd.c
index a8ceaf088a..b4720c3a98 100644
--- a/src/lib/libcrypto/des/read2pwd.c
+++ b/src/lib/libcrypto/des/read2pwd.c
@@ -1,4 +1,57 @@
 /* crypto/des/read2pwd.c */
+/* ====================================================================
+ * Copyright (c) 2001-2002 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -56,28 +109,30 @@
  * [including the GNU Public Licence.]
  */
 
-#include "des_locl.h"
+#include <string.h>
+#include <openssl/des.h>
+#include <openssl/ui.h>
 
-int des_read_password(des_cblock *key, const char *prompt, int verify)
+int DES_read_password(DES_cblock *key, const char *prompt, int verify)
         {
         int ok;
         char buf[BUFSIZ],buff[BUFSIZ];
 
-        if ((ok=des_read_pw(buf,buff,BUFSIZ,prompt,verify)) == 0)
-                des_string_to_key(buf,key);
+        if ((ok=UI_UTIL_read_pw(buf,buff,BUFSIZ,prompt,verify)) == 0)
+                DES_string_to_key(buf,key);
         memset(buf,0,BUFSIZ);
         memset(buff,0,BUFSIZ);
         return(ok);
         }
 
-int des_read_2passwords(des_cblock *key1, des_cblock *key2, const char *prompt,
+int DES_read_2passwords(DES_cblock *key1, DES_cblock *key2, const char *prompt,
              int verify)
         {
         int ok;
         char buf[BUFSIZ],buff[BUFSIZ];
 
-        if ((ok=des_read_pw(buf,buff,BUFSIZ,prompt,verify)) == 0)
-                des_string_to_2keys(buf,key1,key2);
+        if ((ok=UI_UTIL_read_pw(buf,buff,BUFSIZ,prompt,verify)) == 0)
+                DES_string_to_2keys(buf,key1,key2);
         memset(buf,0,BUFSIZ);
         memset(buff,0,BUFSIZ);
         return(ok);
diff --git a/src/lib/libcrypto/des/read_pwd.c b/src/lib/libcrypto/des/read_pwd.c
index c27ec336e7..ae9aef620b 100644
--- a/src/lib/libcrypto/des/read_pwd.c
+++ b/src/lib/libcrypto/des/read_pwd.c
@@ -56,8 +56,8 @@
  * [including the GNU Public Licence.]
  */
 
-#if !defined(MSDOS) && !defined(VMS) && !defined(WIN32)
-#include <openssl/opensslconf.h>
+#include <openssl/e_os2.h>
+#if !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_VMS) && !defined(OPENSSL_SYS_WIN32)
 #ifdef OPENSSL_UNISTD
 # include OPENSSL_UNISTD
 #else
@@ -78,7 +78,7 @@
 /* #define SIGACTION */ /* Define this if you have sigaction() */
 
 #ifdef WIN16TTY
-#undef WIN16
+#undef OPENSSL_SYS_WIN16
 #undef _WINDOWS
 #include <graph.h>
 #endif
@@ -92,7 +92,7 @@
 #include <setjmp.h>
 #include <errno.h>
 
-#ifdef VMS                      /* prototypes for sys$whatever */
+#ifdef OPENSSL_SYS_VMS                  /* prototypes for sys$whatever */
 #include <starlet.h>
 #ifdef __DECC
 #pragma message disable DOLLARID
@@ -127,12 +127,18 @@
 #undef  SGTTY
 #endif
 
-#if !defined(TERMIO) && !defined(TERMIOS) && !defined(VMS) && !defined(MSDOS) && !defined(MAC_OS_pre_X) && !defined(MAC_OS_GUSI_SOURCE)
+#if !defined(TERMIO) && !defined(TERMIOS) && !defined(OPENSSL_SYS_VMS) && !defined(OPENSSL_SYS_MSDOS) && !defined(MAC_OS_pre_X) && !defined(MAC_OS_GUSI_SOURCE)
 #undef  TERMIOS
 #undef  TERMIO
 #define SGTTY
 #endif
 
+#if defined(OPENSSL_SYS_VSWORKS)
+#undef TERMIOS
+#undef TERMIO
+#undef SGTTY
+#endif
+
 #ifdef TERMIOS
 #include <termios.h>
 #define TTY_STRUCT              struct termios
@@ -157,16 +163,16 @@
 #define TTY_set(tty,data)       ioctl(tty,TIOCSETP,data)
 #endif
 
-#if !defined(_LIBC) && !defined(MSDOS) && !defined(VMS) && !defined(MAC_OS_pre_X)
+#if !defined(_LIBC) && !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_VMS) && !defined(MAC_OS_pre_X)
 #include <sys/ioctl.h>
 #endif
 
-#if defined(MSDOS) && !defined(__CYGWIN32__)
+#if defined(OPENSSL_SYS_MSDOS) && !defined(__CYGWIN32__)
 #include <conio.h>
 #define fgets(a,b,c) noecho_fgets(a,b,c)
 #endif
 
-#ifdef VMS
+#ifdef OPENSSL_SYS_VMS
 #include <ssdef.h>
 #include <iodef.h>
 #include <ttdef.h>
@@ -195,17 +201,17 @@ static void read_till_nl(FILE *);
 static void recsig(int);
 static void pushsig(void);
 static void popsig(void);
-#if defined(MSDOS) && !defined(WIN16)
+#if defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_WIN16)
 static int noecho_fgets(char *buf, int size, FILE *tty);
 #endif
 #ifdef SIGACTION
  static struct sigaction savsig[NX509_SIG];
 #else
-  static void (*savsig[NX509_SIG])(int );
+ static void (*savsig[NX509_SIG])(int );
 #endif
 static jmp_buf save;
 
-int des_read_pw_string(char *buf, int length, const char *prompt,
+int _ossl_old_des_read_pw_string(char *buf, int length, const char *prompt,
              int verify)
         {
         char buff[BUFSIZ];
@@ -216,7 +222,7 @@ int des_read_pw_string(char *buf, int length, const char *prompt,
         return(ret);
         }
 
-#ifndef WIN16
+#ifndef OPENSSL_SYS_WIN16
 
 static void read_till_nl(FILE *in)
         {
@@ -233,14 +239,14 @@ static void read_till_nl(FILE *in)
 int des_read_pw(char *buf, char *buff, int size, const char *prompt,
              int verify)
         {
-#ifdef VMS
+#ifdef OPENSSL_SYS_VMS
         struct IOSB iosb;
         $DESCRIPTOR(terminal,"TT");
         long tty_orig[3], tty_new[3];
         long status;
         unsigned short channel = 0;
 #else
-#ifndef MSDOS
+#ifndef OPENSSL_SYS_MSDOS
         TTY_STRUCT tty_orig,tty_new;
 #endif
 #endif
@@ -265,19 +271,19 @@ int des_read_pw(char *buf, char *buff, int size, const char *prompt,
         is_a_tty=1;
         tty=NULL;
 
-#ifdef MSDOS
+#ifdef OPENSSL_SYS_MSDOS
         if ((tty=fopen("con","r")) == NULL)
                 tty=stdin;
-#elif defined(MAC_OS_pre_X)
+#elif defined(MAC_OS_pre_X) || defined(OPENSSL_SYS_VSWORKS)
         tty=stdin;
 #else
-#ifndef MPE
+#ifndef OPENSSL_SYS_MPE
         if ((tty=fopen("/dev/tty","r")) == NULL)
 #endif
                 tty=stdin;
 #endif
 
-#if defined(TTY_get) && !defined(VMS)
+#if defined(TTY_get) && !defined(OPENSSL_SYS_VMS)
         if (TTY_get(fileno(tty),&tty_orig) == -1)
                 {
 #ifdef ENOTTY
@@ -296,7 +302,7 @@ int des_read_pw(char *buf, char *buff, int size, const char *prompt,
                 }
         memcpy(&(tty_new),&(tty_orig),sizeof(tty_orig));
 #endif
-#ifdef VMS
+#ifdef OPENSSL_SYS_VMS
         status = sys$assign(&terminal,&channel,0,0);
         if (status != SS$_NORMAL)
                 return(-1);
@@ -312,15 +318,15 @@ int des_read_pw(char *buf, char *buff, int size, const char *prompt,
         tty_new.TTY_FLAGS &= ~ECHO;
 #endif
 
-#if defined(TTY_set) && !defined(VMS)
+#if defined(TTY_set) && !defined(OPENSSL_SYS_VMS)
         if (is_a_tty && (TTY_set(fileno(tty),&tty_new) == -1))
-#ifdef MPE 
+#ifdef OPENSSL_SYS_MPE 
                 ; /* MPE lies -- echo really has been disabled */
 #else
                 return(-1);
 #endif
 #endif
-#ifdef VMS
+#ifdef OPENSSL_SYS_VMS
         tty_new[0] = tty_orig[0];
         tty_new[1] = tty_orig[1] | TT$M_NOECHO;
         tty_new[2] = tty_orig[2];
@@ -366,14 +372,14 @@ int des_read_pw(char *buf, char *buff, int size, const char *prompt,
 
 error:
         fprintf(stderr,"\n");
-#ifdef DEBUG
+#if 0
         perror("fgets(tty)");
 #endif
         /* What can we do if there is an error? */
-#if defined(TTY_set) && !defined(VMS)
+#if defined(TTY_set) && !defined(OPENSSL_SYS_VMS)
         if (ps >= 2) TTY_set(fileno(tty),&tty_orig);
 #endif
-#ifdef VMS
+#ifdef OPENSSL_SYS_VMS
         if (ps >= 2)
                 status = sys$qiow(0,channel,IO$_SETMODE,&iosb,0,0
                         ,tty_orig,12,0,0,0,0);
@@ -381,13 +387,13 @@ error:
         
         if (ps >= 1) popsig();
         if (stdin != tty) fclose(tty);
-#ifdef VMS
+#ifdef OPENSSL_SYS_VMS
         status = sys$dassgn(channel);
 #endif
         return(!ok);
         }
 
-#else /* WIN16 */
+#else /* OPENSSL_SYS_WIN16 */
 
 int des_read_pw(char *buf, char *buff, int size, char *prompt, int verify)
         { 
@@ -460,7 +466,7 @@ static void recsig(int i)
 #endif
         }
 
-#if defined(MSDOS) && !defined(WIN16)
+#if defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_WIN16)
 static int noecho_fgets(char *buf, int size, FILE *tty)
         {
         int i;
diff --git a/src/lib/libcrypto/des/rpc_enc.c b/src/lib/libcrypto/des/rpc_enc.c
index 32d96d5cae..d937d08da5 100644
--- a/src/lib/libcrypto/des/rpc_enc.c
+++ b/src/lib/libcrypto/des/rpc_enc.c
@@ -63,20 +63,20 @@
 int _des_crypt(char *buf,int len,struct desparams *desp);
 int _des_crypt(char *buf, int len, struct desparams *desp)
         {
-        des_key_schedule ks;
+        DES_key_schedule ks;
         int enc;
 
-        des_set_key_unchecked(&desp->des_key,ks);
+        DES_set_key_unchecked(&desp->des_key,&ks);
         enc=(desp->des_dir == ENCRYPT)?DES_ENCRYPT:DES_DECRYPT;
 
         if (desp->des_mode == CBC)
-                des_ecb_encrypt((const_des_cblock *)desp->UDES.UDES_buf,
-                                (des_cblock *)desp->UDES.UDES_buf,ks,
+                DES_ecb_encrypt((const_DES_cblock *)desp->UDES.UDES_buf,
+                                (DES_cblock *)desp->UDES.UDES_buf,&ks,
                                 enc);
         else
                 {
-                des_ncbc_encrypt(desp->UDES.UDES_buf,desp->UDES.UDES_buf,
-                                len,ks,&desp->des_ivec,enc);
+                DES_ncbc_encrypt(desp->UDES.UDES_buf,desp->UDES.UDES_buf,
+                                len,&ks,&desp->des_ivec,enc);
 #ifdef undef
                 /* len will always be %8 if called from common_crypt
                  * in secure_rpc.
diff --git a/src/lib/libcrypto/des/rpw.c b/src/lib/libcrypto/des/rpw.c
index 0b6b1519b0..8a9473c4f9 100644
--- a/src/lib/libcrypto/des/rpw.c
+++ b/src/lib/libcrypto/des/rpw.c
@@ -61,7 +61,7 @@
 
 int main(int argc, char *argv[])
         {
-        des_cblock k,k1;
+        DES_cblock k,k1;
         int i;
 
         printf("read passwd\n");
diff --git a/src/lib/libcrypto/des/set_key.c b/src/lib/libcrypto/des/set_key.c
index 09afd4fc03..683916e71b 100644
--- a/src/lib/libcrypto/des/set_key.c
+++ b/src/lib/libcrypto/des/set_key.c
@@ -65,7 +65,7 @@
  */
 #include "des_locl.h"
 
-OPENSSL_GLOBAL int des_check_key=0;
+OPENSSL_IMPLEMENT_GLOBAL(int,DES_check_key);    /* defaults to false */
 
 static const unsigned char odd_parity[256]={
   1,  1,  2,  2,  4,  4,  7,  7,  8,  8, 11, 11, 13, 13, 14, 14,
@@ -85,7 +85,7 @@ static const unsigned char odd_parity[256]={
 224,224,227,227,229,229,230,230,233,233,234,234,236,236,239,239,
 241,241,242,242,244,244,247,247,248,248,251,251,253,253,254,254};
 
-void des_set_odd_parity(des_cblock *key)
+void DES_set_odd_parity(DES_cblock *key)
         {
         int i;
 
@@ -93,7 +93,7 @@ void des_set_odd_parity(des_cblock *key)
                 (*key)[i]=odd_parity[(*key)[i]];
         }
 
-int des_check_key_parity(const_des_cblock *key)
+int DES_check_key_parity(const_DES_cblock *key)
         {
         int i;
 
@@ -115,7 +115,7 @@ int des_check_key_parity(const_des_cblock *key)
  * (and actual cblock values).
  */
 #define NUM_WEAK_KEY    16
-static des_cblock weak_keys[NUM_WEAK_KEY]={
+static DES_cblock weak_keys[NUM_WEAK_KEY]={
         /* weak keys */
         {0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01},
         {0xFE,0xFE,0xFE,0xFE,0xFE,0xFE,0xFE,0xFE},
@@ -135,7 +135,7 @@ static des_cblock weak_keys[NUM_WEAK_KEY]={
         {0xE0,0xFE,0xE0,0xFE,0xF1,0xFE,0xF1,0xFE},
         {0xFE,0xE0,0xFE,0xE0,0xFE,0xF1,0xFE,0xF1}};
 
-int des_is_weak_key(const_des_cblock *key)
+int DES_is_weak_key(const_DES_cblock *key)
         {
         int i;
 
@@ -146,7 +146,7 @@ int des_is_weak_key(const_des_cblock *key)
                  * eay 93/06/29
                  * Another problem, I was comparing only the first 4
                  * bytes, 97/03/18 */
-                if (memcmp(weak_keys[i],key,sizeof(des_cblock)) == 0) return(1);
+                if (memcmp(weak_keys[i],key,sizeof(DES_cblock)) == 0) return(1);
         return(0);
         }
 
@@ -307,15 +307,15 @@ static const DES_LONG des_skb[8][64]={
         0x00002822L,0x04002822L,0x00042822L,0x04042822L,
         }};
 
-int des_set_key(const_des_cblock *key, des_key_schedule schedule)
+int DES_set_key(const_DES_cblock *key, DES_key_schedule *schedule)
         {
-        if (des_check_key)
+        if (DES_check_key)
                 {
-                return des_set_key_checked(key, schedule);
+                return DES_set_key_checked(key, schedule);
                 }
         else
                 {
-                des_set_key_unchecked(key, schedule);
+                DES_set_key_unchecked(key, schedule);
                 return 0;
                 }
         }
@@ -324,17 +324,17 @@ int des_set_key(const_des_cblock *key, des_key_schedule schedule)
  * return -1 if key parity error,
  * return -2 if illegal weak key.
  */
-int des_set_key_checked(const_des_cblock *key, des_key_schedule schedule)
+int DES_set_key_checked(const_DES_cblock *key, DES_key_schedule *schedule)
         {
-        if (!des_check_key_parity(key))
+        if (!DES_check_key_parity(key))
                 return(-1);
-        if (des_is_weak_key(key))
+        if (DES_is_weak_key(key))
                 return(-2);
-        des_set_key_unchecked(key, schedule);
+        DES_set_key_unchecked(key, schedule);
         return 0;
         }
 
-void des_set_key_unchecked(const_des_cblock *key, des_key_schedule schedule)
+void DES_set_key_unchecked(const_DES_cblock *key, DES_key_schedule *schedule)
         {
         static int shifts2[16]={0,0,1,1,1,1,1,1,0,1,1,1,1,1,1,0};
         register DES_LONG c,d,t,s,t2;
@@ -342,7 +342,11 @@ void des_set_key_unchecked(const_des_cblock *key, des_key_schedule schedule)
         register DES_LONG *k;
         register int i;
 
-        k = &schedule->ks.deslong[0];
+#if OPENBSD_DEV_CRYPTO
+        memcpy(schedule->key,key,sizeof schedule->key);
+        schedule->session=NULL;
+#endif
+        k = &schedule->ks->deslong[0];
         in = &(*key)[0];
 
         c2l(in,c);
@@ -390,13 +394,14 @@ void des_set_key_unchecked(const_des_cblock *key, des_key_schedule schedule)
                 }
         }
 
-int des_key_sched(const_des_cblock *key, des_key_schedule schedule)
+int DES_key_sched(const_DES_cblock *key, DES_key_schedule *schedule)
         {
-        return(des_set_key(key,schedule));
+        return(DES_set_key(key,schedule));
         }
-
+/*
 #undef des_fixup_key_parity
 void des_fixup_key_parity(des_cblock *key)
         {
         des_set_odd_parity(key);
         }
+*/
diff --git a/src/lib/libcrypto/des/speed.c b/src/lib/libcrypto/des/speed.c
index 1223edf290..48fc1d49fc 100644
--- a/src/lib/libcrypto/des/speed.c
+++ b/src/lib/libcrypto/des/speed.c
@@ -59,7 +59,7 @@
 /* 11-Sep-92 Andrew Daviel   Support for Silicon Graphics IRIX added */
 /* 06-Apr-92 Luke Brennan    Support for VMS and add extra signal calls */
 
-#if !defined(MSDOS) && (!defined(VMS) || defined(__DECC))
+#if !defined(OPENSSL_SYS_MSDOS) && (!defined(OPENSSL_SYS_VMS) || defined(__DECC)) && !defined(OPENSSL_SYS_MACOSX)
 #define TIMES
 #endif
 
@@ -82,7 +82,7 @@ OPENSSL_DECLARE_EXIT
    The __TMS macro will show if it was.  If it wasn't defined, we should
    undefine TIMES, since that tells the rest of the program how things
    should be handled.                           -- Richard Levitte */
-#if defined(VMS) && defined(__DECC) && !defined(__TMS)
+#if defined(OPENSSL_SYS_VMS_DECC) && !defined(__TMS)
 #undef TIMES
 #endif
 
@@ -176,10 +176,10 @@ int main(int argc, char **argv)
         {
         long count;
         static unsigned char buf[BUFSIZE];
-        static des_cblock key ={0x12,0x34,0x56,0x78,0x9a,0xbc,0xde,0xf0};
-        static des_cblock key2={0x34,0x56,0x78,0x9a,0xbc,0xde,0xf0,0x12};
-        static des_cblock key3={0x56,0x78,0x9a,0xbc,0xde,0xf0,0x12,0x34};
-        des_key_schedule sch,sch2,sch3;
+        static DES_cblock key ={0x12,0x34,0x56,0x78,0x9a,0xbc,0xde,0xf0};
+        static DES_cblock key2={0x34,0x56,0x78,0x9a,0xbc,0xde,0xf0,0x12};
+        static DES_cblock key3={0x56,0x78,0x9a,0xbc,0xde,0xf0,0x12,0x34};
+        DES_key_schedule sch,sch2,sch3;
         double a,b,c,d,e;
 #ifndef SIGALRM
         long ca,cb,cc,cd,ce;
@@ -190,12 +190,12 @@ int main(int argc, char **argv)
         printf("program when this computer is idle.\n");
 #endif
 
-        des_set_key_unchecked(&key2,sch2);
-        des_set_key_unchecked(&key3,sch3);
+        DES_set_key_unchecked(&key2,&sch2);
+        DES_set_key_unchecked(&key3,&sch3);
 
 #ifndef SIGALRM
         printf("First we calculate the approximate speed ...\n");
-        des_set_key_unchecked(&key,sch);
+        DES_set_key_unchecked(&key,&sch);
         count=10;
         do      {
                 long i;
@@ -204,7 +204,7 @@ int main(int argc, char **argv)
                 count*=2;
                 Time_F(START);
                 for (i=count; i; i--)
-                        des_encrypt1(data,&(sch[0]),DES_ENCRYPT);
+                        DES_encrypt1(data,&sch,DES_ENCRYPT);
                 d=Time_F(STOP);
                 } while (d < 3.0);
         ca=count;
@@ -225,63 +225,63 @@ int main(int argc, char **argv)
 
         Time_F(START);
         for (count=0,run=1; COND(ca); count++)
-                des_set_key_unchecked(&key,sch);
+                DES_set_key_unchecked(&key,&sch);
         d=Time_F(STOP);
         printf("%ld set_key's in %.2f seconds\n",count,d);
         a=((double)COUNT(ca))/d;
 
 #ifdef SIGALRM
-        printf("Doing des_encrypt's for 10 seconds\n");
+        printf("Doing DES_encrypt's for 10 seconds\n");
         alarm(10);
 #else
-        printf("Doing des_encrypt %ld times\n",cb);
+        printf("Doing DES_encrypt %ld times\n",cb);
 #endif
         Time_F(START);
         for (count=0,run=1; COND(cb); count++)
                 {
                 DES_LONG data[2];
 
-                des_encrypt1(data,&(sch[0]),DES_ENCRYPT);
+                DES_encrypt1(data,&sch,DES_ENCRYPT);
                 }
         d=Time_F(STOP);
-        printf("%ld des_encrypt's in %.2f second\n",count,d);
+        printf("%ld DES_encrypt's in %.2f second\n",count,d);
         b=((double)COUNT(cb)*8)/d;
 
 #ifdef SIGALRM
-        printf("Doing des_cbc_encrypt on %ld byte blocks for 10 seconds\n",
+        printf("Doing DES_cbc_encrypt on %ld byte blocks for 10 seconds\n",
                 BUFSIZE);
         alarm(10);
 #else
-        printf("Doing des_cbc_encrypt %ld times on %ld byte blocks\n",cc,
+        printf("Doing DES_cbc_encrypt %ld times on %ld byte blocks\n",cc,
                 BUFSIZE);
 #endif
         Time_F(START);
         for (count=0,run=1; COND(cc); count++)
-                des_ncbc_encrypt(buf,buf,BUFSIZE,&(sch[0]),
+                DES_ncbc_encrypt(buf,buf,BUFSIZE,&sch,
                         &key,DES_ENCRYPT);
         d=Time_F(STOP);
-        printf("%ld des_cbc_encrypt's of %ld byte blocks in %.2f second\n",
+        printf("%ld DES_cbc_encrypt's of %ld byte blocks in %.2f second\n",
                 count,BUFSIZE,d);
         c=((double)COUNT(cc)*BUFSIZE)/d;
 
 #ifdef SIGALRM
-        printf("Doing des_ede_cbc_encrypt on %ld byte blocks for 10 seconds\n",
+        printf("Doing DES_ede_cbc_encrypt on %ld byte blocks for 10 seconds\n",
                 BUFSIZE);
         alarm(10);
 #else
-        printf("Doing des_ede_cbc_encrypt %ld times on %ld byte blocks\n",cd,
+        printf("Doing DES_ede_cbc_encrypt %ld times on %ld byte blocks\n",cd,
                 BUFSIZE);
 #endif
         Time_F(START);
         for (count=0,run=1; COND(cd); count++)
-                des_ede3_cbc_encrypt(buf,buf,BUFSIZE,
-                        &(sch[0]),
-                        &(sch2[0]),
-                        &(sch3[0]),
+                DES_ede3_cbc_encrypt(buf,buf,BUFSIZE,
+                        &sch,
+                        &sch2,
+                        &sch3,
                         &key,
                         DES_ENCRYPT);
         d=Time_F(STOP);
-        printf("%ld des_ede_cbc_encrypt's of %ld byte blocks in %.2f second\n",
+        printf("%ld DES_ede_cbc_encrypt's of %ld byte blocks in %.2f second\n",
                 count,BUFSIZE,d);
         d=((double)COUNT(cd)*BUFSIZE)/d;
 
@@ -304,7 +304,7 @@ int main(int argc, char **argv)
         printf("DES ede cbc bytes  per sec = %12.2f (%9.3fuS)\n",d,8.0e6/d);
         printf("crypt              per sec = %12.2f (%9.3fuS)\n",e,1.0e6/e);
         exit(0);
-#if defined(LINT) || defined(MSDOS)
+#if defined(LINT) || defined(OPENSSL_SYS_MSDOS)
         return(0);
 #endif
         }
diff --git a/src/lib/libcrypto/des/spr.h b/src/lib/libcrypto/des/spr.h
index b8fbdcf8d3..b91936a5a5 100644
--- a/src/lib/libcrypto/des/spr.h
+++ b/src/lib/libcrypto/des/spr.h
@@ -56,7 +56,7 @@
  * [including the GNU Public Licence.]
  */
 
-OPENSSL_GLOBAL const DES_LONG des_SPtrans[8][64]={
+OPENSSL_GLOBAL const DES_LONG DES_SPtrans[8][64]={
 {
 /* nibble 0 */
 0x02080800L, 0x00080000L, 0x02000002L, 0x02080802L,
diff --git a/src/lib/libcrypto/des/str2key.c b/src/lib/libcrypto/des/str2key.c
index c6abb87201..36c3f81d99 100644
--- a/src/lib/libcrypto/des/str2key.c
+++ b/src/lib/libcrypto/des/str2key.c
@@ -58,9 +58,9 @@
 
 #include "des_locl.h"
 
-void des_string_to_key(const char *str, des_cblock *key)
+void DES_string_to_key(const char *str, DES_cblock *key)
         {
-        des_key_schedule ks;
+        DES_key_schedule ks;
         int i,length;
         register unsigned char j;
 
@@ -85,16 +85,22 @@ void des_string_to_key(const char *str, des_cblock *key)
                         }
                 }
 #endif
-        des_set_odd_parity(key);
-        des_set_key_unchecked(key,ks);
-        des_cbc_cksum((const unsigned char*)str,key,length,ks,key);
-        memset(ks,0,sizeof(ks));
-        des_set_odd_parity(key);
+        DES_set_odd_parity(key);
+#ifdef EXPERIMENTAL_STR_TO_STRONG_KEY
+        if(DES_is_weak_key(key))
+            (*key)[7] ^= 0xF0;
+        DES_set_key(key,&ks);
+#else
+        DES_set_key_unchecked(key,&ks);
+#endif
+        DES_cbc_cksum((const unsigned char*)str,key,length,&ks,key);
+        memset(&ks,0,sizeof(ks));
+        DES_set_odd_parity(key);
         }
 
-void des_string_to_2keys(const char *str, des_cblock *key1, des_cblock *key2)
+void DES_string_to_2keys(const char *str, DES_cblock *key1, DES_cblock *key2)
         {
-        des_key_schedule ks;
+        DES_key_schedule ks;
         int i,length;
         register unsigned char j;
 
@@ -143,13 +149,25 @@ void des_string_to_2keys(const char *str, des_cblock *key1, des_cblock *key2)
                 }
         if (length <= 8) memcpy(key2,key1,8);
 #endif
-        des_set_odd_parity(key1);
-        des_set_odd_parity(key2);
-        des_set_key_unchecked(key1,ks);
-        des_cbc_cksum((const unsigned char*)str,key1,length,ks,key1);
-        des_set_key_unchecked(key2,ks);
-        des_cbc_cksum((const unsigned char*)str,key2,length,ks,key2);
-        memset(ks,0,sizeof(ks));
-        des_set_odd_parity(key1);
-        des_set_odd_parity(key2);
+        DES_set_odd_parity(key1);
+        DES_set_odd_parity(key2);
+#ifdef EXPERIMENTAL_STR_TO_STRONG_KEY
+        if(DES_is_weak_key(key1))
+            (*key1)[7] ^= 0xF0;
+        DES_set_key(key1,&ks);
+#else
+        DES_set_key_unchecked(key1,&ks);
+#endif
+        DES_cbc_cksum((const unsigned char*)str,key1,length,&ks,key1);
+#ifdef EXPERIMENTAL_STR_TO_STRONG_KEY
+        if(DES_is_weak_key(key2))
+            (*key2)[7] ^= 0xF0;
+        DES_set_key(key2,&ks);
+#else
+        DES_set_key_unchecked(key2,&ks);
+#endif
+        DES_cbc_cksum((const unsigned char*)str,key2,length,&ks,key2);
+        memset(&ks,0,sizeof(ks));
+        DES_set_odd_parity(key1);
+        DES_set_odd_parity(key2);
         }
diff --git a/src/lib/libcrypto/des/xcbc_enc.c b/src/lib/libcrypto/des/xcbc_enc.c
index ccfede13ac..47246eb466 100644
--- a/src/lib/libcrypto/des/xcbc_enc.c
+++ b/src/lib/libcrypto/des/xcbc_enc.c
@@ -79,8 +79,8 @@ static unsigned char desx_white_in2out[256]={
 0xA7,0x1C,0xC9,0x09,0x69,0x9A,0x83,0xCF,0x29,0x39,0xB9,0xE9,0x4C,0xFF,0x43,0xAB,
         };
 
-void des_xwhite_in2out(const_des_cblock *des_key, const_des_cblock *in_white,
-             des_cblock *out_white)
+void DES_xwhite_in2out(const_DES_cblock *des_key, const_DES_cblock *in_white,
+             DES_cblock *out_white)
         {
         int out0,out1;
         int i;
@@ -107,9 +107,10 @@ void des_xwhite_in2out(const_des_cblock *des_key, const_des_cblock *in_white,
                 }
         }
 
-void des_xcbc_encrypt(const unsigned char *in, unsigned char *out,
-            long length, des_key_schedule schedule, des_cblock *ivec,
-            const_des_cblock *inw, const_des_cblock *outw, int enc)
+void DES_xcbc_encrypt(const unsigned char *in, unsigned char *out,
+                      long length, DES_key_schedule *schedule,
+                      DES_cblock *ivec, const_DES_cblock *inw,
+                      const_DES_cblock *outw, int enc)
         {
         register DES_LONG tin0,tin1;
         register DES_LONG tout0,tout1,xor0,xor1;
@@ -138,7 +139,7 @@ void des_xcbc_encrypt(const unsigned char *in, unsigned char *out,
                         c2l(in,tin1);
                         tin0^=tout0^inW0; tin[0]=tin0;
                         tin1^=tout1^inW1; tin[1]=tin1;
-                        des_encrypt1(tin,schedule,DES_ENCRYPT);
+                        DES_encrypt1(tin,schedule,DES_ENCRYPT);
                         tout0=tin[0]^outW0; l2c(tout0,out);
                         tout1=tin[1]^outW1; l2c(tout1,out);
                         }
@@ -147,7 +148,7 @@ void des_xcbc_encrypt(const unsigned char *in, unsigned char *out,
                         c2ln(in,tin0,tin1,l+8);
                         tin0^=tout0^inW0; tin[0]=tin0;
                         tin1^=tout1^inW1; tin[1]=tin1;
-                        des_encrypt1(tin,schedule,DES_ENCRYPT);
+                        DES_encrypt1(tin,schedule,DES_ENCRYPT);
                         tout0=tin[0]^outW0; l2c(tout0,out);
                         tout1=tin[1]^outW1; l2c(tout1,out);
                         }
@@ -163,7 +164,7 @@ void des_xcbc_encrypt(const unsigned char *in, unsigned char *out,
                         {
                         c2l(in,tin0); tin[0]=tin0^outW0;
                         c2l(in,tin1); tin[1]=tin1^outW1;
-                        des_encrypt1(tin,schedule,DES_DECRYPT);
+                        DES_encrypt1(tin,schedule,DES_DECRYPT);
                         tout0=tin[0]^xor0^inW0;
                         tout1=tin[1]^xor1^inW1;
                         l2c(tout0,out);
@@ -175,7 +176,7 @@ void des_xcbc_encrypt(const unsigned char *in, unsigned char *out,
                         {
                         c2l(in,tin0); tin[0]=tin0^outW0;
                         c2l(in,tin1); tin[1]=tin1^outW1;
-                        des_encrypt1(tin,schedule,DES_DECRYPT);
+                        DES_encrypt1(tin,schedule,DES_DECRYPT);
                         tout0=tin[0]^xor0^inW0;
                         tout1=tin[1]^xor1^inW1;
                         l2cn(tout0,tout1,out,l+8);
diff --git a/src/lib/libcrypto/dh/Makefile.ssl b/src/lib/libcrypto/dh/Makefile.ssl
index bf4b47ca9a..209e2bf39c 100644
--- a/src/lib/libcrypto/dh/Makefile.ssl
+++ b/src/lib/libcrypto/dh/Makefile.ssl
@@ -5,13 +5,14 @@
 DIR=    dh
 TOP=    ../..
 CC=     cc
-INCLUDES= -I.. -I../../include
+INCLUDES= -I.. -I$(TOP) -I../../include
 CFLAG=-g
 INSTALL_PREFIX=
 OPENSSLDIR=     /usr/local/ssl
 INSTALLTOP=/usr/local/ssl
 MAKE=           make -f Makefile.ssl
-MAKEDEPEND=     $(TOP)/util/domd $(TOP)
+MAKEDEPPROG=    makedepend
+MAKEDEPEND=     $(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)
 MAKEFILE=       Makefile.ssl
 AR=             ar r
 
@@ -22,8 +23,8 @@ TEST= dhtest.c
 APPS=
 
 LIB=$(TOP)/libcrypto.a
-LIBSRC= dh_gen.c dh_key.c dh_lib.c dh_check.c dh_err.c
-LIBOBJ= dh_gen.o dh_key.o dh_lib.o dh_check.o dh_err.o
+LIBSRC= dh_asn1.c dh_gen.c dh_key.c dh_lib.c dh_check.c dh_err.c
+LIBOBJ= dh_asn1.o dh_gen.o dh_key.o dh_lib.o dh_check.o dh_err.o
 
 SRC= $(LIBSRC)
 
@@ -39,8 +40,7 @@ all:	lib
 
 lib:    $(LIBOBJ)
         $(AR) $(LIB) $(LIBOBJ)
-        @echo You may get an error following this line.  Please ignore.
-        - $(RANLIB) $(LIB)
+        $(RANLIB) $(LIB) || echo Never mind.
         @touch lib
 
 files:
@@ -79,61 +79,58 @@ clean:
 
 # DO NOT DELETE THIS LINE -- make depend depends on it.
 
-dh_check.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+dh_asn1.o: ../../e_os.h ../../include/openssl/asn1.h
+dh_asn1.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
+dh_asn1.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+dh_asn1.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
+dh_asn1.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+dh_asn1.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+dh_asn1.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+dh_asn1.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+dh_asn1.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+dh_asn1.o: ../../include/openssl/symhacks.h ../cryptlib.h dh_asn1.c
+dh_check.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
 dh_check.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-dh_check.o: ../../include/openssl/dh.h ../../include/openssl/e_os.h
-dh_check.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-dh_check.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-dh_check.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-dh_check.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-dh_check.o: ../cryptlib.h
+dh_check.o: ../../include/openssl/dh.h ../../include/openssl/e_os2.h
+dh_check.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+dh_check.o: ../../include/openssl/opensslconf.h
+dh_check.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+dh_check.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+dh_check.o: ../../include/openssl/symhacks.h ../cryptlib.h dh_check.c
 dh_err.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
 dh_err.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
-dh_err.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
-dh_err.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+dh_err.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+dh_err.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
+dh_err.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 dh_err.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-dh_err.o: ../../include/openssl/symhacks.h
-dh_gen.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+dh_err.o: ../../include/openssl/symhacks.h dh_err.c
+dh_gen.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
 dh_gen.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-dh_gen.o: ../../include/openssl/dh.h ../../include/openssl/e_os.h
-dh_gen.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-dh_gen.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-dh_gen.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+dh_gen.o: ../../include/openssl/dh.h ../../include/openssl/e_os2.h
+dh_gen.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+dh_gen.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+dh_gen.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
 dh_gen.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-dh_gen.o: ../cryptlib.h
-dh_key.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-dh_key.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-dh_key.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-dh_key.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-dh_key.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-dh_key.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+dh_gen.o: ../cryptlib.h dh_gen.c
+dh_key.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
+dh_key.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+dh_key.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
+dh_key.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
 dh_key.o: ../../include/openssl/engine.h ../../include/openssl/err.h
-dh_key.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-dh_key.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-dh_key.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-dh_key.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
-dh_key.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-dh_key.o: ../../include/openssl/opensslv.h ../../include/openssl/rand.h
-dh_key.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-dh_key.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-dh_key.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-dh_key.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-dh_key.o: ../../include/openssl/symhacks.h ../cryptlib.h
-dh_lib.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-dh_lib.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-dh_lib.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-dh_lib.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-dh_lib.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-dh_lib.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+dh_key.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
+dh_key.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+dh_key.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h
+dh_key.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+dh_key.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
+dh_key.o: ../cryptlib.h dh_key.c
+dh_lib.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
+dh_lib.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+dh_lib.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
+dh_lib.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
 dh_lib.o: ../../include/openssl/engine.h ../../include/openssl/err.h
-dh_lib.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-dh_lib.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-dh_lib.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-dh_lib.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
-dh_lib.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-dh_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/rand.h
-dh_lib.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-dh_lib.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-dh_lib.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-dh_lib.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-dh_lib.o: ../../include/openssl/symhacks.h ../cryptlib.h
+dh_lib.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
+dh_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+dh_lib.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h
+dh_lib.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+dh_lib.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
+dh_lib.o: ../cryptlib.h dh_lib.c
diff --git a/src/lib/libcrypto/dh/dh.h b/src/lib/libcrypto/dh/dh.h
index 7a8d9f88c2..d51dc130f4 100644
--- a/src/lib/libcrypto/dh/dh.h
+++ b/src/lib/libcrypto/dh/dh.h
@@ -59,15 +59,16 @@
 #ifndef HEADER_DH_H
 #define HEADER_DH_H
 
-#ifdef NO_DH
+#ifdef OPENSSL_NO_DH
 #error DH is disabled.
 #endif
 
-#ifndef NO_BIO
+#ifndef OPENSSL_NO_BIO
 #include <openssl/bio.h>
 #endif
 #include <openssl/bn.h>
 #include <openssl/crypto.h>
+#include <openssl/ossl_typ.h>
         
 #define DH_FLAG_CACHE_MONT_P    0x01
 
@@ -81,9 +82,9 @@ typedef struct dh_method {
         const char *name;
         /* Methods here */
         int (*generate_key)(DH *dh);
-        int (*compute_key)(unsigned char *key,BIGNUM *pub_key,DH *dh);
-        int (*bn_mod_exp)(DH *dh, BIGNUM *r, BIGNUM *a, const BIGNUM *p,
-                                const BIGNUM *m, BN_CTX *ctx,
+        int (*compute_key)(unsigned char *key,const BIGNUM *pub_key,DH *dh);
+        int (*bn_mod_exp)(const DH *dh, BIGNUM *r, const BIGNUM *a,
+                                const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx,
                                 BN_MONT_CTX *m_ctx); /* Can be null */
 
         int (*init)(DH *dh);
@@ -115,11 +116,8 @@ struct dh_st
 
         int references;
         CRYPTO_EX_DATA ex_data;
-#if 0
-        DH_METHOD *meth;
-#else
-        struct engine_st *engine;
-#endif
+        const DH_METHOD *meth;
+        ENGINE *engine;
         };
 
 #define DH_GENERATOR_2          2
@@ -152,46 +150,42 @@ struct dh_st
                 (unsigned char *)(x))
 #endif
 
-DH_METHOD *DH_OpenSSL(void);
+const DH_METHOD *DH_OpenSSL(void);
 
-void DH_set_default_openssl_method(DH_METHOD *meth);
-DH_METHOD *DH_get_default_openssl_method(void);
-#if 0
-DH_METHOD *DH_set_method(DH *dh, DH_METHOD *meth);
-DH *DH_new_method(DH_METHOD *meth);
-#else
-int DH_set_method(DH *dh, struct engine_st *engine);
-DH *DH_new_method(struct engine_st *engine);
-#endif
+void DH_set_default_method(const DH_METHOD *meth);
+const DH_METHOD *DH_get_default_method(void);
+int DH_set_method(DH *dh, const DH_METHOD *meth);
+DH *DH_new_method(ENGINE *engine);
 
 DH *    DH_new(void);
 void    DH_free(DH *dh);
-int     DH_size(DH *dh);
+int     DH_up_ref(DH *dh);
+int     DH_size(const DH *dh);
 int DH_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
              CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
 int DH_set_ex_data(DH *d, int idx, void *arg);
 void *DH_get_ex_data(DH *d, int idx);
 DH *    DH_generate_parameters(int prime_len,int generator,
                 void (*callback)(int,int,void *),void *cb_arg);
-int     DH_check(DH *dh,int *codes);
+int     DH_check(const DH *dh,int *codes);
 int     DH_generate_key(DH *dh);
-int     DH_compute_key(unsigned char *key,BIGNUM *pub_key,DH *dh);
-DH *    d2i_DHparams(DH **a,unsigned char **pp, long length);
-int     i2d_DHparams(DH *a,unsigned char **pp);
-#ifndef NO_FP_API
-int     DHparams_print_fp(FILE *fp, DH *x);
+int     DH_compute_key(unsigned char *key,const BIGNUM *pub_key,DH *dh);
+DH *    d2i_DHparams(DH **a,const unsigned char **pp, long length);
+int     i2d_DHparams(const DH *a,unsigned char **pp);
+#ifndef OPENSSL_NO_FP_API
+int     DHparams_print_fp(FILE *fp, const DH *x);
 #endif
-#ifndef NO_BIO
-int     DHparams_print(BIO *bp, DH *x);
+#ifndef OPENSSL_NO_BIO
+int     DHparams_print(BIO *bp, const DH *x);
 #else
-int     DHparams_print(char *bp, DH *x);
+int     DHparams_print(char *bp, const DH *x);
 #endif
-void    ERR_load_DH_strings(void );
 
 /* BEGIN ERROR CODES */
 /* The following lines are auto generated by the script mkerr.pl. Any changes
  * made after this point may be overwritten when the script is next run.
  */
+void ERR_load_DH_strings(void);
 
 /* Error codes for the DH functions. */
 
@@ -201,13 +195,13 @@ void	ERR_load_DH_strings(void );
 #define DH_F_DH_COMPUTE_KEY                              102
 #define DH_F_DH_GENERATE_KEY                             103
 #define DH_F_DH_GENERATE_PARAMETERS                      104
-#define DH_F_DH_NEW                                      105
+#define DH_F_DH_NEW_METHOD                               105
 
 /* Reason codes. */
+#define DH_R_BAD_GENERATOR                               101
 #define DH_R_NO_PRIVATE_VALUE                            100
 
 #ifdef  __cplusplus
 }
 #endif
 #endif
-
diff --git a/src/lib/libcrypto/dh/dh_asn1.c b/src/lib/libcrypto/dh/dh_asn1.c
new file mode 100644
index 0000000000..769b5b68c5
--- /dev/null
+++ b/src/lib/libcrypto/dh/dh_asn1.c
@@ -0,0 +1,87 @@
+/* dh_asn1.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/bn.h>
+#include <openssl/dh.h>
+#include <openssl/objects.h>
+#include <openssl/asn1t.h>
+
+/* Override the default free and new methods */
+static int dh_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it)
+{
+        if(operation == ASN1_OP_NEW_PRE) {
+                *pval = (ASN1_VALUE *)DH_new();
+                if(*pval) return 2;
+                return 0;
+        } else if(operation == ASN1_OP_FREE_PRE) {
+                DH_free((DH *)*pval);
+                *pval = NULL;
+                return 2;
+        }
+        return 1;
+}
+
+ASN1_SEQUENCE_cb(DHparams, dh_cb) = {
+        ASN1_SIMPLE(DH, p, BIGNUM),
+        ASN1_SIMPLE(DH, g, BIGNUM),
+        ASN1_OPT(DH, length, ZLONG),
+} ASN1_SEQUENCE_END_cb(DH, DHparams)
+
+IMPLEMENT_ASN1_ENCODE_FUNCTIONS_const_fname(DH, DHparams, DHparams)
diff --git a/src/lib/libcrypto/dh/dh_check.c b/src/lib/libcrypto/dh/dh_check.c
index 7e5cfd8bfc..f0373f7d68 100644
--- a/src/lib/libcrypto/dh/dh_check.c
+++ b/src/lib/libcrypto/dh/dh_check.c
@@ -70,7 +70,7 @@
  * should hold.
  */
 
-int DH_check(DH *dh, int *ret)
+int DH_check(const DH *dh, int *ret)
         {
         int ok=0;
         BN_CTX *ctx=NULL;
diff --git a/src/lib/libcrypto/dh/dh_err.c b/src/lib/libcrypto/dh/dh_err.c
index ff2d1684c2..d837950aec 100644
--- a/src/lib/libcrypto/dh/dh_err.c
+++ b/src/lib/libcrypto/dh/dh_err.c
@@ -1,6 +1,6 @@
 /* crypto/dh/dh_err.c */
 /* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2002 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -63,7 +63,7 @@
 #include <openssl/dh.h>
 
 /* BEGIN ERROR CODES */
-#ifndef NO_ERR
+#ifndef OPENSSL_NO_ERR
 static ERR_STRING_DATA DH_str_functs[]=
         {
 {ERR_PACK(0,DH_F_DHPARAMS_PRINT,0),     "DHparams_print"},
@@ -71,12 +71,13 @@ static ERR_STRING_DATA DH_str_functs[]=
 {ERR_PACK(0,DH_F_DH_COMPUTE_KEY,0),     "DH_compute_key"},
 {ERR_PACK(0,DH_F_DH_GENERATE_KEY,0),    "DH_generate_key"},
 {ERR_PACK(0,DH_F_DH_GENERATE_PARAMETERS,0),     "DH_generate_parameters"},
-{ERR_PACK(0,DH_F_DH_NEW,0),     "DH_new"},
+{ERR_PACK(0,DH_F_DH_NEW_METHOD,0),      "DH_new_method"},
 {0,NULL}
         };
 
 static ERR_STRING_DATA DH_str_reasons[]=
         {
+{DH_R_BAD_GENERATOR                      ,"bad generator"},
 {DH_R_NO_PRIVATE_VALUE                   ,"no private value"},
 {0,NULL}
         };
@@ -90,7 +91,7 @@ void ERR_load_DH_strings(void)
         if (init)
                 {
                 init=0;
-#ifndef NO_ERR
+#ifndef OPENSSL_NO_ERR
                 ERR_load_strings(ERR_LIB_DH,DH_str_functs);
                 ERR_load_strings(ERR_LIB_DH,DH_str_reasons);
 #endif
diff --git a/src/lib/libcrypto/dh/dh_gen.c b/src/lib/libcrypto/dh/dh_gen.c
index 7a6a38fbb4..06f78b35ab 100644
--- a/src/lib/libcrypto/dh/dh_gen.c
+++ b/src/lib/libcrypto/dh/dh_gen.c
@@ -82,7 +82,10 @@
  * Since DH should be using a safe prime (both p and q are prime),
  * this generator function can take a very very long time to run.
  */
-
+/* Actually there is no reason to insist that 'generator' be a generator.
+ * It's just as OK (and in some sense better) to use a generator of the
+ * order-q subgroup.
+ */
 DH *DH_generate_parameters(int prime_len, int generator,
              void (*callback)(int,int,void *), void *cb_arg)
         {
@@ -100,30 +103,43 @@ DH *DH_generate_parameters(int prime_len, int generator,
         t2 = BN_CTX_get(ctx);
         if (t1 == NULL || t2 == NULL) goto err;
         
+        if (generator <= 1)
+                {
+                DHerr(DH_F_DH_GENERATE_PARAMETERS, DH_R_BAD_GENERATOR);
+                goto err;
+                }
         if (generator == DH_GENERATOR_2)
                 {
-                BN_set_word(t1,24);
-                BN_set_word(t2,11);
+                if (!BN_set_word(t1,24)) goto err;
+                if (!BN_set_word(t2,11)) goto err;
                 g=2;
                 }
-#ifdef undef  /* does not work for safe primes */
+#if 0 /* does not work for safe primes */
         else if (generator == DH_GENERATOR_3)
                 {
-                BN_set_word(t1,12);
-                BN_set_word(t2,5);
+                if (!BN_set_word(t1,12)) goto err;
+                if (!BN_set_word(t2,5)) goto err;
                 g=3;
                 }
 #endif
         else if (generator == DH_GENERATOR_5)
                 {
-                BN_set_word(t1,10);
-                BN_set_word(t2,3);
+                if (!BN_set_word(t1,10)) goto err;
+                if (!BN_set_word(t2,3)) goto err;
                 /* BN_set_word(t3,7); just have to miss
                  * out on these ones :-( */
                 g=5;
                 }
         else
+                {
+                /* in the general case, don't worry if 'generator' is a
+                 * generator or not: since we are using safe primes,
+                 * it will generate either an order-q or an order-2q group,
+                 * which both is OK */
+                if (!BN_set_word(t1,2)) goto err;
+                if (!BN_set_word(t2,1)) goto err;
                 g=generator;
+                }
         
         p=BN_generate_prime(NULL,prime_len,1,t1,t2,callback,cb_arg);
         if (p == NULL) goto err;
diff --git a/src/lib/libcrypto/dh/dh_key.c b/src/lib/libcrypto/dh/dh_key.c
index 22b087b778..1a0efca2c4 100644
--- a/src/lib/libcrypto/dh/dh_key.c
+++ b/src/lib/libcrypto/dh/dh_key.c
@@ -64,8 +64,9 @@
 #include <openssl/engine.h>
 
 static int generate_key(DH *dh);
-static int compute_key(unsigned char *key, BIGNUM *pub_key, DH *dh);
-static int dh_bn_mod_exp(DH *dh, BIGNUM *r, BIGNUM *a, const BIGNUM *p,
+static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh);
+static int dh_bn_mod_exp(const DH *dh, BIGNUM *r,
+                        const BIGNUM *a, const BIGNUM *p,
                         const BIGNUM *m, BN_CTX *ctx,
                         BN_MONT_CTX *m_ctx);
 static int dh_init(DH *dh);
@@ -73,12 +74,12 @@ static int dh_finish(DH *dh);
 
 int DH_generate_key(DH *dh)
         {
-        return ENGINE_get_DH(dh->engine)->generate_key(dh);
+        return dh->meth->generate_key(dh);
         }
 
-int DH_compute_key(unsigned char *key, BIGNUM *pub_key, DH *dh)
+int DH_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
         {
-        return ENGINE_get_DH(dh->engine)->compute_key(key, pub_key, dh);
+        return dh->meth->compute_key(key, pub_key, dh);
         }
 
 static DH_METHOD dh_ossl = {
@@ -92,7 +93,7 @@ dh_finish,
 NULL
 };
 
-DH_METHOD *DH_OpenSSL(void)
+const DH_METHOD *DH_OpenSSL(void)
 {
         return &dh_ossl;
 }
@@ -100,19 +101,20 @@ DH_METHOD *DH_OpenSSL(void)
 static int generate_key(DH *dh)
         {
         int ok=0;
-        BN_CTX ctx;
+        int generate_new_key=0;
+        unsigned l;
+        BN_CTX *ctx;
         BN_MONT_CTX *mont;
         BIGNUM *pub_key=NULL,*priv_key=NULL;
 
-        BN_CTX_init(&ctx);
+        ctx = BN_CTX_new();
+        if (ctx == NULL) goto err;
 
         if (dh->priv_key == NULL)
                 {
                 priv_key=BN_new();
                 if (priv_key == NULL) goto err;
-                do
-                        if (!BN_rand_range(priv_key, dh->p)) goto err;
-                while (BN_is_zero(priv_key));
+                generate_new_key=1;
                 }
         else
                 priv_key=dh->priv_key;
@@ -129,12 +131,16 @@ static int generate_key(DH *dh)
                 {
                 if ((dh->method_mont_p=(char *)BN_MONT_CTX_new()) != NULL)
                         if (!BN_MONT_CTX_set((BN_MONT_CTX *)dh->method_mont_p,
-                                dh->p,&ctx)) goto err;
+                                dh->p,ctx)) goto err;
                 }
         mont=(BN_MONT_CTX *)dh->method_mont_p;
 
-        if (!ENGINE_get_DH(dh->engine)->bn_mod_exp(dh, pub_key, dh->g,
-                                priv_key,dh->p,&ctx,mont))
+        if (generate_new_key)
+                {
+                l = dh->length ? dh->length : BN_num_bits(dh->p)-1; /* secret exponent length */
+                if (!BN_rand(priv_key, l, 0, 0)) goto err;
+                }
+        if (!dh->meth->bn_mod_exp(dh, pub_key, dh->g, priv_key,dh->p,ctx,mont))
                 goto err;
                 
         dh->pub_key=pub_key;
@@ -146,20 +152,21 @@ err:
 
         if ((pub_key != NULL)  && (dh->pub_key == NULL))  BN_free(pub_key);
         if ((priv_key != NULL) && (dh->priv_key == NULL)) BN_free(priv_key);
-        BN_CTX_free(&ctx);
+        BN_CTX_free(ctx);
         return(ok);
         }
 
-static int compute_key(unsigned char *key, BIGNUM *pub_key, DH *dh)
+static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
         {
-        BN_CTX ctx;
+        BN_CTX *ctx;
         BN_MONT_CTX *mont;
         BIGNUM *tmp;
         int ret= -1;
 
-        BN_CTX_init(&ctx);
-        BN_CTX_start(&ctx);
-        tmp = BN_CTX_get(&ctx);
+        ctx = BN_CTX_new();
+        if (ctx == NULL) goto err;
+        BN_CTX_start(ctx);
+        tmp = BN_CTX_get(ctx);
         
         if (dh->priv_key == NULL)
                 {
@@ -170,12 +177,11 @@ static int compute_key(unsigned char *key, BIGNUM *pub_key, DH *dh)
                 {
                 if ((dh->method_mont_p=(char *)BN_MONT_CTX_new()) != NULL)
                         if (!BN_MONT_CTX_set((BN_MONT_CTX *)dh->method_mont_p,
-                                dh->p,&ctx)) goto err;
+                                dh->p,ctx)) goto err;
                 }
 
         mont=(BN_MONT_CTX *)dh->method_mont_p;
-        if (!ENGINE_get_DH(dh->engine)->bn_mod_exp(dh, tmp, pub_key,
-                                dh->priv_key,dh->p,&ctx,mont))
+        if (!dh->meth->bn_mod_exp(dh, tmp, pub_key, dh->priv_key,dh->p,ctx,mont))
                 {
                 DHerr(DH_F_DH_COMPUTE_KEY,ERR_R_BN_LIB);
                 goto err;
@@ -183,12 +189,13 @@ static int compute_key(unsigned char *key, BIGNUM *pub_key, DH *dh)
 
         ret=BN_bn2bin(tmp,key);
 err:
-        BN_CTX_end(&ctx);
-        BN_CTX_free(&ctx);
+        BN_CTX_end(ctx);
+        BN_CTX_free(ctx);
         return(ret);
         }
 
-static int dh_bn_mod_exp(DH *dh, BIGNUM *r, BIGNUM *a, const BIGNUM *p,
+static int dh_bn_mod_exp(const DH *dh, BIGNUM *r,
+                        const BIGNUM *a, const BIGNUM *p,
                         const BIGNUM *m, BN_CTX *ctx,
                         BN_MONT_CTX *m_ctx)
         {
diff --git a/src/lib/libcrypto/dh/dh_lib.c b/src/lib/libcrypto/dh/dh_lib.c
index 96f118c153..ba5fd41057 100644
--- a/src/lib/libcrypto/dh/dh_lib.c
+++ b/src/lib/libcrypto/dh/dh_lib.c
@@ -64,95 +64,78 @@
 
 const char *DH_version="Diffie-Hellman" OPENSSL_VERSION_PTEXT;
 
-static DH_METHOD *default_DH_method;
-static int dh_meth_num = 0;
-static STACK_OF(CRYPTO_EX_DATA_FUNCS) *dh_meth = NULL;
-
-void DH_set_default_openssl_method(DH_METHOD *meth)
-{
-        ENGINE *e;
-        /* We'll need to notify the "openssl" ENGINE of this
-         * change too. We won't bother locking things down at
-         * our end as there was never any locking in these
-         * functions! */
-        if(default_DH_method != meth)
-                {
-                default_DH_method = meth;
-                e = ENGINE_by_id("openssl");
-                if(e)
-                        {
-                        ENGINE_set_DH(e, meth);
-                        ENGINE_free(e);
-                        }
-                }
-}
+static const DH_METHOD *default_DH_method = NULL;
+
+void DH_set_default_method(const DH_METHOD *meth)
+        {
+        default_DH_method = meth;
+        }
 
-DH_METHOD *DH_get_default_openssl_method(void)
-{
-        if(!default_DH_method) default_DH_method = DH_OpenSSL();
+const DH_METHOD *DH_get_default_method(void)
+        {
+        if(!default_DH_method)
+                default_DH_method = DH_OpenSSL();
         return default_DH_method;
-}
+        }
 
-#if 0
-DH_METHOD *DH_set_method(DH *dh, DH_METHOD *meth)
-{
-        DH_METHOD *mtmp;
+int DH_set_method(DH *dh, const DH_METHOD *meth)
+        {
+        /* NB: The caller is specifically setting a method, so it's not up to us
+         * to deal with which ENGINE it comes from. */
+        const DH_METHOD *mtmp;
         mtmp = dh->meth;
         if (mtmp->finish) mtmp->finish(dh);
+        if (dh->engine)
+                {
+                ENGINE_finish(dh->engine);
+                dh->engine = NULL;
+                }
         dh->meth = meth;
         if (meth->init) meth->init(dh);
-        return mtmp;
-}
-#else
-int DH_set_method(DH *dh, ENGINE *engine)
-{
-        ENGINE *mtmp;
-        DH_METHOD *meth;
-        mtmp = dh->engine;
-        meth = ENGINE_get_DH(mtmp);
-        if (!ENGINE_init(engine))
-                return 0;
-        if (meth->finish) meth->finish(dh);
-        dh->engine= engine;
-        meth = ENGINE_get_DH(engine);
-        if (meth->init) meth->init(dh);
-        /* SHOULD ERROR CHECK THIS!!! */
-        ENGINE_finish(mtmp);
-        return 1;
-}
-#endif
+        return 1;
+        }
 
 DH *DH_new(void)
-{
+        {
         return DH_new_method(NULL);
-}
+        }
 
-#if 0
-DH *DH_new_method(DH_METHOD *meth)
-#else
 DH *DH_new_method(ENGINE *engine)
-#endif
         {
-        DH_METHOD *meth;
         DH *ret;
-        ret=(DH *)OPENSSL_malloc(sizeof(DH));
 
+        ret=(DH *)OPENSSL_malloc(sizeof(DH));
         if (ret == NULL)
                 {
-                DHerr(DH_F_DH_NEW,ERR_R_MALLOC_FAILURE);
+                DHerr(DH_F_DH_NEW_METHOD,ERR_R_MALLOC_FAILURE);
                 return(NULL);
                 }
-        if(engine)
+
+        ret->meth = DH_get_default_method();
+        if (engine)
+                {
+                if (!ENGINE_init(engine))
+                        {
+                        DHerr(DH_F_DH_NEW_METHOD, ERR_R_ENGINE_LIB);
+                        OPENSSL_free(ret);
+                        return NULL;
+                        }
                 ret->engine = engine;
+                }
         else
+                ret->engine = ENGINE_get_default_DH();
+        if(ret->engine)
                 {
-                if((ret->engine=ENGINE_get_default_DH()) == NULL)
+                ret->meth = ENGINE_get_DH(ret->engine);
+                if(!ret->meth)
                         {
+                        DHerr(DH_F_DH_NEW_METHOD,ERR_R_ENGINE_LIB);
+                        ENGINE_finish(ret->engine);
                         OPENSSL_free(ret);
                         return NULL;
                         }
                 }
-        meth = ENGINE_get_DH(ret->engine);
+
         ret->pad=0;
         ret->version=0;
         ret->p=NULL;
@@ -167,11 +150,13 @@ DH *DH_new_method(ENGINE *engine)
         ret->counter = NULL;
         ret->method_mont_p=NULL;
         ret->references = 1;
-        ret->flags=meth->flags;
-        CRYPTO_new_ex_data(dh_meth,ret,&ret->ex_data);
-        if ((meth->init != NULL) && !meth->init(ret))
+        ret->flags=ret->meth->flags;
+        CRYPTO_new_ex_data(CRYPTO_EX_INDEX_DH, ret, &ret->ex_data);
+        if ((ret->meth->init != NULL) && !ret->meth->init(ret))
                 {
-                CRYPTO_free_ex_data(dh_meth,ret,&ret->ex_data);
+                if (ret->engine)
+                        ENGINE_finish(ret->engine);
+                CRYPTO_free_ex_data(CRYPTO_EX_INDEX_DH, ret, &ret->ex_data);
                 OPENSSL_free(ret);
                 ret=NULL;
                 }
@@ -180,7 +165,6 @@ DH *DH_new_method(ENGINE *engine)
 
 void DH_free(DH *r)
         {
-        DH_METHOD *meth;
         int i;
         if(r == NULL) return;
         i = CRYPTO_add(&r->references, -1, CRYPTO_LOCK_DH);
@@ -196,11 +180,12 @@ void DH_free(DH *r)
         }
 #endif
 
-        meth = ENGINE_get_DH(r->engine);
-        if(meth->finish) meth->finish(r);
-        ENGINE_finish(r->engine);
+        if (r->meth->finish)
+                r->meth->finish(r);
+        if (r->engine)
+                ENGINE_finish(r->engine);
 
-        CRYPTO_free_ex_data(dh_meth, r, &r->ex_data);
+        CRYPTO_free_ex_data(CRYPTO_EX_INDEX_DH, r, &r->ex_data);
 
         if (r->p != NULL) BN_clear_free(r->p);
         if (r->g != NULL) BN_clear_free(r->g);
@@ -213,12 +198,27 @@ void DH_free(DH *r)
         OPENSSL_free(r);
         }
 
+int DH_up_ref(DH *r)
+        {
+        int i = CRYPTO_add(&r->references, 1, CRYPTO_LOCK_DH);
+#ifdef REF_PRINT
+        REF_PRINT("DH",r);
+#endif
+#ifdef REF_CHECK
+        if (i < 2)
+                {
+                fprintf(stderr, "DH_up, bad reference count\n");
+                abort();
+                }
+#endif
+        return ((i > 1) ? 1 : 0);
+        }
+
 int DH_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
              CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func)
         {
-        dh_meth_num++;
-        return(CRYPTO_get_ex_new_index(dh_meth_num-1,
-                &dh_meth,argl,argp,new_func,dup_func,free_func));
+        return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_DH, argl, argp,
+                                new_func, dup_func, free_func);
         }
 
 int DH_set_ex_data(DH *d, int idx, void *arg)
@@ -231,7 +231,7 @@ void *DH_get_ex_data(DH *d, int idx)
         return(CRYPTO_get_ex_data(&d->ex_data,idx));
         }
 
-int DH_size(DH *dh)
+int DH_size(const DH *dh)
         {
         return(BN_num_bytes(dh->p));
         }
diff --git a/src/lib/libcrypto/dh/dhtest.c b/src/lib/libcrypto/dh/dhtest.c
index f0151253d7..34894ced73 100644
--- a/src/lib/libcrypto/dh/dhtest.c
+++ b/src/lib/libcrypto/dh/dhtest.c
@@ -59,15 +59,16 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
-#ifdef WINDOWS
+#ifdef OPENSSL_SYS_WINDOWS
 #include "../bio/bss_file.c" 
 #endif
 #include <openssl/crypto.h>
 #include <openssl/bio.h>
 #include <openssl/bn.h>
 #include <openssl/rand.h>
+#include <openssl/err.h>
 
-#ifdef NO_DH
+#ifdef OPENSSL_NO_DH
 int main(int argc, char *argv[])
 {
     printf("No DH support\n");
@@ -76,14 +77,14 @@ int main(int argc, char *argv[])
 #else
 #include <openssl/dh.h>
 
-#ifdef WIN16
+#ifdef OPENSSL_SYS_WIN16
 #define MS_CALLBACK     _far _loadds
 #else
 #define MS_CALLBACK
 #endif
 
 static void MS_CALLBACK cb(int p, int n, void *arg);
-#ifdef NO_STDIO
+#ifdef OPENSSL_NO_STDIO
 #define APPS_WIN16
 #include "bss_file.c"
 #endif
@@ -99,7 +100,11 @@ int main(int argc, char *argv[])
         int i,alen,blen,aout,bout,ret=1;
         BIO *out;
 
-#ifdef WIN32
+        CRYPTO_malloc_debug_init();
+        CRYPTO_dbg_set_options(V_CRYPTO_MDEBUG_ALL);
+        CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
+
+#ifdef OPENSSL_SYS_WIN32
         CRYPTO_malloc_init();
 #endif
 
@@ -112,6 +117,16 @@ int main(int argc, char *argv[])
         a=DH_generate_parameters(64,DH_GENERATOR_5,cb,out);
         if (a == NULL) goto err;
 
+        if (!DH_check(a, &i)) goto err;
+        if (i & DH_CHECK_P_NOT_PRIME)
+                BIO_puts(out, "p value is not prime\n");
+        if (i & DH_CHECK_P_NOT_SAFE_PRIME)
+                BIO_puts(out, "p value is not a safe prime\n");
+        if (i & DH_UNABLE_TO_CHECK_GENERATOR)
+                BIO_puts(out, "unable to check the generator value\n");
+        if (i & DH_NOT_SUITABLE_GENERATOR)
+                BIO_puts(out, "the g value is not a generator\n");
+
         BIO_puts(out,"\np    =");
         BN_print(out,a->p);
         BIO_puts(out,"\ng    =");
@@ -170,11 +185,16 @@ int main(int argc, char *argv[])
         else
                 ret=0;
 err:
+        ERR_print_errors_fp(stderr);
+
         if (abuf != NULL) OPENSSL_free(abuf);
         if (bbuf != NULL) OPENSSL_free(bbuf);
         if(b != NULL) DH_free(b);
         if(a != NULL) DH_free(a);
         BIO_free(out);
+        CRYPTO_cleanup_all_ex_data();
+        ERR_remove_state(0);
+        CRYPTO_mem_leaks_fp(stderr);
         exit(ret);
         return(ret);
         }
diff --git a/src/lib/libcrypto/doc/DH_set_method.pod b/src/lib/libcrypto/doc/DH_set_method.pod
index 62088eea1b..d990bf8786 100644
--- a/src/lib/libcrypto/doc/DH_set_method.pod
+++ b/src/lib/libcrypto/doc/DH_set_method.pod
@@ -82,8 +82,8 @@ the default engine for Diffie-Hellman opertaions is used.
 
 =head1 RETURN VALUES
 
-DH_OpenSSL() and DH_get_default_method() return pointers to the respective
-DH_METHODs.
+DH_OpenSSL() and DH_get_default_openssl_method() return pointers to the
+respective B<DH_METHOD>s.
 
 DH_set_default_openssl_method() returns no value.
 
diff --git a/src/lib/libcrypto/doc/DSA_set_method.pod b/src/lib/libcrypto/doc/DSA_set_method.pod
index c56dfd0f47..36a1052d27 100644
--- a/src/lib/libcrypto/doc/DSA_set_method.pod
+++ b/src/lib/libcrypto/doc/DSA_set_method.pod
@@ -90,7 +90,7 @@ struct
 =head1 RETURN VALUES
 
 DSA_OpenSSL() and DSA_get_default_openssl_method() return pointers to the
-respective DSA_METHODs.
+respective B<DSA_METHOD>s.
 
 DSA_set_default_openssl_method() returns no value.
 
diff --git a/src/lib/libcrypto/doc/ERR_get_error.pod b/src/lib/libcrypto/doc/ERR_get_error.pod
index 3551bacb8d..9fdedbcb91 100644
--- a/src/lib/libcrypto/doc/ERR_get_error.pod
+++ b/src/lib/libcrypto/doc/ERR_get_error.pod
@@ -2,8 +2,10 @@
 
 =head1 NAME
 
-ERR_get_error, ERR_peek_error, ERR_get_error_line, ERR_peek_error_line,
-ERR_get_error_line_data, ERR_peek_error_line_data - obtain error code and data
+ERR_get_error, ERR_peek_error, ERR_peek_last_error,
+ERR_get_error_line, ERR_peek_error_line, ERR_peek_last_error_line,
+ERR_get_error_line_data, ERR_peek_error_line_data,
+ERR_peek_error_line_data - obtain error code and data
 
 =head1 SYNOPSIS
 
@@ -11,22 +13,29 @@ ERR_get_error_line_data, ERR_peek_error_line_data - obtain error code and data
 
  unsigned long ERR_get_error(void);
  unsigned long ERR_peek_error(void);
+ unsigned long ERR_peek_last_error(void);
 
  unsigned long ERR_get_error_line(const char **file, int *line);
  unsigned long ERR_peek_error_line(const char **file, int *line);
+ unsigned long ERR_peek_last_error_line(const char **file, int *line);
 
  unsigned long ERR_get_error_line_data(const char **file, int *line,
          const char **data, int *flags);
  unsigned long ERR_peek_error_line_data(const char **file, int *line,
          const char **data, int *flags);
+ unsigned long ERR_peek_last_error_line_data(const char **file, int *line,
+         const char **data, int *flags);
 
 =head1 DESCRIPTION
 
-ERR_get_error() returns the last error code from the thread's error
+ERR_get_error() returns the earliest error code from the thread's error
 queue and removes the entry. This function can be called repeatedly
 until there are no more error codes to return.
 
-ERR_peek_error() returns the last error code from the thread's
+ERR_peek_error() returns the earliest error code from the thread's
+error queue without modifying it.
+
+ERR_peek_last_error() returns the latest error code from the thread's
 error queue without modifying it.
 
 See L<ERR_GET_LIB(3)|ERR_GET_LIB(3)> for obtaining information about
@@ -34,12 +43,14 @@ location and reason of the error, and
 L<ERR_error_string(3)|ERR_error_string(3)> for human-readable error
 messages.
 
-ERR_get_error_line() and ERR_peek_error_line() are the same as the
-above, but they additionally store the file name and line number where
+ERR_get_error_line(), ERR_peek_error_line() and
+ERR_peek_last_error_line() are the same as the above, but they
+additionally store the file name and line number where
 the error occurred in *B<file> and *B<line>, unless these are B<NULL>.
 
-ERR_get_error_line_data() and ERR_peek_error_line_data() store
-additional data and flags associated with the error code in *B<data>
+ERR_get_error_line_data(), ERR_peek_error_line_data() and
+ERR_get_last_error_line_data() store additional data and flags
+associated with the error code in *B<data>
 and *B<flags>, unless these are B<NULL>. *B<data> contains a string
 if *B<flags>&B<ERR_TXT_STRING>. If it has been allocated by OPENSSL_malloc(),
 *B<flags>&B<ERR_TXT_MALLOCED> is true.
@@ -59,5 +70,7 @@ ERR_get_error(), ERR_peek_error(), ERR_get_error_line() and
 ERR_peek_error_line() are available in all versions of SSLeay and
 OpenSSL. ERR_get_error_line_data() and ERR_peek_error_line_data()
 were added in SSLeay 0.9.0.
+ERR_peek_last_error(), ERR_peek_last_error_line() and
+ERR_peek_last_error_line_data() were added in OpenSSL 0.9.7.
 
 =cut
diff --git a/src/lib/libcrypto/doc/EVP_BytesToKey.pod b/src/lib/libcrypto/doc/EVP_BytesToKey.pod
new file mode 100644
index 0000000000..5ce4add082
--- /dev/null
+++ b/src/lib/libcrypto/doc/EVP_BytesToKey.pod
@@ -0,0 +1,67 @@
+=pod
+
+=head1 NAME
+
+ EVP_BytesToKey - password based encryption routine
+
+=head1 SYNOPSIS
+
+ #include <openssl/evp.h>
+
+ int EVP_BytesToKey(const EVP_CIPHER *type,const EVP_MD *md,
+                       const unsigned char *salt,
+                       const unsigned char *data, int datal, int count,
+                       unsigned char *key,unsigned char *iv);
+
+=head1 DESCRIPTION
+
+EVP_BytesToKey() derives a key and IV from various parameters. B<type> is
+the cipher to derive the key and IV for. B<md> is the message digest to use.
+The B<salt> paramter is used as a salt in the derivation: it should point to
+an 8 byte buffer or NULL if no salt is used. B<data> is a buffer containing
+B<datal> bytes which is used to derive the keying data. B<count> is the
+iteration count to use. The derived key and IV will be written to B<key>
+and B<iv> respectively.
+
+=head1 NOTES
+
+A typical application of this function is to derive keying material for an
+encryption algorithm from a password in the B<data> parameter.
+
+Increasing the B<count> parameter slows down the algorithm which makes it
+harder for an attacker to peform a brute force attack using a large number
+of candidate passwords.
+
+If the total key and IV length is less than the digest length and
+B<MD5> is used then the derivation algorithm is compatible with PKCS#5 v1.5
+otherwise a non standard extension is used to derive the extra data.
+
+Newer applications should use more standard algorithms such as PKCS#5
+v2.0 for key derivation.
+
+=head1 KEY DERIVATION ALGORITHM
+
+The key and IV is derived by concatenating D_1, D_2, etc until
+enough data is available for the key and IV. D_i is defined as:
+
+        D_i = HASH^count(D_(i-1) || data || salt)
+
+where || denotes concatentaion, D_0 is empty, HASH is the digest
+algorithm in use, HASH^1(data) is simply HASH(data), HASH^2(data)
+is HASH(HASH(data)) and so on.
+
+The initial bytes are used for the key and the subsequent bytes for
+the IV.
+
+=head1 RETURN VALUES
+
+EVP_BytesToKey() returns the size of the derived key in bytes.
+
+=head1 SEE ALSO
+
+L<evp(3)|evp(3)>, L<rand(3)|rand(3)>,
+L<EVP_EncryptInit(3)|EVP_EncryptInit(3)>,
+
+=head1 HISTORY
+
+=cut
diff --git a/src/lib/libcrypto/doc/EVP_DigestInit.pod b/src/lib/libcrypto/doc/EVP_DigestInit.pod
index fefc858f7e..acd4d0167a 100644
--- a/src/lib/libcrypto/doc/EVP_DigestInit.pod
+++ b/src/lib/libcrypto/doc/EVP_DigestInit.pod
@@ -2,9 +2,10 @@
 
 =head1 NAME
 
-EVP_DigestInit, EVP_DigestUpdate, EVP_DigestFinal, EVP_MAX_MD_SIZE,
-EVP_MD_CTX_copy, EVP_MD_type, EVP_MD_pkey_type, EVP_MD_size, EVP_MD_block_size,
-EVP_MD_CTX_md, EVP_MD_CTX_size, EVP_MD_CTX_block_size, EVP_MD_CTX_type,
+EVP_MD_CTX_init, EVP_MD_CTX_create, EVP_DigestInit_ex, EVP_DigestUpdate,
+EVP_DigestFinal_ex, EVP_MD_CTX_cleanup, EVP_MD_CTX_destroy, EVP_MAX_MD_SIZE,
+EVP_MD_CTX_copy_ex EVP_MD_CTX_copy, EVP_MD_type, EVP_MD_pkey_type, EVP_MD_size,
+EVP_MD_block_size, EVP_MD_CTX_md, EVP_MD_CTX_size, EVP_MD_CTX_block_size, EVP_MD_CTX_type,
 EVP_md_null, EVP_md2, EVP_md5, EVP_sha, EVP_sha1, EVP_dss, EVP_dss1, EVP_mdc2,
 EVP_ripemd160, EVP_get_digestbyname, EVP_get_digestbynid, EVP_get_digestbyobj -
 EVP digest routines
@@ -13,15 +14,28 @@ EVP digest routines
 
  #include <openssl/evp.h>
 
- void EVP_DigestInit(EVP_MD_CTX *ctx, const EVP_MD *type);
- void EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *d, unsigned int cnt);
- void EVP_DigestFinal(EVP_MD_CTX *ctx, unsigned char *md,
+ void EVP_MD_CTX_init(EVP_MD_CTX *ctx);
+ EVP_MD_CTX *EVP_MD_CTX_create(void);
+
+ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl);
+ int EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *d, unsigned int cnt);
+ int EVP_DigestFinal_ex(EVP_MD_CTX *ctx, unsigned char *md,
         unsigned int *s);
 
- #define EVP_MAX_MD_SIZE (16+20) /* The SSLv3 md5+sha1 type */
+ int EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx);
+ void EVP_MD_CTX_destroy(EVP_MD_CTX *ctx);
+
+ int EVP_MD_CTX_copy_ex(EVP_MD_CTX *out,const EVP_MD_CTX *in);  
+
+ int EVP_DigestInit(EVP_MD_CTX *ctx, const EVP_MD *type);
+ int EVP_DigestFinal(EVP_MD_CTX *ctx, unsigned char *md,
+        unsigned int *s);
 
  int EVP_MD_CTX_copy(EVP_MD_CTX *out,EVP_MD_CTX *in);  
 
+ #define EVP_MAX_MD_SIZE (16+20) /* The SSLv3 md5+sha1 type */
+
+
  #define EVP_MD_type(e)                 ((e)->type)
  #define EVP_MD_pkey_type(e)            ((e)->pkey_type)
  #define EVP_MD_size(e)                 ((e)->md_size)
@@ -32,15 +46,15 @@ EVP digest routines
  #define EVP_MD_CTX_block_size(e)       EVP_MD_block_size((e)->digest)
  #define EVP_MD_CTX_type(e)             EVP_MD_type((e)->digest)
 
- EVP_MD *EVP_md_null(void);
- EVP_MD *EVP_md2(void);
- EVP_MD *EVP_md5(void);
- EVP_MD *EVP_sha(void);
- EVP_MD *EVP_sha1(void);
- EVP_MD *EVP_dss(void);
- EVP_MD *EVP_dss1(void);
- EVP_MD *EVP_mdc2(void);
- EVP_MD *EVP_ripemd160(void);
+ const EVP_MD *EVP_md_null(void);
+ const EVP_MD *EVP_md2(void);
+ const EVP_MD *EVP_md5(void);
+ const EVP_MD *EVP_sha(void);
+ const EVP_MD *EVP_sha1(void);
+ const EVP_MD *EVP_dss(void);
+ const EVP_MD *EVP_dss1(void);
+ const EVP_MD *EVP_mdc2(void);
+ const EVP_MD *EVP_ripemd160(void);
 
  const EVP_MD *EVP_get_digestbyname(const char *name);
  #define EVP_get_digestbynid(a) EVP_get_digestbyname(OBJ_nid2sn(a))
@@ -50,25 +64,48 @@ EVP digest routines
 
 The EVP digest routines are a high level interface to message digests.
 
-EVP_DigestInit() initializes a digest context B<ctx> to use a digest
-B<type>: this will typically be supplied by a function such as
-EVP_sha1().
+EVP_MD_CTX_init() initializes digest contet B<ctx>.
+
+EVP_MD_CTX_create() allocates, initializes and returns a digest contet.
+
+EVP_DigestInit_ex() sets up digest context B<ctx> to use a digest
+B<type> from ENGINE B<impl>. B<ctx> must be initialized before calling this
+function. B<type> will typically be supplied by a functionsuch as EVP_sha1().
+If B<impl> is NULL then the default implementation of digest B<type> is used.
 
 EVP_DigestUpdate() hashes B<cnt> bytes of data at B<d> into the
 digest context B<ctx>. This function can be called several times on the
 same B<ctx> to hash additional data.
 
-EVP_DigestFinal() retrieves the digest value from B<ctx> and places
+EVP_DigestFinal_ex() retrieves the digest value from B<ctx> and places
 it in B<md>. If the B<s> parameter is not NULL then the number of
 bytes of data written (i.e. the length of the digest) will be written
 to the integer at B<s>, at most B<EVP_MAX_MD_SIZE> bytes will be written.
-After calling EVP_DigestFinal() no additional calls to EVP_DigestUpdate()
-can be made, but EVP_DigestInit() can be called to initialize a new
+After calling EVP_DigestFinal_ex() no additional calls to EVP_DigestUpdate()
+can be made, but EVP_DigestInit_ex() can be called to initialize a new
 digest operation.
 
-EVP_MD_CTX_copy() can be used to copy the message digest state from
+EVP_MD_CTX_cleanup() cleans up digest context B<ctx>, it should be called
+after a digest context is no longer needed.
+
+EVP_MD_CTX_destroy() cleans up digest context B<ctx> and frees up the
+space allocated to it, it should be called only on a context created
+using EVP_MD_CTX_create().
+
+EVP_MD_CTX_copy_ex() can be used to copy the message digest state from
 B<in> to B<out>. This is useful if large amounts of data are to be
-hashed which only differ in the last few bytes.
+hashed which only differ in the last few bytes. B<out> must be initialized
+before calling this function.
+
+EVP_DigestInit() behaves in the same way as EVP_DigestInit_ex() except
+the passed context B<ctx> does not have to be initialized, and it always
+uses the default digest implementation.
+
+EVP_DigestFinal() is similar to EVP_DigestFinal_ex() except the digest
+contet B<ctx> is automatically cleaned up.
+
+EVP_MD_CTX_copy() is similar to EVP_MD_CTX_copy_ex() except the destination
+B<out> does not have to be initialized.
 
 EVP_MD_size() and EVP_MD_CTX_size() return the size of the message digest
 when passed an B<EVP_MD> or an B<EVP_MD_CTX> structure, i.e. the size of the
@@ -107,9 +144,10 @@ using, for example, OpenSSL_add_all_digests() for these functions to work.
 
 =head1 RETURN VALUES
 
-EVP_DigestInit(), EVP_DigestUpdate() and EVP_DigestFinal() do not return values.
+EVP_DigestInit_ex(), EVP_DigestUpdate() and EVP_DigestFinal_ex() return 1 for
+success and 0 for failure.
 
-EVP_MD_CTX_copy() returns 1 if successful or 0 for failure.
+EVP_MD_CTX_copy_ex() returns 1 if successful or 0 for failure.
 
 EVP_MD_type(), EVP_MD_pkey_type() and EVP_MD_type() return the NID of the
 corresponding OBJECT IDENTIFIER or NID_undef if none exists.
@@ -134,6 +172,19 @@ transparent to the digest used and much more flexible.
 SHA1 is the digest of choice for new applications. The other digest algorithms
 are still in common use.
 
+For most applications the B<impl> parameter to EVP_DigestInit_ex() will be
+set to NULL to use the default digest implementation.
+
+The functions EVP_DigestInit(), EVP_DigestFinal() and EVP_MD_CTX_copy() are 
+obsolete but are retained to maintain compatibility with existing code. New
+applications should use EVP_DigestInit_ex(), EVP_DigestFinal_ex() and 
+EVP_MD_CTX_copy_ex() because they can efficiently reuse a digest context
+instead of initializing and cleaning it up on each call and allow non default
+implementations of digests to be specified.
+
+In OpenSSL 0.9.7 and later if digest contexts are not cleaned up after use
+memory leaks will occur. 
+
 =head1 EXAMPLE
 
 This example digests the data "Test Message\n" and "Hello World\n", using the
@@ -165,10 +216,12 @@ digest name passed on the command line.
         exit(1);
  }
 
- EVP_DigestInit(&mdctx, md);
+ EVP_MD_CTX_init(&mdctx);
+ EVP_DigestInit_ex(&mdctx, md, NULL);
  EVP_DigestUpdate(&mdctx, mess1, strlen(mess1));
  EVP_DigestUpdate(&mdctx, mess2, strlen(mess2));
- EVP_DigestFinal(&mdctx, md_value, &md_len);
+ EVP_DigestFinal_ex(&mdctx, md_value, &md_len);
+ EVP_MD_CTX_cleanup(&mdctx);
 
  printf("Digest is: ");
  for(i = 0; i < md_len; i++) printf("%02x", md_value[i]);
@@ -177,17 +230,10 @@ digest name passed on the command line.
 
 =head1 BUGS
 
-Several of the functions do not return values: maybe they should. Although the
-internal digest operations will never fail some future hardware based operations
-might.
-
 The link between digests and signing algorithms results in a situation where
 EVP_sha1() must be used with RSA and EVP_dss1() must be used with DSS
 even though they are identical digests.
 
-The size of an B<EVP_MD_CTX> structure is determined at compile time: this results
-in code that must be recompiled if the size of B<EVP_MD_CTX> increases.
-
 =head1 SEE ALSO
 
 L<evp(3)|evp(3)>, L<HMAC(3)|HMAC(3)>, L<MD2(3)|MD2(3)>,
@@ -199,4 +245,7 @@ L<SHA1(3)|SHA1(3)>
 EVP_DigestInit(), EVP_DigestUpdate() and EVP_DigestFinal() are
 available in all versions of SSLeay and OpenSSL.
 
+EVP_DigestInit_ex(), EVP_DigestFinal_ex() and EVP_MD_CTX_copy_ex()
+were added in OpenSSL 0.9.7.
+
 =cut
diff --git a/src/lib/libcrypto/doc/EVP_EncryptInit.pod b/src/lib/libcrypto/doc/EVP_EncryptInit.pod
index 9afe2396e2..371b6a2287 100644
--- a/src/lib/libcrypto/doc/EVP_EncryptInit.pod
+++ b/src/lib/libcrypto/doc/EVP_EncryptInit.pod
@@ -2,43 +2,65 @@
 
 =head1 NAME
 
-EVP_EncryptInit, EVP_EncryptUpdate, EVP_EncryptFinal, EVP_DecryptInit,
-EVP_DecryptUpdate, EVP_DecryptFinal, EVP_CipherInit, EVP_CipherUpdate,
-EVP_CipherFinal, EVP_CIPHER_CTX_set_key_length, EVP_CIPHER_CTX_ctrl,
-EVP_CIPHER_CTX_cleanup, EVP_get_cipherbyname, EVP_get_cipherbynid,
-EVP_get_cipherbyobj, EVP_CIPHER_nid, EVP_CIPHER_block_size,
-EVP_CIPHER_key_length, EVP_CIPHER_iv_length, EVP_CIPHER_flags,
-EVP_CIPHER_mode, EVP_CIPHER_type, EVP_CIPHER_CTX_cipher, EVP_CIPHER_CTX_nid,
-EVP_CIPHER_CTX_block_size, EVP_CIPHER_CTX_key_length, EVP_CIPHER_CTX_iv_length,
-EVP_CIPHER_CTX_get_app_data, EVP_CIPHER_CTX_set_app_data, EVP_CIPHER_CTX_type,
-EVP_CIPHER_CTX_flags, EVP_CIPHER_CTX_mode, EVP_CIPHER_param_to_asn1,
-EVP_CIPHER_asn1_to_param - EVP cipher routines
+EVP_CIPHER_CTX_init, EVP_EncryptInit_ex, EVP_EncryptUpdate,
+EVP_EncryptFinal_ex, EVP_DecryptInit_ex, EVP_DecryptUpdate,
+EVP_DecryptFinal_ex, EVP_CipherInit_ex, EVP_CipherUpdate,
+EVP_CipherFinal_ex, EVP_CIPHER_CTX_set_key_length,
+EVP_CIPHER_CTX_ctrl, EVP_CIPHER_CTX_cleanup, EVP_EncryptInit,
+EVP_EncryptFinal, EVP_DecryptInit, EVP_DecryptFinal,
+EVP_CipherInit, EVP_CipherFinal, EVP_get_cipherbyname,
+EVP_get_cipherbynid, EVP_get_cipherbyobj, EVP_CIPHER_nid,
+EVP_CIPHER_block_size, EVP_CIPHER_key_length, EVP_CIPHER_iv_length,
+EVP_CIPHER_flags, EVP_CIPHER_mode, EVP_CIPHER_type, EVP_CIPHER_CTX_cipher,
+EVP_CIPHER_CTX_nid, EVP_CIPHER_CTX_block_size, EVP_CIPHER_CTX_key_length,
+EVP_CIPHER_CTX_iv_length, EVP_CIPHER_CTX_get_app_data,
+EVP_CIPHER_CTX_set_app_data, EVP_CIPHER_CTX_type, EVP_CIPHER_CTX_flags,
+EVP_CIPHER_CTX_mode, EVP_CIPHER_param_to_asn1, EVP_CIPHER_asn1_to_param,
+EVP_CIPHER_CTX_set_padding - EVP cipher routines
 
 =head1 SYNOPSIS
 
  #include <openssl/evp.h>
 
- int EVP_EncryptInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
-         unsigned char *key, unsigned char *iv);
+ int EVP_CIPHER_CTX_init(EVP_CIPHER_CTX *a);
+
+ int EVP_EncryptInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
+         ENGINE *impl, unsigned char *key, unsigned char *iv);
  int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out,
          int *outl, unsigned char *in, int inl);
+ int EVP_EncryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out,
+         int *outl);
+
+ int EVP_DecryptInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
+         ENGINE *impl, unsigned char *key, unsigned char *iv);
+ int EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out,
+         int *outl, unsigned char *in, int inl);
+ int EVP_DecryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *outm,
+         int *outl);
+
+ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
+         ENGINE *impl, unsigned char *key, unsigned char *iv, int enc);
+ int EVP_CipherUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out,
+         int *outl, unsigned char *in, int inl);
+ int EVP_CipherFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *outm,
+         int *outl);
+
+ int EVP_EncryptInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
+         unsigned char *key, unsigned char *iv);
  int EVP_EncryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *out,
          int *outl);
 
  int EVP_DecryptInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
          unsigned char *key, unsigned char *iv);
- int EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out,
-         int *outl, unsigned char *in, int inl);
  int EVP_DecryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *outm,
          int *outl);
 
  int EVP_CipherInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
          unsigned char *key, unsigned char *iv, int enc);
- int EVP_CipherUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out,
-         int *outl, unsigned char *in, int inl);
  int EVP_CipherFinal(EVP_CIPHER_CTX *ctx, unsigned char *outm,
          int *outl);
 
+ int EVP_CIPHER_CTX_set_padding(EVP_CIPHER_CTX *x, int padding);
  int EVP_CIPHER_CTX_set_key_length(EVP_CIPHER_CTX *x, int keylen);
  int EVP_CIPHER_CTX_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr);
  int EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *a);
@@ -74,14 +96,19 @@ EVP_CIPHER_asn1_to_param - EVP cipher routines
 The EVP cipher routines are a high level interface to certain
 symmetric ciphers.
 
-EVP_EncryptInit() initializes a cipher context B<ctx> for encryption
-with cipher B<type>. B<type> is normally supplied by a function such
-as EVP_des_cbc() . B<key> is the symmetric key to use and B<iv> is the
-IV to use (if necessary), the actual number of bytes used for the
-key and IV depends on the cipher. It is possible to set all parameters
-to NULL except B<type> in an initial call and supply the remaining
-parameters in subsequent calls, all of which have B<type> set to NULL.
-This is done when the default cipher parameters are not appropriate.
+EVP_CIPHER_CTX_init() initializes cipher contex B<ctx>.
+
+EVP_EncryptInit_ex() sets up cipher context B<ctx> for encryption
+with cipher B<type> from ENGINE B<impl>. B<ctx> must be initialized
+before calling this function. B<type> is normally supplied
+by a function such as EVP_des_cbc(). If B<impl> is NULL then the
+default implementation is used. B<key> is the symmetric key to use
+and B<iv> is the IV to use (if necessary), the actual number of bytes
+used for the key and IV depends on the cipher. It is possible to set
+all parameters to NULL except B<type> in an initial call and supply
+the remaining parameters in subsequent calls, all of which have B<type>
+set to NULL. This is done when the default cipher parameters are not
+appropriate.
 
 EVP_EncryptUpdate() encrypts B<inl> bytes from the buffer B<in> and
 writes the encrypted version to B<out>. This function can be called
@@ -89,32 +116,49 @@ multiple times to encrypt successive blocks of data. The amount
 of data written depends on the block alignment of the encrypted data:
 as a result the amount of data written may be anything from zero bytes
 to (inl + cipher_block_size - 1) so B<outl> should contain sufficient
-room.  The actual number of bytes written is placed in B<outl>.
+room. The actual number of bytes written is placed in B<outl>.
+
+If padding is enabled (the default) then EVP_EncryptFinal_ex() encrypts
+the "final" data, that is any data that remains in a partial block.
+It uses L<standard block padding|/NOTES> (aka PKCS padding). The encrypted
+final data is written to B<out> which should have sufficient space for
+one cipher block. The number of bytes written is placed in B<outl>. After
+this function is called the encryption operation is finished and no further
+calls to EVP_EncryptUpdate() should be made.
 
-EVP_EncryptFinal() encrypts the "final" data, that is any data that
-remains in a partial block. It uses L<standard block padding|/NOTES> (aka PKCS
-padding). The encrypted final data is written to B<out> which should
-have sufficient space for one cipher block. The number of bytes written
-is placed in B<outl>. After this function is called the encryption operation
-is finished and no further calls to EVP_EncryptUpdate() should be made.
+If padding is disabled then EVP_EncryptFinal_ex() will not encrypt any more
+data and it will return an error if any data remains in a partial block:
+that is if the total data length is not a multiple of the block size. 
 
-EVP_DecryptInit(), EVP_DecryptUpdate() and EVP_DecryptFinal() are the
+EVP_DecryptInit_ex(), EVP_DecryptUpdate() and EVP_DecryptFinal_ex() are the
 corresponding decryption operations. EVP_DecryptFinal() will return an
-error code if the final block is not correctly formatted. The parameters
-and restrictions are identical to the encryption operations except that
-the decrypted data buffer B<out> passed to EVP_DecryptUpdate() should
-have sufficient room for (B<inl> + cipher_block_size) bytes unless the
-cipher block size is 1 in which case B<inl> bytes is sufficient.
-
-EVP_CipherInit(), EVP_CipherUpdate() and EVP_CipherFinal() are functions
-that can be used for decryption or encryption. The operation performed
-depends on the value of the B<enc> parameter. It should be set to 1 for
-encryption, 0 for decryption and -1 to leave the value unchanged (the
-actual value of 'enc' being supplied in a previous call).
-
-EVP_CIPHER_CTX_cleanup() clears all information from a cipher context.
-It should be called after all operations using a cipher are complete
-so sensitive information does not remain in memory.
+error code if padding is enabled and the final block is not correctly
+formatted. The parameters and restrictions are identical to the encryption
+operations except that if padding is enabled the decrypted data buffer B<out>
+passed to EVP_DecryptUpdate() should have sufficient room for
+(B<inl> + cipher_block_size) bytes unless the cipher block size is 1 in
+which case B<inl> bytes is sufficient.
+
+EVP_CipherInit_ex(), EVP_CipherUpdate() and EVP_CipherFinal_ex() are
+functions that can be used for decryption or encryption. The operation
+performed depends on the value of the B<enc> parameter. It should be set
+to 1 for encryption, 0 for decryption and -1 to leave the value unchanged
+(the actual value of 'enc' being supplied in a previous call).
+
+EVP_CIPHER_CTX_cleanup() clears all information from a cipher context
+and free up any allocated memory associate with it. It should be called
+after all operations using a cipher are complete so sensitive information
+does not remain in memory.
+
+EVP_EncryptInit(), EVP_DecryptInit() and EVP_CipherInit() behave in a
+similar way to EVP_EncryptInit_ex(), EVP_DecryptInit_ex and
+EVP_CipherInit_ex() except the B<ctx> paramter does not need to be
+initialized and they always use the default cipher implementation.
+
+EVP_EncryptFinal(), EVP_DecryptFinal() and EVP_CipherFinal() behave in a
+similar way to EVP_EncryptFinal_ex(), EVP_DecryptFinal_ex() and
+EVP_CipherFinal_ex() except B<ctx> is automatically cleaned up 
+after the call.
 
 EVP_get_cipherbyname(), EVP_get_cipherbynid() and EVP_get_cipherbyobj()
 return an EVP_CIPHER structure when passed a cipher name, a NID or an
@@ -125,6 +169,13 @@ passed an B<EVP_CIPHER> or B<EVP_CIPHER_CTX> structure.  The actual NID
 value is an internal value which may not have a corresponding OBJECT
 IDENTIFIER.
 
+EVP_CIPHER_CTX_set_padding() enables or disables padding. By default
+encryption operations are padded using standard block padding and the
+padding is checked and removed when decrypting. If the B<pad> parameter
+is zero then no padding is performed, the total amount of data encrypted
+or decrypted must then be a multiple of the block size or an error will
+occur.
+
 EVP_CIPHER_key_length() and EVP_CIPHER_CTX_key_length() return the key
 length of a cipher when passed an B<EVP_CIPHER> or B<EVP_CIPHER_CTX>
 structure. The constant B<EVP_MAX_KEY_LENGTH> is the maximum key length
@@ -185,14 +236,14 @@ RC5 can be set.
 
 =head1 RETURN VALUES
 
-EVP_EncryptInit(), EVP_EncryptUpdate() and EVP_EncryptFinal() return 1 for success
-and 0 for failure.
+EVP_CIPHER_CTX_init, EVP_EncryptInit_ex(), EVP_EncryptUpdate() and
+EVP_EncryptFinal_ex() return 1 for success and 0 for failure.
 
-EVP_DecryptInit() and EVP_DecryptUpdate() return 1 for success and 0 for failure.
-EVP_DecryptFinal() returns 0 if the decrypt failed or 1 for success.
+EVP_DecryptInit_ex() and EVP_DecryptUpdate() return 1 for success and 0 for failure.
+EVP_DecryptFinal_ex() returns 0 if the decrypt failed or 1 for success.
 
-EVP_CipherInit() and EVP_CipherUpdate() return 1 for success and 0 for failure.
-EVP_CipherFinal() returns 1 for a decryption failure or 1 for success.
+EVP_CipherInit_ex() and EVP_CipherUpdate() return 1 for success and 0 for failure.
+EVP_CipherFinal_ex() returns 0 for a decryption failure or 1 for success.
 
 EVP_CIPHER_CTX_cleanup() returns 1 for success and 0 for failure.
 
@@ -207,6 +258,8 @@ size.
 EVP_CIPHER_key_length() and EVP_CIPHER_CTX_key_length() return the key
 length.
 
+EVP_CIPHER_CTX_set_padding() always returns 1.
+
 EVP_CIPHER_iv_length() and EVP_CIPHER_CTX_iv_length() return the IV
 length or zero if the cipher does not use an IV.
 
@@ -301,25 +354,26 @@ encrypted then 5 padding bytes of value 5 will be added.
 
 When decrypting the final block is checked to see if it has the correct form.
 
-Although the decryption operation can produce an error, it is not a strong
-test that the input data or key is correct. A random block has better than
-1 in 256 chance of being of the correct format and problems with the
-input data earlier on will not produce a final decrypt error.
+Although the decryption operation can produce an error if padding is enabled,
+it is not a strong test that the input data or key is correct. A random block
+has better than 1 in 256 chance of being of the correct format and problems with
+the input data earlier on will not produce a final decrypt error.
 
-The functions EVP_EncryptInit(), EVP_EncryptUpdate(), EVP_EncryptFinal(),
-EVP_DecryptInit(), EVP_DecryptUpdate(), EVP_CipherInit() and EVP_CipherUpdate()
-and EVP_CIPHER_CTX_cleanup() did not return errors in OpenSSL version 0.9.5a or
-earlier. Software only versions of encryption algorithms will never return
-error codes for these functions, unless there is a programming error (for example
-and attempt to set the key before the cipher is set in EVP_EncryptInit() ).
+If padding is disabled then the decryption operation will always succeed if
+the total amount of data decrypted is a multiple of the block size.
+
+The functions EVP_EncryptInit(), EVP_EncryptFinal(), EVP_DecryptInit(),
+EVP_CipherInit() and EVP_CipherFinal() are obsolete but are retained for
+compatibility with existing code. New code should use EVP_EncryptInit_ex(),
+EVP_EncryptFinal_ex(), EVP_DecryptInit_ex(), EVP_DecryptFinal_ex(),
+EVP_CipherInit_ex() and EVP_CipherFinal_ex() because they can reuse an
+existing context without allocating and freeing it up on each call.
 
 =head1 BUGS
 
 For RC5 the number of rounds can currently only be set to 8, 12 or 16. This is
 a limitation of the current RC5 code rather than the EVP interface.
 
-It should be possible to disable PKCS padding: currently it isn't.
-
 EVP_MAX_KEY_LENGTH and EVP_MAX_IV_LENGTH only refer to the internal ciphers with
 default key lengths. If custom ciphers exceed these values the results are
 unpredictable. This is because it has become standard practice to define a 
@@ -333,22 +387,113 @@ for certain common S/MIME ciphers (RC2, DES, triple DES) in CBC mode.
 Get the number of rounds used in RC5:
 
  int nrounds;
- EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GET_RC5_ROUNDS, 0, &i);
+ EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GET_RC5_ROUNDS, 0, &nrounds);
 
 Get the RC2 effective key length:
 
  int key_bits;
- EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GET_RC2_KEY_BITS, 0, &i);
+ EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GET_RC2_KEY_BITS, 0, &key_bits);
 
 Set the number of rounds used in RC5:
 
  int nrounds;
- EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_SET_RC5_ROUNDS, i, NULL);
+ EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_SET_RC5_ROUNDS, nrounds, NULL);
 
-Set the number of rounds used in RC2:
+Set the effective key length used in RC2:
+
+ int key_bits;
+ EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_SET_RC2_KEY_BITS, key_bits, NULL);
+
+Encrypt a string using blowfish:
+
+ int do_crypt(char *outfile)
+        {
+        unsigned char outbuf[1024];
+        int outlen, tmplen;
+        /* Bogus key and IV: we'd normally set these from
+         * another source.
+         */
+        unsigned char key[] = {0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15};
+        unsigned char iv[] = {1,2,3,4,5,6,7,8};
+        char intext[] = "Some Crypto Text";
+        EVP_CIPHER_CTX ctx;
+        FILE *out;
+        EVP_CIPHER_CTX_init(&ctx);
+        EVP_EncryptInit_ex(&ctx, NULL, EVP_bf_cbc(), key, iv);
+
+        if(!EVP_EncryptUpdate(&ctx, outbuf, &outlen, intext, strlen(intext)))
+                {
+                /* Error */
+                return 0;
+                }
+        /* Buffer passed to EVP_EncryptFinal() must be after data just
+         * encrypted to avoid overwriting it.
+         */
+        if(!EVP_EncryptFinal_ex(&ctx, outbuf + outlen, &tmplen))
+                {
+                /* Error */
+                return 0;
+                }
+        outlen += tmplen;
+        EVP_CIPHER_CTX_cleanup(&ctx);
+        /* Need binary mode for fopen because encrypted data is
+         * binary data. Also cannot use strlen() on it because
+         * it wont be null terminated and may contain embedded
+         * nulls.
+         */
+        out = fopen(outfile, "wb");
+        fwrite(outbuf, 1, outlen, out);
+        fclose(out);
+        return 1;
+        }
+
+The ciphertext from the above example can be decrypted using the B<openssl>
+utility with the command line:
+ 
+ S<openssl bf -in cipher.bin -K 000102030405060708090A0B0C0D0E0F -iv 0102030405060708 -d>
+
+General encryption, decryption function example using FILE I/O and RC2 with an
+80 bit key:
+
+ int do_crypt(FILE *in, FILE *out, int do_encrypt)
+        {
+        /* Allow enough space in output buffer for additional block */
+        inbuf[1024], outbuf[1024 + EVP_MAX_BLOCK_LENGTH];
+        int inlen, outlen;
+        /* Bogus key and IV: we'd normally set these from
+         * another source.
+         */
+        unsigned char key[] = "0123456789";
+        unsigned char iv[] = "12345678";
+        /* Don't set key or IV because we will modify the parameters */
+        EVP_CIPHER_CTX_init(&ctx);
+        EVP_CipherInit_ex(&ctx, EVP_rc2(), NULL, NULL, NULL, do_encrypt);
+        EVP_CIPHER_CTX_set_key_length(&ctx, 10);
+        /* We finished modifying parameters so now we can set key and IV */
+        EVP_CipherInit_ex(&ctx, NULL, NULL, key, iv, do_encrypt);
+
+        for(;;) 
+                {
+                inlen = fread(inbuf, 1, 1024, in);
+                if(inlen <= 0) break;
+                if(!EVP_CipherUpdate(&ctx, outbuf, &outlen, inbuf, inlen))
+                        {
+                        /* Error */
+                        return 0;
+                        }
+                fwrite(outbuf, 1, outlen, out);
+                }
+        if(!EVP_CipherFinal_ex(&ctx, outbuf, &outlen))
+                {
+                /* Error */
+                return 0;
+                }
+        fwrite(outbuf, 1, outlen, out);
+
+        EVP_CIPHER_CTX_cleanup(&ctx);
+        return 1;
+        }
 
- int nrounds;
- EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_SET_RC2_KEY_BITS, i, NULL);
 
 =head1 SEE ALSO
 
diff --git a/src/lib/libcrypto/doc/EVP_SignInit.pod b/src/lib/libcrypto/doc/EVP_SignInit.pod
index d5ce245ecd..b1ac129430 100644
--- a/src/lib/libcrypto/doc/EVP_SignInit.pod
+++ b/src/lib/libcrypto/doc/EVP_SignInit.pod
@@ -8,10 +8,12 @@ EVP_SignInit, EVP_SignUpdate, EVP_SignFinal - EVP signing functions
 
  #include <openssl/evp.h>
 
- void EVP_SignInit(EVP_MD_CTX *ctx, const EVP_MD *type);
- void EVP_SignUpdate(EVP_MD_CTX *ctx, const void *d, unsigned int cnt);
+ int EVP_SignInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl);
+ int EVP_SignUpdate(EVP_MD_CTX *ctx, const void *d, unsigned int cnt);
  int EVP_SignFinal(EVP_MD_CTX *ctx,unsigned char *sig,unsigned int *s, EVP_PKEY *pkey);
 
+ void EVP_SignInit(EVP_MD_CTX *ctx, const EVP_MD *type);
+
  int EVP_PKEY_size(EVP_PKEY *pkey);
 
 =head1 DESCRIPTION
@@ -19,9 +21,9 @@ EVP_SignInit, EVP_SignUpdate, EVP_SignFinal - EVP signing functions
 The EVP signature routines are a high level interface to digital
 signatures.
 
-EVP_SignInit() initializes a signing context B<ctx> to using digest
-B<type>: this will typically be supplied by a function such as
-EVP_sha1().
+EVP_SignInit_ex() sets up signing context B<ctx> to use digest
+B<type> from ENGINE B<impl>. B<ctx> must be initialized with
+EVP_MD_CTX_init() before calling this function.
 
 EVP_SignUpdate() hashes B<cnt> bytes of data at B<d> into the
 signature context B<ctx>. This function can be called several times on the
@@ -31,18 +33,18 @@ EVP_SignFinal() signs the data in B<ctx> using the private key B<pkey>
 and places the signature in B<sig>. If the B<s> parameter is not NULL
 then the number of bytes of data written (i.e. the length of the signature)
 will be written to the integer at B<s>, at most EVP_PKEY_size(pkey) bytes
-will be written.  After calling EVP_SignFinal() no additional calls to
-EVP_SignUpdate() can be made, but EVP_SignInit() can be called to initialize
-a new signature operation.
+will be written. 
+
+EVP_SignInit() initializes a signing context B<ctx> to use the default
+implementation of digest B<type>.
 
 EVP_PKEY_size() returns the maximum size of a signature in bytes. The actual
 signature returned by EVP_SignFinal() may be smaller.
 
 =head1 RETURN VALUES
 
-EVP_SignInit() and EVP_SignUpdate() do not return values.
-
-EVP_SignFinal() returns 1 for success and 0 for failure.
+EVP_SignInit_ex(), EVP_SignUpdate() and EVP_SignFinal() return 1
+for success and 0 for failure.
 
 EVP_PKEY_size() returns the maximum size of a signature in bytes.
 
@@ -63,11 +65,18 @@ When signing with DSA private keys the random number generator must be seeded
 or the operation will fail. The random number generator does not need to be
 seeded for RSA signatures.
 
+The call to EVP_SignFinal() internally finalizes a copy of the digest context.
+This means that calls to EVP_SignUpdate() and EVP_SignFinal() can be called
+later to digest and sign additional data.
+
+Since only a copy of the digest context is ever finalized the context must
+be cleaned up after use by calling EVP_MD_CTX_cleanup() or a memory leak
+will occur.
+
 =head1 BUGS
 
-Several of the functions do not return values: maybe they should. Although the
-internal digest operations will never fail some future hardware based operations
-might.
+Older versions of this documentation wrongly stated that calls to 
+EVP_SignUpdate() could not be made after calling EVP_SignFinal().
 
 =head1 SEE ALSO
 
@@ -82,4 +91,6 @@ L<SHA1(3)|SHA1(3)>, L<digest(1)|digest(1)>
 EVP_SignInit(), EVP_SignUpdate() and EVP_SignFinal() are
 available in all versions of SSLeay and OpenSSL.
 
+EVP_SignInit_ex() was added in OpenSSL 0.9.7
+
 =cut
diff --git a/src/lib/libcrypto/doc/EVP_VerifyInit.pod b/src/lib/libcrypto/doc/EVP_VerifyInit.pod
index 736a0f4a82..80c656fde8 100644
--- a/src/lib/libcrypto/doc/EVP_VerifyInit.pod
+++ b/src/lib/libcrypto/doc/EVP_VerifyInit.pod
@@ -8,30 +8,35 @@ EVP_VerifyInit, EVP_VerifyUpdate, EVP_VerifyFinal - EVP signature verification f
 
  #include <openssl/evp.h>
 
- void EVP_VerifyInit(EVP_MD_CTX *ctx, const EVP_MD *type);
- void EVP_VerifyUpdate(EVP_MD_CTX *ctx, const void *d, unsigned int cnt);
+ int EVP_VerifyInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl);
+ int EVP_VerifyUpdate(EVP_MD_CTX *ctx, const void *d, unsigned int cnt);
  int EVP_VerifyFinal(EVP_MD_CTX *ctx,unsigned char *sigbuf, unsigned int siglen,EVP_PKEY *pkey);
 
+ int EVP_VerifyInit(EVP_MD_CTX *ctx, const EVP_MD *type);
+
 =head1 DESCRIPTION
 
 The EVP signature verification routines are a high level interface to digital
 signatures.
 
-EVP_VerifyInit() initializes a verification context B<ctx> to using digest
-B<type>: this will typically be supplied by a function such as EVP_sha1().
+EVP_VerifyInit_ex() sets up verification context B<ctx> to use digest
+B<type> from ENGINE B<impl>. B<ctx> must be initialized by calling
+EVP_MD_CTX_init() before calling this function.
 
 EVP_VerifyUpdate() hashes B<cnt> bytes of data at B<d> into the
 verification context B<ctx>. This function can be called several times on the
 same B<ctx> to include additional data.
 
 EVP_VerifyFinal() verifies the data in B<ctx> using the public key B<pkey>
-and against the B<siglen> bytes at B<sigbuf>. After calling EVP_VerifyFinal()
-no additional calls to EVP_VerifyUpdate() can be made, but EVP_VerifyInit()
-can be called to initialize a new verification operation.
+and against the B<siglen> bytes at B<sigbuf>.
+
+EVP_VerifyInit() initializes verification context B<ctx> to use the default
+implementation of digest B<type>.
 
 =head1 RETURN VALUES
 
-EVP_VerifyInit() and EVP_VerifyUpdate() do not return values.
+EVP_VerifyInit_ex() and EVP_VerifyUpdate() return 1 for success and 0 for
+failure.
 
 EVP_VerifyFinal() returns 1 for a correct signature, 0 for failure and -1 if some
 other error occurred.
@@ -49,11 +54,18 @@ digest algorithm must be used with the correct public key type. A list of
 algorithms and associated public key algorithms appears in 
 L<EVP_DigestInit(3)|EVP_DigestInit(3)>.
 
+The call to EVP_VerifyFinal() internally finalizes a copy of the digest context.
+This means that calls to EVP_VerifyUpdate() and EVP_VerifyFinal() can be called
+later to digest and verify additional data.
+
+Since only a copy of the digest context is ever finalized the context must
+be cleaned up after use by calling EVP_MD_CTX_cleanup() or a memory leak
+will occur.
+
 =head1 BUGS
 
-Several of the functions do not return values: maybe they should. Although the
-internal digest operations will never fail some future hardware based operations
-might.
+Older versions of this documentation wrongly stated that calls to 
+EVP_VerifyUpdate() could not be made after calling EVP_VerifyFinal().
 
 =head1 SEE ALSO
 
@@ -69,4 +81,6 @@ L<sha(3)|sha(3)>, L<digest(1)|digest(1)>
 EVP_VerifyInit(), EVP_VerifyUpdate() and EVP_VerifyFinal() are
 available in all versions of SSLeay and OpenSSL.
 
+EVP_VerifyInit_ex() was added in OpenSSL 0.9.7
+
 =cut
diff --git a/src/lib/libcrypto/doc/OPENSSL_VERSION_NUMBER.pod b/src/lib/libcrypto/doc/OPENSSL_VERSION_NUMBER.pod
index 68ea723259..c39ac35e78 100644
--- a/src/lib/libcrypto/doc/OPENSSL_VERSION_NUMBER.pod
+++ b/src/lib/libcrypto/doc/OPENSSL_VERSION_NUMBER.pod
@@ -2,7 +2,7 @@
 
 =head1 NAME
 
-OPENSSL_VERSION_NUMBER, SSLeay SSLeay_version - get OpenSSL version number
+OPENSSL_VERSION_NUMBER, SSLeay, SSLeay_version - get OpenSSL version number
 
 =head1 SYNOPSIS
 
@@ -11,7 +11,7 @@ OPENSSL_VERSION_NUMBER, SSLeay SSLeay_version - get OpenSSL version number
 
  #include <openssl/crypto.h>
  long SSLeay(void);
- char *SSLeay_version(int t);
+ const char *SSLeay_version(int t);
 
 =head1 DESCRIPTION
 
@@ -55,20 +55,32 @@ SSLeay_version() returns different strings depending on B<t>:
 =over 4
 
 =item SSLEAY_VERSION
+
 The text variant of the version number and the release date.  For example,
 "OpenSSL 0.9.5a 1 Apr 2000".
 
 =item SSLEAY_CFLAGS
-The flags given to the C compiler when compiling OpenSSL are returned in a
-string.
+
+The compiler flags set for the compilation process in the form
+"compiler: ..."  if available or "compiler: information not available"
+otherwise.
+
+=item SSLEAY_BUILT_ON
+
+The date of the build process in the form "built on: ..." if available
+or "built on: date not available" otherwise.
 
 =item SSLEAY_PLATFORM
-The platform name used when OpenSSL was configured is returned.
 
-=back
+The "Configure" target of the library build in the form "platform: ..."
+if available or "platform: information not available" otherwise.
+
+=item SSLEAY_DIR
 
-If the data request isn't available, a text saying that the information is
-not available is returned.
+The "OPENSSLDIR" setting of the library build in the form "OPENSSLDIR: "...""
+if available or "OPENSSLDIR: N/A" otherwise.
+
+=back
 
 For an unknown B<t>, the text "not available" is returned.
 
@@ -84,5 +96,6 @@ L<crypto(3)|crypto(3)>
 
 SSLeay() and SSLEAY_VERSION_NUMBER are available in all versions of SSLeay and OpenSSL.
 OPENSSL_VERSION_NUMBER is available in all versions of OpenSSL.
+B<SSLEAY_DIR> was added in OpenSSL 0.9.7.
 
 =cut
diff --git a/src/lib/libcrypto/doc/RSA_generate_key.pod b/src/lib/libcrypto/doc/RSA_generate_key.pod
index 0e0f0a764c..11bc0b3459 100644
--- a/src/lib/libcrypto/doc/RSA_generate_key.pod
+++ b/src/lib/libcrypto/doc/RSA_generate_key.pod
@@ -19,7 +19,7 @@ be seeded prior to calling RSA_generate_key().
 
 The modulus size will be B<num> bits, and the public exponent will be
 B<e>. Key sizes with B<num> E<lt> 1024 should be considered insecure.
-The exponent is an odd number, typically 3 or 65535.
+The exponent is an odd number, typically 3, 17 or 65537.
 
 A callback function may be used to provide feedback about the
 progress of the key generation. If B<callback> is not B<NULL>, it
diff --git a/src/lib/libcrypto/doc/RSA_public_encrypt.pod b/src/lib/libcrypto/doc/RSA_public_encrypt.pod
index 23861c0004..8022a23f99 100644
--- a/src/lib/libcrypto/doc/RSA_public_encrypt.pod
+++ b/src/lib/libcrypto/doc/RSA_public_encrypt.pod
@@ -74,10 +74,6 @@ SSL, PKCS #1 v2.0
 
 L<ERR_get_error(3)|ERR_get_error(3)>, L<rand(3)|rand(3)>, L<rsa(3)|rsa(3)>, L<RSA_size(3)|RSA_size(3)>
 
-=head1 NOTES
-
-The L<RSA_PKCS1_RSAref(3)|RSA_PKCS1_RSAref(3)> method supports only the RSA_PKCS1_PADDING mode.
-
 =head1 HISTORY
 
 The B<padding> argument was added in SSLeay 0.8. RSA_NO_PADDING is
diff --git a/src/lib/libcrypto/doc/RSA_set_method.pod b/src/lib/libcrypto/doc/RSA_set_method.pod
index b672712292..14917dd35f 100644
--- a/src/lib/libcrypto/doc/RSA_set_method.pod
+++ b/src/lib/libcrypto/doc/RSA_set_method.pod
@@ -3,7 +3,7 @@
 =head1 NAME
 
 RSA_set_default_method, RSA_get_default_method, RSA_set_method,
-RSA_get_method, RSA_PKCS1_SSLeay, RSA_PKCS1_RSAref,
+RSA_get_method, RSA_PKCS1_SSLeay,
 RSA_null_method, RSA_flags, RSA_new_method - select RSA method
 
 =head1 SYNOPSIS
@@ -15,14 +15,12 @@ RSA_null_method, RSA_flags, RSA_new_method - select RSA method
 
  RSA_METHOD *RSA_get_default_openssl_method(void);
 
- RSA_METHOD *RSA_set_method(RSA *rsa, ENGINE *engine);
+ int RSA_set_method(RSA *rsa, ENGINE *engine);
 
  RSA_METHOD *RSA_get_method(RSA *rsa);
 
  RSA_METHOD *RSA_PKCS1_SSLeay(void);
 
- RSA_METHOD *RSA_PKCS1_RSAref(void);
-
  RSA_METHOD *RSA_null_method(void);
 
  int RSA_flags(RSA *rsa);
@@ -35,17 +33,8 @@ An B<RSA_METHOD> specifies the functions that OpenSSL uses for RSA
 operations. By modifying the method, alternative implementations
 such as hardware accelerators may be used.
 
-Initially, the default is to use the OpenSSL internal implementation,
-unless OpenSSL was configured with the C<rsaref> or C<-DRSA_NULL>
-options. RSA_PKCS1_SSLeay() returns a pointer to that method.
-
-RSA_PKCS1_RSAref() returns a pointer to a method that uses the RSAref
-library. This is the default method in the C<rsaref> configuration;
-the function is not available in other configurations.
-RSA_null_method() returns a pointer to a method that does not support
-the RSA transformation. It is the default if OpenSSL is compiled with
-C<-DRSA_NULL>. These methods may be useful in the USA because of a
-patent on the RSA cryptosystem.
+Initially, the default is to use the OpenSSL internal implementation.
+RSA_PKCS1_SSLeay() returns a pointer to that method.
 
 RSA_set_default_openssl_method() makes B<meth> the default method for all B<RSA>
 structures created later. B<NB:> This is true only whilst the default engine
@@ -132,9 +121,8 @@ the default engine for RSA operations is used.
 
 =head1 RETURN VALUES
 
-RSA_PKCS1_SSLeay(), RSA_PKCS1_RSAref(), RSA_PKCS1_null_method(),
-RSA_get_default_openssl_method() and RSA_get_method() return pointers to
-the respective RSA_METHODs.
+RSA_PKCS1_SSLeay(), RSA_PKCS1_null_method(), RSA_get_default_openssl_method()
+and RSA_get_method() return pointers to the respective RSA_METHODs.
 
 RSA_set_default_openssl_method() returns no value.
 
@@ -163,6 +151,6 @@ added in OpenSSL 0.9.4.
 RSA_set_default_openssl_method() and RSA_get_default_openssl_method()
 replaced RSA_set_default_method() and RSA_get_default_method() respectively,
 and RSA_set_method() and RSA_new_method() were altered to use B<ENGINE>s
-rather than B<DH_METHOD>s during development of OpenSSL 0.9.6.
+rather than B<RSA_METHOD>s during development of OpenSSL 0.9.6.
 
 =cut
diff --git a/src/lib/libcrypto/doc/bn.pod b/src/lib/libcrypto/doc/bn.pod
index d183028d61..210dfeac08 100644
--- a/src/lib/libcrypto/doc/bn.pod
+++ b/src/lib/libcrypto/doc/bn.pod
@@ -21,19 +21,27 @@ bn - multiprecision integer arithmetics
  BIGNUM *BN_copy(BIGNUM *a, const BIGNUM *b);
  BIGNUM *BN_dup(const BIGNUM *a);
 
+ BIGNUM *BN_swap(BIGNUM *a, BIGNUM *b);
+
  int BN_num_bytes(const BIGNUM *a);
  int BN_num_bits(const BIGNUM *a);
  int BN_num_bits_word(BN_ULONG w);
 
- int BN_add(BIGNUM *r, BIGNUM *a, BIGNUM *b);
+ int BN_add(BIGNUM *r, const BIGNUM *a, const BIGNUM *b);
  int BN_sub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b);
  int BN_mul(BIGNUM *r, BIGNUM *a, BIGNUM *b, BN_CTX *ctx);
+ int BN_sqr(BIGNUM *r, BIGNUM *a, BN_CTX *ctx);
  int BN_div(BIGNUM *dv, BIGNUM *rem, const BIGNUM *a, const BIGNUM *d,
          BN_CTX *ctx);
- int BN_sqr(BIGNUM *r, BIGNUM *a, BN_CTX *ctx);
  int BN_mod(BIGNUM *rem, const BIGNUM *a, const BIGNUM *m, BN_CTX *ctx);
+ int BN_nnmod(BIGNUM *rem, const BIGNUM *a, const BIGNUM *m, BN_CTX *ctx);
+ int BN_mod_add(BIGNUM *ret, BIGNUM *a, BIGNUM *b, const BIGNUM *m,
+         BN_CTX *ctx);
+ int BN_mod_sub(BIGNUM *ret, BIGNUM *a, BIGNUM *b, const BIGNUM *m,
+         BN_CTX *ctx);
  int BN_mod_mul(BIGNUM *ret, BIGNUM *a, BIGNUM *b, const BIGNUM *m,
          BN_CTX *ctx);
+ int BN_mod_sqr(BIGNUM *ret, BIGNUM *a, const BIGNUM *m, BN_CTX *ctx);
  int BN_exp(BIGNUM *r, BIGNUM *a, BIGNUM *p, BN_CTX *ctx);
  int BN_mod_exp(BIGNUM *r, BIGNUM *a, const BIGNUM *p,
          const BIGNUM *m, BN_CTX *ctx);
@@ -54,13 +62,14 @@ bn - multiprecision integer arithmetics
 
  int BN_zero(BIGNUM *a);
  int BN_one(BIGNUM *a);
- BIGNUM *BN_value_one(void);
+ const BIGNUM *BN_value_one(void);
  int BN_set_word(BIGNUM *a, unsigned long w);
  unsigned long BN_get_word(BIGNUM *a);
 
  int BN_rand(BIGNUM *rnd, int bits, int top, int bottom);
  int BN_pseudo_rand(BIGNUM *rnd, int bits, int top, int bottom);
  int BN_rand_range(BIGNUM *rnd, BIGNUM *range);
+ int BN_pseudo_rand_range(BIGNUM *rnd, BIGNUM *range);
 
  BIGNUM *BN_generate_prime(BIGNUM *ret, int bits,int safe, BIGNUM *add,
          BIGNUM *rem, void (*callback)(int, int, void *), void *cb_arg);
@@ -138,7 +147,7 @@ of B<BIGNUM>s to external formats is described in L<BN_bn2bin(3)|BN_bn2bin(3)>.
 L<bn_internal(3)|bn_internal(3)>,
 L<dh(3)|dh(3)>, L<err(3)|err(3)>, L<rand(3)|rand(3)>, L<rsa(3)|rsa(3)>,
 L<BN_new(3)|BN_new(3)>, L<BN_CTX_new(3)|BN_CTX_new(3)>,
-L<BN_copy(3)|BN_copy(3)>, L<BN_num_bytes(3)|BN_num_bytes(3)>,
+L<BN_copy(3)|BN_copy(3)>, L<BN_swap(3)|BN_swap(3)>, L<BN_num_bytes(3)|BN_num_bytes(3)>,
 L<BN_add(3)|BN_add(3)>, L<BN_add_word(3)|BN_add_word(3)>,
 L<BN_cmp(3)|BN_cmp(3)>, L<BN_zero(3)|BN_zero(3)>, L<BN_rand(3)|BN_rand(3)>,
 L<BN_generate_prime(3)|BN_generate_prime(3)>, L<BN_set_bit(3)|BN_set_bit(3)>,
diff --git a/src/lib/libcrypto/doc/rsa.pod b/src/lib/libcrypto/doc/rsa.pod
index ef0d4df205..09ad30cab1 100644
--- a/src/lib/libcrypto/doc/rsa.pod
+++ b/src/lib/libcrypto/doc/rsa.pod
@@ -37,7 +37,6 @@ rsa - RSA public key cryptosystem
  int RSA_set_method(RSA *rsa, ENGINE *engine);
  RSA_METHOD *RSA_get_method(RSA *rsa);
  RSA_METHOD *RSA_PKCS1_SSLeay(void);
- RSA_METHOD *RSA_PKCS1_RSAref(void);
  RSA_METHOD *RSA_null_method(void);
  int RSA_flags(RSA *rsa);
  RSA *RSA_new_method(ENGINE *engine);
diff --git a/src/lib/libcrypto/dsa/Makefile.ssl b/src/lib/libcrypto/dsa/Makefile.ssl
index d88f596364..32ecf6ee01 100644
--- a/src/lib/libcrypto/dsa/Makefile.ssl
+++ b/src/lib/libcrypto/dsa/Makefile.ssl
@@ -5,13 +5,14 @@
 DIR=    dsa
 TOP=    ../..
 CC=     cc
-INCLUDES= -I.. -I../../include
+INCLUDES= -I.. -I$(TOP) -I../../include
 CFLAG=-g
 INSTALL_PREFIX=
 OPENSSLDIR=     /usr/local/ssl
 INSTALLTOP=/usr/local/ssl
 MAKE=           make -f Makefile.ssl
-MAKEDEPEND=     $(TOP)/util/domd $(TOP)
+MAKEDEPPROG=    makedepend
+MAKEDEPEND=     $(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)
 MAKEFILE=       Makefile.ssl
 AR=             ar r
 
@@ -41,8 +42,7 @@ all:	lib
 
 lib:    $(LIBOBJ)
         $(AR) $(LIB) $(LIBOBJ)
-        @echo You may get an error following this line.  Please ignore.
-        - $(RANLIB) $(LIB)
+        $(RANLIB) $(LIB) || echo Never mind.
         @touch lib
 
 files:
@@ -81,110 +81,89 @@ clean:
 
 # DO NOT DELETE THIS LINE -- make depend depends on it.
 
-dsa_asn1.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
-dsa_asn1.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
-dsa_asn1.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-dsa_asn1.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-dsa_asn1.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+dsa_asn1.o: ../../e_os.h ../../include/openssl/asn1.h
+dsa_asn1.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
+dsa_asn1.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+dsa_asn1.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
+dsa_asn1.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
 dsa_asn1.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
 dsa_asn1.o: ../../include/openssl/opensslconf.h
-dsa_asn1.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-dsa_asn1.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-dsa_asn1.o: ../cryptlib.h
+dsa_asn1.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+dsa_asn1.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+dsa_asn1.o: ../../include/openssl/symhacks.h ../cryptlib.h dsa_asn1.c
 dsa_err.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
 dsa_err.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
-dsa_err.o: ../../include/openssl/dsa.h ../../include/openssl/err.h
-dsa_err.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-dsa_err.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+dsa_err.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+dsa_err.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+dsa_err.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+dsa_err.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
 dsa_err.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+dsa_err.o: dsa_err.c
+dsa_gen.o: ../../e_os.h ../../include/openssl/asn1.h
 dsa_gen.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
 dsa_gen.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 dsa_gen.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-dsa_gen.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-dsa_gen.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+dsa_gen.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+dsa_gen.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+dsa_gen.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 dsa_gen.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-dsa_gen.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h
-dsa_gen.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-dsa_gen.o: ../../include/openssl/symhacks.h ../cryptlib.h
-dsa_key.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+dsa_gen.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
+dsa_gen.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+dsa_gen.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+dsa_gen.o: ../cryptlib.h dsa_gen.c
+dsa_key.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
 dsa_key.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 dsa_key.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-dsa_key.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-dsa_key.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
-dsa_key.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+dsa_key.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+dsa_key.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
+dsa_key.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 dsa_key.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h
-dsa_key.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-dsa_key.o: ../../include/openssl/symhacks.h ../cryptlib.h
-dsa_lib.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-dsa_lib.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-dsa_lib.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-dsa_lib.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+dsa_key.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+dsa_key.o: ../cryptlib.h dsa_key.c
+dsa_lib.o: ../../e_os.h ../../include/openssl/asn1.h
+dsa_lib.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+dsa_lib.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 dsa_lib.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-dsa_lib.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-dsa_lib.o: ../../include/openssl/engine.h ../../include/openssl/err.h
-dsa_lib.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-dsa_lib.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-dsa_lib.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-dsa_lib.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
-dsa_lib.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-dsa_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/rand.h
-dsa_lib.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-dsa_lib.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+dsa_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
+dsa_lib.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+dsa_lib.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+dsa_lib.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
 dsa_lib.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-dsa_lib.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-dsa_lib.o: ../../include/openssl/symhacks.h ../cryptlib.h
-dsa_ossl.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-dsa_ossl.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-dsa_ossl.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-dsa_ossl.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+dsa_lib.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+dsa_lib.o: ../../include/openssl/ui.h ../cryptlib.h dsa_lib.c
+dsa_ossl.o: ../../e_os.h ../../include/openssl/asn1.h
+dsa_ossl.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+dsa_ossl.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 dsa_ossl.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-dsa_ossl.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-dsa_ossl.o: ../../include/openssl/engine.h ../../include/openssl/err.h
-dsa_ossl.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-dsa_ossl.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-dsa_ossl.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-dsa_ossl.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
-dsa_ossl.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-dsa_ossl.o: ../../include/openssl/opensslv.h ../../include/openssl/rand.h
-dsa_ossl.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-dsa_ossl.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-dsa_ossl.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-dsa_ossl.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-dsa_ossl.o: ../../include/openssl/symhacks.h ../cryptlib.h
-dsa_sign.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-dsa_sign.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-dsa_sign.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-dsa_sign.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+dsa_ossl.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
+dsa_ossl.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+dsa_ossl.o: ../../include/openssl/opensslconf.h
+dsa_ossl.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+dsa_ossl.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h
+dsa_ossl.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+dsa_ossl.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
+dsa_ossl.o: ../cryptlib.h dsa_ossl.c
+dsa_sign.o: ../../e_os.h ../../include/openssl/asn1.h
+dsa_sign.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+dsa_sign.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 dsa_sign.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-dsa_sign.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-dsa_sign.o: ../../include/openssl/engine.h ../../include/openssl/err.h
-dsa_sign.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-dsa_sign.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-dsa_sign.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-dsa_sign.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
-dsa_sign.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-dsa_sign.o: ../../include/openssl/opensslv.h ../../include/openssl/rand.h
-dsa_sign.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-dsa_sign.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-dsa_sign.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-dsa_sign.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-dsa_sign.o: ../../include/openssl/symhacks.h ../cryptlib.h
-dsa_vrf.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
-dsa_vrf.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+dsa_sign.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
+dsa_sign.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+dsa_sign.o: ../../include/openssl/opensslconf.h
+dsa_sign.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+dsa_sign.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h
+dsa_sign.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+dsa_sign.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
+dsa_sign.o: ../cryptlib.h dsa_sign.c
+dsa_vrf.o: ../../e_os.h ../../include/openssl/asn1.h
+dsa_vrf.o: ../../include/openssl/asn1_mac.h ../../include/openssl/bio.h
 dsa_vrf.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-dsa_vrf.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
-dsa_vrf.o: ../../include/openssl/des.h ../../include/openssl/dh.h
-dsa_vrf.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
-dsa_vrf.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
-dsa_vrf.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-dsa_vrf.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-dsa_vrf.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-dsa_vrf.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-dsa_vrf.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-dsa_vrf.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-dsa_vrf.o: ../../include/openssl/rand.h ../../include/openssl/rc2.h
-dsa_vrf.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-dsa_vrf.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-dsa_vrf.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-dsa_vrf.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-dsa_vrf.o: ../cryptlib.h
+dsa_vrf.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
+dsa_vrf.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+dsa_vrf.o: ../../include/openssl/engine.h ../../include/openssl/err.h
+dsa_vrf.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
+dsa_vrf.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+dsa_vrf.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h
+dsa_vrf.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+dsa_vrf.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
+dsa_vrf.o: ../cryptlib.h dsa_vrf.c
diff --git a/src/lib/libcrypto/dsa/dsa.h b/src/lib/libcrypto/dsa/dsa.h
index 12b60a8faa..9b3baadf2c 100644
--- a/src/lib/libcrypto/dsa/dsa.h
+++ b/src/lib/libcrypto/dsa/dsa.h
@@ -65,16 +65,17 @@
 #ifndef HEADER_DSA_H
 #define HEADER_DSA_H
 
-#ifdef NO_DSA
+#ifdef OPENSSL_NO_DSA
 #error DSA is disabled.
 #endif
 
-#ifndef NO_BIO
+#ifndef OPENSSL_NO_BIO
 #include <openssl/bio.h>
 #endif
 #include <openssl/bn.h>
 #include <openssl/crypto.h>
-#ifndef NO_DH
+#include <openssl/ossl_typ.h>
+#ifndef OPENSSL_NO_DH
 # include <openssl/dh.h>
 #endif
 
@@ -116,7 +117,7 @@ struct dsa_st
         /* This first variable is used to pick up errors where
          * a DSA is passed instead of of a EVP_PKEY */
         int pad;
-        int version;
+        long version;
         int write_params;
         BIGNUM *p;
         BIGNUM *q;      /* == 20 */
@@ -133,11 +134,9 @@ struct dsa_st
         char *method_mont_p;
         int references;
         CRYPTO_EX_DATA ex_data;
-#if 0
-        DSA_METHOD *meth;
-#else
-        struct engine_st *engine;
-#endif
+        const DSA_METHOD *meth;
+        /* functional reference if 'meth' is ENGINE-provided */
+        ENGINE *engine;
         };
 
 #define DSAparams_dup(x) (DSA *)ASN1_dup((int (*)())i2d_DSAparams, \
@@ -154,62 +153,55 @@ struct dsa_st
 
 DSA_SIG * DSA_SIG_new(void);
 void    DSA_SIG_free(DSA_SIG *a);
-int     i2d_DSA_SIG(DSA_SIG *a, unsigned char **pp);
-DSA_SIG * d2i_DSA_SIG(DSA_SIG **v, unsigned char **pp, long length);
+int     i2d_DSA_SIG(const DSA_SIG *a, unsigned char **pp);
+DSA_SIG * d2i_DSA_SIG(DSA_SIG **v, const unsigned char **pp, long length);
 
 DSA_SIG * DSA_do_sign(const unsigned char *dgst,int dlen,DSA *dsa);
 int     DSA_do_verify(const unsigned char *dgst,int dgst_len,
                       DSA_SIG *sig,DSA *dsa);
 
-DSA_METHOD *DSA_OpenSSL(void);
+const DSA_METHOD *DSA_OpenSSL(void);
 
-void        DSA_set_default_openssl_method(DSA_METHOD *);
-DSA_METHOD *DSA_get_default_openssl_method(void);
-#if 0
-DSA_METHOD *DSA_set_method(DSA *dsa, DSA_METHOD *);
-#else
-int DSA_set_method(DSA *dsa, struct engine_st *engine);
-#endif
+void    DSA_set_default_method(const DSA_METHOD *);
+const DSA_METHOD *DSA_get_default_method(void);
+int     DSA_set_method(DSA *dsa, const DSA_METHOD *);
 
 DSA *   DSA_new(void);
-#if 0
-DSA *   DSA_new_method(DSA_METHOD *meth);
-#else
-DSA *   DSA_new_method(struct engine_st *engine);
-#endif
-int     DSA_size(DSA *);
+DSA *   DSA_new_method(ENGINE *engine);
+void    DSA_free (DSA *r);
+/* "up" the DSA object's reference count */
+int     DSA_up_ref(DSA *r);
+int     DSA_size(const DSA *);
         /* next 4 return -1 on error */
 int     DSA_sign_setup( DSA *dsa,BN_CTX *ctx_in,BIGNUM **kinvp,BIGNUM **rp);
 int     DSA_sign(int type,const unsigned char *dgst,int dlen,
                 unsigned char *sig, unsigned int *siglen, DSA *dsa);
 int     DSA_verify(int type,const unsigned char *dgst,int dgst_len,
-                unsigned char *sigbuf, int siglen, DSA *dsa);
-void    DSA_free (DSA *r);
+                const unsigned char *sigbuf, int siglen, DSA *dsa);
 int DSA_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
              CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
 int DSA_set_ex_data(DSA *d, int idx, void *arg);
 void *DSA_get_ex_data(DSA *d, int idx);
 
-void    ERR_load_DSA_strings(void );
-
-DSA *   d2i_DSAPublicKey(DSA **a, unsigned char **pp, long length);
-DSA *   d2i_DSAPrivateKey(DSA **a, unsigned char **pp, long length);
-DSA *   d2i_DSAparams(DSA **a, unsigned char **pp, long length);
-DSA *   DSA_generate_parameters(int bits, unsigned char *seed,int seed_len,
+DSA *   d2i_DSAPublicKey(DSA **a, const unsigned char **pp, long length);
+DSA *   d2i_DSAPrivateKey(DSA **a, const unsigned char **pp, long length);
+DSA *   d2i_DSAparams(DSA **a, const unsigned char **pp, long length);
+DSA *   DSA_generate_parameters(int bits,
+                unsigned char *seed,int seed_len,
                 int *counter_ret, unsigned long *h_ret,void
                 (*callback)(int, int, void *),void *cb_arg);
 int     DSA_generate_key(DSA *a);
-int     i2d_DSAPublicKey(DSA *a, unsigned char **pp);
-int     i2d_DSAPrivateKey(DSA *a, unsigned char **pp);
-int     i2d_DSAparams(DSA *a,unsigned char **pp);
+int     i2d_DSAPublicKey(const DSA *a, unsigned char **pp);
+int     i2d_DSAPrivateKey(const DSA *a, unsigned char **pp);
+int     i2d_DSAparams(const DSA *a,unsigned char **pp);
 
-#ifndef NO_BIO
-int     DSAparams_print(BIO *bp, DSA *x);
-int     DSA_print(BIO *bp, DSA *x, int off);
+#ifndef OPENSSL_NO_BIO
+int     DSAparams_print(BIO *bp, const DSA *x);
+int     DSA_print(BIO *bp, const DSA *x, int off);
 #endif
-#ifndef NO_FP_API
-int     DSAparams_print_fp(FILE *fp, DSA *x);
-int     DSA_print_fp(FILE *bp, DSA *x, int off);
+#ifndef OPENSSL_NO_FP_API
+int     DSAparams_print_fp(FILE *fp, const DSA *x);
+int     DSA_print_fp(FILE *bp, const DSA *x, int off);
 #endif
 
 #define DSS_prime_checks 50
@@ -218,16 +210,17 @@ int	DSA_print_fp(FILE *bp, DSA *x, int off);
 #define DSA_is_prime(n, callback, cb_arg) \
         BN_is_prime(n, DSS_prime_checks, callback, NULL, cb_arg)
 
-#ifndef NO_DH
+#ifndef OPENSSL_NO_DH
 /* Convert DSA structure (key or just parameters) into DH structure
  * (be careful to avoid small subgroup attacks when using this!) */
-DH *DSA_dup_DH(DSA *r);
+DH *DSA_dup_DH(const DSA *r);
 #endif
 
 /* BEGIN ERROR CODES */
 /* The following lines are auto generated by the script mkerr.pl. Any changes
  * made after this point may be overwritten when the script is next run.
  */
+void ERR_load_DSA_strings(void);
 
 /* Error codes for the DSA functions. */
 
@@ -237,7 +230,7 @@ DH *DSA_dup_DH(DSA *r);
 #define DSA_F_DSAPARAMS_PRINT_FP                         101
 #define DSA_F_DSA_DO_SIGN                                112
 #define DSA_F_DSA_DO_VERIFY                              113
-#define DSA_F_DSA_NEW                                    103
+#define DSA_F_DSA_NEW_METHOD                             103
 #define DSA_F_DSA_PRINT                                  104
 #define DSA_F_DSA_PRINT_FP                               105
 #define DSA_F_DSA_SIGN                                   106
@@ -245,6 +238,7 @@ DH *DSA_dup_DH(DSA *r);
 #define DSA_F_DSA_SIG_NEW                                109
 #define DSA_F_DSA_VERIFY                                 108
 #define DSA_F_I2D_DSA_SIG                                111
+#define DSA_F_SIG_CB                                     114
 
 /* Reason codes. */
 #define DSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE                100
@@ -254,4 +248,3 @@ DH *DSA_dup_DH(DSA *r);
 }
 #endif
 #endif
-
diff --git a/src/lib/libcrypto/dsa/dsa_asn1.c b/src/lib/libcrypto/dsa/dsa_asn1.c
index a76c8f7c7e..23fce555aa 100644
--- a/src/lib/libcrypto/dsa/dsa_asn1.c
+++ b/src/lib/libcrypto/dsa/dsa_asn1.c
@@ -1,96 +1,140 @@
-/* crypto/dsa/dsa_asn1.c */
+/* dsa_asn1.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
 
 #include <stdio.h>
 #include "cryptlib.h"
 #include <openssl/dsa.h>
 #include <openssl/asn1.h>
-#include <openssl/asn1_mac.h>
+#include <openssl/asn1t.h>
 
-DSA_SIG *DSA_SIG_new(void)
+/* Override the default new methods */
+static int sig_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it)
 {
-        DSA_SIG *ret;
-
-        ret = OPENSSL_malloc(sizeof(DSA_SIG));
-        if (ret == NULL)
-                {
-                DSAerr(DSA_F_DSA_SIG_NEW,ERR_R_MALLOC_FAILURE);
-                return(NULL);
-                }
-        ret->r = NULL;
-        ret->s = NULL;
-        return(ret);
+        if(operation == ASN1_OP_NEW_PRE) {
+                DSA_SIG *sig;
+                sig = OPENSSL_malloc(sizeof(DSA_SIG));
+                sig->r = NULL;
+                sig->s = NULL;
+                *pval = (ASN1_VALUE *)sig;
+                if(sig) return 2;
+                DSAerr(DSA_F_SIG_CB, ERR_R_MALLOC_FAILURE);
+                return 0;
+        }
+        return 1;
 }
 
-void DSA_SIG_free(DSA_SIG *r)
+ASN1_SEQUENCE_cb(DSA_SIG, sig_cb) = {
+        ASN1_SIMPLE(DSA_SIG, r, CBIGNUM),
+        ASN1_SIMPLE(DSA_SIG, s, CBIGNUM)
+} ASN1_SEQUENCE_END_cb(DSA_SIG, DSA_SIG)
+
+IMPLEMENT_ASN1_FUNCTIONS_const(DSA_SIG)
+
+/* Override the default free and new methods */
+static int dsa_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it)
 {
-        if (r == NULL) return;
-        if (r->r) BN_clear_free(r->r);
-        if (r->s) BN_clear_free(r->s);
-        OPENSSL_free(r);
+        if(operation == ASN1_OP_NEW_PRE) {
+                *pval = (ASN1_VALUE *)DSA_new();
+                if(*pval) return 2;
+                return 0;
+        } else if(operation == ASN1_OP_FREE_PRE) {
+                DSA_free((DSA *)*pval);
+                *pval = NULL;
+                return 2;
+        }
+        return 1;
 }
 
-int i2d_DSA_SIG(DSA_SIG *v, unsigned char **pp)
-{
-        int t=0,len;
-        ASN1_INTEGER rbs,sbs;
-        unsigned char *p;
+ASN1_SEQUENCE_cb(DSAPrivateKey, dsa_cb) = {
+        ASN1_SIMPLE(DSA, version, LONG),
+        ASN1_SIMPLE(DSA, p, BIGNUM),
+        ASN1_SIMPLE(DSA, q, BIGNUM),
+        ASN1_SIMPLE(DSA, g, BIGNUM),
+        ASN1_SIMPLE(DSA, pub_key, BIGNUM),
+        ASN1_SIMPLE(DSA, priv_key, BIGNUM)
+} ASN1_SEQUENCE_END_cb(DSA, DSAPrivateKey)
 
-        rbs.data=OPENSSL_malloc(BN_num_bits(v->r)/8+1);
-        if (rbs.data == NULL)
-                {
-                DSAerr(DSA_F_I2D_DSA_SIG, ERR_R_MALLOC_FAILURE);
-                return(0);
-                }
-        rbs.type=V_ASN1_INTEGER;
-        rbs.length=BN_bn2bin(v->r,rbs.data);
-        sbs.data=OPENSSL_malloc(BN_num_bits(v->s)/8+1);
-        if (sbs.data == NULL)
-                {
-                OPENSSL_free(rbs.data);
-                DSAerr(DSA_F_I2D_DSA_SIG, ERR_R_MALLOC_FAILURE);
-                return(0);
-                }
-        sbs.type=V_ASN1_INTEGER;
-        sbs.length=BN_bn2bin(v->s,sbs.data);
+IMPLEMENT_ASN1_ENCODE_FUNCTIONS_const_fname(DSA, DSAPrivateKey, DSAPrivateKey)
 
-        len=i2d_ASN1_INTEGER(&rbs,NULL);
-        len+=i2d_ASN1_INTEGER(&sbs,NULL);
+ASN1_SEQUENCE_cb(DSAparams, dsa_cb) = {
+        ASN1_SIMPLE(DSA, p, BIGNUM),
+        ASN1_SIMPLE(DSA, q, BIGNUM),
+        ASN1_SIMPLE(DSA, g, BIGNUM),
+} ASN1_SEQUENCE_END_cb(DSA, DSAparams)
 
-        if (pp)
-                {
-                p=*pp;
-                ASN1_put_object(&p,1,len,V_ASN1_SEQUENCE,V_ASN1_UNIVERSAL);
-                i2d_ASN1_INTEGER(&rbs,&p);
-                i2d_ASN1_INTEGER(&sbs,&p);
-                }
-        t=ASN1_object_size(1,len,V_ASN1_SEQUENCE);
-        OPENSSL_free(rbs.data);
-        OPENSSL_free(sbs.data);
-        return(t);
-}
+IMPLEMENT_ASN1_ENCODE_FUNCTIONS_const_fname(DSA, DSAparams, DSAparams)
 
-DSA_SIG *d2i_DSA_SIG(DSA_SIG **a, unsigned char **pp, long length)
-{
-        int i=ERR_R_NESTED_ASN1_ERROR;
-        ASN1_INTEGER *bs=NULL;
-        M_ASN1_D2I_vars(a,DSA_SIG *,DSA_SIG_new);
+/* DSA public key is a bit trickier... its effectively a CHOICE type
+ * decided by a field called write_params which can either write out
+ * just the public key as an INTEGER or the parameters and public key
+ * in a SEQUENCE
+ */
 
-        M_ASN1_D2I_Init();
-        M_ASN1_D2I_start_sequence();
-        M_ASN1_D2I_get(bs,d2i_ASN1_INTEGER);
-        if ((ret->r=BN_bin2bn(bs->data,bs->length,ret->r)) == NULL)
-                goto err_bn;
-        M_ASN1_D2I_get(bs,d2i_ASN1_INTEGER);
-        if ((ret->s=BN_bin2bn(bs->data,bs->length,ret->s)) == NULL)
-                goto err_bn;
-        M_ASN1_BIT_STRING_free(bs);
-        M_ASN1_D2I_Finish_2(a);
+ASN1_SEQUENCE(dsa_pub_internal) = {
+        ASN1_SIMPLE(DSA, pub_key, BIGNUM),
+        ASN1_SIMPLE(DSA, p, BIGNUM),
+        ASN1_SIMPLE(DSA, q, BIGNUM),
+        ASN1_SIMPLE(DSA, g, BIGNUM)
+} ASN1_SEQUENCE_END_name(DSA, dsa_pub_internal)
 
-err_bn:
-        i=ERR_R_BN_LIB;
-err:
-        DSAerr(DSA_F_D2I_DSA_SIG,i);
-        if ((ret != NULL) && ((a == NULL) || (*a != ret))) DSA_SIG_free(ret);
-        if (bs != NULL) M_ASN1_BIT_STRING_free(bs);
-        return(NULL);
-}
+ASN1_CHOICE_cb(DSAPublicKey, dsa_cb) = {
+        ASN1_SIMPLE(DSA, pub_key, BIGNUM),
+        ASN1_EX_COMBINE(0, 0, dsa_pub_internal)
+} ASN1_CHOICE_END_cb(DSA, DSAPublicKey, write_params)
+
+IMPLEMENT_ASN1_ENCODE_FUNCTIONS_const_fname(DSA, DSAPublicKey, DSAPublicKey)
diff --git a/src/lib/libcrypto/dsa/dsa_err.c b/src/lib/libcrypto/dsa/dsa_err.c
index 736aeef7c4..79aa4ff526 100644
--- a/src/lib/libcrypto/dsa/dsa_err.c
+++ b/src/lib/libcrypto/dsa/dsa_err.c
@@ -63,7 +63,7 @@
 #include <openssl/dsa.h>
 
 /* BEGIN ERROR CODES */
-#ifndef NO_ERR
+#ifndef OPENSSL_NO_ERR
 static ERR_STRING_DATA DSA_str_functs[]=
         {
 {ERR_PACK(0,DSA_F_D2I_DSA_SIG,0),       "d2i_DSA_SIG"},
@@ -71,7 +71,7 @@ static ERR_STRING_DATA DSA_str_functs[]=
 {ERR_PACK(0,DSA_F_DSAPARAMS_PRINT_FP,0),        "DSAparams_print_fp"},
 {ERR_PACK(0,DSA_F_DSA_DO_SIGN,0),       "DSA_do_sign"},
 {ERR_PACK(0,DSA_F_DSA_DO_VERIFY,0),     "DSA_do_verify"},
-{ERR_PACK(0,DSA_F_DSA_NEW,0),   "DSA_new"},
+{ERR_PACK(0,DSA_F_DSA_NEW_METHOD,0),    "DSA_new_method"},
 {ERR_PACK(0,DSA_F_DSA_PRINT,0), "DSA_print"},
 {ERR_PACK(0,DSA_F_DSA_PRINT_FP,0),      "DSA_print_fp"},
 {ERR_PACK(0,DSA_F_DSA_SIGN,0),  "DSA_sign"},
@@ -79,6 +79,7 @@ static ERR_STRING_DATA DSA_str_functs[]=
 {ERR_PACK(0,DSA_F_DSA_SIG_NEW,0),       "DSA_SIG_new"},
 {ERR_PACK(0,DSA_F_DSA_VERIFY,0),        "DSA_verify"},
 {ERR_PACK(0,DSA_F_I2D_DSA_SIG,0),       "i2d_DSA_SIG"},
+{ERR_PACK(0,DSA_F_SIG_CB,0),    "SIG_CB"},
 {0,NULL}
         };
 
@@ -98,7 +99,7 @@ void ERR_load_DSA_strings(void)
         if (init)
                 {
                 init=0;
-#ifndef NO_ERR
+#ifndef OPENSSL_NO_ERR
                 ERR_load_strings(ERR_LIB_DSA,DSA_str_functs);
                 ERR_load_strings(ERR_LIB_DSA,DSA_str_reasons);
 #endif
diff --git a/src/lib/libcrypto/dsa/dsa_gen.c b/src/lib/libcrypto/dsa/dsa_gen.c
index 2294a362d9..dc9c249310 100644
--- a/src/lib/libcrypto/dsa/dsa_gen.c
+++ b/src/lib/libcrypto/dsa/dsa_gen.c
@@ -61,25 +61,27 @@
 #ifdef GENUINE_DSA
 /* Parameter generation follows the original release of FIPS PUB 186,
  * Appendix 2.2 (i.e. use SHA as defined in FIPS PUB 180) */
-#define HASH    SHA
+#define HASH    EVP_sha()
 #else
 /* Parameter generation follows the updated Appendix 2.2 for FIPS PUB 186,
  * also Appendix 2.2 of FIPS PUB 186-1 (i.e. use SHA as defined in
  * FIPS PUB 180-1) */
-#define HASH    SHA1
+#define HASH    EVP_sha1()
 #endif 
 
-#ifndef NO_SHA
+#ifndef OPENSSL_NO_SHA
 
 #include <stdio.h>
 #include <time.h>
 #include "cryptlib.h"
-#include <openssl/sha.h>
+#include <openssl/evp.h>
 #include <openssl/bn.h>
 #include <openssl/dsa.h>
 #include <openssl/rand.h>
+#include <openssl/sha.h>
 
-DSA *DSA_generate_parameters(int bits, unsigned char *seed_in, int seed_len,
+DSA *DSA_generate_parameters(int bits,
+                unsigned char *seed_in, int seed_len,
                 int *counter_ret, unsigned long *h_ret,
                 void (*callback)(int, int, void *),
                 void *cb_arg)
@@ -157,8 +159,8 @@ DSA *DSA_generate_parameters(int bits, unsigned char *seed_in, int seed_len,
                                 }
 
                         /* step 2 */
-                        HASH(seed,SHA_DIGEST_LENGTH,md);
-                        HASH(buf,SHA_DIGEST_LENGTH,buf2);
+                        EVP_Digest(seed,SHA_DIGEST_LENGTH,md,NULL,HASH, NULL);
+                        EVP_Digest(buf,SHA_DIGEST_LENGTH,buf2,NULL,HASH, NULL);
                         for (i=0; i<SHA_DIGEST_LENGTH; i++)
                                 md[i]^=buf2[i];
 
@@ -205,7 +207,7 @@ DSA *DSA_generate_parameters(int bits, unsigned char *seed_in, int seed_len,
                                         if (buf[i] != 0) break;
                                         }
 
-                                HASH(buf,SHA_DIGEST_LENGTH,md);
+                                EVP_Digest(buf,SHA_DIGEST_LENGTH,md,NULL,HASH, NULL);
 
                                 /* step 8 */
                                 if (!BN_bin2bn(md,SHA_DIGEST_LENGTH,r0))
diff --git a/src/lib/libcrypto/dsa/dsa_key.c b/src/lib/libcrypto/dsa/dsa_key.c
index a68d236e05..bf718c1c6d 100644
--- a/src/lib/libcrypto/dsa/dsa_key.c
+++ b/src/lib/libcrypto/dsa/dsa_key.c
@@ -56,11 +56,10 @@
  * [including the GNU Public Licence.]
  */
 
-#ifndef NO_SHA
+#ifndef OPENSSL_NO_SHA
 #include <stdio.h>
 #include <time.h>
 #include "cryptlib.h"
-#include <openssl/sha.h>
 #include <openssl/bn.h>
 #include <openssl/dsa.h>
 #include <openssl/rand.h>
diff --git a/src/lib/libcrypto/dsa/dsa_lib.c b/src/lib/libcrypto/dsa/dsa_lib.c
index 15f667a203..da2cdfa3d6 100644
--- a/src/lib/libcrypto/dsa/dsa_lib.c
+++ b/src/lib/libcrypto/dsa/dsa_lib.c
@@ -67,96 +67,78 @@
 
 const char *DSA_version="DSA" OPENSSL_VERSION_PTEXT;
 
-static DSA_METHOD *default_DSA_method;
-static int dsa_meth_num = 0;
-static STACK_OF(CRYPTO_EX_DATA_FUNCS) *dsa_meth = NULL;
-
-void DSA_set_default_openssl_method(DSA_METHOD *meth)
-{
-        ENGINE *e;
-        /* We'll need to notify the "openssl" ENGINE of this
-         * change too. We won't bother locking things down at
-         * our end as there was never any locking in these
-         * functions! */
-        if(default_DSA_method != meth)
-                {
-                default_DSA_method = meth;
-                e = ENGINE_by_id("openssl");
-                if(e)
-                        {
-                        ENGINE_set_DSA(e, meth);
-                        ENGINE_free(e);
-                        }
-                }
-}
+static const DSA_METHOD *default_DSA_method = NULL;
 
-DSA_METHOD *DSA_get_default_openssl_method(void)
-{
-        if(!default_DSA_method) default_DSA_method = DSA_OpenSSL();
+void DSA_set_default_method(const DSA_METHOD *meth)
+        {
+        default_DSA_method = meth;
+        }
+
+const DSA_METHOD *DSA_get_default_method(void)
+        {
+        if(!default_DSA_method)
+                default_DSA_method = DSA_OpenSSL();
         return default_DSA_method;
-}
+        }
 
 DSA *DSA_new(void)
-{
+        {
         return DSA_new_method(NULL);
-}
+        }
 
-#if 0
-DSA_METHOD *DSA_set_method(DSA *dsa, DSA_METHOD *meth)
-{
-        DSA_METHOD *mtmp;
+int DSA_set_method(DSA *dsa, const DSA_METHOD *meth)
+        {
+        /* NB: The caller is specifically setting a method, so it's not up to us
+         * to deal with which ENGINE it comes from. */
+        const DSA_METHOD *mtmp;
         mtmp = dsa->meth;
         if (mtmp->finish) mtmp->finish(dsa);
+        if (dsa->engine)
+                {
+                ENGINE_finish(dsa->engine);
+                dsa->engine = NULL;
+                }
         dsa->meth = meth;
         if (meth->init) meth->init(dsa);
-        return mtmp;
-}
-#else
-int DSA_set_method(DSA *dsa, ENGINE *engine)
-        {
-        ENGINE *mtmp;
-        DSA_METHOD *meth;
-        mtmp = dsa->engine;
-        meth = ENGINE_get_DSA(mtmp);
-        if (!ENGINE_init(engine))
-                return 0;
-        if (meth->finish) meth->finish(dsa);
-        dsa->engine = engine;
-        meth = ENGINE_get_DSA(engine);
-        if (meth->init) meth->init(dsa);
-        /* SHOULD ERROR CHECK THIS!!! */
-        ENGINE_finish(mtmp);
-        return 1;
+        return 1;
         }
-#endif
 
-
-#if 0
-DSA *DSA_new_method(DSA_METHOD *meth)
-#else
 DSA *DSA_new_method(ENGINE *engine)
-#endif
         {
-        DSA_METHOD *meth;
         DSA *ret;
 
         ret=(DSA *)OPENSSL_malloc(sizeof(DSA));
         if (ret == NULL)
                 {
-                DSAerr(DSA_F_DSA_NEW,ERR_R_MALLOC_FAILURE);
+                DSAerr(DSA_F_DSA_NEW_METHOD,ERR_R_MALLOC_FAILURE);
                 return(NULL);
                 }
-        if(engine)
+        ret->meth = DSA_get_default_method();
+        if (engine)
+                {
+                if (!ENGINE_init(engine))
+                        {
+                        DSAerr(DSA_F_DSA_NEW_METHOD, ERR_R_ENGINE_LIB);
+                        OPENSSL_free(ret);
+                        return NULL;
+                        }
                 ret->engine = engine;
+                }
         else
+                ret->engine = ENGINE_get_default_DSA();
+        if(ret->engine)
                 {
-                if((ret->engine=ENGINE_get_default_DSA()) == NULL)
+                ret->meth = ENGINE_get_DSA(ret->engine);
+                if(!ret->meth)
                         {
+                        DSAerr(DSA_F_DSA_NEW_METHOD,
+                                ERR_R_ENGINE_LIB);
+                        ENGINE_finish(ret->engine);
                         OPENSSL_free(ret);
                         return NULL;
                         }
                 }
-        meth = ENGINE_get_DSA(ret->engine);
+
         ret->pad=0;
         ret->version=0;
         ret->write_params=1;
@@ -172,11 +154,13 @@ DSA *DSA_new_method(ENGINE *engine)
         ret->method_mont_p=NULL;
 
         ret->references=1;
-        ret->flags=meth->flags;
-        CRYPTO_new_ex_data(dsa_meth,ret,&ret->ex_data);
-        if ((meth->init != NULL) && !meth->init(ret))
+        ret->flags=ret->meth->flags;
+        CRYPTO_new_ex_data(CRYPTO_EX_INDEX_DSA, ret, &ret->ex_data);
+        if ((ret->meth->init != NULL) && !ret->meth->init(ret))
                 {
-                CRYPTO_free_ex_data(dsa_meth,ret,&ret->ex_data);
+                if (ret->engine)
+                        ENGINE_finish(ret->engine);
+                CRYPTO_free_ex_data(CRYPTO_EX_INDEX_DSA, ret, &ret->ex_data);
                 OPENSSL_free(ret);
                 ret=NULL;
                 }
@@ -186,7 +170,6 @@ DSA *DSA_new_method(ENGINE *engine)
 
 void DSA_free(DSA *r)
         {
-        DSA_METHOD *meth;
         int i;
 
         if (r == NULL) return;
@@ -204,11 +187,12 @@ void DSA_free(DSA *r)
                 }
 #endif
 
-        meth = ENGINE_get_DSA(r->engine);
-        if(meth->finish) meth->finish(r);
-        ENGINE_finish(r->engine);
+        if(r->meth->finish)
+                r->meth->finish(r);
+        if(r->engine)
+                ENGINE_finish(r->engine);
 
-        CRYPTO_free_ex_data(dsa_meth, r, &r->ex_data);
+        CRYPTO_free_ex_data(CRYPTO_EX_INDEX_DSA, r, &r->ex_data);
 
         if (r->p != NULL) BN_clear_free(r->p);
         if (r->q != NULL) BN_clear_free(r->q);
@@ -220,7 +204,23 @@ void DSA_free(DSA *r)
         OPENSSL_free(r);
         }
 
-int DSA_size(DSA *r)
+int DSA_up_ref(DSA *r)
+        {
+        int i = CRYPTO_add(&r->references, 1, CRYPTO_LOCK_DSA);
+#ifdef REF_PRINT
+        REF_PRINT("DSA",r);
+#endif
+#ifdef REF_CHECK
+        if (i < 2)
+                {
+                fprintf(stderr, "DSA_up_ref, bad reference count\n");
+                abort();
+                }
+#endif
+        return ((i > 1) ? 1 : 0);
+        }
+
+int DSA_size(const DSA *r)
         {
         int ret,i;
         ASN1_INTEGER bs;
@@ -242,9 +242,8 @@ int DSA_size(DSA *r)
 int DSA_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
              CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func)
         {
-        dsa_meth_num++;
-        return(CRYPTO_get_ex_new_index(dsa_meth_num-1,
-                &dsa_meth,argl,argp,new_func,dup_func,free_func));
+        return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_DSA, argl, argp,
+                                new_func, dup_func, free_func);
         }
 
 int DSA_set_ex_data(DSA *d, int idx, void *arg)
@@ -257,8 +256,8 @@ void *DSA_get_ex_data(DSA *d, int idx)
         return(CRYPTO_get_ex_data(&d->ex_data,idx));
         }
 
-#ifndef NO_DH
-DH *DSA_dup_DH(DSA *r)
+#ifndef OPENSSL_NO_DH
+DH *DSA_dup_DH(const DSA *r)
         {
         /* DSA has p, q, g, optional pub_key, optional priv_key.
          * DH has p, optional length, g, optional pub_key, optional priv_key.
diff --git a/src/lib/libcrypto/dsa/dsa_ossl.c b/src/lib/libcrypto/dsa/dsa_ossl.c
index 34c6e9a141..07addc94d9 100644
--- a/src/lib/libcrypto/dsa/dsa_ossl.c
+++ b/src/lib/libcrypto/dsa/dsa_ossl.c
@@ -94,7 +94,7 @@ dsa_finish,
 NULL
 };
 
-DSA_METHOD *DSA_OpenSSL(void)
+const DSA_METHOD *DSA_OpenSSL(void)
 {
         return &openssl_dsa_meth;
 }
@@ -204,7 +204,7 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
                 }
 
         /* Compute r = (g^k mod p) mod q */
-        if (!ENGINE_get_DSA(dsa->engine)->bn_mod_exp(dsa, r,dsa->g,&k,dsa->p,ctx,
+        if (!dsa->meth->bn_mod_exp(dsa, r,dsa->g,&k,dsa->p,ctx,
                 (BN_MONT_CTX *)dsa->method_mont_p)) goto err;
         if (!BN_mod(r,r,dsa->q,ctx)) goto err;
 
@@ -237,6 +237,11 @@ static int dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig,
         BIGNUM u1,u2,t1;
         BN_MONT_CTX *mont=NULL;
         int ret = -1;
+        if (!dsa->p || !dsa->q || !dsa->g)
+                {
+                DSAerr(DSA_F_DSA_DO_VERIFY,DSA_R_MISSING_PARAMETERS);
+                return -1;
+                }
 
         if ((ctx=BN_CTX_new()) == NULL) goto err;
         BN_init(&u1);
@@ -293,7 +298,7 @@ static int dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig,
         if (!BN_mod(&u1,&u1,dsa->q,ctx)) goto err;
 #else
         {
-        if (!ENGINE_get_DSA(dsa->engine)->dsa_mod_exp(dsa, &t1,dsa->g,&u1,dsa->pub_key,&u2,
+        if (!dsa->meth->dsa_mod_exp(dsa, &t1,dsa->g,&u1,dsa->pub_key,&u2,
                                                 dsa->p,ctx,mont)) goto err;
         /* BN_copy(&u1,&t1); */
         /* let u1 = u1 mod q */
diff --git a/src/lib/libcrypto/dsa/dsa_sign.c b/src/lib/libcrypto/dsa/dsa_sign.c
index dfe27bae47..e9469ca62f 100644
--- a/src/lib/libcrypto/dsa/dsa_sign.c
+++ b/src/lib/libcrypto/dsa/dsa_sign.c
@@ -68,7 +68,7 @@
 
 DSA_SIG * DSA_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
         {
-        return ENGINE_get_DSA(dsa->engine)->dsa_do_sign(dgst, dlen, dsa);
+        return dsa->meth->dsa_do_sign(dgst, dlen, dsa);
         }
 
 int DSA_sign(int type, const unsigned char *dgst, int dlen, unsigned char *sig,
@@ -88,6 +88,6 @@ int DSA_sign(int type, const unsigned char *dgst, int dlen, unsigned char *sig,
 
 int DSA_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
         {
-        return ENGINE_get_DSA(dsa->engine)->dsa_sign_setup(dsa, ctx_in, kinvp, rp);
+        return dsa->meth->dsa_sign_setup(dsa, ctx_in, kinvp, rp);
         }
 
diff --git a/src/lib/libcrypto/dsa/dsa_vrf.c b/src/lib/libcrypto/dsa/dsa_vrf.c
index 2e891ae491..066c6b5b28 100644
--- a/src/lib/libcrypto/dsa/dsa_vrf.c
+++ b/src/lib/libcrypto/dsa/dsa_vrf.c
@@ -70,7 +70,7 @@
 int DSA_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig,
                   DSA *dsa)
         {
-        return ENGINE_get_DSA(dsa->engine)->dsa_do_verify(dgst, dgst_len, sig, dsa);
+        return dsa->meth->dsa_do_verify(dgst, dgst_len, sig, dsa);
         }
 
 /* data has already been hashed (probably with SHA or SHA-1). */
@@ -80,7 +80,7 @@ int DSA_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig,
  *     -1: error
  */
 int DSA_verify(int type, const unsigned char *dgst, int dgst_len,
-             unsigned char *sigbuf, int siglen, DSA *dsa)
+             const unsigned char *sigbuf, int siglen, DSA *dsa)
         {
         DSA_SIG *s;
         int ret=-1;
diff --git a/src/lib/libcrypto/dsa/dsatest.c b/src/lib/libcrypto/dsa/dsatest.c
index 309a7cda89..12da64f9f4 100644
--- a/src/lib/libcrypto/dsa/dsatest.c
+++ b/src/lib/libcrypto/dsa/dsatest.c
@@ -65,11 +65,12 @@
 #include <openssl/rand.h>
 #include <openssl/bio.h>
 #include <openssl/err.h>
-#ifdef WINDOWS
+#include <openssl/engine.h>
+#ifdef OPENSSL_SYS_WINDOWS
 #include "../bio/bss_file.c"
 #endif
 
-#ifdef NO_DSA
+#ifdef OPENSSL_NO_DSA
 int main(int argc, char *argv[])
 {
     printf("No DSA support\n");
@@ -78,7 +79,7 @@ int main(int argc, char *argv[])
 #else
 #include <openssl/dsa.h>
 
-#ifdef WIN16
+#ifdef OPENSSL_SYS_WIN16
 #define MS_CALLBACK     _far _loadds
 #else
 #define MS_CALLBACK
@@ -136,14 +137,16 @@ int main(int argc, char **argv)
         unsigned char sig[256];
         unsigned int siglen;
 
-        ERR_load_crypto_strings();
-        RAND_seed(rnd_seed, sizeof rnd_seed);
-
         if (bio_err == NULL)
                 bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
 
+        CRYPTO_malloc_debug_init();
+        CRYPTO_dbg_set_options(V_CRYPTO_MDEBUG_ALL);
         CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
 
+        ERR_load_crypto_strings();
+        RAND_seed(rnd_seed, sizeof rnd_seed);
+
         BIO_printf(bio_err,"test generation of DSA parameters\n");
 
         dsa=DSA_generate_parameters(512,seed,20,&counter,&h,dsa_cb,bio_err);
@@ -200,7 +203,9 @@ end:
         if (!ret)
                 ERR_print_errors(bio_err);
         if (dsa != NULL) DSA_free(dsa);
+        CRYPTO_cleanup_all_ex_data();
         ERR_remove_state(0);
+        ERR_free_strings();
         CRYPTO_mem_leaks(bio_err);
         if (bio_err != NULL)
                 {
diff --git a/src/lib/libcrypto/dso/Makefile.ssl b/src/lib/libcrypto/dso/Makefile.ssl
index 48b36c8330..cca9376bdb 100644
--- a/src/lib/libcrypto/dso/Makefile.ssl
+++ b/src/lib/libcrypto/dso/Makefile.ssl
@@ -5,13 +5,14 @@
 DIR=    dso
 TOP=    ../..
 CC=     cc
-INCLUDES= -I.. -I../../include
+INCLUDES= -I.. -I$(TOP) -I../../include
 CFLAG=-g
 INSTALL_PREFIX=
 OPENSSLDIR=     /usr/local/ssl
 INSTALLTOP=/usr/local/ssl
 MAKE=           make -f Makefile.ssl
-MAKEDEPEND=     $(TOP)/util/domd $(TOP)
+MAKEDEPPROG=    makedepend
+MAKEDEPEND=     $(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)
 MAKEFILE=       Makefile.ssl
 AR=             ar r
 
@@ -41,8 +42,7 @@ all:	lib
 
 lib:    $(LIBOBJ)
         $(AR) $(LIB) $(LIBOBJ)
-        @echo You may get an error following this line.  Please ignore.
-        - $(RANLIB) $(LIB)
+        $(RANLIB) $(LIB) || echo Never mind.
         @touch lib
 
 files:
@@ -81,61 +81,62 @@ clean:
 
 # DO NOT DELETE THIS LINE -- make depend depends on it.
 
-dso_dl.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
-dso_dl.o: ../../include/openssl/crypto.h ../../include/openssl/dso.h
-dso_dl.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+dso_dl.o: ../../e_os.h ../../include/openssl/bio.h
+dso_dl.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+dso_dl.o: ../../include/openssl/dso.h ../../include/openssl/e_os2.h
 dso_dl.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
 dso_dl.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
 dso_dl.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-dso_dl.o: ../../include/openssl/symhacks.h ../cryptlib.h
-dso_dlfcn.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
-dso_dlfcn.o: ../../include/openssl/crypto.h ../../include/openssl/dso.h
-dso_dlfcn.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+dso_dl.o: ../../include/openssl/symhacks.h ../cryptlib.h dso_dl.c
+dso_dlfcn.o: ../../e_os.h ../../include/openssl/bio.h
+dso_dlfcn.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+dso_dlfcn.o: ../../include/openssl/dso.h ../../include/openssl/e_os2.h
 dso_dlfcn.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
 dso_dlfcn.o: ../../include/openssl/opensslconf.h
 dso_dlfcn.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
 dso_dlfcn.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-dso_dlfcn.o: ../cryptlib.h
+dso_dlfcn.o: ../cryptlib.h dso_dlfcn.c
 dso_err.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
-dso_err.o: ../../include/openssl/dso.h ../../include/openssl/err.h
-dso_err.o: ../../include/openssl/lhash.h ../../include/openssl/opensslv.h
+dso_err.o: ../../include/openssl/dso.h ../../include/openssl/e_os2.h
+dso_err.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+dso_err.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
 dso_err.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-dso_err.o: ../../include/openssl/symhacks.h
-dso_lib.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
-dso_lib.o: ../../include/openssl/crypto.h ../../include/openssl/dso.h
-dso_lib.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+dso_err.o: ../../include/openssl/symhacks.h dso_err.c
+dso_lib.o: ../../e_os.h ../../include/openssl/bio.h
+dso_lib.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+dso_lib.o: ../../include/openssl/dso.h ../../include/openssl/e_os2.h
 dso_lib.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
 dso_lib.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
 dso_lib.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-dso_lib.o: ../../include/openssl/symhacks.h ../cryptlib.h
-dso_null.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
-dso_null.o: ../../include/openssl/crypto.h ../../include/openssl/dso.h
-dso_null.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+dso_lib.o: ../../include/openssl/symhacks.h ../cryptlib.h dso_lib.c
+dso_null.o: ../../e_os.h ../../include/openssl/bio.h
+dso_null.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+dso_null.o: ../../include/openssl/dso.h ../../include/openssl/e_os2.h
 dso_null.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
 dso_null.o: ../../include/openssl/opensslconf.h
 dso_null.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
 dso_null.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-dso_null.o: ../cryptlib.h
-dso_openssl.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
-dso_openssl.o: ../../include/openssl/crypto.h ../../include/openssl/dso.h
-dso_openssl.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+dso_null.o: ../cryptlib.h dso_null.c
+dso_openssl.o: ../../e_os.h ../../include/openssl/bio.h
+dso_openssl.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+dso_openssl.o: ../../include/openssl/dso.h ../../include/openssl/e_os2.h
 dso_openssl.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
 dso_openssl.o: ../../include/openssl/opensslconf.h
 dso_openssl.o: ../../include/openssl/opensslv.h
 dso_openssl.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-dso_openssl.o: ../../include/openssl/symhacks.h ../cryptlib.h
-dso_vms.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
-dso_vms.o: ../../include/openssl/crypto.h ../../include/openssl/dso.h
-dso_vms.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+dso_openssl.o: ../../include/openssl/symhacks.h ../cryptlib.h dso_openssl.c
+dso_vms.o: ../../e_os.h ../../include/openssl/bio.h
+dso_vms.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+dso_vms.o: ../../include/openssl/dso.h ../../include/openssl/e_os2.h
 dso_vms.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
 dso_vms.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
 dso_vms.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-dso_vms.o: ../../include/openssl/symhacks.h ../cryptlib.h
-dso_win32.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
-dso_win32.o: ../../include/openssl/crypto.h ../../include/openssl/dso.h
-dso_win32.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+dso_vms.o: ../../include/openssl/symhacks.h ../cryptlib.h dso_vms.c
+dso_win32.o: ../../e_os.h ../../include/openssl/bio.h
+dso_win32.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+dso_win32.o: ../../include/openssl/dso.h ../../include/openssl/e_os2.h
 dso_win32.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
 dso_win32.o: ../../include/openssl/opensslconf.h
 dso_win32.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
 dso_win32.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-dso_win32.o: ../cryptlib.h
+dso_win32.o: ../cryptlib.h dso_win32.c
diff --git a/src/lib/libcrypto/dso/README b/src/lib/libcrypto/dso/README
index 6ba03c5631..d0bc9a89fb 100644
--- a/src/lib/libcrypto/dso/README
+++ b/src/lib/libcrypto/dso/README
@@ -1,16 +1,3 @@
-TODO
-----
-
-Find a way where name-translation can be done in a way that is
-sensitive to particular methods (ie. generic code could still do
-different path/filename substitutions on win32 to what it does on
-*nix) but doesn't assume some canonical form. Already one case
-exists where the "blah -> (libblah.so,blah.dll)" mapping doesn't
-suffice. I suspect a callback with an enumerated (or string?)
-parameter could be the way to go here ... DSO_ctrl the callback
-into place and it can be invoked to handle name translation with
-some clue to the calling code as to what kind of system it is.
-
 NOTES
 -----
 
@@ -21,4 +8,15 @@ according to their man page, prefer developers to move to that.
 I'll leave Richard's changes there as I guess dso_dl is needed
 for HPUX10.20.
 
+There is now a callback scheme in place where filename conversion can
+(a) be turned off altogether through the use of the
+    DSO_FLAG_NO_NAME_TRANSLATION flag,
+(b) be handled by default using the default DSO_METHOD's converter
+(c) overriden per-DSO by setting the override callback
+(d) a mix of (b) and (c) - eg. implement an override callback that;
+    (i) checks if we're win32 (if(strstr(dso->meth->name, "win32")....)
+        and if so, convert "blah" into "blah32.dll" (the default is
+        otherwise to make it "blah.dll").
+    (ii) default to the normal behaviour - we're not on win32, eg.
+         finish with (return dso->meth->dso_name_converter(dso,NULL)).
 
diff --git a/src/lib/libcrypto/dso/dso.h b/src/lib/libcrypto/dso/dso.h
index bed7c464a6..aa721f7feb 100644
--- a/src/lib/libcrypto/dso/dso.h
+++ b/src/lib/libcrypto/dso/dso.h
@@ -70,31 +70,51 @@ extern "C" {
 #define DSO_CTRL_SET_FLAGS      2
 #define DSO_CTRL_OR_FLAGS       3
 
-/* These flags control the translation of file-names from canonical to
- * native. Eg. in the CryptoSwift support, the "dl" and "dlfcn"
- * methods will translate "swift" -> "libswift.so" whereas the "win32"
- * method will translate "swift" -> "swift.dll". NB: Until I can figure
- * out how to be more "conventional" with this, the methods will only
- * honour this flag if it looks like it was passed a file without any
- * path and if the filename is small enough.
- */
-#define DSO_FLAG_NAME_TRANSLATION 0x01
+/* By default, DSO_load() will translate the provided filename into a form
+ * typical for the platform (more specifically the DSO_METHOD) using the
+ * dso_name_converter function of the method. Eg. win32 will transform "blah"
+ * into "blah.dll", and dlfcn will transform it into "libblah.so". The
+ * behaviour can be overriden by setting the name_converter callback in the DSO
+ * object (using DSO_set_name_converter()). This callback could even utilise
+ * the DSO_METHOD's converter too if it only wants to override behaviour for
+ * one or two possible DSO methods. However, the following flag can be set in a
+ * DSO to prevent *any* native name-translation at all - eg. if the caller has
+ * prompted the user for a path to a driver library so the filename should be
+ * interpreted as-is. */
+#define DSO_FLAG_NO_NAME_TRANSLATION            0x01
+/* An extra flag to give if only the extension should be added as
+ * translation.  This is obviously only of importance on Unix and
+ * other operating systems where the translation also may prefix
+ * the name with something, like 'lib', and ignored everywhere else.
+ * This flag is also ignored if DSO_FLAG_NO_NAME_TRANSLATION is used
+ * at the same time. */
+#define DSO_FLAG_NAME_TRANSLATION_EXT_ONLY      0x02
 
 /* The following flag controls the translation of symbol names to upper
  * case.  This is currently only being implemented for OpenVMS.
  */
-#define DSO_FLAG_UPCASE_SYMBOL    0x02
+#define DSO_FLAG_UPCASE_SYMBOL                  0x10
 
 
 typedef void (*DSO_FUNC_TYPE)(void);
 
 typedef struct dso_st DSO;
 
+/* The function prototype used for method functions (or caller-provided
+ * callbacks) that transform filenames. They are passed a DSO structure pointer
+ * (or NULL if they are to be used independantly of a DSO object) and a
+ * filename to transform. They should either return NULL (if there is an error
+ * condition) or a newly allocated string containing the transformed form that
+ * the caller will need to free with OPENSSL_free() when done. */
+typedef char* (*DSO_NAME_CONVERTER_FUNC)(DSO *, const char *);
+
 typedef struct dso_meth_st
         {
         const char *name;
-        /* Loads a shared library */
-        int (*dso_load)(DSO *dso, const char *filename);
+        /* Loads a shared library, NB: new DSO_METHODs must ensure that a
+         * successful load populates the loaded_filename field, and likewise a
+         * successful unload OPENSSL_frees and NULLs it out. */
+        int (*dso_load)(DSO *dso);
         /* Unloads a shared library */
         int (*dso_unload)(DSO *dso);
         /* Binds a variable */
@@ -117,6 +137,9 @@ typedef struct dso_meth_st
         /* The generic (yuck) "ctrl()" function. NB: Negative return
          * values (rather than zero) indicate errors. */
         long (*dso_ctrl)(DSO *dso, int cmd, long larg, void *parg);
+        /* The default DSO_METHOD-specific function for converting filenames to
+         * a canonical native form. */
+        DSO_NAME_CONVERTER_FUNC dso_name_converter;
 
         /* [De]Initialisation handlers. */
         int (*init)(DSO *dso);
@@ -140,6 +163,23 @@ struct dso_st
         /* For use by applications etc ... use this for your bits'n'pieces,
          * don't touch meth_data! */
         CRYPTO_EX_DATA ex_data;
+        /* If this callback function pointer is set to non-NULL, then it will
+         * be used on DSO_load() in place of meth->dso_name_converter. NB: This
+         * should normally set using DSO_set_name_converter(). */
+        DSO_NAME_CONVERTER_FUNC name_converter;
+        /* This is populated with (a copy of) the platform-independant
+         * filename used for this DSO. */
+        char *filename;
+        /* This is populated with (a copy of) the translated filename by which
+         * the DSO was actually loaded. It is NULL iff the DSO is not currently
+         * loaded. NB: This is here because the filename translation process
+         * may involve a callback being invoked more than once not only to
+         * convert to a platform-specific form, but also to try different
+         * filenames in the process of trying to perform a load. As such, this
+         * variable can be used to indicate (a) whether this DSO structure
+         * corresponds to a loaded library or not, and (b) the filename with
+         * which it was actually loaded. */
+        char *loaded_filename;
         };
 
 
@@ -147,10 +187,38 @@ DSO *	DSO_new(void);
 DSO *   DSO_new_method(DSO_METHOD *method);
 int     DSO_free(DSO *dso);
 int     DSO_flags(DSO *dso);
-int     DSO_up(DSO *dso);
+int     DSO_up_ref(DSO *dso);
 long    DSO_ctrl(DSO *dso, int cmd, long larg, void *parg);
 
-void DSO_set_default_method(DSO_METHOD *meth);
+/* This function sets the DSO's name_converter callback. If it is non-NULL,
+ * then it will be used instead of the associated DSO_METHOD's function. If
+ * oldcb is non-NULL then it is set to the function pointer value being
+ * replaced. Return value is non-zero for success. */
+int     DSO_set_name_converter(DSO *dso, DSO_NAME_CONVERTER_FUNC cb,
+                                DSO_NAME_CONVERTER_FUNC *oldcb);
+/* These functions can be used to get/set the platform-independant filename
+ * used for a DSO. NB: set will fail if the DSO is already loaded. */
+const char *DSO_get_filename(DSO *dso);
+int     DSO_set_filename(DSO *dso, const char *filename);
+/* This function will invoke the DSO's name_converter callback to translate a
+ * filename, or if the callback isn't set it will instead use the DSO_METHOD's
+ * converter. If "filename" is NULL, the "filename" in the DSO itself will be
+ * used. If the DSO_FLAG_NO_NAME_TRANSLATION flag is set, then the filename is
+ * simply duplicated. NB: This function is usually called from within a
+ * DSO_METHOD during the processing of a DSO_load() call, and is exposed so that
+ * caller-created DSO_METHODs can do the same thing. A non-NULL return value
+ * will need to be OPENSSL_free()'d. */
+char    *DSO_convert_filename(DSO *dso, const char *filename);
+/* If the DSO is currently loaded, this returns the filename that it was loaded
+ * under, otherwise it returns NULL. So it is also useful as a test as to
+ * whether the DSO is currently loaded. NB: This will not necessarily return
+ * the same value as DSO_convert_filename(dso, dso->filename), because the
+ * DSO_METHOD's load function may have tried a variety of filenames (with
+ * and/or without the aid of the converters) before settling on the one it
+ * actually loaded. */
+const char *DSO_get_loaded_filename(DSO *dso);
+
+void    DSO_set_default_method(DSO_METHOD *meth);
 DSO_METHOD *DSO_get_default_method(void);
 DSO_METHOD *DSO_get_method(DSO *dso);
 DSO_METHOD *DSO_set_method(DSO *dso, DSO_METHOD *meth);
@@ -159,8 +227,7 @@ DSO_METHOD *DSO_set_method(DSO *dso, DSO_METHOD *meth);
  * for the first and third parameters. Use DSO_up and DSO_free for
  * subsequent reference count handling. Any flags passed in will be set
  * in the constructed DSO after its init() function but before the
- * load operation. This will be done with;
- *    DSO_ctrl(dso, DSO_CTRL_SET_FLAGS, flags, NULL); */
+ * load operation. If 'dso' is non-NULL, 'flags' is ignored. */
 DSO *DSO_load(DSO *dso, const char *filename, DSO_METHOD *meth, int flags);
 
 /* This function binds to a variable inside a shared library. */
@@ -194,52 +261,58 @@ DSO_METHOD *DSO_METHOD_win32(void);
 /* If VMS is defined, use shared images. If not, return NULL. */
 DSO_METHOD *DSO_METHOD_vms(void);
 
-void ERR_load_DSO_strings(void);
-
 /* BEGIN ERROR CODES */
 /* The following lines are auto generated by the script mkerr.pl. Any changes
  * made after this point may be overwritten when the script is next run.
  */
+void ERR_load_DSO_strings(void);
 
 /* Error codes for the DSO functions. */
 
 /* Function codes. */
 #define DSO_F_DLFCN_BIND_FUNC                            100
 #define DSO_F_DLFCN_BIND_VAR                             101
-#define DSO_F_DLFCN_CTRL                                 102
-#define DSO_F_DLFCN_LOAD                                 103
-#define DSO_F_DLFCN_UNLOAD                               104
-#define DSO_F_DL_BIND_FUNC                               105
-#define DSO_F_DL_BIND_VAR                                106
-#define DSO_F_DL_CTRL                                    107
-#define DSO_F_DL_LOAD                                    108
-#define DSO_F_DL_UNLOAD                                  109
-#define DSO_F_DSO_BIND_FUNC                              110
-#define DSO_F_DSO_BIND_VAR                               111
-#define DSO_F_DSO_CTRL                                   112
-#define DSO_F_DSO_FREE                                   113
-#define DSO_F_DSO_LOAD                                   114
-#define DSO_F_DSO_NEW_METHOD                             115
-#define DSO_F_DSO_UP                                     116
-#define DSO_F_VMS_BIND_VAR                               122
-#define DSO_F_VMS_CTRL                                   123
-#define DSO_F_VMS_LOAD                                   124
-#define DSO_F_VMS_UNLOAD                                 125
-#define DSO_F_WIN32_BIND_FUNC                            117
-#define DSO_F_WIN32_BIND_VAR                             118
-#define DSO_F_WIN32_CTRL                                 119
+#define DSO_F_DLFCN_LOAD                                 102
+#define DSO_F_DLFCN_NAME_CONVERTER                       123
+#define DSO_F_DLFCN_UNLOAD                               103
+#define DSO_F_DL_BIND_FUNC                               104
+#define DSO_F_DL_BIND_VAR                                105
+#define DSO_F_DL_LOAD                                    106
+#define DSO_F_DL_NAME_CONVERTER                          124
+#define DSO_F_DL_UNLOAD                                  107
+#define DSO_F_DSO_BIND_FUNC                              108
+#define DSO_F_DSO_BIND_VAR                               109
+#define DSO_F_DSO_CONVERT_FILENAME                       126
+#define DSO_F_DSO_CTRL                                   110
+#define DSO_F_DSO_FREE                                   111
+#define DSO_F_DSO_GET_FILENAME                           127
+#define DSO_F_DSO_GET_LOADED_FILENAME                    128
+#define DSO_F_DSO_LOAD                                   112
+#define DSO_F_DSO_NEW_METHOD                             113
+#define DSO_F_DSO_SET_FILENAME                           129
+#define DSO_F_DSO_SET_NAME_CONVERTER                     122
+#define DSO_F_DSO_UP_REF                                 114
+#define DSO_F_VMS_BIND_VAR                               115
+#define DSO_F_VMS_LOAD                                   116
+#define DSO_F_VMS_UNLOAD                                 117
+#define DSO_F_WIN32_BIND_FUNC                            118
+#define DSO_F_WIN32_BIND_VAR                             119
 #define DSO_F_WIN32_LOAD                                 120
+#define DSO_F_WIN32_NAME_CONVERTER                       125
 #define DSO_F_WIN32_UNLOAD                               121
 
 /* Reason codes. */
 #define DSO_R_CTRL_FAILED                                100
-#define DSO_R_FILENAME_TOO_BIG                           109
-#define DSO_R_FINISH_FAILED                              101
-#define DSO_R_LOAD_FAILED                                102
-#define DSO_R_NULL_HANDLE                                103
-#define DSO_R_STACK_ERROR                                104
-#define DSO_R_SYM_FAILURE                                105
-#define DSO_R_UNKNOWN_COMMAND                            106
+#define DSO_R_DSO_ALREADY_LOADED                         110
+#define DSO_R_FILENAME_TOO_BIG                           101
+#define DSO_R_FINISH_FAILED                              102
+#define DSO_R_LOAD_FAILED                                103
+#define DSO_R_NAME_TRANSLATION_FAILED                    109
+#define DSO_R_NO_FILENAME                                111
+#define DSO_R_NULL_HANDLE                                104
+#define DSO_R_SET_FILENAME_FAILED                        112
+#define DSO_R_STACK_ERROR                                105
+#define DSO_R_SYM_FAILURE                                106
 #define DSO_R_UNLOAD_FAILED                              107
 #define DSO_R_UNSUPPORTED                                108
 
@@ -247,4 +320,3 @@ void ERR_load_DSO_strings(void);
 }
 #endif
 #endif
-
diff --git a/src/lib/libcrypto/dso/dso_dl.c b/src/lib/libcrypto/dso/dso_dl.c
index 455bd66ecf..195717e993 100644
--- a/src/lib/libcrypto/dso/dso_dl.c
+++ b/src/lib/libcrypto/dso/dso_dl.c
@@ -1,5 +1,5 @@
 /* dso_dl.c */
-/* Written by Richard Levitte (levitte@openssl.org) for the OpenSSL
+/* Written by Richard Levitte (richard@levitte.org) for the OpenSSL
  * project 2000.
  */
 /* ====================================================================
@@ -72,7 +72,7 @@ DSO_METHOD *DSO_METHOD_dl(void)
 /* Part of the hack in "dl_load" ... */
 #define DSO_MAX_TRANSLATED_SIZE 256
 
-static int dl_load(DSO *dso, const char *filename);
+static int dl_load(DSO *dso);
 static int dl_unload(DSO *dso);
 static void *dl_bind_var(DSO *dso, const char *symname);
 static DSO_FUNC_TYPE dl_bind_func(DSO *dso, const char *symname);
@@ -81,8 +81,9 @@ static int dl_unbind_var(DSO *dso, char *symname, void *symptr);
 static int dl_unbind_func(DSO *dso, char *symname, DSO_FUNC_TYPE symptr);
 static int dl_init(DSO *dso);
 static int dl_finish(DSO *dso);
+static int dl_ctrl(DSO *dso, int cmd, long larg, void *parg);
 #endif
-static long dl_ctrl(DSO *dso, int cmd, long larg, void *parg);
+static char *dl_name_converter(DSO *dso, const char *filename);
 
 static DSO_METHOD dso_meth_dl = {
         "OpenSSL 'dl' shared library method",
@@ -95,7 +96,8 @@ static DSO_METHOD dso_meth_dl = {
         NULL, /* unbind_var */
         NULL, /* unbind_func */
 #endif
-        dl_ctrl,
+        NULL, /* ctrl */
+        dl_name_converter,
         NULL, /* init */
         NULL  /* finish */
         };
@@ -111,40 +113,43 @@ DSO_METHOD *DSO_METHOD_dl(void)
  * type so the cast is safe.
  */
 
-#if defined(__hpux)
-static const char extension[] = ".sl";
-#else
-static const char extension[] = ".so";
-#endif
-static int dl_load(DSO *dso, const char *filename)
+static int dl_load(DSO *dso)
         {
-        shl_t ptr;
-        char translated[DSO_MAX_TRANSLATED_SIZE];
-        int len;
+        shl_t ptr = NULL;
+        /* We don't do any fancy retries or anything, just take the method's
+         * (or DSO's if it has the callback set) best translation of the
+         * platform-independant filename and try once with that. */
+        char *filename= DSO_convert_filename(dso, NULL);
 
-        /* The same comment as in dlfcn_load applies here. bleurgh. */
-        len = strlen(filename) + strlen(extension);
-        if((dso->flags & DSO_FLAG_NAME_TRANSLATION) &&
-                        (len + 3 < DSO_MAX_TRANSLATED_SIZE) &&
-                        (strstr(filename, "/") == NULL))
+        if(filename == NULL)
                 {
-                sprintf(translated, "lib%s%s", filename, extension);
-                ptr = shl_load(translated, BIND_IMMEDIATE, NULL);
+                DSOerr(DSO_F_DL_LOAD,DSO_R_NO_FILENAME);
+                goto err;
                 }
-        else
-                ptr = shl_load(filename, BIND_IMMEDIATE, NULL);
+        ptr = shl_load(filename, BIND_IMMEDIATE|DYNAMIC_PATH, NULL);
         if(ptr == NULL)
                 {
                 DSOerr(DSO_F_DL_LOAD,DSO_R_LOAD_FAILED);
-                return(0);
+                ERR_add_error_data(4, "filename(", filename, "): ",
+                        strerror(errno));
+                goto err;
                 }
         if(!sk_push(dso->meth_data, (char *)ptr))
                 {
                 DSOerr(DSO_F_DL_LOAD,DSO_R_STACK_ERROR);
-                shl_unload(ptr);
-                return(0);
+                goto err;
                 }
+        /* Success, stick the converted filename we've loaded under into the DSO
+         * (it also serves as the indicator that we are currently loaded). */
+        dso->loaded_filename = filename;
         return(1);
+err:
+        /* Cleanup! */
+        if(filename != NULL)
+                OPENSSL_free(filename);
+        if(ptr != NULL)
+                shl_unload(ptr);
+        return(0);
         }
 
 static int dl_unload(DSO *dso)
@@ -195,6 +200,8 @@ static void *dl_bind_var(DSO *dso, const char *symname)
         if (shl_findsym(&ptr, symname, TYPE_UNDEFINED, &sym) < 0)
                 {
                 DSOerr(DSO_F_DL_BIND_VAR,DSO_R_SYM_FAILURE);
+                ERR_add_error_data(4, "symname(", symname, "): ",
+                        strerror(errno));
                 return(NULL);
                 }
         return(sym);
@@ -224,33 +231,54 @@ static DSO_FUNC_TYPE dl_bind_func(DSO *dso, const char *symname)
         if (shl_findsym(&ptr, symname, TYPE_UNDEFINED, &sym) < 0)
                 {
                 DSOerr(DSO_F_DL_BIND_FUNC,DSO_R_SYM_FAILURE);
+                ERR_add_error_data(4, "symname(", symname, "): ",
+                        strerror(errno));
                 return(NULL);
                 }
         return((DSO_FUNC_TYPE)sym);
         }
 
-static long dl_ctrl(DSO *dso, int cmd, long larg, void *parg)
+/* This function is identical to the one in dso_dlfcn.c, but as it is highly
+ * unlikely that both the "dl" *and* "dlfcn" variants are being compiled at the
+ * same time, there's no great duplicating the code. Figuring out an elegant 
+ * way to share one copy of the code would be more difficult and would not
+ * leave the implementations independant. */
+#if defined(__hpux)
+static const char extension[] = ".sl";
+#else
+static const char extension[] = ".so";
+#endif
+static char *dl_name_converter(DSO *dso, const char *filename)
         {
-        if(dso == NULL)
+        char *translated;
+        int len, rsize, transform;
+
+        len = strlen(filename);
+        rsize = len + 1;
+        transform = (strstr(filename, "/") == NULL);
                 {
-                DSOerr(DSO_F_DL_CTRL,ERR_R_PASSED_NULL_PARAMETER);
-                return(-1);
+                /* We will convert this to "%s.s?" or "lib%s.s?" */
+                rsize += strlen(extension);/* The length of ".s?" */
+                if ((DSO_flags(dso) & DSO_FLAG_NAME_TRANSLATION_EXT_ONLY) == 0)
+                        rsize += 3; /* The length of "lib" */
                 }
-        switch(cmd)
+        translated = OPENSSL_malloc(rsize);
+        if(translated == NULL)
                 {
-        case DSO_CTRL_GET_FLAGS:
-                return dso->flags;
-        case DSO_CTRL_SET_FLAGS:
-                dso->flags = larg;
-                return(0);
-        case DSO_CTRL_OR_FLAGS:
-                dso->flags |= larg;
-                return(0);
-        default:
-                break;
+                DSOerr(DSO_F_DL_NAME_CONVERTER,
+                                DSO_R_NAME_TRANSLATION_FAILED); 
+                return(NULL);   
                 }
-        DSOerr(DSO_F_DL_CTRL,DSO_R_UNKNOWN_COMMAND);
-        return(-1);
+        if(transform)
+                {
+                if ((DSO_flags(dso) & DSO_FLAG_NAME_TRANSLATION_EXT_ONLY) == 0)
+                        sprintf(translated, "lib%s%s", filename, extension);
+                else
+                        sprintf(translated, "%s%s", filename, extension);
+                }
+        else
+                sprintf(translated, "%s", filename);
+        return(translated);
         }
 
 #endif /* DSO_DL */
diff --git a/src/lib/libcrypto/dso/dso_dlfcn.c b/src/lib/libcrypto/dso/dso_dlfcn.c
index e709c721cc..1a19164d3b 100644
--- a/src/lib/libcrypto/dso/dso_dlfcn.c
+++ b/src/lib/libcrypto/dso/dso_dlfcn.c
@@ -74,7 +74,7 @@ DSO_METHOD *DSO_METHOD_dlfcn(void)
 /* Part of the hack in "dlfcn_load" ... */
 #define DSO_MAX_TRANSLATED_SIZE 256
 
-static int dlfcn_load(DSO *dso, const char *filename);
+static int dlfcn_load(DSO *dso);
 static int dlfcn_unload(DSO *dso);
 static void *dlfcn_bind_var(DSO *dso, const char *symname);
 static DSO_FUNC_TYPE dlfcn_bind_func(DSO *dso, const char *symname);
@@ -82,8 +82,9 @@ static DSO_FUNC_TYPE dlfcn_bind_func(DSO *dso, const char *symname);
 static int dlfcn_unbind(DSO *dso, char *symname, void *symptr);
 static int dlfcn_init(DSO *dso);
 static int dlfcn_finish(DSO *dso);
-#endif
 static long dlfcn_ctrl(DSO *dso, int cmd, long larg, void *parg);
+#endif
+static char *dlfcn_name_converter(DSO *dso, const char *filename);
 
 static DSO_METHOD dso_meth_dlfcn = {
         "OpenSSL 'dlfcn' shared library method",
@@ -96,7 +97,8 @@ static DSO_METHOD dso_meth_dlfcn = {
         NULL, /* unbind_var */
         NULL, /* unbind_func */
 #endif
-        dlfcn_ctrl,
+        NULL, /* ctrl */
+        dlfcn_name_converter,
         NULL, /* init */
         NULL  /* finish */
         };
@@ -130,41 +132,40 @@ DSO_METHOD *DSO_METHOD_dlfcn(void)
  * (i) the handle (void*) returned from dlopen().
  */
 
-static int dlfcn_load(DSO *dso, const char *filename)
+static int dlfcn_load(DSO *dso)
         {
-        void *ptr;
-        char translated[DSO_MAX_TRANSLATED_SIZE];
-        int len;
+        void *ptr = NULL;
+        /* See applicable comments in dso_dl.c */
+        char *filename = DSO_convert_filename(dso, NULL);
 
-        /* NB: This is a hideous hack, but I'm not yet sure what
-         * to replace it with. This attempts to convert any filename,
-         * that looks like it has no path information, into a
-         * translated form, e. "blah" -> "libblah.so" */
-        len = strlen(filename);
-        if((dso->flags & DSO_FLAG_NAME_TRANSLATION) &&
-                        (len + 6 < DSO_MAX_TRANSLATED_SIZE) &&
-                        (strstr(filename, "/") == NULL))
+        if(filename == NULL)
                 {
-                sprintf(translated, "lib%s.so", filename);
-                ptr = dlopen(translated, DLOPEN_FLAG);
-                }
-        else
-                {
-                ptr = dlopen(filename, DLOPEN_FLAG);
+                DSOerr(DSO_F_DLFCN_LOAD,DSO_R_NO_FILENAME);
+                goto err;
                 }
+        ptr = dlopen(filename, DLOPEN_FLAG);
         if(ptr == NULL)
                 {
                 DSOerr(DSO_F_DLFCN_LOAD,DSO_R_LOAD_FAILED);
-                return(0);
+                ERR_add_error_data(4, "filename(", filename, "): ", dlerror());
+                goto err;
                 }
         if(!sk_push(dso->meth_data, (char *)ptr))
                 {
                 DSOerr(DSO_F_DLFCN_LOAD,DSO_R_STACK_ERROR);
-                dlclose(ptr);
-                return(0);
+                goto err;
                 }
+        /* Success */
+        dso->loaded_filename = filename;
         return(1);
-        }
+err:
+        /* Cleanup! */
+        if(filename != NULL)
+                OPENSSL_free(filename);
+        if(ptr != NULL)
+                dlclose(ptr);
+        return(0);
+}
 
 static int dlfcn_unload(DSO *dso)
         {
@@ -214,6 +215,7 @@ static void *dlfcn_bind_var(DSO *dso, const char *symname)
         if(sym == NULL)
                 {
                 DSOerr(DSO_F_DLFCN_BIND_VAR,DSO_R_SYM_FAILURE);
+                ERR_add_error_data(4, "symname(", symname, "): ", dlerror());
                 return(NULL);
                 }
         return(sym);
@@ -244,33 +246,44 @@ static DSO_FUNC_TYPE dlfcn_bind_func(DSO *dso, const char *symname)
         if(sym == NULL)
                 {
                 DSOerr(DSO_F_DLFCN_BIND_FUNC,DSO_R_SYM_FAILURE);
+                ERR_add_error_data(4, "symname(", symname, "): ", dlerror());
                 return(NULL);
                 }
         return(sym);
         }
 
-static long dlfcn_ctrl(DSO *dso, int cmd, long larg, void *parg)
+static char *dlfcn_name_converter(DSO *dso, const char *filename)
         {
-        if(dso == NULL)
+        char *translated;
+        int len, rsize, transform;
+
+        len = strlen(filename);
+        rsize = len + 1;
+        transform = (strstr(filename, "/") == NULL);
+        if(transform)
                 {
-                DSOerr(DSO_F_DLFCN_CTRL,ERR_R_PASSED_NULL_PARAMETER);
-                return(-1);
+                /* We will convert this to "%s.so" or "lib%s.so" */
+                rsize += 3;     /* The length of ".so" */
+                if ((DSO_flags(dso) & DSO_FLAG_NAME_TRANSLATION_EXT_ONLY) == 0)
+                        rsize += 3; /* The length of "lib" */
                 }
-        switch(cmd)
+        translated = OPENSSL_malloc(rsize);
+        if(translated == NULL)
                 {
-        case DSO_CTRL_GET_FLAGS:
-                return dso->flags;
-        case DSO_CTRL_SET_FLAGS:
-                dso->flags = (int)larg;
-                return(0);
-        case DSO_CTRL_OR_FLAGS:
-                dso->flags |= (int)larg;
-                return(0);
-        default:
-                break;
+                DSOerr(DSO_F_DLFCN_NAME_CONVERTER,
+                                DSO_R_NAME_TRANSLATION_FAILED);
+                return(NULL);
                 }
-        DSOerr(DSO_F_DLFCN_CTRL,DSO_R_UNKNOWN_COMMAND);
-        return(-1);
+        if(transform)
+                {
+                if ((DSO_flags(dso) & DSO_FLAG_NAME_TRANSLATION_EXT_ONLY) == 0)
+                        sprintf(translated, "lib%s.so", filename);
+                else
+                        sprintf(translated, "%s.so", filename);
+                }
+        else
+                sprintf(translated, "%s", filename);
+        return(translated);
         }
 
 #endif /* DSO_DLFCN */
diff --git a/src/lib/libcrypto/dso/dso_err.c b/src/lib/libcrypto/dso/dso_err.c
index a3d7321c9b..cf452de1aa 100644
--- a/src/lib/libcrypto/dso/dso_err.c
+++ b/src/lib/libcrypto/dso/dso_err.c
@@ -63,34 +63,38 @@
 #include <openssl/dso.h>
 
 /* BEGIN ERROR CODES */
-#ifndef NO_ERR
+#ifndef OPENSSL_NO_ERR
 static ERR_STRING_DATA DSO_str_functs[]=
         {
 {ERR_PACK(0,DSO_F_DLFCN_BIND_FUNC,0),   "DLFCN_BIND_FUNC"},
 {ERR_PACK(0,DSO_F_DLFCN_BIND_VAR,0),    "DLFCN_BIND_VAR"},
-{ERR_PACK(0,DSO_F_DLFCN_CTRL,0),        "DLFCN_CTRL"},
 {ERR_PACK(0,DSO_F_DLFCN_LOAD,0),        "DLFCN_LOAD"},
+{ERR_PACK(0,DSO_F_DLFCN_NAME_CONVERTER,0),      "DLFCN_NAME_CONVERTER"},
 {ERR_PACK(0,DSO_F_DLFCN_UNLOAD,0),      "DLFCN_UNLOAD"},
 {ERR_PACK(0,DSO_F_DL_BIND_FUNC,0),      "DL_BIND_FUNC"},
 {ERR_PACK(0,DSO_F_DL_BIND_VAR,0),       "DL_BIND_VAR"},
-{ERR_PACK(0,DSO_F_DL_CTRL,0),   "DL_CTRL"},
 {ERR_PACK(0,DSO_F_DL_LOAD,0),   "DL_LOAD"},
+{ERR_PACK(0,DSO_F_DL_NAME_CONVERTER,0), "DL_NAME_CONVERTER"},
 {ERR_PACK(0,DSO_F_DL_UNLOAD,0), "DL_UNLOAD"},
 {ERR_PACK(0,DSO_F_DSO_BIND_FUNC,0),     "DSO_bind_func"},
 {ERR_PACK(0,DSO_F_DSO_BIND_VAR,0),      "DSO_bind_var"},
+{ERR_PACK(0,DSO_F_DSO_CONVERT_FILENAME,0),      "DSO_convert_filename"},
 {ERR_PACK(0,DSO_F_DSO_CTRL,0),  "DSO_ctrl"},
 {ERR_PACK(0,DSO_F_DSO_FREE,0),  "DSO_free"},
+{ERR_PACK(0,DSO_F_DSO_GET_FILENAME,0),  "DSO_get_filename"},
+{ERR_PACK(0,DSO_F_DSO_GET_LOADED_FILENAME,0),   "DSO_get_loaded_filename"},
 {ERR_PACK(0,DSO_F_DSO_LOAD,0),  "DSO_load"},
 {ERR_PACK(0,DSO_F_DSO_NEW_METHOD,0),    "DSO_new_method"},
-{ERR_PACK(0,DSO_F_DSO_UP,0),    "DSO_up"},
+{ERR_PACK(0,DSO_F_DSO_SET_FILENAME,0),  "DSO_set_filename"},
+{ERR_PACK(0,DSO_F_DSO_SET_NAME_CONVERTER,0),    "DSO_set_name_converter"},
+{ERR_PACK(0,DSO_F_DSO_UP_REF,0),        "DSO_up_ref"},
 {ERR_PACK(0,DSO_F_VMS_BIND_VAR,0),      "VMS_BIND_VAR"},
-{ERR_PACK(0,DSO_F_VMS_CTRL,0),  "VMS_CTRL"},
 {ERR_PACK(0,DSO_F_VMS_LOAD,0),  "VMS_LOAD"},
 {ERR_PACK(0,DSO_F_VMS_UNLOAD,0),        "VMS_UNLOAD"},
 {ERR_PACK(0,DSO_F_WIN32_BIND_FUNC,0),   "WIN32_BIND_FUNC"},
 {ERR_PACK(0,DSO_F_WIN32_BIND_VAR,0),    "WIN32_BIND_VAR"},
-{ERR_PACK(0,DSO_F_WIN32_CTRL,0),        "WIN32_CTRL"},
 {ERR_PACK(0,DSO_F_WIN32_LOAD,0),        "WIN32_LOAD"},
+{ERR_PACK(0,DSO_F_WIN32_NAME_CONVERTER,0),      "WIN32_NAME_CONVERTER"},
 {ERR_PACK(0,DSO_F_WIN32_UNLOAD,0),      "WIN32_UNLOAD"},
 {0,NULL}
         };
@@ -98,13 +102,16 @@ static ERR_STRING_DATA DSO_str_functs[]=
 static ERR_STRING_DATA DSO_str_reasons[]=
         {
 {DSO_R_CTRL_FAILED                       ,"control command failed"},
+{DSO_R_DSO_ALREADY_LOADED                ,"dso already loaded"},
 {DSO_R_FILENAME_TOO_BIG                  ,"filename too big"},
 {DSO_R_FINISH_FAILED                     ,"cleanup method function failed"},
 {DSO_R_LOAD_FAILED                       ,"could not load the shared library"},
+{DSO_R_NAME_TRANSLATION_FAILED           ,"name translation failed"},
+{DSO_R_NO_FILENAME                       ,"no filename"},
 {DSO_R_NULL_HANDLE                       ,"a null shared library handle was used"},
+{DSO_R_SET_FILENAME_FAILED               ,"set filename failed"},
 {DSO_R_STACK_ERROR                       ,"the meth_data stack is corrupt"},
 {DSO_R_SYM_FAILURE                       ,"could not bind to the requested symbol name"},
-{DSO_R_UNKNOWN_COMMAND                   ,"unknown control command"},
 {DSO_R_UNLOAD_FAILED                     ,"could not unload the shared library"},
 {DSO_R_UNSUPPORTED                       ,"functionality not supported"},
 {0,NULL}
@@ -119,7 +126,7 @@ void ERR_load_DSO_strings(void)
         if (init)
                 {
                 init=0;
-#ifndef NO_ERR
+#ifndef OPENSSL_NO_ERR
                 ERR_load_strings(ERR_LIB_DSO,DSO_str_functs);
                 ERR_load_strings(ERR_LIB_DSO,DSO_str_reasons);
 #endif
diff --git a/src/lib/libcrypto/dso/dso_lib.c b/src/lib/libcrypto/dso/dso_lib.c
index acd166697e..556069b9b8 100644
--- a/src/lib/libcrypto/dso/dso_lib.c
+++ b/src/lib/libcrypto/dso/dso_lib.c
@@ -108,7 +108,7 @@ DSO *DSO_new_method(DSO_METHOD *meth)
                 }
         memset(ret, 0, sizeof(DSO));
         ret->meth_data = sk_new_null();
-        if((ret->meth_data = sk_new_null()) == NULL)
+        if(ret->meth_data == NULL)
                 {
                 /* sk_new doesn't generate any errors so we do */
                 DSOerr(DSO_F_DSO_NEW_METHOD,ERR_R_MALLOC_FAILURE);
@@ -164,6 +164,10 @@ int DSO_free(DSO *dso)
                 }
         
         sk_free(dso->meth_data);
+        if(dso->filename != NULL)
+                OPENSSL_free(dso->filename);
+        if(dso->loaded_filename != NULL)
+                OPENSSL_free(dso->loaded_filename);
  
         OPENSSL_free(dso);
         return(1);
@@ -175,11 +179,11 @@ int DSO_flags(DSO *dso)
         }
 
 
-int DSO_up(DSO *dso)
+int DSO_up_ref(DSO *dso)
         {
         if (dso == NULL)
                 {
-                DSOerr(DSO_F_DSO_UP,ERR_R_PASSED_NULL_PARAMETER);
+                DSOerr(DSO_F_DSO_UP_REF,ERR_R_PASSED_NULL_PARAMETER);
                 return(0);
                 }
 
@@ -192,48 +196,60 @@ DSO *DSO_load(DSO *dso, const char *filename, DSO_METHOD *meth, int flags)
         DSO *ret;
         int allocated = 0;
 
-        if(filename == NULL)
-                {
-                DSOerr(DSO_F_DSO_LOAD,ERR_R_PASSED_NULL_PARAMETER);
-                return(NULL);
-                }
         if(dso == NULL)
                 {
                 ret = DSO_new_method(meth);
                 if(ret == NULL)
                         {
                         DSOerr(DSO_F_DSO_LOAD,ERR_R_MALLOC_FAILURE);
-                        return(NULL);
+                        goto err;
                         }
                 allocated = 1;
+                /* Pass the provided flags to the new DSO object */
+                if(DSO_ctrl(ret, DSO_CTRL_SET_FLAGS, flags, NULL) < 0)
+                        {
+                        DSOerr(DSO_F_DSO_LOAD,DSO_R_CTRL_FAILED);
+                        goto err;
+                        }
                 }
         else
                 ret = dso;
-        /* Bleurgh ... have to check for negative return values for
-         * errors. <grimace> */
-        if(DSO_ctrl(ret, DSO_CTRL_SET_FLAGS, flags, NULL) < 0)
+        /* Don't load if we're currently already loaded */
+        if(ret->filename != NULL)
                 {
-                DSOerr(DSO_F_DSO_LOAD,DSO_R_CTRL_FAILED);
-                if(allocated)
-                        DSO_free(ret);
-                return(NULL);
+                DSOerr(DSO_F_DSO_LOAD,DSO_R_DSO_ALREADY_LOADED);
+                goto err;
+                }
+        /* filename can only be NULL if we were passed a dso that already has
+         * one set. */
+        if(filename != NULL)
+                if(!DSO_set_filename(ret, filename))
+                        {
+                        DSOerr(DSO_F_DSO_LOAD,DSO_R_SET_FILENAME_FAILED);
+                        goto err;
+                        }
+        filename = ret->filename;
+        if(filename == NULL)
+                {
+                DSOerr(DSO_F_DSO_LOAD,DSO_R_NO_FILENAME);
+                goto err;
                 }
         if(ret->meth->dso_load == NULL)
                 {
                 DSOerr(DSO_F_DSO_LOAD,DSO_R_UNSUPPORTED);
-                if(allocated)
-                        DSO_free(ret);
-                return(NULL);
+                goto err;
                 }
-        if(!ret->meth->dso_load(ret, filename))
+        if(!ret->meth->dso_load(ret))
                 {
                 DSOerr(DSO_F_DSO_LOAD,DSO_R_LOAD_FAILED);
-                if(allocated)
-                        DSO_free(ret);
-                return(NULL);
+                goto err;
                 }
         /* Load succeeded */
         return(ret);
+err:
+        if(allocated)
+                DSO_free(ret);
+        return(NULL);
         }
 
 void *DSO_bind_var(DSO *dso, const char *symname)
@@ -297,6 +313,22 @@ long DSO_ctrl(DSO *dso, int cmd, long larg, void *parg)
                 DSOerr(DSO_F_DSO_CTRL,ERR_R_PASSED_NULL_PARAMETER);
                 return(-1);
                 }
+        /* We should intercept certain generic commands and only pass control
+         * to the method-specific ctrl() function if it's something we don't
+         * handle. */
+        switch(cmd)
+                {
+        case DSO_CTRL_GET_FLAGS:
+                return dso->flags;
+        case DSO_CTRL_SET_FLAGS:
+                dso->flags = (int)larg;
+                return(0);
+        case DSO_CTRL_OR_FLAGS:
+                dso->flags |= (int)larg;
+                return(0);
+        default:
+                break;
+                }
         if((dso->meth == NULL) || (dso->meth->dso_ctrl == NULL))
                 {
                 DSOerr(DSO_F_DSO_CTRL,DSO_R_UNSUPPORTED);
@@ -304,3 +336,104 @@ long DSO_ctrl(DSO *dso, int cmd, long larg, void *parg)
                 }
         return(dso->meth->dso_ctrl(dso,cmd,larg,parg));
         }
+
+int DSO_set_name_converter(DSO *dso, DSO_NAME_CONVERTER_FUNC cb,
+                        DSO_NAME_CONVERTER_FUNC *oldcb)
+        {
+        if(dso == NULL)
+                {
+                DSOerr(DSO_F_DSO_SET_NAME_CONVERTER,
+                                ERR_R_PASSED_NULL_PARAMETER);
+                return(0);
+                }
+        if(oldcb)
+                *oldcb = dso->name_converter;
+        dso->name_converter = cb;
+        return(1);
+        }
+
+const char *DSO_get_filename(DSO *dso)
+        {
+        if(dso == NULL)
+                {
+                DSOerr(DSO_F_DSO_GET_FILENAME,ERR_R_PASSED_NULL_PARAMETER);
+                return(NULL);
+                }
+        return(dso->filename);
+        }
+
+int DSO_set_filename(DSO *dso, const char *filename)
+        {
+        char *copied;
+
+        if((dso == NULL) || (filename == NULL))
+                {
+                DSOerr(DSO_F_DSO_SET_FILENAME,ERR_R_PASSED_NULL_PARAMETER);
+                return(0);
+                }
+        if(dso->loaded_filename)
+                {
+                DSOerr(DSO_F_DSO_SET_FILENAME,DSO_R_DSO_ALREADY_LOADED);
+                return(0);
+                }
+        /* We'll duplicate filename */
+        copied = OPENSSL_malloc(strlen(filename) + 1);
+        if(copied == NULL)
+                {
+                DSOerr(DSO_F_DSO_SET_FILENAME,ERR_R_MALLOC_FAILURE);
+                return(0);
+                }
+        strcpy(copied, filename);
+        if(dso->filename)
+                OPENSSL_free(dso->filename);
+        dso->filename = copied;
+        return(1);
+        }
+
+char *DSO_convert_filename(DSO *dso, const char *filename)
+        {
+        char *result = NULL;
+
+        if(dso == NULL)
+                {
+                DSOerr(DSO_F_DSO_CONVERT_FILENAME,ERR_R_PASSED_NULL_PARAMETER);
+                return(NULL);
+                }
+        if(filename == NULL)
+                filename = dso->filename;
+        if(filename == NULL)
+                {
+                DSOerr(DSO_F_DSO_CONVERT_FILENAME,DSO_R_NO_FILENAME);
+                return(NULL);
+                }
+        if((dso->flags & DSO_FLAG_NO_NAME_TRANSLATION) == 0)
+                {
+                if(dso->name_converter != NULL)
+                        result = dso->name_converter(dso, filename);
+                else if(dso->meth->dso_name_converter != NULL)
+                        result = dso->meth->dso_name_converter(dso, filename);
+                }
+        if(result == NULL)
+                {
+                result = OPENSSL_malloc(strlen(filename) + 1);
+                if(result == NULL)
+                        {
+                        DSOerr(DSO_F_DSO_CONVERT_FILENAME,
+                                        ERR_R_MALLOC_FAILURE);
+                        return(NULL);
+                        }
+                strcpy(result, filename);
+                }
+        return(result);
+        }
+
+const char *DSO_get_loaded_filename(DSO *dso)
+        {
+        if(dso == NULL)
+                {
+                DSOerr(DSO_F_DSO_GET_LOADED_FILENAME,
+                                ERR_R_PASSED_NULL_PARAMETER);
+                return(NULL);
+                }
+        return(dso->loaded_filename);
+        }
diff --git a/src/lib/libcrypto/dso/dso_vms.c b/src/lib/libcrypto/dso/dso_vms.c
index ab48b63eb7..1674619d17 100644
--- a/src/lib/libcrypto/dso/dso_vms.c
+++ b/src/lib/libcrypto/dso/dso_vms.c
@@ -59,17 +59,17 @@
 #include <stdio.h>
 #include <string.h>
 #include <errno.h>
-#ifdef VMS
+#include "cryptlib.h"
+#include <openssl/dso.h>
+#ifdef OPENSSL_SYS_VMS
 #pragma message disable DOLLARID
 #include <lib$routines.h>
 #include <stsdef.h>
 #include <descrip.h>
 #include <starlet.h>
 #endif
-#include "cryptlib.h"
-#include <openssl/dso.h>
 
-#ifndef VMS
+#ifndef OPENSSL_SYS_VMS
 DSO_METHOD *DSO_METHOD_vms(void)
         {
         return NULL;
@@ -77,7 +77,7 @@ DSO_METHOD *DSO_METHOD_vms(void)
 #else
 #pragma message disable DOLLARID
 
-static int vms_load(DSO *dso, const char *filename);
+static int vms_load(DSO *dso);
 static int vms_unload(DSO *dso);
 static void *vms_bind_var(DSO *dso, const char *symname);
 static DSO_FUNC_TYPE vms_bind_func(DSO *dso, const char *symname);
@@ -86,8 +86,9 @@ static int vms_unbind_var(DSO *dso, char *symname, void *symptr);
 static int vms_unbind_func(DSO *dso, char *symname, DSO_FUNC_TYPE symptr);
 static int vms_init(DSO *dso);
 static int vms_finish(DSO *dso);
-#endif
 static long vms_ctrl(DSO *dso, int cmd, long larg, void *parg);
+#endif
+static char *vms_name_converter(DSO *dso, const char *filename);
 
 static DSO_METHOD dso_meth_vms = {
         "OpenSSL 'VMS' shared library method",
@@ -100,7 +101,8 @@ static DSO_METHOD dso_meth_vms = {
         NULL, /* unbind_var */
         NULL, /* unbind_func */
 #endif
-        vms_ctrl,
+        NULL, /* ctrl */
+        vms_name_converter,
         NULL, /* init */
         NULL  /* finish */
         };
@@ -128,11 +130,20 @@ DSO_METHOD *DSO_METHOD_vms(void)
         return(&dso_meth_vms);
         }
 
-static int vms_load(DSO *dso, const char *filename)
+static int vms_load(DSO *dso)
         {
+        void *ptr = NULL;
+        /* See applicable comments in dso_dl.c */
+        char *filename = DSO_convert_filename(dso, NULL);
         DSO_VMS_INTERNAL *p;
         const char *sp1, *sp2;  /* Search result */
 
+        if(filename == NULL)
+                {
+                DSOerr(DSO_F_DLFCN_LOAD,DSO_R_NO_FILENAME);
+                goto err;
+                }
+
         /* A file specification may look like this:
          *
          *      node::dev:[dir-spec]name.type;ver
@@ -174,14 +185,14 @@ static int vms_load(DSO *dso, const char *filename)
                 || (sp1 - filename) + strlen(sp2) > FILENAME_MAX)
                 {
                 DSOerr(DSO_F_VMS_LOAD,DSO_R_FILENAME_TOO_BIG);
-                return(0);
+                goto err;
                 }
 
         p = (DSO_VMS_INTERNAL *)OPENSSL_malloc(sizeof(DSO_VMS_INTERNAL));
         if(p == NULL)
                 {
                 DSOerr(DSO_F_VMS_LOAD,ERR_R_MALLOC_FAILURE);
-                return(0);
+                goto err;
                 }
 
         strncpy(p->filename, sp1, sp2-sp1);
@@ -203,10 +214,19 @@ static int vms_load(DSO *dso, const char *filename)
         if(!sk_push(dso->meth_data, (char *)p))
                 {
                 DSOerr(DSO_F_VMS_LOAD,DSO_R_STACK_ERROR);
-                OPENSSL_free(p);
-                return(0);
+                goto err;
                 }
+
+        /* Success (for now, we lie.  We actually do not know...) */
+        dso->loaded_filename = filename;
         return(1);
+err:
+        /* Cleanup! */
+        if(p != NULL)
+                OPENSSL_free(p);
+        if(filename != NULL)
+                OPENSSL_free(filename);
+        return(0);
         }
 
 /* Note that this doesn't actually unload the shared image, as there is no
@@ -259,8 +279,12 @@ void vms_bind_sym(DSO *dso, const char *symname, void **sym)
         {
         DSO_VMS_INTERNAL *ptr;
         int status;
+#if 0
         int flags = (1<<4); /* LIB$M_FIS_MIXEDCASE, but this symbol isn't
                                defined in VMS older than 7.0 or so */
+#else
+        int flags = 0;
+#endif
         struct dsc$descriptor_s symname_dsc;
         *sym = NULL;
 
@@ -344,28 +368,12 @@ static DSO_FUNC_TYPE vms_bind_func(DSO *dso, const char *symname)
         return sym;
         }
 
-static long vms_ctrl(DSO *dso, int cmd, long larg, void *parg)
-        {
-        if(dso == NULL)
-                {
-                DSOerr(DSO_F_VMS_CTRL,ERR_R_PASSED_NULL_PARAMETER);
-                return(-1);
-                }
-        switch(cmd)
-                {
-        case DSO_CTRL_GET_FLAGS:
-                return dso->flags;
-        case DSO_CTRL_SET_FLAGS:
-                dso->flags = (int)larg;
-                return(0);
-        case DSO_CTRL_OR_FLAGS:
-                dso->flags |= (int)larg;
-                return(0);
-        default:
-                break;
-                }
-        DSOerr(DSO_F_VMS_CTRL,DSO_R_UNKNOWN_COMMAND);
-        return(-1);
-        }
-
-#endif /* VMS */
+static char *vms_name_converter(DSO *dso, const char *filename)
+        {
+        int len = strlen(filename);
+        char *not_translated = OPENSSL_malloc(len+1);
+        strcpy(not_translated,filename);
+        return(not_translated);
+        }
+
+#endif /* OPENSSL_SYS_VMS */
diff --git a/src/lib/libcrypto/dso/dso_win32.c b/src/lib/libcrypto/dso/dso_win32.c
index 7f1d904806..af8586d754 100644
--- a/src/lib/libcrypto/dso/dso_win32.c
+++ b/src/lib/libcrypto/dso/dso_win32.c
@@ -61,7 +61,7 @@
 #include "cryptlib.h"
 #include <openssl/dso.h>
 
-#ifndef WIN32
+#ifndef OPENSSL_SYS_WIN32
 DSO_METHOD *DSO_METHOD_win32(void)
         {
         return NULL;
@@ -71,7 +71,7 @@ DSO_METHOD *DSO_METHOD_win32(void)
 /* Part of the hack in "win32_load" ... */
 #define DSO_MAX_TRANSLATED_SIZE 256
 
-static int win32_load(DSO *dso, const char *filename);
+static int win32_load(DSO *dso);
 static int win32_unload(DSO *dso);
 static void *win32_bind_var(DSO *dso, const char *symname);
 static DSO_FUNC_TYPE win32_bind_func(DSO *dso, const char *symname);
@@ -80,8 +80,9 @@ static int win32_unbind_var(DSO *dso, char *symname, void *symptr);
 static int win32_unbind_func(DSO *dso, char *symname, DSO_FUNC_TYPE symptr);
 static int win32_init(DSO *dso);
 static int win32_finish(DSO *dso);
-#endif
 static long win32_ctrl(DSO *dso, int cmd, long larg, void *parg);
+#endif
+static char *win32_name_converter(DSO *dso, const char *filename);
 
 static DSO_METHOD dso_meth_win32 = {
         "OpenSSL 'win32' shared library method",
@@ -94,7 +95,8 @@ static DSO_METHOD dso_meth_win32 = {
         NULL, /* unbind_var */
         NULL, /* unbind_func */
 #endif
-        win32_ctrl,
+        NULL, /* ctrl */
+        win32_name_converter,
         NULL, /* init */
         NULL  /* finish */
         };
@@ -109,50 +111,48 @@ DSO_METHOD *DSO_METHOD_win32(void)
  *     LoadLibrary(), and copied.
  */
 
-static int win32_load(DSO *dso, const char *filename)
+static int win32_load(DSO *dso)
         {
-        HINSTANCE h, *p;
-        char translated[DSO_MAX_TRANSLATED_SIZE];
-        int len;
+        HINSTANCE h = NULL, *p = NULL;
+        /* See applicable comments from dso_dl.c */
+        char *filename = DSO_convert_filename(dso, NULL);
 
-        /* NB: This is a hideous hack, but I'm not yet sure what
-         * to replace it with. This attempts to convert any filename,
-         * that looks like it has no path information, into a
-         * translated form, e. "blah" -> "blah.dll" ... I'm more
-         * comfortable putting hacks into win32 code though ;-) */
-        len = strlen(filename);
-        if((dso->flags & DSO_FLAG_NAME_TRANSLATION) &&
-                        (len + 4 < DSO_MAX_TRANSLATED_SIZE) &&
-                        (strstr(filename, "/") == NULL) &&
-                        (strstr(filename, "\\") == NULL) &&
-                        (strstr(filename, ":") == NULL))
+        if(filename == NULL)
                 {
-                sprintf(translated, "%s.dll", filename);
-                h = LoadLibrary(translated);
+                DSOerr(DSO_F_WIN32_LOAD,DSO_R_NO_FILENAME);
+                goto err;
                 }
-        else
-                h = LoadLibrary(filename);
+        h = LoadLibrary(filename);
         if(h == NULL)
                 {
                 DSOerr(DSO_F_WIN32_LOAD,DSO_R_LOAD_FAILED);
-                return(0);
+                ERR_add_error_data(3, "filename(", filename, ")");
+                goto err;
                 }
         p = (HINSTANCE *)OPENSSL_malloc(sizeof(HINSTANCE));
         if(p == NULL)
                 {
                 DSOerr(DSO_F_WIN32_LOAD,ERR_R_MALLOC_FAILURE);
-                FreeLibrary(h);
-                return(0);
+                goto err;
                 }
         *p = h;
         if(!sk_push(dso->meth_data, (char *)p))
                 {
                 DSOerr(DSO_F_WIN32_LOAD,DSO_R_STACK_ERROR);
-                FreeLibrary(h);
-                OPENSSL_free(p);
-                return(0);
+                goto err;
                 }
+        /* Success */
+        dso->loaded_filename = filename;
         return(1);
+err:
+        /* Cleanup !*/
+        if(filename != NULL)
+                OPENSSL_free(filename);
+        if(p != NULL)
+                OPENSSL_free(p);
+        if(h != NULL)
+                FreeLibrary(h);
+        return(0);
         }
 
 static int win32_unload(DSO *dso)
@@ -211,6 +211,7 @@ static void *win32_bind_var(DSO *dso, const char *symname)
         if(sym == NULL)
                 {
                 DSOerr(DSO_F_WIN32_BIND_VAR,DSO_R_SYM_FAILURE);
+                ERR_add_error_data(3, "symname(", symname, ")");
                 return(NULL);
                 }
         return(sym);
@@ -241,33 +242,38 @@ static DSO_FUNC_TYPE win32_bind_func(DSO *dso, const char *symname)
         if(sym == NULL)
                 {
                 DSOerr(DSO_F_WIN32_BIND_FUNC,DSO_R_SYM_FAILURE);
+                ERR_add_error_data(3, "symname(", symname, ")");
                 return(NULL);
                 }
         return((DSO_FUNC_TYPE)sym);
         }
 
-static long win32_ctrl(DSO *dso, int cmd, long larg, void *parg)
-        {
-        if(dso == NULL)
-                {
-                DSOerr(DSO_F_WIN32_CTRL,ERR_R_PASSED_NULL_PARAMETER);
-                return(-1);
-                }
-        switch(cmd)
-                {
-        case DSO_CTRL_GET_FLAGS:
-                return dso->flags;
-        case DSO_CTRL_SET_FLAGS:
-                dso->flags = (int)larg;
-                return(0);
-        case DSO_CTRL_OR_FLAGS:
-                dso->flags |= (int)larg;
-                return(0);
-        default:
-                break;
-                }
-        DSOerr(DSO_F_WIN32_CTRL,DSO_R_UNKNOWN_COMMAND);
-        return(-1);
-        }
+static char *win32_name_converter(DSO *dso, const char *filename)
+        {
+        char *translated;
+        int len, transform;
+
+        len = strlen(filename);
+        transform = ((strstr(filename, "/") == NULL) &&
+                        (strstr(filename, "\\") == NULL) &&
+                        (strstr(filename, ":") == NULL));
+        if(transform)
+                /* We will convert this to "%s.dll" */
+                translated = OPENSSL_malloc(len + 5);
+        else
+                /* We will simply duplicate filename */
+                translated = OPENSSL_malloc(len + 1);
+        if(translated == NULL)
+                {
+                DSOerr(DSO_F_WIN32_NAME_CONVERTER,
+                                DSO_R_NAME_TRANSLATION_FAILED); 
+                return(NULL);   
+                }
+        if(transform)
+                sprintf(translated, "%s.dll", filename);
+        else
+                sprintf(translated, "%s", filename);
+        return(translated);
+        }
 
-#endif /* WIN32 */
+#endif /* OPENSSL_SYS_WIN32 */
diff --git a/src/lib/libcrypto/ebcdic.c b/src/lib/libcrypto/ebcdic.c
index 91a7a8bcb4..bc968ea807 100644
--- a/src/lib/libcrypto/ebcdic.c
+++ b/src/lib/libcrypto/ebcdic.c
@@ -211,7 +211,8 @@ ascii2ebcdic(void *dest, const void *srce, size_t count)
 }
 
 #else /*CHARSET_EBCDIC*/
-#if defined(PEDANTIC) || defined(VMS) || defined(__VMS)
+#include <openssl/opensslconf.h>
+#if defined(PEDANTIC) || defined(__DECC)
 static void *dummy=&dummy;
 #endif
 #endif
diff --git a/src/lib/libcrypto/ec/Makefile.ssl b/src/lib/libcrypto/ec/Makefile.ssl
new file mode 100644
index 0000000000..7a21b7195f
--- /dev/null
+++ b/src/lib/libcrypto/ec/Makefile.ssl
@@ -0,0 +1,128 @@
+#
+# crypto/ec/Makefile
+#
+
+DIR=    ec
+TOP=    ../..
+CC=     cc
+INCLUDES= -I.. -I$(TOP) -I../../include
+CFLAG=-g
+INSTALL_PREFIX=
+OPENSSLDIR=     /usr/local/ssl
+INSTALLTOP=/usr/local/ssl
+MAKE=           make -f Makefile.ssl
+MAKEDEPPROG=    makedepend
+MAKEDEPEND=     $(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)
+MAKEFILE=       Makefile.ssl
+AR=             ar r
+
+CFLAGS= $(INCLUDES) $(CFLAG)
+
+GENERAL=Makefile
+TEST=ectest.c
+APPS=
+
+LIB=$(TOP)/libcrypto.a
+LIBSRC= ec_lib.c ecp_smpl.c ecp_mont.c ecp_recp.c ecp_nist.c ec_cvt.c ec_mult.c \
+        ec_err.c
+
+LIBOBJ= ec_lib.o ecp_smpl.o ecp_mont.o ecp_recp.o ecp_nist.o ec_cvt.o ec_mult.o \
+        ec_err.o
+
+SRC= $(LIBSRC)
+
+EXHEADER= ec.h
+HEADER= ec_lcl.h $(EXHEADER)
+
+ALL=    $(GENERAL) $(SRC) $(HEADER)
+
+top:
+        (cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
+
+all:    lib
+
+lib:    $(LIBOBJ)
+        $(AR) $(LIB) $(LIBOBJ)
+        $(RANLIB) $(LIB) || echo Never mind.
+        @touch lib
+
+files:
+        $(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO
+
+links:
+        @$(TOP)/util/point.sh Makefile.ssl Makefile
+        @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
+        @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
+        @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
+
+install:
+        @for i in $(EXHEADER) ; \
+        do  \
+        (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
+        chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
+        done;
+
+tags:
+        ctags $(SRC)
+
+tests:
+
+lint:
+        lint -DLINT $(INCLUDES) $(SRC)>fluff
+
+depend:
+        $(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+
+dclean:
+        $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
+        mv -f Makefile.new $(MAKEFILE)
+
+clean:
+        rm -f *.o */*.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
+
+# DO NOT DELETE THIS LINE -- make depend depends on it.
+
+ec_cvt.o: ../../include/openssl/bn.h ../../include/openssl/e_os2.h
+ec_cvt.o: ../../include/openssl/ec.h ../../include/openssl/opensslconf.h
+ec_cvt.o: ../../include/openssl/symhacks.h ec_cvt.c ec_lcl.h
+ec_err.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+ec_err.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+ec_err.o: ../../include/openssl/ec.h ../../include/openssl/err.h
+ec_err.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
+ec_err.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+ec_err.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+ec_err.o: ec_err.c
+ec_lib.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+ec_lib.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+ec_lib.o: ../../include/openssl/ec.h ../../include/openssl/err.h
+ec_lib.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
+ec_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+ec_lib.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+ec_lib.o: ec_lcl.h ec_lib.c
+ec_mult.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+ec_mult.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+ec_mult.o: ../../include/openssl/ec.h ../../include/openssl/err.h
+ec_mult.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
+ec_mult.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+ec_mult.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+ec_mult.o: ec_lcl.h ec_mult.c
+ecp_mont.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+ecp_mont.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+ecp_mont.o: ../../include/openssl/ec.h ../../include/openssl/err.h
+ecp_mont.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
+ecp_mont.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+ecp_mont.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+ecp_mont.o: ec_lcl.h ecp_mont.c
+ecp_nist.o: ../../include/openssl/bn.h ../../include/openssl/e_os2.h
+ecp_nist.o: ../../include/openssl/ec.h ../../include/openssl/opensslconf.h
+ecp_nist.o: ../../include/openssl/symhacks.h ec_lcl.h ecp_nist.c
+ecp_recp.o: ../../include/openssl/bn.h ../../include/openssl/e_os2.h
+ecp_recp.o: ../../include/openssl/ec.h ../../include/openssl/opensslconf.h
+ecp_recp.o: ../../include/openssl/symhacks.h ec_lcl.h ecp_recp.c
+ecp_smpl.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+ecp_smpl.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+ecp_smpl.o: ../../include/openssl/ec.h ../../include/openssl/err.h
+ecp_smpl.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
+ecp_smpl.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+ecp_smpl.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+ecp_smpl.o: ec_lcl.h ecp_smpl.c
diff --git a/src/lib/libcrypto/ec/ec.h b/src/lib/libcrypto/ec/ec.h
new file mode 100644
index 0000000000..a52d4edf14
--- /dev/null
+++ b/src/lib/libcrypto/ec/ec.h
@@ -0,0 +1,245 @@
+/* crypto/ec/ec.h */
+/* ====================================================================
+ * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#ifndef HEADER_EC_H
+#define HEADER_EC_H
+
+#ifdef OPENSSL_NO_EC
+#error EC is disabled.
+#endif
+
+#include <openssl/bn.h>
+#include <openssl/symhacks.h>
+
+#ifdef  __cplusplus
+extern "C" {
+#endif
+
+
+typedef enum {
+        /* values as defined in X9.62 (ECDSA) and elsewhere */
+        POINT_CONVERSION_COMPRESSED = 2,
+        POINT_CONVERSION_UNCOMPRESSED = 4,
+        POINT_CONVERSION_HYBRID = 6
+} point_conversion_form_t;
+
+
+typedef struct ec_method_st EC_METHOD;
+
+typedef struct ec_group_st
+        /*
+         EC_METHOD *meth;
+         -- field definition
+         -- curve coefficients
+         -- optional generator with associated information (order, cofactor)
+         -- optional extra data (TODO: precomputed table for fast computation of multiples of generator)
+        */
+        EC_GROUP;
+
+typedef struct ec_point_st EC_POINT;
+
+
+/* EC_METHODs for curves over GF(p).
+ * EC_GFp_simple_method provides the basis for the optimized methods.
+ */
+const EC_METHOD *EC_GFp_simple_method(void);
+const EC_METHOD *EC_GFp_mont_method(void);
+#if 0
+const EC_METHOD *EC_GFp_recp_method(void); /* TODO */
+const EC_METHOD *EC_GFp_nist_method(void); /* TODO */
+#endif
+
+
+EC_GROUP *EC_GROUP_new(const EC_METHOD *);
+void EC_GROUP_free(EC_GROUP *);
+void EC_GROUP_clear_free(EC_GROUP *);
+int EC_GROUP_copy(EC_GROUP *, const EC_GROUP *);
+
+const EC_METHOD *EC_GROUP_method_of(const EC_GROUP *);
+        
+
+/* We don't have types for field specifications and field elements in general.
+ * Otherwise we could declare
+ *     int EC_GROUP_set_curve(EC_GROUP *, .....);
+ */
+int EC_GROUP_set_curve_GFp(EC_GROUP *, const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *);
+int EC_GROUP_get_curve_GFp(const EC_GROUP *, BIGNUM *p, BIGNUM *a, BIGNUM *b, BN_CTX *);
+
+/* EC_GROUP_new_GFp() calls EC_GROUP_new() and EC_GROUP_set_GFp()
+ * after choosing an appropriate EC_METHOD */
+EC_GROUP *EC_GROUP_new_curve_GFp(const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *);
+
+int EC_GROUP_set_generator(EC_GROUP *, const EC_POINT *generator, const BIGNUM *order, const BIGNUM *cofactor);
+EC_POINT *EC_GROUP_get0_generator(const EC_GROUP *);
+int EC_GROUP_get_order(const EC_GROUP *, BIGNUM *order, BN_CTX *);
+int EC_GROUP_get_cofactor(const EC_GROUP *, BIGNUM *cofactor, BN_CTX *);
+
+EC_POINT *EC_POINT_new(const EC_GROUP *);
+void EC_POINT_free(EC_POINT *);
+void EC_POINT_clear_free(EC_POINT *);
+int EC_POINT_copy(EC_POINT *, const EC_POINT *);
+ 
+const EC_METHOD *EC_POINT_method_of(const EC_POINT *);
+
+int EC_POINT_set_to_infinity(const EC_GROUP *, EC_POINT *);
+int EC_POINT_set_Jprojective_coordinates_GFp(const EC_GROUP *, EC_POINT *,
+        const BIGNUM *x, const BIGNUM *y, const BIGNUM *z, BN_CTX *);
+int EC_POINT_get_Jprojective_coordinates_GFp(const EC_GROUP *, const EC_POINT *,
+        BIGNUM *x, BIGNUM *y, BIGNUM *z, BN_CTX *);
+int EC_POINT_set_affine_coordinates_GFp(const EC_GROUP *, EC_POINT *,
+        const BIGNUM *x, const BIGNUM *y, BN_CTX *);
+int EC_POINT_get_affine_coordinates_GFp(const EC_GROUP *, const EC_POINT *,
+        BIGNUM *x, BIGNUM *y, BN_CTX *);
+int EC_POINT_set_compressed_coordinates_GFp(const EC_GROUP *, EC_POINT *,
+        const BIGNUM *x, int y_bit, BN_CTX *);
+
+size_t EC_POINT_point2oct(const EC_GROUP *, const EC_POINT *, point_conversion_form_t form,
+        unsigned char *buf, size_t len, BN_CTX *);
+int EC_POINT_oct2point(const EC_GROUP *, EC_POINT *,
+        const unsigned char *buf, size_t len, BN_CTX *);
+
+int EC_POINT_add(const EC_GROUP *, EC_POINT *r, const EC_POINT *a, const EC_POINT *b, BN_CTX *);
+int EC_POINT_dbl(const EC_GROUP *, EC_POINT *r, const EC_POINT *a, BN_CTX *);
+int EC_POINT_invert(const EC_GROUP *, EC_POINT *, BN_CTX *);
+
+int EC_POINT_is_at_infinity(const EC_GROUP *, const EC_POINT *);
+int EC_POINT_is_on_curve(const EC_GROUP *, const EC_POINT *, BN_CTX *);
+int EC_POINT_cmp(const EC_GROUP *, const EC_POINT *a, const EC_POINT *b, BN_CTX *);
+
+int EC_POINT_make_affine(const EC_GROUP *, EC_POINT *, BN_CTX *);
+int EC_POINTs_make_affine(const EC_GROUP *, size_t num, EC_POINT *[], BN_CTX *);
+
+
+int EC_POINTs_mul(const EC_GROUP *, EC_POINT *r, const BIGNUM *, size_t num, const EC_POINT *[], const BIGNUM *[], BN_CTX *);
+int EC_POINT_mul(const EC_GROUP *, EC_POINT *r, const BIGNUM *, const EC_POINT *, const BIGNUM *, BN_CTX *);
+int EC_GROUP_precompute_mult(EC_GROUP *, BN_CTX *);
+
+
+
+/* BEGIN ERROR CODES */
+/* The following lines are auto generated by the script mkerr.pl. Any changes
+ * made after this point may be overwritten when the script is next run.
+ */
+void ERR_load_EC_strings(void);
+
+/* Error codes for the EC functions. */
+
+/* Function codes. */
+#define EC_F_COMPUTE_WNAF                                143
+#define EC_F_EC_GFP_MONT_FIELD_DECODE                    133
+#define EC_F_EC_GFP_MONT_FIELD_ENCODE                    134
+#define EC_F_EC_GFP_MONT_FIELD_MUL                       131
+#define EC_F_EC_GFP_MONT_FIELD_SQR                       132
+#define EC_F_EC_GFP_SIMPLE_GROUP_SET_CURVE_GFP           100
+#define EC_F_EC_GFP_SIMPLE_GROUP_SET_GENERATOR           101
+#define EC_F_EC_GFP_SIMPLE_MAKE_AFFINE                   102
+#define EC_F_EC_GFP_SIMPLE_OCT2POINT                     103
+#define EC_F_EC_GFP_SIMPLE_POINT2OCT                     104
+#define EC_F_EC_GFP_SIMPLE_POINTS_MAKE_AFFINE            137
+#define EC_F_EC_GFP_SIMPLE_POINT_GET_AFFINE_COORDINATES_GFP 105
+#define EC_F_EC_GFP_SIMPLE_POINT_SET_AFFINE_COORDINATES_GFP 128
+#define EC_F_EC_GFP_SIMPLE_SET_COMPRESSED_COORDINATES_GFP 129
+#define EC_F_EC_GROUP_COPY                               106
+#define EC_F_EC_GROUP_GET0_GENERATOR                     139
+#define EC_F_EC_GROUP_GET_COFACTOR                       140
+#define EC_F_EC_GROUP_GET_CURVE_GFP                      130
+#define EC_F_EC_GROUP_GET_EXTRA_DATA                     107
+#define EC_F_EC_GROUP_GET_ORDER                          141
+#define EC_F_EC_GROUP_NEW                                108
+#define EC_F_EC_GROUP_PRECOMPUTE_MULT                    142
+#define EC_F_EC_GROUP_SET_CURVE_GFP                      109
+#define EC_F_EC_GROUP_SET_EXTRA_DATA                     110
+#define EC_F_EC_GROUP_SET_GENERATOR                      111
+#define EC_F_EC_POINTS_MAKE_AFFINE                       136
+#define EC_F_EC_POINTS_MUL                               138
+#define EC_F_EC_POINT_ADD                                112
+#define EC_F_EC_POINT_CMP                                113
+#define EC_F_EC_POINT_COPY                               114
+#define EC_F_EC_POINT_DBL                                115
+#define EC_F_EC_POINT_GET_AFFINE_COORDINATES_GFP         116
+#define EC_F_EC_POINT_GET_JPROJECTIVE_COORDINATES_GFP    117
+#define EC_F_EC_POINT_IS_AT_INFINITY                     118
+#define EC_F_EC_POINT_IS_ON_CURVE                        119
+#define EC_F_EC_POINT_MAKE_AFFINE                        120
+#define EC_F_EC_POINT_NEW                                121
+#define EC_F_EC_POINT_OCT2POINT                          122
+#define EC_F_EC_POINT_POINT2OCT                          123
+#define EC_F_EC_POINT_SET_AFFINE_COORDINATES_GFP         124
+#define EC_F_EC_POINT_SET_COMPRESSED_COORDINATES_GFP     125
+#define EC_F_EC_POINT_SET_JPROJECTIVE_COORDINATES_GFP    126
+#define EC_F_EC_POINT_SET_TO_INFINITY                    127
+#define EC_F_GFP_MONT_GROUP_SET_CURVE_GFP                135
+
+/* Reason codes. */
+#define EC_R_BUFFER_TOO_SMALL                            100
+#define EC_R_INCOMPATIBLE_OBJECTS                        101
+#define EC_R_INVALID_ARGUMENT                            112
+#define EC_R_INVALID_COMPRESSED_POINT                    110
+#define EC_R_INVALID_COMPRESSION_BIT                     109
+#define EC_R_INVALID_ENCODING                            102
+#define EC_R_INVALID_FIELD                               103
+#define EC_R_INVALID_FORM                                104
+#define EC_R_NOT_INITIALIZED                             111
+#define EC_R_NO_SUCH_EXTRA_DATA                          105
+#define EC_R_POINT_AT_INFINITY                           106
+#define EC_R_POINT_IS_NOT_ON_CURVE                       107
+#define EC_R_SLOT_FULL                                   108
+#define EC_R_UNDEFINED_GENERATOR                         113
+#define EC_R_UNKNOWN_ORDER                               114
+
+#ifdef  __cplusplus
+}
+#endif
+#endif
diff --git a/src/lib/libcrypto/ec/ec_cvt.c b/src/lib/libcrypto/ec/ec_cvt.c
new file mode 100644
index 0000000000..45b0ec33a0
--- /dev/null
+++ b/src/lib/libcrypto/ec/ec_cvt.c
@@ -0,0 +1,80 @@
+/* crypto/ec/ec_cvt.c */
+/* ====================================================================
+ * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include "ec_lcl.h"
+
+
+EC_GROUP *EC_GROUP_new_curve_GFp(const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
+        {
+        const EC_METHOD *meth;
+        EC_GROUP *ret;
+        
+        /* Finally, this will use EC_GFp_nist_method if 'p' is a special
+         * prime with optimized modular arithmetics (for NIST curves)
+         */
+        meth = EC_GFp_mont_method();
+        
+        ret = EC_GROUP_new(meth);
+        if (ret == NULL)
+                return NULL;
+
+        if (!EC_GROUP_set_curve_GFp(ret, p, a, b, ctx))
+                {
+                EC_GROUP_clear_free(ret);
+                return NULL;
+                }
+
+        return ret;
+        }
diff --git a/src/lib/libcrypto/ec/ec_err.c b/src/lib/libcrypto/ec/ec_err.c
new file mode 100644
index 0000000000..394cdc021f
--- /dev/null
+++ b/src/lib/libcrypto/ec/ec_err.c
@@ -0,0 +1,151 @@
+/* crypto/ec/ec_err.c */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/* NOTE: this file was auto generated by the mkerr.pl script: any changes
+ * made to it will be overwritten when the script next updates this file,
+ * only reason strings will be preserved.
+ */
+
+#include <stdio.h>
+#include <openssl/err.h>
+#include <openssl/ec.h>
+
+/* BEGIN ERROR CODES */
+#ifndef OPENSSL_NO_ERR
+static ERR_STRING_DATA EC_str_functs[]=
+        {
+{ERR_PACK(0,EC_F_COMPUTE_WNAF,0),       "COMPUTE_WNAF"},
+{ERR_PACK(0,EC_F_EC_GFP_MONT_FIELD_DECODE,0),   "ec_GFp_mont_field_decode"},
+{ERR_PACK(0,EC_F_EC_GFP_MONT_FIELD_ENCODE,0),   "ec_GFp_mont_field_encode"},
+{ERR_PACK(0,EC_F_EC_GFP_MONT_FIELD_MUL,0),      "ec_GFp_mont_field_mul"},
+{ERR_PACK(0,EC_F_EC_GFP_MONT_FIELD_SQR,0),      "ec_GFp_mont_field_sqr"},
+{ERR_PACK(0,EC_F_EC_GFP_SIMPLE_GROUP_SET_CURVE_GFP,0),  "ec_GFp_simple_group_set_curve_GFp"},
+{ERR_PACK(0,EC_F_EC_GFP_SIMPLE_GROUP_SET_GENERATOR,0),  "ec_GFp_simple_group_set_generator"},
+{ERR_PACK(0,EC_F_EC_GFP_SIMPLE_MAKE_AFFINE,0),  "ec_GFp_simple_make_affine"},
+{ERR_PACK(0,EC_F_EC_GFP_SIMPLE_OCT2POINT,0),    "ec_GFp_simple_oct2point"},
+{ERR_PACK(0,EC_F_EC_GFP_SIMPLE_POINT2OCT,0),    "ec_GFp_simple_point2oct"},
+{ERR_PACK(0,EC_F_EC_GFP_SIMPLE_POINTS_MAKE_AFFINE,0),   "ec_GFp_simple_points_make_affine"},
+{ERR_PACK(0,EC_F_EC_GFP_SIMPLE_POINT_GET_AFFINE_COORDINATES_GFP,0),     "ec_GFp_simple_point_get_affine_coordinates_GFp"},
+{ERR_PACK(0,EC_F_EC_GFP_SIMPLE_POINT_SET_AFFINE_COORDINATES_GFP,0),     "ec_GFp_simple_point_set_affine_coordinates_GFp"},
+{ERR_PACK(0,EC_F_EC_GFP_SIMPLE_SET_COMPRESSED_COORDINATES_GFP,0),       "ec_GFp_simple_set_compressed_coordinates_GFp"},
+{ERR_PACK(0,EC_F_EC_GROUP_COPY,0),      "EC_GROUP_copy"},
+{ERR_PACK(0,EC_F_EC_GROUP_GET0_GENERATOR,0),    "EC_GROUP_get0_generator"},
+{ERR_PACK(0,EC_F_EC_GROUP_GET_COFACTOR,0),      "EC_GROUP_get_cofactor"},
+{ERR_PACK(0,EC_F_EC_GROUP_GET_CURVE_GFP,0),     "EC_GROUP_get_curve_GFp"},
+{ERR_PACK(0,EC_F_EC_GROUP_GET_EXTRA_DATA,0),    "EC_GROUP_get_extra_data"},
+{ERR_PACK(0,EC_F_EC_GROUP_GET_ORDER,0), "EC_GROUP_get_order"},
+{ERR_PACK(0,EC_F_EC_GROUP_NEW,0),       "EC_GROUP_new"},
+{ERR_PACK(0,EC_F_EC_GROUP_PRECOMPUTE_MULT,0),   "EC_GROUP_precompute_mult"},
+{ERR_PACK(0,EC_F_EC_GROUP_SET_CURVE_GFP,0),     "EC_GROUP_set_curve_GFp"},
+{ERR_PACK(0,EC_F_EC_GROUP_SET_EXTRA_DATA,0),    "EC_GROUP_set_extra_data"},
+{ERR_PACK(0,EC_F_EC_GROUP_SET_GENERATOR,0),     "EC_GROUP_set_generator"},
+{ERR_PACK(0,EC_F_EC_POINTS_MAKE_AFFINE,0),      "EC_POINTs_make_affine"},
+{ERR_PACK(0,EC_F_EC_POINTS_MUL,0),      "EC_POINTs_mul"},
+{ERR_PACK(0,EC_F_EC_POINT_ADD,0),       "EC_POINT_add"},
+{ERR_PACK(0,EC_F_EC_POINT_CMP,0),       "EC_POINT_cmp"},
+{ERR_PACK(0,EC_F_EC_POINT_COPY,0),      "EC_POINT_copy"},
+{ERR_PACK(0,EC_F_EC_POINT_DBL,0),       "EC_POINT_dbl"},
+{ERR_PACK(0,EC_F_EC_POINT_GET_AFFINE_COORDINATES_GFP,0),        "EC_POINT_get_affine_coordinates_GFp"},
+{ERR_PACK(0,EC_F_EC_POINT_GET_JPROJECTIVE_COORDINATES_GFP,0),   "EC_POINT_get_Jprojective_coordinates_GFp"},
+{ERR_PACK(0,EC_F_EC_POINT_IS_AT_INFINITY,0),    "EC_POINT_is_at_infinity"},
+{ERR_PACK(0,EC_F_EC_POINT_IS_ON_CURVE,0),       "EC_POINT_is_on_curve"},
+{ERR_PACK(0,EC_F_EC_POINT_MAKE_AFFINE,0),       "EC_POINT_make_affine"},
+{ERR_PACK(0,EC_F_EC_POINT_NEW,0),       "EC_POINT_new"},
+{ERR_PACK(0,EC_F_EC_POINT_OCT2POINT,0), "EC_POINT_oct2point"},
+{ERR_PACK(0,EC_F_EC_POINT_POINT2OCT,0), "EC_POINT_point2oct"},
+{ERR_PACK(0,EC_F_EC_POINT_SET_AFFINE_COORDINATES_GFP,0),        "EC_POINT_set_affine_coordinates_GFp"},
+{ERR_PACK(0,EC_F_EC_POINT_SET_COMPRESSED_COORDINATES_GFP,0),    "EC_POINT_set_compressed_coordinates_GFp"},
+{ERR_PACK(0,EC_F_EC_POINT_SET_JPROJECTIVE_COORDINATES_GFP,0),   "EC_POINT_set_Jprojective_coordinates_GFp"},
+{ERR_PACK(0,EC_F_EC_POINT_SET_TO_INFINITY,0),   "EC_POINT_set_to_infinity"},
+{ERR_PACK(0,EC_F_GFP_MONT_GROUP_SET_CURVE_GFP,0),       "GFP_MONT_GROUP_SET_CURVE_GFP"},
+{0,NULL}
+        };
+
+static ERR_STRING_DATA EC_str_reasons[]=
+        {
+{EC_R_BUFFER_TOO_SMALL                   ,"buffer too small"},
+{EC_R_INCOMPATIBLE_OBJECTS               ,"incompatible objects"},
+{EC_R_INVALID_ARGUMENT                   ,"invalid argument"},
+{EC_R_INVALID_COMPRESSED_POINT           ,"invalid compressed point"},
+{EC_R_INVALID_COMPRESSION_BIT            ,"invalid compression bit"},
+{EC_R_INVALID_ENCODING                   ,"invalid encoding"},
+{EC_R_INVALID_FIELD                      ,"invalid field"},
+{EC_R_INVALID_FORM                       ,"invalid form"},
+{EC_R_NOT_INITIALIZED                    ,"not initialized"},
+{EC_R_NO_SUCH_EXTRA_DATA                 ,"no such extra data"},
+{EC_R_POINT_AT_INFINITY                  ,"point at infinity"},
+{EC_R_POINT_IS_NOT_ON_CURVE              ,"point is not on curve"},
+{EC_R_SLOT_FULL                          ,"slot full"},
+{EC_R_UNDEFINED_GENERATOR                ,"undefined generator"},
+{EC_R_UNKNOWN_ORDER                      ,"unknown order"},
+{0,NULL}
+        };
+
+#endif
+
+void ERR_load_EC_strings(void)
+        {
+        static int init=1;
+
+        if (init)
+                {
+                init=0;
+#ifndef OPENSSL_NO_ERR
+                ERR_load_strings(ERR_LIB_EC,EC_str_functs);
+                ERR_load_strings(ERR_LIB_EC,EC_str_reasons);
+#endif
+
+                }
+        }
diff --git a/src/lib/libcrypto/ec/ec_lcl.h b/src/lib/libcrypto/ec/ec_lcl.h
new file mode 100644
index 0000000000..cc4cf27755
--- /dev/null
+++ b/src/lib/libcrypto/ec/ec_lcl.h
@@ -0,0 +1,277 @@
+/* crypto/ec/ec_lcl.h */
+/* ====================================================================
+ * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+
+#include <stdlib.h>
+
+#include <openssl/ec.h>
+
+
+/* Structure details are not part of the exported interface,
+ * so all this may change in future versions. */
+
+struct ec_method_st {
+        /* used by EC_GROUP_new, EC_GROUP_free, EC_GROUP_clear_free, EC_GROUP_copy: */
+        int (*group_init)(EC_GROUP *);
+        void (*group_finish)(EC_GROUP *);
+        void (*group_clear_finish)(EC_GROUP *);
+        int (*group_copy)(EC_GROUP *, const EC_GROUP *);
+
+        /* used by EC_GROUP_set_curve_GFp and EC_GROUP_get_curve_GFp: */
+        int (*group_set_curve_GFp)(EC_GROUP *, const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *);
+        int (*group_get_curve_GFp)(const EC_GROUP *, BIGNUM *p, BIGNUM *a, BIGNUM *b, BN_CTX *);
+
+        /* used by EC_GROUP_set_generator, EC_GROUP_get0_generator,
+         * EC_GROUP_get_order, EC_GROUP_get_cofactor:
+         */
+        int (*group_set_generator)(EC_GROUP *, const EC_POINT *generator,
+                const BIGNUM *order, const BIGNUM *cofactor);
+        EC_POINT *(*group_get0_generator)(const EC_GROUP *);
+        int (*group_get_order)(const EC_GROUP *, BIGNUM *order, BN_CTX *);
+        int (*group_get_cofactor)(const EC_GROUP *, BIGNUM *cofactor, BN_CTX *);
+
+        /* used by EC_POINT_new, EC_POINT_free, EC_POINT_clear_free, EC_POINT_copy: */
+        int (*point_init)(EC_POINT *);
+        void (*point_finish)(EC_POINT *);
+        void (*point_clear_finish)(EC_POINT *);
+        int (*point_copy)(EC_POINT *, const EC_POINT *);
+
+        /* used by EC_POINT_set_to_infinity,
+         * EC_POINT_set_Jprojective_coordinates_GFp, EC_POINT_get_Jprojective_coordinates_GFp,
+         * EC_POINT_set_affine_coordinates_GFp, EC_POINT_get_affine_coordinates_GFp,
+         * EC_POINT_set_compressed_coordinates_GFp:
+         */
+        int (*point_set_to_infinity)(const EC_GROUP *, EC_POINT *);
+        int (*point_set_Jprojective_coordinates_GFp)(const EC_GROUP *, EC_POINT *,
+                const BIGNUM *x, const BIGNUM *y, const BIGNUM *z, BN_CTX *);
+        int (*point_get_Jprojective_coordinates_GFp)(const EC_GROUP *, const EC_POINT *,
+                BIGNUM *x, BIGNUM *y, BIGNUM *z, BN_CTX *);
+        int (*point_set_affine_coordinates_GFp)(const EC_GROUP *, EC_POINT *,
+                const BIGNUM *x, const BIGNUM *y, BN_CTX *);
+        int (*point_get_affine_coordinates_GFp)(const EC_GROUP *, const EC_POINT *,
+                BIGNUM *x, BIGNUM *y, BN_CTX *);
+        int (*point_set_compressed_coordinates_GFp)(const EC_GROUP *, EC_POINT *,
+                const BIGNUM *x, int y_bit, BN_CTX *);
+
+        /* used by EC_POINT_point2oct, EC_POINT_oct2point: */
+        size_t (*point2oct)(const EC_GROUP *, const EC_POINT *, point_conversion_form_t form,
+                unsigned char *buf, size_t len, BN_CTX *);
+        int (*oct2point)(const EC_GROUP *, EC_POINT *,
+                const unsigned char *buf, size_t len, BN_CTX *);
+
+        /* used by EC_POINT_add, EC_POINT_dbl, ECP_POINT_invert: */
+        int (*add)(const EC_GROUP *, EC_POINT *r, const EC_POINT *a, const EC_POINT *b, BN_CTX *);
+        int (*dbl)(const EC_GROUP *, EC_POINT *r, const EC_POINT *a, BN_CTX *);
+        int (*invert)(const EC_GROUP *, EC_POINT *, BN_CTX *);
+
+        /* used by EC_POINT_is_at_infinity, EC_POINT_is_on_curve, EC_POINT_cmp: */
+        int (*is_at_infinity)(const EC_GROUP *, const EC_POINT *);
+        int (*is_on_curve)(const EC_GROUP *, const EC_POINT *, BN_CTX *);
+        int (*point_cmp)(const EC_GROUP *, const EC_POINT *a, const EC_POINT *b, BN_CTX *);
+
+        /* used by EC_POINT_make_affine, EC_POINTs_make_affine: */
+        int (*make_affine)(const EC_GROUP *, EC_POINT *, BN_CTX *);
+        int (*points_make_affine)(const EC_GROUP *, size_t num, EC_POINT *[], BN_CTX *);
+
+
+        /* internal functions */
+
+        /* 'field_mul' and 'field_sqr' can be used by 'add' and 'dbl' so that
+         * the same implementations of point operations can be used with different
+         * optimized implementations of expensive field operations: */
+        int (*field_mul)(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *);
+        int (*field_sqr)(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, BN_CTX *);
+
+        int (*field_encode)(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, BN_CTX *); /* e.g. to Montgomery */
+        int (*field_decode)(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, BN_CTX *); /* e.g. from Montgomery */
+        int (*field_set_to_one)(const EC_GROUP *, BIGNUM *r, BN_CTX *);
+} /* EC_METHOD */;
+
+
+struct ec_group_st {
+        const EC_METHOD *meth;
+
+        void *extra_data;
+        void *(*extra_data_dup_func)(void *);
+        void (*extra_data_free_func)(void *);
+        void (*extra_data_clear_free_func)(void *);
+
+        /* All members except 'meth' and 'extra_data...' are handled by
+         * the method functions, even if they appear generic */
+        
+        BIGNUM field; /* Field specification.
+                       * For curves over GF(p), this is the modulus. */
+
+        BIGNUM a, b; /* Curve coefficients.
+                      * (Here the assumption is that BIGNUMs can be used
+                      * or abused for all kinds of fields, not just GF(p).)
+                      * For characteristic  > 3,  the curve is defined
+                      * by a Weierstrass equation of the form
+                      *     y^2 = x^3 + a*x + b.
+                      */
+        int a_is_minus3; /* enable optimized point arithmetics for special case */
+
+        EC_POINT *generator; /* optional */
+        BIGNUM order, cofactor;
+
+        void *field_data1; /* method-specific (e.g., Montgomery structure) */
+        void *field_data2; /* method-specific */
+} /* EC_GROUP */;
+
+
+/* Basically a 'mixin' for extra data, but available for EC_GROUPs only
+ * (with visibility limited to 'package' level for now).
+ * We use the function pointers as index for retrieval; this obviates
+ * global ex_data-style index tables.
+ * (Currently, we have one slot only, but is is possible to extend this
+ * if necessary.) */
+int EC_GROUP_set_extra_data(EC_GROUP *, void *extra_data, void *(*extra_data_dup_func)(void *),
+        void (*extra_data_free_func)(void *), void (*extra_data_clear_free_func)(void *));
+void *EC_GROUP_get_extra_data(const EC_GROUP *, void *(*extra_data_dup_func)(void *),
+        void (*extra_data_free_func)(void *), void (*extra_data_clear_free_func)(void *));
+void EC_GROUP_free_extra_data(EC_GROUP *);
+void EC_GROUP_clear_free_extra_data(EC_GROUP *);
+
+
+
+struct ec_point_st {
+        const EC_METHOD *meth;
+
+        /* All members except 'meth' are handled by the method functions,
+         * even if they appear generic */
+
+        BIGNUM X;
+        BIGNUM Y;
+        BIGNUM Z; /* Jacobian projective coordinates:
+                   * (X, Y, Z)  represents  (X/Z^2, Y/Z^3)  if  Z != 0 */
+        int Z_is_one; /* enable optimized point arithmetics for special case */
+} /* EC_POINT */;
+
+
+
+/* method functions in ecp_smpl.c */
+int ec_GFp_simple_group_init(EC_GROUP *);
+void ec_GFp_simple_group_finish(EC_GROUP *);
+void ec_GFp_simple_group_clear_finish(EC_GROUP *);
+int ec_GFp_simple_group_copy(EC_GROUP *, const EC_GROUP *);
+int ec_GFp_simple_group_set_curve_GFp(EC_GROUP *, const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *);
+int ec_GFp_simple_group_get_curve_GFp(const EC_GROUP *, BIGNUM *p, BIGNUM *a, BIGNUM *b, BN_CTX *);
+int ec_GFp_simple_group_set_generator(EC_GROUP *, const EC_POINT *generator,
+        const BIGNUM *order, const BIGNUM *cofactor);
+EC_POINT *ec_GFp_simple_group_get0_generator(const EC_GROUP *);
+int ec_GFp_simple_group_get_order(const EC_GROUP *, BIGNUM *order, BN_CTX *);
+int ec_GFp_simple_group_get_cofactor(const EC_GROUP *, BIGNUM *cofactor, BN_CTX *);
+int ec_GFp_simple_point_init(EC_POINT *);
+void ec_GFp_simple_point_finish(EC_POINT *);
+void ec_GFp_simple_point_clear_finish(EC_POINT *);
+int ec_GFp_simple_point_copy(EC_POINT *, const EC_POINT *);
+int ec_GFp_simple_point_set_to_infinity(const EC_GROUP *, EC_POINT *);
+int ec_GFp_simple_set_Jprojective_coordinates_GFp(const EC_GROUP *, EC_POINT *,
+        const BIGNUM *x, const BIGNUM *y, const BIGNUM *z, BN_CTX *);
+int ec_GFp_simple_get_Jprojective_coordinates_GFp(const EC_GROUP *, const EC_POINT *,
+        BIGNUM *x, BIGNUM *y, BIGNUM *z, BN_CTX *);
+int ec_GFp_simple_point_set_affine_coordinates_GFp(const EC_GROUP *, EC_POINT *,
+        const BIGNUM *x, const BIGNUM *y, BN_CTX *);
+int ec_GFp_simple_point_get_affine_coordinates_GFp(const EC_GROUP *, const EC_POINT *,
+        BIGNUM *x, BIGNUM *y, BN_CTX *);
+int ec_GFp_simple_set_compressed_coordinates_GFp(const EC_GROUP *, EC_POINT *,
+        const BIGNUM *x, int y_bit, BN_CTX *);
+size_t ec_GFp_simple_point2oct(const EC_GROUP *, const EC_POINT *, point_conversion_form_t form,
+        unsigned char *buf, size_t len, BN_CTX *);
+int ec_GFp_simple_oct2point(const EC_GROUP *, EC_POINT *,
+        const unsigned char *buf, size_t len, BN_CTX *);
+int ec_GFp_simple_add(const EC_GROUP *, EC_POINT *r, const EC_POINT *a, const EC_POINT *b, BN_CTX *);
+int ec_GFp_simple_dbl(const EC_GROUP *, EC_POINT *r, const EC_POINT *a, BN_CTX *);
+int ec_GFp_simple_invert(const EC_GROUP *, EC_POINT *, BN_CTX *);
+int ec_GFp_simple_is_at_infinity(const EC_GROUP *, const EC_POINT *);
+int ec_GFp_simple_is_on_curve(const EC_GROUP *, const EC_POINT *, BN_CTX *);
+int ec_GFp_simple_cmp(const EC_GROUP *, const EC_POINT *a, const EC_POINT *b, BN_CTX *);
+int ec_GFp_simple_make_affine(const EC_GROUP *, EC_POINT *, BN_CTX *);
+int ec_GFp_simple_points_make_affine(const EC_GROUP *, size_t num, EC_POINT *[], BN_CTX *);
+int ec_GFp_simple_field_mul(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *);
+int ec_GFp_simple_field_sqr(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, BN_CTX *);
+
+
+/* method functions in ecp_mont.c */
+int ec_GFp_mont_group_init(EC_GROUP *);
+int ec_GFp_mont_group_set_curve_GFp(EC_GROUP *, const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *);
+void ec_GFp_mont_group_finish(EC_GROUP *);
+void ec_GFp_mont_group_clear_finish(EC_GROUP *);
+int ec_GFp_mont_group_copy(EC_GROUP *, const EC_GROUP *);
+int ec_GFp_mont_field_mul(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *);
+int ec_GFp_mont_field_sqr(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, BN_CTX *);
+int ec_GFp_mont_field_encode(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, BN_CTX *);
+int ec_GFp_mont_field_decode(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, BN_CTX *);
+int ec_GFp_mont_field_set_to_one(const EC_GROUP *, BIGNUM *r, BN_CTX *);
+
+
+/* method functions in ecp_recp.c */
+int ec_GFp_recp_group_init(EC_GROUP *);
+int ec_GFp_recp_group_set_curve_GFp(EC_GROUP *, const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *);
+void ec_GFp_recp_group_finish(EC_GROUP *);
+void ec_GFp_recp_group_clear_finish(EC_GROUP *);
+int ec_GFp_recp_group_copy(EC_GROUP *, const EC_GROUP *);
+int ec_GFp_recp_field_mul(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *);
+int ec_GFp_recp_field_sqr(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, BN_CTX *);
+
+
+/* method functions in ecp_nist.c */
+int ec_GFp_nist_group_init(EC_GROUP *);
+int ec_GFp_nist_group_set_curve_GFp(EC_GROUP *, const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *);
+void ec_GFp_nist_group_finish(EC_GROUP *);
+void ec_GFp_nist_group_clear_finish(EC_GROUP *);
+int ec_GFp_nist_group_copy(EC_GROUP *, const EC_GROUP *);
+int ec_GFp_nist_field_mul(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *);
+int ec_GFp_nist_field_sqr(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, BN_CTX *);
diff --git a/src/lib/libcrypto/ec/ec_lib.c b/src/lib/libcrypto/ec/ec_lib.c
new file mode 100644
index 0000000000..e0d78d67fb
--- /dev/null
+++ b/src/lib/libcrypto/ec/ec_lib.c
@@ -0,0 +1,646 @@
+/* crypto/ec/ec_lib.c */
+/* ====================================================================
+ * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <string.h>
+
+#include <openssl/err.h>
+#include <openssl/opensslv.h>
+
+#include "ec_lcl.h"
+
+static const char EC_version[] = "EC" OPENSSL_VERSION_PTEXT;
+
+
+/* functions for EC_GROUP objects */
+
+EC_GROUP *EC_GROUP_new(const EC_METHOD *meth)
+        {
+        EC_GROUP *ret;
+
+        if (meth == NULL)
+                {
+                ECerr(EC_F_EC_GROUP_NEW, ERR_R_PASSED_NULL_PARAMETER);
+                return NULL;
+                }
+        if (meth->group_init == 0)
+                {
+                ECerr(EC_F_EC_GROUP_NEW, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+                return NULL;
+                }
+
+        ret = OPENSSL_malloc(sizeof *ret);
+        if (ret == NULL)
+                {
+                ECerr(EC_F_EC_GROUP_NEW, ERR_R_MALLOC_FAILURE);
+                return NULL;
+                }
+
+        ret->meth = meth;
+
+        ret->extra_data = NULL;
+        ret->extra_data_dup_func = 0;
+        ret->extra_data_free_func = 0;
+        ret->extra_data_clear_free_func = 0;
+        
+        if (!meth->group_init(ret))
+                {
+                OPENSSL_free(ret);
+                return NULL;
+                }
+        
+        return ret;
+        }
+
+
+void EC_GROUP_free(EC_GROUP *group)
+        {
+        if (group->meth->group_finish != 0)
+                group->meth->group_finish(group);
+
+        EC_GROUP_free_extra_data(group);
+
+        OPENSSL_free(group);
+        }
+ 
+
+void EC_GROUP_clear_free(EC_GROUP *group)
+        {
+        if (group->meth->group_clear_finish != 0)
+                group->meth->group_clear_finish(group);
+        else if (group->meth != NULL && group->meth->group_finish != 0)
+                group->meth->group_finish(group);
+
+        EC_GROUP_clear_free_extra_data(group);
+
+        memset(group, 0, sizeof *group);
+        OPENSSL_free(group);
+        }
+
+
+int EC_GROUP_copy(EC_GROUP *dest, const EC_GROUP *src)
+        {
+        if (dest->meth->group_copy == 0)
+                {
+                ECerr(EC_F_EC_GROUP_COPY, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+                return 0;
+                }
+        if (dest->meth != src->meth)
+                {
+                ECerr(EC_F_EC_GROUP_COPY, EC_R_INCOMPATIBLE_OBJECTS);
+                return 0;
+                }
+        if (dest == src)
+                return 1;
+        
+        EC_GROUP_clear_free_extra_data(dest);
+        if (src->extra_data_dup_func)
+                {
+                if (src->extra_data != NULL)
+                        {
+                        dest->extra_data = src->extra_data_dup_func(src->extra_data);
+                        if (dest->extra_data == NULL)
+                                return 0;
+                        }
+
+                dest->extra_data_dup_func = src->extra_data_dup_func;
+                dest->extra_data_free_func = src->extra_data_free_func;
+                dest->extra_data_clear_free_func = src->extra_data_clear_free_func;
+                }
+
+        return dest->meth->group_copy(dest, src);
+        }
+
+
+const EC_METHOD *EC_GROUP_method_of(const EC_GROUP *group)
+        {
+        return group->meth;
+        }
+
+
+int EC_GROUP_set_curve_GFp(EC_GROUP *group, const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
+        {
+        if (group->meth->group_set_curve_GFp == 0)
+                {
+                ECerr(EC_F_EC_GROUP_SET_CURVE_GFP, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+                return 0;
+                }
+        return group->meth->group_set_curve_GFp(group, p, a, b, ctx);
+        }
+
+
+int EC_GROUP_get_curve_GFp(const EC_GROUP *group, BIGNUM *p, BIGNUM *a, BIGNUM *b, BN_CTX *ctx)
+        {
+        if (group->meth->group_get_curve_GFp == 0)
+                {
+                ECerr(EC_F_EC_GROUP_GET_CURVE_GFP, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+                return 0;
+                }
+        return group->meth->group_get_curve_GFp(group, p, a, b, ctx);
+        }
+
+
+int EC_GROUP_set_generator(EC_GROUP *group, const EC_POINT *generator, const BIGNUM *order, const BIGNUM *cofactor)
+        {
+        if (group->meth->group_set_generator == 0)
+                {
+                ECerr(EC_F_EC_GROUP_SET_GENERATOR, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+                return 0;
+                }
+        return group->meth->group_set_generator(group, generator, order, cofactor);
+        }
+
+
+EC_POINT *EC_GROUP_get0_generator(const EC_GROUP *group)
+        {
+        if (group->meth->group_get0_generator == 0)
+                {
+                ECerr(EC_F_EC_GROUP_GET0_GENERATOR, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+                return 0;
+                }
+        return group->meth->group_get0_generator(group);
+        }
+
+
+int EC_GROUP_get_order(const EC_GROUP *group, BIGNUM *order, BN_CTX *ctx)
+        {
+        if (group->meth->group_get_order == 0)
+                {
+                ECerr(EC_F_EC_GROUP_GET_ORDER, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+                return 0;
+                }
+        return group->meth->group_get_order(group, order, ctx);
+        }
+
+
+int EC_GROUP_get_cofactor(const EC_GROUP *group, BIGNUM *cofactor, BN_CTX *ctx)
+        {
+        if (group->meth->group_get_cofactor == 0)
+                {
+                ECerr(EC_F_EC_GROUP_GET_COFACTOR, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+                return 0;
+                }
+        return group->meth->group_get_cofactor(group, cofactor, ctx);
+        }
+
+
+/* this has 'package' visibility */
+int EC_GROUP_set_extra_data(EC_GROUP *group, void *extra_data, void *(*extra_data_dup_func)(void *),
+        void (*extra_data_free_func)(void *), void (*extra_data_clear_free_func)(void *))
+        {
+        if ((group->extra_data != NULL)
+                || (group->extra_data_dup_func != 0)
+                || (group->extra_data_free_func != 0)
+                || (group->extra_data_clear_free_func != 0))
+                {
+                ECerr(EC_F_EC_GROUP_SET_EXTRA_DATA, EC_R_SLOT_FULL);
+                return 0;
+                }
+
+        group->extra_data = extra_data;
+        group->extra_data_dup_func = extra_data_dup_func;
+        group->extra_data_free_func = extra_data_free_func;
+        group->extra_data_clear_free_func = extra_data_clear_free_func;
+        return 1;
+        }
+
+
+/* this has 'package' visibility */
+void *EC_GROUP_get_extra_data(const EC_GROUP *group, void *(*extra_data_dup_func)(void *),
+        void (*extra_data_free_func)(void *), void (*extra_data_clear_free_func)(void *))
+        {
+        if ((group->extra_data_dup_func != extra_data_dup_func)
+                || (group->extra_data_free_func != extra_data_free_func)
+                || (group->extra_data_clear_free_func != extra_data_clear_free_func))
+                {
+                ECerr(EC_F_EC_GROUP_GET_EXTRA_DATA, EC_R_NO_SUCH_EXTRA_DATA);
+                return NULL;
+                }
+
+        return group->extra_data;
+        }
+
+
+/* this has 'package' visibility */
+void EC_GROUP_free_extra_data(EC_GROUP *group)
+        {
+        if (group->extra_data_free_func)
+                group->extra_data_free_func(group->extra_data);
+        group->extra_data = NULL;
+        group->extra_data_dup_func = 0;
+        group->extra_data_free_func = 0;
+        group->extra_data_clear_free_func = 0;
+        }
+
+
+/* this has 'package' visibility */
+void EC_GROUP_clear_free_extra_data(EC_GROUP *group)
+        {
+        if (group->extra_data_clear_free_func)
+                group->extra_data_clear_free_func(group->extra_data);
+        else if (group->extra_data_free_func)
+                group->extra_data_free_func(group->extra_data);
+        group->extra_data = NULL;
+        group->extra_data_dup_func = 0;
+        group->extra_data_free_func = 0;
+        group->extra_data_clear_free_func = 0;
+        }
+
+
+
+/* functions for EC_POINT objects */
+
+EC_POINT *EC_POINT_new(const EC_GROUP *group)
+        {
+        EC_POINT *ret;
+
+        if (group == NULL)
+                {
+                ECerr(EC_F_EC_POINT_NEW, ERR_R_PASSED_NULL_PARAMETER);
+                return NULL;
+                }
+        if (group->meth->point_init == 0)
+                {
+                ECerr(EC_F_EC_POINT_NEW, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+                return NULL;
+                }
+
+        ret = OPENSSL_malloc(sizeof *ret);
+        if (ret == NULL)
+                {
+                ECerr(EC_F_EC_POINT_NEW, ERR_R_MALLOC_FAILURE);
+                return NULL;
+                }
+
+        ret->meth = group->meth;
+        
+        if (!ret->meth->point_init(ret))
+                {
+                OPENSSL_free(ret);
+                return NULL;
+                }
+        
+        return ret;
+        }
+
+
+void EC_POINT_free(EC_POINT *point)
+        {
+        if (point->meth->point_finish != 0)
+                point->meth->point_finish(point);
+        OPENSSL_free(point);
+        }
+ 
+
+void EC_POINT_clear_free(EC_POINT *point)
+        {
+        if (point->meth->point_clear_finish != 0)
+                point->meth->point_clear_finish(point);
+        else if (point->meth != NULL && point->meth->point_finish != 0)
+                point->meth->point_finish(point);
+        memset(point, 0, sizeof *point);
+        OPENSSL_free(point);
+        }
+
+
+int EC_POINT_copy(EC_POINT *dest, const EC_POINT *src)
+        {
+        if (dest->meth->point_copy == 0)
+                {
+                ECerr(EC_F_EC_POINT_COPY, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+                return 0;
+                }
+        if (dest->meth != src->meth)
+                {
+                ECerr(EC_F_EC_POINT_COPY, EC_R_INCOMPATIBLE_OBJECTS);
+                return 0;
+                }
+        if (dest == src)
+                return 1;
+        return dest->meth->point_copy(dest, src);
+        }
+
+
+const EC_METHOD *EC_POINT_method_of(const EC_POINT *point)
+        {
+        return point->meth;
+        }
+
+
+int EC_POINT_set_to_infinity(const EC_GROUP *group, EC_POINT *point)
+        {
+        if (group->meth->point_set_to_infinity == 0)
+                {
+                ECerr(EC_F_EC_POINT_SET_TO_INFINITY, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+                return 0;
+                }
+        if (group->meth != point->meth)
+                {
+                ECerr(EC_F_EC_POINT_SET_TO_INFINITY, EC_R_INCOMPATIBLE_OBJECTS);
+                return 0;
+                }
+        return group->meth->point_set_to_infinity(group, point);
+        }
+
+
+int EC_POINT_set_Jprojective_coordinates_GFp(const EC_GROUP *group, EC_POINT *point,
+        const BIGNUM *x, const BIGNUM *y, const BIGNUM *z, BN_CTX *ctx)
+        {
+        if (group->meth->point_set_Jprojective_coordinates_GFp == 0)
+                {
+                ECerr(EC_F_EC_POINT_SET_JPROJECTIVE_COORDINATES_GFP, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+                return 0;
+                }
+        if (group->meth != point->meth)
+                {
+                ECerr(EC_F_EC_POINT_SET_JPROJECTIVE_COORDINATES_GFP, EC_R_INCOMPATIBLE_OBJECTS);
+                return 0;
+                }
+        return group->meth->point_set_Jprojective_coordinates_GFp(group, point, x, y, z, ctx);
+        }
+
+
+int EC_POINT_get_Jprojective_coordinates_GFp(const EC_GROUP *group, const EC_POINT *point,
+        BIGNUM *x, BIGNUM *y, BIGNUM *z, BN_CTX *ctx)
+        {
+        if (group->meth->point_get_Jprojective_coordinates_GFp == 0)
+                {
+                ECerr(EC_F_EC_POINT_GET_JPROJECTIVE_COORDINATES_GFP, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+                return 0;
+                }
+        if (group->meth != point->meth)
+                {
+                ECerr(EC_F_EC_POINT_GET_JPROJECTIVE_COORDINATES_GFP, EC_R_INCOMPATIBLE_OBJECTS);
+                return 0;
+                }
+        return group->meth->point_get_Jprojective_coordinates_GFp(group, point, x, y, z, ctx);
+        }
+
+
+int EC_POINT_set_affine_coordinates_GFp(const EC_GROUP *group, EC_POINT *point,
+        const BIGNUM *x, const BIGNUM *y, BN_CTX *ctx)
+        {
+        if (group->meth->point_set_affine_coordinates_GFp == 0)
+                {
+                ECerr(EC_F_EC_POINT_SET_AFFINE_COORDINATES_GFP, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+                return 0;
+                }
+        if (group->meth != point->meth)
+                {
+                ECerr(EC_F_EC_POINT_SET_AFFINE_COORDINATES_GFP, EC_R_INCOMPATIBLE_OBJECTS);
+                return 0;
+                }
+        return group->meth->point_set_affine_coordinates_GFp(group, point, x, y, ctx);
+        }
+
+
+int EC_POINT_get_affine_coordinates_GFp(const EC_GROUP *group, const EC_POINT *point,
+        BIGNUM *x, BIGNUM *y, BN_CTX *ctx)
+        {
+        if (group->meth->point_get_affine_coordinates_GFp == 0)
+                {
+                ECerr(EC_F_EC_POINT_GET_AFFINE_COORDINATES_GFP, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+                return 0;
+                }
+        if (group->meth != point->meth)
+                {
+                ECerr(EC_F_EC_POINT_GET_AFFINE_COORDINATES_GFP, EC_R_INCOMPATIBLE_OBJECTS);
+                return 0;
+                }
+        return group->meth->point_get_affine_coordinates_GFp(group, point, x, y, ctx);
+        }
+
+
+int EC_POINT_set_compressed_coordinates_GFp(const EC_GROUP *group, EC_POINT *point,
+        const BIGNUM *x, int y_bit, BN_CTX *ctx)
+        {
+        if (group->meth->point_set_compressed_coordinates_GFp == 0)
+                {
+                ECerr(EC_F_EC_POINT_SET_COMPRESSED_COORDINATES_GFP, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+                return 0;
+                }
+        if (group->meth != point->meth)
+                {
+                ECerr(EC_F_EC_POINT_SET_COMPRESSED_COORDINATES_GFP, EC_R_INCOMPATIBLE_OBJECTS);
+                return 0;
+                }
+        return group->meth->point_set_compressed_coordinates_GFp(group, point, x, y_bit, ctx);
+        }
+
+
+size_t EC_POINT_point2oct(const EC_GROUP *group, const EC_POINT *point, point_conversion_form_t form,
+        unsigned char *buf, size_t len, BN_CTX *ctx)
+        {
+        if (group->meth->point2oct == 0)
+                {
+                ECerr(EC_F_EC_POINT_POINT2OCT, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+                return 0;
+                }
+        if (group->meth != point->meth)
+                {
+                ECerr(EC_F_EC_POINT_POINT2OCT, EC_R_INCOMPATIBLE_OBJECTS);
+                return 0;
+                }
+        return group->meth->point2oct(group, point, form, buf, len, ctx);
+        }
+
+
+int EC_POINT_oct2point(const EC_GROUP *group, EC_POINT *point,
+        const unsigned char *buf, size_t len, BN_CTX *ctx)
+        {
+        if (group->meth->oct2point == 0)
+                {
+                ECerr(EC_F_EC_POINT_OCT2POINT, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+                return 0;
+                }
+        if (group->meth != point->meth)
+                {
+                ECerr(EC_F_EC_POINT_OCT2POINT, EC_R_INCOMPATIBLE_OBJECTS);
+                return 0;
+                }
+        return group->meth->oct2point(group, point, buf, len, ctx);
+        }
+
+
+int EC_POINT_add(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, const EC_POINT *b, BN_CTX *ctx)
+        {
+        if (group->meth->add == 0)
+                {
+                ECerr(EC_F_EC_POINT_ADD, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+                return 0;
+                }
+        if ((group->meth != r->meth) || (r->meth != a->meth) || (a->meth != b->meth))
+                {
+                ECerr(EC_F_EC_POINT_ADD, EC_R_INCOMPATIBLE_OBJECTS);
+                return 0;
+                }
+        return group->meth->add(group, r, a, b, ctx);
+        }
+
+
+int EC_POINT_dbl(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, BN_CTX *ctx)
+        {
+        if (group->meth->dbl == 0)
+                {
+                ECerr(EC_F_EC_POINT_DBL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+                return 0;
+                }
+        if ((group->meth != r->meth) || (r->meth != a->meth))
+                {
+                ECerr(EC_F_EC_POINT_DBL, EC_R_INCOMPATIBLE_OBJECTS);
+                return 0;
+                }
+        return group->meth->dbl(group, r, a, ctx);
+        }
+
+
+int EC_POINT_invert(const EC_GROUP *group, EC_POINT *a, BN_CTX *ctx)
+        {
+        if (group->meth->dbl == 0)
+                {
+                ECerr(EC_F_EC_POINT_DBL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+                return 0;
+                }
+        if (group->meth != a->meth)
+                {
+                ECerr(EC_F_EC_POINT_DBL, EC_R_INCOMPATIBLE_OBJECTS);
+                return 0;
+                }
+        return group->meth->invert(group, a, ctx);
+        }
+
+
+int EC_POINT_is_at_infinity(const EC_GROUP *group, const EC_POINT *point)
+        {
+        if (group->meth->is_at_infinity == 0)
+                {
+                ECerr(EC_F_EC_POINT_IS_AT_INFINITY, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+                return 0;
+                }
+        if (group->meth != point->meth)
+                {
+                ECerr(EC_F_EC_POINT_IS_AT_INFINITY, EC_R_INCOMPATIBLE_OBJECTS);
+                return 0;
+                }
+        return group->meth->is_at_infinity(group, point);
+        }
+
+
+int EC_POINT_is_on_curve(const EC_GROUP *group, const EC_POINT *point, BN_CTX *ctx)
+        {
+        if (group->meth->is_on_curve == 0)
+                {
+                ECerr(EC_F_EC_POINT_IS_ON_CURVE, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+                return 0;
+                }
+        if (group->meth != point->meth)
+                {
+                ECerr(EC_F_EC_POINT_IS_ON_CURVE, EC_R_INCOMPATIBLE_OBJECTS);
+                return 0;
+                }
+        return group->meth->is_on_curve(group, point, ctx);
+        }
+
+
+int EC_POINT_cmp(const EC_GROUP *group, const EC_POINT *a, const EC_POINT *b, BN_CTX *ctx)
+        {
+        if (group->meth->point_cmp == 0)
+                {
+                ECerr(EC_F_EC_POINT_CMP, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+                return 0;
+                }
+        if ((group->meth != a->meth) || (a->meth != b->meth))
+                {
+                ECerr(EC_F_EC_POINT_CMP, EC_R_INCOMPATIBLE_OBJECTS);
+                return 0;
+                }
+        return group->meth->point_cmp(group, a, b, ctx);
+        }
+
+
+int EC_POINT_make_affine(const EC_GROUP *group, EC_POINT *point, BN_CTX *ctx)
+        {
+        if (group->meth->make_affine == 0)
+                {
+                ECerr(EC_F_EC_POINT_MAKE_AFFINE, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+                return 0;
+                }
+        if (group->meth != point->meth)
+                {
+                ECerr(EC_F_EC_POINT_MAKE_AFFINE, EC_R_INCOMPATIBLE_OBJECTS);
+                return 0;
+                }
+        return group->meth->make_affine(group, point, ctx);
+        }
+
+
+int EC_POINTs_make_affine(const EC_GROUP *group, size_t num, EC_POINT *points[], BN_CTX *ctx)
+        {
+        size_t i;
+
+        if (group->meth->points_make_affine == 0)
+                {
+                ECerr(EC_F_EC_POINTS_MAKE_AFFINE, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+                return 0;
+                }
+        for (i = 0; i < num; i++)
+                {
+                if (group->meth != points[i]->meth)
+                        {
+                        ECerr(EC_F_EC_POINTS_MAKE_AFFINE, EC_R_INCOMPATIBLE_OBJECTS);
+                        return 0;
+                        }
+                }
+        return group->meth->points_make_affine(group, num, points, ctx);
+        }
diff --git a/src/lib/libcrypto/ec/ec_mult.c b/src/lib/libcrypto/ec/ec_mult.c
new file mode 100644
index 0000000000..603ba31b81
--- /dev/null
+++ b/src/lib/libcrypto/ec/ec_mult.c
@@ -0,0 +1,473 @@
+/* crypto/ec/ec_mult.c */
+/* ====================================================================
+ * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <openssl/err.h>
+
+#include "ec_lcl.h"
+
+
+/* TODO: optional precomputation of multiples of the generator */
+
+
+
+/*
+ * wNAF-based interleaving multi-exponentation method
+ * (<URL:http://www.informatik.tu-darmstadt.de/TI/Mitarbeiter/moeller.html#multiexp>)
+ */
+
+
+/* Determine the width-(w+1) Non-Adjacent Form (wNAF) of 'scalar'.
+ * This is an array  r[]  of values that are either zero or odd with an
+ * absolute value less than  2^w  satisfying
+ *     scalar = \sum_j r[j]*2^j
+ * where at most one of any  w+1  consecutive digits is non-zero.
+ */
+static signed char *compute_wNAF(const BIGNUM *scalar, int w, size_t *ret_len, BN_CTX *ctx)
+        {
+        BIGNUM *c;
+        int ok = 0;
+        signed char *r = NULL;
+        int sign = 1;
+        int bit, next_bit, mask;
+        size_t len = 0, j;
+        
+        BN_CTX_start(ctx);
+        c = BN_CTX_get(ctx);
+        if (c == NULL) goto err;
+        
+        if (w <= 0 || w > 7) /* 'signed char' can represent integers with absolute values less than 2^7 */
+                {
+                ECerr(EC_F_COMPUTE_WNAF, ERR_R_INTERNAL_ERROR);
+                goto err;
+                }
+        bit = 1 << w; /* at most 128 */
+        next_bit = bit << 1; /* at most 256 */
+        mask = next_bit - 1; /* at most 255 */
+
+        if (!BN_copy(c, scalar)) goto err;
+        if (c->neg)
+                {
+                sign = -1;
+                c->neg = 0;
+                }
+
+        len = BN_num_bits(c) + 1; /* wNAF may be one digit longer than binary representation */
+        r = OPENSSL_malloc(len);
+        if (r == NULL) goto err;
+
+        j = 0;
+        while (!BN_is_zero(c))
+                {
+                int u = 0;
+
+                if (BN_is_odd(c)) 
+                        {
+                        if (c->d == NULL || c->top == 0)
+                                {
+                                ECerr(EC_F_COMPUTE_WNAF, ERR_R_INTERNAL_ERROR);
+                                goto err;
+                                }
+                        u = c->d[0] & mask;
+                        if (u & bit)
+                                {
+                                u -= next_bit;
+                                /* u < 0 */
+                                if (!BN_add_word(c, -u)) goto err;
+                                }
+                        else
+                                {
+                                /* u > 0 */
+                                if (!BN_sub_word(c, u)) goto err;
+                                }
+
+                        if (u <= -bit || u >= bit || !(u & 1) || c->neg)
+                                {
+                                ECerr(EC_F_COMPUTE_WNAF, ERR_R_INTERNAL_ERROR);
+                                goto err;
+                                }
+                        }
+
+                r[j++] = sign * u;
+                
+                if (BN_is_odd(c))
+                        {
+                        ECerr(EC_F_COMPUTE_WNAF, ERR_R_INTERNAL_ERROR);
+                        goto err;
+                        }
+                if (!BN_rshift1(c, c)) goto err;
+                }
+
+        if (j > len)
+                {
+                ECerr(EC_F_COMPUTE_WNAF, ERR_R_INTERNAL_ERROR);
+                goto err;
+                }
+        len = j;
+        ok = 1;
+
+ err:
+        BN_CTX_end(ctx);
+        if (!ok)
+                {
+                OPENSSL_free(r);
+                r = NULL;
+                }
+        if (ok)
+                *ret_len = len;
+        return r;
+        }
+
+
+/* TODO: table should be optimised for the wNAF-based implementation,
+ *       sometimes smaller windows will give better performance
+ *       (thus the boundaries should be increased)
+ */
+#define EC_window_bits_for_scalar_size(b) \
+                ((b) >= 2000 ? 6 : \
+                 (b) >=  800 ? 5 : \
+                 (b) >=  300 ? 4 : \
+                 (b) >=   70 ? 3 : \
+                 (b) >=   20 ? 2 : \
+                  1)
+
+/* Compute
+ *      \sum scalars[i]*points[i],
+ * also including
+ *      scalar*generator
+ * in the addition if scalar != NULL
+ */
+int EC_POINTs_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
+        size_t num, const EC_POINT *points[], const BIGNUM *scalars[], BN_CTX *ctx)
+        {
+        BN_CTX *new_ctx = NULL;
+        EC_POINT *generator = NULL;
+        EC_POINT *tmp = NULL;
+        size_t totalnum;
+        size_t i, j;
+        int k;
+        int r_is_inverted = 0;
+        int r_is_at_infinity = 1;
+        size_t *wsize = NULL; /* individual window sizes */
+        signed char **wNAF = NULL; /* individual wNAFs */
+        size_t *wNAF_len = NULL;
+        size_t max_len = 0;
+        size_t num_val;
+        EC_POINT **val = NULL; /* precomputation */
+        EC_POINT **v;
+        EC_POINT ***val_sub = NULL; /* pointers to sub-arrays of 'val' */
+        int ret = 0;
+        
+        if (scalar != NULL)
+                {
+                generator = EC_GROUP_get0_generator(group);
+                if (generator == NULL)
+                        {
+                        ECerr(EC_F_EC_POINTS_MUL, EC_R_UNDEFINED_GENERATOR);
+                        return 0;
+                        }
+                }
+        
+        for (i = 0; i < num; i++)
+                {
+                if (group->meth != points[i]->meth)
+                        {
+                        ECerr(EC_F_EC_POINTS_MUL, EC_R_INCOMPATIBLE_OBJECTS);
+                        return 0;
+                        }
+                }
+
+        totalnum = num + (scalar != NULL);
+
+        wsize = OPENSSL_malloc(totalnum * sizeof wsize[0]);
+        wNAF_len = OPENSSL_malloc(totalnum * sizeof wNAF_len[0]);
+        wNAF = OPENSSL_malloc((totalnum + 1) * sizeof wNAF[0]);
+        if (wNAF != NULL)
+                {
+                wNAF[0] = NULL; /* preliminary pivot */
+                }
+        if (wsize == NULL || wNAF_len == NULL || wNAF == NULL) goto err;
+
+        /* num_val := total number of points to precompute */
+        num_val = 0;
+        for (i = 0; i < totalnum; i++)
+                {
+                size_t bits;
+
+                bits = i < num ? BN_num_bits(scalars[i]) : BN_num_bits(scalar);
+                wsize[i] = EC_window_bits_for_scalar_size(bits);
+                num_val += 1u << (wsize[i] - 1);
+                }
+
+        /* all precomputed points go into a single array 'val',
+         * 'val_sub[i]' is a pointer to the subarray for the i-th point */
+        val = OPENSSL_malloc((num_val + 1) * sizeof val[0]);
+        if (val == NULL) goto err;
+        val[num_val] = NULL; /* pivot element */
+
+        val_sub = OPENSSL_malloc(totalnum * sizeof val_sub[0]);
+        if (val_sub == NULL) goto err;
+
+        /* allocate points for precomputation */
+        v = val;
+        for (i = 0; i < totalnum; i++)
+                {
+                val_sub[i] = v;
+                for (j = 0; j < (1u << (wsize[i] - 1)); j++)
+                        {
+                        *v = EC_POINT_new(group);
+                        if (*v == NULL) goto err;
+                        v++;
+                        }
+                }
+        if (!(v == val + num_val))
+                {
+                ECerr(EC_F_EC_POINTS_MUL, ERR_R_INTERNAL_ERROR);
+                goto err;
+                }
+
+        if (ctx == NULL)
+                {
+                ctx = new_ctx = BN_CTX_new();
+                if (ctx == NULL)
+                        goto err;
+                }
+        
+        tmp = EC_POINT_new(group);
+        if (tmp == NULL) goto err;
+
+        /* prepare precomputed values:
+         *    val_sub[i][0] :=     points[i]
+         *    val_sub[i][1] := 3 * points[i]
+         *    val_sub[i][2] := 5 * points[i]
+         *    ...
+         */
+        for (i = 0; i < totalnum; i++)
+                {
+                if (i < num)
+                        {
+                        if (!EC_POINT_copy(val_sub[i][0], points[i])) goto err;
+                        }
+                else
+                        {
+                        if (!EC_POINT_copy(val_sub[i][0], generator)) goto err;
+                        }
+
+                if (wsize[i] > 1)
+                        {
+                        if (!EC_POINT_dbl(group, tmp, val_sub[i][0], ctx)) goto err;
+                        for (j = 1; j < (1u << (wsize[i] - 1)); j++)
+                                {
+                                if (!EC_POINT_add(group, val_sub[i][j], val_sub[i][j - 1], tmp, ctx)) goto err;
+                                }
+                        }
+
+                wNAF[i + 1] = NULL; /* make sure we always have a pivot */
+                wNAF[i] = compute_wNAF((i < num ? scalars[i] : scalar), wsize[i], &wNAF_len[i], ctx);
+                if (wNAF[i] == NULL) goto err;
+                if (wNAF_len[i] > max_len)
+                        max_len = wNAF_len[i];
+                }
+
+#if 1 /* optional; EC_window_bits_for_scalar_size assumes we do this step */
+        if (!EC_POINTs_make_affine(group, num_val, val, ctx)) goto err;
+#endif
+
+        r_is_at_infinity = 1;
+
+        for (k = max_len - 1; k >= 0; k--)
+                {
+                if (!r_is_at_infinity)
+                        {
+                        if (!EC_POINT_dbl(group, r, r, ctx)) goto err;
+                        }
+                
+                for (i = 0; i < totalnum; i++)
+                        {
+                        if (wNAF_len[i] > (size_t)k)
+                                {
+                                int digit = wNAF[i][k];
+                                int is_neg;
+
+                                if (digit) 
+                                        {
+                                        is_neg = digit < 0;
+
+                                        if (is_neg)
+                                                digit = -digit;
+
+                                        if (is_neg != r_is_inverted)
+                                                {
+                                                if (!r_is_at_infinity)
+                                                        {
+                                                        if (!EC_POINT_invert(group, r, ctx)) goto err;
+                                                        }
+                                                r_is_inverted = !r_is_inverted;
+                                                }
+
+                                        /* digit > 0 */
+
+                                        if (r_is_at_infinity)
+                                                {
+                                                if (!EC_POINT_copy(r, val_sub[i][digit >> 1])) goto err;
+                                                r_is_at_infinity = 0;
+                                                }
+                                        else
+                                                {
+                                                if (!EC_POINT_add(group, r, r, val_sub[i][digit >> 1], ctx)) goto err;
+                                                }
+                                        }
+                                }
+                        }
+                }
+
+        if (r_is_at_infinity)
+                {
+                if (!EC_POINT_set_to_infinity(group, r)) goto err;
+                }
+        else
+                {
+                if (r_is_inverted)
+                        if (!EC_POINT_invert(group, r, ctx)) goto err;
+                }
+        
+        ret = 1;
+
+ err:
+        if (new_ctx != NULL)
+                BN_CTX_free(new_ctx);
+        if (tmp != NULL)
+                EC_POINT_free(tmp);
+        if (wsize != NULL)
+                OPENSSL_free(wsize);
+        if (wNAF_len != NULL)
+                OPENSSL_free(wNAF_len);
+        if (wNAF != NULL)
+                {
+                signed char **w;
+                
+                for (w = wNAF; *w != NULL; w++)
+                        OPENSSL_free(*w);
+                
+                OPENSSL_free(wNAF);
+                }
+        if (val != NULL)
+                {
+                for (v = val; *v != NULL; v++)
+                        EC_POINT_clear_free(*v);
+
+                OPENSSL_free(val);
+                }
+        if (val_sub != NULL)
+                {
+                OPENSSL_free(val_sub);
+                }
+        return ret;
+        }
+
+
+int EC_POINT_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *g_scalar, const EC_POINT *point, const BIGNUM *p_scalar, BN_CTX *ctx)
+        {
+        const EC_POINT *points[1];
+        const BIGNUM *scalars[1];
+
+        points[0] = point;
+        scalars[0] = p_scalar;
+
+        return EC_POINTs_mul(group, r, g_scalar, (point != NULL && p_scalar != NULL), points, scalars, ctx);
+        }
+
+
+int EC_GROUP_precompute_mult(EC_GROUP *group, BN_CTX *ctx)
+        {
+        const EC_POINT *generator;
+        BN_CTX *new_ctx = NULL;
+        BIGNUM *order;
+        int ret = 0;
+
+        generator = EC_GROUP_get0_generator(group);
+        if (generator == NULL)
+                {
+                ECerr(EC_F_EC_GROUP_PRECOMPUTE_MULT, EC_R_UNDEFINED_GENERATOR);
+                return 0;
+                }
+
+        if (ctx == NULL)
+                {
+                ctx = new_ctx = BN_CTX_new();
+                if (ctx == NULL)
+                        return 0;
+                }
+        
+        BN_CTX_start(ctx);
+        order = BN_CTX_get(ctx);
+        if (order == NULL) goto err;
+        
+        if (!EC_GROUP_get_order(group, order, ctx)) return 0;
+        if (BN_is_zero(order))
+                {
+                ECerr(EC_F_EC_GROUP_PRECOMPUTE_MULT, EC_R_UNKNOWN_ORDER);
+                goto err;
+                }
+
+        /* TODO */
+
+        ret = 1;
+        
+ err:
+        BN_CTX_end(ctx);
+        if (new_ctx != NULL)
+                BN_CTX_free(new_ctx);
+        return ret;
+        }
diff --git a/src/lib/libcrypto/ec/ecp_mont.c b/src/lib/libcrypto/ec/ecp_mont.c
new file mode 100644
index 0000000000..7b30d4c38a
--- /dev/null
+++ b/src/lib/libcrypto/ec/ecp_mont.c
@@ -0,0 +1,304 @@
+/* crypto/ec/ecp_mont.c */
+/* ====================================================================
+ * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <openssl/err.h>
+
+#include "ec_lcl.h"
+
+
+const EC_METHOD *EC_GFp_mont_method(void)
+        {
+        static const EC_METHOD ret = {
+                ec_GFp_mont_group_init,
+                ec_GFp_mont_group_finish,
+                ec_GFp_mont_group_clear_finish,
+                ec_GFp_mont_group_copy,
+                ec_GFp_mont_group_set_curve_GFp,
+                ec_GFp_simple_group_get_curve_GFp,
+                ec_GFp_simple_group_set_generator,
+                ec_GFp_simple_group_get0_generator,
+                ec_GFp_simple_group_get_order,
+                ec_GFp_simple_group_get_cofactor,
+                ec_GFp_simple_point_init,
+                ec_GFp_simple_point_finish,
+                ec_GFp_simple_point_clear_finish,
+                ec_GFp_simple_point_copy,
+                ec_GFp_simple_point_set_to_infinity,
+                ec_GFp_simple_set_Jprojective_coordinates_GFp,
+                ec_GFp_simple_get_Jprojective_coordinates_GFp,
+                ec_GFp_simple_point_set_affine_coordinates_GFp,
+                ec_GFp_simple_point_get_affine_coordinates_GFp,
+                ec_GFp_simple_set_compressed_coordinates_GFp,
+                ec_GFp_simple_point2oct,
+                ec_GFp_simple_oct2point,
+                ec_GFp_simple_add,
+                ec_GFp_simple_dbl,
+                ec_GFp_simple_invert,
+                ec_GFp_simple_is_at_infinity,
+                ec_GFp_simple_is_on_curve,
+                ec_GFp_simple_cmp,
+                ec_GFp_simple_make_affine,
+                ec_GFp_simple_points_make_affine,
+                ec_GFp_mont_field_mul,
+                ec_GFp_mont_field_sqr,
+                ec_GFp_mont_field_encode,
+                ec_GFp_mont_field_decode,
+                ec_GFp_mont_field_set_to_one };
+
+        return &ret;
+        }
+
+
+int ec_GFp_mont_group_init(EC_GROUP *group)
+        {
+        int ok;
+
+        ok = ec_GFp_simple_group_init(group);
+        group->field_data1 = NULL;
+        group->field_data2 = NULL;
+        return ok;
+        }
+
+
+int ec_GFp_mont_group_set_curve_GFp(EC_GROUP *group, const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
+        {
+        BN_CTX *new_ctx = NULL;
+        BN_MONT_CTX *mont = NULL;
+        BIGNUM *one = NULL;
+        int ret = 0;
+
+        if (group->field_data1 != NULL)
+                {
+                BN_MONT_CTX_free(group->field_data1);
+                group->field_data1 = NULL;
+                }
+        if (group->field_data2 != NULL)
+                {
+                BN_free(group->field_data2);
+                group->field_data2 = NULL;
+                }
+        
+        if (ctx == NULL)
+                {
+                ctx = new_ctx = BN_CTX_new();
+                if (ctx == NULL)
+                        return 0;
+                }
+
+        mont = BN_MONT_CTX_new();
+        if (mont == NULL) goto err;
+        if (!BN_MONT_CTX_set(mont, p, ctx))
+                {
+                ECerr(EC_F_GFP_MONT_GROUP_SET_CURVE_GFP, ERR_R_BN_LIB);
+                goto err;
+                }
+        one = BN_new();
+        if (one == NULL) goto err;
+        if (!BN_to_montgomery(one, BN_value_one(), mont, ctx)) goto err;
+
+        group->field_data1 = mont;
+        mont = NULL;
+        group->field_data2 = one;
+        one = NULL;
+
+        ret = ec_GFp_simple_group_set_curve_GFp(group, p, a, b, ctx);
+
+        if (!ret)
+                {
+                BN_MONT_CTX_free(group->field_data1);
+                group->field_data1 = NULL;
+                BN_free(group->field_data2);
+                group->field_data2 = NULL;
+                }
+
+ err:
+        if (new_ctx != NULL)
+                BN_CTX_free(new_ctx);
+        if (mont != NULL)
+                BN_MONT_CTX_free(mont);
+        return ret;
+        }
+
+
+void ec_GFp_mont_group_finish(EC_GROUP *group)
+        {
+        if (group->field_data1 != NULL)
+                {
+                BN_MONT_CTX_free(group->field_data1);
+                group->field_data1 = NULL;
+                }
+        if (group->field_data2 != NULL)
+                {
+                BN_free(group->field_data2);
+                group->field_data2 = NULL;
+                }
+        ec_GFp_simple_group_finish(group);
+        }
+
+
+void ec_GFp_mont_group_clear_finish(EC_GROUP *group)
+        {
+        if (group->field_data1 != NULL)
+                {
+                BN_MONT_CTX_free(group->field_data1);
+                group->field_data1 = NULL;
+                }
+        if (group->field_data2 != NULL)
+                {
+                BN_clear_free(group->field_data2);
+                group->field_data2 = NULL;
+                }
+        ec_GFp_simple_group_clear_finish(group);
+        }
+
+
+int ec_GFp_mont_group_copy(EC_GROUP *dest, const EC_GROUP *src)
+        {
+        if (dest->field_data1 != NULL)
+                {
+                BN_MONT_CTX_free(dest->field_data1);
+                dest->field_data1 = NULL;
+                }
+        if (dest->field_data2 != NULL)
+                {
+                BN_clear_free(dest->field_data2);
+                dest->field_data2 = NULL;
+                }
+
+        if (!ec_GFp_simple_group_copy(dest, src)) return 0;
+
+        if (src->field_data1 != NULL)
+                {
+                dest->field_data1 = BN_MONT_CTX_new();
+                if (dest->field_data1 == NULL) return 0;
+                if (!BN_MONT_CTX_copy(dest->field_data1, src->field_data1)) goto err;
+                }
+        if (src->field_data2 != NULL)
+                {
+                dest->field_data2 = BN_dup(src->field_data2);
+                if (dest->field_data2 == NULL) goto err;
+                }
+
+        return 1;
+
+ err:
+        if (dest->field_data1 != NULL)
+                {
+                BN_MONT_CTX_free(dest->field_data1);
+                dest->field_data1 = NULL;
+                }
+        return 0;       
+        }
+
+
+int ec_GFp_mont_field_mul(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
+        {
+        if (group->field_data1 == NULL)
+                {
+                ECerr(EC_F_EC_GFP_MONT_FIELD_MUL, EC_R_NOT_INITIALIZED);
+                return 0;
+                }
+
+        return BN_mod_mul_montgomery(r, a, b, group->field_data1, ctx);
+        }
+
+
+int ec_GFp_mont_field_sqr(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a, BN_CTX *ctx)
+        {
+        if (group->field_data1 == NULL)
+                {
+                ECerr(EC_F_EC_GFP_MONT_FIELD_SQR, EC_R_NOT_INITIALIZED);
+                return 0;
+                }
+
+        return BN_mod_mul_montgomery(r, a, a, group->field_data1, ctx);
+        }
+
+
+int ec_GFp_mont_field_encode(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a, BN_CTX *ctx)
+        {
+        if (group->field_data1 == NULL)
+                {
+                ECerr(EC_F_EC_GFP_MONT_FIELD_ENCODE, EC_R_NOT_INITIALIZED);
+                return 0;
+                }
+
+        return BN_to_montgomery(r, a, (BN_MONT_CTX *)group->field_data1, ctx);
+        }
+
+
+int ec_GFp_mont_field_decode(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a, BN_CTX *ctx)
+        {
+        if (group->field_data1 == NULL)
+                {
+                ECerr(EC_F_EC_GFP_MONT_FIELD_DECODE, EC_R_NOT_INITIALIZED);
+                return 0;
+                }
+
+        return BN_from_montgomery(r, a, group->field_data1, ctx);
+        }
+
+
+int ec_GFp_mont_field_set_to_one(const EC_GROUP *group, BIGNUM *r, BN_CTX *ctx)
+        {
+        if (group->field_data2 == NULL)
+                {
+                ECerr(EC_F_EC_GFP_MONT_FIELD_DECODE, EC_R_NOT_INITIALIZED);
+                return 0;
+                }
+
+        if (!BN_copy(r, group->field_data2)) return 0;
+        return 1;
+        }
diff --git a/src/lib/libcrypto/ec/ecp_nist.c b/src/lib/libcrypto/ec/ecp_nist.c
new file mode 100644
index 0000000000..ed07748675
--- /dev/null
+++ b/src/lib/libcrypto/ec/ecp_nist.c
@@ -0,0 +1,134 @@
+/* crypto/ec/ecp_nist.c */
+/* ====================================================================
+ * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include "ec_lcl.h"
+
+#if 0
+const EC_METHOD *EC_GFp_nist_method(void)
+        {
+        static const EC_METHOD ret = {
+                ec_GFp_nist_group_init,
+                ec_GFp_nist_group_finish,
+                ec_GFp_nist_group_clear_finish,
+                ec_GFp_nist_group_copy,
+                ec_GFp_nist_group_set_curve_GFp,
+                ec_GFp_simple_group_get_curve_GFp,
+                ec_GFp_simple_group_set_generator,
+                ec_GFp_simple_group_get0_generator,
+                ec_GFp_simple_group_get_order,
+                ec_GFp_simple_group_get_cofactor,
+                ec_GFp_simple_point_init,
+                ec_GFp_simple_point_finish,
+                ec_GFp_simple_point_clear_finish,
+                ec_GFp_simple_point_copy,
+                ec_GFp_simple_point_set_to_infinity,
+                ec_GFp_simple_set_Jprojective_coordinates_GFp,
+                ec_GFp_simple_get_Jprojective_coordinates_GFp,
+                ec_GFp_simple_point_set_affine_coordinates_GFp,
+                ec_GFp_simple_point_get_affine_coordinates_GFp,
+                ec_GFp_simple_set_compressed_coordinates_GFp,
+                ec_GFp_simple_point2oct,
+                ec_GFp_simple_oct2point,
+                ec_GFp_simple_add,
+                ec_GFp_simple_dbl,
+                ec_GFp_simple_invert,
+                ec_GFp_simple_is_at_infinity,
+                ec_GFp_simple_is_on_curve,
+                ec_GFp_simple_cmp,
+                ec_GFp_simple_make_affine,
+                ec_GFp_simple_points_make_affine,
+                ec_GFp_nist_field_mul,
+                ec_GFp_nist_field_sqr,
+                0 /* field_encode */,
+                0 /* field_decode */,
+                0 /* field_set_to_one */ };
+
+        return &ret;
+        }
+#endif
+
+
+int ec_GFp_nist_group_init(EC_GROUP *group)
+        {
+        int ok;
+
+        ok = ec_GFp_simple_group_init(group);
+        group->field_data1 = NULL;
+        return ok;
+        }
+
+
+int ec_GFp_nist_group_set_curve_GFp(EC_GROUP *group, const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx);
+/* TODO */
+
+
+void ec_GFp_nist_group_finish(EC_GROUP *group);
+/* TODO */
+
+
+void ec_GFp_nist_group_clear_finish(EC_GROUP *group);
+/* TODO */
+
+
+int ec_GFp_nist_group_copy(EC_GROUP *dest, const EC_GROUP *src);
+/* TODO */
+
+
+int ec_GFp_nist_field_mul(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx);
+/* TODO */
+
+
+int ec_GFp_nist_field_sqr(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a, BN_CTX *ctx);
+/* TODO */
diff --git a/src/lib/libcrypto/ec/ecp_recp.c b/src/lib/libcrypto/ec/ecp_recp.c
new file mode 100644
index 0000000000..fec843b5c8
--- /dev/null
+++ b/src/lib/libcrypto/ec/ecp_recp.c
@@ -0,0 +1,133 @@
+/* crypto/ec/ecp_recp.c */
+/* ====================================================================
+ * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include "ec_lcl.h"
+
+#if 0
+const EC_METHOD *EC_GFp_recp_method(void)
+        {
+        static const EC_METHOD ret = {
+                ec_GFp_recp_group_init,
+                ec_GFp_recp_group_finish,
+                ec_GFp_recp_group_clear_finish,
+                ec_GFp_recp_group_copy,
+                ec_GFp_recp_group_set_curve_GFp,
+                ec_GFp_simple_group_get_curve_GFp,
+                ec_GFp_simple_group_set_generator,
+                ec_GFp_simple_group_get0_generator,
+                ec_GFp_simple_group_get_order,
+                ec_GFp_simple_group_get_cofactor,
+                ec_GFp_simple_point_init,
+                ec_GFp_simple_point_finish,
+                ec_GFp_simple_point_clear_finish,
+                ec_GFp_simple_point_copy,
+                ec_GFp_simple_point_set_to_infinity,
+                ec_GFp_simple_set_Jprojective_coordinates_GFp,
+                ec_GFp_simple_get_Jprojective_coordinates_GFp,
+                ec_GFp_simple_point_set_affine_coordinates_GFp,
+                ec_GFp_simple_point_get_affine_coordinates_GFp,
+                ec_GFp_simple_set_compressed_coordinates_GFp,
+                ec_GFp_simple_point2oct,
+                ec_GFp_simple_oct2point,
+                ec_GFp_simple_add,
+                ec_GFp_simple_dbl,
+                ec_GFp_simple_invert,
+                ec_GFp_simple_is_at_infinity,
+                ec_GFp_simple_is_on_curve,
+                ec_GFp_simple_cmp,
+                ec_GFp_simple_make_affine,
+                ec_GFp_simple_points_make_affine,
+                ec_GFp_recp_field_mul,
+                ec_GFp_recp_field_sqr,
+                0 /* field_encode */,
+                0 /* field_decode */,
+                0 /* field_set_to_one */ };
+
+        return &ret;
+        }
+#endif
+
+int ec_GFp_recp_group_init(EC_GROUP *group)
+        {
+        int ok;
+
+        ok = ec_GFp_simple_group_init(group);
+        group->field_data1 = NULL;
+        return ok;
+        }
+
+
+int ec_GFp_recp_group_set_curve_GFp(EC_GROUP *group, const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx);
+/* TODO */
+
+
+void ec_GFp_recp_group_finish(EC_GROUP *group);
+/* TODO */
+
+
+void ec_GFp_recp_group_clear_finish(EC_GROUP *group);
+/* TODO */
+
+
+int ec_GFp_recp_group_copy(EC_GROUP *dest, const EC_GROUP *src);
+/* TODO */
+
+
+int ec_GFp_recp_field_mul(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx);
+/* TODO */
+
+
+int ec_GFp_recp_field_sqr(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a, BN_CTX *ctx);
+/* TODO */
diff --git a/src/lib/libcrypto/ec/ecp_smpl.c b/src/lib/libcrypto/ec/ecp_smpl.c
new file mode 100644
index 0000000000..4666a052bf
--- /dev/null
+++ b/src/lib/libcrypto/ec/ecp_smpl.c
@@ -0,0 +1,1717 @@
+/* crypto/ec/ecp_smpl.c */
+/* Includes code written by Lenka Fibikova <fibikova@exp-math.uni-essen.de>
+ * for the OpenSSL project. */
+/* ====================================================================
+ * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <openssl/err.h>
+
+#include "ec_lcl.h"
+
+
+const EC_METHOD *EC_GFp_simple_method(void)
+        {
+        static const EC_METHOD ret = {
+                ec_GFp_simple_group_init,
+                ec_GFp_simple_group_finish,
+                ec_GFp_simple_group_clear_finish,
+                ec_GFp_simple_group_copy,
+                ec_GFp_simple_group_set_curve_GFp,
+                ec_GFp_simple_group_get_curve_GFp,
+                ec_GFp_simple_group_set_generator,
+                ec_GFp_simple_group_get0_generator,
+                ec_GFp_simple_group_get_order,
+                ec_GFp_simple_group_get_cofactor,
+                ec_GFp_simple_point_init,
+                ec_GFp_simple_point_finish,
+                ec_GFp_simple_point_clear_finish,
+                ec_GFp_simple_point_copy,
+                ec_GFp_simple_point_set_to_infinity,
+                ec_GFp_simple_set_Jprojective_coordinates_GFp,
+                ec_GFp_simple_get_Jprojective_coordinates_GFp,
+                ec_GFp_simple_point_set_affine_coordinates_GFp,
+                ec_GFp_simple_point_get_affine_coordinates_GFp,
+                ec_GFp_simple_set_compressed_coordinates_GFp,
+                ec_GFp_simple_point2oct,
+                ec_GFp_simple_oct2point,
+                ec_GFp_simple_add,
+                ec_GFp_simple_dbl,
+                ec_GFp_simple_invert,
+                ec_GFp_simple_is_at_infinity,
+                ec_GFp_simple_is_on_curve,
+                ec_GFp_simple_cmp,
+                ec_GFp_simple_make_affine,
+                ec_GFp_simple_points_make_affine,
+                ec_GFp_simple_field_mul,
+                ec_GFp_simple_field_sqr,
+                0 /* field_encode */,
+                0 /* field_decode */,
+                0 /* field_set_to_one */ };
+
+        return &ret;
+        }
+
+
+int ec_GFp_simple_group_init(EC_GROUP *group)
+        {
+        BN_init(&group->field);
+        BN_init(&group->a);
+        BN_init(&group->b);
+        group->a_is_minus3 = 0;
+        group->generator = NULL;
+        BN_init(&group->order);
+        BN_init(&group->cofactor);
+        return 1;
+        }
+
+
+void ec_GFp_simple_group_finish(EC_GROUP *group)
+        {
+        BN_free(&group->field);
+        BN_free(&group->a);
+        BN_free(&group->b);
+        if (group->generator != NULL)
+                EC_POINT_free(group->generator);
+        BN_free(&group->order);
+        BN_free(&group->cofactor);
+        }
+
+
+void ec_GFp_simple_group_clear_finish(EC_GROUP *group)
+        {
+        BN_clear_free(&group->field);
+        BN_clear_free(&group->a);
+        BN_clear_free(&group->b);
+        if (group->generator != NULL)
+                {
+                EC_POINT_clear_free(group->generator);
+                group->generator = NULL;
+                }
+        BN_clear_free(&group->order);
+        BN_clear_free(&group->cofactor);
+        }
+
+
+int ec_GFp_simple_group_copy(EC_GROUP *dest, const EC_GROUP *src)
+        {
+        if (!BN_copy(&dest->field, &src->field)) return 0;
+        if (!BN_copy(&dest->a, &src->a)) return 0;
+        if (!BN_copy(&dest->b, &src->b)) return 0;
+
+        dest->a_is_minus3 = src->a_is_minus3;
+
+        if (src->generator != NULL)
+                {
+                if (dest->generator == NULL)
+                        {
+                        dest->generator = EC_POINT_new(dest);
+                        if (dest->generator == NULL) return 0;
+                        }
+                if (!EC_POINT_copy(dest->generator, src->generator)) return 0;
+                }
+        else
+                {
+                /* src->generator == NULL */
+                if (dest->generator != NULL)
+                        {
+                        EC_POINT_clear_free(dest->generator);
+                        dest->generator = NULL;
+                        }
+                }
+
+        if (!BN_copy(&dest->order, &src->order)) return 0;
+        if (!BN_copy(&dest->cofactor, &src->cofactor)) return 0;
+
+        return 1;
+        }
+
+
+int ec_GFp_simple_group_set_curve_GFp(EC_GROUP *group,
+        const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
+        {
+        int ret = 0;
+        BN_CTX *new_ctx = NULL;
+        BIGNUM *tmp_a;
+        
+        /* p must be a prime > 3 */
+        if (BN_num_bits(p) <= 2 || !BN_is_odd(p))
+                {
+                ECerr(EC_F_EC_GFP_SIMPLE_GROUP_SET_CURVE_GFP, EC_R_INVALID_FIELD);
+                return 0;
+                }
+
+        if (ctx == NULL)
+                {
+                ctx = new_ctx = BN_CTX_new();
+                if (ctx == NULL)
+                        return 0;
+                }
+
+        BN_CTX_start(ctx);
+        tmp_a = BN_CTX_get(ctx);
+        if (tmp_a == NULL) goto err;
+
+        /* group->field */
+        if (!BN_copy(&group->field, p)) goto err;
+        group->field.neg = 0;
+
+        /* group->a */
+        if (!BN_nnmod(tmp_a, a, p, ctx)) goto err;
+        if (group->meth->field_encode)
+                { if (!group->meth->field_encode(group, &group->a, tmp_a, ctx)) goto err; }     
+        else
+                if (!BN_copy(&group->a, tmp_a)) goto err;
+        
+        /* group->b */
+        if (!BN_nnmod(&group->b, b, p, ctx)) goto err;
+        if (group->meth->field_encode)
+                if (!group->meth->field_encode(group, &group->b, &group->b, ctx)) goto err;
+        
+        /* group->a_is_minus3 */
+        if (!BN_add_word(tmp_a, 3)) goto err;
+        group->a_is_minus3 = (0 == BN_cmp(tmp_a, &group->field));
+
+        ret = 1;
+
+ err:
+        BN_CTX_end(ctx);
+        if (new_ctx != NULL)
+                BN_CTX_free(new_ctx);
+        return ret;
+        }
+
+
+int ec_GFp_simple_group_get_curve_GFp(const EC_GROUP *group, BIGNUM *p, BIGNUM *a, BIGNUM *b, BN_CTX *ctx)
+        {
+        int ret = 0;
+        BN_CTX *new_ctx = NULL;
+        
+        if (p != NULL)
+                {
+                if (!BN_copy(p, &group->field)) return 0;
+                }
+
+        if (a != NULL || b != NULL)
+                {
+                if (group->meth->field_decode)
+                        {
+                        if (ctx == NULL)
+                                {
+                                ctx = new_ctx = BN_CTX_new();
+                                if (ctx == NULL)
+                                        return 0;
+                                }
+                        if (a != NULL)
+                                {
+                                if (!group->meth->field_decode(group, a, &group->a, ctx)) goto err;
+                                }
+                        if (b != NULL)
+                                {
+                                if (!group->meth->field_decode(group, b, &group->b, ctx)) goto err;
+                                }
+                        }
+                else
+                        {
+                        if (a != NULL)
+                                {
+                                if (!BN_copy(a, &group->a)) goto err;
+                                }
+                        if (b != NULL)
+                                {
+                                if (!BN_copy(b, &group->b)) goto err;
+                                }
+                        }
+                }
+        
+        ret = 1;
+        
+ err:
+        if (new_ctx)
+                BN_CTX_free(new_ctx);
+        return ret;
+        }
+
+
+
+int ec_GFp_simple_group_set_generator(EC_GROUP *group, const EC_POINT *generator,
+        const BIGNUM *order, const BIGNUM *cofactor)
+        {
+        if (generator == NULL)
+                {
+                ECerr(EC_F_EC_GFP_SIMPLE_GROUP_SET_GENERATOR, ERR_R_PASSED_NULL_PARAMETER);
+                return 0   ;
+                }
+
+        if (group->generator == NULL)
+                {
+                group->generator = EC_POINT_new(group);
+                if (group->generator == NULL) return 0;
+                }
+        if (!EC_POINT_copy(group->generator, generator)) return 0;
+
+        if (order != NULL)
+                { if (!BN_copy(&group->order, order)) return 0; }       
+        else
+                { if (!BN_zero(&group->order)) return 0; }      
+
+        if (cofactor != NULL)
+                { if (!BN_copy(&group->cofactor, cofactor)) return 0; } 
+        else
+                { if (!BN_zero(&group->cofactor)) return 0; }   
+
+        return 1;
+        }
+
+
+EC_POINT *ec_GFp_simple_group_get0_generator(const EC_GROUP *group)
+        {
+        return group->generator;
+        }
+
+
+int ec_GFp_simple_group_get_order(const EC_GROUP *group, BIGNUM *order, BN_CTX *ctx)
+        {
+        if (!BN_copy(order, &group->order))
+                return 0;
+
+        return !BN_is_zero(&group->order);
+        }
+
+
+int ec_GFp_simple_group_get_cofactor(const EC_GROUP *group, BIGNUM *cofactor, BN_CTX *ctx)
+        {
+        if (!BN_copy(cofactor, &group->cofactor))
+                return 0;
+
+        return !BN_is_zero(&group->cofactor);
+        }
+
+
+int ec_GFp_simple_point_init(EC_POINT *point)
+        {
+        BN_init(&point->X);
+        BN_init(&point->Y);
+        BN_init(&point->Z);
+        point->Z_is_one = 0;
+
+        return 1;
+        }
+
+
+void ec_GFp_simple_point_finish(EC_POINT *point)
+        {
+        BN_free(&point->X);
+        BN_free(&point->Y);
+        BN_free(&point->Z);
+        }
+
+
+void ec_GFp_simple_point_clear_finish(EC_POINT *point)
+        {
+        BN_clear_free(&point->X);
+        BN_clear_free(&point->Y);
+        BN_clear_free(&point->Z);
+        point->Z_is_one = 0;
+        }
+
+
+int ec_GFp_simple_point_copy(EC_POINT *dest, const EC_POINT *src)
+        {
+        if (!BN_copy(&dest->X, &src->X)) return 0;
+        if (!BN_copy(&dest->Y, &src->Y)) return 0;
+        if (!BN_copy(&dest->Z, &src->Z)) return 0;
+        dest->Z_is_one = src->Z_is_one;
+
+        return 1;
+        }
+
+
+int ec_GFp_simple_point_set_to_infinity(const EC_GROUP *group, EC_POINT *point)
+        {
+        point->Z_is_one = 0;
+        return (BN_zero(&point->Z));
+        }
+
+
+int ec_GFp_simple_set_Jprojective_coordinates_GFp(const EC_GROUP *group, EC_POINT *point,
+        const BIGNUM *x, const BIGNUM *y, const BIGNUM *z, BN_CTX *ctx)
+        {
+        BN_CTX *new_ctx = NULL;
+        int ret = 0;
+        
+        if (ctx == NULL)
+                {
+                ctx = new_ctx = BN_CTX_new();
+                if (ctx == NULL)
+                        return 0;
+                }
+
+        if (x != NULL)
+                {
+                if (!BN_nnmod(&point->X, x, &group->field, ctx)) goto err;
+                if (group->meth->field_encode)
+                        {
+                        if (!group->meth->field_encode(group, &point->X, &point->X, ctx)) goto err;
+                        }
+                }
+        
+        if (y != NULL)
+                {
+                if (!BN_nnmod(&point->Y, y, &group->field, ctx)) goto err;
+                if (group->meth->field_encode)
+                        {
+                        if (!group->meth->field_encode(group, &point->Y, &point->Y, ctx)) goto err;
+                        }
+                }
+        
+        if (z != NULL)
+                {
+                int Z_is_one;
+
+                if (!BN_nnmod(&point->Z, z, &group->field, ctx)) goto err;
+                Z_is_one = BN_is_one(&point->Z);
+                if (group->meth->field_encode)
+                        {
+                        if (Z_is_one && (group->meth->field_set_to_one != 0))
+                                {
+                                if (!group->meth->field_set_to_one(group, &point->Z, ctx)) goto err;
+                                }
+                        else
+                                {
+                                if (!group->meth->field_encode(group, &point->Z, &point->Z, ctx)) goto err;
+                                }
+                        }
+                point->Z_is_one = Z_is_one;
+                }
+        
+        ret = 1;
+        
+ err:
+        if (new_ctx != NULL)
+                BN_CTX_free(new_ctx);
+        return ret;
+        }
+
+
+int ec_GFp_simple_get_Jprojective_coordinates_GFp(const EC_GROUP *group, const EC_POINT *point,
+        BIGNUM *x, BIGNUM *y, BIGNUM *z, BN_CTX *ctx)
+        {
+        BN_CTX *new_ctx = NULL;
+        int ret = 0;
+        
+        if (group->meth->field_decode != 0)
+                {
+                if (ctx == NULL)
+                        {
+                        ctx = new_ctx = BN_CTX_new();
+                        if (ctx == NULL)
+                                return 0;
+                        }
+
+                if (x != NULL)
+                        {
+                        if (!group->meth->field_decode(group, x, &point->X, ctx)) goto err;
+                        }
+                if (y != NULL)
+                        {
+                        if (!group->meth->field_decode(group, y, &point->Y, ctx)) goto err;
+                        }
+                if (z != NULL)
+                        {
+                        if (!group->meth->field_decode(group, z, &point->Z, ctx)) goto err;
+                        }
+                }
+        else    
+                {
+                if (x != NULL)
+                        {
+                        if (!BN_copy(x, &point->X)) goto err;
+                        }
+                if (y != NULL)
+                        {
+                        if (!BN_copy(y, &point->Y)) goto err;
+                        }
+                if (z != NULL)
+                        {
+                        if (!BN_copy(z, &point->Z)) goto err;
+                        }
+                }
+        
+        ret = 1;
+
+ err:
+        if (new_ctx != NULL)
+                BN_CTX_free(new_ctx);
+        return ret;
+        }
+
+
+int ec_GFp_simple_point_set_affine_coordinates_GFp(const EC_GROUP *group, EC_POINT *point,
+        const BIGNUM *x, const BIGNUM *y, BN_CTX *ctx)
+        {
+        if (x == NULL || y == NULL)
+                {
+                /* unlike for projective coordinates, we do not tolerate this */
+                ECerr(EC_F_EC_GFP_SIMPLE_POINT_SET_AFFINE_COORDINATES_GFP, ERR_R_PASSED_NULL_PARAMETER);
+                return 0;
+                }
+
+        return EC_POINT_set_Jprojective_coordinates_GFp(group, point, x, y, BN_value_one(), ctx);
+        }
+
+
+int ec_GFp_simple_point_get_affine_coordinates_GFp(const EC_GROUP *group, const EC_POINT *point,
+        BIGNUM *x, BIGNUM *y, BN_CTX *ctx)
+        {
+        BN_CTX *new_ctx = NULL;
+        BIGNUM *X, *Y, *Z, *Z_1, *Z_2, *Z_3;
+        const BIGNUM *X_, *Y_, *Z_;
+        int ret = 0;
+
+        if (EC_POINT_is_at_infinity(group, point))
+                {
+                ECerr(EC_F_EC_GFP_SIMPLE_POINT_GET_AFFINE_COORDINATES_GFP, EC_R_POINT_AT_INFINITY);
+                return 0;
+                }
+
+        if (ctx == NULL)
+                {
+                ctx = new_ctx = BN_CTX_new();
+                if (ctx == NULL)
+                        return 0;
+                }
+
+        BN_CTX_start(ctx);
+        X = BN_CTX_get(ctx);
+        Y = BN_CTX_get(ctx);
+        Z = BN_CTX_get(ctx);
+        Z_1 = BN_CTX_get(ctx);
+        Z_2 = BN_CTX_get(ctx);
+        Z_3 = BN_CTX_get(ctx);
+        if (Z_3 == NULL) goto err;
+
+        /* transform  (X, Y, Z)  into  (x, y) := (X/Z^2, Y/Z^3) */
+        
+        if (group->meth->field_decode)
+                {
+                if (!group->meth->field_decode(group, X, &point->X, ctx)) goto err;
+                if (!group->meth->field_decode(group, Y, &point->Y, ctx)) goto err;
+                if (!group->meth->field_decode(group, Z, &point->Z, ctx)) goto err;
+                X_ = X; Y_ = Y; Z_ = Z;
+                }
+        else
+                {
+                X_ = &point->X;
+                Y_ = &point->Y;
+                Z_ = &point->Z;
+                }
+        
+        if (BN_is_one(Z_))
+                {
+                if (x != NULL)
+                        {
+                        if (!BN_copy(x, X_)) goto err;
+                        }
+                if (y != NULL)
+                        {
+                        if (!BN_copy(y, Y_)) goto err;
+                        }
+                }
+        else
+                {
+                if (!BN_mod_inverse(Z_1, Z_, &group->field, ctx))
+                        {
+                        ECerr(EC_F_EC_GFP_SIMPLE_POINT_GET_AFFINE_COORDINATES_GFP, ERR_R_BN_LIB);
+                        goto err;
+                        }
+                
+                if (group->meth->field_encode == 0)
+                        {
+                        /* field_sqr works on standard representation */
+                        if (!group->meth->field_sqr(group, Z_2, Z_1, ctx)) goto err;
+                        }
+                else
+                        {
+                        if (!BN_mod_sqr(Z_2, Z_1, &group->field, ctx)) goto err;
+                        }
+        
+                if (x != NULL)
+                        {
+                        if (group->meth->field_encode == 0)
+                                {
+                                /* field_mul works on standard representation */
+                                if (!group->meth->field_mul(group, x, X_, Z_2, ctx)) goto err;
+                                }
+                        else
+                                {
+                                if (!BN_mod_mul(x, X_, Z_2, &group->field, ctx)) goto err;
+                                }
+                        }
+
+                if (y != NULL)
+                        {
+                        if (group->meth->field_encode == 0)
+                                {
+                                /* field_mul works on standard representation */
+                                if (!group->meth->field_mul(group, Z_3, Z_2, Z_1, ctx)) goto err;
+                                if (!group->meth->field_mul(group, y, Y_, Z_3, ctx)) goto err;
+                                
+                                }
+                        else
+                                {
+                                if (!BN_mod_mul(Z_3, Z_2, Z_1, &group->field, ctx)) goto err;
+                                if (!BN_mod_mul(y, Y_, Z_3, &group->field, ctx)) goto err;
+                                }
+                        }
+                }
+
+        ret = 1;
+
+ err:
+        BN_CTX_end(ctx);
+        if (new_ctx != NULL)
+                BN_CTX_free(new_ctx);
+        return ret;
+        }
+
+
+int ec_GFp_simple_set_compressed_coordinates_GFp(const EC_GROUP *group, EC_POINT *point,
+        const BIGNUM *x_, int y_bit, BN_CTX *ctx)
+        {
+        BN_CTX *new_ctx = NULL;
+        BIGNUM *tmp1, *tmp2, *x, *y;
+        int ret = 0;
+
+        if (ctx == NULL)
+                {
+                ctx = new_ctx = BN_CTX_new();
+                if (ctx == NULL)
+                        return 0;
+                }
+
+        y_bit = (y_bit != 0);
+
+        BN_CTX_start(ctx);
+        tmp1 = BN_CTX_get(ctx);
+        tmp2 = BN_CTX_get(ctx);
+        x = BN_CTX_get(ctx);
+        y = BN_CTX_get(ctx);
+        if (y == NULL) goto err;
+
+        /* Recover y.  We have a Weierstrass equation
+         *     y^2 = x^3 + a*x + b,
+         * so  y  is one of the square roots of  x^3 + a*x + b.
+         */
+
+        /* tmp1 := x^3 */
+        if (!BN_nnmod(x, x_, &group->field,ctx)) goto err;
+        if (group->meth->field_decode == 0)
+                {
+                /* field_{sqr,mul} work on standard representation */
+                if (!group->meth->field_sqr(group, tmp2, x_, ctx)) goto err;
+                if (!group->meth->field_mul(group, tmp1, tmp2, x_, ctx)) goto err;
+                }
+        else
+                {
+                if (!BN_mod_sqr(tmp2, x_, &group->field, ctx)) goto err;
+                if (!BN_mod_mul(tmp1, tmp2, x_, &group->field, ctx)) goto err;
+                }
+        
+        /* tmp1 := tmp1 + a*x */
+        if (group->a_is_minus3)
+                {
+                if (!BN_mod_lshift1_quick(tmp2, x, &group->field)) goto err;
+                if (!BN_mod_add_quick(tmp2, tmp2, x, &group->field)) goto err;
+                if (!BN_mod_sub_quick(tmp1, tmp1, tmp2, &group->field)) goto err;
+                }
+        else
+                {
+                if (group->meth->field_decode)
+                        {
+                        if (!group->meth->field_decode(group, tmp2, &group->a, ctx)) goto err;
+                        if (!BN_mod_mul(tmp2, tmp2, x, &group->field, ctx)) goto err;
+                        }
+                else
+                        {
+                        /* field_mul works on standard representation */
+                        if (!group->meth->field_mul(group, tmp2, &group->a, x, ctx)) goto err;
+                        }
+                
+                if (!BN_mod_add_quick(tmp1, tmp1, tmp2, &group->field)) goto err;
+                }
+        
+        /* tmp1 := tmp1 + b */
+        if (group->meth->field_decode)
+                {
+                if (!group->meth->field_decode(group, tmp2, &group->b, ctx)) goto err;
+                if (!BN_mod_add_quick(tmp1, tmp1, tmp2, &group->field)) goto err;
+                }
+        else
+                {
+                if (!BN_mod_add_quick(tmp1, tmp1, &group->b, &group->field)) goto err;
+                }
+        
+        if (!BN_mod_sqrt(y, tmp1, &group->field, ctx))
+                {
+                unsigned long err = ERR_peek_error();
+                
+                if (ERR_GET_LIB(err) == ERR_LIB_BN && ERR_GET_REASON(err) == BN_R_NOT_A_SQUARE)
+                        {
+                        (void)ERR_get_error();
+                        ECerr(EC_F_EC_GFP_SIMPLE_SET_COMPRESSED_COORDINATES_GFP, EC_R_INVALID_COMPRESSED_POINT);
+                        }
+                else
+                        ECerr(EC_F_EC_GFP_SIMPLE_SET_COMPRESSED_COORDINATES_GFP, ERR_R_BN_LIB);
+                goto err;
+                }
+        /* If tmp1 is not a square (i.e. there is no point on the curve with
+         * our x), then y now is a nonsense value too */
+
+        if (y_bit != BN_is_odd(y))
+                {
+                if (BN_is_zero(y))
+                        {
+                        int kron;
+
+                        kron = BN_kronecker(x, &group->field, ctx);
+                        if (kron == -2) goto err;
+
+                        if (kron == 1)
+                                ECerr(EC_F_EC_GFP_SIMPLE_SET_COMPRESSED_COORDINATES_GFP, EC_R_INVALID_COMPRESSION_BIT);
+                        else
+                                ECerr(EC_F_EC_GFP_SIMPLE_SET_COMPRESSED_COORDINATES_GFP, EC_R_INVALID_COMPRESSED_POINT);
+                        goto err;
+                        }
+                if (!BN_usub(y, &group->field, y)) goto err;
+                }
+        if (y_bit != BN_is_odd(y))
+                {
+                ECerr(EC_F_EC_GFP_SIMPLE_SET_COMPRESSED_COORDINATES_GFP, ERR_R_INTERNAL_ERROR);
+                goto err;
+                }
+
+        if (!EC_POINT_set_affine_coordinates_GFp(group, point, x, y, ctx)) goto err;
+
+        ret = 1;
+
+ err:
+        BN_CTX_end(ctx);
+        if (new_ctx != NULL)
+                BN_CTX_free(new_ctx);
+        return ret;
+        }
+
+
+size_t ec_GFp_simple_point2oct(const EC_GROUP *group, const EC_POINT *point, point_conversion_form_t form,
+        unsigned char *buf, size_t len, BN_CTX *ctx)
+        {
+        size_t ret;
+        BN_CTX *new_ctx = NULL;
+        int used_ctx = 0;
+        BIGNUM *x, *y;
+        size_t field_len, i, skip;
+
+        if ((form != POINT_CONVERSION_COMPRESSED)
+                && (form != POINT_CONVERSION_UNCOMPRESSED)
+                && (form != POINT_CONVERSION_HYBRID))
+                {
+                ECerr(EC_F_EC_GFP_SIMPLE_POINT2OCT, EC_R_INVALID_FORM);
+                goto err;
+                }
+
+        if (EC_POINT_is_at_infinity(group, point))
+                {
+                /* encodes to a single 0 octet */
+                if (buf != NULL)
+                        {
+                        if (len < 1)
+                                {
+                                ECerr(EC_F_EC_GFP_SIMPLE_POINT2OCT, EC_R_BUFFER_TOO_SMALL);
+                                return 0;
+                                }
+                        buf[0] = 0;
+                        }
+                return 1;
+                }
+
+
+        /* ret := required output buffer length */
+        field_len = BN_num_bytes(&group->field);
+        ret = (form == POINT_CONVERSION_COMPRESSED) ? 1 + field_len : 1 + 2*field_len;
+
+        /* if 'buf' is NULL, just return required length */
+        if (buf != NULL)
+                {
+                if (len < ret)
+                        {
+                        ECerr(EC_F_EC_GFP_SIMPLE_POINT2OCT, EC_R_BUFFER_TOO_SMALL);
+                        goto err;
+                        }
+
+                if (ctx == NULL)
+                        {
+                        ctx = new_ctx = BN_CTX_new();
+                        if (ctx == NULL)
+                                return 0;
+                        }
+
+                BN_CTX_start(ctx);
+                used_ctx = 1;
+                x = BN_CTX_get(ctx);
+                y = BN_CTX_get(ctx);
+                if (y == NULL) goto err;
+
+                if (!EC_POINT_get_affine_coordinates_GFp(group, point, x, y, ctx)) goto err;
+
+                if ((form == POINT_CONVERSION_COMPRESSED || form == POINT_CONVERSION_HYBRID) && BN_is_odd(y))
+                        buf[0] = form + 1;
+                else
+                        buf[0] = form;
+        
+                i = 1;
+                
+                skip = field_len - BN_num_bytes(x);
+                if (skip > field_len)
+                        {
+                        ECerr(EC_F_EC_GFP_SIMPLE_POINT2OCT, ERR_R_INTERNAL_ERROR);
+                        goto err;
+                        }
+                while (skip > 0)
+                        {
+                        buf[i++] = 0;
+                        skip--;
+                        }
+                skip = BN_bn2bin(x, buf + i);
+                i += skip;
+                if (i != 1 + field_len)
+                        {
+                        ECerr(EC_F_EC_GFP_SIMPLE_POINT2OCT, ERR_R_INTERNAL_ERROR);
+                        goto err;
+                        }
+
+                if (form == POINT_CONVERSION_UNCOMPRESSED || form == POINT_CONVERSION_HYBRID)
+                        {
+                        skip = field_len - BN_num_bytes(y);
+                        if (skip > field_len)
+                                {
+                                ECerr(EC_F_EC_GFP_SIMPLE_POINT2OCT, ERR_R_INTERNAL_ERROR);
+                                goto err;
+                                }
+                        while (skip > 0)
+                                {
+                                buf[i++] = 0;
+                                skip--;
+                                }
+                        skip = BN_bn2bin(y, buf + i);
+                        i += skip;
+                        }
+
+                if (i != ret)
+                        {
+                        ECerr(EC_F_EC_GFP_SIMPLE_POINT2OCT, ERR_R_INTERNAL_ERROR);
+                        goto err;
+                        }
+                }
+        
+        if (used_ctx)
+                BN_CTX_end(ctx);
+        if (new_ctx != NULL)
+                BN_CTX_free(new_ctx);
+        return ret;
+
+ err:
+        if (used_ctx)
+                BN_CTX_end(ctx);
+        if (new_ctx != NULL)
+                BN_CTX_free(new_ctx);
+        return 0;
+        }
+
+
+int ec_GFp_simple_oct2point(const EC_GROUP *group, EC_POINT *point,
+        const unsigned char *buf, size_t len, BN_CTX *ctx)
+        {
+        point_conversion_form_t form;
+        int y_bit;
+        BN_CTX *new_ctx = NULL;
+        BIGNUM *x, *y;
+        size_t field_len, enc_len;
+        int ret = 0;
+
+        if (len == 0)
+                {
+                ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_BUFFER_TOO_SMALL);
+                return 0;
+                }
+        form = buf[0];
+        y_bit = form & 1;
+        form = form & ~1;
+        if ((form != 0) && (form != POINT_CONVERSION_COMPRESSED)
+                && (form != POINT_CONVERSION_UNCOMPRESSED)
+                && (form != POINT_CONVERSION_HYBRID))
+                {
+                ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING);
+                return 0;
+                }
+        if ((form == 0 || form == POINT_CONVERSION_UNCOMPRESSED) && y_bit)
+                {
+                ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING);
+                return 0;
+                }
+
+        if (form == 0)
+                {
+                if (len != 1)
+                        {
+                        ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING);
+                        return 0;
+                        }
+
+                return EC_POINT_set_to_infinity(group, point);
+                }
+        
+        field_len = BN_num_bytes(&group->field);
+        enc_len = (form == POINT_CONVERSION_COMPRESSED) ? 1 + field_len : 1 + 2*field_len;
+
+        if (len != enc_len)
+                {
+                ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING);
+                return 0;
+                }
+
+        if (ctx == NULL)
+                {
+                ctx = new_ctx = BN_CTX_new();
+                if (ctx == NULL)
+                        return 0;
+                }
+
+        BN_CTX_start(ctx);
+        x = BN_CTX_get(ctx);
+        y = BN_CTX_get(ctx);
+        if (y == NULL) goto err;
+
+        if (!BN_bin2bn(buf + 1, field_len, x)) goto err;
+        if (BN_ucmp(x, &group->field) >= 0)
+                {
+                ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING);
+                goto err;
+                }
+
+        if (form == POINT_CONVERSION_COMPRESSED)
+                {
+                if (!EC_POINT_set_compressed_coordinates_GFp(group, point, x, y_bit, ctx)) goto err;
+                }
+        else
+                {
+                if (!BN_bin2bn(buf + 1 + field_len, field_len, y)) goto err;
+                if (BN_ucmp(y, &group->field) >= 0)
+                        {
+                        ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING);
+                        goto err;
+                        }
+                if (form == POINT_CONVERSION_HYBRID)
+                        {
+                        if (y_bit != BN_is_odd(y))
+                                {
+                                ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_INVALID_ENCODING);
+                                goto err;
+                                }
+                        }
+
+                if (!EC_POINT_set_affine_coordinates_GFp(group, point, x, y, ctx)) goto err;
+                }
+        
+        if (!EC_POINT_is_on_curve(group, point, ctx)) /* test required by X9.62 */
+                {
+                ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_POINT_IS_NOT_ON_CURVE);
+                goto err;
+                }
+
+        ret = 1;
+        
+ err:
+        BN_CTX_end(ctx);
+        if (new_ctx != NULL)
+                BN_CTX_free(new_ctx);
+        return ret;
+        }
+
+
+int ec_GFp_simple_add(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, const EC_POINT *b, BN_CTX *ctx)
+        {
+        int (*field_mul)(const EC_GROUP *, BIGNUM *, const BIGNUM *, const BIGNUM *, BN_CTX *);
+        int (*field_sqr)(const EC_GROUP *, BIGNUM *, const BIGNUM *, BN_CTX *);
+        const BIGNUM *p;
+        BN_CTX *new_ctx = NULL;
+        BIGNUM *n0, *n1, *n2, *n3, *n4, *n5, *n6;
+        int ret = 0;
+        
+        if (a == b)
+                return EC_POINT_dbl(group, r, a, ctx);
+        if (EC_POINT_is_at_infinity(group, a))
+                return EC_POINT_copy(r, b);
+        if (EC_POINT_is_at_infinity(group, b))
+                return EC_POINT_copy(r, a);
+        
+        field_mul = group->meth->field_mul;
+        field_sqr = group->meth->field_sqr;
+        p = &group->field;
+
+        if (ctx == NULL)
+                {
+                ctx = new_ctx = BN_CTX_new();
+                if (ctx == NULL)
+                        return 0;
+                }
+
+        BN_CTX_start(ctx);
+        n0 = BN_CTX_get(ctx);
+        n1 = BN_CTX_get(ctx);
+        n2 = BN_CTX_get(ctx);
+        n3 = BN_CTX_get(ctx);
+        n4 = BN_CTX_get(ctx);
+        n5 = BN_CTX_get(ctx);
+        n6 = BN_CTX_get(ctx);
+        if (n6 == NULL) goto end;
+
+        /* Note that in this function we must not read components of 'a' or 'b'
+         * once we have written the corresponding components of 'r'.
+         * ('r' might be one of 'a' or 'b'.)
+         */
+
+        /* n1, n2 */
+        if (b->Z_is_one)
+                {
+                if (!BN_copy(n1, &a->X)) goto end;
+                if (!BN_copy(n2, &a->Y)) goto end;
+                /* n1 = X_a */
+                /* n2 = Y_a */
+                }
+        else
+                {
+                if (!field_sqr(group, n0, &b->Z, ctx)) goto end;
+                if (!field_mul(group, n1, &a->X, n0, ctx)) goto end;
+                /* n1 = X_a * Z_b^2 */
+
+                if (!field_mul(group, n0, n0, &b->Z, ctx)) goto end;
+                if (!field_mul(group, n2, &a->Y, n0, ctx)) goto end;
+                /* n2 = Y_a * Z_b^3 */
+                }
+
+        /* n3, n4 */
+        if (a->Z_is_one)
+                {
+                if (!BN_copy(n3, &b->X)) goto end;
+                if (!BN_copy(n4, &b->Y)) goto end;
+                /* n3 = X_b */
+                /* n4 = Y_b */
+                }
+        else
+                {
+                if (!field_sqr(group, n0, &a->Z, ctx)) goto end;
+                if (!field_mul(group, n3, &b->X, n0, ctx)) goto end;
+                /* n3 = X_b * Z_a^2 */
+
+                if (!field_mul(group, n0, n0, &a->Z, ctx)) goto end;
+                if (!field_mul(group, n4, &b->Y, n0, ctx)) goto end;
+                /* n4 = Y_b * Z_a^3 */
+                }
+
+        /* n5, n6 */
+        if (!BN_mod_sub_quick(n5, n1, n3, p)) goto end;
+        if (!BN_mod_sub_quick(n6, n2, n4, p)) goto end;
+        /* n5 = n1 - n3 */
+        /* n6 = n2 - n4 */
+
+        if (BN_is_zero(n5))
+                {
+                if (BN_is_zero(n6))
+                        {
+                        /* a is the same point as b */
+                        BN_CTX_end(ctx);
+                        ret = EC_POINT_dbl(group, r, a, ctx);
+                        ctx = NULL;
+                        goto end;
+                        }
+                else
+                        {
+                        /* a is the inverse of b */
+                        if (!BN_zero(&r->Z)) goto end;
+                        r->Z_is_one = 0;
+                        ret = 1;
+                        goto end;
+                        }
+                }
+
+        /* 'n7', 'n8' */
+        if (!BN_mod_add_quick(n1, n1, n3, p)) goto end;
+        if (!BN_mod_add_quick(n2, n2, n4, p)) goto end;
+        /* 'n7' = n1 + n3 */
+        /* 'n8' = n2 + n4 */
+
+        /* Z_r */
+        if (a->Z_is_one && b->Z_is_one)
+                {
+                if (!BN_copy(&r->Z, n5)) goto end;
+                }
+        else
+                {
+                if (a->Z_is_one)
+                        { if (!BN_copy(n0, &b->Z)) goto end; }
+                else if (b->Z_is_one)
+                        { if (!BN_copy(n0, &a->Z)) goto end; }
+                else
+                        { if (!field_mul(group, n0, &a->Z, &b->Z, ctx)) goto end; }
+                if (!field_mul(group, &r->Z, n0, n5, ctx)) goto end;
+                }
+        r->Z_is_one = 0;
+        /* Z_r = Z_a * Z_b * n5 */
+
+        /* X_r */
+        if (!field_sqr(group, n0, n6, ctx)) goto end;
+        if (!field_sqr(group, n4, n5, ctx)) goto end;
+        if (!field_mul(group, n3, n1, n4, ctx)) goto end;
+        if (!BN_mod_sub_quick(&r->X, n0, n3, p)) goto end;
+        /* X_r = n6^2 - n5^2 * 'n7' */
+        
+        /* 'n9' */
+        if (!BN_mod_lshift1_quick(n0, &r->X, p)) goto end;
+        if (!BN_mod_sub_quick(n0, n3, n0, p)) goto end;
+        /* n9 = n5^2 * 'n7' - 2 * X_r */
+
+        /* Y_r */
+        if (!field_mul(group, n0, n0, n6, ctx)) goto end;
+        if (!field_mul(group, n5, n4, n5, ctx)) goto end; /* now n5 is n5^3 */
+        if (!field_mul(group, n1, n2, n5, ctx)) goto end;
+        if (!BN_mod_sub_quick(n0, n0, n1, p)) goto end;
+        if (BN_is_odd(n0))
+                if (!BN_add(n0, n0, p)) goto end;
+        /* now  0 <= n0 < 2*p,  and n0 is even */
+        if (!BN_rshift1(&r->Y, n0)) goto end;
+        /* Y_r = (n6 * 'n9' - 'n8' * 'n5^3') / 2 */
+
+        ret = 1;
+
+ end:
+        if (ctx) /* otherwise we already called BN_CTX_end */
+                BN_CTX_end(ctx);
+        if (new_ctx != NULL)
+                BN_CTX_free(new_ctx);
+        return ret;
+        }
+
+
+int ec_GFp_simple_dbl(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, BN_CTX *ctx)
+        {
+        int (*field_mul)(const EC_GROUP *, BIGNUM *, const BIGNUM *, const BIGNUM *, BN_CTX *);
+        int (*field_sqr)(const EC_GROUP *, BIGNUM *, const BIGNUM *, BN_CTX *);
+        const BIGNUM *p;
+        BN_CTX *new_ctx = NULL;
+        BIGNUM *n0, *n1, *n2, *n3;
+        int ret = 0;
+        
+        if (EC_POINT_is_at_infinity(group, a))
+                {
+                if (!BN_zero(&r->Z)) return 0;
+                r->Z_is_one = 0;
+                return 1;
+                }
+
+        field_mul = group->meth->field_mul;
+        field_sqr = group->meth->field_sqr;
+        p = &group->field;
+
+        if (ctx == NULL)
+                {
+                ctx = new_ctx = BN_CTX_new();
+                if (ctx == NULL)
+                        return 0;
+                }
+
+        BN_CTX_start(ctx);
+        n0 = BN_CTX_get(ctx);
+        n1 = BN_CTX_get(ctx);
+        n2 = BN_CTX_get(ctx);
+        n3 = BN_CTX_get(ctx);
+        if (n3 == NULL) goto err;
+
+        /* Note that in this function we must not read components of 'a'
+         * once we have written the corresponding components of 'r'.
+         * ('r' might the same as 'a'.)
+         */
+
+        /* n1 */
+        if (a->Z_is_one)
+                {
+                if (!field_sqr(group, n0, &a->X, ctx)) goto err;
+                if (!BN_mod_lshift1_quick(n1, n0, p)) goto err;
+                if (!BN_mod_add_quick(n0, n0, n1, p)) goto err;
+                if (!BN_mod_add_quick(n1, n0, &group->a, p)) goto err;
+                /* n1 = 3 * X_a^2 + a_curve */
+                }
+        else if (group->a_is_minus3)
+                {
+                if (!field_sqr(group, n1, &a->Z, ctx)) goto err;
+                if (!BN_mod_add_quick(n0, &a->X, n1, p)) goto err;
+                if (!BN_mod_sub_quick(n2, &a->X, n1, p)) goto err;
+                if (!field_mul(group, n1, n0, n2, ctx)) goto err;
+                if (!BN_mod_lshift1_quick(n0, n1, p)) goto err;
+                if (!BN_mod_add_quick(n1, n0, n1, p)) goto err;
+                /* n1 = 3 * (X_a + Z_a^2) * (X_a - Z_a^2)
+                 *    = 3 * X_a^2 - 3 * Z_a^4 */
+                }
+        else
+                {
+                if (!field_sqr(group, n0, &a->X, ctx)) goto err;
+                if (!BN_mod_lshift1_quick(n1, n0, p)) goto err;
+                if (!BN_mod_add_quick(n0, n0, n1, p)) goto err;
+                if (!field_sqr(group, n1, &a->Z, ctx)) goto err;
+                if (!field_sqr(group, n1, n1, ctx)) goto err;
+                if (!field_mul(group, n1, n1, &group->a, ctx)) goto err;
+                if (!BN_mod_add_quick(n1, n1, n0, p)) goto err;
+                /* n1 = 3 * X_a^2 + a_curve * Z_a^4 */
+                }
+
+        /* Z_r */
+        if (a->Z_is_one)
+                {
+                if (!BN_copy(n0, &a->Y)) goto err;
+                }
+        else
+                {
+                if (!field_mul(group, n0, &a->Y, &a->Z, ctx)) goto err;
+                }
+        if (!BN_mod_lshift1_quick(&r->Z, n0, p)) goto err;
+        r->Z_is_one = 0;
+        /* Z_r = 2 * Y_a * Z_a */
+
+        /* n2 */
+        if (!field_sqr(group, n3, &a->Y, ctx)) goto err;
+        if (!field_mul(group, n2, &a->X, n3, ctx)) goto err;
+        if (!BN_mod_lshift_quick(n2, n2, 2, p)) goto err;
+        /* n2 = 4 * X_a * Y_a^2 */
+
+        /* X_r */
+        if (!BN_mod_lshift1_quick(n0, n2, p)) goto err;
+        if (!field_sqr(group, &r->X, n1, ctx)) goto err;
+        if (!BN_mod_sub_quick(&r->X, &r->X, n0, p)) goto err;
+        /* X_r = n1^2 - 2 * n2 */
+        
+        /* n3 */
+        if (!field_sqr(group, n0, n3, ctx)) goto err;
+        if (!BN_mod_lshift_quick(n3, n0, 3, p)) goto err;
+        /* n3 = 8 * Y_a^4 */
+        
+        /* Y_r */
+        if (!BN_mod_sub_quick(n0, n2, &r->X, p)) goto err;
+        if (!field_mul(group, n0, n1, n0, ctx)) goto err;
+        if (!BN_mod_sub_quick(&r->Y, n0, n3, p)) goto err;
+        /* Y_r = n1 * (n2 - X_r) - n3 */
+
+        ret = 1;
+
+ err:
+        BN_CTX_end(ctx);
+        if (new_ctx != NULL)
+                BN_CTX_free(new_ctx);
+        return ret;
+        }
+
+
+int ec_GFp_simple_invert(const EC_GROUP *group, EC_POINT *point, BN_CTX *ctx)
+        {
+        if (EC_POINT_is_at_infinity(group, point) || BN_is_zero(&point->Y))
+                /* point is its own inverse */
+                return 1;
+        
+        return BN_usub(&point->Y, &group->field, &point->Y);
+        }
+
+
+int ec_GFp_simple_is_at_infinity(const EC_GROUP *group, const EC_POINT *point)
+        {
+        return BN_is_zero(&point->Z);
+        }
+
+
+int ec_GFp_simple_is_on_curve(const EC_GROUP *group, const EC_POINT *point, BN_CTX *ctx)
+        {
+        int (*field_mul)(const EC_GROUP *, BIGNUM *, const BIGNUM *, const BIGNUM *, BN_CTX *);
+        int (*field_sqr)(const EC_GROUP *, BIGNUM *, const BIGNUM *, BN_CTX *);
+        const BIGNUM *p;
+        BN_CTX *new_ctx = NULL;
+        BIGNUM *rh, *tmp1, *tmp2, *Z4, *Z6;
+        int ret = -1;
+
+        if (EC_POINT_is_at_infinity(group, point))
+                return 1;
+        
+        field_mul = group->meth->field_mul;
+        field_sqr = group->meth->field_sqr;
+        p = &group->field;
+
+        if (ctx == NULL)
+                {
+                ctx = new_ctx = BN_CTX_new();
+                if (ctx == NULL)
+                        return -1;
+                }
+
+        BN_CTX_start(ctx);
+        rh = BN_CTX_get(ctx);
+        tmp1 = BN_CTX_get(ctx);
+        tmp2 = BN_CTX_get(ctx);
+        Z4 = BN_CTX_get(ctx);
+        Z6 = BN_CTX_get(ctx);
+        if (Z6 == NULL) goto err;
+
+        /* We have a curve defined by a Weierstrass equation
+         *      y^2 = x^3 + a*x + b.
+         * The point to consider is given in Jacobian projective coordinates
+         * where  (X, Y, Z)  represents  (x, y) = (X/Z^2, Y/Z^3).
+         * Substituting this and multiplying by  Z^6  transforms the above equation into
+         *      Y^2 = X^3 + a*X*Z^4 + b*Z^6.
+         * To test this, we add up the right-hand side in 'rh'.
+         */
+
+        /* rh := X^3 */
+        if (!field_sqr(group, rh, &point->X, ctx)) goto err;
+        if (!field_mul(group, rh, rh, &point->X, ctx)) goto err;
+
+        if (!point->Z_is_one)
+                {
+                if (!field_sqr(group, tmp1, &point->Z, ctx)) goto err;
+                if (!field_sqr(group, Z4, tmp1, ctx)) goto err;
+                if (!field_mul(group, Z6, Z4, tmp1, ctx)) goto err;
+
+                /* rh := rh + a*X*Z^4 */
+                if (!field_mul(group, tmp1, &point->X, Z4, ctx)) goto err;
+                if (group->a_is_minus3)
+                        {
+                        if (!BN_mod_lshift1_quick(tmp2, tmp1, p)) goto err;
+                        if (!BN_mod_add_quick(tmp2, tmp2, tmp1, p)) goto err;
+                        if (!BN_mod_sub_quick(rh, rh, tmp2, p)) goto err;
+                        }
+                else
+                        {
+                        if (!field_mul(group, tmp2, tmp1, &group->a, ctx)) goto err;
+                        if (!BN_mod_add_quick(rh, rh, tmp2, p)) goto err;
+                        }
+
+                /* rh := rh + b*Z^6 */
+                if (!field_mul(group, tmp1, &group->b, Z6, ctx)) goto err;
+                if (!BN_mod_add_quick(rh, rh, tmp1, p)) goto err;
+                }
+        else
+                {
+                /* point->Z_is_one */
+
+                /* rh := rh + a*X */
+                if (group->a_is_minus3)
+                        {
+                        if (!BN_mod_lshift1_quick(tmp2, &point->X, p)) goto err;
+                        if (!BN_mod_add_quick(tmp2, tmp2, &point->X, p)) goto err;
+                        if (!BN_mod_sub_quick(rh, rh, tmp2, p)) goto err;
+                        }
+                else
+                        {
+                        if (!field_mul(group, tmp2, &point->X, &group->a, ctx)) goto err;
+                        if (!BN_mod_add_quick(rh, rh, tmp2, p)) goto err;
+                        }
+
+                /* rh := rh + b */
+                if (!BN_mod_add_quick(rh, rh, &group->b, p)) goto err;
+                }
+
+        /* 'lh' := Y^2 */
+        if (!field_sqr(group, tmp1, &point->Y, ctx)) goto err;
+
+        ret = (0 == BN_cmp(tmp1, rh));
+
+ err:
+        BN_CTX_end(ctx);
+        if (new_ctx != NULL)
+                BN_CTX_free(new_ctx);
+        return ret;
+        }
+
+
+int ec_GFp_simple_cmp(const EC_GROUP *group, const EC_POINT *a, const EC_POINT *b, BN_CTX *ctx)
+        {
+        /* return values:
+         *  -1   error
+         *   0   equal (in affine coordinates)
+         *   1   not equal
+         */
+
+        int (*field_mul)(const EC_GROUP *, BIGNUM *, const BIGNUM *, const BIGNUM *, BN_CTX *);
+        int (*field_sqr)(const EC_GROUP *, BIGNUM *, const BIGNUM *, BN_CTX *);
+        BN_CTX *new_ctx = NULL;
+        BIGNUM *tmp1, *tmp2, *Za23, *Zb23;
+        const BIGNUM *tmp1_, *tmp2_;
+        int ret = -1;
+        
+        if (EC_POINT_is_at_infinity(group, a))
+                {
+                return EC_POINT_is_at_infinity(group, b) ? 0 : 1;
+                }
+        
+        if (a->Z_is_one && b->Z_is_one)
+                {
+                return ((BN_cmp(&a->X, &b->X) == 0) && BN_cmp(&a->Y, &b->Y) == 0) ? 0 : 1;
+                }
+
+        field_mul = group->meth->field_mul;
+        field_sqr = group->meth->field_sqr;
+
+        if (ctx == NULL)
+                {
+                ctx = new_ctx = BN_CTX_new();
+                if (ctx == NULL)
+                        return -1;
+                }
+
+        BN_CTX_start(ctx);
+        tmp1 = BN_CTX_get(ctx);
+        tmp2 = BN_CTX_get(ctx);
+        Za23 = BN_CTX_get(ctx);
+        Zb23 = BN_CTX_get(ctx);
+        if (Zb23 == NULL) goto end;
+
+        /* We have to decide whether
+         *     (X_a/Z_a^2, Y_a/Z_a^3) = (X_b/Z_b^2, Y_b/Z_b^3),
+         * or equivalently, whether
+         *     (X_a*Z_b^2, Y_a*Z_b^3) = (X_b*Z_a^2, Y_b*Z_a^3).
+         */
+
+        if (!b->Z_is_one)
+                {
+                if (!field_sqr(group, Zb23, &b->Z, ctx)) goto end;
+                if (!field_mul(group, tmp1, &a->X, Zb23, ctx)) goto end;
+                tmp1_ = tmp1;
+                }
+        else
+                tmp1_ = &a->X;
+        if (!a->Z_is_one)
+                {
+                if (!field_sqr(group, Za23, &a->Z, ctx)) goto end;
+                if (!field_mul(group, tmp2, &b->X, Za23, ctx)) goto end;
+                tmp2_ = tmp2;
+                }
+        else
+                tmp2_ = &b->X;
+        
+        /* compare  X_a*Z_b^2  with  X_b*Z_a^2 */
+        if (BN_cmp(tmp1_, tmp2_) != 0)
+                {
+                ret = 1; /* points differ */
+                goto end;
+                }
+
+
+        if (!b->Z_is_one)
+                {
+                if (!field_mul(group, Zb23, Zb23, &b->Z, ctx)) goto end;
+                if (!field_mul(group, tmp1, &a->Y, Zb23, ctx)) goto end;
+                /* tmp1_ = tmp1 */
+                }
+        else
+                tmp1_ = &a->Y;
+        if (!a->Z_is_one)
+                {
+                if (!field_mul(group, Za23, Za23, &a->Z, ctx)) goto end;
+                if (!field_mul(group, tmp2, &b->Y, Za23, ctx)) goto end;
+                /* tmp2_ = tmp2 */
+                }
+        else
+                tmp2_ = &b->Y;
+
+        /* compare  Y_a*Z_b^3  with  Y_b*Z_a^3 */
+        if (BN_cmp(tmp1_, tmp2_) != 0)
+                {
+                ret = 1; /* points differ */
+                goto end;
+                }
+
+        /* points are equal */
+        ret = 0;
+
+ end:
+        BN_CTX_end(ctx);
+        if (new_ctx != NULL)
+                BN_CTX_free(new_ctx);
+        return ret;
+        }
+
+
+int ec_GFp_simple_make_affine(const EC_GROUP *group, EC_POINT *point, BN_CTX *ctx)
+        {
+        BN_CTX *new_ctx = NULL;
+        BIGNUM *x, *y;
+        int ret = 0;
+
+        if (point->Z_is_one || EC_POINT_is_at_infinity(group, point))
+                return 1;
+
+        if (ctx == NULL)
+                {
+                ctx = new_ctx = BN_CTX_new();
+                if (ctx == NULL)
+                        return 0;
+                }
+
+        BN_CTX_start(ctx);
+        x = BN_CTX_get(ctx);
+        y = BN_CTX_get(ctx);
+        if (y == NULL) goto err;
+
+        if (!EC_POINT_get_affine_coordinates_GFp(group, point, x, y, ctx)) goto err;
+        if (!EC_POINT_set_affine_coordinates_GFp(group, point, x, y, ctx)) goto err;
+        if (!point->Z_is_one)
+                {
+                ECerr(EC_F_EC_GFP_SIMPLE_MAKE_AFFINE, ERR_R_INTERNAL_ERROR);
+                goto err;
+                }
+        
+        ret = 1;
+
+ err:
+        BN_CTX_end(ctx);
+        if (new_ctx != NULL)
+                BN_CTX_free(new_ctx);
+        return ret;
+        }
+
+
+int ec_GFp_simple_points_make_affine(const EC_GROUP *group, size_t num, EC_POINT *points[], BN_CTX *ctx)
+        {
+        BN_CTX *new_ctx = NULL;
+        BIGNUM *tmp0, *tmp1;
+        size_t pow2 = 0;
+        BIGNUM **heap = NULL;
+        size_t i;
+        int ret = 0;
+
+        if (num == 0)
+                return 1;
+
+        if (ctx == NULL)
+                {
+                ctx = new_ctx = BN_CTX_new();
+                if (ctx == NULL)
+                        return 0;
+                }
+
+        BN_CTX_start(ctx);
+        tmp0 = BN_CTX_get(ctx);
+        tmp1 = BN_CTX_get(ctx);
+        if (tmp0  == NULL || tmp1 == NULL) goto err;
+
+        /* Before converting the individual points, compute inverses of all Z values.
+         * Modular inversion is rather slow, but luckily we can do with a single
+         * explicit inversion, plus about 3 multiplications per input value.
+         */
+
+        pow2 = 1;
+        while (num > pow2)
+                pow2 <<= 1;
+        /* Now pow2 is the smallest power of 2 satifsying pow2 >= num.
+         * We need twice that. */
+        pow2 <<= 1;
+
+        heap = OPENSSL_malloc(pow2 * sizeof heap[0]);
+        if (heap == NULL) goto err;
+        
+        /* The array is used as a binary tree, exactly as in heapsort:
+         *
+         *                               heap[1]
+         *                 heap[2]                     heap[3]
+         *          heap[4]       heap[5]       heap[6]       heap[7]
+         *   heap[8]heap[9] heap[10]heap[11] heap[12]heap[13] heap[14] heap[15]
+         *
+         * We put the Z's in the last line;
+         * then we set each other node to the product of its two child-nodes (where
+         * empty or 0 entries are treated as ones);
+         * then we invert heap[1];
+         * then we invert each other node by replacing it by the product of its
+         * parent (after inversion) and its sibling (before inversion).
+         */
+        heap[0] = NULL;
+        for (i = pow2/2 - 1; i > 0; i--)
+                heap[i] = NULL;
+        for (i = 0; i < num; i++)
+                heap[pow2/2 + i] = &points[i]->Z;
+        for (i = pow2/2 + num; i < pow2; i++)
+                heap[i] = NULL;
+        
+        /* set each node to the product of its children */
+        for (i = pow2/2 - 1; i > 0; i--)
+                {
+                heap[i] = BN_new();
+                if (heap[i] == NULL) goto err;
+                
+                if (heap[2*i] != NULL)
+                        {
+                        if ((heap[2*i + 1] == NULL) || BN_is_zero(heap[2*i + 1]))
+                                {
+                                if (!BN_copy(heap[i], heap[2*i])) goto err;
+                                }
+                        else
+                                {
+                                if (BN_is_zero(heap[2*i]))
+                                        {
+                                        if (!BN_copy(heap[i], heap[2*i + 1])) goto err;
+                                        }
+                                else
+                                        {
+                                        if (!group->meth->field_mul(group, heap[i],
+                                                heap[2*i], heap[2*i + 1], ctx)) goto err;
+                                        }
+                                }
+                        }
+                }
+
+        /* invert heap[1] */
+        if (!BN_is_zero(heap[1]))
+                {
+                if (!BN_mod_inverse(heap[1], heap[1], &group->field, ctx))
+                        {
+                        ECerr(EC_F_EC_GFP_SIMPLE_POINTS_MAKE_AFFINE, ERR_R_BN_LIB);
+                        goto err;
+                        }
+                }
+        if (group->meth->field_encode != 0)
+                {
+                /* in the Montgomery case, we just turned  R*H  (representing H)
+                 * into  1/(R*H),  but we need  R*(1/H)  (representing 1/H);
+                 * i.e. we have need to multiply by the Montgomery factor twice */
+                if (!group->meth->field_encode(group, heap[1], heap[1], ctx)) goto err;
+                if (!group->meth->field_encode(group, heap[1], heap[1], ctx)) goto err;
+                }
+
+        /* set other heap[i]'s to their inverses */
+        for (i = 2; i < pow2/2 + num; i += 2)
+                {
+                /* i is even */
+                if ((heap[i + 1] != NULL) && !BN_is_zero(heap[i + 1]))
+                        {
+                        if (!group->meth->field_mul(group, tmp0, heap[i/2], heap[i + 1], ctx)) goto err;
+                        if (!group->meth->field_mul(group, tmp1, heap[i/2], heap[i], ctx)) goto err;
+                        if (!BN_copy(heap[i], tmp0)) goto err;
+                        if (!BN_copy(heap[i + 1], tmp1)) goto err;
+                        }
+                else
+                        {
+                        if (!BN_copy(heap[i], heap[i/2])) goto err;
+                        }
+                }
+
+        /* we have replaced all non-zero Z's by their inverses, now fix up all the points */
+        for (i = 0; i < num; i++)
+                {
+                EC_POINT *p = points[i];
+                
+                if (!BN_is_zero(&p->Z))
+                        {
+                        /* turn  (X, Y, 1/Z)  into  (X/Z^2, Y/Z^3, 1) */
+
+                        if (!group->meth->field_sqr(group, tmp1, &p->Z, ctx)) goto err;
+                        if (!group->meth->field_mul(group, &p->X, &p->X, tmp1, ctx)) goto err;
+
+                        if (!group->meth->field_mul(group, tmp1, tmp1, &p->Z, ctx)) goto err;
+                        if (!group->meth->field_mul(group, &p->Y, &p->Y, tmp1, ctx)) goto err;
+                
+                        if (group->meth->field_set_to_one != 0)
+                                {
+                                if (!group->meth->field_set_to_one(group, &p->Z, ctx)) goto err;
+                                }
+                        else
+                                {
+                                if (!BN_one(&p->Z)) goto err;
+                                }
+                        p->Z_is_one = 1;
+                        }
+                }
+
+        ret = 1;
+                
+ err:
+        BN_CTX_end(ctx);
+        if (new_ctx != NULL)
+                BN_CTX_free(new_ctx);
+        if (heap != NULL)
+                {
+                /* heap[pow2/2] .. heap[pow2-1] have not been allocated locally! */
+                for (i = pow2/2 - 1; i > 0; i--)
+                        {
+                        if (heap[i] != NULL)
+                                BN_clear_free(heap[i]);
+                        }
+                OPENSSL_free(heap);
+                }
+        return ret;
+        }
+
+
+int ec_GFp_simple_field_mul(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
+        {
+        return BN_mod_mul(r, a, b, &group->field, ctx);
+        }
+
+
+int ec_GFp_simple_field_sqr(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a, BN_CTX *ctx)
+        {
+        return BN_mod_sqr(r, a, &group->field, ctx);
+        }
diff --git a/src/lib/libcrypto/ec/ectest.c b/src/lib/libcrypto/ec/ectest.c
new file mode 100644
index 0000000000..243cd83fb5
--- /dev/null
+++ b/src/lib/libcrypto/ec/ectest.c
@@ -0,0 +1,634 @@
+/* crypto/ec/ectest.c */
+/* ====================================================================
+ * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <time.h>
+
+
+#ifdef OPENSSL_NO_EC
+int main(int argc, char * argv[]) { puts("Elliptic curves are disabled."); return 0; }
+#else
+
+
+#include <openssl/ec.h>
+#include <openssl/engine.h>
+#include <openssl/err.h>
+
+#define ABORT do { \
+        fflush(stdout); \
+        fprintf(stderr, "%s:%d: ABORT\n", __FILE__, __LINE__); \
+        ERR_print_errors_fp(stderr); \
+        exit(1); \
+} while (0)
+
+
+void timings(EC_GROUP *group, int multi, BN_CTX *ctx)
+        {
+        clock_t clck;
+        int i, j;
+        BIGNUM *s, *s0;
+        EC_POINT *P;
+                
+        s = BN_new();
+        s0 = BN_new();
+        if (s == NULL || s0 == NULL) ABORT;
+
+        if (!EC_GROUP_get_curve_GFp(group, s, NULL, NULL, ctx)) ABORT;
+        fprintf(stdout, "Timings for %d bit prime, ", (int)BN_num_bits(s));
+        if (!EC_GROUP_get_order(group, s, ctx)) ABORT;
+        fprintf(stdout, "%d bit scalars ", (int)BN_num_bits(s));
+        fflush(stdout);
+
+        P = EC_POINT_new(group);
+        if (P == NULL) ABORT;
+        EC_POINT_copy(P, EC_GROUP_get0_generator(group));
+
+        clck = clock();
+        for (i = 0; i < 10; i++)
+                {
+                if (!BN_pseudo_rand(s, BN_num_bits(s), 0, 0)) ABORT;
+                if (multi)
+                        {
+                        if (!BN_pseudo_rand(s0, BN_num_bits(s), 0, 0)) ABORT;
+                        }
+                for (j = 0; j < 10; j++)
+                        {
+                        if (!EC_POINT_mul(group, P, s, multi ? P : NULL, multi ? s0 : NULL, ctx)) ABORT;
+                        }
+                fprintf(stdout, ".");
+                fflush(stdout);
+                }
+        fprintf(stdout, "\n");
+        
+        clck = clock() - clck;
+
+#ifdef CLOCKS_PER_SEC
+        /* "To determine the time in seconds, the value returned
+         * by the clock function should be divided by the value
+         * of the macro CLOCKS_PER_SEC."
+         *                                       -- ISO/IEC 9899 */
+#       define UNIT "s"
+#else
+        /* "`CLOCKS_PER_SEC' undeclared (first use this function)"
+         *                            -- cc on NeXTstep/OpenStep */
+#       define UNIT "units"
+#       define CLOCKS_PER_SEC 1
+#endif
+
+        fprintf(stdout, "%i %s in %.2f " UNIT "\n", i*j,
+                multi ? "s*P+t*Q operations" : "point multiplications",
+                (double)clck/CLOCKS_PER_SEC);
+        fprintf(stdout, "average: %.4f " UNIT "\n", (double)clck/(CLOCKS_PER_SEC*i*j));
+
+        EC_POINT_free(P);
+        BN_free(s);
+        BN_free(s0);
+        }
+
+
+int main(int argc, char *argv[])
+        {       
+        BN_CTX *ctx = NULL;
+        BIGNUM *p, *a, *b;
+        EC_GROUP *group;
+        EC_GROUP *P_192 = NULL, *P_224 = NULL, *P_256 = NULL, *P_384 = NULL, *P_521 = NULL;
+        EC_POINT *P, *Q, *R;
+        BIGNUM *x, *y, *z;
+        unsigned char buf[100];
+        size_t i, len;
+        int k;
+        
+        /* enable memory leak checking unless explicitly disabled */
+        if (!((getenv("OPENSSL_DEBUG_MEMORY") != NULL) && (0 == strcmp(getenv("OPENSSL_DEBUG_MEMORY"), "off"))))
+                {
+                CRYPTO_malloc_debug_init();
+                CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL);
+                }
+        else
+                {
+                /* OPENSSL_DEBUG_MEMORY=off */
+                CRYPTO_set_mem_debug_functions(0, 0, 0, 0, 0);
+                }
+        CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
+        ERR_load_crypto_strings();
+
+#if 1 /* optional */
+        ctx = BN_CTX_new();
+        if (!ctx) ABORT;
+#endif
+
+        p = BN_new();
+        a = BN_new();
+        b = BN_new();
+        if (!p || !a || !b) ABORT;
+
+        if (!BN_hex2bn(&p, "17")) ABORT;
+        if (!BN_hex2bn(&a, "1")) ABORT;
+        if (!BN_hex2bn(&b, "1")) ABORT;
+        
+        group = EC_GROUP_new(EC_GFp_mont_method()); /* applications should use EC_GROUP_new_curve_GFp
+                                                     * so that the library gets to choose the EC_METHOD */
+        if (!group) ABORT;
+
+        if (!EC_GROUP_set_curve_GFp(group, p, a, b, ctx)) ABORT;
+
+        {
+                EC_GROUP *tmp;
+                tmp = EC_GROUP_new(EC_GROUP_method_of(group));
+                if (!tmp) ABORT;
+                if (!EC_GROUP_copy(tmp, group));
+                EC_GROUP_free(group);
+                group = tmp;
+        }
+        
+        if (!EC_GROUP_get_curve_GFp(group, p, a, b, ctx)) ABORT;
+
+        fprintf(stdout, "Curve defined by Weierstrass equation\n     y^2 = x^3 + a*x + b  (mod 0x");
+        BN_print_fp(stdout, p);
+        fprintf(stdout, ")\n     a = 0x");
+        BN_print_fp(stdout, a);
+        fprintf(stdout, "\n     b = 0x");
+        BN_print_fp(stdout, b);
+        fprintf(stdout, "\n");
+
+        P = EC_POINT_new(group);
+        Q = EC_POINT_new(group);
+        R = EC_POINT_new(group);
+        if (!P || !Q || !R) ABORT;
+        
+        if (!EC_POINT_set_to_infinity(group, P)) ABORT;
+        if (!EC_POINT_is_at_infinity(group, P)) ABORT;
+
+        buf[0] = 0;
+        if (!EC_POINT_oct2point(group, Q, buf, 1, ctx)) ABORT;
+
+        if (!EC_POINT_add(group, P, P, Q, ctx)) ABORT;
+        if (!EC_POINT_is_at_infinity(group, P)) ABORT;
+
+        x = BN_new();
+        y = BN_new();
+        z = BN_new();
+        if (!x || !y || !z) ABORT;
+
+        if (!BN_hex2bn(&x, "D")) ABORT;
+        if (!EC_POINT_set_compressed_coordinates_GFp(group, Q, x, 1, ctx)) ABORT;
+        if (!EC_POINT_is_on_curve(group, Q, ctx))
+                {
+                if (!EC_POINT_get_affine_coordinates_GFp(group, Q, x, y, ctx)) ABORT;
+                fprintf(stderr, "Point is not on curve: x = 0x");
+                BN_print_fp(stderr, x);
+                fprintf(stderr, ", y = 0x");
+                BN_print_fp(stderr, y);
+                fprintf(stderr, "\n");
+                ABORT;
+                }
+
+        fprintf(stdout, "A cyclic subgroup:\n");
+        k = 100;
+        do
+                {
+                if (k-- == 0) ABORT;
+
+                if (EC_POINT_is_at_infinity(group, P))
+                        fprintf(stdout, "     point at infinity\n");
+                else
+                        {
+                        if (!EC_POINT_get_affine_coordinates_GFp(group, P, x, y, ctx)) ABORT;
+
+                        fprintf(stdout, "     x = 0x");
+                        BN_print_fp(stdout, x);
+                        fprintf(stdout, ", y = 0x");
+                        BN_print_fp(stdout, y);
+                        fprintf(stdout, "\n");
+                        }
+                
+                if (!EC_POINT_copy(R, P)) ABORT;
+                if (!EC_POINT_add(group, P, P, Q, ctx)) ABORT;
+
+#if 0 /* optional */
+                {
+                        EC_POINT *points[3];
+                
+                        points[0] = R;
+                        points[1] = Q;
+                        points[2] = P;
+                        if (!EC_POINTs_make_affine(group, 2, points, ctx)) ABORT;
+                }
+#endif
+
+                }
+        while (!EC_POINT_is_at_infinity(group, P));
+
+        if (!EC_POINT_add(group, P, Q, R, ctx)) ABORT;
+        if (!EC_POINT_is_at_infinity(group, P)) ABORT;
+
+        len = EC_POINT_point2oct(group, Q, POINT_CONVERSION_COMPRESSED, buf, sizeof buf, ctx);
+        if (len == 0) ABORT;
+        if (!EC_POINT_oct2point(group, P, buf, len, ctx)) ABORT;
+        if (0 != EC_POINT_cmp(group, P, Q, ctx)) ABORT;
+        fprintf(stdout, "Generator as octect string, compressed form:\n     ");
+        for (i = 0; i < len; i++) fprintf(stdout, "%02X", buf[i]);
+        
+        len = EC_POINT_point2oct(group, Q, POINT_CONVERSION_UNCOMPRESSED, buf, sizeof buf, ctx);
+        if (len == 0) ABORT;
+        if (!EC_POINT_oct2point(group, P, buf, len, ctx)) ABORT;
+        if (0 != EC_POINT_cmp(group, P, Q, ctx)) ABORT;
+        fprintf(stdout, "\nGenerator as octect string, uncompressed form:\n     ");
+        for (i = 0; i < len; i++) fprintf(stdout, "%02X", buf[i]);
+        
+        len = EC_POINT_point2oct(group, Q, POINT_CONVERSION_HYBRID, buf, sizeof buf, ctx);
+        if (len == 0) ABORT;
+        if (!EC_POINT_oct2point(group, P, buf, len, ctx)) ABORT;
+        if (0 != EC_POINT_cmp(group, P, Q, ctx)) ABORT;
+        fprintf(stdout, "\nGenerator as octect string, hybrid form:\n     ");
+        for (i = 0; i < len; i++) fprintf(stdout, "%02X", buf[i]);
+        
+        if (!EC_POINT_get_Jprojective_coordinates_GFp(group, R, x, y, z, ctx)) ABORT;
+        fprintf(stdout, "\nA representation of the inverse of that generator in\nJacobian projective coordinates:\n     X = 0x");
+        BN_print_fp(stdout, x);
+        fprintf(stdout, ", Y = 0x");
+        BN_print_fp(stdout, y);
+        fprintf(stdout, ", Z = 0x");
+        BN_print_fp(stdout, z);
+        fprintf(stdout, "\n");
+
+        if (!EC_POINT_invert(group, P, ctx)) ABORT;
+        if (0 != EC_POINT_cmp(group, P, R, ctx)) ABORT;
+
+
+        /* Curve P-192 (FIPS PUB 186-2, App. 6) */
+        
+        if (!BN_hex2bn(&p, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFF")) ABORT;
+        if (1 != BN_is_prime(p, BN_prime_checks, 0, ctx, NULL)) ABORT;
+        if (!BN_hex2bn(&a, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFC")) ABORT;
+        if (!BN_hex2bn(&b, "64210519E59C80E70FA7E9AB72243049FEB8DEECC146B9B1")) ABORT;
+        if (!EC_GROUP_set_curve_GFp(group, p, a, b, ctx)) ABORT;
+
+        if (!BN_hex2bn(&x, "188DA80EB03090F67CBF20EB43A18800F4FF0AFD82FF1012")) ABORT;
+        if (!EC_POINT_set_compressed_coordinates_GFp(group, P, x, 1, ctx)) ABORT;
+        if (!EC_POINT_is_on_curve(group, P, ctx)) ABORT;
+        if (!BN_hex2bn(&z, "FFFFFFFFFFFFFFFFFFFFFFFF99DEF836146BC9B1B4D22831")) ABORT;
+        if (!EC_GROUP_set_generator(group, P, z, BN_value_one())) ABORT;
+
+        if (!EC_POINT_get_affine_coordinates_GFp(group, P, x, y, ctx)) ABORT;
+        fprintf(stdout, "\nNIST curve P-192 -- Generator:\n     x = 0x");
+        BN_print_fp(stdout, x);
+        fprintf(stdout, "\n     y = 0x");
+        BN_print_fp(stdout, y);
+        fprintf(stdout, "\n");
+        /* G_y value taken from the standard: */
+        if (!BN_hex2bn(&z, "07192B95FFC8DA78631011ED6B24CDD573F977A11E794811")) ABORT;
+        if (0 != BN_cmp(y, z)) ABORT;
+        
+        fprintf(stdout, "verify group order ...");
+        fflush(stdout);
+        if (!EC_GROUP_get_order(group, z, ctx)) ABORT;
+        if (!EC_POINT_mul(group, Q, z, NULL, NULL, ctx)) ABORT;
+        if (!EC_POINT_is_at_infinity(group, Q)) ABORT;
+        fprintf(stdout, ".");
+        fflush(stdout);
+        if (!EC_GROUP_precompute_mult(group, ctx)) ABORT;
+        if (!EC_POINT_mul(group, Q, z, NULL, NULL, ctx)) ABORT;
+        if (!EC_POINT_is_at_infinity(group, Q)) ABORT;
+        fprintf(stdout, " ok\n");
+
+        if (!(P_192 = EC_GROUP_new(EC_GROUP_method_of(group)))) ABORT;
+        if (!EC_GROUP_copy(P_192, group)) ABORT;
+
+
+        /* Curve P-224 (FIPS PUB 186-2, App. 6) */
+        
+        if (!BN_hex2bn(&p, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF000000000000000000000001")) ABORT;
+        if (1 != BN_is_prime(p, BN_prime_checks, 0, ctx, NULL)) ABORT;
+        if (!BN_hex2bn(&a, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFE")) ABORT;
+        if (!BN_hex2bn(&b, "B4050A850C04B3ABF54132565044B0B7D7BFD8BA270B39432355FFB4")) ABORT;
+        if (!EC_GROUP_set_curve_GFp(group, p, a, b, ctx)) ABORT;
+
+        if (!BN_hex2bn(&x, "B70E0CBD6BB4BF7F321390B94A03C1D356C21122343280D6115C1D21")) ABORT;
+        if (!EC_POINT_set_compressed_coordinates_GFp(group, P, x, 0, ctx)) ABORT;
+        if (!EC_POINT_is_on_curve(group, P, ctx)) ABORT;
+        if (!BN_hex2bn(&z, "FFFFFFFFFFFFFFFFFFFFFFFFFFFF16A2E0B8F03E13DD29455C5C2A3D")) ABORT;
+        if (!EC_GROUP_set_generator(group, P, z, BN_value_one())) ABORT;
+
+        if (!EC_POINT_get_affine_coordinates_GFp(group, P, x, y, ctx)) ABORT;
+        fprintf(stdout, "\nNIST curve P-224 -- Generator:\n     x = 0x");
+        BN_print_fp(stdout, x);
+        fprintf(stdout, "\n     y = 0x");
+        BN_print_fp(stdout, y);
+        fprintf(stdout, "\n");
+        /* G_y value taken from the standard: */
+        if (!BN_hex2bn(&z, "BD376388B5F723FB4C22DFE6CD4375A05A07476444D5819985007E34")) ABORT;
+        if (0 != BN_cmp(y, z)) ABORT;
+        
+        fprintf(stdout, "verify group order ...");
+        fflush(stdout);
+        if (!EC_GROUP_get_order(group, z, ctx)) ABORT;
+        if (!EC_POINT_mul(group, Q, z, NULL, NULL, ctx)) ABORT;
+        if (!EC_POINT_is_at_infinity(group, Q)) ABORT;
+        fprintf(stdout, ".");
+        fflush(stdout);
+        if (!EC_GROUP_precompute_mult(group, ctx)) ABORT;
+        if (!EC_POINT_mul(group, Q, z, NULL, NULL, ctx)) ABORT;
+        if (!EC_POINT_is_at_infinity(group, Q)) ABORT;
+        fprintf(stdout, " ok\n");
+
+        if (!(P_224 = EC_GROUP_new(EC_GROUP_method_of(group)))) ABORT;
+        if (!EC_GROUP_copy(P_224, group)) ABORT;
+
+
+        /* Curve P-256 (FIPS PUB 186-2, App. 6) */
+        
+        if (!BN_hex2bn(&p, "FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF")) ABORT;
+        if (1 != BN_is_prime(p, BN_prime_checks, 0, ctx, NULL)) ABORT;
+        if (!BN_hex2bn(&a, "FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFC")) ABORT;
+        if (!BN_hex2bn(&b, "5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B")) ABORT;
+        if (!EC_GROUP_set_curve_GFp(group, p, a, b, ctx)) ABORT;
+
+        if (!BN_hex2bn(&x, "6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296")) ABORT;
+        if (!EC_POINT_set_compressed_coordinates_GFp(group, P, x, 1, ctx)) ABORT;
+        if (!EC_POINT_is_on_curve(group, P, ctx)) ABORT;
+        if (!BN_hex2bn(&z, "FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E"
+                "84F3B9CAC2FC632551")) ABORT;
+        if (!EC_GROUP_set_generator(group, P, z, BN_value_one())) ABORT;
+
+        if (!EC_POINT_get_affine_coordinates_GFp(group, P, x, y, ctx)) ABORT;
+        fprintf(stdout, "\nNIST curve P-256 -- Generator:\n     x = 0x");
+        BN_print_fp(stdout, x);
+        fprintf(stdout, "\n     y = 0x");
+        BN_print_fp(stdout, y);
+        fprintf(stdout, "\n");
+        /* G_y value taken from the standard: */
+        if (!BN_hex2bn(&z, "4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5")) ABORT;
+        if (0 != BN_cmp(y, z)) ABORT;
+        
+        fprintf(stdout, "verify group order ...");
+        fflush(stdout);
+        if (!EC_GROUP_get_order(group, z, ctx)) ABORT;
+        if (!EC_POINT_mul(group, Q, z, NULL, NULL, ctx)) ABORT;
+        if (!EC_POINT_is_at_infinity(group, Q)) ABORT;
+        fprintf(stdout, ".");
+        fflush(stdout);
+        if (!EC_GROUP_precompute_mult(group, ctx)) ABORT;
+        if (!EC_POINT_mul(group, Q, z, NULL, NULL, ctx)) ABORT;
+        if (!EC_POINT_is_at_infinity(group, Q)) ABORT;
+        fprintf(stdout, " ok\n");
+
+        if (!(P_256 = EC_GROUP_new(EC_GROUP_method_of(group)))) ABORT;
+        if (!EC_GROUP_copy(P_256, group)) ABORT;
+
+
+        /* Curve P-384 (FIPS PUB 186-2, App. 6) */
+        
+        if (!BN_hex2bn(&p, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
+                "FFFFFFFFFFFFFFFFFEFFFFFFFF0000000000000000FFFFFFFF")) ABORT;
+        if (1 != BN_is_prime(p, BN_prime_checks, 0, ctx, NULL)) ABORT;
+        if (!BN_hex2bn(&a, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
+                "FFFFFFFFFFFFFFFFFEFFFFFFFF0000000000000000FFFFFFFC")) ABORT;
+        if (!BN_hex2bn(&b, "B3312FA7E23EE7E4988E056BE3F82D19181D9C6EFE8141"
+                "120314088F5013875AC656398D8A2ED19D2A85C8EDD3EC2AEF")) ABORT;
+        if (!EC_GROUP_set_curve_GFp(group, p, a, b, ctx)) ABORT;
+
+        if (!BN_hex2bn(&x, "AA87CA22BE8B05378EB1C71EF320AD746E1D3B628BA79B"
+                "9859F741E082542A385502F25DBF55296C3A545E3872760AB7")) ABORT;
+        if (!EC_POINT_set_compressed_coordinates_GFp(group, P, x, 1, ctx)) ABORT;
+        if (!EC_POINT_is_on_curve(group, P, ctx)) ABORT;
+        if (!BN_hex2bn(&z, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
+                "FFC7634D81F4372DDF581A0DB248B0A77AECEC196ACCC52973")) ABORT;
+        if (!EC_GROUP_set_generator(group, P, z, BN_value_one())) ABORT;
+
+        if (!EC_POINT_get_affine_coordinates_GFp(group, P, x, y, ctx)) ABORT;
+        fprintf(stdout, "\nNIST curve P-384 -- Generator:\n     x = 0x");
+        BN_print_fp(stdout, x);
+        fprintf(stdout, "\n     y = 0x");
+        BN_print_fp(stdout, y);
+        fprintf(stdout, "\n");
+        /* G_y value taken from the standard: */
+        if (!BN_hex2bn(&z, "3617DE4A96262C6F5D9E98BF9292DC29F8F41DBD289A14"
+                "7CE9DA3113B5F0B8C00A60B1CE1D7E819D7A431D7C90EA0E5F")) ABORT;
+        if (0 != BN_cmp(y, z)) ABORT;
+        
+        fprintf(stdout, "verify group order ...");
+        fflush(stdout);
+        if (!EC_GROUP_get_order(group, z, ctx)) ABORT;
+        if (!EC_POINT_mul(group, Q, z, NULL, NULL, ctx)) ABORT;
+        if (!EC_POINT_is_at_infinity(group, Q)) ABORT;
+        fprintf(stdout, ".");
+        fflush(stdout);
+        if (!EC_GROUP_precompute_mult(group, ctx)) ABORT;
+        if (!EC_POINT_mul(group, Q, z, NULL, NULL, ctx)) ABORT;
+        if (!EC_POINT_is_at_infinity(group, Q)) ABORT;
+        fprintf(stdout, " ok\n");
+
+        if (!(P_384 = EC_GROUP_new(EC_GROUP_method_of(group)))) ABORT;
+        if (!EC_GROUP_copy(P_384, group)) ABORT;
+
+
+        /* Curve P-521 (FIPS PUB 186-2, App. 6) */
+        
+        if (!BN_hex2bn(&p, "1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
+                "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
+                "FFFFFFFFFFFFFFFFFFFFFFFFFFFF")) ABORT;
+        if (1 != BN_is_prime(p, BN_prime_checks, 0, ctx, NULL)) ABORT;
+        if (!BN_hex2bn(&a, "1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
+                "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
+                "FFFFFFFFFFFFFFFFFFFFFFFFFFFC")) ABORT;
+        if (!BN_hex2bn(&b, "051953EB9618E1C9A1F929A21A0B68540EEA2DA725B99B"
+                "315F3B8B489918EF109E156193951EC7E937B1652C0BD3BB1BF073573"
+                "DF883D2C34F1EF451FD46B503F00")) ABORT;
+        if (!EC_GROUP_set_curve_GFp(group, p, a, b, ctx)) ABORT;
+
+        if (!BN_hex2bn(&x, "C6858E06B70404E9CD9E3ECB662395B4429C648139053F"
+                "B521F828AF606B4D3DBAA14B5E77EFE75928FE1DC127A2FFA8DE3348B"
+                "3C1856A429BF97E7E31C2E5BD66")) ABORT;
+        if (!EC_POINT_set_compressed_coordinates_GFp(group, P, x, 0, ctx)) ABORT;
+        if (!EC_POINT_is_on_curve(group, P, ctx)) ABORT;
+        if (!BN_hex2bn(&z, "1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
+                "FFFFFFFFFFFFFFFFFFFFA51868783BF2F966B7FCC0148F709A5D03BB5"
+                "C9B8899C47AEBB6FB71E91386409")) ABORT;
+        if (!EC_GROUP_set_generator(group, P, z, BN_value_one())) ABORT;
+
+        if (!EC_POINT_get_affine_coordinates_GFp(group, P, x, y, ctx)) ABORT;
+        fprintf(stdout, "\nNIST curve P-521 -- Generator:\n     x = 0x");
+        BN_print_fp(stdout, x);
+        fprintf(stdout, "\n     y = 0x");
+        BN_print_fp(stdout, y);
+        fprintf(stdout, "\n");
+        /* G_y value taken from the standard: */
+        if (!BN_hex2bn(&z, "11839296A789A3BC0045C8A5FB42C7D1BD998F54449579"
+                "B446817AFBD17273E662C97EE72995EF42640C550B9013FAD0761353C"
+                "7086A272C24088BE94769FD16650")) ABORT;
+        if (0 != BN_cmp(y, z)) ABORT;
+        
+        fprintf(stdout, "verify group order ...");
+        fflush(stdout);
+        if (!EC_GROUP_get_order(group, z, ctx)) ABORT;
+        if (!EC_POINT_mul(group, Q, z, NULL, NULL, ctx)) ABORT;
+        if (!EC_POINT_is_at_infinity(group, Q)) ABORT;
+        fprintf(stdout, ".");
+        fflush(stdout);
+        if (!EC_GROUP_precompute_mult(group, ctx)) ABORT;
+        if (!EC_POINT_mul(group, Q, z, NULL, NULL, ctx)) ABORT;
+        if (!EC_POINT_is_at_infinity(group, Q)) ABORT;
+        fprintf(stdout, " ok\n");
+
+        if (!(P_521 = EC_GROUP_new(EC_GROUP_method_of(group)))) ABORT;
+        if (!EC_GROUP_copy(P_521, group)) ABORT;
+
+
+        /* more tests using the last curve */
+
+        if (!EC_POINT_copy(Q, P)) ABORT;
+        if (EC_POINT_is_at_infinity(group, Q)) ABORT;
+        if (!EC_POINT_dbl(group, P, P, ctx)) ABORT;
+        if (!EC_POINT_is_on_curve(group, P, ctx)) ABORT;
+        if (!EC_POINT_invert(group, Q, ctx)) ABORT; /* P = -2Q */
+
+        if (!EC_POINT_add(group, R, P, Q, ctx)) ABORT;
+        if (!EC_POINT_add(group, R, R, Q, ctx)) ABORT;
+        if (!EC_POINT_is_at_infinity(group, R)) ABORT; /* R = P + 2Q */
+
+        {
+                const EC_POINT *points[3];
+                const BIGNUM *scalars[3];
+        
+                if (EC_POINT_is_at_infinity(group, Q)) ABORT;
+                points[0] = Q;
+                points[1] = Q;
+                points[2] = Q;
+
+                if (!BN_add(y, z, BN_value_one())) ABORT;
+                if (BN_is_odd(y)) ABORT;
+                if (!BN_rshift1(y, y)) ABORT;
+                scalars[0] = y; /* (group order + 1)/2,  so  y*Q + y*Q = Q */
+                scalars[1] = y;
+
+                fprintf(stdout, "combined multiplication ...");
+                fflush(stdout);
+
+                /* z is still the group order */
+                if (!EC_POINTs_mul(group, P, NULL, 2, points, scalars, ctx)) ABORT;
+                if (!EC_POINTs_mul(group, R, z, 2, points, scalars, ctx)) ABORT;
+                if (0 != EC_POINT_cmp(group, P, R, ctx)) ABORT;
+                if (0 != EC_POINT_cmp(group, R, Q, ctx)) ABORT;
+
+                fprintf(stdout, ".");
+                fflush(stdout);
+
+                if (!BN_pseudo_rand(y, BN_num_bits(y), 0, 0)) ABORT;
+                if (!BN_add(z, z, y)) ABORT;
+                z->neg = 1;
+                scalars[0] = y;
+                scalars[1] = z; /* z = -(order + y) */
+
+                if (!EC_POINTs_mul(group, P, NULL, 2, points, scalars, ctx)) ABORT;
+                if (!EC_POINT_is_at_infinity(group, P)) ABORT;
+
+                fprintf(stdout, ".");
+                fflush(stdout);
+
+                if (!BN_pseudo_rand(x, BN_num_bits(y) - 1, 0, 0)) ABORT;
+                if (!BN_add(z, x, y)) ABORT;
+                z->neg = 1;
+                scalars[0] = x;
+                scalars[1] = y;
+                scalars[2] = z; /* z = -(x+y) */
+
+                if (!EC_POINTs_mul(group, P, NULL, 3, points, scalars, ctx)) ABORT;
+                if (!EC_POINT_is_at_infinity(group, P)) ABORT;
+
+                fprintf(stdout, " ok\n\n");
+        }
+
+
+#if 0
+        timings(P_192, 0, ctx);
+        timings(P_192, 1, ctx);
+        timings(P_224, 0, ctx);
+        timings(P_224, 1, ctx);
+        timings(P_256, 0, ctx);
+        timings(P_256, 1, ctx);
+        timings(P_384, 0, ctx);
+        timings(P_384, 1, ctx);
+        timings(P_521, 0, ctx);
+        timings(P_521, 1, ctx);
+#endif
+
+
+        if (ctx)
+                BN_CTX_free(ctx);
+        BN_free(p); BN_free(a); BN_free(b);
+        EC_GROUP_free(group);
+        EC_POINT_free(P);
+        EC_POINT_free(Q);
+        EC_POINT_free(R);
+        BN_free(x); BN_free(y); BN_free(z);
+
+        if (P_192) EC_GROUP_free(P_192);
+        if (P_224) EC_GROUP_free(P_224);
+        if (P_256) EC_GROUP_free(P_256);
+        if (P_384) EC_GROUP_free(P_384);
+        if (P_521) EC_GROUP_free(P_521);
+
+        ENGINE_cleanup();
+        CRYPTO_cleanup_all_ex_data();
+        ERR_free_strings();
+        ERR_remove_state(0);
+        CRYPTO_mem_leaks_fp(stderr);
+        
+        return 0;
+        }
+#endif
diff --git a/src/lib/libcrypto/engine/Makefile.ssl b/src/lib/libcrypto/engine/Makefile.ssl
index d49b7c8159..eeea47fbf5 100644
--- a/src/lib/libcrypto/engine/Makefile.ssl
+++ b/src/lib/libcrypto/engine/Makefile.ssl
@@ -5,13 +5,14 @@
 DIR=    engine
 TOP=    ../..
 CC=     cc
-INCLUDES= -I.. -I../../include
+INCLUDES= -I.. -I$(TOP) -I../../include
 CFLAG=-g
 INSTALL_PREFIX=
 OPENSSLDIR=     /usr/local/ssl
 INSTALLTOP=/usr/local/ssl
 MAKE=           make -f Makefile.ssl
-MAKEDEPEND=     $(TOP)/util/domd $(TOP)
+MAKEDEPPROG=    makedepend
+MAKEDEPEND=     $(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)
 MAKEFILE=       Makefile.ssl
 AR=             ar r
 
@@ -22,10 +23,18 @@ TEST= enginetest.c
 APPS=
 
 LIB=$(TOP)/libcrypto.a
-LIBSRC= engine_err.c engine_lib.c engine_list.c engine_openssl.c \
-        hw_atalla.c hw_cswift.c hw_ncipher.c
-LIBOBJ= engine_err.o engine_lib.o engine_list.o engine_openssl.o \
-        hw_atalla.o hw_cswift.o hw_ncipher.o
+LIBSRC= eng_err.c eng_lib.c eng_list.c eng_init.c eng_ctrl.c \
+        eng_table.c eng_pkey.c eng_fat.c eng_all.c \
+        tb_rsa.c tb_dsa.c tb_dh.c tb_rand.c tb_cipher.c tb_digest.c \
+        eng_openssl.c eng_dyn.c eng_cnf.c \
+        hw_atalla.c hw_cswift.c hw_ncipher.c hw_nuron.c hw_ubsec.c \
+        hw_openbsd_dev_crypto.c hw_aep.c hw_sureware.c hw_4758_cca.c
+LIBOBJ= eng_err.o eng_lib.o eng_list.o eng_init.o eng_ctrl.o \
+        eng_table.o eng_pkey.o eng_fat.o eng_all.o \
+        tb_rsa.o tb_dsa.o tb_dh.o tb_rand.o tb_cipher.o tb_digest.o \
+        eng_openssl.o eng_dyn.o eng_cnf.o \
+        hw_atalla.o hw_cswift.o hw_ncipher.o hw_nuron.o hw_ubsec.o \
+        hw_openbsd_dev_crypto.o hw_aep.o hw_sureware.o hw_4758_cca.o
 
 SRC= $(LIBSRC)
 
@@ -48,7 +57,7 @@ files:
         $(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO
 
 links:
-        @$(SHELL) $(TOP)/util/point.sh Makefile.ssl Makefile
+        @$(TOP)/util/point.sh Makefile.ssl Makefile
         @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
         @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
         @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
@@ -63,6 +72,10 @@ install:
 tags:
         ctags $(SRC)
 
+errors:
+        $(PERL) $(TOP)/util/mkerr.pl -conf hw.ec \
+                -nostatic -staticloader -write hw_*.c; \
+
 tests:
 
 lint:
@@ -80,141 +93,361 @@ clean:
 
 # DO NOT DELETE THIS LINE -- make depend depends on it.
 
-engine_err.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-engine_err.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-engine_err.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
-engine_err.o: ../../include/openssl/des.h ../../include/openssl/dh.h
-engine_err.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-engine_err.o: ../../include/openssl/engine.h ../../include/openssl/err.h
-engine_err.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-engine_err.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-engine_err.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-engine_err.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
-engine_err.o: ../../include/openssl/objects.h
-engine_err.o: ../../include/openssl/opensslconf.h
-engine_err.o: ../../include/openssl/opensslv.h ../../include/openssl/rand.h
-engine_err.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-engine_err.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-engine_err.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-engine_err.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-engine_err.o: ../../include/openssl/symhacks.h
-engine_lib.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-engine_lib.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-engine_lib.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-engine_lib.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-engine_lib.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-engine_lib.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-engine_lib.o: ../../include/openssl/engine.h ../../include/openssl/err.h
-engine_lib.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-engine_lib.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-engine_lib.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-engine_lib.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
-engine_lib.o: ../../include/openssl/objects.h
-engine_lib.o: ../../include/openssl/opensslconf.h
-engine_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/rand.h
-engine_lib.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-engine_lib.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-engine_lib.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-engine_lib.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-engine_lib.o: ../../include/openssl/symhacks.h ../cryptlib.h engine_int.h
-engine_list.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-engine_list.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-engine_list.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-engine_list.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-engine_list.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-engine_list.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-engine_list.o: ../../include/openssl/engine.h ../../include/openssl/err.h
-engine_list.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-engine_list.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-engine_list.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-engine_list.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
-engine_list.o: ../../include/openssl/objects.h
-engine_list.o: ../../include/openssl/opensslconf.h
-engine_list.o: ../../include/openssl/opensslv.h ../../include/openssl/rand.h
-engine_list.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-engine_list.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-engine_list.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-engine_list.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-engine_list.o: ../../include/openssl/symhacks.h ../cryptlib.h engine_int.h
-engine_openssl.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-engine_openssl.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-engine_openssl.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-engine_openssl.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-engine_openssl.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-engine_openssl.o: ../../include/openssl/dso.h ../../include/openssl/e_os.h
-engine_openssl.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
-engine_openssl.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-engine_openssl.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-engine_openssl.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-engine_openssl.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-engine_openssl.o: ../../include/openssl/obj_mac.h
-engine_openssl.o: ../../include/openssl/objects.h
-engine_openssl.o: ../../include/openssl/opensslconf.h
-engine_openssl.o: ../../include/openssl/opensslv.h ../../include/openssl/rand.h
-engine_openssl.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-engine_openssl.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-engine_openssl.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-engine_openssl.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-engine_openssl.o: ../../include/openssl/symhacks.h ../cryptlib.h engine_int.h
-hw_atalla.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-hw_atalla.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-hw_atalla.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-hw_atalla.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+eng_all.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+eng_all.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h
+eng_all.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+eng_all.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
+eng_all.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+eng_all.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+eng_all.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
+eng_all.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+eng_all.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+eng_all.o: ../../include/openssl/ui.h eng_all.c eng_int.h
+eng_cnf.o: ../../e_os.h ../../include/openssl/asn1.h
+eng_cnf.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+eng_cnf.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
+eng_cnf.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
+eng_cnf.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+eng_cnf.o: ../../include/openssl/engine.h ../../include/openssl/err.h
+eng_cnf.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
+eng_cnf.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+eng_cnf.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h
+eng_cnf.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+eng_cnf.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
+eng_cnf.o: ../cryptlib.h eng_cnf.c
+eng_ctrl.o: ../../e_os.h ../../include/openssl/asn1.h
+eng_ctrl.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+eng_ctrl.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+eng_ctrl.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+eng_ctrl.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
+eng_ctrl.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+eng_ctrl.o: ../../include/openssl/opensslconf.h
+eng_ctrl.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+eng_ctrl.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h
+eng_ctrl.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+eng_ctrl.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
+eng_ctrl.o: ../cryptlib.h eng_ctrl.c eng_int.h
+eng_dyn.o: ../../e_os.h ../../include/openssl/asn1.h
+eng_dyn.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+eng_dyn.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+eng_dyn.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+eng_dyn.o: ../../include/openssl/dso.h ../../include/openssl/e_os2.h
+eng_dyn.o: ../../include/openssl/engine.h ../../include/openssl/err.h
+eng_dyn.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
+eng_dyn.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+eng_dyn.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h
+eng_dyn.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+eng_dyn.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
+eng_dyn.o: ../cryptlib.h eng_dyn.c eng_int.h
+eng_err.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+eng_err.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h
+eng_err.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+eng_err.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
+eng_err.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+eng_err.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+eng_err.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
+eng_err.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+eng_err.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+eng_err.o: ../../include/openssl/ui.h eng_err.c
+eng_fat.o: ../../e_os.h ../../include/openssl/asn1.h
+eng_fat.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+eng_fat.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
+eng_fat.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
+eng_fat.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+eng_fat.o: ../../include/openssl/engine.h ../../include/openssl/err.h
+eng_fat.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
+eng_fat.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+eng_fat.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h
+eng_fat.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+eng_fat.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
+eng_fat.o: ../cryptlib.h eng_fat.c eng_int.h
+eng_init.o: ../../e_os.h ../../include/openssl/asn1.h
+eng_init.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+eng_init.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+eng_init.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+eng_init.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
+eng_init.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+eng_init.o: ../../include/openssl/opensslconf.h
+eng_init.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+eng_init.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h
+eng_init.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+eng_init.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
+eng_init.o: ../cryptlib.h eng_init.c eng_int.h
+eng_lib.o: ../../e_os.h ../../include/openssl/asn1.h
+eng_lib.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+eng_lib.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+eng_lib.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+eng_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
+eng_lib.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+eng_lib.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+eng_lib.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
+eng_lib.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+eng_lib.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+eng_lib.o: ../../include/openssl/ui.h ../cryptlib.h eng_int.h eng_lib.c
+eng_list.o: ../../e_os.h ../../include/openssl/asn1.h
+eng_list.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+eng_list.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+eng_list.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+eng_list.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
+eng_list.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+eng_list.o: ../../include/openssl/opensslconf.h
+eng_list.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+eng_list.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h
+eng_list.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+eng_list.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
+eng_list.o: ../cryptlib.h eng_int.h eng_list.c
+eng_openssl.o: ../../e_os.h ../../include/openssl/asn1.h
+eng_openssl.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+eng_openssl.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+eng_openssl.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+eng_openssl.o: ../../include/openssl/dso.h ../../include/openssl/e_os2.h
+eng_openssl.o: ../../include/openssl/engine.h ../../include/openssl/err.h
+eng_openssl.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+eng_openssl.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+eng_openssl.o: ../../include/openssl/opensslconf.h
+eng_openssl.o: ../../include/openssl/opensslv.h
+eng_openssl.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pem.h
+eng_openssl.o: ../../include/openssl/pem2.h ../../include/openssl/pkcs7.h
+eng_openssl.o: ../../include/openssl/rand.h ../../include/openssl/rc4.h
+eng_openssl.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+eng_openssl.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+eng_openssl.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
+eng_openssl.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+eng_openssl.o: ../cryptlib.h eng_openssl.c
+eng_pkey.o: ../../e_os.h ../../include/openssl/asn1.h
+eng_pkey.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+eng_pkey.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+eng_pkey.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+eng_pkey.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
+eng_pkey.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+eng_pkey.o: ../../include/openssl/opensslconf.h
+eng_pkey.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+eng_pkey.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h
+eng_pkey.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+eng_pkey.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
+eng_pkey.o: ../cryptlib.h eng_int.h eng_pkey.c
+eng_table.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+eng_table.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h
+eng_table.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+eng_table.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
+eng_table.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+eng_table.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+eng_table.o: ../../include/openssl/objects.h
+eng_table.o: ../../include/openssl/opensslconf.h
+eng_table.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+eng_table.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h
+eng_table.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+eng_table.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
+eng_table.o: eng_int.h eng_table.c
+hw_4758_cca.o: ../../e_os.h ../../include/openssl/asn1.h
+hw_4758_cca.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+hw_4758_cca.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+hw_4758_cca.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+hw_4758_cca.o: ../../include/openssl/dso.h ../../include/openssl/e_os2.h
+hw_4758_cca.o: ../../include/openssl/engine.h ../../include/openssl/err.h
+hw_4758_cca.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+hw_4758_cca.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+hw_4758_cca.o: ../../include/openssl/opensslconf.h
+hw_4758_cca.o: ../../include/openssl/opensslv.h
+hw_4758_cca.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+hw_4758_cca.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h
+hw_4758_cca.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+hw_4758_cca.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+hw_4758_cca.o: ../../include/openssl/ui.h ../../include/openssl/x509.h
+hw_4758_cca.o: ../../include/openssl/x509_vfy.h ../cryptlib.h hw_4758_cca.c
+hw_4758_cca.o: hw_4758_cca_err.c hw_4758_cca_err.h vendor_defns/hw_4758_cca.h
+hw_aep.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+hw_aep.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h
+hw_aep.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+hw_aep.o: ../../include/openssl/dso.h ../../include/openssl/e_os2.h
+hw_aep.o: ../../include/openssl/engine.h ../../include/openssl/err.h
+hw_aep.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
+hw_aep.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+hw_aep.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h
+hw_aep.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+hw_aep.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h hw_aep.c
+hw_aep.o: hw_aep_err.c hw_aep_err.h vendor_defns/aep.h
+hw_atalla.o: ../../e_os.h ../../include/openssl/asn1.h
+hw_atalla.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+hw_atalla.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 hw_atalla.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-hw_atalla.o: ../../include/openssl/dso.h ../../include/openssl/e_os.h
-hw_atalla.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
-hw_atalla.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-hw_atalla.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-hw_atalla.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-hw_atalla.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-hw_atalla.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-hw_atalla.o: ../../include/openssl/opensslconf.h
-hw_atalla.o: ../../include/openssl/opensslv.h ../../include/openssl/rand.h
-hw_atalla.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-hw_atalla.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-hw_atalla.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-hw_atalla.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-hw_atalla.o: ../../include/openssl/symhacks.h ../cryptlib.h engine_int.h
+hw_atalla.o: ../../include/openssl/dso.h ../../include/openssl/e_os2.h
+hw_atalla.o: ../../include/openssl/engine.h ../../include/openssl/err.h
+hw_atalla.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
+hw_atalla.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+hw_atalla.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h
+hw_atalla.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+hw_atalla.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
+hw_atalla.o: ../cryptlib.h hw_atalla.c hw_atalla_err.c hw_atalla_err.h
 hw_atalla.o: vendor_defns/atalla.h
-hw_cswift.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-hw_cswift.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-hw_cswift.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-hw_cswift.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+hw_cswift.o: ../../e_os.h ../../include/openssl/asn1.h
+hw_cswift.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+hw_cswift.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 hw_cswift.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-hw_cswift.o: ../../include/openssl/dso.h ../../include/openssl/e_os.h
-hw_cswift.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
-hw_cswift.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-hw_cswift.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-hw_cswift.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-hw_cswift.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-hw_cswift.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-hw_cswift.o: ../../include/openssl/opensslconf.h
-hw_cswift.o: ../../include/openssl/opensslv.h ../../include/openssl/rand.h
-hw_cswift.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-hw_cswift.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-hw_cswift.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-hw_cswift.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-hw_cswift.o: ../../include/openssl/symhacks.h ../cryptlib.h engine_int.h
+hw_cswift.o: ../../include/openssl/dso.h ../../include/openssl/e_os2.h
+hw_cswift.o: ../../include/openssl/engine.h ../../include/openssl/err.h
+hw_cswift.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
+hw_cswift.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+hw_cswift.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h
+hw_cswift.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+hw_cswift.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
+hw_cswift.o: ../cryptlib.h hw_cswift.c hw_cswift_err.c hw_cswift_err.h
 hw_cswift.o: vendor_defns/cswift.h
-hw_ncipher.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-hw_ncipher.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-hw_ncipher.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-hw_ncipher.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+hw_ncipher.o: ../../e_os.h ../../include/openssl/asn1.h
+hw_ncipher.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+hw_ncipher.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 hw_ncipher.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-hw_ncipher.o: ../../include/openssl/dso.h ../../include/openssl/e_os.h
-hw_ncipher.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
-hw_ncipher.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-hw_ncipher.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-hw_ncipher.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-hw_ncipher.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+hw_ncipher.o: ../../include/openssl/dso.h ../../include/openssl/e_os2.h
+hw_ncipher.o: ../../include/openssl/engine.h ../../include/openssl/err.h
+hw_ncipher.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 hw_ncipher.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 hw_ncipher.o: ../../include/openssl/opensslconf.h
-hw_ncipher.o: ../../include/openssl/opensslv.h ../../include/openssl/pem.h
-hw_ncipher.o: ../../include/openssl/pem2.h ../../include/openssl/pkcs7.h
-hw_ncipher.o: ../../include/openssl/rand.h ../../include/openssl/rc2.h
-hw_ncipher.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-hw_ncipher.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-hw_ncipher.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-hw_ncipher.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+hw_ncipher.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+hw_ncipher.o: ../../include/openssl/pem.h ../../include/openssl/pem2.h
+hw_ncipher.o: ../../include/openssl/pkcs7.h ../../include/openssl/rand.h
+hw_ncipher.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+hw_ncipher.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+hw_ncipher.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
 hw_ncipher.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-hw_ncipher.o: ../cryptlib.h engine_int.h vendor_defns/hwcryptohook.h
+hw_ncipher.o: ../cryptlib.h hw_ncipher.c hw_ncipher_err.c hw_ncipher_err.h
+hw_ncipher.o: vendor_defns/hwcryptohook.h
+hw_nuron.o: ../../e_os.h ../../include/openssl/asn1.h
+hw_nuron.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+hw_nuron.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+hw_nuron.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+hw_nuron.o: ../../include/openssl/dso.h ../../include/openssl/e_os2.h
+hw_nuron.o: ../../include/openssl/engine.h ../../include/openssl/err.h
+hw_nuron.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
+hw_nuron.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+hw_nuron.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h
+hw_nuron.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+hw_nuron.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
+hw_nuron.o: ../cryptlib.h hw_nuron.c hw_nuron_err.c hw_nuron_err.h
+hw_openbsd_dev_crypto.o: ../../include/openssl/asn1.h
+hw_openbsd_dev_crypto.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+hw_openbsd_dev_crypto.o: ../../include/openssl/conf.h
+hw_openbsd_dev_crypto.o: ../../include/openssl/crypto.h
+hw_openbsd_dev_crypto.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+hw_openbsd_dev_crypto.o: ../../include/openssl/e_os2.h
+hw_openbsd_dev_crypto.o: ../../include/openssl/engine.h
+hw_openbsd_dev_crypto.o: ../../include/openssl/err.h
+hw_openbsd_dev_crypto.o: ../../include/openssl/evp.h
+hw_openbsd_dev_crypto.o: ../../include/openssl/lhash.h
+hw_openbsd_dev_crypto.o: ../../include/openssl/obj_mac.h
+hw_openbsd_dev_crypto.o: ../../include/openssl/objects.h
+hw_openbsd_dev_crypto.o: ../../include/openssl/opensslconf.h
+hw_openbsd_dev_crypto.o: ../../include/openssl/opensslv.h
+hw_openbsd_dev_crypto.o: ../../include/openssl/ossl_typ.h
+hw_openbsd_dev_crypto.o: ../../include/openssl/rand.h
+hw_openbsd_dev_crypto.o: ../../include/openssl/rsa.h
+hw_openbsd_dev_crypto.o: ../../include/openssl/safestack.h
+hw_openbsd_dev_crypto.o: ../../include/openssl/stack.h
+hw_openbsd_dev_crypto.o: ../../include/openssl/symhacks.h
+hw_openbsd_dev_crypto.o: ../../include/openssl/ui.h ../evp/evp_locl.h eng_int.h
+hw_openbsd_dev_crypto.o: hw_openbsd_dev_crypto.c
+hw_sureware.o: ../../e_os.h ../../include/openssl/asn1.h
+hw_sureware.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+hw_sureware.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+hw_sureware.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+hw_sureware.o: ../../include/openssl/dso.h ../../include/openssl/e_os2.h
+hw_sureware.o: ../../include/openssl/engine.h ../../include/openssl/err.h
+hw_sureware.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+hw_sureware.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+hw_sureware.o: ../../include/openssl/opensslconf.h
+hw_sureware.o: ../../include/openssl/opensslv.h
+hw_sureware.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pem.h
+hw_sureware.o: ../../include/openssl/pem2.h ../../include/openssl/pkcs7.h
+hw_sureware.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h
+hw_sureware.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+hw_sureware.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+hw_sureware.o: ../../include/openssl/ui.h ../../include/openssl/x509.h
+hw_sureware.o: ../../include/openssl/x509_vfy.h ../cryptlib.h eng_int.h
+hw_sureware.o: engine.h hw_sureware.c hw_sureware_err.c hw_sureware_err.h
+hw_sureware.o: vendor_defns/sureware.h
+hw_ubsec.o: ../../e_os.h ../../include/openssl/asn1.h
+hw_ubsec.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+hw_ubsec.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+hw_ubsec.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+hw_ubsec.o: ../../include/openssl/dso.h ../../include/openssl/e_os2.h
+hw_ubsec.o: ../../include/openssl/engine.h ../../include/openssl/err.h
+hw_ubsec.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
+hw_ubsec.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+hw_ubsec.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h
+hw_ubsec.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+hw_ubsec.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
+hw_ubsec.o: ../cryptlib.h hw_ubsec.c hw_ubsec_err.c hw_ubsec_err.h
+hw_ubsec.o: vendor_defns/hw_ubsec.h
+tb_cipher.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+tb_cipher.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h
+tb_cipher.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+tb_cipher.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
+tb_cipher.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+tb_cipher.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+tb_cipher.o: ../../include/openssl/objects.h
+tb_cipher.o: ../../include/openssl/opensslconf.h
+tb_cipher.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+tb_cipher.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h
+tb_cipher.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+tb_cipher.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
+tb_cipher.o: eng_int.h tb_cipher.c
+tb_dh.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+tb_dh.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h
+tb_dh.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+tb_dh.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
+tb_dh.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+tb_dh.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+tb_dh.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+tb_dh.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+tb_dh.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h
+tb_dh.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+tb_dh.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h eng_int.h
+tb_dh.o: tb_dh.c
+tb_digest.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+tb_digest.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h
+tb_digest.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+tb_digest.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
+tb_digest.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+tb_digest.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+tb_digest.o: ../../include/openssl/objects.h
+tb_digest.o: ../../include/openssl/opensslconf.h
+tb_digest.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+tb_digest.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h
+tb_digest.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+tb_digest.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
+tb_digest.o: eng_int.h tb_digest.c
+tb_dsa.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+tb_dsa.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h
+tb_dsa.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+tb_dsa.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
+tb_dsa.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+tb_dsa.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+tb_dsa.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+tb_dsa.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+tb_dsa.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h
+tb_dsa.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+tb_dsa.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h eng_int.h
+tb_dsa.o: tb_dsa.c
+tb_rand.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+tb_rand.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h
+tb_rand.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+tb_rand.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
+tb_rand.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+tb_rand.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+tb_rand.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+tb_rand.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+tb_rand.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h
+tb_rand.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+tb_rand.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
+tb_rand.o: eng_int.h tb_rand.c
+tb_rsa.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+tb_rsa.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h
+tb_rsa.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+tb_rsa.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
+tb_rsa.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+tb_rsa.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+tb_rsa.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+tb_rsa.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+tb_rsa.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h
+tb_rsa.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+tb_rsa.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h eng_int.h
+tb_rsa.o: tb_rsa.c
diff --git a/src/lib/libcrypto/engine/README b/src/lib/libcrypto/engine/README
index 96595e6f35..6b69b70f57 100644
--- a/src/lib/libcrypto/engine/README
+++ b/src/lib/libcrypto/engine/README
@@ -1,278 +1,211 @@
-NOTES, THOUGHTS, and EVERYTHING
--------------------------------
-
-(1) Concurrency and locking ... I made a change to the ENGINE_free code
-    because I spotted a potential hold-up in proceedings (doing too
-    much inside a lock including calling a callback), there may be
-    other bits like this. What do the speed/optimisation freaks think
-    of this aspect of the code and design? There's lots of locking for
-    manipulation functions and I need that to keep things nice and
-    solid, but this manipulation is mostly (de)initialisation, I would
-    think that most run-time locking is purely in the ENGINE_init and
-    ENGINE_finish calls that might be made when getting handles for
-    RSA (and friends') structures. These would be mostly reference
-    count operations as the functional references should always be 1
-    or greater at run-time to prevent init/deinit thrashing.
-
-(2) nCipher support, via the HWCryptoHook API, is now in the code.
-    Apparently this hasn't been tested too much yet, but it looks
-    good. :-) Atalla support has been added too, but shares a lot in
-    common with Ben's original hooks in bn_exp.c (although it has been
-    ENGINE-ified, and error handling wrapped around it) and it's also
-    had some low-volume testing, so it should be usable.
-
-(3) Of more concern, we need to work out (a) how to put together usable
-    RAND_METHODs for units that just have one "get n or less random
-    bytes" function, (b) we also need to determine how to hook the code
-    in crypto/rand/ to use the ENGINE defaults in a way similar to what
-    has been done in crypto/rsa/, crypto/dsa/, etc.
-
-(4) ENGINE should really grow to encompass more than 3 public key
-    algorithms and randomness gathering. The structure/data level of
-    the engine code is hidden from code outside the crypto/engine/
-    directory so change shouldn't be too viral. More important though
-    is how things should evolve ... this needs thought and discussion.
-
-
------------------------------------==*==-----------------------------------
-
-More notes 2000-08-01
----------------------
-
-Geoff Thorpe, who designed the engine part, wrote a pretty good description
-of the thoughts he had when he built it, good enough to include verbatim here
-(with his permission)                                   -- Richard Levitte
-
-
-Date: Tue, 1 Aug 2000 16:54:08 +0100 (BST)
-From: Geoff Thorpe
-Subject: Re: The thoughts to merge BRANCH_engine into the main trunk are
- emerging
-
-Hi there,
-
-I'm going to try and do some justice to this, but I'm a little short on
-time and the there is an endless amount that could be discussed on this
-subject. sigh ... please bear with me :-)
-
-> The changes in BRANCH_engine dig deep into the core of OpenSSL, for example
-> into the RSA and RAND routines, adding a level of indirection which is needed
-> to keep the abstraction, as far as I understand.  It would be a good thing if
-> those who do play with those things took a look at the changes that have been
-> done in the branch and say out loud how much (or hopefully little) we've made
-> fools of ourselves.
-
-The point here is that the code that has emerged in the BRANCH_engine
-branch was based on some initial requirements of mine that I went in and
-addressed, and Richard has picked up the ball and run with it too. It
-would be really useful to get some review of the approach we've taken, but
-first I think I need to describe as best I can the reasons behind what has
-been done so far, in particular what issues we have tried to address when
-doing this, and what issues we have intentionally (or necessarily) tried
-to avoid.
-
-methods, engines, and evps
---------------------------
-
-There has been some dicussion, particularly with Steve, about where this
-ENGINE stuff might fit into the conceptual picture as/when we start to
-abstract algorithms a little bit to make the library more extensible. In
-particular, it would desirable to have algorithms (symmetric, hash, pkc,
-etc) abstracted in some way that allows them to be just objects sitting in
-a list (or database) ... it'll just happen that the "DSA" object doesn't
-support encryption whereas the "RSA" object does. This requires a lot of
-consideration to begin to know how to tackle it; in particular how
-encapsulated should these things be? If the objects also understand their
-own ASN1 encodings and what-not, then it would for example be possible to
-add support for elliptic-curve DSA in as a new algorithm and automatically
-have ECC-DSA certificates supported in SSL applications. Possible, but not
-easy. :-)
-
-Whatever, it seems that the way to go (if I've grok'd Steve's comments on
-this in the past) is to amalgamate these things in EVP as is already done
-(I think) for ciphers or hashes (Steve, please correct/elaborate). I
-certainly think something should be done in this direction because right
-now we have different source directories, types, functions, and methods
-for each algorithm - even when conceptually they are very much different
-feathers of the same bird. (This is certainly all true for the public-key
-stuff, and may be partially true for the other parts.)
-
-ENGINE was *not* conceived as a way of solving this, far from it. Nor was
-it conceived as a way of replacing the various "***_METHOD"s. It was
-conceived as an abstraction of a sort of "virtual crypto device". If we
-lived in a world where "EVP_ALGO"s (or something like them) encapsulated
-particular algorithms like RSA,DSA,MD5,RC4,etc, and "***_METHOD"s
-encapsulated interfaces to algorithms (eg. some algo's might support a
-PKC_METHOD, a HASH_METHOD, or a CIPHER_METHOD, who knows?), then I would
-think that ENGINE would encapsulate an implementation of arbitrarily many
-of those algorithms - perhaps as alternatives to existing algorithms
-and/or perhaps as new previously unimplemented algorithms. An ENGINE could
-be used to contain an alternative software implementation, a wrapper for a
-hardware acceleration and/or key-management unit, a comms-wrapper for
-distributing cryptographic operations to remote machines, or any other
-"devices" your imagination can dream up.
-
-However, what has been done in the ENGINE branch so far is nothing more
-than starting to get our toes wet. I had a couple of self-imposed
-requirements when putting the initial abstraction together, and I may have
-already posed these in one form or another on the list, but briefly;
-
-   (i) only bother with public key algorithms for now, and maybe RAND too
-       (motivated by the need to get hardware support going and the fact
-       this was a comparitively easy subset to address to begin with).
-
-  (ii) don't change (if at all possible) the existing crypto code, ie. the
-       implementations, the way the ***_METHODs work, etc.
-
- (iii) ensure that if no function from the ENGINE code is ever called then
-       things work the way they always did, and there is no memory
-       allocation (otherwise the failure to cleanup would be a problem -
-       this is part of the reason no STACKs were used, the other part of
-       the reason being I found them inappropriate).
-
-  (iv) ensure that all the built-in crypto was encapsulated by one of
-       these "ENGINE"s and that this engine was automatically selected as
-       the default.
-
-   (v) provide the minimum hooking possible in the existing crypto code
-       so that global functions (eg. RSA_public_encrypt) do not need any
-       extra parameter, yet will use whatever the current default ENGINE
-       for that RSA key is, and that the default can be set "per-key"
-       and globally (new keys will assume the global default, and keys
-       without their own default will be operated on using the global
-       default). NB: Try and make (v) conflict as little as possible with
-       (ii). :-)
-
-  (vi) wrap the ENGINE code up in duct tape so you can't even see the
-       corners. Ie. expose no structures at all, just black-box pointers.
-
-   (v) maintain internally a list of ENGINEs on which a calling
-       application can iterate, interrogate, etc. Allow a calling
-       application to hook in new ENGINEs, remove ENGINEs from the list,
-       and enforce uniqueness within the global list of each ENGINE's
-       "unique id".
-
-  (vi) keep reference counts for everything - eg. this includes storing a
-       reference inside each RSA structure to the ENGINE that it uses.
-       This is freed when the RSA structure is destroyed, or has its
-       ENGINE explicitly changed. The net effect needs to be that at any
-       time, it is deterministic to know whether an ENGINE is in use or
-       can be safely removed (or unloaded in the case of the other type
-       of reference) without invalidating function pointers that may or
-       may not be used indavertently in the future. This was actually
-       one of the biggest problems to overcome in the existing OpenSSL
-       code - implementations had always been assumed to be ever-present,
-       so there was no trivial way to get round this.
-
- (vii) distinguish between structural references and functional
-       references.
-
-A *little* detail
+Notes: 2001-09-24
 -----------------
 
-While my mind is on it; I'll illustrate the bit in item (vii). This idea
-turned out to be very handy - the ENGINEs themselves need to be operated
-on and manipulated simply as objects without necessarily trying to
-"enable" them for use. Eg. most host machines will not have the necessary
-hardware or software to support all the engines one might compile into
-OpenSSL, yet it needs to be possible to iterate across the ENGINEs,
-querying their names, properties, etc - all happening in a thread-safe
-manner that uses reference counts (if you imagine two threads iterating
-through a list and one thread removing the ENGINE the other is currently
-looking at - you can see the gotcha waiting to happen). For all of this,
-*structural references* are used and operate much like the other reference
-counts in OpenSSL.
-
-The other kind of reference count is for *functional* references - these
-indicate a reference on which the caller can actually assume the
-particular ENGINE to be initialised and usable to perform the operations
-it implements. Any increment or decrement of the functional reference
-count automatically invokes a corresponding change in the structural
-reference count, as it is fairly obvious that a functional reference is a
-restricted case of a structural reference. So struct_ref >= funct_ref at
-all times. NB: functional references are usually obtained by a call to
-ENGINE_init(), but can also be created implicitly by calls that require a
-new functional reference to be created, eg. ENGINE_set_default(). Either
-way the only time the underlying ENGINE's "init" function is really called
-is when the (functional) reference count increases to 1, similarly the
-underlying "finish" handler is only called as the count goes down to 0.
-The effect of this, for example, is that if you set the default ENGINE for
-RSA operations to be "cswift", then its functional reference count will
-already be at least 1 so the CryptoSwift shared-library and the card will
-stay loaded and initialised until such time as all RSA keys using the
-cswift ENGINE are changed or destroyed and the default ENGINE for RSA
-operations has been changed. This prevents repeated thrashing of init and
-finish handling if the count keeps getting down as far as zero.
-
-Otherwise, the way the ENGINE code has been put together I think pretty
-much reflects the above points. The reason for the ENGINE structure having
-individual RSA_METHOD, DSA_METHOD, etc pointers is simply that it was the
-easiest way to go about things for now, to hook it all into the raw
-RSA,DSA,etc code, and I was trying to the keep the structure invisible
-anyway so that the way this is internally managed could be easily changed
-later on when we start to work out what's to be done about these other
-abstractions.
-
-Down the line, if some EVP-based technique emerges for adequately
-encapsulating algorithms and all their various bits and pieces, then I can
-imagine that "ENGINE" would turn into a reference-counting database of
-these EVP things, of which the default "openssl" ENGINE would be the
-library's own object database of pre-built software implemented algorithms
-(and such). It would also be cool to see the idea of "METHOD"s detached
-from the algorithms themselves ... so RSA, DSA, ElGamal, etc can all
-expose essentially the same METHOD (aka interface), which would include
-any querying/flagging stuff to identify what the algorithm can/can't do,
-its name, and other stuff like max/min block sizes, key sizes, etc. This
-would result in ENGINE similarly detaching its internal database of
-algorithm implementations from the function definitions that return
-interfaces to them. I think ...
-
-As for DSOs etc. Well the DSO code is pretty handy (but could be made much
-more so) for loading vendor's driver-libraries and talking to them in some
-generic way, but right now there's still big problems associated with
-actually putting OpenSSL code (ie. new ENGINEs, or anything else for that
-matter) in dynamically loadable libraries. These problems won't go away in
-a hurry so I don't think we should expect to have any kind of
-shared-library extensions any time soon - but solving the problems is a
-good thing to aim for, and would as a side-effect probably help make
-OpenSSL more usable as a shared-library itself (looking at the things
-needed to do this will show you why).
-
-One of the problems is that if you look at any of the ENGINE
-implementations, eg. hw_cswift.c or hw_ncipher.c, you'll see how it needs
-a variety of functionality and definitions from various areas of OpenSSL,
-including crypto/bn/, crypto/err/, crypto/ itself (locking for example),
-crypto/dso/, crypto/engine/, crypto/rsa, etc etc etc. So if similar code
-were to be suctioned off into shared libraries, the shared libraries would
-either have to duplicate all the definitions and code and avoid loader
-conflicts, or OpenSSL would have to somehow expose all that functionality
-to the shared-library. If this isn't a big enough problem, the issue of
-binary compatibility will be - anyone writing Apache modules can tell you
-that (Ralf? Ben? :-). However, I don't think OpenSSL would need to be
-quite so forgiving as Apache should be, so OpenSSL could simply tell its
-version to the DSO and leave the DSO with the problem of deciding whether
-to proceed or bail out for fear of binary incompatibilities.
-
-Certainly one thing that would go a long way to addressing this is to
-embark on a bit of an opaqueness mission. I've set the ENGINE code up with
-this in mind - it's so draconian that even to declare your own ENGINE, you
-have to get the engine code to create the underlying ENGINE structure, and
-then feed in the new ENGINE's function/method pointers through various
-"set" functions. The more of the code that takes on such a black-box
-approach, the more of the code that will be (a) easy to expose to shared
-libraries that need it, and (b) easy to expose to applications wanting to
-use OpenSSL itself as a shared-library. From my own explorations in
-OpenSSL, the biggest leviathan I've seen that is a problem in this respect
-is the BIGNUM code. Trying to "expose" the bignum code through any kind of
-organised "METHODs", let alone do all the necessary bignum operations
-solely through functions rather than direct access to the structures and
-macros, will be a massive pain in the "r"s.
-
-Anyway, I'm done for now - hope it was readable. Thoughts?
-
-Cheers,
-Geoff
-
-
------------------------------------==*==-----------------------------------
+This "description" (if one chooses to call it that) needed some major updating
+so here goes. This update addresses a change being made at the same time to
+OpenSSL, and it pretty much completely restructures the underlying mechanics of
+the "ENGINE" code. So it serves a double purpose of being a "ENGINE internals
+for masochists" document *and* a rather extensive commit log message. (I'd get
+lynched for sticking all this in CHANGES or the commit mails :-).
+
+ENGINE_TABLE underlies this restructuring, as described in the internal header
+"eng_int.h", implemented in eng_table.c, and used in each of the "class" files;
+tb_rsa.c, tb_dsa.c, etc.
+
+However, "EVP_CIPHER" underlies the motivation and design of ENGINE_TABLE so
+I'll mention a bit about that first. EVP_CIPHER (and most of this applies
+equally to EVP_MD for digests) is both a "method" and a algorithm/mode
+identifier that, in the current API, "lingers". These cipher description +
+implementation structures can be defined or obtained directly by applications,
+or can be loaded "en masse" into EVP storage so that they can be catalogued and
+searched in various ways, ie. two ways of encrypting with the "des_cbc"
+algorithm/mode pair are;
+
+(i) directly;
+     const EVP_CIPHER *cipher = EVP_des_cbc();
+     EVP_EncryptInit(&ctx, cipher, key, iv);
+     [ ... use EVP_EncryptUpdate() and EVP_EncryptFinal() ...]
+
+(ii) indirectly; 
+     OpenSSL_add_all_ciphers();
+     cipher = EVP_get_cipherbyname("des_cbc");
+     EVP_EncryptInit(&ctx, cipher, key, iv);
+     [ ... etc ... ]
+
+The latter is more generally used because it also allows ciphers/digests to be
+looked up based on other identifiers which can be useful for automatic cipher
+selection, eg. in SSL/TLS, or by user-controllable configuration.
+
+The important point about this is that EVP_CIPHER definitions and structures are
+passed around with impunity and there is no safe way, without requiring massive
+rewrites of many applications, to assume that EVP_CIPHERs can be reference
+counted. One an EVP_CIPHER is exposed to the caller, neither it nor anything it
+comes from can "safely" be destroyed. Unless of course the way of getting to
+such ciphers is via entirely distinct API calls that didn't exist before.
+However existing API usage cannot be made to understand when an EVP_CIPHER
+pointer, that has been passed to the caller, is no longer being used.
+
+The other problem with the existing API w.r.t. to hooking EVP_CIPHER support
+into ENGINE is storage - the OBJ_NAME-based storage used by EVP to register
+ciphers simultaneously registers cipher *types* and cipher *implementations* -
+they are effectively the same thing, an "EVP_CIPHER" pointer. The problem with
+hooking in ENGINEs is that multiple ENGINEs may implement the same ciphers. The
+solution is necessarily that ENGINE-provided ciphers simply are not registered,
+stored, or exposed to the caller in the same manner as existing ciphers. This is
+especially necessary considering the fact ENGINE uses reference counts to allow
+for cleanup, modularity, and DSO support - yet EVP_CIPHERs, as exposed to
+callers in the current API, support no such controls.
+
+Another sticking point for integrating cipher support into ENGINE is linkage.
+Already there is a problem with the way ENGINE supports RSA, DSA, etc whereby
+they are available *because* they're part of a giant ENGINE called "openssl".
+Ie. all implementations *have* to come from an ENGINE, but we get round that by
+having a giant ENGINE with all the software support encapsulated. This creates
+linker hassles if nothing else - linking a 1-line application that calls 2 basic
+RSA functions (eg. "RSA_free(RSA_new());") will result in large quantities of
+ENGINE code being linked in *and* because of that DSA, DH, and RAND also. If we
+continue with this approach for EVP_CIPHER support (even if it *was* possible)
+we would lose our ability to link selectively by selectively loading certain
+implementations of certain functionality. Touching any part of any kind of
+crypto would result in massive static linkage of everything else. So the
+solution is to change the way ENGINE feeds existing "classes", ie. how the
+hooking to ENGINE works from RSA, DSA, DH, RAND, as well as adding new hooking
+for EVP_CIPHER, and EVP_MD.
+
+The way this is now being done is by mostly reverting back to how things used to
+work prior to ENGINE :-). Ie. RSA now has a "RSA_METHOD" pointer again - this
+was previously replaced by an "ENGINE" pointer and all RSA code that required
+the RSA_METHOD would call ENGINE_get_RSA() each time on its ENGINE handle to
+temporarily get and use the ENGINE's RSA implementation. Apart from being more
+efficient, switching back to each RSA having an RSA_METHOD pointer also allows
+us to conceivably operate with *no* ENGINE. As we'll see, this removes any need
+for a fallback ENGINE that encapsulates default implementations - we can simply
+have our RSA structure pointing its RSA_METHOD pointer to the software
+implementation and have its ENGINE pointer set to NULL.
+
+A look at the EVP_CIPHER hooking is most explanatory, the RSA, DSA (etc) cases
+turn out to be degenerate forms of the same thing. The EVP storage of ciphers,
+and the existing EVP API functions that return "software" implementations and
+descriptions remain untouched. However, the storage takes more meaning in terms
+of "cipher description" and less meaning in terms of "implementation". When an
+EVP_CIPHER_CTX is actually initialised with an EVP_CIPHER method and is about to
+begin en/decryption, the hooking to ENGINE comes into play. What happens is that
+cipher-specific ENGINE code is asked for an ENGINE pointer (a functional
+reference) for any ENGINE that is registered to perform the algo/mode that the
+provided EVP_CIPHER structure represents. Under normal circumstances, that
+ENGINE code will return NULL because no ENGINEs will have had any cipher
+implementations *registered*. As such, a NULL ENGINE pointer is stored in the
+EVP_CIPHER_CTX context, and the EVP_CIPHER structure is left hooked into the
+context and so is used as the implementation. Pretty much how things work now
+except we'd have a redundant ENGINE pointer set to NULL and doing nothing.
+
+Conversely, if an ENGINE *has* been registered to perform the algorithm/mode
+combination represented by the provided EVP_CIPHER, then a functional reference
+to that ENGINE will be returned to the EVP_CIPHER_CTX during initialisation.
+That functional reference will be stored in the context (and released on
+cleanup) - and having that reference provides a *safe* way to use an EVP_CIPHER
+definition that is private to the ENGINE. Ie. the EVP_CIPHER provided by the
+application will actually be replaced by an EVP_CIPHER from the registered
+ENGINE - it will support the same algorithm/mode as the original but will be a
+completely different implementation. Because this EVP_CIPHER isn't stored in the
+EVP storage, nor is it returned to applications from traditional API functions,
+there is no associated problem with it not having reference counts. And of
+course, when one of these "private" cipher implementations is hooked into
+EVP_CIPHER_CTX, it is done whilst the EVP_CIPHER_CTX holds a functional
+reference to the ENGINE that owns it, thus the use of the ENGINE's EVP_CIPHER is
+safe.
+
+The "cipher-specific ENGINE code" I mentioned is implemented in tb_cipher.c but
+in essence it is simply an instantiation of "ENGINE_TABLE" code for use by
+EVP_CIPHER code. tb_digest.c is virtually identical but, of course, it is for
+use by EVP_MD code. Ditto for tb_rsa.c, tb_dsa.c, etc. These instantiations of
+ENGINE_TABLE essentially provide linker-separation of the classes so that even
+if ENGINEs implement *all* possible algorithms, an application using only
+EVP_CIPHER code will link at most code relating to EVP_CIPHER, tb_cipher.c, core
+ENGINE code that is independant of class, and of course the ENGINE
+implementation that the application loaded. It will *not* however link any
+class-specific ENGINE code for digests, RSA, etc nor will it bleed over into
+other APIs, such as the RSA/DSA/etc library code.
+
+ENGINE_TABLE is a little more complicated than may seem necessary but this is
+mostly to avoid a lot of "init()"-thrashing on ENGINEs (that may have to load
+DSOs, and other expensive setup that shouldn't be thrashed unnecessarily) *and*
+to duplicate "default" behaviour. Basically an ENGINE_TABLE instantiation, for
+example tb_cipher.c, implements a hash-table keyed by integer "nid" values.
+These nids provide the uniquenness of an algorithm/mode - and each nid will hash
+to a potentially NULL "ENGINE_PILE". An ENGINE_PILE is essentially a list of
+pointers to ENGINEs that implement that particular 'nid'. Each "pile" uses some
+caching tricks such that requests on that 'nid' will be cached and all future
+requests will return immediately (well, at least with minimal operation) unless
+a change is made to the pile, eg. perhaps an ENGINE was unloaded. The reason is
+that an application could have support for 10 ENGINEs statically linked
+in, and the machine in question may not have any of the hardware those 10
+ENGINEs support. If each of those ENGINEs has a "des_cbc" implementation, we
+want to avoid every EVP_CIPHER_CTX setup from trying (and failing) to initialise
+each of those 10 ENGINEs. Instead, the first such request will try to do that
+and will either return (and cache) a NULL ENGINE pointer or will return a
+functional reference to the first that successfully initialised. In the latter
+case it will also cache an extra functional reference to the ENGINE as a
+"default" for that 'nid'. The caching is acknowledged by a 'uptodate' variable
+that is unset only if un/registration takes place on that pile. Ie. if
+implementations of "des_cbc" are added or removed. This behaviour can be
+tweaked; the ENGINE_TABLE_FLAG_NOINIT value can be passed to
+ENGINE_set_table_flags(), in which case the only ENGINEs that tb_cipher.c will
+try to initialise from the "pile" will be those that are already initialised
+(ie. it's simply an increment of the functional reference count, and no real
+"initialisation" will take place).
+
+RSA, DSA, DH, and RAND all have their own ENGINE_TABLE code as well, and the
+difference is that they all use an implicit 'nid' of 1. Whereas EVP_CIPHERs are
+actually qualitatively different depending on 'nid' (the "des_cbc" EVP_CIPHER is
+not an interoperable implementation of "aes_256_cbc"), RSA_METHODs are
+necessarily interoperable and don't have different flavours, only different
+implementations. In other words, the ENGINE_TABLE for RSA will either be empty,
+or will have a single ENGING_PILE hashed to by the 'nid' 1 and that pile
+represents ENGINEs that implement the single "type" of RSA there is.
+
+Cleanup - the registration and unregistration may pose questions about how
+cleanup works with the ENGINE_PILE doing all this caching nonsense (ie. when the
+application or EVP_CIPHER code releases its last reference to an ENGINE, the
+ENGINE_PILE code may still have references and thus those ENGINEs will stay
+hooked in forever). The way this is handled is via "unregistration". With these
+new ENGINE changes, an abstract ENGINE can be loaded and initialised, but that
+is an algorithm-agnostic process. Even if initialised, it will not have
+registered any of its implementations (to do so would link all class "table"
+code despite the fact the application may use only ciphers, for example). This
+is deliberately a distinct step. Moreover, registration and unregistration has
+nothing to do with whether an ENGINE is *functional* or not (ie. you can even
+register an ENGINE and its implementations without it being operational, you may
+not even have the drivers to make it operate). What actually happens with
+respect to cleanup is managed inside eng_lib.c with the "engine_cleanup_***"
+functions. These functions are internal-only and each part of ENGINE code that
+could require cleanup will, upon performing its first allocation, register a
+callback with the "engine_cleanup" code. The other part of this that makes it
+tick is that the ENGINE_TABLE instantiations (tb_***.c) use NULL as their
+initialised state. So if RSA code asks for an ENGINE and no ENGINE has
+registered an implementation, the code will simply return NULL and the tb_rsa.c
+state will be unchanged. Thus, no cleanup is required unless registration takes
+place. ENGINE_cleanup() will simply iterate across a list of registered cleanup
+callbacks calling each in turn, and will then internally delete its own storage
+(a STACK). When a cleanup callback is next registered (eg. if the cleanup() is
+part of a gracefull restart and the application wants to cleanup all state then
+start again), the internal STACK storage will be freshly allocated. This is much
+the same as the situation in the ENGINE_TABLE instantiations ... NULL is the
+initialised state, so only modification operations (not queries) will cause that
+code to have to register a cleanup.
+
+What else? The bignum callbacks and associated ENGINE functions have been
+removed for two obvious reasons; (i) there was no way to generalise them to the
+mechanism now used by RSA/DSA/..., because there's no such thing as a BIGNUM
+method, and (ii) because of (i), there was no meaningful way for library or
+application code to automatically hook and use ENGINE supplied bignum functions
+anyway. Also, ENGINE_cpy() has been removed (although an internal-only version
+exists) - the idea of providing an ENGINE_cpy() function probably wasn't a good
+one and now certainly doesn't make sense in any generalised way. Some of the
+RSA, DSA, DH, and RAND functions that were fiddled during the original ENGINE
+changes have now, as a consequence, been reverted back. This is because the
+hooking of ENGINE is now automatic (and passive, it can interally use a NULL
+ENGINE pointer to simply ignore ENGINE from then on).
+
+Hell, that should be enough for now ... comments welcome: geoff@openssl.org
 
diff --git a/src/lib/libcrypto/engine/eng_all.c b/src/lib/libcrypto/engine/eng_all.c
new file mode 100644
index 0000000000..a35b3db9e8
--- /dev/null
+++ b/src/lib/libcrypto/engine/eng_all.c
@@ -0,0 +1,118 @@
+/* crypto/engine/eng_all.c -*- mode: C; c-file-style: "eay" -*- */
+/* Written by Richard Levitte <richard@levitte.org> for the OpenSSL
+ * project 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 2000-2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <openssl/err.h>
+#include <openssl/engine.h>
+#include "eng_int.h"
+
+#ifdef __OpenBSD__
+static int openbsd_default_loaded = 0;
+#endif
+
+void ENGINE_load_builtin_engines(void)
+        {
+        /* There's no longer any need for an "openssl" ENGINE unless, one day,
+         * it is the *only* way for standard builtin implementations to be be
+         * accessed (ie. it would be possible to statically link binaries with
+         * *no* builtin implementations). */
+#if 0
+        ENGINE_load_openssl();
+#endif
+        ENGINE_load_dynamic();
+#ifndef OPENSSL_NO_HW
+#ifndef OPENSSL_NO_HW_CSWIFT
+        ENGINE_load_cswift();
+#endif
+#ifndef OPENSSL_NO_HW_NCIPHER
+        ENGINE_load_chil();
+#endif
+#ifndef OPENSSL_NO_HW_ATALLA
+        ENGINE_load_atalla();
+#endif
+#ifndef OPENSSL_NO_HW_NURON
+        ENGINE_load_nuron();
+#endif
+#ifndef OPENSSL_NO_HW_UBSEC
+        ENGINE_load_ubsec();
+#endif
+#ifndef OPENSSL_NO_HW_AEP
+        ENGINE_load_aep();
+#endif
+#ifndef OPENSSL_NO_HW_SUREWARE
+        ENGINE_load_sureware();
+#endif
+#ifdef OPENSSL_OPENBSD_DEV_CRYPTO
+        ENGINE_load_openbsd_dev_crypto();
+#endif
+#ifdef __OpenBSD__
+        ENGINE_load_cryptodev();
+#endif
+#endif
+        }
+
+#ifdef __OpenBSD__
+void ENGINE_setup_openbsd(void) {
+        if (!openbsd_default_loaded) {
+                ENGINE_load_cryptodev();
+                ENGINE_register_all_complete();
+        }
+        openbsd_default_loaded=1;
+}
+#endif
+
+
diff --git a/src/lib/libcrypto/engine/eng_cnf.c b/src/lib/libcrypto/engine/eng_cnf.c
new file mode 100644
index 0000000000..8c0ae8a1ad
--- /dev/null
+++ b/src/lib/libcrypto/engine/eng_cnf.c
@@ -0,0 +1,242 @@
+/* eng_cnf.c */
+/* Written by Stephen Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 2001.
+ */
+/* ====================================================================
+ * Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <openssl/crypto.h>
+#include "cryptlib.h"
+#include <openssl/conf.h>
+#include <openssl/engine.h>
+
+/* #define ENGINE_CONF_DEBUG */
+
+/* ENGINE config module */
+
+static char *skip_dot(char *name)
+        {
+        char *p;
+        p = strchr(name, '.');
+        if (p)
+                return p + 1;
+        return name;
+        }
+
+static STACK_OF(ENGINE) *initialized_engines = NULL;
+
+static int int_engine_init(ENGINE *e)
+        {
+        if (!ENGINE_init(e))
+                return 0;
+        if (!initialized_engines)
+                initialized_engines = sk_ENGINE_new_null();
+        if (!initialized_engines || !sk_ENGINE_push(initialized_engines, e))
+                {
+                ENGINE_finish(e);
+                return 0;
+                }
+        return 1;
+        }
+        
+
+int int_engine_configure(char *name, char *value, const CONF *cnf)
+        {
+        int i;
+        int ret = 0;
+        long do_init = -1;
+        STACK_OF(CONF_VALUE) *ecmds;
+        CONF_VALUE *ecmd;
+        char *ctrlname, *ctrlvalue;
+        ENGINE *e = NULL;
+        name = skip_dot(name);
+#ifdef ENGINE_CONF_DEBUG
+        fprintf(stderr, "Configuring engine %s\n", name);
+#endif
+        /* Value is a section containing ENGINE commands */
+        ecmds = NCONF_get_section(cnf, value);
+
+        if (!ecmds)
+                {
+                ENGINEerr(ENGINE_F_INT_ENGINE_CONFIGURE, ENGINE_R_ENGINE_SECTION_ERROR);
+                return 0;
+                }
+
+        for (i = 0; i < sk_CONF_VALUE_num(ecmds); i++)
+                {
+                ecmd = sk_CONF_VALUE_value(ecmds, i);
+                ctrlname = skip_dot(ecmd->name);
+                ctrlvalue = ecmd->value;
+#ifdef ENGINE_CONF_DEBUG
+        fprintf(stderr, "ENGINE conf: doing ctrl(%s,%s)\n", ctrlname, ctrlvalue);
+#endif
+
+                /* First handle some special pseudo ctrls */
+
+                /* Override engine name to use */
+                if (!strcmp(ctrlname, "engine_id"))
+                        name = ctrlvalue;
+                /* Load a dynamic ENGINE */
+                else if (!strcmp(ctrlname, "dynamic_path"))
+                        {
+                        e = ENGINE_by_id("dynamic");
+                        if (!e)
+                                goto err;
+                        if (!ENGINE_ctrl_cmd_string(e, "SO_PATH", ctrlvalue, 0))
+                                goto err;
+                        if (!ENGINE_ctrl_cmd_string(e, "LIST_ADD", "2", 0))
+                                goto err;
+                        if (!ENGINE_ctrl_cmd_string(e, "LOAD", NULL, 0))
+                                goto err;
+                        }
+                /* ... add other pseudos here ... */
+                else
+                        {
+                        /* At this point we need an ENGINE structural reference
+                         * if we don't already have one.
+                         */
+                        if (!e)
+                                {
+                                e = ENGINE_by_id(name);
+                                if (!e)
+                                        return 0;
+                                }
+                        /* Allow "EMPTY" to mean no value: this allows a valid
+                         * "value" to be passed to ctrls of type NO_INPUT
+                         */
+                        if (!strcmp(ctrlvalue, "EMPTY"))
+                                ctrlvalue = NULL;
+                        else if (!strcmp(ctrlname, "init"))
+                                {
+                                if (!NCONF_get_number_e(cnf, value, "init", &do_init))
+                                        goto err;
+                                if (do_init == 1)
+                                        {
+                                        if (!int_engine_init(e))
+                                                goto err;
+                                        }
+                                else if (do_init != 0)
+                                        {
+                                        ENGINEerr(ENGINE_F_INT_ENGINE_CONFIGURE, ENGINE_R_INVALID_INIT_VALUE);
+                                        goto err;
+                                        }
+                                }
+                        else if (!strcmp(ctrlname, "default_algorithms"))
+                                {
+                                if (!ENGINE_set_default_string(e, ctrlvalue))
+                                        goto err;
+                                }
+                        else if (!ENGINE_ctrl_cmd_string(e,
+                                        ctrlname, ctrlvalue, 0))
+                                return 0;
+                        }
+
+
+
+                }
+        if (e && (do_init == -1) && !int_engine_init(e))
+                goto err;
+        ret = 1;
+        err:
+        if (e)
+                ENGINE_free(e);
+        return ret;
+        }
+
+
+static int int_engine_module_init(CONF_IMODULE *md, const CONF *cnf)
+        {
+        STACK_OF(CONF_VALUE) *elist;
+        CONF_VALUE *cval;
+        int i;
+#ifdef ENGINE_CONF_DEBUG
+        fprintf(stderr, "Called engine module: name %s, value %s\n",
+                        CONF_imodule_get_name(md), CONF_imodule_get_value(md));
+#endif
+        /* Value is a section containing ENGINEs to configure */
+        elist = NCONF_get_section(cnf, CONF_imodule_get_value(md));
+
+        if (!elist)
+                {
+                ENGINEerr(ENGINE_F_ENGINE_MODULE_INIT, ENGINE_R_ENGINES_SECTION_ERROR);
+                return 0;
+                }
+
+        for (i = 0; i < sk_CONF_VALUE_num(elist); i++)
+                {
+                cval = sk_CONF_VALUE_value(elist, i);
+                if (!int_engine_configure(cval->name, cval->value, cnf))
+                        return 0;
+                }
+
+        return 1;
+        }
+
+static void int_engine_module_finish(CONF_IMODULE *md)
+        {
+        ENGINE *e;
+        while ((e = sk_ENGINE_pop(initialized_engines)))
+                ENGINE_finish(e);
+        sk_ENGINE_free(initialized_engines);
+        initialized_engines = NULL;
+        }
+        
+
+void ENGINE_add_conf_module(void)
+        {
+        CONF_module_add("engines",
+                        int_engine_module_init,
+                        int_engine_module_finish);
+        }
diff --git a/src/lib/libcrypto/engine/eng_ctrl.c b/src/lib/libcrypto/engine/eng_ctrl.c
new file mode 100644
index 0000000000..ad3858395b
--- /dev/null
+++ b/src/lib/libcrypto/engine/eng_ctrl.c
@@ -0,0 +1,387 @@
+/* crypto/engine/eng_ctrl.c */
+/* ====================================================================
+ * Copyright (c) 1999-2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <openssl/crypto.h>
+#include "cryptlib.h"
+#include "eng_int.h"
+#include <openssl/engine.h>
+
+/* When querying a ENGINE-specific control command's 'description', this string
+ * is used if the ENGINE_CMD_DEFN has cmd_desc set to NULL. */
+static const char *int_no_description = "";
+
+/* These internal functions handle 'CMD'-related control commands when the
+ * ENGINE in question has asked us to take care of it (ie. the ENGINE did not
+ * set the ENGINE_FLAGS_MANUAL_CMD_CTRL flag. */
+
+static int int_ctrl_cmd_is_null(const ENGINE_CMD_DEFN *defn)
+        {
+        if((defn->cmd_num == 0) || (defn->cmd_name == NULL))
+                return 1;
+        return 0;
+        }
+
+static int int_ctrl_cmd_by_name(const ENGINE_CMD_DEFN *defn, const char *s)
+        {
+        int idx = 0;
+        while(!int_ctrl_cmd_is_null(defn) && (strcmp(defn->cmd_name, s) != 0))
+                {
+                idx++;
+                defn++;
+                }
+        if(int_ctrl_cmd_is_null(defn))
+                /* The given name wasn't found */
+                return -1;
+        return idx;
+        }
+
+static int int_ctrl_cmd_by_num(const ENGINE_CMD_DEFN *defn, unsigned int num)
+        {
+        int idx = 0;
+        /* NB: It is stipulated that 'cmd_defn' lists are ordered by cmd_num. So
+         * our searches don't need to take any longer than necessary. */
+        while(!int_ctrl_cmd_is_null(defn) && (defn->cmd_num < num))
+                {
+                idx++;
+                defn++;
+                }
+        if(defn->cmd_num == num)
+                return idx;
+        /* The given cmd_num wasn't found */
+        return -1;
+        }
+
+static int int_ctrl_helper(ENGINE *e, int cmd, long i, void *p, void (*f)())
+        {
+        int idx;
+        char *s = (char *)p;
+        /* Take care of the easy one first (eg. it requires no searches) */
+        if(cmd == ENGINE_CTRL_GET_FIRST_CMD_TYPE)
+                {
+                if((e->cmd_defns == NULL) || int_ctrl_cmd_is_null(e->cmd_defns))
+                        return 0;
+                return e->cmd_defns->cmd_num;
+                }
+        /* One or two commands require that "p" be a valid string buffer */
+        if((cmd == ENGINE_CTRL_GET_CMD_FROM_NAME) ||
+                        (cmd == ENGINE_CTRL_GET_NAME_FROM_CMD) ||
+                        (cmd == ENGINE_CTRL_GET_DESC_FROM_CMD))
+                {
+                if(s == NULL)
+                        {
+                        ENGINEerr(ENGINE_F_INT_CTRL_HELPER,
+                                ERR_R_PASSED_NULL_PARAMETER);
+                        return -1;
+                        }
+                }
+        /* Now handle cmd_name -> cmd_num conversion */
+        if(cmd == ENGINE_CTRL_GET_CMD_FROM_NAME)
+                {
+                if((e->cmd_defns == NULL) || ((idx = int_ctrl_cmd_by_name(
+                                                e->cmd_defns, s)) < 0))
+                        {
+                        ENGINEerr(ENGINE_F_INT_CTRL_HELPER,
+                                ENGINE_R_INVALID_CMD_NAME);
+                        return -1;
+                        }
+                return e->cmd_defns[idx].cmd_num;
+                }
+        /* For the rest of the commands, the 'long' argument must specify a
+         * valie command number - so we need to conduct a search. */
+        if((e->cmd_defns == NULL) || ((idx = int_ctrl_cmd_by_num(e->cmd_defns,
+                                        (unsigned int)i)) < 0))
+                {
+                ENGINEerr(ENGINE_F_INT_CTRL_HELPER,
+                        ENGINE_R_INVALID_CMD_NUMBER);
+                return -1;
+                }
+        /* Now the logic splits depending on command type */
+        switch(cmd)
+                {
+        case ENGINE_CTRL_GET_NEXT_CMD_TYPE:
+                idx++;
+                if(int_ctrl_cmd_is_null(e->cmd_defns + idx))
+                        /* end-of-list */
+                        return 0;
+                else
+                        return e->cmd_defns[idx].cmd_num;
+        case ENGINE_CTRL_GET_NAME_LEN_FROM_CMD:
+                return strlen(e->cmd_defns[idx].cmd_name);
+        case ENGINE_CTRL_GET_NAME_FROM_CMD:
+                return sprintf(s, "%s", e->cmd_defns[idx].cmd_name);
+        case ENGINE_CTRL_GET_DESC_LEN_FROM_CMD:
+                if(e->cmd_defns[idx].cmd_desc)
+                        return strlen(e->cmd_defns[idx].cmd_desc);
+                return strlen(int_no_description);
+        case ENGINE_CTRL_GET_DESC_FROM_CMD:
+                if(e->cmd_defns[idx].cmd_desc)
+                        return sprintf(s, "%s", e->cmd_defns[idx].cmd_desc);
+                return sprintf(s, "%s", int_no_description);
+        case ENGINE_CTRL_GET_CMD_FLAGS:
+                return e->cmd_defns[idx].cmd_flags;
+                }
+        /* Shouldn't really be here ... */
+        ENGINEerr(ENGINE_F_INT_CTRL_HELPER,ENGINE_R_INTERNAL_LIST_ERROR);
+        return -1;
+        }
+
+int ENGINE_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)())
+        {
+        int ctrl_exists, ref_exists;
+        if(e == NULL)
+                {
+                ENGINEerr(ENGINE_F_ENGINE_CTRL,ERR_R_PASSED_NULL_PARAMETER);
+                return 0;
+                }
+        CRYPTO_w_lock(CRYPTO_LOCK_ENGINE);
+        ref_exists = ((e->struct_ref > 0) ? 1 : 0);
+        CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
+        ctrl_exists = ((e->ctrl == NULL) ? 0 : 1);
+        if(!ref_exists)
+                {
+                ENGINEerr(ENGINE_F_ENGINE_CTRL,ENGINE_R_NO_REFERENCE);
+                return 0;
+                }
+        /* Intercept any "root-level" commands before trying to hand them on to
+         * ctrl() handlers. */
+        switch(cmd)
+                {
+        case ENGINE_CTRL_HAS_CTRL_FUNCTION:
+                return ctrl_exists;
+        case ENGINE_CTRL_GET_FIRST_CMD_TYPE:
+        case ENGINE_CTRL_GET_NEXT_CMD_TYPE:
+        case ENGINE_CTRL_GET_CMD_FROM_NAME:
+        case ENGINE_CTRL_GET_NAME_LEN_FROM_CMD:
+        case ENGINE_CTRL_GET_NAME_FROM_CMD:
+        case ENGINE_CTRL_GET_DESC_LEN_FROM_CMD:
+        case ENGINE_CTRL_GET_DESC_FROM_CMD:
+        case ENGINE_CTRL_GET_CMD_FLAGS:
+                if(ctrl_exists && !(e->flags & ENGINE_FLAGS_MANUAL_CMD_CTRL))
+                        return int_ctrl_helper(e,cmd,i,p,f);
+                if(!ctrl_exists)
+                        {
+                        ENGINEerr(ENGINE_F_ENGINE_CTRL,ENGINE_R_NO_CONTROL_FUNCTION);
+                        /* For these cmd-related functions, failure is indicated
+                         * by a -1 return value (because 0 is used as a valid
+                         * return in some places). */
+                        return -1;
+                        }
+        default:
+                break;
+                }
+        /* Anything else requires a ctrl() handler to exist. */
+        if(!ctrl_exists)
+                {
+                ENGINEerr(ENGINE_F_ENGINE_CTRL,ENGINE_R_NO_CONTROL_FUNCTION);
+                return 0;
+                }
+        return e->ctrl(e, cmd, i, p, f);
+        }
+
+int ENGINE_cmd_is_executable(ENGINE *e, int cmd)
+        {
+        int flags;
+        if((flags = ENGINE_ctrl(e, ENGINE_CTRL_GET_CMD_FLAGS, cmd, NULL, NULL)) < 0)
+                {
+                ENGINEerr(ENGINE_F_ENGINE_CMD_IS_EXECUTABLE,
+                        ENGINE_R_INVALID_CMD_NUMBER);
+                return 0;
+                }
+        if(!(flags & ENGINE_CMD_FLAG_NO_INPUT) &&
+                        !(flags & ENGINE_CMD_FLAG_NUMERIC) &&
+                        !(flags & ENGINE_CMD_FLAG_STRING))
+                return 0;
+        return 1;
+        }
+
+int ENGINE_ctrl_cmd(ENGINE *e, const char *cmd_name,
+        long i, void *p, void (*f)(), int cmd_optional)
+        {
+        int num;
+
+        if((e == NULL) || (cmd_name == NULL))
+                {
+                ENGINEerr(ENGINE_F_ENGINE_CTRL_CMD_STRING,
+                        ERR_R_PASSED_NULL_PARAMETER);
+                return 0;
+                }
+        if((e->ctrl == NULL) || ((num = ENGINE_ctrl(e,
+                                        ENGINE_CTRL_GET_CMD_FROM_NAME,
+                                        0, (void *)cmd_name, NULL)) <= 0))
+                {
+                /* If the command didn't *have* to be supported, we fake
+                 * success. This allows certain settings to be specified for
+                 * multiple ENGINEs and only require a change of ENGINE id
+                 * (without having to selectively apply settings). Eg. changing
+                 * from a hardware device back to the regular software ENGINE
+                 * without editing the config file, etc. */
+                if(cmd_optional)
+                        {
+                        ERR_clear_error();
+                        return 1;
+                        }
+                ENGINEerr(ENGINE_F_ENGINE_CTRL_CMD,
+                        ENGINE_R_INVALID_CMD_NAME);
+                return 0;
+                }
+        /* Force the result of the control command to 0 or 1, for the reasons
+         * mentioned before. */
+        if (ENGINE_ctrl(e, num, i, p, f))
+                return 1;
+        return 0;
+        }
+
+int ENGINE_ctrl_cmd_string(ENGINE *e, const char *cmd_name, const char *arg,
+                                int cmd_optional)
+        {
+        int num, flags;
+        long l;
+        char *ptr;
+        if((e == NULL) || (cmd_name == NULL))
+                {
+                ENGINEerr(ENGINE_F_ENGINE_CTRL_CMD_STRING,
+                        ERR_R_PASSED_NULL_PARAMETER);
+                return 0;
+                }
+        if((e->ctrl == NULL) || ((num = ENGINE_ctrl(e,
+                                        ENGINE_CTRL_GET_CMD_FROM_NAME,
+                                        0, (void *)cmd_name, NULL)) <= 0))
+                {
+                /* If the command didn't *have* to be supported, we fake
+                 * success. This allows certain settings to be specified for
+                 * multiple ENGINEs and only require a change of ENGINE id
+                 * (without having to selectively apply settings). Eg. changing
+                 * from a hardware device back to the regular software ENGINE
+                 * without editing the config file, etc. */
+                if(cmd_optional)
+                        {
+                        ERR_clear_error();
+                        return 1;
+                        }
+                ENGINEerr(ENGINE_F_ENGINE_CTRL_CMD_STRING,
+                        ENGINE_R_INVALID_CMD_NAME);
+                return 0;
+                }
+        if(!ENGINE_cmd_is_executable(e, num))
+                {
+                ENGINEerr(ENGINE_F_ENGINE_CTRL_CMD_STRING,
+                        ENGINE_R_CMD_NOT_EXECUTABLE);
+                return 0;
+                }
+        if((flags = ENGINE_ctrl(e, ENGINE_CTRL_GET_CMD_FLAGS, num, NULL, NULL)) < 0)
+                {
+                /* Shouldn't happen, given that ENGINE_cmd_is_executable()
+                 * returned success. */
+                ENGINEerr(ENGINE_F_ENGINE_CTRL_CMD_STRING,
+                        ENGINE_R_INTERNAL_LIST_ERROR);
+                return 0;
+                }
+        /* If the command takes no input, there must be no input. And vice
+         * versa. */
+        if(flags & ENGINE_CMD_FLAG_NO_INPUT)
+                {
+                if(arg != NULL)
+                        {
+                        ENGINEerr(ENGINE_F_ENGINE_CTRL_CMD_STRING,
+                                ENGINE_R_COMMAND_TAKES_NO_INPUT);
+                        return 0;
+                        }
+                /* We deliberately force the result of ENGINE_ctrl() to 0 or 1
+                 * rather than returning it as "return data". This is to ensure
+                 * usage of these commands is consistent across applications and
+                 * that certain applications don't understand it one way, and
+                 * others another. */
+                if(ENGINE_ctrl(e, num, 0, (void *)arg, NULL))
+                        return 1;
+                return 0;
+                }
+        /* So, we require input */
+        if(arg == NULL)
+                {
+                ENGINEerr(ENGINE_F_ENGINE_CTRL_CMD_STRING,
+                        ENGINE_R_COMMAND_TAKES_INPUT);
+                return 0;
+                }
+        /* If it takes string input, that's easy */
+        if(flags & ENGINE_CMD_FLAG_STRING)
+                {
+                /* Same explanation as above */
+                if(ENGINE_ctrl(e, num, 0, (void *)arg, NULL))
+                        return 1;
+                return 0;
+                }
+        /* If it doesn't take numeric either, then it is unsupported for use in
+         * a config-setting situation, which is what this function is for. This
+         * should never happen though, because ENGINE_cmd_is_executable() was
+         * used. */
+        if(!(flags & ENGINE_CMD_FLAG_NUMERIC))
+                {
+                ENGINEerr(ENGINE_F_ENGINE_CTRL_CMD_STRING,
+                        ENGINE_R_INTERNAL_LIST_ERROR);
+                return 0;
+                }
+        l = strtol(arg, &ptr, 10);
+        if((arg == ptr) || (*ptr != '\0'))
+                {
+                ENGINEerr(ENGINE_F_ENGINE_CTRL_CMD_STRING,
+                        ENGINE_R_ARGUMENT_IS_NOT_A_NUMBER);
+                return 0;
+                }
+        /* Force the result of the control command to 0 or 1, for the reasons
+         * mentioned before. */
+        if(ENGINE_ctrl(e, num, l, NULL, NULL))
+                return 1;
+        return 0;
+        }
diff --git a/src/lib/libcrypto/engine/eng_dyn.c b/src/lib/libcrypto/engine/eng_dyn.c
new file mode 100644
index 0000000000..4fefcc0cae
--- /dev/null
+++ b/src/lib/libcrypto/engine/eng_dyn.c
@@ -0,0 +1,446 @@
+/* crypto/engine/eng_dyn.c */
+/* Written by Geoff Thorpe (geoff@geoffthorpe.net) for the OpenSSL
+ * project 2001.
+ */
+/* ====================================================================
+ * Copyright (c) 1999-2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+
+#include <stdio.h>
+#include <openssl/crypto.h>
+#include "cryptlib.h"
+#include "eng_int.h"
+#include <openssl/engine.h>
+#include <openssl/dso.h>
+
+/* Shared libraries implementing ENGINEs for use by the "dynamic" ENGINE loader
+ * should implement the hook-up functions with the following prototypes. */
+
+/* Our ENGINE handlers */
+static int dynamic_init(ENGINE *e);
+static int dynamic_finish(ENGINE *e);
+static int dynamic_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)());
+/* Predeclare our context type */
+typedef struct st_dynamic_data_ctx dynamic_data_ctx;
+/* The implementation for the important control command */
+static int dynamic_load(ENGINE *e, dynamic_data_ctx *ctx);
+
+#define DYNAMIC_CMD_SO_PATH             ENGINE_CMD_BASE
+#define DYNAMIC_CMD_NO_VCHECK           (ENGINE_CMD_BASE + 1)
+#define DYNAMIC_CMD_ID                  (ENGINE_CMD_BASE + 2)
+#define DYNAMIC_CMD_LIST_ADD            (ENGINE_CMD_BASE + 3)
+#define DYNAMIC_CMD_LOAD                (ENGINE_CMD_BASE + 4)
+
+/* The constants used when creating the ENGINE */
+static const char *engine_dynamic_id = "dynamic";
+static const char *engine_dynamic_name = "Dynamic engine loading support";
+static const ENGINE_CMD_DEFN dynamic_cmd_defns[] = {
+        {DYNAMIC_CMD_SO_PATH,
+                "SO_PATH",
+                "Specifies the path to the new ENGINE shared library",
+                ENGINE_CMD_FLAG_STRING},
+        {DYNAMIC_CMD_NO_VCHECK,
+                "NO_VCHECK",
+                "Specifies to continue even if version checking fails (boolean)",
+                ENGINE_CMD_FLAG_NUMERIC},
+        {DYNAMIC_CMD_ID,
+                "ID",
+                "Specifies an ENGINE id name for loading",
+                ENGINE_CMD_FLAG_STRING},
+        {DYNAMIC_CMD_LIST_ADD,
+                "LIST_ADD",
+                "Whether to add a loaded ENGINE to the internal list (0=no,1=yes,2=mandatory)",
+                ENGINE_CMD_FLAG_NUMERIC},
+        {DYNAMIC_CMD_LOAD,
+                "LOAD",
+                "Load up the ENGINE specified by other settings",
+                ENGINE_CMD_FLAG_NO_INPUT},
+        {0, NULL, NULL, 0}
+        };
+static const ENGINE_CMD_DEFN dynamic_cmd_defns_empty[] = {
+        {0, NULL, NULL, 0}
+        };
+
+/* Loading code stores state inside the ENGINE structure via the "ex_data"
+ * element. We load all our state into a single structure and use that as a
+ * single context in the "ex_data" stack. */
+struct st_dynamic_data_ctx
+        {
+        /* The DSO object we load that supplies the ENGINE code */
+        DSO *dynamic_dso;
+        /* The function pointer to the version checking shared library function */
+        dynamic_v_check_fn v_check;
+        /* The function pointer to the engine-binding shared library function */
+        dynamic_bind_engine bind_engine;
+        /* The default name/path for loading the shared library */
+        const char *DYNAMIC_LIBNAME;
+        /* Whether to continue loading on a version check failure */
+        int no_vcheck;
+        /* If non-NULL, stipulates the 'id' of the ENGINE to be loaded */
+        const char *engine_id;
+        /* If non-zero, a successfully loaded ENGINE should be added to the internal
+         * ENGINE list. If 2, the add must succeed or the entire load should fail. */
+        int list_add_value;
+        /* The symbol name for the version checking function */
+        const char *DYNAMIC_F1;
+        /* The symbol name for the "initialise ENGINE structure" function */
+        const char *DYNAMIC_F2;
+        };
+
+/* This is the "ex_data" index we obtain and reserve for use with our context
+ * structure. */
+static int dynamic_ex_data_idx = -1;
+
+/* Because our ex_data element may or may not get allocated depending on whether
+ * a "first-use" occurs before the ENGINE is freed, we have a memory leak
+ * problem to solve. We can't declare a "new" handler for the ex_data as we
+ * don't want a dynamic_data_ctx in *all* ENGINE structures of all types (this
+ * is a bug in the design of CRYPTO_EX_DATA). As such, we just declare a "free"
+ * handler and that will get called if an ENGINE is being destroyed and there
+ * was an ex_data element corresponding to our context type. */
+static void dynamic_data_ctx_free_func(void *parent, void *ptr,
+                        CRYPTO_EX_DATA *ad, int idx, long argl, void *argp)
+        {
+        if(ptr)
+                {
+                dynamic_data_ctx *ctx = (dynamic_data_ctx *)ptr;
+                if(ctx->dynamic_dso)
+                        DSO_free(ctx->dynamic_dso);
+                OPENSSL_free(ctx);
+                }
+        }
+
+/* Construct the per-ENGINE context. We create it blindly and then use a lock to
+ * check for a race - if so, all but one of the threads "racing" will have
+ * wasted their time. The alternative involves creating everything inside the
+ * lock which is far worse. */
+static int dynamic_set_data_ctx(ENGINE *e, dynamic_data_ctx **ctx)
+        {
+        dynamic_data_ctx *c;
+        c = OPENSSL_malloc(sizeof(dynamic_data_ctx));
+        if(!ctx)
+                {
+                ENGINEerr(ENGINE_F_SET_DATA_CTX,ERR_R_MALLOC_FAILURE);
+                return 0;
+                }
+        memset(c, 0, sizeof(dynamic_data_ctx));
+        c->dynamic_dso = NULL;
+        c->v_check = NULL;
+        c->bind_engine = NULL;
+        c->DYNAMIC_LIBNAME = NULL;
+        c->no_vcheck = 0;
+        c->engine_id = NULL;
+        c->list_add_value = 0;
+        c->DYNAMIC_F1 = "v_check";
+        c->DYNAMIC_F2 = "bind_engine";
+        CRYPTO_w_lock(CRYPTO_LOCK_ENGINE);
+        if((*ctx = (dynamic_data_ctx *)ENGINE_get_ex_data(e,
+                                dynamic_ex_data_idx)) == NULL)
+                {
+                /* Good, we're the first */
+                ENGINE_set_ex_data(e, dynamic_ex_data_idx, c);
+                *ctx = c;
+                c = NULL;
+                }
+        CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
+        /* If we lost the race to set the context, c is non-NULL and *ctx is the
+         * context of the thread that won. */
+        if(c)
+                OPENSSL_free(c);
+        return 1;
+        }
+
+/* This function retrieves the context structure from an ENGINE's "ex_data", or
+ * if it doesn't exist yet, sets it up. */
+static dynamic_data_ctx *dynamic_get_data_ctx(ENGINE *e)
+        {
+        dynamic_data_ctx *ctx;
+        if(dynamic_ex_data_idx < 0)
+                {
+                /* Create and register the ENGINE ex_data, and associate our
+                 * "free" function with it to ensure any allocated contexts get
+                 * freed when an ENGINE goes underground. */
+                int new_idx = ENGINE_get_ex_new_index(0, NULL, NULL, NULL,
+                                        dynamic_data_ctx_free_func);
+                if(new_idx == -1)
+                        {
+                        ENGINEerr(ENGINE_F_DYNAMIC_GET_DATA_CTX,ENGINE_R_NO_INDEX);
+                        return NULL;
+                        }
+                CRYPTO_w_lock(CRYPTO_LOCK_ENGINE);
+                /* Avoid a race by checking again inside this lock */
+                if(dynamic_ex_data_idx < 0)
+                        {
+                        /* Good, someone didn't beat us to it */
+                        dynamic_ex_data_idx = new_idx;
+                        new_idx = -1;
+                        }
+                CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
+                /* In theory we could "give back" the index here if
+                 * (new_idx>-1), but it's not possible and wouldn't gain us much
+                 * if it were. */
+                }
+        ctx = (dynamic_data_ctx *)ENGINE_get_ex_data(e, dynamic_ex_data_idx);
+        /* Check if the context needs to be created */
+        if((ctx == NULL) && !dynamic_set_data_ctx(e, &ctx))
+                /* "set_data" will set errors if necessary */
+                return NULL;
+        return ctx;
+        }
+
+static ENGINE *engine_dynamic(void)
+        {
+        ENGINE *ret = ENGINE_new();
+        if(!ret)
+                return NULL;
+        if(!ENGINE_set_id(ret, engine_dynamic_id) ||
+                        !ENGINE_set_name(ret, engine_dynamic_name) ||
+                        !ENGINE_set_init_function(ret, dynamic_init) ||
+                        !ENGINE_set_finish_function(ret, dynamic_finish) ||
+                        !ENGINE_set_ctrl_function(ret, dynamic_ctrl) ||
+                        !ENGINE_set_flags(ret, ENGINE_FLAGS_BY_ID_COPY) ||
+                        !ENGINE_set_cmd_defns(ret, dynamic_cmd_defns))
+                {
+                ENGINE_free(ret);
+                return NULL;
+                }
+        return ret;
+        }
+
+void ENGINE_load_dynamic(void)
+        {
+        ENGINE *toadd = engine_dynamic();
+        if(!toadd) return;
+        ENGINE_add(toadd);
+        /* If the "add" worked, it gets a structural reference. So either way,
+         * we release our just-created reference. */
+        ENGINE_free(toadd);
+        /* If the "add" didn't work, it was probably a conflict because it was
+         * already added (eg. someone calling ENGINE_load_blah then calling
+         * ENGINE_load_builtin_engines() perhaps). */
+        ERR_clear_error();
+        }
+
+static int dynamic_init(ENGINE *e)
+        {
+        /* We always return failure - the "dyanamic" engine itself can't be used
+         * for anything. */
+        return 0;
+        }
+
+static int dynamic_finish(ENGINE *e)
+        {
+        /* This should never be called on account of "dynamic_init" always
+         * failing. */
+        return 0;
+        }
+
+static int dynamic_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)())
+        {
+        dynamic_data_ctx *ctx = dynamic_get_data_ctx(e);
+        int initialised;
+        
+        if(!ctx)
+                {
+                ENGINEerr(ENGINE_F_DYNAMIC_CTRL,ENGINE_R_NOT_LOADED);
+                return 0;
+                }
+        initialised = ((ctx->dynamic_dso == NULL) ? 0 : 1);
+        /* All our control commands require the ENGINE to be uninitialised */
+        if(initialised)
+                {
+                ENGINEerr(ENGINE_F_DYNAMIC_CTRL,
+                        ENGINE_R_ALREADY_LOADED);
+                return 0;
+                }
+        switch(cmd)
+                {
+        case DYNAMIC_CMD_SO_PATH:
+                /* a NULL 'p' or a string of zero-length is the same thing */
+                if(p && (strlen((const char *)p) < 1))
+                        p = NULL;
+                ctx->DYNAMIC_LIBNAME = (const char *)p;
+                return 1;
+        case DYNAMIC_CMD_NO_VCHECK:
+                ctx->no_vcheck = ((i == 0) ? 0 : 1);
+                return 1;
+        case DYNAMIC_CMD_ID:
+                /* a NULL 'p' or a string of zero-length is the same thing */
+                if(p && (strlen((const char *)p) < 1))
+                        p = NULL;
+                ctx->engine_id = (const char *)p;
+                return 1;
+        case DYNAMIC_CMD_LIST_ADD:
+                if((i < 0) || (i > 2))
+                        {
+                        ENGINEerr(ENGINE_F_DYNAMIC_CTRL,
+                                ENGINE_R_INVALID_ARGUMENT);
+                        return 0;
+                        }
+                ctx->list_add_value = (int)i;
+                return 1;
+        case DYNAMIC_CMD_LOAD:
+                return dynamic_load(e, ctx);
+        default:
+                break;
+                }
+        ENGINEerr(ENGINE_F_DYNAMIC_CTRL,ENGINE_R_CTRL_COMMAND_NOT_IMPLEMENTED);
+        return 0;
+        }
+
+static int dynamic_load(ENGINE *e, dynamic_data_ctx *ctx)
+        {
+        ENGINE cpy;
+        dynamic_fns fns;
+
+        if(!ctx->DYNAMIC_LIBNAME || ((ctx->dynamic_dso = DSO_load(NULL,
+                                ctx->DYNAMIC_LIBNAME, NULL, 0)) == NULL))
+                {
+                ENGINEerr(ENGINE_F_DYNAMIC_LOAD,
+                        ENGINE_R_DSO_NOT_FOUND);
+                return 0;
+                }
+        /* We have to find a bind function otherwise it'll always end badly */
+        if(!(ctx->bind_engine = (dynamic_bind_engine)DSO_bind_func(
+                                        ctx->dynamic_dso, ctx->DYNAMIC_F2)))
+                {
+                ctx->bind_engine = NULL;
+                DSO_free(ctx->dynamic_dso);
+                ctx->dynamic_dso = NULL;
+                ENGINEerr(ENGINE_F_DYNAMIC_LOAD,
+                        ENGINE_R_DSO_FAILURE);
+                return 0;
+                }
+        /* Do we perform version checking? */
+        if(!ctx->no_vcheck)
+                {
+                unsigned long vcheck_res = 0;
+                /* Now we try to find a version checking function and decide how
+                 * to cope with failure if/when it fails. */
+                ctx->v_check = (dynamic_v_check_fn)DSO_bind_func(
+                                ctx->dynamic_dso, ctx->DYNAMIC_F1);
+                if(ctx->v_check)
+                        vcheck_res = ctx->v_check(OSSL_DYNAMIC_VERSION);
+                /* We fail if the version checker veto'd the load *or* if it is
+                 * deferring to us (by returning its version) and we think it is
+                 * too old. */
+                if(vcheck_res < OSSL_DYNAMIC_OLDEST)
+                        {
+                        /* Fail */
+                        ctx->bind_engine = NULL;
+                        ctx->v_check = NULL;
+                        DSO_free(ctx->dynamic_dso);
+                        ctx->dynamic_dso = NULL;
+                        ENGINEerr(ENGINE_F_DYNAMIC_LOAD,
+                                ENGINE_R_VERSION_INCOMPATIBILITY);
+                        return 0;
+                        }
+                }
+        /* First binary copy the ENGINE structure so that we can roll back if
+         * the hand-over fails */
+        memcpy(&cpy, e, sizeof(ENGINE));
+        /* Provide the ERR, "ex_data", memory, and locking callbacks so the
+         * loaded library uses our state rather than its own. FIXME: As noted in
+         * engine.h, much of this would be simplified if each area of code
+         * provided its own "summary" structure of all related callbacks. It
+         * would also increase opaqueness. */
+        fns.err_fns = ERR_get_implementation();
+        fns.ex_data_fns = CRYPTO_get_ex_data_implementation();
+        CRYPTO_get_mem_functions(&fns.mem_fns.malloc_cb,
+                                &fns.mem_fns.realloc_cb,
+                                &fns.mem_fns.free_cb);
+        fns.lock_fns.lock_locking_cb = CRYPTO_get_locking_callback();
+        fns.lock_fns.lock_add_lock_cb = CRYPTO_get_add_lock_callback();
+        fns.lock_fns.dynlock_create_cb = CRYPTO_get_dynlock_create_callback();
+        fns.lock_fns.dynlock_lock_cb = CRYPTO_get_dynlock_lock_callback();
+        fns.lock_fns.dynlock_destroy_cb = CRYPTO_get_dynlock_destroy_callback();
+        /* Now that we've loaded the dynamic engine, make sure no "dynamic"
+         * ENGINE elements will show through. */
+        engine_set_all_null(e);
+
+        /* Try to bind the ENGINE onto our own ENGINE structure */
+        if(!ctx->bind_engine(e, ctx->engine_id, &fns))
+                {
+                ctx->bind_engine = NULL;
+                ctx->v_check = NULL;
+                DSO_free(ctx->dynamic_dso);
+                ctx->dynamic_dso = NULL;
+                ENGINEerr(ENGINE_F_DYNAMIC_LOAD,ENGINE_R_INIT_FAILED);
+                /* Copy the original ENGINE structure back */
+                memcpy(e, &cpy, sizeof(ENGINE));
+                return 0;
+                }
+        /* Do we try to add this ENGINE to the internal list too? */
+        if(ctx->list_add_value > 0)
+                {
+                if(!ENGINE_add(e))
+                        {
+                        /* Do we tolerate this or fail? */
+                        if(ctx->list_add_value > 1)
+                                {
+                                /* Fail - NB: By this time, it's too late to
+                                 * rollback, and trying to do so allows the
+                                 * bind_engine() code to have created leaks. We
+                                 * just have to fail where we are, after the
+                                 * ENGINE has changed. */
+                                ENGINEerr(ENGINE_F_DYNAMIC_LOAD,
+                                        ENGINE_R_CONFLICTING_ENGINE_ID);
+                                return 0;
+                                }
+                        /* Tolerate */
+                        ERR_clear_error();
+                        }
+                }
+        return 1;
+        }
diff --git a/src/lib/libcrypto/engine/eng_err.c b/src/lib/libcrypto/engine/eng_err.c
new file mode 100644
index 0000000000..f6c5630395
--- /dev/null
+++ b/src/lib/libcrypto/engine/eng_err.c
@@ -0,0 +1,165 @@
+/* crypto/engine/eng_err.c */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/* NOTE: this file was auto generated by the mkerr.pl script: any changes
+ * made to it will be overwritten when the script next updates this file,
+ * only reason strings will be preserved.
+ */
+
+#include <stdio.h>
+#include <openssl/err.h>
+#include <openssl/engine.h>
+
+/* BEGIN ERROR CODES */
+#ifndef OPENSSL_NO_ERR
+static ERR_STRING_DATA ENGINE_str_functs[]=
+        {
+{ERR_PACK(0,ENGINE_F_DYNAMIC_CTRL,0),   "DYNAMIC_CTRL"},
+{ERR_PACK(0,ENGINE_F_DYNAMIC_GET_DATA_CTX,0),   "DYNAMIC_GET_DATA_CTX"},
+{ERR_PACK(0,ENGINE_F_DYNAMIC_LOAD,0),   "DYNAMIC_LOAD"},
+{ERR_PACK(0,ENGINE_F_ENGINE_ADD,0),     "ENGINE_add"},
+{ERR_PACK(0,ENGINE_F_ENGINE_BY_ID,0),   "ENGINE_by_id"},
+{ERR_PACK(0,ENGINE_F_ENGINE_CMD_IS_EXECUTABLE,0),       "ENGINE_cmd_is_executable"},
+{ERR_PACK(0,ENGINE_F_ENGINE_CTRL,0),    "ENGINE_ctrl"},
+{ERR_PACK(0,ENGINE_F_ENGINE_CTRL_CMD,0),        "ENGINE_ctrl_cmd"},
+{ERR_PACK(0,ENGINE_F_ENGINE_CTRL_CMD_STRING,0), "ENGINE_ctrl_cmd_string"},
+{ERR_PACK(0,ENGINE_F_ENGINE_FINISH,0),  "ENGINE_finish"},
+{ERR_PACK(0,ENGINE_F_ENGINE_FREE,0),    "ENGINE_free"},
+{ERR_PACK(0,ENGINE_F_ENGINE_GET_CIPHER,0),      "ENGINE_get_cipher"},
+{ERR_PACK(0,ENGINE_F_ENGINE_GET_DEFAULT_TYPE,0),        "ENGINE_GET_DEFAULT_TYPE"},
+{ERR_PACK(0,ENGINE_F_ENGINE_GET_DIGEST,0),      "ENGINE_get_digest"},
+{ERR_PACK(0,ENGINE_F_ENGINE_GET_NEXT,0),        "ENGINE_get_next"},
+{ERR_PACK(0,ENGINE_F_ENGINE_GET_PREV,0),        "ENGINE_get_prev"},
+{ERR_PACK(0,ENGINE_F_ENGINE_INIT,0),    "ENGINE_init"},
+{ERR_PACK(0,ENGINE_F_ENGINE_LIST_ADD,0),        "ENGINE_LIST_ADD"},
+{ERR_PACK(0,ENGINE_F_ENGINE_LIST_REMOVE,0),     "ENGINE_LIST_REMOVE"},
+{ERR_PACK(0,ENGINE_F_ENGINE_LOAD_PRIVATE_KEY,0),        "ENGINE_load_private_key"},
+{ERR_PACK(0,ENGINE_F_ENGINE_LOAD_PUBLIC_KEY,0), "ENGINE_load_public_key"},
+{ERR_PACK(0,ENGINE_F_ENGINE_MODULE_INIT,0),     "ENGINE_MODULE_INIT"},
+{ERR_PACK(0,ENGINE_F_ENGINE_NEW,0),     "ENGINE_new"},
+{ERR_PACK(0,ENGINE_F_ENGINE_REMOVE,0),  "ENGINE_remove"},
+{ERR_PACK(0,ENGINE_F_ENGINE_SET_DEFAULT_STRING,0),      "ENGINE_set_default_string"},
+{ERR_PACK(0,ENGINE_F_ENGINE_SET_DEFAULT_TYPE,0),        "ENGINE_SET_DEFAULT_TYPE"},
+{ERR_PACK(0,ENGINE_F_ENGINE_SET_ID,0),  "ENGINE_set_id"},
+{ERR_PACK(0,ENGINE_F_ENGINE_SET_NAME,0),        "ENGINE_set_name"},
+{ERR_PACK(0,ENGINE_F_ENGINE_TABLE_REGISTER,0),  "ENGINE_TABLE_REGISTER"},
+{ERR_PACK(0,ENGINE_F_ENGINE_UNLOAD_KEY,0),      "ENGINE_UNLOAD_KEY"},
+{ERR_PACK(0,ENGINE_F_INT_CTRL_HELPER,0),        "INT_CTRL_HELPER"},
+{ERR_PACK(0,ENGINE_F_INT_ENGINE_CONFIGURE,0),   "INT_ENGINE_CONFIGURE"},
+{ERR_PACK(0,ENGINE_F_LOG_MESSAGE,0),    "LOG_MESSAGE"},
+{ERR_PACK(0,ENGINE_F_SET_DATA_CTX,0),   "SET_DATA_CTX"},
+{0,NULL}
+        };
+
+static ERR_STRING_DATA ENGINE_str_reasons[]=
+        {
+{ENGINE_R_ALREADY_LOADED                 ,"already loaded"},
+{ENGINE_R_ARGUMENT_IS_NOT_A_NUMBER       ,"argument is not a number"},
+{ENGINE_R_CMD_NOT_EXECUTABLE             ,"cmd not executable"},
+{ENGINE_R_COMMAND_TAKES_INPUT            ,"command takes input"},
+{ENGINE_R_COMMAND_TAKES_NO_INPUT         ,"command takes no input"},
+{ENGINE_R_CONFLICTING_ENGINE_ID          ,"conflicting engine id"},
+{ENGINE_R_CTRL_COMMAND_NOT_IMPLEMENTED   ,"ctrl command not implemented"},
+{ENGINE_R_DH_NOT_IMPLEMENTED             ,"dh not implemented"},
+{ENGINE_R_DSA_NOT_IMPLEMENTED            ,"dsa not implemented"},
+{ENGINE_R_DSO_FAILURE                    ,"DSO failure"},
+{ENGINE_R_DSO_NOT_FOUND                  ,"dso not found"},
+{ENGINE_R_ENGINES_SECTION_ERROR          ,"engines section error"},
+{ENGINE_R_ENGINE_IS_NOT_IN_LIST          ,"engine is not in the list"},
+{ENGINE_R_ENGINE_SECTION_ERROR           ,"engine section error"},
+{ENGINE_R_FAILED_LOADING_PRIVATE_KEY     ,"failed loading private key"},
+{ENGINE_R_FAILED_LOADING_PUBLIC_KEY      ,"failed loading public key"},
+{ENGINE_R_FINISH_FAILED                  ,"finish failed"},
+{ENGINE_R_GET_HANDLE_FAILED              ,"could not obtain hardware handle"},
+{ENGINE_R_ID_OR_NAME_MISSING             ,"'id' or 'name' missing"},
+{ENGINE_R_INIT_FAILED                    ,"init failed"},
+{ENGINE_R_INTERNAL_LIST_ERROR            ,"internal list error"},
+{ENGINE_R_INVALID_ARGUMENT               ,"invalid argument"},
+{ENGINE_R_INVALID_CMD_NAME               ,"invalid cmd name"},
+{ENGINE_R_INVALID_CMD_NUMBER             ,"invalid cmd number"},
+{ENGINE_R_INVALID_INIT_VALUE             ,"invalid init value"},
+{ENGINE_R_INVALID_STRING                 ,"invalid string"},
+{ENGINE_R_NOT_INITIALISED                ,"not initialised"},
+{ENGINE_R_NOT_LOADED                     ,"not loaded"},
+{ENGINE_R_NO_CONTROL_FUNCTION            ,"no control function"},
+{ENGINE_R_NO_INDEX                       ,"no index"},
+{ENGINE_R_NO_LOAD_FUNCTION               ,"no load function"},
+{ENGINE_R_NO_REFERENCE                   ,"no reference"},
+{ENGINE_R_NO_SUCH_ENGINE                 ,"no such engine"},
+{ENGINE_R_NO_UNLOAD_FUNCTION             ,"no unload function"},
+{ENGINE_R_PROVIDE_PARAMETERS             ,"provide parameters"},
+{ENGINE_R_RSA_NOT_IMPLEMENTED            ,"rsa not implemented"},
+{ENGINE_R_UNIMPLEMENTED_CIPHER           ,"unimplemented cipher"},
+{ENGINE_R_UNIMPLEMENTED_DIGEST           ,"unimplemented digest"},
+{ENGINE_R_VERSION_INCOMPATIBILITY        ,"version incompatibility"},
+{0,NULL}
+        };
+
+#endif
+
+void ERR_load_ENGINE_strings(void)
+        {
+        static int init=1;
+
+        if (init)
+                {
+                init=0;
+#ifndef OPENSSL_NO_ERR
+                ERR_load_strings(ERR_LIB_ENGINE,ENGINE_str_functs);
+                ERR_load_strings(ERR_LIB_ENGINE,ENGINE_str_reasons);
+#endif
+
+                }
+        }
diff --git a/src/lib/libcrypto/engine/eng_fat.c b/src/lib/libcrypto/engine/eng_fat.c
new file mode 100644
index 0000000000..af918b1499
--- /dev/null
+++ b/src/lib/libcrypto/engine/eng_fat.c
@@ -0,0 +1,148 @@
+/* crypto/engine/eng_fat.c */
+/* ====================================================================
+ * Copyright (c) 1999-2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <openssl/crypto.h>
+#include "cryptlib.h"
+#include "eng_int.h"
+#include <openssl/engine.h>
+#include <openssl/conf.h>
+
+int ENGINE_set_default(ENGINE *e, unsigned int flags)
+        {
+        if((flags & ENGINE_METHOD_CIPHERS) && !ENGINE_set_default_ciphers(e))
+                return 0;
+        if((flags & ENGINE_METHOD_DIGESTS) && !ENGINE_set_default_digests(e))
+                return 0;
+#ifndef OPENSSL_NO_RSA
+        if((flags & ENGINE_METHOD_RSA) & !ENGINE_set_default_RSA(e))
+                return 0;
+#endif
+#ifndef OPENSSL_NO_DSA
+        if((flags & ENGINE_METHOD_DSA) & !ENGINE_set_default_DSA(e))
+                return 0;
+#endif
+#ifndef OPENSSL_NO_DH
+        if((flags & ENGINE_METHOD_DH) & !ENGINE_set_default_DH(e))
+                return 0;
+#endif
+        if((flags & ENGINE_METHOD_RAND) & !ENGINE_set_default_RAND(e))
+                return 0;
+        return 1;
+        }
+
+/* Set default algorithms using a string */
+
+int int_def_cb(const char *alg, int len, void *arg)
+        {
+        unsigned int *pflags = arg;
+        if (!strncmp(alg, "ALL", len))
+                *pflags |= ENGINE_METHOD_ALL;
+        else if (!strncmp(alg, "RSA", len))
+                *pflags |= ENGINE_METHOD_RSA;
+        else if (!strncmp(alg, "DSA", len))
+                *pflags |= ENGINE_METHOD_DSA;
+        else if (!strncmp(alg, "DH", len))
+                *pflags |= ENGINE_METHOD_DH;
+        else if (!strncmp(alg, "RAND", len))
+                *pflags |= ENGINE_METHOD_RAND;
+        else if (!strncmp(alg, "CIPHERS", len))
+                *pflags |= ENGINE_METHOD_CIPHERS;
+        else if (!strncmp(alg, "DIGESTS", len))
+                *pflags |= ENGINE_METHOD_DIGESTS;
+        else
+                return 0;
+        return 1;
+        }
+
+
+int ENGINE_set_default_string(ENGINE *e, const char *list)
+        {
+        unsigned int flags = 0;
+        if (!CONF_parse_list(list, ',', 1, int_def_cb, &flags))
+                {
+                ENGINEerr(ENGINE_F_ENGINE_SET_DEFAULT_STRING,
+                                        ENGINE_R_INVALID_STRING);
+                ERR_add_error_data(2, "str=",list);
+                return 0;
+                }
+        return ENGINE_set_default(e, flags);
+        }
+
+int ENGINE_register_complete(ENGINE *e)
+        {
+        ENGINE_register_ciphers(e);
+        ENGINE_register_digests(e);
+#ifndef OPENSSL_NO_RSA
+        ENGINE_register_RSA(e);
+#endif
+#ifndef OPENSSL_NO_DSA
+        ENGINE_register_DSA(e);
+#endif
+#ifndef OPENSSL_NO_DH
+        ENGINE_register_DH(e);
+#endif
+        ENGINE_register_RAND(e);
+        return 1;
+        }
+
+int ENGINE_register_all_complete(void)
+        {
+        ENGINE *e;
+
+        for(e=ENGINE_get_first() ; e ; e=ENGINE_get_next(e)) {
+                ENGINE_register_complete(e);
+        }
+        return 1;
+        }
diff --git a/src/lib/libcrypto/engine/eng_init.c b/src/lib/libcrypto/engine/eng_init.c
new file mode 100644
index 0000000000..cc9396e863
--- /dev/null
+++ b/src/lib/libcrypto/engine/eng_init.c
@@ -0,0 +1,158 @@
+/* crypto/engine/eng_init.c */
+/* ====================================================================
+ * Copyright (c) 1999-2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <openssl/crypto.h>
+#include "cryptlib.h"
+#include "eng_int.h"
+#include <openssl/engine.h>
+
+/* Initialise a engine type for use (or up its functional reference count
+ * if it's already in use). This version is only used internally. */
+int engine_unlocked_init(ENGINE *e)
+        {
+        int to_return = 1;
+
+        if((e->funct_ref == 0) && e->init)
+                /* This is the first functional reference and the engine
+                 * requires initialisation so we do it now. */
+                to_return = e->init(e);
+        if(to_return)
+                {
+                /* OK, we return a functional reference which is also a
+                 * structural reference. */
+                e->struct_ref++;
+                e->funct_ref++;
+                engine_ref_debug(e, 0, 1)
+                engine_ref_debug(e, 1, 1)
+                }
+        return to_return;
+        }
+
+/* Free a functional reference to a engine type. This version is only used
+ * internally. */
+int engine_unlocked_finish(ENGINE *e, int unlock_for_handlers)
+        {
+        int to_return = 1;
+
+        /* Reduce the functional reference count here so if it's the terminating
+         * case, we can release the lock safely and call the finish() handler
+         * without risk of a race. We get a race if we leave the count until
+         * after and something else is calling "finish" at the same time -
+         * there's a chance that both threads will together take the count from
+         * 2 to 0 without either calling finish(). */
+        e->funct_ref--;
+        engine_ref_debug(e, 1, -1);
+        if((e->funct_ref == 0) && e->finish)
+                {
+                if(unlock_for_handlers)
+                        CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
+                to_return = e->finish(e);
+                if(unlock_for_handlers)
+                        CRYPTO_w_lock(CRYPTO_LOCK_ENGINE);
+                if(!to_return)
+                        return 0;
+                }
+#ifdef REF_CHECK
+        if(e->funct_ref < 0)
+                {
+                fprintf(stderr,"ENGINE_finish, bad functional reference count\n");
+                abort();
+                }
+#endif
+        /* Release the structural reference too */
+        if(!engine_free_util(e, 0))
+                {
+                ENGINEerr(ENGINE_F_ENGINE_FINISH,ENGINE_R_FINISH_FAILED);
+                return 0;
+                }
+        return to_return;
+        }
+
+/* The API (locked) version of "init" */
+int ENGINE_init(ENGINE *e)
+        {
+        int ret;
+        if(e == NULL)
+                {
+                ENGINEerr(ENGINE_F_ENGINE_INIT,ERR_R_PASSED_NULL_PARAMETER);
+                return 0;
+                }
+        CRYPTO_w_lock(CRYPTO_LOCK_ENGINE);
+        ret = engine_unlocked_init(e);
+        CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
+        return ret;
+        }
+
+/* The API (locked) version of "finish" */
+int ENGINE_finish(ENGINE *e)
+        {
+        int to_return = 1;
+
+        if(e == NULL)
+                {
+                ENGINEerr(ENGINE_F_ENGINE_FINISH,ERR_R_PASSED_NULL_PARAMETER);
+                return 0;
+                }
+        CRYPTO_w_lock(CRYPTO_LOCK_ENGINE);
+        to_return = engine_unlocked_finish(e, 1);
+        CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
+        if(!to_return)
+                {
+                ENGINEerr(ENGINE_F_ENGINE_FINISH,ENGINE_R_FINISH_FAILED);
+                return 0;
+                }
+        return to_return;
+        }
+
diff --git a/src/lib/libcrypto/engine/eng_int.h b/src/lib/libcrypto/engine/eng_int.h
new file mode 100644
index 0000000000..38335f99cd
--- /dev/null
+++ b/src/lib/libcrypto/engine/eng_int.h
@@ -0,0 +1,185 @@
+/* crypto/engine/eng_int.h */
+/* Written by Geoff Thorpe (geoff@geoffthorpe.net) for the OpenSSL
+ * project 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 1999-2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#ifndef HEADER_ENGINE_INT_H
+#define HEADER_ENGINE_INT_H
+
+/* Take public definitions from engine.h */
+#include <openssl/engine.h>
+
+#ifdef  __cplusplus
+extern "C" {
+#endif
+
+/* If we compile with this symbol defined, then both reference counts in the
+ * ENGINE structure will be monitored with a line of output on stderr for each
+ * change. This prints the engine's pointer address (truncated to unsigned int),
+ * "struct" or "funct" to indicate the reference type, the before and after
+ * reference count, and the file:line-number pair. The "engine_ref_debug"
+ * statements must come *after* the change. */
+#ifdef ENGINE_REF_COUNT_DEBUG
+
+#define engine_ref_debug(e, isfunct, diff) \
+        fprintf(stderr, "engine: %08x %s from %d to %d (%s:%d)\n", \
+                (unsigned int)(e), (isfunct ? "funct" : "struct"), \
+                ((isfunct) ? ((e)->funct_ref - (diff)) : ((e)->struct_ref - (diff))), \
+                ((isfunct) ? (e)->funct_ref : (e)->struct_ref), \
+                (__FILE__), (__LINE__));
+
+#else
+
+#define engine_ref_debug(e, isfunct, diff)
+
+#endif
+
+/* Any code that will need cleanup operations should use these functions to
+ * register callbacks. ENGINE_cleanup() will call all registered callbacks in
+ * order. NB: both the "add" functions assume CRYPTO_LOCK_ENGINE to already be
+ * held (in "write" mode). */
+typedef void (ENGINE_CLEANUP_CB)(void);
+typedef struct st_engine_cleanup_item
+        {
+        ENGINE_CLEANUP_CB *cb;
+        } ENGINE_CLEANUP_ITEM;
+DECLARE_STACK_OF(ENGINE_CLEANUP_ITEM)
+void engine_cleanup_add_first(ENGINE_CLEANUP_CB *cb);
+void engine_cleanup_add_last(ENGINE_CLEANUP_CB *cb);
+
+/* We need stacks of ENGINEs for use in eng_table.c */
+DECLARE_STACK_OF(ENGINE)
+
+/* If this symbol is defined then engine_table_select(), the function that is
+ * used by RSA, DSA (etc) code to select registered ENGINEs, cache defaults and
+ * functional references (etc), will display debugging summaries to stderr. */
+/* #define ENGINE_TABLE_DEBUG */
+
+/* This represents an implementation table. Dependent code should instantiate it
+ * as a (ENGINE_TABLE *) pointer value set initially to NULL. */
+typedef struct st_engine_table ENGINE_TABLE;
+int engine_table_register(ENGINE_TABLE **table, ENGINE_CLEANUP_CB *cleanup,
+                ENGINE *e, const int *nids, int num_nids, int setdefault);
+void engine_table_unregister(ENGINE_TABLE **table, ENGINE *e);
+void engine_table_cleanup(ENGINE_TABLE **table);
+#ifndef ENGINE_TABLE_DEBUG
+ENGINE *engine_table_select(ENGINE_TABLE **table, int nid);
+#else
+ENGINE *engine_table_select_tmp(ENGINE_TABLE **table, int nid, const char *f, int l);
+#define engine_table_select(t,n) engine_table_select_tmp(t,n,__FILE__,__LINE__)
+#endif
+
+/* Internal versions of API functions that have control over locking. These are
+ * used between C files when functionality needs to be shared but the caller may
+ * already be controlling of the CRYPTO_LOCK_ENGINE lock. */
+int engine_unlocked_init(ENGINE *e);
+int engine_unlocked_finish(ENGINE *e, int unlock_for_handlers);
+int engine_free_util(ENGINE *e, int locked);
+
+/* This function will reset all "set"able values in an ENGINE to NULL. This
+ * won't touch reference counts or ex_data, but is equivalent to calling all the
+ * ENGINE_set_***() functions with a NULL value. */
+void engine_set_all_null(ENGINE *e);
+
+/* NB: Bitwise OR-able values for the "flags" variable in ENGINE are now exposed
+ * in engine.h. */
+
+/* This is a structure for storing implementations of various crypto
+ * algorithms and functions. */
+struct engine_st
+        {
+        const char *id;
+        const char *name;
+        const RSA_METHOD *rsa_meth;
+        const DSA_METHOD *dsa_meth;
+        const DH_METHOD *dh_meth;
+        const RAND_METHOD *rand_meth;
+        /* Cipher handling is via this callback */
+        ENGINE_CIPHERS_PTR ciphers;
+        /* Digest handling is via this callback */
+        ENGINE_DIGESTS_PTR digests;
+
+
+        ENGINE_GEN_INT_FUNC_PTR destroy;
+
+        ENGINE_GEN_INT_FUNC_PTR init;
+        ENGINE_GEN_INT_FUNC_PTR finish;
+        ENGINE_CTRL_FUNC_PTR ctrl;
+        ENGINE_LOAD_KEY_PTR load_privkey;
+        ENGINE_LOAD_KEY_PTR load_pubkey;
+
+        const ENGINE_CMD_DEFN *cmd_defns;
+        int flags;
+        /* reference count on the structure itself */
+        int struct_ref;
+        /* reference count on usability of the engine type. NB: This
+         * controls the loading and initialisation of any functionlity
+         * required by this engine, whereas the previous count is
+         * simply to cope with (de)allocation of this structure. Hence,
+         * running_ref <= struct_ref at all times. */
+        int funct_ref;
+        /* A place to store per-ENGINE data */
+        CRYPTO_EX_DATA ex_data;
+        /* Used to maintain the linked-list of engines. */
+        struct engine_st *prev;
+        struct engine_st *next;
+        };
+
+#ifdef  __cplusplus
+}
+#endif
+
+#endif /* HEADER_ENGINE_INT_H */
diff --git a/src/lib/libcrypto/engine/eng_lib.c b/src/lib/libcrypto/engine/eng_lib.c
new file mode 100644
index 0000000000..a66d0f08af
--- /dev/null
+++ b/src/lib/libcrypto/engine/eng_lib.c
@@ -0,0 +1,321 @@
+/* crypto/engine/eng_lib.c */
+/* Written by Geoff Thorpe (geoff@geoffthorpe.net) for the OpenSSL
+ * project 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 1999-2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <openssl/crypto.h>
+#include "cryptlib.h"
+#include "eng_int.h"
+#include <openssl/rand.h> /* FIXME: This shouldn't be needed */
+#include <openssl/engine.h>
+
+/* The "new"/"free" stuff first */
+
+ENGINE *ENGINE_new(void)
+        {
+        ENGINE *ret;
+
+        ret = (ENGINE *)OPENSSL_malloc(sizeof(ENGINE));
+        if(ret == NULL)
+                {
+                ENGINEerr(ENGINE_F_ENGINE_NEW, ERR_R_MALLOC_FAILURE);
+                return NULL;
+                }
+        memset(ret, 0, sizeof(ENGINE));
+        ret->struct_ref = 1;
+        engine_ref_debug(ret, 0, 1)
+        CRYPTO_new_ex_data(CRYPTO_EX_INDEX_ENGINE, ret, &ret->ex_data);
+        return ret;
+        }
+
+/* Placed here (close proximity to ENGINE_new) so that modifications to the
+ * elements of the ENGINE structure are more likely to be caught and changed
+ * here. */
+void engine_set_all_null(ENGINE *e)
+        {
+        e->id = NULL;
+        e->name = NULL;
+        e->rsa_meth = NULL;
+        e->dsa_meth = NULL;
+        e->dh_meth = NULL;
+        e->rand_meth = NULL;
+        e->ciphers = NULL;
+        e->digests = NULL;
+        e->destroy = NULL;
+        e->init = NULL;
+        e->finish = NULL;
+        e->ctrl = NULL;
+        e->load_privkey = NULL;
+        e->load_pubkey = NULL;
+        e->cmd_defns = NULL;
+        e->flags = 0;
+        }
+
+int engine_free_util(ENGINE *e, int locked)
+        {
+        int i;
+
+        if(e == NULL)
+                {
+                ENGINEerr(ENGINE_F_ENGINE_FREE,
+                        ERR_R_PASSED_NULL_PARAMETER);
+                return 0;
+                }
+        if(locked)
+                i = CRYPTO_add(&e->struct_ref,-1,CRYPTO_LOCK_ENGINE);
+        else
+                i = --e->struct_ref;
+        engine_ref_debug(e, 0, -1)
+        if (i > 0) return 1;
+#ifdef REF_CHECK
+        if (i < 0)
+                {
+                fprintf(stderr,"ENGINE_free, bad structural reference count\n");
+                abort();
+                }
+#endif
+        /* Give the ENGINE a chance to do any structural cleanup corresponding
+         * to allocation it did in its constructor (eg. unload error strings) */
+        if(e->destroy)
+                e->destroy(e);
+        CRYPTO_free_ex_data(CRYPTO_EX_INDEX_ENGINE, e, &e->ex_data);
+        OPENSSL_free(e);
+        return 1;
+        }
+
+int ENGINE_free(ENGINE *e)
+        {
+        return engine_free_util(e, 1);
+        }
+
+/* Cleanup stuff */
+
+/* ENGINE_cleanup() is coded such that anything that does work that will need
+ * cleanup can register a "cleanup" callback here. That way we don't get linker
+ * bloat by referring to all *possible* cleanups, but any linker bloat into code
+ * "X" will cause X's cleanup function to end up here. */
+static STACK_OF(ENGINE_CLEANUP_ITEM) *cleanup_stack = NULL;
+static int int_cleanup_check(int create)
+        {
+        if(cleanup_stack) return 1;
+        if(!create) return 0;
+        cleanup_stack = sk_ENGINE_CLEANUP_ITEM_new_null();
+        return (cleanup_stack ? 1 : 0);
+        }
+static ENGINE_CLEANUP_ITEM *int_cleanup_item(ENGINE_CLEANUP_CB *cb)
+        {
+        ENGINE_CLEANUP_ITEM *item = OPENSSL_malloc(sizeof(
+                                        ENGINE_CLEANUP_ITEM));
+        if(!item) return NULL;
+        item->cb = cb;
+        return item;
+        }
+void engine_cleanup_add_first(ENGINE_CLEANUP_CB *cb)
+        {
+        ENGINE_CLEANUP_ITEM *item;
+        if(!int_cleanup_check(1)) return;
+        item = int_cleanup_item(cb);
+        if(item)
+                sk_ENGINE_CLEANUP_ITEM_insert(cleanup_stack, item, 0);
+        }
+void engine_cleanup_add_last(ENGINE_CLEANUP_CB *cb)
+        {
+        ENGINE_CLEANUP_ITEM *item;
+        if(!int_cleanup_check(1)) return;
+        item = int_cleanup_item(cb);
+        if(item)
+                sk_ENGINE_CLEANUP_ITEM_push(cleanup_stack, item);
+        }
+/* The API function that performs all cleanup */
+static void engine_cleanup_cb_free(ENGINE_CLEANUP_ITEM *item)
+        {
+        (*(item->cb))();
+        OPENSSL_free(item);
+        }
+void ENGINE_cleanup(void)
+        {
+        if(int_cleanup_check(0))
+                {
+                sk_ENGINE_CLEANUP_ITEM_pop_free(cleanup_stack,
+                        engine_cleanup_cb_free);
+                cleanup_stack = NULL;
+                }
+        /* FIXME: This should be handled (somehow) through RAND, eg. by it
+         * registering a cleanup callback. */
+        RAND_set_rand_method(NULL);
+        }
+
+/* Now the "ex_data" support */
+
+int ENGINE_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
+                CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func)
+        {
+        return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_ENGINE, argl, argp,
+                        new_func, dup_func, free_func);
+        }
+
+int ENGINE_set_ex_data(ENGINE *e, int idx, void *arg)
+        {
+        return(CRYPTO_set_ex_data(&e->ex_data, idx, arg));
+        }
+
+void *ENGINE_get_ex_data(const ENGINE *e, int idx)
+        {
+        return(CRYPTO_get_ex_data(&e->ex_data, idx));
+        }
+
+/* Functions to get/set an ENGINE's elements - mainly to avoid exposing the
+ * ENGINE structure itself. */
+
+int ENGINE_set_id(ENGINE *e, const char *id)
+        {
+        if(id == NULL)
+                {
+                ENGINEerr(ENGINE_F_ENGINE_SET_ID,
+                        ERR_R_PASSED_NULL_PARAMETER);
+                return 0;
+                }
+        e->id = id;
+        return 1;
+        }
+
+int ENGINE_set_name(ENGINE *e, const char *name)
+        {
+        if(name == NULL)
+                {
+                ENGINEerr(ENGINE_F_ENGINE_SET_NAME,
+                        ERR_R_PASSED_NULL_PARAMETER);
+                return 0;
+                }
+        e->name = name;
+        return 1;
+        }
+
+int ENGINE_set_destroy_function(ENGINE *e, ENGINE_GEN_INT_FUNC_PTR destroy_f)
+        {
+        e->destroy = destroy_f;
+        return 1;
+        }
+
+int ENGINE_set_init_function(ENGINE *e, ENGINE_GEN_INT_FUNC_PTR init_f)
+        {
+        e->init = init_f;
+        return 1;
+        }
+
+int ENGINE_set_finish_function(ENGINE *e, ENGINE_GEN_INT_FUNC_PTR finish_f)
+        {
+        e->finish = finish_f;
+        return 1;
+        }
+
+int ENGINE_set_ctrl_function(ENGINE *e, ENGINE_CTRL_FUNC_PTR ctrl_f)
+        {
+        e->ctrl = ctrl_f;
+        return 1;
+        }
+
+int ENGINE_set_flags(ENGINE *e, int flags)
+        {
+        e->flags = flags;
+        return 1;
+        }
+
+int ENGINE_set_cmd_defns(ENGINE *e, const ENGINE_CMD_DEFN *defns)
+        {
+        e->cmd_defns = defns;
+        return 1;
+        }
+
+const char *ENGINE_get_id(const ENGINE *e)
+        {
+        return e->id;
+        }
+
+const char *ENGINE_get_name(const ENGINE *e)
+        {
+        return e->name;
+        }
+
+ENGINE_GEN_INT_FUNC_PTR ENGINE_get_destroy_function(const ENGINE *e)
+        {
+        return e->destroy;
+        }
+
+ENGINE_GEN_INT_FUNC_PTR ENGINE_get_init_function(const ENGINE *e)
+        {
+        return e->init;
+        }
+
+ENGINE_GEN_INT_FUNC_PTR ENGINE_get_finish_function(const ENGINE *e)
+        {
+        return e->finish;
+        }
+
+ENGINE_CTRL_FUNC_PTR ENGINE_get_ctrl_function(const ENGINE *e)
+        {
+        return e->ctrl;
+        }
+
+int ENGINE_get_flags(const ENGINE *e)
+        {
+        return e->flags;
+        }
+
+const ENGINE_CMD_DEFN *ENGINE_get_cmd_defns(const ENGINE *e)
+        {
+        return e->cmd_defns;
+        }
diff --git a/src/lib/libcrypto/engine/eng_list.c b/src/lib/libcrypto/engine/eng_list.c
new file mode 100644
index 0000000000..ce48d2255a
--- /dev/null
+++ b/src/lib/libcrypto/engine/eng_list.c
@@ -0,0 +1,383 @@
+/* crypto/engine/eng_list.c */
+/* Written by Geoff Thorpe (geoff@geoffthorpe.net) for the OpenSSL
+ * project 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 1999-2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <openssl/crypto.h>
+#include "cryptlib.h"
+#include "eng_int.h"
+#include <openssl/engine.h>
+
+/* The linked-list of pointers to engine types. engine_list_head
+ * incorporates an implicit structural reference but engine_list_tail
+ * does not - the latter is a computational niceity and only points
+ * to something that is already pointed to by its predecessor in the
+ * list (or engine_list_head itself). In the same way, the use of the
+ * "prev" pointer in each ENGINE is to save excessive list iteration,
+ * it doesn't correspond to an extra structural reference. Hence,
+ * engine_list_head, and each non-null "next" pointer account for
+ * the list itself assuming exactly 1 structural reference on each
+ * list member. */
+static ENGINE *engine_list_head = NULL;
+static ENGINE *engine_list_tail = NULL;
+
+/* This cleanup function is only needed internally. If it should be called, we
+ * register it with the "ENGINE_cleanup()" stack to be called during cleanup. */
+
+static void engine_list_cleanup(void)
+        {
+        ENGINE *iterator = engine_list_head;
+
+        while(iterator != NULL)
+                {
+                ENGINE_remove(iterator);
+                iterator = engine_list_head;
+                }
+        return;
+        }
+
+/* These static functions starting with a lower case "engine_" always
+ * take place when CRYPTO_LOCK_ENGINE has been locked up. */
+static int engine_list_add(ENGINE *e)
+        {
+        int conflict = 0;
+        ENGINE *iterator = NULL;
+
+        if(e == NULL)
+                {
+                ENGINEerr(ENGINE_F_ENGINE_LIST_ADD,
+                        ERR_R_PASSED_NULL_PARAMETER);
+                return 0;
+                }
+        iterator = engine_list_head;
+        while(iterator && !conflict)
+                {
+                conflict = (strcmp(iterator->id, e->id) == 0);
+                iterator = iterator->next;
+                }
+        if(conflict)
+                {
+                ENGINEerr(ENGINE_F_ENGINE_LIST_ADD,
+                        ENGINE_R_CONFLICTING_ENGINE_ID);
+                return 0;
+                }
+        if(engine_list_head == NULL)
+                {
+                /* We are adding to an empty list. */
+                if(engine_list_tail)
+                        {
+                        ENGINEerr(ENGINE_F_ENGINE_LIST_ADD,
+                                ENGINE_R_INTERNAL_LIST_ERROR);
+                        return 0;
+                        }
+                engine_list_head = e;
+                e->prev = NULL;
+                /* The first time the list allocates, we should register the
+                 * cleanup. */
+                engine_cleanup_add_last(engine_list_cleanup);
+                }
+        else
+                {
+                /* We are adding to the tail of an existing list. */
+                if((engine_list_tail == NULL) ||
+                                (engine_list_tail->next != NULL))
+                        {
+                        ENGINEerr(ENGINE_F_ENGINE_LIST_ADD,
+                                ENGINE_R_INTERNAL_LIST_ERROR);
+                        return 0;
+                        }
+                engine_list_tail->next = e;
+                e->prev = engine_list_tail;
+                }
+        /* Having the engine in the list assumes a structural
+         * reference. */
+        e->struct_ref++;
+        engine_ref_debug(e, 0, 1)
+        /* However it came to be, e is the last item in the list. */
+        engine_list_tail = e;
+        e->next = NULL;
+        return 1;
+        }
+
+static int engine_list_remove(ENGINE *e)
+        {
+        ENGINE *iterator;
+
+        if(e == NULL)
+                {
+                ENGINEerr(ENGINE_F_ENGINE_LIST_REMOVE,
+                        ERR_R_PASSED_NULL_PARAMETER);
+                return 0;
+                }
+        /* We need to check that e is in our linked list! */
+        iterator = engine_list_head;
+        while(iterator && (iterator != e))
+                iterator = iterator->next;
+        if(iterator == NULL)
+                {
+                ENGINEerr(ENGINE_F_ENGINE_LIST_REMOVE,
+                        ENGINE_R_ENGINE_IS_NOT_IN_LIST);
+                return 0;
+                }
+        /* un-link e from the chain. */
+        if(e->next)
+                e->next->prev = e->prev;
+        if(e->prev)
+                e->prev->next = e->next;
+        /* Correct our head/tail if necessary. */
+        if(engine_list_head == e)
+                engine_list_head = e->next;
+        if(engine_list_tail == e)
+                engine_list_tail = e->prev;
+        engine_free_util(e, 0);
+        return 1;
+        }
+
+/* Get the first/last "ENGINE" type available. */
+ENGINE *ENGINE_get_first(void)
+        {
+        ENGINE *ret;
+
+        CRYPTO_r_lock(CRYPTO_LOCK_ENGINE);
+        ret = engine_list_head;
+        if(ret)
+                {
+                ret->struct_ref++;
+                engine_ref_debug(ret, 0, 1)
+                }
+        CRYPTO_r_unlock(CRYPTO_LOCK_ENGINE);
+        return ret;
+        }
+
+ENGINE *ENGINE_get_last(void)
+        {
+        ENGINE *ret;
+
+        CRYPTO_r_lock(CRYPTO_LOCK_ENGINE);
+                ret = engine_list_tail;
+        if(ret)
+                {
+                ret->struct_ref++;
+                engine_ref_debug(ret, 0, 1)
+                }
+        CRYPTO_r_unlock(CRYPTO_LOCK_ENGINE);
+        return ret;
+        }
+
+/* Iterate to the next/previous "ENGINE" type (NULL = end of the list). */
+ENGINE *ENGINE_get_next(ENGINE *e)
+        {
+        ENGINE *ret = NULL;
+        if(e == NULL)
+                {
+                ENGINEerr(ENGINE_F_ENGINE_GET_NEXT,
+                        ERR_R_PASSED_NULL_PARAMETER);
+                return 0;
+                }
+        CRYPTO_r_lock(CRYPTO_LOCK_ENGINE);
+        ret = e->next;
+        if(ret)
+                {
+                /* Return a valid structural refernce to the next ENGINE */
+                ret->struct_ref++;
+                engine_ref_debug(ret, 0, 1)
+                }
+        CRYPTO_r_unlock(CRYPTO_LOCK_ENGINE);
+        /* Release the structural reference to the previous ENGINE */
+        ENGINE_free(e);
+        return ret;
+        }
+
+ENGINE *ENGINE_get_prev(ENGINE *e)
+        {
+        ENGINE *ret = NULL;
+        if(e == NULL)
+                {
+                ENGINEerr(ENGINE_F_ENGINE_GET_PREV,
+                        ERR_R_PASSED_NULL_PARAMETER);
+                return 0;
+                }
+        CRYPTO_r_lock(CRYPTO_LOCK_ENGINE);
+        ret = e->prev;
+        if(ret)
+                {
+                /* Return a valid structural reference to the next ENGINE */
+                ret->struct_ref++;
+                engine_ref_debug(ret, 0, 1)
+                }
+        CRYPTO_r_unlock(CRYPTO_LOCK_ENGINE);
+        /* Release the structural reference to the previous ENGINE */
+        ENGINE_free(e);
+        return ret;
+        }
+
+/* Add another "ENGINE" type into the list. */
+int ENGINE_add(ENGINE *e)
+        {
+        int to_return = 1;
+        if(e == NULL)
+                {
+                ENGINEerr(ENGINE_F_ENGINE_ADD,
+                        ERR_R_PASSED_NULL_PARAMETER);
+                return 0;
+                }
+        if((e->id == NULL) || (e->name == NULL))
+                {
+                ENGINEerr(ENGINE_F_ENGINE_ADD,
+                        ENGINE_R_ID_OR_NAME_MISSING);
+                }
+        CRYPTO_w_lock(CRYPTO_LOCK_ENGINE);
+        if(!engine_list_add(e))
+                {
+                ENGINEerr(ENGINE_F_ENGINE_ADD,
+                        ENGINE_R_INTERNAL_LIST_ERROR);
+                to_return = 0;
+                }
+        CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
+        return to_return;
+        }
+
+/* Remove an existing "ENGINE" type from the array. */
+int ENGINE_remove(ENGINE *e)
+        {
+        int to_return = 1;
+        if(e == NULL)
+                {
+                ENGINEerr(ENGINE_F_ENGINE_REMOVE,
+                        ERR_R_PASSED_NULL_PARAMETER);
+                return 0;
+                }
+        CRYPTO_w_lock(CRYPTO_LOCK_ENGINE);
+        if(!engine_list_remove(e))
+                {
+                ENGINEerr(ENGINE_F_ENGINE_REMOVE,
+                        ENGINE_R_INTERNAL_LIST_ERROR);
+                to_return = 0;
+                }
+        CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
+        return to_return;
+        }
+
+static void engine_cpy(ENGINE *dest, const ENGINE *src)
+        {
+        dest->id = src->id;
+        dest->name = src->name;
+#ifndef OPENSSL_NO_RSA
+        dest->rsa_meth = src->rsa_meth;
+#endif
+#ifndef OPENSSL_NO_DSA
+        dest->dsa_meth = src->dsa_meth;
+#endif
+#ifndef OPENSSL_NO_DH
+        dest->dh_meth = src->dh_meth;
+#endif
+        dest->rand_meth = src->rand_meth;
+        dest->ciphers = src->ciphers;
+        dest->digests = src->digests;
+        dest->destroy = src->destroy;
+        dest->init = src->init;
+        dest->finish = src->finish;
+        dest->ctrl = src->ctrl;
+        dest->load_privkey = src->load_privkey;
+        dest->load_pubkey = src->load_pubkey;
+        dest->cmd_defns = src->cmd_defns;
+        dest->flags = src->flags;
+        }
+
+ENGINE *ENGINE_by_id(const char *id)
+        {
+        ENGINE *iterator;
+        if(id == NULL)
+                {
+                ENGINEerr(ENGINE_F_ENGINE_BY_ID,
+                        ERR_R_PASSED_NULL_PARAMETER);
+                return NULL;
+                }
+        CRYPTO_r_lock(CRYPTO_LOCK_ENGINE);
+        iterator = engine_list_head;
+        while(iterator && (strcmp(id, iterator->id) != 0)) 
+                iterator = iterator->next;
+        if(iterator)
+                {
+                /* We need to return a structural reference. If this is an
+                 * ENGINE type that returns copies, make a duplicate - otherwise
+                 * increment the existing ENGINE's reference count. */
+                if(iterator->flags & ENGINE_FLAGS_BY_ID_COPY)
+                        {
+                        ENGINE *cp = ENGINE_new();
+                        if(!cp)
+                                iterator = NULL;
+                        else
+                                {
+                                engine_cpy(cp, iterator);
+                                iterator = cp;
+                                }
+                        }
+                else
+                        {
+                        iterator->struct_ref++;
+                        engine_ref_debug(iterator, 0, 1)
+                        }
+                }
+        CRYPTO_r_unlock(CRYPTO_LOCK_ENGINE);
+        if(iterator == NULL)
+                {
+                ENGINEerr(ENGINE_F_ENGINE_BY_ID,
+                        ENGINE_R_NO_SUCH_ENGINE);
+                ERR_add_error_data(2, "id=", id);
+                }
+        return iterator;
+        }
diff --git a/src/lib/libcrypto/engine/eng_openssl.c b/src/lib/libcrypto/engine/eng_openssl.c
new file mode 100644
index 0000000000..e9d976f46b
--- /dev/null
+++ b/src/lib/libcrypto/engine/eng_openssl.c
@@ -0,0 +1,347 @@
+/* crypto/engine/eng_openssl.c */
+/* Written by Geoff Thorpe (geoff@geoffthorpe.net) for the OpenSSL
+ * project 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 1999-2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+
+#include <stdio.h>
+#include <openssl/crypto.h>
+#include "cryptlib.h"
+#include <openssl/engine.h>
+#include <openssl/dso.h>
+#include <openssl/pem.h>
+
+/* This testing gunk is implemented (and explained) lower down. It also assumes
+ * the application explicitly calls "ENGINE_load_openssl()" because this is no
+ * longer automatic in ENGINE_load_builtin_engines(). */
+#define TEST_ENG_OPENSSL_RC4
+#define TEST_ENG_OPENSSL_PKEY
+/* #define TEST_ENG_OPENSSL_RC4_OTHERS */
+#define TEST_ENG_OPENSSL_RC4_P_INIT
+/* #define TEST_ENG_OPENSSL_RC4_P_CIPHER */
+#define TEST_ENG_OPENSSL_SHA
+/* #define TEST_ENG_OPENSSL_SHA_OTHERS */
+/* #define TEST_ENG_OPENSSL_SHA_P_INIT */
+/* #define TEST_ENG_OPENSSL_SHA_P_UPDATE */
+/* #define TEST_ENG_OPENSSL_SHA_P_FINAL */
+
+#ifdef TEST_ENG_OPENSSL_RC4
+static int openssl_ciphers(ENGINE *e, const EVP_CIPHER **cipher,
+                                const int **nids, int nid);
+#endif
+#ifdef TEST_ENG_OPENSSL_SHA
+static int openssl_digests(ENGINE *e, const EVP_MD **digest,
+                                const int **nids, int nid);
+#endif
+
+#ifdef TEST_ENG_OPENSSL_PKEY
+static EVP_PKEY *openssl_load_privkey(ENGINE *eng, const char *key_id,
+        UI_METHOD *ui_method, void *callback_data);
+#endif
+
+/* The constants used when creating the ENGINE */
+static const char *engine_openssl_id = "openssl";
+static const char *engine_openssl_name = "Software engine support";
+
+/* This internal function is used by ENGINE_openssl() and possibly by the
+ * "dynamic" ENGINE support too */
+static int bind_helper(ENGINE *e)
+        {
+        if(!ENGINE_set_id(e, engine_openssl_id)
+                        || !ENGINE_set_name(e, engine_openssl_name)
+#ifndef TEST_ENG_OPENSSL_NO_ALGORITHMS
+#ifndef OPENSSL_NO_RSA
+                        || !ENGINE_set_RSA(e, RSA_get_default_method())
+#endif
+#ifndef OPENSSL_NO_DSA
+                        || !ENGINE_set_DSA(e, DSA_get_default_method())
+#endif
+#ifndef OPENSSL_NO_DH
+                        || !ENGINE_set_DH(e, DH_get_default_method())
+#endif
+                        || !ENGINE_set_RAND(e, RAND_SSLeay())
+#ifdef TEST_ENG_OPENSSL_RC4
+                        || !ENGINE_set_ciphers(e, openssl_ciphers)
+#endif
+#ifdef TEST_ENG_OPENSSL_SHA
+                        || !ENGINE_set_digests(e, openssl_digests)
+#endif
+#endif
+#ifdef TEST_ENG_OPENSSL_PKEY
+                        || !ENGINE_set_load_privkey_function(e, openssl_load_privkey)
+#endif
+                        )
+                return 0;
+        /* If we add errors to this ENGINE, ensure the error handling is setup here */
+        /* openssl_load_error_strings(); */
+        return 1;
+        }
+
+static ENGINE *engine_openssl(void)
+        {
+        ENGINE *ret = ENGINE_new();
+        if(!ret)
+                return NULL;
+        if(!bind_helper(ret))
+                {
+                ENGINE_free(ret);
+                return NULL;
+                }
+        return ret;
+        }
+
+void ENGINE_load_openssl(void)
+        {
+        ENGINE *toadd = engine_openssl();
+        if(!toadd) return;
+        ENGINE_add(toadd);
+        /* If the "add" worked, it gets a structural reference. So either way,
+         * we release our just-created reference. */
+        ENGINE_free(toadd);
+        ERR_clear_error();
+        }
+
+/* This stuff is needed if this ENGINE is being compiled into a self-contained
+ * shared-library. */
+#ifdef ENGINE_DYNAMIC_SUPPORT
+static int bind_fn(ENGINE *e, const char *id)
+        {
+        if(id && (strcmp(id, engine_openssl_id) != 0))
+                return 0;
+        if(!bind_helper(e))
+                return 0;
+        return 1;
+        }
+IMPLEMENT_DYNAMIC_CHECK_FN()
+IMPLEMENT_DYNAMIC_BIND_FN(bind_fn)
+#endif /* ENGINE_DYNAMIC_SUPPORT */
+
+#ifdef TEST_ENG_OPENSSL_RC4
+/* This section of code compiles an "alternative implementation" of two modes of
+ * RC4 into this ENGINE. The result is that EVP_CIPHER operation for "rc4"
+ * should under normal circumstances go via this support rather than the default
+ * EVP support. There are other symbols to tweak the testing;
+ *    TEST_ENC_OPENSSL_RC4_OTHERS - print a one line message to stderr each time
+ *        we're asked for a cipher we don't support (should not happen).
+ *    TEST_ENG_OPENSSL_RC4_P_INIT - print a one line message to stderr each time
+ *        the "init_key" handler is called.
+ *    TEST_ENG_OPENSSL_RC4_P_CIPHER - ditto for the "cipher" handler.
+ */
+#include <openssl/evp.h>
+#include <openssl/rc4.h>
+#define TEST_RC4_KEY_SIZE               16
+static int test_cipher_nids[] = {NID_rc4,NID_rc4_40};
+static int test_cipher_nids_number = 2;
+typedef struct {
+        unsigned char key[TEST_RC4_KEY_SIZE];
+        RC4_KEY ks;
+        } TEST_RC4_KEY;
+#define test(ctx) ((TEST_RC4_KEY *)(ctx)->cipher_data)
+static int test_rc4_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
+                        const unsigned char *iv, int enc)
+        {
+#ifdef TEST_ENG_OPENSSL_RC4_P_INIT
+        fprintf(stderr, "(TEST_ENG_OPENSSL_RC4) test_init_key() called\n");
+#endif
+        memcpy(&test(ctx)->key[0],key,EVP_CIPHER_CTX_key_length(ctx));
+        RC4_set_key(&test(ctx)->ks,EVP_CIPHER_CTX_key_length(ctx),
+                test(ctx)->key);
+        return 1;
+        }
+static int test_rc4_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+                      const unsigned char *in, unsigned int inl)
+        {
+#ifdef TEST_ENG_OPENSSL_RC4_P_CIPHER
+        fprintf(stderr, "(TEST_ENG_OPENSSL_RC4) test_cipher() called\n");
+#endif
+        RC4(&test(ctx)->ks,inl,in,out);
+        return 1;
+        }
+static const EVP_CIPHER test_r4_cipher=
+        {
+        NID_rc4,
+        1,TEST_RC4_KEY_SIZE,0,
+        EVP_CIPH_VARIABLE_LENGTH,
+        test_rc4_init_key,
+        test_rc4_cipher,
+        NULL,
+        sizeof(TEST_RC4_KEY),
+        NULL,
+        NULL,
+        NULL
+        };
+static const EVP_CIPHER test_r4_40_cipher=
+        {
+        NID_rc4_40,
+        1,5 /* 40 bit */,0,
+        EVP_CIPH_VARIABLE_LENGTH,
+        test_rc4_init_key,
+        test_rc4_cipher,
+        NULL,
+        sizeof(TEST_RC4_KEY),
+        NULL, 
+        NULL,
+        NULL
+        };
+static int openssl_ciphers(ENGINE *e, const EVP_CIPHER **cipher,
+                        const int **nids, int nid)
+        {
+        if(!cipher)
+                {
+                /* We are returning a list of supported nids */
+                *nids = test_cipher_nids;
+                return test_cipher_nids_number;
+                }
+        /* We are being asked for a specific cipher */
+        if(nid == NID_rc4)
+                *cipher = &test_r4_cipher;
+        else if(nid == NID_rc4_40)
+                *cipher = &test_r4_40_cipher;
+        else
+                {
+#ifdef TEST_ENG_OPENSSL_RC4_OTHERS
+                fprintf(stderr, "(TEST_ENG_OPENSSL_RC4) returning NULL for "
+                                "nid %d\n", nid);
+#endif
+                *cipher = NULL;
+                return 0;
+                }
+        return 1;
+        }
+#endif
+
+#ifdef TEST_ENG_OPENSSL_SHA
+/* Much the same sort of comment as for TEST_ENG_OPENSSL_RC4 */
+#include <openssl/evp.h>
+#include <openssl/sha.h>
+static int test_digest_nids[] = {NID_sha1};
+static int test_digest_nids_number = 1;
+static int test_sha1_init(EVP_MD_CTX *ctx)
+        {
+#ifdef TEST_ENG_OPENSSL_SHA_P_INIT
+        fprintf(stderr, "(TEST_ENG_OPENSSL_SHA) test_sha1_init() called\n");
+#endif
+        return SHA1_Init(ctx->md_data);
+        }
+static int test_sha1_update(EVP_MD_CTX *ctx,const void *data,unsigned long count)
+        {
+#ifdef TEST_ENG_OPENSSL_SHA_P_UPDATE
+        fprintf(stderr, "(TEST_ENG_OPENSSL_SHA) test_sha1_update() called\n");
+#endif
+        return SHA1_Update(ctx->md_data,data,count);
+        }
+static int test_sha1_final(EVP_MD_CTX *ctx,unsigned char *md)
+        {
+#ifdef TEST_ENG_OPENSSL_SHA_P_FINAL
+        fprintf(stderr, "(TEST_ENG_OPENSSL_SHA) test_sha1_final() called\n");
+#endif
+        return SHA1_Final(md,ctx->md_data);
+        }
+static const EVP_MD test_sha_md=
+        {
+        NID_sha1,
+        NID_sha1WithRSAEncryption,
+        SHA_DIGEST_LENGTH,
+        0,
+        test_sha1_init,
+        test_sha1_update,
+        test_sha1_final,
+        NULL,
+        NULL,
+        EVP_PKEY_RSA_method,
+        SHA_CBLOCK,
+        sizeof(EVP_MD *)+sizeof(SHA_CTX),
+        };
+static int openssl_digests(ENGINE *e, const EVP_MD **digest,
+                        const int **nids, int nid)
+        {
+        if(!digest)
+                {
+                /* We are returning a list of supported nids */
+                *nids = test_digest_nids;
+                return test_digest_nids_number;
+                }
+        /* We are being asked for a specific digest */
+        if(nid == NID_sha1)
+                *digest = &test_sha_md;
+        else
+                {
+#ifdef TEST_ENG_OPENSSL_SHA_OTHERS
+                fprintf(stderr, "(TEST_ENG_OPENSSL_SHA) returning NULL for "
+                                "nid %d\n", nid);
+#endif
+                *digest = NULL;
+                return 0;
+                }
+        return 1;
+        }
+#endif
+
+#ifdef TEST_ENG_OPENSSL_PKEY
+static EVP_PKEY *openssl_load_privkey(ENGINE *eng, const char *key_id,
+        UI_METHOD *ui_method, void *callback_data)
+        {
+        BIO *in;
+        EVP_PKEY *key;
+        fprintf(stderr, "(TEST_ENG_OPENSSL_PKEY)Loading Private key %s\n", key_id);
+        in = BIO_new_file(key_id, "r");
+        if (!in)
+                return NULL;
+        key = PEM_read_bio_PrivateKey(in, NULL, 0, NULL);
+        BIO_free(in);
+        return key;
+        }
+#endif
diff --git a/src/lib/libcrypto/engine/eng_pkey.c b/src/lib/libcrypto/engine/eng_pkey.c
new file mode 100644
index 0000000000..8c69171511
--- /dev/null
+++ b/src/lib/libcrypto/engine/eng_pkey.c
@@ -0,0 +1,157 @@
+/* crypto/engine/eng_pkey.c */
+/* ====================================================================
+ * Copyright (c) 1999-2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <openssl/crypto.h>
+#include "cryptlib.h"
+#include "eng_int.h"
+#include <openssl/engine.h>
+
+/* Basic get/set stuff */
+
+int ENGINE_set_load_privkey_function(ENGINE *e, ENGINE_LOAD_KEY_PTR loadpriv_f)
+        {
+        e->load_privkey = loadpriv_f;
+        return 1;
+        }
+
+int ENGINE_set_load_pubkey_function(ENGINE *e, ENGINE_LOAD_KEY_PTR loadpub_f)
+        {
+        e->load_pubkey = loadpub_f;
+        return 1;
+        }
+
+ENGINE_LOAD_KEY_PTR ENGINE_get_load_privkey_function(const ENGINE *e)
+        {
+        return e->load_privkey;
+        }
+
+ENGINE_LOAD_KEY_PTR ENGINE_get_load_pubkey_function(const ENGINE *e)
+        {
+        return e->load_pubkey;
+        }
+
+/* API functions to load public/private keys */
+
+EVP_PKEY *ENGINE_load_private_key(ENGINE *e, const char *key_id,
+        UI_METHOD *ui_method, void *callback_data)
+        {
+        EVP_PKEY *pkey;
+
+        if(e == NULL)
+                {
+                ENGINEerr(ENGINE_F_ENGINE_LOAD_PRIVATE_KEY,
+                        ERR_R_PASSED_NULL_PARAMETER);
+                return 0;
+                }
+        CRYPTO_w_lock(CRYPTO_LOCK_ENGINE);
+        if(e->funct_ref == 0)
+                {
+                CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
+                ENGINEerr(ENGINE_F_ENGINE_LOAD_PRIVATE_KEY,
+                        ENGINE_R_NOT_INITIALISED);
+                return 0;
+                }
+        CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
+        if (!e->load_privkey)
+                {
+                ENGINEerr(ENGINE_F_ENGINE_LOAD_PRIVATE_KEY,
+                        ENGINE_R_NO_LOAD_FUNCTION);
+                return 0;
+                }
+        pkey = e->load_privkey(e, key_id, ui_method, callback_data);
+        if (!pkey)
+                {
+                ENGINEerr(ENGINE_F_ENGINE_LOAD_PRIVATE_KEY,
+                        ENGINE_R_FAILED_LOADING_PRIVATE_KEY);
+                return 0;
+                }
+        return pkey;
+        }
+
+EVP_PKEY *ENGINE_load_public_key(ENGINE *e, const char *key_id,
+        UI_METHOD *ui_method, void *callback_data)
+        {
+        EVP_PKEY *pkey;
+
+        if(e == NULL)
+                {
+                ENGINEerr(ENGINE_F_ENGINE_LOAD_PUBLIC_KEY,
+                        ERR_R_PASSED_NULL_PARAMETER);
+                return 0;
+                }
+        CRYPTO_w_lock(CRYPTO_LOCK_ENGINE);
+        if(e->funct_ref == 0)
+                {
+                CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
+                ENGINEerr(ENGINE_F_ENGINE_LOAD_PUBLIC_KEY,
+                        ENGINE_R_NOT_INITIALISED);
+                return 0;
+                }
+        CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
+        if (!e->load_pubkey)
+                {
+                ENGINEerr(ENGINE_F_ENGINE_LOAD_PUBLIC_KEY,
+                        ENGINE_R_NO_LOAD_FUNCTION);
+                return 0;
+                }
+        pkey = e->load_pubkey(e, key_id, ui_method, callback_data);
+        if (!pkey)
+                {
+                ENGINEerr(ENGINE_F_ENGINE_LOAD_PUBLIC_KEY,
+                        ENGINE_R_FAILED_LOADING_PUBLIC_KEY);
+                return 0;
+                }
+        return pkey;
+        }
diff --git a/src/lib/libcrypto/engine/eng_table.c b/src/lib/libcrypto/engine/eng_table.c
new file mode 100644
index 0000000000..c69a84a8bf
--- /dev/null
+++ b/src/lib/libcrypto/engine/eng_table.c
@@ -0,0 +1,361 @@
+/* ====================================================================
+ * Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <openssl/evp.h>
+#include <openssl/engine.h>
+#include "eng_int.h"
+
+/* This is the type of item in the 'implementation' table. Each 'nid' hashes to
+ * a (potentially NULL) ENGINE_PILE structure which contains a stack of ENGINE*
+ * pointers. These pointers aren't references, because they're inserted and
+ * removed during ENGINE creation and ENGINE destruction. They point to ENGINEs
+ * that *exist* (ie. have a structural reference count greater than zero) rather
+ * than ENGINEs that are *functional*. Each pointer in those stacks are to
+ * ENGINEs that implements the algorithm corresponding to each 'nid'. */
+
+/* The type of the items in the table */
+typedef struct st_engine_pile
+        {
+        /* The 'nid' of the algorithm/mode this ENGINE_PILE structure represents
+         * */
+        int nid;
+        /* A stack of ENGINE pointers for ENGINEs that support this
+         * algorithm/mode. In the event that 'funct' is NULL, the first entry in
+         * this stack that initialises will be set as 'funct' and assumed as the
+         * default for operations of this type. */
+        STACK_OF(ENGINE) *sk;
+        /* The default ENGINE to perform this algorithm/mode. */
+        ENGINE *funct;
+        /* This value optimises engine_table_select(). If it is called it sets
+         * this value to 1. Any changes to this ENGINE_PILE resets it to zero.
+         * As such, no ENGINE_init() thrashing is done unless ENGINEs
+         * continually register (and/or unregister). */
+        int uptodate;
+        } ENGINE_PILE;
+
+/* The type of the hash table of ENGINE_PILE structures such that each are
+ * unique and keyed by the 'nid' value. */
+struct st_engine_table
+        {
+        LHASH piles;
+        }; /* ENGINE_TABLE */
+
+/* This value stores global options controlling behaviour of (mostly) the
+ * engine_table_select() function. It's a bitmask of flag values of the form
+ * ENGINE_TABLE_FLAG_*** (as defined in engine.h) and is controlled by the
+ * ENGINE_[get|set]_table_flags() function. */
+static unsigned int table_flags = 0;
+
+/* API function manipulating 'table_flags' */
+unsigned int ENGINE_get_table_flags(void)
+        {
+        return table_flags;
+        }
+void ENGINE_set_table_flags(unsigned int flags)
+        {
+        table_flags = flags;
+        }
+
+/* Internal functions for the "piles" hash table */
+static unsigned long engine_pile_hash(const ENGINE_PILE *c)
+        {
+        return c->nid;
+        }
+static int engine_pile_cmp(const ENGINE_PILE *a, const ENGINE_PILE *b)
+        {
+        return a->nid - b->nid;
+        }
+static IMPLEMENT_LHASH_HASH_FN(engine_pile_hash, const ENGINE_PILE *)
+static IMPLEMENT_LHASH_COMP_FN(engine_pile_cmp, const ENGINE_PILE *)
+static int int_table_check(ENGINE_TABLE **t, int create)
+        {
+        LHASH *lh;
+        if(*t)
+                return 1;
+        if(!create)
+                return 0;
+        if((lh = lh_new(LHASH_HASH_FN(engine_pile_hash),
+                        LHASH_COMP_FN(engine_pile_cmp))) == NULL)
+                return 0;
+        *t = (ENGINE_TABLE *)lh;
+        return 1;
+        }
+
+/* Privately exposed (via eng_int.h) functions for adding and/or removing
+ * ENGINEs from the implementation table */
+int engine_table_register(ENGINE_TABLE **table, ENGINE_CLEANUP_CB *cleanup,
+                ENGINE *e, const int *nids, int num_nids, int setdefault)
+        {
+        int ret = 0, added = 0;
+        ENGINE_PILE tmplate, *fnd;
+        CRYPTO_w_lock(CRYPTO_LOCK_ENGINE);
+        if(!(*table))
+                added = 1;
+        if(!int_table_check(table, 1))
+                goto end;
+        if(added)
+                /* The cleanup callback needs to be added */
+                engine_cleanup_add_first(cleanup);
+        while(num_nids--)
+                {
+                tmplate.nid = *nids;
+                fnd = lh_retrieve(&(*table)->piles, &tmplate);
+                if(!fnd)
+                        {
+                        fnd = OPENSSL_malloc(sizeof(ENGINE_PILE));
+                        if(!fnd)
+                                goto end;
+                        fnd->uptodate = 1;
+                        fnd->nid = *nids;
+                        fnd->sk = sk_ENGINE_new_null();
+                        if(!fnd->sk)
+                                {
+                                OPENSSL_free(fnd);
+                                goto end;
+                                }
+                        fnd->funct= NULL;
+                        lh_insert(&(*table)->piles, fnd);
+                        }
+                /* A registration shouldn't add duplciate entries */
+                sk_ENGINE_delete_ptr(fnd->sk, e);
+                /* if 'setdefault', this ENGINE goes to the head of the list */
+                if(!sk_ENGINE_push(fnd->sk, e))
+                        goto end;
+                /* "touch" this ENGINE_PILE */
+                fnd->uptodate = 0;
+                if(setdefault)
+                        {
+                        if(!engine_unlocked_init(e))
+                                {
+                                ENGINEerr(ENGINE_F_ENGINE_TABLE_REGISTER,
+                                                ENGINE_R_INIT_FAILED);
+                                goto end;
+                                }
+                        if(fnd->funct)
+                                engine_unlocked_finish(fnd->funct, 0);
+                        fnd->funct = e;
+                        }
+                nids++;
+                }
+        ret = 1;
+end:
+        CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
+        return ret;
+        }
+static void int_unregister_cb(ENGINE_PILE *pile, ENGINE *e)
+        {
+        int n;
+        /* Iterate the 'c->sk' stack removing any occurance of 'e' */
+        while((n = sk_ENGINE_find(pile->sk, e)) >= 0)
+                {
+                sk_ENGINE_delete(pile->sk, n);
+                /* "touch" this ENGINE_CIPHER */
+                pile->uptodate = 0;
+                }
+        if(pile->funct == e)
+                {
+                engine_unlocked_finish(e, 0);
+                pile->funct = NULL;
+                }
+        }
+static IMPLEMENT_LHASH_DOALL_ARG_FN(int_unregister_cb,ENGINE_PILE *,ENGINE *)
+void engine_table_unregister(ENGINE_TABLE **table, ENGINE *e)
+        {
+        CRYPTO_w_lock(CRYPTO_LOCK_ENGINE);
+        if(int_table_check(table, 0))
+                lh_doall_arg(&(*table)->piles,
+                        LHASH_DOALL_ARG_FN(int_unregister_cb), e);
+        CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
+        }
+
+static void int_cleanup_cb(ENGINE_PILE *p)
+        {
+        sk_ENGINE_free(p->sk);
+        if(p->funct)
+                engine_unlocked_finish(p->funct, 0);
+        OPENSSL_free(p);
+        }
+static IMPLEMENT_LHASH_DOALL_FN(int_cleanup_cb,ENGINE_PILE *)
+void engine_table_cleanup(ENGINE_TABLE **table)
+        {
+        CRYPTO_w_lock(CRYPTO_LOCK_ENGINE);
+        if(*table)
+                {
+                lh_doall(&(*table)->piles, LHASH_DOALL_FN(int_cleanup_cb));
+                lh_free(&(*table)->piles);
+                *table = NULL;
+                }
+        CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
+        }
+
+/* Exposed API function to get a functional reference from the implementation
+ * table (ie. try to get a functional reference from the tabled structural
+ * references) for a given cipher 'nid' */
+#ifndef ENGINE_TABLE_DEBUG
+ENGINE *engine_table_select(ENGINE_TABLE **table, int nid)
+#else
+ENGINE *engine_table_select_tmp(ENGINE_TABLE **table, int nid, const char *f, int l)
+#endif
+        {
+        ENGINE *ret = NULL;
+        ENGINE_PILE tmplate, *fnd=NULL;
+        int initres, loop = 0;
+
+        /* If 'engine_ciphers' is NULL, then it's absolutely *sure* that no
+         * ENGINEs have registered any implementations! */
+        if(!(*table))
+                {
+#ifdef ENGINE_TABLE_DEBUG
+                fprintf(stderr, "engine_table_dbg: %s:%d, nid=%d, no "
+                        "registered for anything!\n", f, l, nid);
+#endif
+                return NULL;
+                }
+        CRYPTO_w_lock(CRYPTO_LOCK_ENGINE);
+        /* Check again inside the lock otherwise we could race against cleanup
+         * operations. But don't worry about a fprintf(stderr). */
+        if(!int_table_check(table, 0))
+                goto end;
+        tmplate.nid = nid;
+        fnd = lh_retrieve(&(*table)->piles, &tmplate);
+        if(!fnd)
+                goto end;
+        if(fnd->funct && engine_unlocked_init(fnd->funct))
+                {
+#ifdef ENGINE_TABLE_DEBUG
+                fprintf(stderr, "engine_table_dbg: %s:%d, nid=%d, using "
+                        "ENGINE '%s' cached\n", f, l, nid, fnd->funct->id);
+#endif
+                ret = fnd->funct;
+                goto end;
+                }
+        if(fnd->uptodate)
+                {
+                ret = fnd->funct;
+                goto end;
+                }
+trynext:
+        ret = sk_ENGINE_value(fnd->sk, loop++);
+        if(!ret)
+                {
+#ifdef ENGINE_TABLE_DEBUG
+                fprintf(stderr, "engine_table_dbg: %s:%d, nid=%d, no "
+                                "registered implementations would initialise\n",
+                                f, l, nid);
+#endif
+                goto end;
+                }
+#if 0
+        /* Don't need to get a reference if we hold the lock. If the locking has
+         * to change in future, that would be different ... */
+        ret->struct_ref++; engine_ref_debug(ret, 0, 1)
+#endif
+        /* Try and initialise the ENGINE if it's already functional *or* if the
+         * ENGINE_TABLE_FLAG_NOINIT flag is not set. */
+        if((ret->funct_ref > 0) || !(table_flags & ENGINE_TABLE_FLAG_NOINIT))
+                initres = engine_unlocked_init(ret);
+        else
+                initres = 0;
+#if 0
+        /* Release the structural reference */
+        ret->struct_ref--; engine_ref_debug(ret, 0, -1);
+#endif
+        if(initres)
+                {
+                /* If we didn't have a default (functional reference) for this
+                 * 'nid' (or we had one but for whatever reason we're now
+                 * initialising a different one), use this opportunity to set
+                 * 'funct'. */
+                if((fnd->funct != ret) && engine_unlocked_init(ret))
+                        {
+                        /* If there was a previous default we release it. */
+                        if(fnd->funct)
+                                engine_unlocked_finish(fnd->funct, 0);
+                        /* We got an extra functional reference for the
+                         * per-'nid' default */
+                        fnd->funct = ret;
+#ifdef ENGINE_TABLE_DEBUG
+                        fprintf(stderr, "engine_table_dbg: %s:%d, nid=%d, "
+                                "setting default to '%s'\n", f, l, nid, ret->id);
+#endif
+                        }
+#ifdef ENGINE_TABLE_DEBUG
+                fprintf(stderr, "engine_table_dbg: %s:%d, nid=%d, using "
+                                "newly initialised '%s'\n", f, l, nid, ret->id);
+#endif
+                goto end;
+                }
+        goto trynext;
+end:
+        /* Whatever happened - we should "untouch" our uptodate file seeing as
+         * we have tried our best to find a functional reference for 'nid'. If
+         * it failed, it is unlikely to succeed again until some future
+         * registrations (or unregistrations) have taken place that affect that
+         * 'nid'. */
+        if(fnd)
+                fnd->uptodate = 1;
+#ifdef ENGINE_TABLE_DEBUG
+        if(ret)
+                fprintf(stderr, "engine_table_dbg: %s:%d, nid=%d, caching "
+                                "ENGINE '%s'\n", f, l, nid, ret->id);
+        else
+                fprintf(stderr, "engine_table_dbg: %s:%d, nid=%d, caching "
+                                "'no matching ENGINE'\n", f, l, nid);
+#endif
+        CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
+        /* Whatever happened, any failed init()s are not failures in this
+         * context, so clear our error state. */
+        ERR_clear_error();
+        return ret;
+        }
diff --git a/src/lib/libcrypto/engine/engine.h b/src/lib/libcrypto/engine/engine.h
index 2983f47034..97f5de9e12 100644
--- a/src/lib/libcrypto/engine/engine.h
+++ b/src/lib/libcrypto/engine/engine.h
@@ -3,7 +3,7 @@
  * project 2000.
  */
 /* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2001 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -59,36 +59,171 @@
 #ifndef HEADER_ENGINE_H
 #define HEADER_ENGINE_H
 
+#include <openssl/ossl_typ.h>
 #include <openssl/bn.h>
+#ifndef OPENSSL_NO_RSA
 #include <openssl/rsa.h>
+#endif
+#ifndef OPENSSL_NO_DSA
 #include <openssl/dsa.h>
+#endif
+#ifndef OPENSSL_NO_DH
 #include <openssl/dh.h>
+#endif
 #include <openssl/rand.h>
-#include <openssl/evp.h>
+#include <openssl/ui.h>
 #include <openssl/symhacks.h>
+#include <openssl/err.h>
 
 #ifdef  __cplusplus
 extern "C" {
 #endif
 
+/* Fixups for missing algorithms */
+#ifdef OPENSSL_NO_RSA
+typedef void RSA_METHOD;
+#endif
+#ifdef OPENSSL_NO_DSA
+typedef void DSA_METHOD;
+#endif
+#ifdef OPENSSL_NO_DH
+typedef void DH_METHOD;
+#endif
+
 /* These flags are used to control combinations of algorithm (methods)
  * by bitwise "OR"ing. */
 #define ENGINE_METHOD_RSA               (unsigned int)0x0001
 #define ENGINE_METHOD_DSA               (unsigned int)0x0002
 #define ENGINE_METHOD_DH                (unsigned int)0x0004
 #define ENGINE_METHOD_RAND              (unsigned int)0x0008
-#define ENGINE_METHOD_BN_MOD_EXP        (unsigned int)0x0010
-#define ENGINE_METHOD_BN_MOD_EXP_CRT    (unsigned int)0x0020
+#define ENGINE_METHOD_CIPHERS           (unsigned int)0x0040
+#define ENGINE_METHOD_DIGESTS           (unsigned int)0x0080
 /* Obvious all-or-nothing cases. */
 #define ENGINE_METHOD_ALL               (unsigned int)0xFFFF
 #define ENGINE_METHOD_NONE              (unsigned int)0x0000
 
+/* This(ese) flag(s) controls behaviour of the ENGINE_TABLE mechanism used
+ * internally to control registration of ENGINE implementations, and can be set
+ * by ENGINE_set_table_flags(). The "NOINIT" flag prevents attempts to
+ * initialise registered ENGINEs if they are not already initialised. */
+#define ENGINE_TABLE_FLAG_NOINIT        (unsigned int)0x0001
+
+/* ENGINE flags that can be set by ENGINE_set_flags(). */
+/* #define ENGINE_FLAGS_MALLOCED        0x0001 */ /* Not used */
+
+/* This flag is for ENGINEs that wish to handle the various 'CMD'-related
+ * control commands on their own. Without this flag, ENGINE_ctrl() handles these
+ * control commands on behalf of the ENGINE using their "cmd_defns" data. */
+#define ENGINE_FLAGS_MANUAL_CMD_CTRL    (int)0x0002
+
+/* This flag is for ENGINEs who return new duplicate structures when found via
+ * "ENGINE_by_id()". When an ENGINE must store state (eg. if ENGINE_ctrl()
+ * commands are called in sequence as part of some stateful process like
+ * key-generation setup and execution), it can set this flag - then each attempt
+ * to obtain the ENGINE will result in it being copied into a new structure.
+ * Normally, ENGINEs don't declare this flag so ENGINE_by_id() just increments
+ * the existing ENGINE's structural reference count. */
+#define ENGINE_FLAGS_BY_ID_COPY         (int)0x0004
+
+/* ENGINEs can support their own command types, and these flags are used in
+ * ENGINE_CTRL_GET_CMD_FLAGS to indicate to the caller what kind of input each
+ * command expects. Currently only numeric and string input is supported. If a
+ * control command supports none of the _NUMERIC, _STRING, or _NO_INPUT options,
+ * then it is regarded as an "internal" control command - and not for use in
+ * config setting situations. As such, they're not available to the
+ * ENGINE_ctrl_cmd_string() function, only raw ENGINE_ctrl() access. Changes to
+ * this list of 'command types' should be reflected carefully in
+ * ENGINE_cmd_is_executable() and ENGINE_ctrl_cmd_string(). */
+
+/* accepts a 'long' input value (3rd parameter to ENGINE_ctrl) */
+#define ENGINE_CMD_FLAG_NUMERIC         (unsigned int)0x0001
+/* accepts string input (cast from 'void*' to 'const char *', 4th parameter to
+ * ENGINE_ctrl) */
+#define ENGINE_CMD_FLAG_STRING          (unsigned int)0x0002
+/* Indicates that the control command takes *no* input. Ie. the control command
+ * is unparameterised. */
+#define ENGINE_CMD_FLAG_NO_INPUT        (unsigned int)0x0004
+/* Indicates that the control command is internal. This control command won't
+ * be shown in any output, and is only usable through the ENGINE_ctrl_cmd()
+ * function. */
+#define ENGINE_CMD_FLAG_INTERNAL        (unsigned int)0x0008
+
+/* NB: These 3 control commands are deprecated and should not be used. ENGINEs
+ * relying on these commands should compile conditional support for
+ * compatibility (eg. if these symbols are defined) but should also migrate the
+ * same functionality to their own ENGINE-specific control functions that can be
+ * "discovered" by calling applications. The fact these control commands
+ * wouldn't be "executable" (ie. usable by text-based config) doesn't change the
+ * fact that application code can find and use them without requiring per-ENGINE
+ * hacking. */
+
 /* These flags are used to tell the ctrl function what should be done.
  * All command numbers are shared between all engines, even if some don't
  * make sense to some engines.  In such a case, they do nothing but return
  * the error ENGINE_R_CTRL_COMMAND_NOT_IMPLEMENTED. */
 #define ENGINE_CTRL_SET_LOGSTREAM               1
 #define ENGINE_CTRL_SET_PASSWORD_CALLBACK       2
+#define ENGINE_CTRL_HUP                         3 /* Close and reinitialise any
+                                                     handles/connections etc. */
+#define ENGINE_CTRL_SET_USER_INTERFACE          4 /* Alternative to callback */
+#define ENGINE_CTRL_SET_CALLBACK_DATA           5 /* User-specific data, used
+                                                     when calling the password
+                                                     callback and the user
+                                                     interface */
+
+/* These control commands allow an application to deal with an arbitrary engine
+ * in a dynamic way. Warn: Negative return values indicate errors FOR THESE
+ * COMMANDS because zero is used to indicate 'end-of-list'. Other commands,
+ * including ENGINE-specific command types, return zero for an error.
+ *
+ * An ENGINE can choose to implement these ctrl functions, and can internally
+ * manage things however it chooses - it does so by setting the
+ * ENGINE_FLAGS_MANUAL_CMD_CTRL flag (using ENGINE_set_flags()). Otherwise the
+ * ENGINE_ctrl() code handles this on the ENGINE's behalf using the cmd_defns
+ * data (set using ENGINE_set_cmd_defns()). This means an ENGINE's ctrl()
+ * handler need only implement its own commands - the above "meta" commands will
+ * be taken care of. */
+
+/* Returns non-zero if the supplied ENGINE has a ctrl() handler. If "not", then
+ * all the remaining control commands will return failure, so it is worth
+ * checking this first if the caller is trying to "discover" the engine's
+ * capabilities and doesn't want errors generated unnecessarily. */
+#define ENGINE_CTRL_HAS_CTRL_FUNCTION           10
+/* Returns a positive command number for the first command supported by the
+ * engine. Returns zero if no ctrl commands are supported. */
+#define ENGINE_CTRL_GET_FIRST_CMD_TYPE          11
+/* The 'long' argument specifies a command implemented by the engine, and the
+ * return value is the next command supported, or zero if there are no more. */
+#define ENGINE_CTRL_GET_NEXT_CMD_TYPE           12
+/* The 'void*' argument is a command name (cast from 'const char *'), and the
+ * return value is the command that corresponds to it. */
+#define ENGINE_CTRL_GET_CMD_FROM_NAME           13
+/* The next two allow a command to be converted into its corresponding string
+ * form. In each case, the 'long' argument supplies the command. In the NAME_LEN
+ * case, the return value is the length of the command name (not counting a
+ * trailing EOL). In the NAME case, the 'void*' argument must be a string buffer
+ * large enough, and it will be populated with the name of the command (WITH a
+ * trailing EOL). */
+#define ENGINE_CTRL_GET_NAME_LEN_FROM_CMD       14
+#define ENGINE_CTRL_GET_NAME_FROM_CMD           15
+/* The next two are similar but give a "short description" of a command. */
+#define ENGINE_CTRL_GET_DESC_LEN_FROM_CMD       16
+#define ENGINE_CTRL_GET_DESC_FROM_CMD           17
+/* With this command, the return value is the OR'd combination of
+ * ENGINE_CMD_FLAG_*** values that indicate what kind of input a given
+ * engine-specific ctrl command expects. */
+#define ENGINE_CTRL_GET_CMD_FLAGS               18
+
+/* ENGINE implementations should start the numbering of their own control
+ * commands from this value. (ie. ENGINE_CMD_BASE, ENGINE_CMD_BASE + 1, etc). */
+#define ENGINE_CMD_BASE         200
+
+/* NB: These 2 nCipher "chil" control commands are deprecated, and their
+ * functionality is now available through ENGINE-specific control commands
+ * (exposed through the above-mentioned 'CMD'-handling). Code using these 2
+ * commands should be migrated to the more general command handling before these
+ * are removed. */
+
 /* Flags specific to the nCipher "chil" engine */
 #define ENGINE_CTRL_CHIL_SET_FORKCHECK          100
         /* Depending on the value of the (long)i argument, this sets or
@@ -99,45 +234,55 @@ extern "C" {
         /* This prevents the initialisation function from providing mutex
          * callbacks to the nCipher library. */
 
-/* As we're missing a BIGNUM_METHOD, we need a couple of locally
- * defined function types that engines can implement. */
-
-#ifndef HEADER_ENGINE_INT_H
-/* mod_exp operation, calculates; r = a ^ p mod m
- * NB: ctx can be NULL, but if supplied, the implementation may use
- * it if it wishes. */
-typedef int (*BN_MOD_EXP)(BIGNUM *r, BIGNUM *a, const BIGNUM *p,
-                const BIGNUM *m, BN_CTX *ctx);
-
-/* private key operation for RSA, provided seperately in case other
- * RSA implementations wish to use it. */
-typedef int (*BN_MOD_EXP_CRT)(BIGNUM *r, BIGNUM *a, const BIGNUM *p,
-                const BIGNUM *q, const BIGNUM *dmp1, const BIGNUM *dmq1,
-                const BIGNUM *iqmp, BN_CTX *ctx);
+/* If an ENGINE supports its own specific control commands and wishes the
+ * framework to handle the above 'ENGINE_CMD_***'-manipulation commands on its
+ * behalf, it should supply a null-terminated array of ENGINE_CMD_DEFN entries
+ * to ENGINE_set_cmd_defns(). It should also implement a ctrl() handler that
+ * supports the stated commands (ie. the "cmd_num" entries as described by the
+ * array). NB: The array must be ordered in increasing order of cmd_num.
+ * "null-terminated" means that the last ENGINE_CMD_DEFN element has cmd_num set
+ * to zero and/or cmd_name set to NULL. */
+typedef struct ENGINE_CMD_DEFN_st
+        {
+        unsigned int cmd_num; /* The command number */
+        const char *cmd_name; /* The command name itself */
+        const char *cmd_desc; /* A short description of the command */
+        unsigned int cmd_flags; /* The input the command expects */
+        } ENGINE_CMD_DEFN;
 
 /* Generic function pointer */
-typedef void (*ENGINE_GEN_FUNC_PTR)();
+typedef int (*ENGINE_GEN_FUNC_PTR)();
 /* Generic function pointer taking no arguments */
-typedef void (*ENGINE_GEN_INT_FUNC_PTR)(void);
+typedef int (*ENGINE_GEN_INT_FUNC_PTR)(ENGINE *);
 /* Specific control function pointer */
-typedef int (*ENGINE_CTRL_FUNC_PTR)(int cmd, long i, void *p, void (*f)());
-
-/* The list of "engine" types is a static array of (const ENGINE*)
- * pointers (not dynamic because static is fine for now and we otherwise
- * have to hook an appropriate load/unload function in to initialise and
- * cleanup). */
-typedef struct engine_st ENGINE;
-#endif
+typedef int (*ENGINE_CTRL_FUNC_PTR)(ENGINE *, int, long, void *, void (*f)());
+/* Generic load_key function pointer */
+typedef EVP_PKEY * (*ENGINE_LOAD_KEY_PTR)(ENGINE *, const char *,
+        UI_METHOD *ui_method, void *callback_data);
+/* These callback types are for an ENGINE's handler for cipher and digest logic.
+ * These handlers have these prototypes;
+ *   int foo(ENGINE *e, const EVP_CIPHER **cipher, const int **nids, int nid);
+ *   int foo(ENGINE *e, const EVP_MD **digest, const int **nids, int nid);
+ * Looking at how to implement these handlers in the case of cipher support, if
+ * the framework wants the EVP_CIPHER for 'nid', it will call;
+ *   foo(e, &p_evp_cipher, NULL, nid);    (return zero for failure)
+ * If the framework wants a list of supported 'nid's, it will call;
+ *   foo(e, NULL, &p_nids, 0); (returns number of 'nids' or -1 for error)
+ */
+/* Returns to a pointer to the array of supported cipher 'nid's. If the second
+ * parameter is non-NULL it is set to the size of the returned array. */
+typedef int (*ENGINE_CIPHERS_PTR)(ENGINE *, const EVP_CIPHER **, const int **, int);
+typedef int (*ENGINE_DIGESTS_PTR)(ENGINE *, const EVP_MD **, const int **, int);
 
-/* STRUCTURE functions ... all of these functions deal with pointers to
- * ENGINE structures where the pointers have a "structural reference".
- * This means that their reference is to allow access to the structure
- * but it does not imply that the structure is functional. To simply
- * increment or decrement the structural reference count, use ENGINE_new
- * and ENGINE_free. NB: This is not required when iterating using
- * ENGINE_get_next as it will automatically decrement the structural
- * reference count of the "current" ENGINE and increment the structural
- * reference count of the ENGINE it returns (unless it is NULL). */
+/* STRUCTURE functions ... all of these functions deal with pointers to ENGINE
+ * structures where the pointers have a "structural reference". This means that
+ * their reference is to allowed access to the structure but it does not imply
+ * that the structure is functional. To simply increment or decrement the
+ * structural reference count, use ENGINE_by_id and ENGINE_free. NB: This is not
+ * required when iterating using ENGINE_get_next as it will automatically
+ * decrement the structural reference count of the "current" ENGINE and
+ * increment the structural reference count of the ENGINE it returns (unless it
+ * is NULL). */
 
 /* Get the first/last "ENGINE" type available. */
 ENGINE *ENGINE_get_first(void);
@@ -151,67 +296,170 @@ int ENGINE_add(ENGINE *e);
 int ENGINE_remove(ENGINE *e);
 /* Retrieve an engine from the list by its unique "id" value. */
 ENGINE *ENGINE_by_id(const char *id);
+/* Add all the built-in engines. */
+void ENGINE_load_openssl(void);
+void ENGINE_load_dynamic(void);
+void ENGINE_load_cswift(void);
+void ENGINE_load_chil(void);
+void ENGINE_load_atalla(void);
+void ENGINE_load_nuron(void);
+void ENGINE_load_ubsec(void);
+void ENGINE_load_aep(void);
+void ENGINE_load_sureware(void);
+void ENGINE_load_4758cca(void);
+void ENGINE_load_openbsd_dev_crypto(void);
+void ENGINE_load_builtin_engines(void);
+#ifdef __OpenBSD__
+void ENGINE_load_cryptodev(void);
+#endif  
+        
+/* Get and set global flags (ENGINE_TABLE_FLAG_***) for the implementation
+ * "registry" handling. */
+unsigned int ENGINE_get_table_flags(void);
+void ENGINE_set_table_flags(unsigned int flags);
 
-/* These functions are useful for manufacturing new ENGINE
- * structures. They don't address reference counting at all -
- * one uses them to populate an ENGINE structure with personalised
- * implementations of things prior to using it directly or adding
- * it to the builtin ENGINE list in OpenSSL. These are also here
- * so that the ENGINE structure doesn't have to be exposed and
- * break binary compatibility!
- *
- * NB: I'm changing ENGINE_new to force the ENGINE structure to
- * be allocated from within OpenSSL. See the comment for
- * ENGINE_get_struct_size().
- */
-#if 0
-ENGINE *ENGINE_new(ENGINE *e);
-#else
+/* Manage registration of ENGINEs per "table". For each type, there are 3
+ * functions;
+ *   ENGINE_register_***(e) - registers the implementation from 'e' (if it has one)
+ *   ENGINE_unregister_***(e) - unregister the implementation from 'e'
+ *   ENGINE_register_all_***() - call ENGINE_register_***() for each 'e' in the list
+ * Cleanup is automatically registered from each table when required, so
+ * ENGINE_cleanup() will reverse any "register" operations. */
+
+int ENGINE_register_RSA(ENGINE *e);
+void ENGINE_unregister_RSA(ENGINE *e);
+void ENGINE_register_all_RSA(void);
+
+int ENGINE_register_DSA(ENGINE *e);
+void ENGINE_unregister_DSA(ENGINE *e);
+void ENGINE_register_all_DSA(void);
+
+int ENGINE_register_DH(ENGINE *e);
+void ENGINE_unregister_DH(ENGINE *e);
+void ENGINE_register_all_DH(void);
+
+int ENGINE_register_RAND(ENGINE *e);
+void ENGINE_unregister_RAND(ENGINE *e);
+void ENGINE_register_all_RAND(void);
+
+int ENGINE_register_ciphers(ENGINE *e);
+void ENGINE_unregister_ciphers(ENGINE *e);
+void ENGINE_register_all_ciphers(void);
+
+int ENGINE_register_digests(ENGINE *e);
+void ENGINE_unregister_digests(ENGINE *e);
+void ENGINE_register_all_digests(void);
+
+/* These functions register all support from the above categories. Note, use of
+ * these functions can result in static linkage of code your application may not
+ * need. If you only need a subset of functionality, consider using more
+ * selective initialisation. */
+int ENGINE_register_complete(ENGINE *e);
+int ENGINE_register_all_complete(void);
+
+/* Send parametrised control commands to the engine. The possibilities to send
+ * down an integer, a pointer to data or a function pointer are provided. Any of
+ * the parameters may or may not be NULL, depending on the command number. In
+ * actuality, this function only requires a structural (rather than functional)
+ * reference to an engine, but many control commands may require the engine be
+ * functional. The caller should be aware of trying commands that require an
+ * operational ENGINE, and only use functional references in such situations. */
+int ENGINE_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)());
+
+/* This function tests if an ENGINE-specific command is usable as a "setting".
+ * Eg. in an application's config file that gets processed through
+ * ENGINE_ctrl_cmd_string(). If this returns zero, it is not available to
+ * ENGINE_ctrl_cmd_string(), only ENGINE_ctrl(). */
+int ENGINE_cmd_is_executable(ENGINE *e, int cmd);
+
+/* This function works like ENGINE_ctrl() with the exception of taking a
+ * command name instead of a command number, and can handle optional commands.
+ * See the comment on ENGINE_ctrl_cmd_string() for an explanation on how to
+ * use the cmd_name and cmd_optional. */
+int ENGINE_ctrl_cmd(ENGINE *e, const char *cmd_name,
+        long i, void *p, void (*f)(), int cmd_optional);
+
+/* This function passes a command-name and argument to an ENGINE. The cmd_name
+ * is converted to a command number and the control command is called using
+ * 'arg' as an argument (unless the ENGINE doesn't support such a command, in
+ * which case no control command is called). The command is checked for input
+ * flags, and if necessary the argument will be converted to a numeric value. If
+ * cmd_optional is non-zero, then if the ENGINE doesn't support the given
+ * cmd_name the return value will be success anyway. This function is intended
+ * for applications to use so that users (or config files) can supply
+ * engine-specific config data to the ENGINE at run-time to control behaviour of
+ * specific engines. As such, it shouldn't be used for calling ENGINE_ctrl()
+ * functions that return data, deal with binary data, or that are otherwise
+ * supposed to be used directly through ENGINE_ctrl() in application code. Any
+ * "return" data from an ENGINE_ctrl() operation in this function will be lost -
+ * the return value is interpreted as failure if the return value is zero,
+ * success otherwise, and this function returns a boolean value as a result. In
+ * other words, vendors of 'ENGINE'-enabled devices should write ENGINE
+ * implementations with parameterisations that work in this scheme, so that
+ * compliant ENGINE-based applications can work consistently with the same
+ * configuration for the same ENGINE-enabled devices, across applications. */
+int ENGINE_ctrl_cmd_string(ENGINE *e, const char *cmd_name, const char *arg,
+                                int cmd_optional);
+
+/* These functions are useful for manufacturing new ENGINE structures. They
+ * don't address reference counting at all - one uses them to populate an ENGINE
+ * structure with personalised implementations of things prior to using it
+ * directly or adding it to the builtin ENGINE list in OpenSSL. These are also
+ * here so that the ENGINE structure doesn't have to be exposed and break binary
+ * compatibility! */
 ENGINE *ENGINE_new(void);
-#endif
 int ENGINE_free(ENGINE *e);
 int ENGINE_set_id(ENGINE *e, const char *id);
 int ENGINE_set_name(ENGINE *e, const char *name);
-int ENGINE_set_RSA(ENGINE *e, RSA_METHOD *rsa_meth);
-int ENGINE_set_DSA(ENGINE *e, DSA_METHOD *dsa_meth);
-int ENGINE_set_DH(ENGINE *e, DH_METHOD *dh_meth);
-int ENGINE_set_RAND(ENGINE *e, RAND_METHOD *rand_meth);
-int ENGINE_set_BN_mod_exp(ENGINE *e, BN_MOD_EXP bn_mod_exp);
-int ENGINE_set_BN_mod_exp_crt(ENGINE *e, BN_MOD_EXP_CRT bn_mod_exp_crt);
+int ENGINE_set_RSA(ENGINE *e, const RSA_METHOD *rsa_meth);
+int ENGINE_set_DSA(ENGINE *e, const DSA_METHOD *dsa_meth);
+int ENGINE_set_DH(ENGINE *e, const DH_METHOD *dh_meth);
+int ENGINE_set_RAND(ENGINE *e, const RAND_METHOD *rand_meth);
+int ENGINE_set_destroy_function(ENGINE *e, ENGINE_GEN_INT_FUNC_PTR destroy_f);
 int ENGINE_set_init_function(ENGINE *e, ENGINE_GEN_INT_FUNC_PTR init_f);
 int ENGINE_set_finish_function(ENGINE *e, ENGINE_GEN_INT_FUNC_PTR finish_f);
 int ENGINE_set_ctrl_function(ENGINE *e, ENGINE_CTRL_FUNC_PTR ctrl_f);
+int ENGINE_set_load_privkey_function(ENGINE *e, ENGINE_LOAD_KEY_PTR loadpriv_f);
+int ENGINE_set_load_pubkey_function(ENGINE *e, ENGINE_LOAD_KEY_PTR loadpub_f);
+int ENGINE_set_ciphers(ENGINE *e, ENGINE_CIPHERS_PTR f);
+int ENGINE_set_digests(ENGINE *e, ENGINE_DIGESTS_PTR f);
+int ENGINE_set_flags(ENGINE *e, int flags);
+int ENGINE_set_cmd_defns(ENGINE *e, const ENGINE_CMD_DEFN *defns);
+/* These functions (and the "get" function lower down) allow control over any
+ * per-structure ENGINE data. */
+int ENGINE_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
+                CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
+int ENGINE_set_ex_data(ENGINE *e, int idx, void *arg);
 
-/* These return values from within the ENGINE structure. These can
- * be useful with functional references as well as structural
- * references - it depends which you obtained. Using the result
- * for functional purposes if you only obtained a structural
- * reference may be problematic! */
-const char *ENGINE_get_id(ENGINE *e);
-const char *ENGINE_get_name(ENGINE *e);
-RSA_METHOD *ENGINE_get_RSA(ENGINE *e);
-DSA_METHOD *ENGINE_get_DSA(ENGINE *e);
-DH_METHOD *ENGINE_get_DH(ENGINE *e);
-RAND_METHOD *ENGINE_get_RAND(ENGINE *e);
-BN_MOD_EXP ENGINE_get_BN_mod_exp(ENGINE *e);
-BN_MOD_EXP_CRT ENGINE_get_BN_mod_exp_crt(ENGINE *e);
-ENGINE_GEN_INT_FUNC_PTR ENGINE_get_init_function(ENGINE *e);
-ENGINE_GEN_INT_FUNC_PTR ENGINE_get_finish_function(ENGINE *e);
-ENGINE_CTRL_FUNC_PTR ENGINE_get_ctrl_function(ENGINE *e);
-
-/* ENGINE_new is normally passed a NULL in the first parameter because
- * the calling code doesn't have access to the definition of the ENGINE
- * structure (for good reason). However, if the caller wishes to use
- * its own memory allocation or use a static array, the following call
- * should be used to check the amount of memory the ENGINE structure
- * will occupy. This will make the code more future-proof.
- *
- * NB: I'm "#if 0"-ing this out because it's better to force the use of
- * internally allocated memory. See similar change in ENGINE_new().
- */
-#if 0
-int ENGINE_get_struct_size(void);
-#endif
+/* This function cleans up anything that needs it. Eg. the ENGINE_add() function
+ * automatically ensures the list cleanup function is registered to be called
+ * from ENGINE_cleanup(). Similarly, all ENGINE_register_*** functions ensure
+ * ENGINE_cleanup() will clean up after them. */
+void ENGINE_cleanup(void);
+
+/* These return values from within the ENGINE structure. These can be useful
+ * with functional references as well as structural references - it depends
+ * which you obtained. Using the result for functional purposes if you only
+ * obtained a structural reference may be problematic! */
+const char *ENGINE_get_id(const ENGINE *e);
+const char *ENGINE_get_name(const ENGINE *e);
+const RSA_METHOD *ENGINE_get_RSA(const ENGINE *e);
+const DSA_METHOD *ENGINE_get_DSA(const ENGINE *e);
+const DH_METHOD *ENGINE_get_DH(const ENGINE *e);
+const RAND_METHOD *ENGINE_get_RAND(const ENGINE *e);
+ENGINE_GEN_INT_FUNC_PTR ENGINE_get_destroy_function(const ENGINE *e);
+ENGINE_GEN_INT_FUNC_PTR ENGINE_get_init_function(const ENGINE *e);
+ENGINE_GEN_INT_FUNC_PTR ENGINE_get_finish_function(const ENGINE *e);
+ENGINE_CTRL_FUNC_PTR ENGINE_get_ctrl_function(const ENGINE *e);
+ENGINE_LOAD_KEY_PTR ENGINE_get_load_privkey_function(const ENGINE *e);
+ENGINE_LOAD_KEY_PTR ENGINE_get_load_pubkey_function(const ENGINE *e);
+ENGINE_CIPHERS_PTR ENGINE_get_ciphers(const ENGINE *e);
+ENGINE_DIGESTS_PTR ENGINE_get_digests(const ENGINE *e);
+const EVP_CIPHER *ENGINE_get_cipher(ENGINE *e, int nid);
+const EVP_MD *ENGINE_get_digest(ENGINE *e, int nid);
+const ENGINE_CMD_DEFN *ENGINE_get_cmd_defns(const ENGINE *e);
+int ENGINE_get_flags(const ENGINE *e);
+void *ENGINE_get_ex_data(const ENGINE *e, int idx);
 
 /* FUNCTIONAL functions. These functions deal with ENGINE structures
  * that have (or will) be initialised for use. Broadly speaking, the
@@ -233,20 +481,14 @@ int ENGINE_init(ENGINE *e);
  * a corresponding call to ENGINE_free as it also releases a structural
  * reference. */
 int ENGINE_finish(ENGINE *e);
-/* Send control parametrised commands to the engine.  The possibilities
- * to send down an integer, a pointer to data or a function pointer are
- * provided.  Any of the parameters may or may not be NULL, depending
- * on the command number */
-/* WARNING: This is currently experimental and may change radically! */
-int ENGINE_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)());
 
 /* The following functions handle keys that are stored in some secondary
  * location, handled by the engine.  The storage may be on a card or
  * whatever. */
 EVP_PKEY *ENGINE_load_private_key(ENGINE *e, const char *key_id,
-        const char *passphrase);
+        UI_METHOD *ui_method, void *callback_data);
 EVP_PKEY *ENGINE_load_public_key(ENGINE *e, const char *key_id,
-        const char *passphrase);
+        UI_METHOD *ui_method, void *callback_data);
 
 /* This returns a pointer for the current ENGINE structure that
  * is (by default) performing any RSA operations. The value returned
@@ -257,117 +499,192 @@ ENGINE *ENGINE_get_default_RSA(void);
 ENGINE *ENGINE_get_default_DSA(void);
 ENGINE *ENGINE_get_default_DH(void);
 ENGINE *ENGINE_get_default_RAND(void);
-ENGINE *ENGINE_get_default_BN_mod_exp(void);
-ENGINE *ENGINE_get_default_BN_mod_exp_crt(void);
+/* These functions can be used to get a functional reference to perform
+ * ciphering or digesting corresponding to "nid". */
+ENGINE *ENGINE_get_cipher_engine(int nid);
+ENGINE *ENGINE_get_digest_engine(int nid);
 
 /* This sets a new default ENGINE structure for performing RSA
  * operations. If the result is non-zero (success) then the ENGINE
  * structure will have had its reference count up'd so the caller
  * should still free their own reference 'e'. */
 int ENGINE_set_default_RSA(ENGINE *e);
+int ENGINE_set_default_string(ENGINE *e, const char *list);
 /* Same for the other "methods" */
 int ENGINE_set_default_DSA(ENGINE *e);
 int ENGINE_set_default_DH(ENGINE *e);
 int ENGINE_set_default_RAND(ENGINE *e);
-int ENGINE_set_default_BN_mod_exp(ENGINE *e);
-int ENGINE_set_default_BN_mod_exp_crt(ENGINE *e);
+int ENGINE_set_default_ciphers(ENGINE *e);
+int ENGINE_set_default_digests(ENGINE *e);
 
 /* The combination "set" - the flags are bitwise "OR"d from the
- * ENGINE_METHOD_*** defines above. */
+ * ENGINE_METHOD_*** defines above. As with the "ENGINE_register_complete()"
+ * function, this function can result in unnecessary static linkage. If your
+ * application requires only specific functionality, consider using more
+ * selective functions. */
 int ENGINE_set_default(ENGINE *e, unsigned int flags);
 
-/* Obligatory error function. */
-void ERR_load_ENGINE_strings(void);
+void ENGINE_add_conf_module(void);
 
-/*
- * Error codes for all engine functions. NB: We use "generic"
- * function names instead of per-implementation ones because this
- * levels the playing field for externally implemented bootstrapped
- * support code. As the filename and line number is included, it's
- * more important to indicate the type of function, so that
- * bootstrapped code (that can't easily add its own errors in) can
- * use the same error codes too.
- */
+/* Deprecated functions ... */
+/* int ENGINE_clear_defaults(void); */
+
+/**************************/
+/* DYNAMIC ENGINE SUPPORT */
+/**************************/
+
+/* Binary/behaviour compatibility levels */
+#define OSSL_DYNAMIC_VERSION            (unsigned long)0x00010100
+/* Binary versions older than this are too old for us (whether we're a loader or
+ * a loadee) */
+#define OSSL_DYNAMIC_OLDEST             (unsigned long)0x00010100
+
+/* When compiling an ENGINE entirely as an external shared library, loadable by
+ * the "dynamic" ENGINE, these types are needed. The 'dynamic_fns' structure
+ * type provides the calling application's (or library's) error functionality
+ * and memory management function pointers to the loaded library. These should
+ * be used/set in the loaded library code so that the loading application's
+ * 'state' will be used/changed in all operations. */
+typedef void *(*dyn_MEM_malloc_cb)(size_t);
+typedef void *(*dyn_MEM_realloc_cb)(void *, size_t);
+typedef void (*dyn_MEM_free_cb)(void *);
+typedef struct st_dynamic_MEM_fns {
+        dyn_MEM_malloc_cb                       malloc_cb;
+        dyn_MEM_realloc_cb                      realloc_cb;
+        dyn_MEM_free_cb                         free_cb;
+        } dynamic_MEM_fns;
+/* FIXME: Perhaps the memory and locking code (crypto.h) should declare and use
+ * these types so we (and any other dependant code) can simplify a bit?? */
+typedef void (*dyn_lock_locking_cb)(int,int,const char *,int);
+typedef int (*dyn_lock_add_lock_cb)(int*,int,int,const char *,int);
+typedef struct CRYPTO_dynlock_value *(*dyn_dynlock_create_cb)(
+                                                const char *,int);
+typedef void (*dyn_dynlock_lock_cb)(int,struct CRYPTO_dynlock_value *,
+                                                const char *,int);
+typedef void (*dyn_dynlock_destroy_cb)(struct CRYPTO_dynlock_value *,
+                                                const char *,int);
+typedef struct st_dynamic_LOCK_fns {
+        dyn_lock_locking_cb                     lock_locking_cb;
+        dyn_lock_add_lock_cb                    lock_add_lock_cb;
+        dyn_dynlock_create_cb                   dynlock_create_cb;
+        dyn_dynlock_lock_cb                     dynlock_lock_cb;
+        dyn_dynlock_destroy_cb                  dynlock_destroy_cb;
+        } dynamic_LOCK_fns;
+/* The top-level structure */
+typedef struct st_dynamic_fns {
+        const ERR_FNS                           *err_fns;
+        const CRYPTO_EX_DATA_IMPL               *ex_data_fns;
+        dynamic_MEM_fns                         mem_fns;
+        dynamic_LOCK_fns                        lock_fns;
+        } dynamic_fns;
+
+/* The version checking function should be of this prototype. NB: The
+ * ossl_version value passed in is the OSSL_DYNAMIC_VERSION of the loading code.
+ * If this function returns zero, it indicates a (potential) version
+ * incompatibility and the loaded library doesn't believe it can proceed.
+ * Otherwise, the returned value is the (latest) version supported by the
+ * loading library. The loader may still decide that the loaded code's version
+ * is unsatisfactory and could veto the load. The function is expected to
+ * be implemented with the symbol name "v_check", and a default implementation
+ * can be fully instantiated with IMPLEMENT_DYNAMIC_CHECK_FN(). */
+typedef unsigned long (*dynamic_v_check_fn)(unsigned long ossl_version);
+#define IMPLEMENT_DYNAMIC_CHECK_FN() \
+        unsigned long v_check(unsigned long v) { \
+                if(v >= OSSL_DYNAMIC_OLDEST) return OSSL_DYNAMIC_VERSION; \
+                return 0; }
+
+/* This function is passed the ENGINE structure to initialise with its own
+ * function and command settings. It should not adjust the structural or
+ * functional reference counts. If this function returns zero, (a) the load will
+ * be aborted, (b) the previous ENGINE state will be memcpy'd back onto the
+ * structure, and (c) the shared library will be unloaded. So implementations
+ * should do their own internal cleanup in failure circumstances otherwise they
+ * could leak. The 'id' parameter, if non-NULL, represents the ENGINE id that
+ * the loader is looking for. If this is NULL, the shared library can choose to
+ * return failure or to initialise a 'default' ENGINE. If non-NULL, the shared
+ * library must initialise only an ENGINE matching the passed 'id'. The function
+ * is expected to be implemented with the symbol name "bind_engine". A standard
+ * implementation can be instantiated with IMPLEMENT_DYNAMIC_BIND_FN(fn) where
+ * the parameter 'fn' is a callback function that populates the ENGINE structure
+ * and returns an int value (zero for failure). 'fn' should have prototype;
+ *    [static] int fn(ENGINE *e, const char *id); */
+typedef int (*dynamic_bind_engine)(ENGINE *e, const char *id,
+                                const dynamic_fns *fns);
+#define IMPLEMENT_DYNAMIC_BIND_FN(fn) \
+        int bind_engine(ENGINE *e, const char *id, const dynamic_fns *fns) { \
+                if(!CRYPTO_set_mem_functions(fns->mem_fns.malloc_cb, \
+                        fns->mem_fns.realloc_cb, fns->mem_fns.free_cb)) \
+                        return 0; \
+                CRYPTO_set_locking_callback(fns->lock_fns.lock_locking_cb); \
+                CRYPTO_set_add_lock_callback(fns->lock_fns.lock_add_lock_cb); \
+                CRYPTO_set_dynlock_create_callback(fns->lock_fns.dynlock_create_cb); \
+                CRYPTO_set_dynlock_lock_callback(fns->lock_fns.dynlock_lock_cb); \
+                CRYPTO_set_dynlock_destroy_callback(fns->lock_fns.dynlock_destroy_cb); \
+                if(!CRYPTO_set_ex_data_implementation(fns->ex_data_fns)) \
+                        return 0; \
+                if(!ERR_set_implementation(fns->err_fns)) return 0; \
+                if(!fn(e,id)) return 0; \
+                return 1; }
 
 /* BEGIN ERROR CODES */
 /* The following lines are auto generated by the script mkerr.pl. Any changes
  * made after this point may be overwritten when the script is next run.
  */
+void ERR_load_ENGINE_strings(void);
 
 /* Error codes for the ENGINE functions. */
 
 /* Function codes. */
-#define ENGINE_F_ATALLA_FINISH                           135
-#define ENGINE_F_ATALLA_INIT                             136
-#define ENGINE_F_ATALLA_MOD_EXP                          137
-#define ENGINE_F_ATALLA_RSA_MOD_EXP                      138
-#define ENGINE_F_CSWIFT_DSA_SIGN                         133
-#define ENGINE_F_CSWIFT_DSA_VERIFY                       134
-#define ENGINE_F_CSWIFT_FINISH                           100
-#define ENGINE_F_CSWIFT_INIT                             101
-#define ENGINE_F_CSWIFT_MOD_EXP                          102
-#define ENGINE_F_CSWIFT_MOD_EXP_CRT                      103
-#define ENGINE_F_CSWIFT_RSA_MOD_EXP                      104
+#define ENGINE_F_DYNAMIC_CTRL                            180
+#define ENGINE_F_DYNAMIC_GET_DATA_CTX                    181
+#define ENGINE_F_DYNAMIC_LOAD                            182
 #define ENGINE_F_ENGINE_ADD                              105
 #define ENGINE_F_ENGINE_BY_ID                            106
+#define ENGINE_F_ENGINE_CMD_IS_EXECUTABLE                170
 #define ENGINE_F_ENGINE_CTRL                             142
+#define ENGINE_F_ENGINE_CTRL_CMD                         178
+#define ENGINE_F_ENGINE_CTRL_CMD_STRING                  171
 #define ENGINE_F_ENGINE_FINISH                           107
 #define ENGINE_F_ENGINE_FREE                             108
-#define ENGINE_F_ENGINE_GET_BN_MOD_EXP                   109
-#define ENGINE_F_ENGINE_GET_BN_MOD_EXP_CRT               110
-#define ENGINE_F_ENGINE_GET_CTRL_FUNCTION                144
-#define ENGINE_F_ENGINE_GET_DH                           111
-#define ENGINE_F_ENGINE_GET_DSA                          112
-#define ENGINE_F_ENGINE_GET_FINISH_FUNCTION              145
-#define ENGINE_F_ENGINE_GET_ID                           113
-#define ENGINE_F_ENGINE_GET_INIT_FUNCTION                146
-#define ENGINE_F_ENGINE_GET_NAME                         114
+#define ENGINE_F_ENGINE_GET_CIPHER                       185
+#define ENGINE_F_ENGINE_GET_DEFAULT_TYPE                 177
+#define ENGINE_F_ENGINE_GET_DIGEST                       186
 #define ENGINE_F_ENGINE_GET_NEXT                         115
 #define ENGINE_F_ENGINE_GET_PREV                         116
-#define ENGINE_F_ENGINE_GET_RAND                         117
-#define ENGINE_F_ENGINE_GET_RSA                          118
 #define ENGINE_F_ENGINE_INIT                             119
 #define ENGINE_F_ENGINE_LIST_ADD                         120
 #define ENGINE_F_ENGINE_LIST_REMOVE                      121
 #define ENGINE_F_ENGINE_LOAD_PRIVATE_KEY                 150
 #define ENGINE_F_ENGINE_LOAD_PUBLIC_KEY                  151
+#define ENGINE_F_ENGINE_MODULE_INIT                      187
 #define ENGINE_F_ENGINE_NEW                              122
 #define ENGINE_F_ENGINE_REMOVE                           123
-#define ENGINE_F_ENGINE_SET_BN_MOD_EXP                   124
-#define ENGINE_F_ENGINE_SET_BN_MOD_EXP_CRT               125
-#define ENGINE_F_ENGINE_SET_CTRL_FUNCTION                147
+#define ENGINE_F_ENGINE_SET_DEFAULT_STRING               189
 #define ENGINE_F_ENGINE_SET_DEFAULT_TYPE                 126
-#define ENGINE_F_ENGINE_SET_DH                           127
-#define ENGINE_F_ENGINE_SET_DSA                          128
-#define ENGINE_F_ENGINE_SET_FINISH_FUNCTION              148
 #define ENGINE_F_ENGINE_SET_ID                           129
-#define ENGINE_F_ENGINE_SET_INIT_FUNCTION                149
 #define ENGINE_F_ENGINE_SET_NAME                         130
-#define ENGINE_F_ENGINE_SET_RAND                         131
-#define ENGINE_F_ENGINE_SET_RSA                          132
+#define ENGINE_F_ENGINE_TABLE_REGISTER                   184
 #define ENGINE_F_ENGINE_UNLOAD_KEY                       152
-#define ENGINE_F_HWCRHK_CTRL                             143
-#define ENGINE_F_HWCRHK_FINISH                           135
-#define ENGINE_F_HWCRHK_GET_PASS                         155
-#define ENGINE_F_HWCRHK_INIT                             136
-#define ENGINE_F_HWCRHK_LOAD_PRIVKEY                     153
-#define ENGINE_F_HWCRHK_LOAD_PUBKEY                      154
-#define ENGINE_F_HWCRHK_MOD_EXP                          137
-#define ENGINE_F_HWCRHK_MOD_EXP_CRT                      138
-#define ENGINE_F_HWCRHK_RAND_BYTES                       139
-#define ENGINE_F_HWCRHK_RSA_MOD_EXP                      140
+#define ENGINE_F_INT_CTRL_HELPER                         172
+#define ENGINE_F_INT_ENGINE_CONFIGURE                    188
 #define ENGINE_F_LOG_MESSAGE                             141
+#define ENGINE_F_SET_DATA_CTX                            183
 
 /* Reason codes. */
 #define ENGINE_R_ALREADY_LOADED                          100
-#define ENGINE_R_BIO_WAS_FREED                           121
-#define ENGINE_R_BN_CTX_FULL                             101
-#define ENGINE_R_BN_EXPAND_FAIL                          102
-#define ENGINE_R_CHIL_ERROR                              123
+#define ENGINE_R_ARGUMENT_IS_NOT_A_NUMBER                133
+#define ENGINE_R_CMD_NOT_EXECUTABLE                      134
+#define ENGINE_R_COMMAND_TAKES_INPUT                     135
+#define ENGINE_R_COMMAND_TAKES_NO_INPUT                  136
 #define ENGINE_R_CONFLICTING_ENGINE_ID                   103
 #define ENGINE_R_CTRL_COMMAND_NOT_IMPLEMENTED            119
+#define ENGINE_R_DH_NOT_IMPLEMENTED                      139
+#define ENGINE_R_DSA_NOT_IMPLEMENTED                     140
 #define ENGINE_R_DSO_FAILURE                             104
+#define ENGINE_R_DSO_NOT_FOUND                           132
+#define ENGINE_R_ENGINES_SECTION_ERROR                   148
 #define ENGINE_R_ENGINE_IS_NOT_IN_LIST                   105
+#define ENGINE_R_ENGINE_SECTION_ERROR                    149
 #define ENGINE_R_FAILED_LOADING_PRIVATE_KEY              128
 #define ENGINE_R_FAILED_LOADING_PUBLIC_KEY               129
 #define ENGINE_R_FINISH_FAILED                           106
@@ -375,24 +692,26 @@ void ERR_load_ENGINE_strings(void);
 #define ENGINE_R_ID_OR_NAME_MISSING                      108
 #define ENGINE_R_INIT_FAILED                             109
 #define ENGINE_R_INTERNAL_LIST_ERROR                     110
-#define ENGINE_R_MISSING_KEY_COMPONENTS                  111
+#define ENGINE_R_INVALID_ARGUMENT                        143
+#define ENGINE_R_INVALID_CMD_NAME                        137
+#define ENGINE_R_INVALID_CMD_NUMBER                      138
+#define ENGINE_R_INVALID_INIT_VALUE                      151
+#define ENGINE_R_INVALID_STRING                          150
 #define ENGINE_R_NOT_INITIALISED                         117
 #define ENGINE_R_NOT_LOADED                              112
-#define ENGINE_R_NO_CALLBACK                             127
 #define ENGINE_R_NO_CONTROL_FUNCTION                     120
-#define ENGINE_R_NO_KEY                                  124
+#define ENGINE_R_NO_INDEX                                144
 #define ENGINE_R_NO_LOAD_FUNCTION                        125
 #define ENGINE_R_NO_REFERENCE                            130
 #define ENGINE_R_NO_SUCH_ENGINE                          116
 #define ENGINE_R_NO_UNLOAD_FUNCTION                      126
 #define ENGINE_R_PROVIDE_PARAMETERS                      113
-#define ENGINE_R_REQUEST_FAILED                          114
-#define ENGINE_R_REQUEST_FALLBACK                        118
-#define ENGINE_R_SIZE_TOO_LARGE_OR_TOO_SMALL             122
-#define ENGINE_R_UNIT_FAILURE                            115
+#define ENGINE_R_RSA_NOT_IMPLEMENTED                     141
+#define ENGINE_R_UNIMPLEMENTED_CIPHER                    146
+#define ENGINE_R_UNIMPLEMENTED_DIGEST                    147
+#define ENGINE_R_VERSION_INCOMPATIBILITY                 145
 
 #ifdef  __cplusplus
 }
 #endif
 #endif
-
diff --git a/src/lib/libcrypto/engine/enginetest.c b/src/lib/libcrypto/engine/enginetest.c
index a5a3c47fcb..87fa8c57b7 100644
--- a/src/lib/libcrypto/engine/enginetest.c
+++ b/src/lib/libcrypto/engine/enginetest.c
@@ -3,7 +3,7 @@
  * project 2000.
  */
 /* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2001 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -56,8 +56,11 @@
  *
  */
 
+#include <openssl/e_os2.h>
 #include <stdio.h>
 #include <string.h>
+#include <openssl/buffer.h>
+#include <openssl/crypto.h>
 #include <openssl/engine.h>
 #include <openssl/err.h>
 
@@ -76,6 +79,9 @@ static void display_engine_list()
                 h = ENGINE_get_next(h);
                 }
         printf("end of list\n");
+        /* ENGINE_get_first() increases the struct_ref counter, so we 
+           must call ENGINE_free() to decrease it again */
+        ENGINE_free(h);
         }
 
 int main(int argc, char *argv[])
@@ -91,6 +97,18 @@ int main(int argc, char *argv[])
         ENGINE *new_h3 = NULL;
         ENGINE *new_h4 = NULL;
 
+        /* enable memory leak checking unless explicitly disabled */
+        if (!((getenv("OPENSSL_DEBUG_MEMORY") != NULL) && (0 == strcmp(getenv("OPENSSL_DEBUG_MEMORY"), "off"))))
+                {
+                CRYPTO_malloc_debug_init();
+                CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL);
+                }
+        else
+                {
+                /* OPENSSL_DEBUG_MEMORY=off */
+                CRYPTO_set_mem_debug_functions(0, 0, 0, 0, 0);
+                }
+        CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
         ERR_load_crypto_strings();
 
         memset(block, 0, 512 * sizeof(ENGINE *));
@@ -124,6 +142,8 @@ int main(int argc, char *argv[])
                 printf("Remove failed!\n");
                 goto end;
                 }
+        if (ptr)
+                ENGINE_free(ptr);
         display_engine_list();
         if(!ENGINE_add(new_h3) || !ENGINE_add(new_h2))
                 {
@@ -158,12 +178,7 @@ int main(int argc, char *argv[])
                 }
         else
                 printf("Remove that should fail did.\n");
-        if(!ENGINE_remove(new_h1))
-                {
-                printf("Remove failed!\n");
-                goto end;
-                }
-        display_engine_list();
+        ERR_clear_error();
         if(!ENGINE_remove(new_h3))
                 {
                 printf("Remove failed!\n");
@@ -183,6 +198,8 @@ int main(int argc, char *argv[])
                 if(!ENGINE_remove(ptr))
                         printf("Remove failed!i - probably no hardware "
                                 "support present.\n");
+        if (ptr)
+                ENGINE_free(ptr);
         display_engine_list();
         if(!ENGINE_add(new_h1) || !ENGINE_remove(new_h1))
                 {
@@ -195,9 +212,9 @@ int main(int argc, char *argv[])
         for(loop = 0; loop < 512; loop++)
                 {
                 sprintf(buf, "id%i", loop);
-                id = strdup(buf);
+                id = BUF_strdup(buf);
                 sprintf(buf, "Fake engine type %i", loop);
-                name = strdup(buf);
+                name = BUF_strdup(buf);
                 if(((block[loop] = ENGINE_new()) == NULL) ||
                                 !ENGINE_set_id(block[loop], id) ||
                                 !ENGINE_set_name(block[loop], name))
@@ -228,12 +245,13 @@ cleanup_loop:
                         printf("\nRemove failed!\n");
                         goto end;
                         }
+                ENGINE_free(ptr);
                 printf("."); fflush(stdout);
                 }
         for(loop = 0; loop < 512; loop++)
                 {
-                free((char *)(ENGINE_get_id(block[loop])));
-                free((char *)(ENGINE_get_name(block[loop])));
+                OPENSSL_free((void *)ENGINE_get_id(block[loop]));
+                OPENSSL_free((void *)ENGINE_get_name(block[loop]));
                 }
         printf("\nTests completed happily\n");
         to_return = 0;
@@ -247,5 +265,10 @@ end:
         for(loop = 0; loop < 512; loop++)
                 if(block[loop])
                         ENGINE_free(block[loop]);
+        ENGINE_cleanup();
+        CRYPTO_cleanup_all_ex_data();
+        ERR_free_strings();
+        ERR_remove_state(0);
+        CRYPTO_mem_leaks_fp(stderr);
         return to_return;
         }
diff --git a/src/lib/libcrypto/engine/hw.ec b/src/lib/libcrypto/engine/hw.ec
new file mode 100644
index 0000000000..5481a43918
--- /dev/null
+++ b/src/lib/libcrypto/engine/hw.ec
@@ -0,0 +1,8 @@
+L AEPHK         hw_aep_err.h                    hw_aep_err.c
+L ATALLA        hw_atalla_err.h                 hw_atalla_err.c
+L CSWIFT        hw_cswift_err.h                 hw_cswift_err.c
+L HWCRHK        hw_ncipher_err.h                hw_ncipher_err.c
+L NURON         hw_nuron_err.h                  hw_nuron_err.c
+L SUREWARE      hw_sureware_err.h               hw_sureware_err.c
+L UBSEC         hw_ubsec_err.h                  hw_ubsec_err.c
+L CCA4758       hw_4758_cca_err.h               hw_4758_cca_err.c
diff --git a/src/lib/libcrypto/engine/hw_4758_cca.c b/src/lib/libcrypto/engine/hw_4758_cca.c
new file mode 100644
index 0000000000..959d8f1a61
--- /dev/null
+++ b/src/lib/libcrypto/engine/hw_4758_cca.c
@@ -0,0 +1,950 @@
+/* Author: Maurice Gittens <maurice@gittens.nl>                       */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <openssl/crypto.h>
+/* #include <openssl/pem.h> */
+#include "cryptlib.h"
+#include <openssl/dso.h>
+#include <openssl/x509.h>
+#include <openssl/objects.h>
+#include <openssl/engine.h>
+
+#ifndef OPENSSL_NO_HW
+#ifndef OPENSSL_NO_HW_4758_CCA
+
+#ifdef FLAT_INC
+#include "hw_4758_cca.h"
+#else
+#include "vendor_defns/hw_4758_cca.h"
+#endif
+
+#include "hw_4758_cca_err.c"
+
+static int ibm_4758_cca_destroy(ENGINE *e);
+static int ibm_4758_cca_init(ENGINE *e);
+static int ibm_4758_cca_finish(ENGINE *e);
+static int ibm_4758_cca_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)());
+
+/* rsa functions */
+/*---------------*/
+#ifndef OPENSSL_NO_RSA
+static int cca_rsa_pub_enc(int flen, const unsigned char *from,
+                unsigned char *to, RSA *rsa,int padding);
+static int cca_rsa_priv_dec(int flen, const unsigned char *from,
+                unsigned char *to, RSA *rsa,int padding);
+static int cca_rsa_sign(int type, const unsigned char *m, unsigned int m_len,
+                unsigned char *sigret, unsigned int *siglen, const RSA *rsa);
+static int cca_rsa_verify(int dtype, const unsigned char *m, unsigned int m_len,
+                unsigned char *sigbuf, unsigned int siglen, const RSA *rsa);
+
+/* utility functions */
+/*-----------------------*/
+static EVP_PKEY *ibm_4758_load_privkey(ENGINE*, const char*,
+                UI_METHOD *ui_method, void *callback_data);
+static EVP_PKEY *ibm_4758_load_pubkey(ENGINE*, const char*,
+                UI_METHOD *ui_method, void *callback_data);
+
+static int getModulusAndExponent(const unsigned char *token, long *exponentLength,
+                unsigned char *exponent, long *modulusLength,
+                long *modulusFieldLength, unsigned char *modulus);
+#endif
+
+/* RAND number functions */
+/*-----------------------*/
+static int cca_get_random_bytes(unsigned char*, int );
+static int cca_random_status(void);
+
+static void cca_ex_free(void *obj, void *item, CRYPTO_EX_DATA *ad,
+                int idx,long argl, void *argp);
+
+/* Function pointers for CCA verbs */
+/*---------------------------------*/
+#ifndef OPENSSL_NO_RSA
+static F_KEYRECORDREAD keyRecordRead;
+static F_DIGITALSIGNATUREGENERATE digitalSignatureGenerate;
+static F_DIGITALSIGNATUREVERIFY digitalSignatureVerify;
+static F_PUBLICKEYEXTRACT publicKeyExtract;
+static F_PKAENCRYPT pkaEncrypt;
+static F_PKADECRYPT pkaDecrypt;
+#endif
+static F_RANDOMNUMBERGENERATE randomNumberGenerate;
+
+/* static variables */
+/*------------------*/
+static const char def_CCA4758_LIB_NAME[] = CCA_LIB_NAME;
+static const char *CCA4758_LIB_NAME = def_CCA4758_LIB_NAME;
+#ifndef OPENSSL_NO_RSA
+static const char* n_keyRecordRead = CSNDKRR;
+static const char* n_digitalSignatureGenerate = CSNDDSG;
+static const char* n_digitalSignatureVerify = CSNDDSV;
+static const char* n_publicKeyExtract = CSNDPKX;
+static const char* n_pkaEncrypt = CSNDPKE;
+static const char* n_pkaDecrypt = CSNDPKD;
+#endif
+static const char* n_randomNumberGenerate = CSNBRNG;
+
+static int hndidx = -1;
+static DSO *dso = NULL;
+
+/* openssl engine initialization structures */
+/*------------------------------------------*/
+
+#define CCA4758_CMD_SO_PATH             ENGINE_CMD_BASE
+static const ENGINE_CMD_DEFN    cca4758_cmd_defns[] = {
+        {CCA4758_CMD_SO_PATH,
+                "SO_PATH",
+                "Specifies the path to the '4758cca' shared library",
+                ENGINE_CMD_FLAG_STRING},
+        {0, NULL, NULL, 0}
+        };
+
+#ifndef OPENSSL_NO_RSA
+static RSA_METHOD ibm_4758_cca_rsa =
+        {
+        "IBM 4758 CCA RSA method",
+        cca_rsa_pub_enc,
+        NULL,
+        NULL,
+        cca_rsa_priv_dec,
+        NULL, /*rsa_mod_exp,*/
+        NULL, /*mod_exp_mont,*/
+        NULL, /* init */
+        NULL, /* finish */
+        RSA_FLAG_SIGN_VER,        /* flags */
+        NULL, /* app_data */
+        cca_rsa_sign, /* rsa_sign */
+        cca_rsa_verify  /* rsa_verify */
+        };
+#endif
+
+static RAND_METHOD ibm_4758_cca_rand =
+        {
+        /* "IBM 4758 RAND method", */
+        NULL, /* seed */
+        cca_get_random_bytes, /* get random bytes from the card */
+        NULL, /* cleanup */
+        NULL, /* add */
+        cca_get_random_bytes, /* pseudo rand */
+        cca_random_status, /* status */
+        };
+
+static const char *engine_4758_cca_id = "4758cca";
+static const char *engine_4758_cca_name = "IBM 4758 CCA hardware engine support";
+
+/* engine implementation */
+/*-----------------------*/
+static int bind_helper(ENGINE *e)
+        {
+        if(!ENGINE_set_id(e, engine_4758_cca_id) ||
+                        !ENGINE_set_name(e, engine_4758_cca_name) ||
+#ifndef OPENSSL_NO_RSA
+                        !ENGINE_set_RSA(e, &ibm_4758_cca_rsa) ||
+#endif
+                        !ENGINE_set_RAND(e, &ibm_4758_cca_rand) ||
+                        !ENGINE_set_destroy_function(e, ibm_4758_cca_destroy) ||
+                        !ENGINE_set_init_function(e, ibm_4758_cca_init) ||
+                        !ENGINE_set_finish_function(e, ibm_4758_cca_finish) ||
+                        !ENGINE_set_ctrl_function(e, ibm_4758_cca_ctrl) ||
+                        !ENGINE_set_load_privkey_function(e, ibm_4758_load_privkey) ||
+                        !ENGINE_set_load_pubkey_function(e, ibm_4758_load_pubkey) ||
+                        !ENGINE_set_cmd_defns(e, cca4758_cmd_defns))
+                return 0;
+        /* Ensure the error handling is set up */
+        ERR_load_CCA4758_strings();
+        return 1;
+        }
+
+static ENGINE *engine_4758_cca(void)
+        {
+        ENGINE *ret = ENGINE_new();
+        if(!ret)
+                return NULL;
+        if(!bind_helper(ret))
+                {
+                ENGINE_free(ret);
+                return NULL;
+                }
+        return ret;
+        }
+
+void ENGINE_load_4758cca(void)
+        {
+        ENGINE *e_4758 = engine_4758_cca();
+        if (!e_4758) return;
+        ENGINE_add(e_4758);
+        ENGINE_free(e_4758);
+        ERR_clear_error();   
+        }
+
+static int ibm_4758_cca_destroy(ENGINE *e)
+        {
+        ERR_unload_CCA4758_strings();
+        return 1;
+        }
+
+static int ibm_4758_cca_init(ENGINE *e)
+        {
+        if(dso)
+                {
+                CCA4758err(CCA4758_F_IBM_4758_CCA_INIT,CCA4758_R_ALREADY_LOADED);
+                goto err;
+                }
+
+        dso = DSO_load(NULL, CCA4758_LIB_NAME , NULL, 0);
+        if(!dso)
+                {
+                CCA4758err(CCA4758_F_IBM_4758_CCA_INIT,CCA4758_R_DSO_FAILURE);
+                goto err;
+                }
+
+#ifndef OPENSSL_NO_RSA
+        if(!(keyRecordRead = (F_KEYRECORDREAD)
+                                DSO_bind_func(dso, n_keyRecordRead)) ||
+                        !(randomNumberGenerate = (F_RANDOMNUMBERGENERATE)
+                                DSO_bind_func(dso, n_randomNumberGenerate)) ||
+                        !(digitalSignatureGenerate = (F_DIGITALSIGNATUREGENERATE)
+                                DSO_bind_func(dso, n_digitalSignatureGenerate)) ||
+                        !(digitalSignatureVerify = (F_DIGITALSIGNATUREVERIFY)
+                                DSO_bind_func(dso, n_digitalSignatureVerify)) ||
+                        !(publicKeyExtract = (F_PUBLICKEYEXTRACT)
+                                DSO_bind_func(dso, n_publicKeyExtract)) ||
+                        !(pkaEncrypt = (F_PKAENCRYPT)
+                                DSO_bind_func(dso, n_pkaEncrypt)) ||
+                        !(pkaDecrypt = (F_PKADECRYPT)
+                                DSO_bind_func(dso, n_pkaDecrypt)))
+                {
+                CCA4758err(CCA4758_F_IBM_4758_CCA_INIT,CCA4758_R_DSO_FAILURE);
+                goto err;
+                }
+#else
+        if(!(randomNumberGenerate = (F_RANDOMNUMBERGENERATE)
+                                DSO_bind_func(dso, n_randomNumberGenerate)))
+                {
+                CCA4758err(CCA4758_F_IBM_4758_CCA_INIT,CCA4758_R_DSO_FAILURE);
+                goto err;
+                }
+#endif
+
+        hndidx = RSA_get_ex_new_index(0, "IBM 4758 CCA RSA key handle",
+                NULL, NULL, cca_ex_free);
+
+        return 1;
+err:
+        if(dso)
+                DSO_free(dso);
+        dso = NULL;
+
+        keyRecordRead = (F_KEYRECORDREAD)NULL;
+        randomNumberGenerate = (F_RANDOMNUMBERGENERATE)NULL;
+        digitalSignatureGenerate = (F_DIGITALSIGNATUREGENERATE)NULL;
+        digitalSignatureVerify = (F_DIGITALSIGNATUREVERIFY)NULL;
+        publicKeyExtract = (F_PUBLICKEYEXTRACT)NULL;
+        pkaEncrypt = (F_PKAENCRYPT)NULL;
+        pkaDecrypt = (F_PKADECRYPT)NULL;
+        return 0;
+        }
+
+static int ibm_4758_cca_finish(ENGINE *e)
+        {
+        if(dso)
+                {
+                CCA4758err(CCA4758_F_IBM_4758_CCA_FINISH,
+                                CCA4758_R_NOT_LOADED);
+                return 0;
+                }
+        if(!DSO_free(dso))
+                {
+                CCA4758err(CCA4758_F_IBM_4758_CCA_FINISH,
+                                CCA4758_R_UNIT_FAILURE);
+                return 0;
+                }
+        dso = NULL;
+        keyRecordRead = (F_KEYRECORDREAD)NULL;
+        randomNumberGenerate = (F_RANDOMNUMBERGENERATE)NULL;
+        digitalSignatureGenerate = (F_DIGITALSIGNATUREGENERATE)NULL;
+        digitalSignatureVerify = (F_DIGITALSIGNATUREVERIFY)NULL;
+        publicKeyExtract = (F_PUBLICKEYEXTRACT)NULL;
+        pkaEncrypt = (F_PKAENCRYPT)NULL;
+        pkaDecrypt = (F_PKADECRYPT)NULL;
+        return 1;
+        }
+
+static int ibm_4758_cca_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)())
+        {
+        int initialised = ((dso == NULL) ? 0 : 1);
+        switch(cmd)
+                {
+        case CCA4758_CMD_SO_PATH:
+                if(p == NULL)
+                        {
+                        CCA4758err(CCA4758_F_IBM_4758_CCA_CTRL,
+                                        ERR_R_PASSED_NULL_PARAMETER);
+                        return 0;
+                        }
+                if(initialised)
+                        {
+                        CCA4758err(CCA4758_F_IBM_4758_CCA_CTRL,
+                                        CCA4758_R_ALREADY_LOADED);
+                        return 0;
+                        }
+                CCA4758_LIB_NAME = (const char *)p;
+                return 1;
+        default:
+                break;
+                }
+        CCA4758err(CCA4758_F_IBM_4758_CCA_CTRL,
+                        CCA4758_R_COMMAND_NOT_IMPLEMENTED);
+        return 0;
+        }
+
+#ifndef OPENSSL_NO_RSA
+
+#define MAX_CCA_PKA_TOKEN_SIZE 2500
+
+static EVP_PKEY *ibm_4758_load_privkey(ENGINE* e, const char* key_id,
+                        UI_METHOD *ui_method, void *callback_data)
+        {
+        RSA *rtmp = NULL;
+        EVP_PKEY *res = NULL;
+        unsigned char* keyToken = NULL;
+        unsigned char pubKeyToken[MAX_CCA_PKA_TOKEN_SIZE];
+        long pubKeyTokenLength = MAX_CCA_PKA_TOKEN_SIZE;
+        long keyTokenLength = MAX_CCA_PKA_TOKEN_SIZE;
+        long returnCode;
+        long reasonCode;
+        long exitDataLength = 0;
+        long ruleArrayLength = 0;
+        unsigned char exitData[8];
+        unsigned char ruleArray[8];
+        unsigned char keyLabel[64];
+        long keyLabelLength = strlen(key_id);
+        unsigned char modulus[256];
+        long modulusFieldLength = sizeof(modulus);
+        long modulusLength = 0;
+        unsigned char exponent[256];
+        long exponentLength = sizeof(exponent);
+
+        if (keyLabelLength > sizeof(keyLabel))
+                {
+                CCA4758err(CCA4758_F_IBM_4758_CCA_LOAD_PRIVKEY,
+                CCA4758_R_SIZE_TOO_LARGE_OR_TOO_SMALL);
+                return NULL;
+                }
+
+        memset(keyLabel,' ', sizeof(keyLabel));
+        memcpy(keyLabel, key_id, keyLabelLength);
+
+        keyToken = OPENSSL_malloc(MAX_CCA_PKA_TOKEN_SIZE + sizeof(long));
+        if (!keyToken)
+                {
+                CCA4758err(CCA4758_F_IBM_4758_CCA_LOAD_PRIVKEY,
+                                ERR_R_MALLOC_FAILURE);
+                goto err;
+                }
+
+        keyRecordRead(&returnCode, &reasonCode, &exitDataLength,
+                exitData, &ruleArrayLength, ruleArray, keyLabel,
+                &keyTokenLength, keyToken+sizeof(long));
+
+        if (returnCode)
+                {
+                CCA4758err(CCA4758_F_IBM_4758_CCA_LOAD_PRIVKEY,
+                        CCA4758_R_FAILED_LOADING_PRIVATE_KEY);
+                goto err;
+                }
+
+        publicKeyExtract(&returnCode, &reasonCode, &exitDataLength,
+                exitData, &ruleArrayLength, ruleArray, &keyTokenLength,
+                keyToken+sizeof(long), &pubKeyTokenLength, pubKeyToken);
+
+        if (returnCode)
+                {
+                CCA4758err(CCA4758_F_IBM_4758_CCA_LOAD_PRIVKEY,
+                        CCA4758_R_FAILED_LOADING_PRIVATE_KEY);
+                goto err;
+                }
+
+        if (!getModulusAndExponent(pubKeyToken, &exponentLength,
+                        exponent, &modulusLength, &modulusFieldLength,
+                        modulus))
+                {
+                CCA4758err(CCA4758_F_IBM_4758_CCA_LOAD_PRIVKEY,
+                        CCA4758_R_FAILED_LOADING_PRIVATE_KEY);
+                goto err;
+                }
+
+        (*(long*)keyToken) = keyTokenLength;
+        rtmp = RSA_new_method(e);
+        RSA_set_ex_data(rtmp, hndidx, (char *)keyToken);
+
+        rtmp->e = BN_bin2bn(exponent, exponentLength, NULL);
+        rtmp->n = BN_bin2bn(modulus, modulusFieldLength, NULL);
+        rtmp->flags |= RSA_FLAG_EXT_PKEY;
+
+        res = EVP_PKEY_new();
+        EVP_PKEY_assign_RSA(res, rtmp);
+
+        return res;
+err:
+        if (keyToken)
+                OPENSSL_free(keyToken);
+        if (res)
+                EVP_PKEY_free(res);
+        if (rtmp)
+                RSA_free(rtmp);
+        return NULL;
+        }
+
+static EVP_PKEY *ibm_4758_load_pubkey(ENGINE* e, const char* key_id,
+                        UI_METHOD *ui_method, void *callback_data)
+        {
+        RSA *rtmp = NULL;
+        EVP_PKEY *res = NULL;
+        unsigned char* keyToken = NULL;
+        long keyTokenLength = MAX_CCA_PKA_TOKEN_SIZE;
+        long returnCode;
+        long reasonCode;
+        long exitDataLength = 0;
+        long ruleArrayLength = 0;
+        unsigned char exitData[8];
+        unsigned char ruleArray[8];
+        unsigned char keyLabel[64];
+        long keyLabelLength = strlen(key_id);
+        unsigned char modulus[512];
+        long modulusFieldLength = sizeof(modulus);
+        long modulusLength = 0;
+        unsigned char exponent[512];
+        long exponentLength = sizeof(exponent);
+
+        if (keyLabelLength > sizeof(keyLabel))
+                {
+                CCA4758err(CCA4758_F_IBM_4758_CCA_LOAD_PRIVKEY,
+                        CCA4758_R_SIZE_TOO_LARGE_OR_TOO_SMALL);
+                return NULL;
+                }
+
+        memset(keyLabel,' ', sizeof(keyLabel));
+        memcpy(keyLabel, key_id, keyLabelLength);
+
+        keyToken = OPENSSL_malloc(MAX_CCA_PKA_TOKEN_SIZE + sizeof(long));
+        if (!keyToken)
+                {
+                CCA4758err(CCA4758_F_IBM_4758_CCA_LOAD_PUBKEY,
+                                ERR_R_MALLOC_FAILURE);
+                goto err;
+                }
+
+        keyRecordRead(&returnCode, &reasonCode, &exitDataLength, exitData,
+                &ruleArrayLength, ruleArray, keyLabel, &keyTokenLength,
+                keyToken+sizeof(long));
+
+        if (returnCode)
+                {
+                CCA4758err(CCA4758_F_IBM_4758_CCA_LOAD_PRIVKEY,
+                                ERR_R_MALLOC_FAILURE);
+                goto err;
+                }
+
+        if (!getModulusAndExponent(keyToken+sizeof(long), &exponentLength,
+                        exponent, &modulusLength, &modulusFieldLength, modulus))
+                {
+                CCA4758err(CCA4758_F_IBM_4758_CCA_LOAD_PRIVKEY,
+                        CCA4758_R_FAILED_LOADING_PUBLIC_KEY);
+                goto err;
+                }
+
+        (*(long*)keyToken) = keyTokenLength;
+        rtmp = RSA_new_method(e);
+        RSA_set_ex_data(rtmp, hndidx, (char *)keyToken);
+        rtmp->e = BN_bin2bn(exponent, exponentLength, NULL);
+        rtmp->n = BN_bin2bn(modulus, modulusFieldLength, NULL);
+        rtmp->flags |= RSA_FLAG_EXT_PKEY;
+        res = EVP_PKEY_new();
+        EVP_PKEY_assign_RSA(res, rtmp);
+
+        return res;
+err:
+        if (keyToken)
+                OPENSSL_free(keyToken);
+        if (res)
+                EVP_PKEY_free(res);
+        if (rtmp)
+                RSA_free(rtmp);
+        return NULL;
+        }
+
+static int cca_rsa_pub_enc(int flen, const unsigned char *from,
+                        unsigned char *to, RSA *rsa,int padding)
+        {
+        long returnCode;
+        long reasonCode;
+        long lflen = flen;
+        long exitDataLength = 0;
+        unsigned char exitData[8];
+        long ruleArrayLength = 1;
+        unsigned char ruleArray[8] = "PKCS-1.2";
+        long dataStructureLength = 0;
+        unsigned char dataStructure[8];
+        long outputLength = RSA_size(rsa);
+        long keyTokenLength;
+        unsigned char* keyToken = (unsigned char*)RSA_get_ex_data(rsa, hndidx);
+
+        keyTokenLength = *(long*)keyToken;
+        keyToken+=sizeof(long);
+
+        pkaEncrypt(&returnCode, &reasonCode, &exitDataLength, exitData,
+                &ruleArrayLength, ruleArray, &lflen, (unsigned char*)from,
+                &dataStructureLength, dataStructure, &keyTokenLength,
+                keyToken, &outputLength, to);
+
+        if (returnCode || reasonCode)
+                return -(returnCode << 16 | reasonCode);
+        return outputLength;
+        }
+
+static int cca_rsa_priv_dec(int flen, const unsigned char *from,
+                        unsigned char *to, RSA *rsa,int padding)
+        {
+        long returnCode;
+        long reasonCode;
+        long lflen = flen;
+        long exitDataLength = 0;
+        unsigned char exitData[8];
+        long ruleArrayLength = 1;
+        unsigned char ruleArray[8] = "PKCS-1.2";
+        long dataStructureLength = 0;
+        unsigned char dataStructure[8];
+        long outputLength = RSA_size(rsa);
+        long keyTokenLength;
+        unsigned char* keyToken = (unsigned char*)RSA_get_ex_data(rsa, hndidx);
+
+        keyTokenLength = *(long*)keyToken;
+        keyToken+=sizeof(long);
+
+        pkaDecrypt(&returnCode, &reasonCode, &exitDataLength, exitData,
+                &ruleArrayLength, ruleArray, &lflen, (unsigned char*)from,
+                &dataStructureLength, dataStructure, &keyTokenLength,
+                keyToken, &outputLength, to);
+
+        return (returnCode | reasonCode) ? 0 : 1;
+        }
+
+#define SSL_SIG_LEN 36
+
+static int cca_rsa_verify(int type, const unsigned char *m, unsigned int m_len,
+                unsigned char *sigbuf, unsigned int siglen, const RSA *rsa)
+        {
+        long returnCode;
+        long reasonCode;
+        long lsiglen = siglen;
+        long exitDataLength = 0;
+        unsigned char exitData[8];
+        long ruleArrayLength = 1;
+        unsigned char ruleArray[8] = "PKCS-1.1";
+        long keyTokenLength;
+        unsigned char* keyToken = (unsigned char*)RSA_get_ex_data(rsa, hndidx);
+        long length = SSL_SIG_LEN;
+        long keyLength ;
+        unsigned char *hashBuffer = NULL;
+        X509_SIG sig;
+        ASN1_TYPE parameter;
+        X509_ALGOR algorithm;
+        ASN1_OCTET_STRING digest;
+
+        keyTokenLength = *(long*)keyToken;
+        keyToken+=sizeof(long);
+
+        if (type == NID_md5 || type == NID_sha1)
+                {
+                sig.algor = &algorithm;
+                algorithm.algorithm = OBJ_nid2obj(type);
+
+                if (!algorithm.algorithm)
+                        {
+                        CCA4758err(CCA4758_F_IBM_4758_CCA_VERIFY,
+                                CCA4758_R_UNKNOWN_ALGORITHM_TYPE);
+                        return 0;
+                        }
+
+                if (!algorithm.algorithm->length)
+                        {
+                        CCA4758err(CCA4758_F_IBM_4758_CCA_VERIFY,
+                                CCA4758_R_ASN1_OID_UNKNOWN_FOR_MD);
+                        return 0;
+                        }
+
+                parameter.type = V_ASN1_NULL;
+                parameter.value.ptr = NULL;
+                algorithm.parameter = &parameter;
+
+                sig.digest = &digest;
+                sig.digest->data = (unsigned char*)m;
+                sig.digest->length = m_len;
+
+                length = i2d_X509_SIG(&sig, NULL);
+                }
+
+        keyLength = RSA_size(rsa);
+
+        if (length - RSA_PKCS1_PADDING > keyLength)
+                {
+                CCA4758err(CCA4758_F_IBM_4758_CCA_VERIFY,
+                        CCA4758_R_SIZE_TOO_LARGE_OR_TOO_SMALL);
+                return 0;
+                }
+
+        switch (type)
+                {
+                case NID_md5_sha1 :
+                        if (m_len != SSL_SIG_LEN)
+                                {
+                                CCA4758err(CCA4758_F_IBM_4758_CCA_VERIFY,
+                                CCA4758_R_SIZE_TOO_LARGE_OR_TOO_SMALL);
+                                return 0;
+                                }
+
+                        hashBuffer = (unsigned char *)m;
+                        length = m_len;
+                        break;
+                case NID_md5 :
+                        {
+                        unsigned char *ptr;
+                        ptr = hashBuffer = OPENSSL_malloc(
+                                        (unsigned int)keyLength+1);
+                        if (!hashBuffer)
+                                {
+                                CCA4758err(CCA4758_F_IBM_4758_CCA_VERIFY,
+                                                ERR_R_MALLOC_FAILURE);
+                                return 0;
+                                }
+
+                        i2d_X509_SIG(&sig, &ptr);
+                        }
+                        break;
+                case NID_sha1 :
+                        {
+                        unsigned char *ptr;
+                        ptr = hashBuffer = OPENSSL_malloc(
+                                        (unsigned int)keyLength+1);
+                        if (!hashBuffer)
+                                {
+                                CCA4758err(CCA4758_F_IBM_4758_CCA_VERIFY,
+                                                ERR_R_MALLOC_FAILURE);
+                                return 0;
+                                }
+                        i2d_X509_SIG(&sig, &ptr);
+                        }
+                        break;
+                default:
+                        return 0;
+                }
+
+        digitalSignatureVerify(&returnCode, &reasonCode, &exitDataLength,
+                exitData, &ruleArrayLength, ruleArray, &keyTokenLength,
+                keyToken, &length, hashBuffer, &lsiglen, sigbuf);
+
+        if (type == NID_sha1 || type == NID_md5)
+                {
+                memset(hashBuffer, keyLength+1, 0);
+                OPENSSL_free(hashBuffer);
+                }
+
+        return ((returnCode || reasonCode) ? 0 : 1);
+        }
+
+#define SSL_SIG_LEN 36
+
+static int cca_rsa_sign(int type, const unsigned char *m, unsigned int m_len,
+                unsigned char *sigret, unsigned int *siglen, const RSA *rsa)
+        {
+        long returnCode;
+        long reasonCode;
+        long exitDataLength = 0;
+        unsigned char exitData[8];
+        long ruleArrayLength = 1;
+        unsigned char ruleArray[8] = "PKCS-1.1";
+        long outputLength=256;
+        long outputBitLength;
+        long keyTokenLength;
+        unsigned char *hashBuffer = NULL;
+        unsigned char* keyToken = (unsigned char*)RSA_get_ex_data(rsa, hndidx);
+        long length = SSL_SIG_LEN;
+        long keyLength ;
+        X509_SIG sig;
+        ASN1_TYPE parameter;
+        X509_ALGOR algorithm;
+        ASN1_OCTET_STRING digest;
+
+        keyTokenLength = *(long*)keyToken;
+        keyToken+=sizeof(long);
+
+        if (type == NID_md5 || type == NID_sha1)
+                {
+                sig.algor = &algorithm;
+                algorithm.algorithm = OBJ_nid2obj(type);
+
+                if (!algorithm.algorithm)
+                        {
+                        CCA4758err(CCA4758_F_IBM_4758_CCA_SIGN,
+                                CCA4758_R_UNKNOWN_ALGORITHM_TYPE);
+                        return 0;
+                        }
+
+                if (!algorithm.algorithm->length)
+                        {
+                        CCA4758err(CCA4758_F_IBM_4758_CCA_SIGN,
+                                CCA4758_R_ASN1_OID_UNKNOWN_FOR_MD);
+                        return 0;
+                        }
+
+                parameter.type = V_ASN1_NULL;
+                parameter.value.ptr = NULL;
+                algorithm.parameter = &parameter;
+
+                sig.digest = &digest;
+                sig.digest->data = (unsigned char*)m;
+                sig.digest->length = m_len;
+
+                length = i2d_X509_SIG(&sig, NULL);
+                }
+
+        keyLength = RSA_size(rsa);
+
+        if (length - RSA_PKCS1_PADDING > keyLength)
+                {
+                CCA4758err(CCA4758_F_IBM_4758_CCA_SIGN,
+                        CCA4758_R_SIZE_TOO_LARGE_OR_TOO_SMALL);
+                return 0;
+                }
+
+        switch (type)
+                {
+                case NID_md5_sha1 :
+                        if (m_len != SSL_SIG_LEN)
+                                {
+                                CCA4758err(CCA4758_F_IBM_4758_CCA_SIGN,
+                                CCA4758_R_SIZE_TOO_LARGE_OR_TOO_SMALL);
+                                return 0;
+                                }
+                        hashBuffer = (unsigned char*)m;
+                        length = m_len;
+                        break;
+                case NID_md5 :
+                        {
+                        unsigned char *ptr;
+                        ptr = hashBuffer = OPENSSL_malloc(
+                                        (unsigned int)keyLength+1);
+                        if (!hashBuffer)
+                                {
+                                CCA4758err(CCA4758_F_IBM_4758_CCA_VERIFY,
+                                                ERR_R_MALLOC_FAILURE);
+                                return 0;
+                                }
+                        i2d_X509_SIG(&sig, &ptr);
+                        }
+                        break;
+                case NID_sha1 :
+                        {
+                        unsigned char *ptr;
+                        ptr = hashBuffer = OPENSSL_malloc(
+                                        (unsigned int)keyLength+1);
+                        if (!hashBuffer)
+                                {
+                                CCA4758err(CCA4758_F_IBM_4758_CCA_VERIFY,
+                                                ERR_R_MALLOC_FAILURE);
+                                return 0;
+                                }
+                        i2d_X509_SIG(&sig, &ptr);
+                        }
+                        break;
+                default:
+                        return 0;
+                }
+
+        digitalSignatureGenerate(&returnCode, &reasonCode, &exitDataLength,
+                exitData, &ruleArrayLength, ruleArray, &keyTokenLength,
+                keyToken, &length, hashBuffer, &outputLength, &outputBitLength,
+                sigret);
+
+        if (type == NID_sha1 || type == NID_md5)
+                {
+                memset(hashBuffer, keyLength+1, 0);
+                OPENSSL_free(hashBuffer);
+                }
+
+        *siglen = outputLength;
+
+        return ((returnCode || reasonCode) ? 0 : 1);
+        }
+
+static int getModulusAndExponent(const unsigned char*token, long *exponentLength,
+                unsigned char *exponent, long *modulusLength, long *modulusFieldLength,
+                unsigned char *modulus)
+        {
+        unsigned long len;
+
+        if (*token++ != (char)0x1E) /* internal PKA token? */
+                return 0;
+
+        if (*token++) /* token version must be zero */
+                return 0;
+
+        len = *token++;
+        len = len << 8;
+        len |= (unsigned char)*token++;
+
+        token += 4; /* skip reserved bytes */
+
+        if (*token++ == (char)0x04)
+                {
+                if (*token++) /* token version must be zero */
+                        return 0;
+
+                len = *token++;
+                len = len << 8;
+                len |= (unsigned char)*token++;
+
+                token+=2; /* skip reserved section */
+
+                len = *token++;
+                len = len << 8;
+                len |= (unsigned char)*token++;
+
+                *exponentLength = len;
+
+                len = *token++;
+                len = len << 8;
+                len |= (unsigned char)*token++;
+
+                *modulusLength = len;
+
+                len = *token++;
+                len = len << 8;
+                len |= (unsigned char)*token++;
+
+                *modulusFieldLength = len;
+
+                memcpy(exponent, token, *exponentLength);
+                token+= *exponentLength;
+
+                memcpy(modulus, token, *modulusFieldLength);
+                return 1;
+                }
+        return 0;
+        }
+
+#endif /* OPENSSL_NO_RSA */
+
+static int cca_random_status(void)
+        {
+        return 1;
+        }
+
+static int cca_get_random_bytes(unsigned char* buf, int num)
+        {
+        long ret_code;
+        long reason_code;
+        long exit_data_length;
+        unsigned char exit_data[4];
+        unsigned char form[] = "RANDOM  ";
+        unsigned char rand_buf[8];
+
+        while(num >= sizeof(rand_buf))
+                {
+                randomNumberGenerate(&ret_code, &reason_code, &exit_data_length,
+                        exit_data, form, rand_buf);
+                if (ret_code)
+                        return 0;
+                num -= sizeof(rand_buf);
+                memcpy(buf, rand_buf, sizeof(rand_buf));
+                buf += sizeof(rand_buf);
+                }
+
+        if (num)
+                {
+                randomNumberGenerate(&ret_code, &reason_code, NULL, NULL,
+                        form, rand_buf);
+                if (ret_code)
+                        return 0;
+                memcpy(buf, rand_buf, num);
+                }
+
+        return 1;
+        }
+
+static void cca_ex_free(void *obj, void *item, CRYPTO_EX_DATA *ad, int idx,
+                long argl, void *argp)
+        {
+        if (item)
+                OPENSSL_free(item);
+        }
+
+/* Goo to handle building as a dynamic engine */
+#ifdef ENGINE_DYNAMIC_SUPPORT 
+static int bind_fn(ENGINE *e, const char *id)
+        {
+        if(id && (strcmp(id, engine_cswift_id) != 0))
+                return 0;
+        if(!bind_helper(e))
+                return 0;
+        return 1;
+        }       
+IMPLEMENT_DYNAMIC_CHECK_FN()
+IMPLEMENT_DYNAMIC_BIND_FN(bind_fn)
+#endif /* ENGINE_DYNAMIC_SUPPORT */
+
+#endif /* !OPENSSL_NO_HW_4758_CCA */
+#endif /* !OPENSSL_NO_HW */
diff --git a/src/lib/libcrypto/engine/hw_4758_cca_err.c b/src/lib/libcrypto/engine/hw_4758_cca_err.c
new file mode 100644
index 0000000000..7ea5c63707
--- /dev/null
+++ b/src/lib/libcrypto/engine/hw_4758_cca_err.c
@@ -0,0 +1,149 @@
+/* hw_4758_cca_err.c */
+/* ====================================================================
+ * Copyright (c) 1999-2002 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/* NOTE: this file was auto generated by the mkerr.pl script: any changes
+ * made to it will be overwritten when the script next updates this file,
+ * only reason strings will be preserved.
+ */
+
+#include <stdio.h>
+#include <openssl/err.h>
+#include "hw_4758_cca_err.h"
+
+/* BEGIN ERROR CODES */
+#ifndef OPENSSL_NO_ERR
+static ERR_STRING_DATA CCA4758_str_functs[]=
+        {
+{ERR_PACK(0,CCA4758_F_IBM_4758_CCA_CTRL,0),     "IBM_4758_CCA_CTRL"},
+{ERR_PACK(0,CCA4758_F_IBM_4758_CCA_FINISH,0),   "IBM_4758_CCA_FINISH"},
+{ERR_PACK(0,CCA4758_F_IBM_4758_CCA_INIT,0),     "IBM_4758_CCA_INIT"},
+{ERR_PACK(0,CCA4758_F_IBM_4758_CCA_LOAD_PRIVKEY,0),     "IBM_4758_CCA_LOAD_PRIVKEY"},
+{ERR_PACK(0,CCA4758_F_IBM_4758_CCA_LOAD_PUBKEY,0),      "IBM_4758_CCA_LOAD_PUBKEY"},
+{ERR_PACK(0,CCA4758_F_IBM_4758_CCA_SIGN,0),     "IBM_4758_CCA_SIGN"},
+{ERR_PACK(0,CCA4758_F_IBM_4758_CCA_VERIFY,0),   "IBM_4758_CCA_VERIFY"},
+{0,NULL}
+        };
+
+static ERR_STRING_DATA CCA4758_str_reasons[]=
+        {
+{CCA4758_R_ALREADY_LOADED                ,"already loaded"},
+{CCA4758_R_ASN1_OID_UNKNOWN_FOR_MD       ,"asn1 oid unknown for md"},
+{CCA4758_R_COMMAND_NOT_IMPLEMENTED       ,"command not implemented"},
+{CCA4758_R_DSO_FAILURE                   ,"dso failure"},
+{CCA4758_R_FAILED_LOADING_PRIVATE_KEY    ,"failed loading private key"},
+{CCA4758_R_FAILED_LOADING_PUBLIC_KEY     ,"failed loading public key"},
+{CCA4758_R_NOT_LOADED                    ,"not loaded"},
+{CCA4758_R_SIZE_TOO_LARGE_OR_TOO_SMALL   ,"size too large or too small"},
+{CCA4758_R_UNIT_FAILURE                  ,"unit failure"},
+{CCA4758_R_UNKNOWN_ALGORITHM_TYPE        ,"unknown algorithm type"},
+{0,NULL}
+        };
+
+#endif
+
+#ifdef CCA4758_LIB_NAME
+static ERR_STRING_DATA CCA4758_lib_name[]=
+        {
+{0      ,CCA4758_LIB_NAME},
+{0,NULL}
+        };
+#endif
+
+
+static int CCA4758_lib_error_code=0;
+static int CCA4758_error_init=1;
+
+static void ERR_load_CCA4758_strings(void)
+        {
+        if (CCA4758_lib_error_code == 0)
+                CCA4758_lib_error_code=ERR_get_next_error_library();
+
+        if (CCA4758_error_init)
+                {
+                CCA4758_error_init=0;
+#ifndef OPENSSL_NO_ERR
+                ERR_load_strings(CCA4758_lib_error_code,CCA4758_str_functs);
+                ERR_load_strings(CCA4758_lib_error_code,CCA4758_str_reasons);
+#endif
+
+#ifdef CCA4758_LIB_NAME
+                CCA4758_lib_name->error = ERR_PACK(CCA4758_lib_error_code,0,0);
+                ERR_load_strings(0,CCA4758_lib_name);
+#endif
+                }
+        }
+
+static void ERR_unload_CCA4758_strings(void)
+        {
+        if (CCA4758_error_init == 0)
+                {
+#ifndef OPENSSL_NO_ERR
+                ERR_unload_strings(CCA4758_lib_error_code,CCA4758_str_functs);
+                ERR_unload_strings(CCA4758_lib_error_code,CCA4758_str_reasons);
+#endif
+
+#ifdef CCA4758_LIB_NAME
+                ERR_unload_strings(0,CCA4758_lib_name);
+#endif
+                CCA4758_error_init=1;
+                }
+        }
+
+static void ERR_CCA4758_error(int function, int reason, char *file, int line)
+        {
+        if (CCA4758_lib_error_code == 0)
+                CCA4758_lib_error_code=ERR_get_next_error_library();
+        ERR_PUT_error(CCA4758_lib_error_code,function,reason,file,line);
+        }
diff --git a/src/lib/libcrypto/engine/hw_4758_cca_err.h b/src/lib/libcrypto/engine/hw_4758_cca_err.h
new file mode 100644
index 0000000000..2fc563ab11
--- /dev/null
+++ b/src/lib/libcrypto/engine/hw_4758_cca_err.h
@@ -0,0 +1,93 @@
+/* ====================================================================
+ * Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#ifndef HEADER_CCA4758_ERR_H
+#define HEADER_CCA4758_ERR_H
+
+/* BEGIN ERROR CODES */
+/* The following lines are auto generated by the script mkerr.pl. Any changes
+ * made after this point may be overwritten when the script is next run.
+ */
+static void ERR_load_CCA4758_strings(void);
+static void ERR_unload_CCA4758_strings(void);
+static void ERR_CCA4758_error(int function, int reason, char *file, int line);
+#define CCA4758err(f,r) ERR_CCA4758_error((f),(r),__FILE__,__LINE__)
+
+/* Error codes for the CCA4758 functions. */
+
+/* Function codes. */
+#define CCA4758_F_IBM_4758_CCA_CTRL                      100
+#define CCA4758_F_IBM_4758_CCA_FINISH                    101
+#define CCA4758_F_IBM_4758_CCA_INIT                      102
+#define CCA4758_F_IBM_4758_CCA_LOAD_PRIVKEY              103
+#define CCA4758_F_IBM_4758_CCA_LOAD_PUBKEY               104
+#define CCA4758_F_IBM_4758_CCA_SIGN                      105
+#define CCA4758_F_IBM_4758_CCA_VERIFY                    106
+
+/* Reason codes. */
+#define CCA4758_R_ALREADY_LOADED                         100
+#define CCA4758_R_ASN1_OID_UNKNOWN_FOR_MD                101
+#define CCA4758_R_COMMAND_NOT_IMPLEMENTED                102
+#define CCA4758_R_DSO_FAILURE                            103
+#define CCA4758_R_FAILED_LOADING_PRIVATE_KEY             104
+#define CCA4758_R_FAILED_LOADING_PUBLIC_KEY              105
+#define CCA4758_R_NOT_LOADED                             106
+#define CCA4758_R_SIZE_TOO_LARGE_OR_TOO_SMALL            107
+#define CCA4758_R_UNIT_FAILURE                           108
+#define CCA4758_R_UNKNOWN_ALGORITHM_TYPE                 109
+
+#ifdef  __cplusplus
+}
+#endif
+#endif
diff --git a/src/lib/libcrypto/engine/hw_aep.c b/src/lib/libcrypto/engine/hw_aep.c
new file mode 100644
index 0000000000..cf4507cff1
--- /dev/null
+++ b/src/lib/libcrypto/engine/hw_aep.c
@@ -0,0 +1,1101 @@
+/* crypto/engine/hw_aep.c */
+/*
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <openssl/bn.h>
+#include <string.h>
+
+#include <openssl/e_os2.h>
+#ifndef OPENSSL_SYS_MSDOS
+#include <sys/types.h>
+#include <unistd.h>
+#else
+#include <process.h>
+typedef int pid_t;
+#endif
+
+#include <openssl/crypto.h>
+#include <openssl/dso.h>
+#include <openssl/engine.h>
+
+#ifndef OPENSSL_NO_HW
+#ifndef OPENSSL_NO_HW_AEP
+#ifdef FLAT_INC
+#include "aep.h"
+#else
+#include "vendor_defns/aep.h"
+#endif
+
+#define AEP_LIB_NAME "aep engine"
+#define FAIL_TO_SW 0x10101010
+
+#include "hw_aep_err.c"
+
+static int aep_init(ENGINE *e);
+static int aep_finish(ENGINE *e);
+static int aep_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)());
+static int aep_destroy(ENGINE *e);
+
+static AEP_RV aep_get_connection(AEP_CONNECTION_HNDL_PTR hConnection);
+static AEP_RV aep_return_connection(AEP_CONNECTION_HNDL hConnection);
+static AEP_RV aep_close_connection(AEP_CONNECTION_HNDL hConnection);
+static AEP_RV aep_close_all_connections(int use_engine_lock, int *in_use);
+
+/* BIGNUM stuff */
+static int aep_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+        const BIGNUM *m, BN_CTX *ctx);
+
+static AEP_RV aep_mod_exp_crt(BIGNUM *r,const  BIGNUM *a, const BIGNUM *p,
+        const BIGNUM *q, const BIGNUM *dmp1,const BIGNUM *dmq1,
+        const BIGNUM *iqmp, BN_CTX *ctx);
+
+/* RSA stuff */
+#ifndef OPENSSL_NO_RSA
+static int aep_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa);
+#endif
+
+/* This function is aliased to mod_exp (with the mont stuff dropped). */
+static int aep_mod_exp_mont(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+        const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
+
+/* DSA stuff */
+#ifndef OPENSSL_NO_DSA
+static int aep_dsa_mod_exp(DSA *dsa, BIGNUM *rr, BIGNUM *a1,
+        BIGNUM *p1, BIGNUM *a2, BIGNUM *p2, BIGNUM *m,
+        BN_CTX *ctx, BN_MONT_CTX *in_mont);
+
+static int aep_mod_exp_dsa(DSA *dsa, BIGNUM *r, BIGNUM *a,
+        const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx,
+        BN_MONT_CTX *m_ctx);
+#endif
+
+/* DH stuff */
+/* This function is aliased to mod_exp (with the DH and mont dropped). */
+#ifndef OPENSSL_NO_DH
+static int aep_mod_exp_dh(const DH *dh, BIGNUM *r, const BIGNUM *a,
+        const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
+#endif
+
+/* rand stuff   */
+#ifdef AEPRAND
+static int aep_rand(unsigned char *buf, int num);
+static int aep_rand_status(void);
+#endif
+
+/* Bignum conversion stuff */
+static AEP_RV GetBigNumSize(AEP_VOID_PTR ArbBigNum, AEP_U32* BigNumSize);
+static AEP_RV MakeAEPBigNum(AEP_VOID_PTR ArbBigNum, AEP_U32 BigNumSize,
+        unsigned char* AEP_BigNum);
+static AEP_RV ConvertAEPBigNum(void* ArbBigNum, AEP_U32 BigNumSize,
+        unsigned char* AEP_BigNum);
+
+/* The definitions for control commands specific to this engine */
+#define AEP_CMD_SO_PATH         ENGINE_CMD_BASE
+static const ENGINE_CMD_DEFN aep_cmd_defns[] =
+        {
+        { AEP_CMD_SO_PATH,
+          "SO_PATH",
+          "Specifies the path to the 'aep' shared library",
+          ENGINE_CMD_FLAG_STRING
+        },
+        {0, NULL, NULL, 0}
+        };
+
+#ifndef OPENSSL_NO_RSA
+/* Our internal RSA_METHOD that we provide pointers to */
+static RSA_METHOD aep_rsa =
+        {
+        "Aep RSA method",
+        NULL,                /*rsa_pub_encrypt*/
+        NULL,                /*rsa_pub_decrypt*/
+        NULL,                /*rsa_priv_encrypt*/
+        NULL,                /*rsa_priv_encrypt*/
+        aep_rsa_mod_exp,     /*rsa_mod_exp*/
+        aep_mod_exp_mont,    /*bn_mod_exp*/
+        NULL,                /*init*/
+        NULL,                /*finish*/
+        0,                   /*flags*/
+        NULL,                /*app_data*/
+        NULL,                /*rsa_sign*/
+        NULL                 /*rsa_verify*/
+        };
+#endif
+
+#ifndef OPENSSL_NO_DSA
+/* Our internal DSA_METHOD that we provide pointers to */
+static DSA_METHOD aep_dsa =
+        {
+        "Aep DSA method",
+        NULL,                /* dsa_do_sign */
+        NULL,                /* dsa_sign_setup */
+        NULL,                /* dsa_do_verify */
+        aep_dsa_mod_exp,     /* dsa_mod_exp */
+        aep_mod_exp_dsa,     /* bn_mod_exp */
+        NULL,                /* init */
+        NULL,                /* finish */
+        0,                   /* flags */
+        NULL                 /* app_data */
+        };
+#endif
+
+#ifndef OPENSSL_NO_DH
+/* Our internal DH_METHOD that we provide pointers to */
+static DH_METHOD aep_dh =
+        {
+        "Aep DH method",
+        NULL,
+        NULL,
+        aep_mod_exp_dh,
+        NULL,
+        NULL,
+        0,
+        NULL
+        };
+#endif
+
+#ifdef AEPRAND
+/* our internal RAND_method that we provide pointers to  */
+static RAND_METHOD aep_random =
+        {
+        /*"AEP RAND method", */
+        NULL,
+        aep_rand,
+        NULL,
+        NULL,
+        aep_rand,
+        aep_rand_status,
+        };
+#endif
+
+/*Define an array of structures to hold connections*/
+static AEP_CONNECTION_ENTRY aep_app_conn_table[MAX_PROCESS_CONNECTIONS];
+
+/*Used to determine if this is a new process*/
+static pid_t    recorded_pid = 0;
+
+#ifdef AEPRAND
+static AEP_U8   rand_block[RAND_BLK_SIZE];
+static AEP_U32  rand_block_bytes = 0;
+#endif
+
+/* Constants used when creating the ENGINE */
+static const char *engine_aep_id = "aep";
+static const char *engine_aep_name = "Aep hardware engine support";
+
+static int max_key_len = 2176;
+
+
+/* This internal function is used by ENGINE_aep() and possibly by the
+ * "dynamic" ENGINE support too */
+static int bind_aep(ENGINE *e)
+        {
+#ifndef OPENSSL_NO_RSA
+        const RSA_METHOD  *meth1;
+#endif
+#ifndef OPENSSL_NO_DSA
+        const DSA_METHOD  *meth2;
+#endif
+#ifndef OPENSSL_NO_DH
+        const DH_METHOD   *meth3;
+#endif
+
+        if(!ENGINE_set_id(e, engine_aep_id) ||
+                !ENGINE_set_name(e, engine_aep_name) ||
+#ifndef OPENSSL_NO_RSA
+                !ENGINE_set_RSA(e, &aep_rsa) ||
+#endif
+#ifndef OPENSSL_NO_DSA
+                !ENGINE_set_DSA(e, &aep_dsa) ||
+#endif
+#ifndef OPENSSL_NO_DH
+                !ENGINE_set_DH(e, &aep_dh) ||
+#endif
+#ifdef AEPRAND
+                !ENGINE_set_RAND(e, &aep_random) ||
+#endif
+                !ENGINE_set_init_function(e, aep_init) ||
+                !ENGINE_set_destroy_function(e, aep_destroy) ||
+                !ENGINE_set_finish_function(e, aep_finish) ||
+                !ENGINE_set_ctrl_function(e, aep_ctrl) ||
+                !ENGINE_set_cmd_defns(e, aep_cmd_defns))
+                return 0;
+
+#ifndef OPENSSL_NO_RSA
+        /* We know that the "PKCS1_SSLeay()" functions hook properly
+         * to the aep-specific mod_exp and mod_exp_crt so we use
+         * those functions. NB: We don't use ENGINE_openssl() or
+         * anything "more generic" because something like the RSAref
+         * code may not hook properly, and if you own one of these
+         * cards then you have the right to do RSA operations on it
+         * anyway! */
+        meth1 = RSA_PKCS1_SSLeay();
+        aep_rsa.rsa_pub_enc = meth1->rsa_pub_enc;
+        aep_rsa.rsa_pub_dec = meth1->rsa_pub_dec;
+        aep_rsa.rsa_priv_enc = meth1->rsa_priv_enc;
+        aep_rsa.rsa_priv_dec = meth1->rsa_priv_dec;
+#endif
+
+
+#ifndef OPENSSL_NO_DSA
+        /* Use the DSA_OpenSSL() method and just hook the mod_exp-ish
+         * bits. */
+        meth2 = DSA_OpenSSL();
+        aep_dsa.dsa_do_sign    = meth2->dsa_do_sign;
+        aep_dsa.dsa_sign_setup = meth2->dsa_sign_setup;
+        aep_dsa.dsa_do_verify  = meth2->dsa_do_verify;
+
+        aep_dsa = *DSA_get_default_method(); 
+        aep_dsa.dsa_mod_exp = aep_dsa_mod_exp; 
+        aep_dsa.bn_mod_exp = aep_mod_exp_dsa;
+#endif
+
+#ifndef OPENSSL_NO_DH
+        /* Much the same for Diffie-Hellman */
+        meth3 = DH_OpenSSL();
+        aep_dh.generate_key = meth3->generate_key;
+        aep_dh.compute_key  = meth3->compute_key;
+        aep_dh.bn_mod_exp   = meth3->bn_mod_exp;
+#endif
+
+        /* Ensure the aep error handling is set up */
+        ERR_load_AEPHK_strings();
+
+        return 1;
+}
+
+#ifdef ENGINE_DYNAMIC_SUPPORT
+static int bind_helper(ENGINE *e, const char *id)
+        {
+        if(id && (strcmp(id, engine_aep_id) != 0))
+                return 0;
+        if(!bind_aep(e))
+                return 0;
+        return 1;
+        }       
+IMPLEMENT_DYNAMIC_CHECK_FN()
+IMPLEMENT_DYNAMIC_BIND_FN(bind_helper)
+#else
+static ENGINE *engine_aep(void)
+        {
+        ENGINE *ret = ENGINE_new();
+        if(!ret)
+                return NULL;
+        if(!bind_aep(ret))
+                {
+                ENGINE_free(ret);
+                return NULL;
+                }
+        return ret;
+        }
+
+void ENGINE_load_aep(void)
+        {
+        /* Copied from eng_[openssl|dyn].c */
+        ENGINE *toadd = engine_aep();
+        if(!toadd) return;
+        ENGINE_add(toadd);
+        ENGINE_free(toadd);
+        ERR_clear_error();
+        }
+#endif
+
+/* This is a process-global DSO handle used for loading and unloading
+ * the Aep library. NB: This is only set (or unset) during an
+ * init() or finish() call (reference counts permitting) and they're
+ * operating with global locks, so this should be thread-safe
+ * implicitly. */
+static DSO *aep_dso = NULL;
+
+/* These are the static string constants for the DSO file name and the function
+ * symbol names to bind to. 
+*/
+static const char *AEP_LIBNAME = "aep";
+
+static const char *AEP_F1    = "AEP_ModExp";
+static const char *AEP_F2    = "AEP_ModExpCrt";
+#ifdef AEPRAND
+static const char *AEP_F3    = "AEP_GenRandom";
+#endif
+static const char *AEP_F4    = "AEP_Finalize";
+static const char *AEP_F5    = "AEP_Initialize";
+static const char *AEP_F6    = "AEP_OpenConnection";
+static const char *AEP_F7    = "AEP_SetBNCallBacks";
+static const char *AEP_F8    = "AEP_CloseConnection";
+
+/* These are the function pointers that are (un)set when the library has
+ * successfully (un)loaded. */
+static t_AEP_OpenConnection    *p_AEP_OpenConnection  = NULL;
+static t_AEP_CloseConnection   *p_AEP_CloseConnection = NULL;
+static t_AEP_ModExp            *p_AEP_ModExp          = NULL;
+static t_AEP_ModExpCrt         *p_AEP_ModExpCrt       = NULL;
+#ifdef AEPRAND
+static t_AEP_GenRandom         *p_AEP_GenRandom       = NULL;
+#endif
+static t_AEP_Initialize        *p_AEP_Initialize      = NULL;
+static t_AEP_Finalize          *p_AEP_Finalize        = NULL;
+static t_AEP_SetBNCallBacks    *p_AEP_SetBNCallBacks  = NULL;
+
+/* (de)initialisation functions. */
+static int aep_init(ENGINE *e)
+        {
+        t_AEP_ModExp          *p1;
+        t_AEP_ModExpCrt       *p2;
+#ifdef AEPRAND
+        t_AEP_GenRandom       *p3;
+#endif
+        t_AEP_Finalize        *p4;
+        t_AEP_Initialize      *p5;
+        t_AEP_OpenConnection  *p6;
+        t_AEP_SetBNCallBacks  *p7;
+        t_AEP_CloseConnection *p8;
+
+        int to_return = 0;
+ 
+        if(aep_dso != NULL)
+                {
+                AEPHKerr(AEPHK_F_AEP_INIT,AEPHK_R_ALREADY_LOADED);
+                goto err;
+                }
+        /* Attempt to load libaep.so. */
+
+        aep_dso = DSO_load(NULL, AEP_LIBNAME, NULL, 0);
+  
+        if(aep_dso == NULL)
+                {
+                AEPHKerr(AEPHK_F_AEP_INIT,AEPHK_R_NOT_LOADED);
+                goto err;
+                }
+
+        if(     !(p1 = (t_AEP_ModExp *)     DSO_bind_func( aep_dso,AEP_F1))  ||
+                !(p2 = (t_AEP_ModExpCrt*)   DSO_bind_func( aep_dso,AEP_F2))  ||
+#ifdef AEPRAND
+                !(p3 = (t_AEP_GenRandom*)   DSO_bind_func( aep_dso,AEP_F3))  ||
+#endif
+                !(p4 = (t_AEP_Finalize*)    DSO_bind_func( aep_dso,AEP_F4))  ||
+                !(p5 = (t_AEP_Initialize*)  DSO_bind_func( aep_dso,AEP_F5))  ||
+                !(p6 = (t_AEP_OpenConnection*) DSO_bind_func( aep_dso,AEP_F6))  ||
+                !(p7 = (t_AEP_SetBNCallBacks*) DSO_bind_func( aep_dso,AEP_F7))  ||
+                !(p8 = (t_AEP_CloseConnection*) DSO_bind_func( aep_dso,AEP_F8)))
+                {
+                AEPHKerr(AEPHK_F_AEP_INIT,AEPHK_R_NOT_LOADED);
+                goto err;
+                }
+
+        /* Copy the pointers */
+  
+        p_AEP_ModExp           = p1;
+        p_AEP_ModExpCrt        = p2;
+#ifdef AEPRAND
+        p_AEP_GenRandom        = p3;
+#endif
+        p_AEP_Finalize         = p4;
+        p_AEP_Initialize       = p5;
+        p_AEP_OpenConnection   = p6;
+        p_AEP_SetBNCallBacks   = p7;
+        p_AEP_CloseConnection  = p8;
+ 
+        to_return = 1;
+ 
+        return to_return;
+
+ err: 
+
+        if(aep_dso)
+                DSO_free(aep_dso);
+                
+        p_AEP_OpenConnection    = NULL;
+        p_AEP_ModExp            = NULL;
+        p_AEP_ModExpCrt         = NULL;
+#ifdef AEPRAND
+        p_AEP_GenRandom         = NULL;
+#endif
+        p_AEP_Initialize        = NULL;
+        p_AEP_Finalize          = NULL;
+        p_AEP_SetBNCallBacks    = NULL;
+        p_AEP_CloseConnection   = NULL;
+
+        return to_return;
+        }
+
+/* Destructor (complements the "ENGINE_aep()" constructor) */
+static int aep_destroy(ENGINE *e)
+        {
+        ERR_unload_AEPHK_strings();
+        return 1;
+        }
+
+static int aep_finish(ENGINE *e)
+        {
+        int to_return = 0, in_use;
+        AEP_RV rv;
+
+        if(aep_dso == NULL)
+                {
+                AEPHKerr(AEPHK_F_AEP_FINISH,AEPHK_R_NOT_LOADED);
+                goto err;
+                }
+
+        rv = aep_close_all_connections(0, &in_use);
+        if (rv != AEP_R_OK)
+                {
+                AEPHKerr(AEPHK_F_AEP_FINISH,AEPHK_R_CLOSE_HANDLES_FAILED);
+                goto err;
+                }
+        if (in_use)
+                {
+                AEPHKerr(AEPHK_F_AEP_FINISH,AEPHK_R_CONNECTIONS_IN_USE);
+                goto err;
+                }
+
+        rv = p_AEP_Finalize();
+        if (rv != AEP_R_OK)
+                {
+                AEPHKerr(AEPHK_F_AEP_FINISH,AEPHK_R_FINALIZE_FAILED);
+                goto err;
+                }
+
+        if(!DSO_free(aep_dso))
+                {
+                AEPHKerr(AEPHK_F_AEP_FINISH,AEPHK_R_UNIT_FAILURE);
+                goto err;
+                }
+
+        aep_dso = NULL;
+        p_AEP_CloseConnection   = NULL;
+        p_AEP_OpenConnection    = NULL;
+        p_AEP_ModExp            = NULL;
+        p_AEP_ModExpCrt         = NULL;
+#ifdef AEPRAND
+        p_AEP_GenRandom         = NULL;
+#endif
+        p_AEP_Initialize        = NULL;
+        p_AEP_Finalize          = NULL;
+        p_AEP_SetBNCallBacks    = NULL;
+
+        to_return = 1;
+ err:
+        return to_return;
+        }
+
+static int aep_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)())
+        {
+        int initialised = ((aep_dso == NULL) ? 0 : 1);
+        switch(cmd)
+                {
+        case AEP_CMD_SO_PATH:
+                if(p == NULL)
+                        {
+                        AEPHKerr(AEPHK_F_AEP_CTRL,
+                                ERR_R_PASSED_NULL_PARAMETER);
+                        return 0;
+                        }
+                if(initialised)
+                        {
+                        AEPHKerr(AEPHK_F_AEP_CTRL,
+                                AEPHK_R_ALREADY_LOADED);
+                        return 0;
+                        }
+                AEP_LIBNAME = (const char *)p;
+                return 1;
+        default:
+                break;
+                }
+        AEPHKerr(AEPHK_F_AEP_CTRL,AEPHK_R_CTRL_COMMAND_NOT_IMPLEMENTED);
+        return 0;
+        }
+
+static int aep_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+        const BIGNUM *m, BN_CTX *ctx)
+        {
+        int to_return = 0;
+        int     r_len = 0;
+        AEP_CONNECTION_HNDL hConnection;
+        AEP_RV rv;
+        
+        r_len = BN_num_bits(m);
+
+        /* Perform in software if modulus is too large for hardware. */
+
+        if (r_len > max_key_len){
+                AEPHKerr(AEPHK_F_AEP_MOD_EXP, AEPHK_R_SIZE_TOO_LARGE_OR_TOO_SMALL);
+                return BN_mod_exp(r, a, p, m, ctx);
+        } 
+
+        /*Grab a connection from the pool*/
+        rv = aep_get_connection(&hConnection);
+        if (rv != AEP_R_OK)
+                {     
+                AEPHKerr(AEPHK_F_AEP_MOD_EXP,AEPHK_R_GET_HANDLE_FAILED);
+                return BN_mod_exp(r, a, p, m, ctx);
+                }
+
+        /*To the card with the mod exp*/
+        rv = p_AEP_ModExp(hConnection,(void*)a, (void*)p,(void*)m, (void*)r,NULL);
+
+        if (rv !=  AEP_R_OK)
+                {
+                AEPHKerr(AEPHK_F_AEP_MOD_EXP,AEPHK_R_MOD_EXP_FAILED);
+                rv = aep_close_connection(hConnection);
+                return BN_mod_exp(r, a, p, m, ctx);
+                }
+
+        /*Return the connection to the pool*/
+        rv = aep_return_connection(hConnection);
+        if (rv != AEP_R_OK)
+                {
+                AEPHKerr(AEPHK_F_AEP_RAND,AEPHK_R_RETURN_CONNECTION_FAILED); 
+                goto err;
+                }
+
+        to_return = 1;
+ err:
+        return to_return;
+        }
+        
+static AEP_RV aep_mod_exp_crt(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+        const BIGNUM *q, const BIGNUM *dmp1,
+        const BIGNUM *dmq1,const BIGNUM *iqmp, BN_CTX *ctx)
+        {
+        AEP_RV rv = AEP_R_OK;
+        AEP_CONNECTION_HNDL hConnection;
+
+        /*Grab a connection from the pool*/
+        rv = aep_get_connection(&hConnection);
+        if (rv != AEP_R_OK)
+                {
+                AEPHKerr(AEPHK_F_AEP_MOD_EXP_CRT,AEPHK_R_GET_HANDLE_FAILED);
+                return FAIL_TO_SW;
+                }
+
+        /*To the card with the mod exp*/
+        rv = p_AEP_ModExpCrt(hConnection,(void*)a, (void*)p, (void*)q, (void*)dmp1,(void*)dmq1,
+                (void*)iqmp,(void*)r,NULL);
+        if (rv != AEP_R_OK)
+                {
+                AEPHKerr(AEPHK_F_AEP_MOD_EXP_CRT,AEPHK_R_MOD_EXP_CRT_FAILED);
+                rv = aep_close_connection(hConnection);
+                return FAIL_TO_SW;
+                }
+
+        /*Return the connection to the pool*/
+        rv = aep_return_connection(hConnection);
+        if (rv != AEP_R_OK)
+                {
+                AEPHKerr(AEPHK_F_AEP_RAND,AEPHK_R_RETURN_CONNECTION_FAILED); 
+                goto err;
+                }
+ 
+ err:
+        return rv;
+        }
+        
+
+#ifdef AEPRAND
+static int aep_rand(unsigned char *buf,int len )
+        {
+        AEP_RV rv = AEP_R_OK;
+        AEP_CONNECTION_HNDL hConnection;
+
+        CRYPTO_w_lock(CRYPTO_LOCK_RAND);
+
+        /*Can the request be serviced with what's already in the buffer?*/
+        if (len <= rand_block_bytes)
+                {
+                memcpy(buf, &rand_block[RAND_BLK_SIZE - rand_block_bytes], len);
+                rand_block_bytes -= len;
+                CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
+                }
+        else
+                /*If not the get another block of random bytes*/
+                {
+                CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
+
+                rv = aep_get_connection(&hConnection);
+                if (rv !=  AEP_R_OK)
+                        { 
+                        AEPHKerr(AEPHK_F_AEP_RAND,AEPHK_R_GET_HANDLE_FAILED);             
+                        goto err_nounlock;
+                        }
+
+                if (len > RAND_BLK_SIZE)
+                        {
+                        rv = p_AEP_GenRandom(hConnection, len, 2, buf, NULL);
+                        if (rv !=  AEP_R_OK)
+                                {  
+                                AEPHKerr(AEPHK_F_AEP_RAND,AEPHK_R_GET_RANDOM_FAILED); 
+                                goto err_nounlock;
+                                }
+                        }
+                else
+                        {
+                        CRYPTO_w_lock(CRYPTO_LOCK_RAND);
+
+                        rv = p_AEP_GenRandom(hConnection, RAND_BLK_SIZE, 2, &rand_block[0], NULL);
+                        if (rv !=  AEP_R_OK)
+                                {       
+                                AEPHKerr(AEPHK_F_AEP_RAND,AEPHK_R_GET_RANDOM_FAILED); 
+              
+                                goto err;
+                                }
+
+                        rand_block_bytes = RAND_BLK_SIZE;
+
+                        memcpy(buf, &rand_block[RAND_BLK_SIZE - rand_block_bytes], len);
+                        rand_block_bytes -= len;
+
+                        CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
+                        }
+
+                rv = aep_return_connection(hConnection);
+                if (rv != AEP_R_OK)
+                        {
+                        AEPHKerr(AEPHK_F_AEP_RAND,AEPHK_R_RETURN_CONNECTION_FAILED); 
+          
+                        goto err_nounlock;
+                        }
+                }
+  
+        return 1;
+ err:
+        CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
+ err_nounlock:
+        return 0;
+        }
+        
+static int aep_rand_status(void)
+{
+        return 1;
+}
+#endif
+
+#ifndef OPENSSL_NO_RSA
+static int aep_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa)
+        {
+        BN_CTX *ctx = NULL;
+        int to_return = 0;
+        AEP_RV rv = AEP_R_OK;
+
+        if ((ctx = BN_CTX_new()) == NULL)
+                goto err;
+
+        if (!aep_dso)
+                {
+                AEPHKerr(AEPHK_F_AEP_RSA_MOD_EXP,AEPHK_R_NOT_LOADED);
+                goto err;
+                }
+
+        /*See if we have all the necessary bits for a crt*/
+        if (rsa->q && rsa->dmp1 && rsa->dmq1 && rsa->iqmp)
+                {
+                rv =  aep_mod_exp_crt(r0,I,rsa->p,rsa->q, rsa->dmp1,rsa->dmq1,rsa->iqmp,ctx);
+
+                if (rv == FAIL_TO_SW){
+                        const RSA_METHOD *meth = RSA_PKCS1_SSLeay();
+                        to_return = (*meth->rsa_mod_exp)(r0, I, rsa);
+                        goto err;
+                }
+                else if (rv != AEP_R_OK)
+                        goto err;
+                }
+        else
+                {
+                if (!rsa->d || !rsa->n)
+                        {
+                        AEPHKerr(AEPHK_F_AEP_RSA_MOD_EXP,AEPHK_R_MISSING_KEY_COMPONENTS);
+                        goto err;
+                        }
+ 
+                rv = aep_mod_exp(r0,I,rsa->d,rsa->n,ctx);
+                if  (rv != AEP_R_OK)
+                        goto err;
+        
+                }
+
+        to_return = 1;
+
+ err:
+        if(ctx)
+                BN_CTX_free(ctx);
+        return to_return;
+}
+#endif
+
+#ifndef OPENSSL_NO_DSA
+static int aep_dsa_mod_exp(DSA *dsa, BIGNUM *rr, BIGNUM *a1,
+        BIGNUM *p1, BIGNUM *a2, BIGNUM *p2, BIGNUM *m,
+        BN_CTX *ctx, BN_MONT_CTX *in_mont)
+        {
+        BIGNUM t;
+        int to_return = 0;
+        BN_init(&t);
+
+        /* let rr = a1 ^ p1 mod m */
+        if (!aep_mod_exp(rr,a1,p1,m,ctx)) goto end;
+        /* let t = a2 ^ p2 mod m */
+        if (!aep_mod_exp(&t,a2,p2,m,ctx)) goto end;
+        /* let rr = rr * t mod m */
+        if (!BN_mod_mul(rr,rr,&t,m,ctx)) goto end;
+        to_return = 1;
+ end: 
+        BN_free(&t);
+        return to_return;
+        }
+
+static int aep_mod_exp_dsa(DSA *dsa, BIGNUM *r, BIGNUM *a,
+        const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx,
+        BN_MONT_CTX *m_ctx)
+        {  
+        return aep_mod_exp(r, a, p, m, ctx); 
+        }
+#endif
+
+/* This function is aliased to mod_exp (with the mont stuff dropped). */
+static int aep_mod_exp_mont(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+        const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx)
+        {
+        return aep_mod_exp(r, a, p, m, ctx);
+        }
+
+#ifndef OPENSSL_NO_DH
+/* This function is aliased to mod_exp (with the dh and mont dropped). */
+static int aep_mod_exp_dh(const DH *dh, BIGNUM *r, const BIGNUM *a,
+        const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx,
+        BN_MONT_CTX *m_ctx)
+        {
+        return aep_mod_exp(r, a, p, m, ctx);
+        }
+#endif
+
+static AEP_RV aep_get_connection(AEP_CONNECTION_HNDL_PTR phConnection)
+        {
+        int count;
+        AEP_RV rv = AEP_R_OK;
+
+        /*Get the current process id*/
+        pid_t curr_pid;
+
+        CRYPTO_w_lock(CRYPTO_LOCK_ENGINE);
+
+        curr_pid = getpid();
+
+        /*Check if this is the first time this is being called from the current
+          process*/
+        if (recorded_pid != curr_pid)
+                {
+                /*Remember our pid so we can check if we're in a new process*/
+                recorded_pid = curr_pid;
+
+                /*Call Finalize to make sure we have not inherited some data
+                  from a parent process*/
+                p_AEP_Finalize();
+     
+                /*Initialise the AEP API*/
+                rv = p_AEP_Initialize(NULL);
+
+                if (rv != AEP_R_OK)
+                        {
+                        AEPHKerr(AEPHK_F_AEP_GET_CONNECTION,AEPHK_R_INIT_FAILURE);
+                        recorded_pid = 0;
+                        goto end;
+                        }
+
+                /*Set the AEP big num call back functions*/
+                rv = p_AEP_SetBNCallBacks(&GetBigNumSize, &MakeAEPBigNum,
+                        &ConvertAEPBigNum);
+
+                if (rv != AEP_R_OK)
+                        {
+                        AEPHKerr(AEPHK_F_AEP_GET_CONNECTION,AEPHK_R_SETBNCALLBACK_FAILURE);
+                        recorded_pid = 0;
+                        goto end;
+                        }
+
+#ifdef AEPRAND
+                /*Reset the rand byte count*/
+                rand_block_bytes = 0;
+#endif
+
+                /*Init the structures*/
+                for (count = 0;count < MAX_PROCESS_CONNECTIONS;count ++)
+                        {
+                        aep_app_conn_table[count].conn_state = NotConnected;
+                        aep_app_conn_table[count].conn_hndl  = 0;
+                        }
+
+                /*Open a connection*/
+                rv = p_AEP_OpenConnection(phConnection);
+
+                if (rv != AEP_R_OK)
+                        {
+                        AEPHKerr(AEPHK_F_AEP_GET_CONNECTION,AEPHK_R_UNIT_FAILURE);
+                        recorded_pid = 0;
+                        goto end;
+                        }
+
+                aep_app_conn_table[0].conn_state = InUse;
+                aep_app_conn_table[0].conn_hndl = *phConnection;
+                goto end;
+                }
+        /*Check the existing connections to see if we can find a free one*/
+        for (count = 0;count < MAX_PROCESS_CONNECTIONS;count ++)
+                {
+                if (aep_app_conn_table[count].conn_state == Connected)
+                        {
+                        aep_app_conn_table[count].conn_state = InUse;
+                        *phConnection = aep_app_conn_table[count].conn_hndl;
+                        goto end;
+                        }
+                }
+        /*If no connections available, we're going to have to try
+          to open a new one*/
+        for (count = 0;count < MAX_PROCESS_CONNECTIONS;count ++)
+                {
+                if (aep_app_conn_table[count].conn_state == NotConnected)
+                        {
+                        /*Open a connection*/
+                        rv = p_AEP_OpenConnection(phConnection);
+
+                        if (rv != AEP_R_OK)
+                                {             
+                                AEPHKerr(AEPHK_F_AEP_GET_CONNECTION,AEPHK_R_UNIT_FAILURE);
+                                goto end;
+                                }
+
+                        aep_app_conn_table[count].conn_state = InUse;
+                        aep_app_conn_table[count].conn_hndl = *phConnection;
+                        goto end;
+                        }
+                }
+        rv = AEP_R_GENERAL_ERROR;
+ end:
+        CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
+        return rv;
+        }
+
+
+static AEP_RV aep_return_connection(AEP_CONNECTION_HNDL hConnection)
+        {
+        int count;
+
+        CRYPTO_w_lock(CRYPTO_LOCK_ENGINE);
+
+        /*Find the connection item that matches this connection handle*/
+        for(count = 0;count < MAX_PROCESS_CONNECTIONS;count ++)
+                {
+                if (aep_app_conn_table[count].conn_hndl == hConnection)
+                        {
+                        aep_app_conn_table[count].conn_state = Connected;
+                        break;
+                        }
+                }
+
+        CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
+
+        return AEP_R_OK;
+        }
+
+static AEP_RV aep_close_connection(AEP_CONNECTION_HNDL hConnection)
+        {
+        int count;
+        AEP_RV rv = AEP_R_OK;
+
+        CRYPTO_w_lock(CRYPTO_LOCK_ENGINE);
+
+        /*Find the connection item that matches this connection handle*/
+        for(count = 0;count < MAX_PROCESS_CONNECTIONS;count ++)
+                {
+                if (aep_app_conn_table[count].conn_hndl == hConnection)
+                        {
+                        rv = p_AEP_CloseConnection(aep_app_conn_table[count].conn_hndl);
+                        if (rv != AEP_R_OK)
+                                goto end;
+                        aep_app_conn_table[count].conn_state = NotConnected;
+                        aep_app_conn_table[count].conn_hndl  = 0;
+                        break;
+                        }
+                }
+
+ end:
+        CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
+        return rv;
+        }
+
+static AEP_RV aep_close_all_connections(int use_engine_lock, int *in_use)
+        {
+        int count;
+        AEP_RV rv = AEP_R_OK;
+
+        *in_use = 0;
+        if (use_engine_lock) CRYPTO_w_lock(CRYPTO_LOCK_ENGINE);
+        for (count = 0;count < MAX_PROCESS_CONNECTIONS;count ++)
+                {
+                switch (aep_app_conn_table[count].conn_state)
+                        {
+                case Connected:
+                        rv = p_AEP_CloseConnection(aep_app_conn_table[count].conn_hndl);
+                        if (rv != AEP_R_OK)
+                                goto end;
+                        aep_app_conn_table[count].conn_state = NotConnected;
+                        aep_app_conn_table[count].conn_hndl  = 0;
+                        break;
+                case InUse:
+                        (*in_use)++;
+                        break;
+                case NotConnected:
+                        break;
+                        }
+                }
+ end:
+        if (use_engine_lock) CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
+        return rv;
+        }
+
+/*BigNum call back functions, used to convert OpenSSL bignums into AEP bignums.
+  Note only 32bit Openssl build support*/
+
+static AEP_RV GetBigNumSize(AEP_VOID_PTR ArbBigNum, AEP_U32* BigNumSize)
+        {
+        BIGNUM* bn;
+
+        /*Cast the ArbBigNum pointer to our BIGNUM struct*/
+        bn = (BIGNUM*) ArbBigNum;
+
+#ifdef SIXTY_FOUR_BIT_LONG
+        *BigNumSize = bn->top << 3;
+#else
+        /*Size of the bignum in bytes is equal to the bn->top (no of 32 bit
+          words) multiplies by 4*/
+        *BigNumSize = bn->top << 2;
+#endif
+
+        return AEP_R_OK;
+        }
+
+static AEP_RV MakeAEPBigNum(AEP_VOID_PTR ArbBigNum, AEP_U32 BigNumSize,
+        unsigned char* AEP_BigNum)
+        {
+        BIGNUM* bn;
+
+#ifndef SIXTY_FOUR_BIT_LONG
+        unsigned char* buf;
+        int i;
+#endif
+
+        /*Cast the ArbBigNum pointer to our BIGNUM struct*/
+        bn = (BIGNUM*) ArbBigNum;
+
+#ifdef SIXTY_FOUR_BIT_LONG
+        memcpy(AEP_BigNum, bn->d, BigNumSize);
+#else
+        /*Must copy data into a (monotone) least significant byte first format
+          performing endian conversion if necessary*/
+        for(i=0;i<bn->top;i++)
+                {
+                buf = (unsigned char*)&bn->d[i];
+
+                *((AEP_U32*)AEP_BigNum) = (AEP_U32)
+                        ((unsigned) buf[1] << 8 | buf[0]) |
+                        ((unsigned) buf[3] << 8 | buf[2])  << 16;
+
+                AEP_BigNum += 4;
+                }
+#endif
+
+        return AEP_R_OK;
+        }
+
+/*Turn an AEP Big Num back to a user big num*/
+static AEP_RV ConvertAEPBigNum(void* ArbBigNum, AEP_U32 BigNumSize,
+        unsigned char* AEP_BigNum)
+        {
+        BIGNUM* bn;
+#ifndef SIXTY_FOUR_BIT_LONG
+        int i;
+#endif
+
+        bn = (BIGNUM*)ArbBigNum;
+
+        /*Expand the result bn so that it can hold our big num.
+          Size is in bits*/
+        bn_expand(bn, (int)(BigNumSize << 3));
+
+#ifdef SIXTY_FOUR_BIT_LONG
+        bn->top = BigNumSize >> 3;
+        
+        if((BigNumSize & 7) != 0)
+                bn->top++;
+
+        memset(bn->d, 0, bn->top << 3); 
+
+        memcpy(bn->d, AEP_BigNum, BigNumSize);
+#else
+        bn->top = BigNumSize >> 2;
+ 
+        for(i=0;i<bn->top;i++)
+                {
+                bn->d[i] = (AEP_U32)
+                        ((unsigned) AEP_BigNum[3] << 8 | AEP_BigNum[2]) << 16 |
+                        ((unsigned) AEP_BigNum[1] << 8 | AEP_BigNum[0]);
+                AEP_BigNum += 4;
+                }
+#endif
+
+        return AEP_R_OK;
+}       
+        
+#endif /* !OPENSSL_NO_HW_AEP */
+#endif /* !OPENSSL_NO_HW */
diff --git a/src/lib/libcrypto/engine/hw_aep_err.c b/src/lib/libcrypto/engine/hw_aep_err.c
new file mode 100644
index 0000000000..092f532946
--- /dev/null
+++ b/src/lib/libcrypto/engine/hw_aep_err.c
@@ -0,0 +1,157 @@
+/* hw_aep_err.c */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/* NOTE: this file was auto generated by the mkerr.pl script: any changes
+ * made to it will be overwritten when the script next updates this file,
+ * only reason strings will be preserved.
+ */
+
+#include <stdio.h>
+#include <openssl/err.h>
+#include "hw_aep_err.h"
+
+/* BEGIN ERROR CODES */
+#ifndef OPENSSL_NO_ERR
+static ERR_STRING_DATA AEPHK_str_functs[]=
+        {
+{ERR_PACK(0,AEPHK_F_AEP_CTRL,0),        "AEP_CTRL"},
+{ERR_PACK(0,AEPHK_F_AEP_FINISH,0),      "AEP_FINISH"},
+{ERR_PACK(0,AEPHK_F_AEP_GET_CONNECTION,0),      "AEP_GET_CONNECTION"},
+{ERR_PACK(0,AEPHK_F_AEP_INIT,0),        "AEP_INIT"},
+{ERR_PACK(0,AEPHK_F_AEP_MOD_EXP,0),     "AEP_MOD_EXP"},
+{ERR_PACK(0,AEPHK_F_AEP_MOD_EXP_CRT,0), "AEP_MOD_EXP_CRT"},
+{ERR_PACK(0,AEPHK_F_AEP_RAND,0),        "AEP_RAND"},
+{ERR_PACK(0,AEPHK_F_AEP_RSA_MOD_EXP,0), "AEP_RSA_MOD_EXP"},
+{0,NULL}
+        };
+
+static ERR_STRING_DATA AEPHK_str_reasons[]=
+        {
+{AEPHK_R_ALREADY_LOADED                  ,"already loaded"},
+{AEPHK_R_CLOSE_HANDLES_FAILED            ,"close handles failed"},
+{AEPHK_R_CONNECTIONS_IN_USE              ,"connections in use"},
+{AEPHK_R_CTRL_COMMAND_NOT_IMPLEMENTED    ,"ctrl command not implemented"},
+{AEPHK_R_FINALIZE_FAILED                 ,"finalize failed"},
+{AEPHK_R_GET_HANDLE_FAILED               ,"get handle failed"},
+{AEPHK_R_GET_RANDOM_FAILED               ,"get random failed"},
+{AEPHK_R_INIT_FAILURE                    ,"init failure"},
+{AEPHK_R_MISSING_KEY_COMPONENTS          ,"missing key components"},
+{AEPHK_R_MOD_EXP_CRT_FAILED              ,"mod exp crt failed"},
+{AEPHK_R_MOD_EXP_FAILED                  ,"mod exp failed"},
+{AEPHK_R_NOT_LOADED                      ,"not loaded"},
+{AEPHK_R_OK                              ,"ok"},
+{AEPHK_R_RETURN_CONNECTION_FAILED        ,"return connection failed"},
+{AEPHK_R_SETBNCALLBACK_FAILURE           ,"setbncallback failure"},
+{AEPHK_R_SIZE_TOO_LARGE_OR_TOO_SMALL     ,"size too large or too small"},
+{AEPHK_R_UNIT_FAILURE                    ,"unit failure"},
+{0,NULL}
+        };
+
+#endif
+
+#ifdef AEPHK_LIB_NAME
+static ERR_STRING_DATA AEPHK_lib_name[]=
+        {
+{0      ,AEPHK_LIB_NAME},
+{0,NULL}
+        };
+#endif
+
+
+static int AEPHK_lib_error_code=0;
+static int AEPHK_error_init=1;
+
+static void ERR_load_AEPHK_strings(void)
+        {
+        if (AEPHK_lib_error_code == 0)
+                AEPHK_lib_error_code=ERR_get_next_error_library();
+
+        if (AEPHK_error_init)
+                {
+                AEPHK_error_init=0;
+#ifndef OPENSSL_NO_ERR
+                ERR_load_strings(AEPHK_lib_error_code,AEPHK_str_functs);
+                ERR_load_strings(AEPHK_lib_error_code,AEPHK_str_reasons);
+#endif
+
+#ifdef AEPHK_LIB_NAME
+                AEPHK_lib_name->error = ERR_PACK(AEPHK_lib_error_code,0,0);
+                ERR_load_strings(0,AEPHK_lib_name);
+#endif
+                }
+        }
+
+static void ERR_unload_AEPHK_strings(void)
+        {
+        if (AEPHK_error_init == 0)
+                {
+#ifndef OPENSSL_NO_ERR
+                ERR_unload_strings(AEPHK_lib_error_code,AEPHK_str_functs);
+                ERR_unload_strings(AEPHK_lib_error_code,AEPHK_str_reasons);
+#endif
+
+#ifdef AEPHK_LIB_NAME
+                ERR_unload_strings(0,AEPHK_lib_name);
+#endif
+                AEPHK_error_init=1;
+                }
+        }
+
+static void ERR_AEPHK_error(int function, int reason, char *file, int line)
+        {
+        if (AEPHK_lib_error_code == 0)
+                AEPHK_lib_error_code=ERR_get_next_error_library();
+        ERR_PUT_error(AEPHK_lib_error_code,function,reason,file,line);
+        }
diff --git a/src/lib/libcrypto/engine/hw_aep_err.h b/src/lib/libcrypto/engine/hw_aep_err.h
new file mode 100644
index 0000000000..8fe4cf921f
--- /dev/null
+++ b/src/lib/libcrypto/engine/hw_aep_err.h
@@ -0,0 +1,101 @@
+/* ====================================================================
+ * Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#ifndef HEADER_AEPHK_ERR_H
+#define HEADER_AEPHK_ERR_H
+
+/* BEGIN ERROR CODES */
+/* The following lines are auto generated by the script mkerr.pl. Any changes
+ * made after this point may be overwritten when the script is next run.
+ */
+static void ERR_load_AEPHK_strings(void);
+static void ERR_unload_AEPHK_strings(void);
+static void ERR_AEPHK_error(int function, int reason, char *file, int line);
+#define AEPHKerr(f,r) ERR_AEPHK_error((f),(r),__FILE__,__LINE__)
+
+/* Error codes for the AEPHK functions. */
+
+/* Function codes. */
+#define AEPHK_F_AEP_CTRL                                 100
+#define AEPHK_F_AEP_FINISH                               101
+#define AEPHK_F_AEP_GET_CONNECTION                       102
+#define AEPHK_F_AEP_INIT                                 103
+#define AEPHK_F_AEP_MOD_EXP                              104
+#define AEPHK_F_AEP_MOD_EXP_CRT                          105
+#define AEPHK_F_AEP_RAND                                 106
+#define AEPHK_F_AEP_RSA_MOD_EXP                          107
+
+/* Reason codes. */
+#define AEPHK_R_ALREADY_LOADED                           100
+#define AEPHK_R_CLOSE_HANDLES_FAILED                     101
+#define AEPHK_R_CONNECTIONS_IN_USE                       102
+#define AEPHK_R_CTRL_COMMAND_NOT_IMPLEMENTED             103
+#define AEPHK_R_FINALIZE_FAILED                          104
+#define AEPHK_R_GET_HANDLE_FAILED                        105
+#define AEPHK_R_GET_RANDOM_FAILED                        106
+#define AEPHK_R_INIT_FAILURE                             107
+#define AEPHK_R_MISSING_KEY_COMPONENTS                   108
+#define AEPHK_R_MOD_EXP_CRT_FAILED                       109
+#define AEPHK_R_MOD_EXP_FAILED                           110
+#define AEPHK_R_NOT_LOADED                               111
+#define AEPHK_R_OK                                       112
+#define AEPHK_R_RETURN_CONNECTION_FAILED                 113
+#define AEPHK_R_SETBNCALLBACK_FAILURE                    114
+#define AEPHK_R_SIZE_TOO_LARGE_OR_TOO_SMALL              116
+#define AEPHK_R_UNIT_FAILURE                             115
+
+#ifdef  __cplusplus
+}
+#endif
+#endif
diff --git a/src/lib/libcrypto/engine/hw_atalla.c b/src/lib/libcrypto/engine/hw_atalla.c
index 3bb992a193..696cfcf156 100644
--- a/src/lib/libcrypto/engine/hw_atalla.c
+++ b/src/lib/libcrypto/engine/hw_atalla.c
@@ -3,7 +3,7 @@
  * project 2000.
  */
 /* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2001 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -60,11 +60,10 @@
 #include <openssl/crypto.h>
 #include "cryptlib.h"
 #include <openssl/dso.h>
-#include "engine_int.h"
 #include <openssl/engine.h>
 
-#ifndef NO_HW
-#ifndef NO_HW_ATALLA
+#ifndef OPENSSL_NO_HW
+#ifndef OPENSSL_NO_HW_ATALLA
 
 #ifdef FLAT_INC
 #include "atalla.h"
@@ -72,19 +71,27 @@
 #include "vendor_defns/atalla.h"
 #endif
 
-static int atalla_init(void);
-static int atalla_finish(void);
+#define ATALLA_LIB_NAME "atalla engine"
+#include "hw_atalla_err.c"
+
+static int atalla_destroy(ENGINE *e);
+static int atalla_init(ENGINE *e);
+static int atalla_finish(ENGINE *e);
+static int atalla_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)());
 
 /* BIGNUM stuff */
-static int atalla_mod_exp(BIGNUM *r, BIGNUM *a, const BIGNUM *p,
+static int atalla_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
                 const BIGNUM *m, BN_CTX *ctx);
 
+#ifndef OPENSSL_NO_RSA
 /* RSA stuff */
-static int atalla_rsa_mod_exp(BIGNUM *r0, BIGNUM *I, RSA *rsa);
+static int atalla_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa);
+#endif
 /* This function is aliased to mod_exp (with the mont stuff dropped). */
-static int atalla_mod_exp_mont(BIGNUM *r, BIGNUM *a, const BIGNUM *p,
+static int atalla_mod_exp_mont(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
                 const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
 
+#ifndef OPENSSL_NO_DSA
 /* DSA stuff */
 static int atalla_dsa_mod_exp(DSA *dsa, BIGNUM *rr, BIGNUM *a1,
                 BIGNUM *p1, BIGNUM *a2, BIGNUM *p2, BIGNUM *m,
@@ -92,13 +99,27 @@ static int atalla_dsa_mod_exp(DSA *dsa, BIGNUM *rr, BIGNUM *a1,
 static int atalla_mod_exp_dsa(DSA *dsa, BIGNUM *r, BIGNUM *a,
                 const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx,
                 BN_MONT_CTX *m_ctx);
+#endif
 
+#ifndef OPENSSL_NO_DH
 /* DH stuff */
 /* This function is alised to mod_exp (with the DH and mont dropped). */
-static int atalla_mod_exp_dh(DH *dh, BIGNUM *r, BIGNUM *a, const BIGNUM *p,
+static int atalla_mod_exp_dh(const DH *dh, BIGNUM *r,
+                const BIGNUM *a, const BIGNUM *p,
                 const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
+#endif
 
+/* The definitions for control commands specific to this engine */
+#define ATALLA_CMD_SO_PATH              ENGINE_CMD_BASE
+static const ENGINE_CMD_DEFN atalla_cmd_defns[] = {
+        {ATALLA_CMD_SO_PATH,
+                "SO_PATH",
+                "Specifies the path to the 'atasi' shared library",
+                ENGINE_CMD_FLAG_STRING},
+        {0, NULL, NULL, 0}
+        };
 
+#ifndef OPENSSL_NO_RSA
 /* Our internal RSA_METHOD that we provide pointers to */
 static RSA_METHOD atalla_rsa =
         {
@@ -116,7 +137,9 @@ static RSA_METHOD atalla_rsa =
         NULL,
         NULL
         };
+#endif
 
+#ifndef OPENSSL_NO_DSA
 /* Our internal DSA_METHOD that we provide pointers to */
 static DSA_METHOD atalla_dsa =
         {
@@ -131,7 +154,9 @@ static DSA_METHOD atalla_dsa =
         0, /* flags */
         NULL /* app_data */
         };
+#endif
 
+#ifndef OPENSSL_NO_DH
 /* Our internal DH_METHOD that we provide pointers to */
 static DH_METHOD atalla_dh =
         {
@@ -144,36 +169,44 @@ static DH_METHOD atalla_dh =
         0,
         NULL
         };
+#endif
 
-/* Our ENGINE structure. */
-static ENGINE engine_atalla =
-        {
-        "atalla",
-        "Atalla hardware engine support",
-        &atalla_rsa,
-        &atalla_dsa,
-        &atalla_dh,
-        NULL,
-        atalla_mod_exp,
-        NULL,
-        atalla_init,
-        atalla_finish,
-        NULL, /* no ctrl() */
-        NULL, /* no load_privkey() */
-        NULL, /* no load_pubkey() */
-        0, /* no flags */
-        0, 0, /* no references */
-        NULL, NULL /* unlinked */
-        };
-
-/* As this is only ever called once, there's no need for locking
- * (indeed - the lock will already be held by our caller!!!) */
-ENGINE *ENGINE_atalla()
+/* Constants used when creating the ENGINE */
+static const char *engine_atalla_id = "atalla";
+static const char *engine_atalla_name = "Atalla hardware engine support";
+
+/* This internal function is used by ENGINE_atalla() and possibly by the
+ * "dynamic" ENGINE support too */
+static int bind_helper(ENGINE *e)
         {
-        RSA_METHOD *meth1;
-        DSA_METHOD *meth2;
-        DH_METHOD *meth3;
+#ifndef OPENSSL_NO_RSA
+        const RSA_METHOD *meth1;
+#endif
+#ifndef OPENSSL_NO_DSA
+        const DSA_METHOD *meth2;
+#endif
+#ifndef OPENSSL_NO_DH
+        const DH_METHOD *meth3;
+#endif
+        if(!ENGINE_set_id(e, engine_atalla_id) ||
+                        !ENGINE_set_name(e, engine_atalla_name) ||
+#ifndef OPENSSL_NO_RSA
+                        !ENGINE_set_RSA(e, &atalla_rsa) ||
+#endif
+#ifndef OPENSSL_NO_DSA
+                        !ENGINE_set_DSA(e, &atalla_dsa) ||
+#endif
+#ifndef OPENSSL_NO_DH
+                        !ENGINE_set_DH(e, &atalla_dh) ||
+#endif
+                        !ENGINE_set_destroy_function(e, atalla_destroy) ||
+                        !ENGINE_set_init_function(e, atalla_init) ||
+                        !ENGINE_set_finish_function(e, atalla_finish) ||
+                        !ENGINE_set_ctrl_function(e, atalla_ctrl) ||
+                        !ENGINE_set_cmd_defns(e, atalla_cmd_defns))
+                return 0;
 
+#ifndef OPENSSL_NO_RSA
         /* We know that the "PKCS1_SSLeay()" functions hook properly
          * to the atalla-specific mod_exp and mod_exp_crt so we use
          * those functions. NB: We don't use ENGINE_openssl() or
@@ -186,19 +219,50 @@ ENGINE *ENGINE_atalla()
         atalla_rsa.rsa_pub_dec = meth1->rsa_pub_dec;
         atalla_rsa.rsa_priv_enc = meth1->rsa_priv_enc;
         atalla_rsa.rsa_priv_dec = meth1->rsa_priv_dec;
+#endif
 
+#ifndef OPENSSL_NO_DSA
         /* Use the DSA_OpenSSL() method and just hook the mod_exp-ish
          * bits. */
         meth2 = DSA_OpenSSL();
         atalla_dsa.dsa_do_sign = meth2->dsa_do_sign;
         atalla_dsa.dsa_sign_setup = meth2->dsa_sign_setup;
         atalla_dsa.dsa_do_verify = meth2->dsa_do_verify;
+#endif
 
+#ifndef OPENSSL_NO_DH
         /* Much the same for Diffie-Hellman */
         meth3 = DH_OpenSSL();
         atalla_dh.generate_key = meth3->generate_key;
         atalla_dh.compute_key = meth3->compute_key;
-        return &engine_atalla;
+#endif
+
+        /* Ensure the atalla error handling is set up */
+        ERR_load_ATALLA_strings();
+        return 1;
+        }
+
+static ENGINE *engine_atalla(void)
+        {
+        ENGINE *ret = ENGINE_new();
+        if(!ret)
+                return NULL;
+        if(!bind_helper(ret))
+                {
+                ENGINE_free(ret);
+                return NULL;
+                }
+        return ret;
+        }
+
+void ENGINE_load_atalla(void)
+        {
+        /* Copied from eng_[openssl|dyn].c */
+        ENGINE *toadd = engine_atalla();
+        if(!toadd) return;
+        ENGINE_add(toadd);
+        ENGINE_free(toadd);
+        ERR_clear_error();
         }
 
 /* This is a process-global DSO handle used for loading and unloading
@@ -214,8 +278,32 @@ static tfnASI_GetHardwareConfig *p_Atalla_GetHardwareConfig = NULL;
 static tfnASI_RSAPrivateKeyOpFn *p_Atalla_RSAPrivateKeyOpFn = NULL;
 static tfnASI_GetPerformanceStatistics *p_Atalla_GetPerformanceStatistics = NULL;
 
+/* These are the static string constants for the DSO file name and the function
+ * symbol names to bind to. Regrettably, the DSO name on *nix appears to be
+ * "atasi.so" rather than something more consistent like "libatasi.so". At the
+ * time of writing, I'm not sure what the file name on win32 is but clearly
+ * native name translation is not possible (eg libatasi.so on *nix, and
+ * atasi.dll on win32). For the purposes of testing, I have created a symbollic
+ * link called "libatasi.so" so that we can use native name-translation - a
+ * better solution will be needed. */
+static const char def_ATALLA_LIBNAME[] = "atasi";
+static const char *ATALLA_LIBNAME = def_ATALLA_LIBNAME;
+static const char *ATALLA_F1 = "ASI_GetHardwareConfig";
+static const char *ATALLA_F2 = "ASI_RSAPrivateKeyOpFn";
+static const char *ATALLA_F3 = "ASI_GetPerformanceStatistics";
+
+/* Destructor (complements the "ENGINE_atalla()" constructor) */
+static int atalla_destroy(ENGINE *e)
+        {
+        /* Unload the atalla error strings so any error state including our
+         * functs or reasons won't lead to a segfault (they simply get displayed
+         * without corresponding string data because none will be found). */
+        ERR_unload_ATALLA_strings();
+        return 1;
+        }
+
 /* (de)initialisation functions. */
-static int atalla_init()
+static int atalla_init(ENGINE *e)
         {
         tfnASI_GetHardwareConfig *p1;
         tfnASI_RSAPrivateKeyOpFn *p2;
@@ -226,7 +314,7 @@ static int atalla_init()
 
         if(atalla_dso != NULL)
                 {
-                ENGINEerr(ENGINE_F_ATALLA_INIT,ENGINE_R_ALREADY_LOADED);
+                ATALLAerr(ATALLA_F_ATALLA_INIT,ATALLA_R_ALREADY_LOADED);
                 goto err;
                 }
         /* Attempt to load libatasi.so/atasi.dll/whatever. Needs to be
@@ -236,11 +324,10 @@ static int atalla_init()
          * drivers really use - for now a symbollic link needs to be
          * created on the host system from libatasi.so to atasi.so on
          * unix variants. */
-        atalla_dso = DSO_load(NULL, ATALLA_LIBNAME, NULL,
-                DSO_FLAG_NAME_TRANSLATION);
+        atalla_dso = DSO_load(NULL, ATALLA_LIBNAME, NULL, 0);
         if(atalla_dso == NULL)
                 {
-                ENGINEerr(ENGINE_F_ATALLA_INIT,ENGINE_R_DSO_FAILURE);
+                ATALLAerr(ATALLA_F_ATALLA_INIT,ATALLA_R_NOT_LOADED);
                 goto err;
                 }
         if(!(p1 = (tfnASI_GetHardwareConfig *)DSO_bind_func(
@@ -250,7 +337,7 @@ static int atalla_init()
                         !(p3 = (tfnASI_GetPerformanceStatistics *)DSO_bind_func(
                                 atalla_dso, ATALLA_F3)))
                 {
-                ENGINEerr(ENGINE_F_ATALLA_INIT,ENGINE_R_DSO_FAILURE);
+                ATALLAerr(ATALLA_F_ATALLA_INIT,ATALLA_R_NOT_LOADED);
                 goto err;
                 }
         /* Copy the pointers */
@@ -261,7 +348,7 @@ static int atalla_init()
          * running. */
         if(p1(0L, config_buf) != 0)
                 {
-                ENGINEerr(ENGINE_F_ATALLA_INIT,ENGINE_R_UNIT_FAILURE);
+                ATALLAerr(ATALLA_F_ATALLA_INIT,ATALLA_R_UNIT_FAILURE);
                 goto err;
                 }
         /* Everything's fine. */
@@ -275,16 +362,16 @@ err:
         return 0;
         }
 
-static int atalla_finish()
+static int atalla_finish(ENGINE *e)
         {
         if(atalla_dso == NULL)
                 {
-                ENGINEerr(ENGINE_F_ATALLA_FINISH,ENGINE_R_NOT_LOADED);
+                ATALLAerr(ATALLA_F_ATALLA_FINISH,ATALLA_R_NOT_LOADED);
                 return 0;
                 }
         if(!DSO_free(atalla_dso))
                 {
-                ENGINEerr(ENGINE_F_ATALLA_FINISH,ENGINE_R_DSO_FAILURE);
+                ATALLAerr(ATALLA_F_ATALLA_FINISH,ATALLA_R_UNIT_FAILURE);
                 return 0;
                 }
         atalla_dso = NULL;
@@ -294,7 +381,32 @@ static int atalla_finish()
         return 1;
         }
 
-static int atalla_mod_exp(BIGNUM *r, BIGNUM *a, const BIGNUM *p,
+static int atalla_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)())
+        {
+        int initialised = ((atalla_dso == NULL) ? 0 : 1);
+        switch(cmd)
+                {
+        case ATALLA_CMD_SO_PATH:
+                if(p == NULL)
+                        {
+                        ATALLAerr(ATALLA_F_ATALLA_CTRL,ERR_R_PASSED_NULL_PARAMETER);
+                        return 0;
+                        }
+                if(initialised)
+                        {
+                        ATALLAerr(ATALLA_F_ATALLA_CTRL,ATALLA_R_ALREADY_LOADED);
+                        return 0;
+                        }
+                ATALLA_LIBNAME = (const char *)p;
+                return 1;
+        default:
+                break;
+                }
+        ATALLAerr(ATALLA_F_ATALLA_CTRL,ATALLA_R_CTRL_COMMAND_NOT_IMPLEMENTED);
+        return 0;
+        }
+
+static int atalla_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
                         const BIGNUM *m, BN_CTX *ctx)
         {
         /* I need somewhere to store temporary serialised values for
@@ -313,26 +425,27 @@ static int atalla_mod_exp(BIGNUM *r, BIGNUM *a, const BIGNUM *p,
         to_return = 0; /* expect failure */
 
         if(!atalla_dso)
-        {
-                ENGINEerr(ENGINE_F_ATALLA_MOD_EXP,ENGINE_R_NOT_LOADED);
+                {
+                ATALLAerr(ATALLA_F_ATALLA_MOD_EXP,ATALLA_R_NOT_LOADED);
                 goto err;
-        }
+                }
         /* Prepare the params */
+        BN_CTX_start(ctx);
         modulus = BN_CTX_get(ctx);
         exponent = BN_CTX_get(ctx);
         argument = BN_CTX_get(ctx);
         result = BN_CTX_get(ctx);
-        if(!modulus || !exponent || !argument || !result)
-        {
-                ENGINEerr(ENGINE_F_ATALLA_MOD_EXP,ENGINE_R_BN_CTX_FULL);
+        if (!result)
+                {
+                ATALLAerr(ATALLA_F_ATALLA_MOD_EXP,ATALLA_R_BN_CTX_FULL);
                 goto err;
-        }
+                }
         if(!bn_wexpand(modulus, m->top) || !bn_wexpand(exponent, m->top) ||
            !bn_wexpand(argument, m->top) || !bn_wexpand(result, m->top))
-        {
-                ENGINEerr(ENGINE_F_ATALLA_MOD_EXP,ENGINE_R_BN_EXPAND_FAIL);
+                {
+                ATALLAerr(ATALLA_F_ATALLA_MOD_EXP,ATALLA_R_BN_EXPAND_FAIL);
                 goto err;
-        }
+                }
         /* Prepare the key-data */
         memset(&keydata, 0,sizeof keydata);
         numbytes = BN_num_bytes(m);
@@ -352,36 +465,34 @@ static int atalla_mod_exp(BIGNUM *r, BIGNUM *a, const BIGNUM *p,
         if(p_Atalla_RSAPrivateKeyOpFn(&keydata, (unsigned char *)result->d,
                         (unsigned char *)argument->d,
                         keydata.modulus.len) != 0)
-        {
-                ENGINEerr(ENGINE_F_ATALLA_MOD_EXP,ENGINE_R_REQUEST_FAILED);
+                {
+                ATALLAerr(ATALLA_F_ATALLA_MOD_EXP,ATALLA_R_REQUEST_FAILED);
                 goto err;
-        }
+                }
         /* Convert the response */
         BN_bin2bn((unsigned char *)result->d, numbytes, r);
         to_return = 1;
 err:
-        if(modulus) ctx->tos--;
-        if(exponent) ctx->tos--;
-        if(argument) ctx->tos--;
-        if(result) ctx->tos--;
+        BN_CTX_end(ctx);
         return to_return;
         }
 
-static int atalla_rsa_mod_exp(BIGNUM *r0, BIGNUM *I, RSA *rsa)
+#ifndef OPENSSL_NO_RSA
+static int atalla_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa)
         {
         BN_CTX *ctx = NULL;
         int to_return = 0;
 
         if(!atalla_dso)
-        {
-                ENGINEerr(ENGINE_F_ATALLA_RSA_MOD_EXP,ENGINE_R_NOT_LOADED);
+                {
+                ATALLAerr(ATALLA_F_ATALLA_RSA_MOD_EXP,ATALLA_R_NOT_LOADED);
                 goto err;
-        }
+                }
         if((ctx = BN_CTX_new()) == NULL)
                 goto err;
         if(!rsa->d || !rsa->n)
                 {
-                ENGINEerr(ENGINE_F_ATALLA_RSA_MOD_EXP,ENGINE_R_MISSING_KEY_COMPONENTS);
+                ATALLAerr(ATALLA_F_ATALLA_RSA_MOD_EXP,ATALLA_R_MISSING_KEY_COMPONENTS);
                 goto err;
                 }
         to_return = atalla_mod_exp(r0, I, rsa->d, rsa->n, ctx);
@@ -390,7 +501,9 @@ err:
                 BN_CTX_free(ctx);
         return to_return;
         }
+#endif
 
+#ifndef OPENSSL_NO_DSA
 /* This code was liberated and adapted from the commented-out code in
  * dsa_ossl.c. Because of the unoptimised form of the Atalla acceleration
  * (it doesn't have a CRT form for RSA), this function means that an
@@ -418,27 +531,45 @@ end:
         return to_return;
         }
 
-
 static int atalla_mod_exp_dsa(DSA *dsa, BIGNUM *r, BIGNUM *a,
                 const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx,
                 BN_MONT_CTX *m_ctx)
         {
         return atalla_mod_exp(r, a, p, m, ctx);
         }
+#endif
 
 /* This function is aliased to mod_exp (with the mont stuff dropped). */
-static int atalla_mod_exp_mont(BIGNUM *r, BIGNUM *a, const BIGNUM *p,
+static int atalla_mod_exp_mont(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
                 const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx)
         {
         return atalla_mod_exp(r, a, p, m, ctx);
         }
 
+#ifndef OPENSSL_NO_DH
 /* This function is aliased to mod_exp (with the dh and mont dropped). */
-static int atalla_mod_exp_dh(DH *dh, BIGNUM *r, BIGNUM *a, const BIGNUM *p,
+static int atalla_mod_exp_dh(const DH *dh, BIGNUM *r,
+                const BIGNUM *a, const BIGNUM *p,
                 const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx)
         {
         return atalla_mod_exp(r, a, p, m, ctx);
         }
+#endif
+
+/* This stuff is needed if this ENGINE is being compiled into a self-contained
+ * shared-library. */
+#ifdef ENGINE_DYNAMIC_SUPPORT
+static int bind_fn(ENGINE *e, const char *id)
+        {
+        if(id && (strcmp(id, engine_atalla_id) != 0))
+                return 0;
+        if(!bind_helper(e))
+                return 0;
+        return 1;
+        }
+IMPLEMENT_DYNAMIC_CHECK_FN()
+IMPLEMENT_DYNAMIC_BIND_FN(bind_fn)
+#endif /* ENGINE_DYNAMIC_SUPPORT */
 
-#endif /* !NO_HW_ATALLA */
-#endif /* !NO_HW */
+#endif /* !OPENSSL_NO_HW_ATALLA */
+#endif /* !OPENSSL_NO_HW */
diff --git a/src/lib/libcrypto/engine/hw_atalla_err.c b/src/lib/libcrypto/engine/hw_atalla_err.c
new file mode 100644
index 0000000000..1df9c4570c
--- /dev/null
+++ b/src/lib/libcrypto/engine/hw_atalla_err.c
@@ -0,0 +1,145 @@
+/* hw_atalla_err.c */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/* NOTE: this file was auto generated by the mkerr.pl script: any changes
+ * made to it will be overwritten when the script next updates this file,
+ * only reason strings will be preserved.
+ */
+
+#include <stdio.h>
+#include <openssl/err.h>
+#include "hw_atalla_err.h"
+
+/* BEGIN ERROR CODES */
+#ifndef OPENSSL_NO_ERR
+static ERR_STRING_DATA ATALLA_str_functs[]=
+        {
+{ERR_PACK(0,ATALLA_F_ATALLA_CTRL,0),    "ATALLA_CTRL"},
+{ERR_PACK(0,ATALLA_F_ATALLA_FINISH,0),  "ATALLA_FINISH"},
+{ERR_PACK(0,ATALLA_F_ATALLA_INIT,0),    "ATALLA_INIT"},
+{ERR_PACK(0,ATALLA_F_ATALLA_MOD_EXP,0), "ATALLA_MOD_EXP"},
+{ERR_PACK(0,ATALLA_F_ATALLA_RSA_MOD_EXP,0),     "ATALLA_RSA_MOD_EXP"},
+{0,NULL}
+        };
+
+static ERR_STRING_DATA ATALLA_str_reasons[]=
+        {
+{ATALLA_R_ALREADY_LOADED                 ,"already loaded"},
+{ATALLA_R_BN_CTX_FULL                    ,"bn ctx full"},
+{ATALLA_R_BN_EXPAND_FAIL                 ,"bn expand fail"},
+{ATALLA_R_CTRL_COMMAND_NOT_IMPLEMENTED   ,"ctrl command not implemented"},
+{ATALLA_R_MISSING_KEY_COMPONENTS         ,"missing key components"},
+{ATALLA_R_NOT_LOADED                     ,"not loaded"},
+{ATALLA_R_REQUEST_FAILED                 ,"request failed"},
+{ATALLA_R_UNIT_FAILURE                   ,"unit failure"},
+{0,NULL}
+        };
+
+#endif
+
+#ifdef ATALLA_LIB_NAME
+static ERR_STRING_DATA ATALLA_lib_name[]=
+        {
+{0      ,ATALLA_LIB_NAME},
+{0,NULL}
+        };
+#endif
+
+
+static int ATALLA_lib_error_code=0;
+static int ATALLA_error_init=1;
+
+static void ERR_load_ATALLA_strings(void)
+        {
+        if (ATALLA_lib_error_code == 0)
+                ATALLA_lib_error_code=ERR_get_next_error_library();
+
+        if (ATALLA_error_init)
+                {
+                ATALLA_error_init=0;
+#ifndef OPENSSL_NO_ERR
+                ERR_load_strings(ATALLA_lib_error_code,ATALLA_str_functs);
+                ERR_load_strings(ATALLA_lib_error_code,ATALLA_str_reasons);
+#endif
+
+#ifdef ATALLA_LIB_NAME
+                ATALLA_lib_name->error = ERR_PACK(ATALLA_lib_error_code,0,0);
+                ERR_load_strings(0,ATALLA_lib_name);
+#endif
+                }
+        }
+
+static void ERR_unload_ATALLA_strings(void)
+        {
+        if (ATALLA_error_init == 0)
+                {
+#ifndef OPENSSL_NO_ERR
+                ERR_unload_strings(ATALLA_lib_error_code,ATALLA_str_functs);
+                ERR_unload_strings(ATALLA_lib_error_code,ATALLA_str_reasons);
+#endif
+
+#ifdef ATALLA_LIB_NAME
+                ERR_unload_strings(0,ATALLA_lib_name);
+#endif
+                ATALLA_error_init=1;
+                }
+        }
+
+static void ERR_ATALLA_error(int function, int reason, char *file, int line)
+        {
+        if (ATALLA_lib_error_code == 0)
+                ATALLA_lib_error_code=ERR_get_next_error_library();
+        ERR_PUT_error(ATALLA_lib_error_code,function,reason,file,line);
+        }
diff --git a/src/lib/libcrypto/engine/hw_atalla_err.h b/src/lib/libcrypto/engine/hw_atalla_err.h
new file mode 100644
index 0000000000..cdac052d8c
--- /dev/null
+++ b/src/lib/libcrypto/engine/hw_atalla_err.h
@@ -0,0 +1,89 @@
+/* ====================================================================
+ * Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#ifndef HEADER_ATALLA_ERR_H
+#define HEADER_ATALLA_ERR_H
+
+/* BEGIN ERROR CODES */
+/* The following lines are auto generated by the script mkerr.pl. Any changes
+ * made after this point may be overwritten when the script is next run.
+ */
+static void ERR_load_ATALLA_strings(void);
+static void ERR_unload_ATALLA_strings(void);
+static void ERR_ATALLA_error(int function, int reason, char *file, int line);
+#define ATALLAerr(f,r) ERR_ATALLA_error((f),(r),__FILE__,__LINE__)
+
+/* Error codes for the ATALLA functions. */
+
+/* Function codes. */
+#define ATALLA_F_ATALLA_CTRL                             100
+#define ATALLA_F_ATALLA_FINISH                           101
+#define ATALLA_F_ATALLA_INIT                             102
+#define ATALLA_F_ATALLA_MOD_EXP                          103
+#define ATALLA_F_ATALLA_RSA_MOD_EXP                      104
+
+/* Reason codes. */
+#define ATALLA_R_ALREADY_LOADED                          100
+#define ATALLA_R_BN_CTX_FULL                             101
+#define ATALLA_R_BN_EXPAND_FAIL                          102
+#define ATALLA_R_CTRL_COMMAND_NOT_IMPLEMENTED            103
+#define ATALLA_R_MISSING_KEY_COMPONENTS                  104
+#define ATALLA_R_NOT_LOADED                              105
+#define ATALLA_R_REQUEST_FAILED                          106
+#define ATALLA_R_UNIT_FAILURE                            107
+
+#ifdef  __cplusplus
+}
+#endif
+#endif
diff --git a/src/lib/libcrypto/engine/hw_cryptodev.c b/src/lib/libcrypto/engine/hw_cryptodev.c
new file mode 100644
index 0000000000..7c3728f395
--- /dev/null
+++ b/src/lib/libcrypto/engine/hw_cryptodev.c
@@ -0,0 +1,926 @@
+/*
+ * Copyright (c) 2002 Bob Beck <beck@openbsd.org>
+ * Copyright (c) 2002 Theo de Raadt
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the author nor the names of contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY
+ * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#include <sys/types.h>
+#include <sys/param.h>
+#include <crypto/cryptodev.h>
+#include <sys/ioctl.h>
+#include <errno.h>
+#include <stdio.h>
+#include <unistd.h>
+#include <fcntl.h>
+#include <syslog.h>
+#include <stdarg.h>
+#include <ssl/objects.h>
+#include <ssl/engine.h>
+#include <ssl/evp.h>
+
+static int cryptodev_fd = -1;
+static int cryptodev_sessions = 0;
+static u_int32_t cryptodev_symfeat = 0;
+
+static int bn2crparam(const BIGNUM *a, struct crparam *crp);
+static int crparam2bn(struct crparam *crp, BIGNUM *a);
+static void zapparams(struct crypt_kop *kop);
+
+static int cryptodev_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa);
+static int cryptodev_bn_mod_exp(BIGNUM *r, const BIGNUM *a,
+    const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
+static int cryptodev_dsa_bn_mod_exp(DSA *dsa, BIGNUM *r, BIGNUM *a,
+    const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
+static DSA_SIG *cryptodev_dsa_do_sign(const unsigned char *dgst,
+    int dlen, DSA *dsa);
+static int cryptodev_dsa_verify(const unsigned char *dgst, int dgst_len,
+    DSA_SIG *sig, DSA *dsa);
+static int cryptodev_mod_exp_dh(const DH *dh, BIGNUM *r, const BIGNUM *a,
+    const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx,
+    BN_MONT_CTX *m_ctx);
+static int cryptodev_dh_compute_key(unsigned char *key,
+    const BIGNUM *pub_key, DH *dh);
+
+static const ENGINE_CMD_DEFN cryptodev_defns[] = {
+        { 0, NULL, NULL, 0 }
+};
+
+static struct {
+        int     id;
+        int     nid;
+        int     ivmax;
+        int     keylen;
+} ciphers[] = {
+        { CRYPTO_DES_CBC,               NID_des_cbc,            8,       8, },
+        { CRYPTO_3DES_CBC,              NID_des_ede3_cbc,       8,      24, },
+        { CRYPTO_AES_CBC,               NID_undef,              8,      24, },
+        { CRYPTO_BLF_CBC,               NID_bf_cbc,             8,      16, },
+        { CRYPTO_CAST_CBC,              NID_cast5_cbc,          8,       8, },
+        { CRYPTO_SKIPJACK_CBC,          NID_undef,              0,       0, },
+        { CRYPTO_ARC4,                  NID_rc4,                8,      16, },
+        { 0,                            NID_undef,              0,       0, },
+};
+
+static struct {
+        int     id;
+        int     nid;
+} digests[] = {
+        { CRYPTO_SHA1_HMAC,             NID_hmacWithSHA1,       },
+        { CRYPTO_RIPEMD160_HMAC,        NID_ripemd160,          },
+        { CRYPTO_MD5_KPDK,              NID_undef,              },
+        { CRYPTO_SHA1_KPDK,             NID_undef,              },
+        { CRYPTO_MD5,                   NID_md5,                },
+        { CRYPTO_SHA1,                  NID_undef,              },
+        { 0,                            NID_undef,              },
+};
+
+/*
+ * Return 1 if /dev/crypto seems usable, 0 otherwise , also
+ * does most of the work of initting the device, if not already
+ * done.. This should leave is with global fd initialized with CRIOGET.
+ */
+static int
+check_dev_crypto()
+{
+        int fd;
+
+        if (cryptodev_fd == -1) {
+                if ((fd = open("/dev/crypto", O_RDWR, 0)) == -1)
+                        return (0);
+                if (ioctl(fd, CRIOGET, &cryptodev_fd) == -1) {
+                        close(fd);
+                        return (0);
+                }
+                close(fd);
+                /* close on exec */
+                if (fcntl(cryptodev_fd, F_SETFD, 1) == -1) {
+                        close(cryptodev_fd);
+                        cryptodev_fd = -1;
+                        return (0);
+                }
+        }
+        ioctl(cryptodev_fd, CIOCSYMFEAT, &cryptodev_symfeat);
+
+        return (1);
+}
+
+/*
+ * XXXX this needs to be set for each alg - and determined from
+ * a running card.
+ */
+static int
+cryptodev_max_iv(int cipher)
+{
+        int i;
+
+        for (i = 0; ciphers[i].id; i++)
+                if (ciphers[i].id == cipher)
+                        return (ciphers[i].ivmax);
+        return (0);
+}
+
+/*
+ * XXXX this needs to be set for each alg - and determined from
+ * a running card. For now, fake it out - but most of these
+ * for real devices should return 1 for the supported key
+ * sizes the device can handle.
+ */
+static int
+cryptodev_key_length_valid(int cipher, int len)
+{
+        int i;
+
+        for (i = 0; ciphers[i].id; i++)
+                if (ciphers[i].id == cipher)
+                        return (ciphers[i].keylen == len);
+        return (0);
+}
+
+/* convert libcrypto nids to cryptodev */
+static int
+cipher_nid_to_cryptodev(int nid)
+{
+        int i;
+
+        for (i = 0; ciphers[i].id; i++)
+                if (ciphers[i].nid == nid)
+                        return (ciphers[i].id);
+        return (0);
+}
+
+/*
+ * Find out what ciphers /dev/crypto will let us have a session for.
+ * XXX note, that some of these openssl doesn't deal with yet!
+ * returning them here is harmless, as long as we return NULL
+ * when asked for a handler in the cryptodev_engine_ciphers routine
+ */
+static int
+get_cryptodev_ciphers(const int **cnids)
+{
+        static int nids[CRYPTO_ALGORITHM_MAX];
+        struct session_op sess;
+        int i, count = 0;
+
+        memset(&sess, 0, sizeof(sess));
+        sess.key = (caddr_t)"123456781234567812345678";
+
+        for (i = 0; ciphers[i].id && count < CRYPTO_ALGORITHM_MAX; i++) {
+                if (ciphers[i].nid == NID_undef)
+                        continue;
+                sess.cipher = ciphers[i].id;
+                sess.keylen = ciphers[i].keylen;
+                sess.mac = 0;
+                if (ioctl(cryptodev_fd, CIOCGSESSION, &sess) != -1 &&
+                    ioctl(cryptodev_fd, CIOCFSESSION, &sess.ses) != -1)
+                        nids[count++] = ciphers[i].nid;
+        }
+        if (count > 0)
+                *cnids = nids;
+        else
+                *cnids = NULL;
+        return (count);
+}
+
+/*
+ * Find out what digests /dev/crypto will let us have a session for.
+ * XXX note, that some of these openssl doesn't deal with yet!
+ * returning them here is harmless, as long as we return NULL
+ * when asked for a handler in the cryptodev_engine_digests routine
+ */
+static int
+get_cryptodev_digests(const int **cnids)
+{
+        static int nids[CRYPTO_ALGORITHM_MAX];
+        struct session_op sess;
+        int i, count = 0;
+
+        memset(&sess, 0, sizeof(sess));
+        for (i = 0; digests[i].id && count < CRYPTO_ALGORITHM_MAX; i++) {
+                if (digests[i].nid == NID_undef)
+                        continue;
+                sess.mac = digests[i].id;
+                sess.cipher = 0;
+                if (ioctl(cryptodev_fd, CIOCGSESSION, &sess) != -1 &&
+                    ioctl(cryptodev_fd, CIOCFSESSION, &sess.ses) != -1)
+                        nids[count++] = digests[i].nid;
+        }
+        if (count > 0)
+                *cnids = nids;
+        else
+                *cnids = NULL;
+        return (count);
+}
+
+/*
+ * Find the useable ciphers|digests from dev/crypto - this is the first
+ * thing called by the engine init crud which determines what it
+ * can use for ciphers from this engine. We want to return
+ * only what we can do, anythine else is handled by software.
+ *
+ * If we can't initialize the device to do anything useful for
+ * any reason, we want to return a NULL array, and 0 length,
+ * which forces everything to be done is software. By putting
+ * the initalization of the device in here, we ensure we can
+ * use this engine as the default, and if for whatever reason
+ * /dev/crypto won't do what we want it will just be done in
+ * software
+ *
+ * This can (should) be greatly expanded to perhaps take into
+ * account speed of the device, and what we want to do.
+ * (although the disabling of particular alg's could be controlled
+ * by the device driver with sysctl's.) - this is where we
+ * want most of the decisions made about what we actually want
+ * to use from /dev/crypto.
+ */
+int
+cryptodev_usable_ciphers(const int **nids)
+{
+        if (!check_dev_crypto()) {
+                *nids = NULL;
+                return (0);
+        }
+
+        /* find what the device can do. Unfortunately, we don't
+         * necessarily want all of these yet, because we aren't
+         * yet set up to do them
+         */
+        return (get_cryptodev_ciphers(nids));
+}
+
+int
+cryptodev_usable_digests(const int **nids)
+{
+#if 1
+        /*
+         * XXXX just disable all digests for now, because it sucks.
+         * we need a better way to decide this - i.e. I may not
+         * want digests on slow cards like hifn on fast machines,
+         * but might want them on slow or loaded machines, etc.
+         * will also want them when using crypto cards that don't
+         * suck moose gonads - would be nice to be able to decide something
+         * as reasonable default without having hackery that's card dependent.
+         * of course, the default should probably be just do everything,
+         * with perhaps a sysctl to turn algoritms off (or have them off
+         * by default) on cards that generally suck like the hifn.
+         */
+        *nids = NULL;
+        return (0);
+#endif
+
+        if (!check_dev_crypto()) {
+                *nids = NULL;
+                return (0);
+        }
+        return (get_cryptodev_digests(nids));
+}
+
+
+int
+cryptodev_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+    const unsigned char *in, unsigned int inl)
+{
+        struct crypt_op cryp;
+        struct session_op *sess = ctx->cipher_data;
+        void *iiv;
+        unsigned char save_iv[EVP_MAX_IV_LENGTH];
+        struct syslog_data sd = SYSLOG_DATA_INIT;
+
+        if (cryptodev_fd == -1)
+                return (0);
+        if (sess == NULL)
+                return (0);
+        if (!inl)
+                return (1);
+        if ((inl % ctx->cipher->block_size) != 0)
+                return (0);
+
+        memset(&cryp, 0, sizeof(cryp));
+
+        cryp.ses = sess->ses;
+        cryp.flags = 0;
+        cryp.len = inl;
+        cryp.src = (caddr_t) in;
+        cryp.dst = (caddr_t) out;
+        cryp.mac = 0;
+
+        cryp.op = ctx->encrypt ? COP_ENCRYPT : COP_DECRYPT;
+
+        if (ctx->cipher->iv_len) {
+                cryp.iv = (caddr_t) ctx->iv;
+                if (!ctx->encrypt) {
+                        iiv = (void *) in + inl - ctx->cipher->iv_len;
+                        memcpy(save_iv, iiv, ctx->cipher->iv_len);
+                }
+        } else
+                cryp.iv = NULL;
+
+        if (ioctl(cryptodev_fd, CIOCCRYPT, &cryp) == -1) {
+                /* XXX need better errror handling
+                 * this can fail for a number of different reasons.
+                 */
+                syslog_r(LOG_ERR, &sd, "CIOCCRYPT failed (%m)");
+                return (0);
+        }
+
+        if (ctx->cipher->iv_len) {
+                if (ctx->encrypt)
+                        iiv = (void *) out + inl - ctx->cipher->iv_len;
+                else
+                        iiv = save_iv;
+                memcpy(ctx->iv, iiv, ctx->cipher->iv_len);
+        }
+        return (1);
+}
+
+int
+cryptodev_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
+    const unsigned char *iv, int enc)
+{
+        struct session_op *sess = ctx->cipher_data;
+        struct syslog_data sd = SYSLOG_DATA_INIT;
+        int cipher;
+
+        if ((cipher = cipher_nid_to_cryptodev(ctx->cipher->nid)) == NID_undef)
+                return (0);
+
+        if (!check_dev_crypto())
+                return (0);
+
+        if (ctx->cipher->iv_len > cryptodev_max_iv(cipher))
+                return (0);
+
+        if (!cryptodev_key_length_valid(cipher, ctx->key_len))
+                return (0);
+
+        memset(sess, 0, sizeof(struct session_op));
+
+        sess->key = (unsigned char *)key;
+        sess->keylen = ctx->key_len;
+        sess->cipher = cipher;
+
+        if (ioctl(cryptodev_fd, CIOCGSESSION, sess) == -1) {
+                syslog_r(LOG_ERR, &sd, "CIOCGSESSION failed (%m)");
+                return (0);
+        }
+        cryptodev_sessions++;
+        return (1);
+}
+
+/*
+ * free anything we allocated earlier when initting a
+ * session, and close the session.
+ */
+int
+cryptodev_cleanup(EVP_CIPHER_CTX *ctx)
+{
+        int ret = 0;
+        struct session_op *sess = ctx->cipher_data;
+        struct syslog_data sd = SYSLOG_DATA_INIT;
+
+        if (sess == NULL)
+                return (0);
+
+        /* XXX if this ioctl fails, someting's wrong. the invoker
+         * may have called us with a bogus ctx, or we could
+         * have a device that for whatever reason just doesn't
+         * want to play ball - it's not clear what's right
+         * here - should this be an error? should it just
+         * increase a counter, hmm. For right now, we return
+         * 0 - I don't believe that to be "right". we could
+         * call the gorpy openssl lib error handlers that
+         * print messages to users of the library. hmm..
+         */
+
+        if (ioctl(cryptodev_fd, CIOCFSESSION, &sess->ses) == -1) {
+                syslog_r(LOG_ERR, &sd, "CIOCFSESSION failed (%m)");
+                ret = 0;
+        } else {
+                cryptodev_sessions--;
+                ret = 1;
+        }
+        if (cryptodev_sessions == 0 && cryptodev_fd != -1 ) {
+                close(cryptodev_fd); /* XXX should this be closed? */
+                cryptodev_fd = -1;
+        }
+        return (ret);
+}
+
+/*
+ * libcrypto EVP stuff - this is how we get wired to EVP so the engine
+ * gets called when libcrypto requests a cipher NID.
+ */
+
+/* ARC4 (16 byte key) */
+const EVP_CIPHER cryptodev_arc4_cipher = {
+        NID_rc4,
+        1, 16, 0,
+        EVP_CIPH_VARIABLE_LENGTH,
+        cryptodev_init_key,
+        cryptodev_cipher,
+        cryptodev_cleanup,
+        sizeof(struct session_op),
+        NULL,
+        NULL,
+        NULL
+};
+
+/* DES CBC EVP */
+const EVP_CIPHER cryptodev_des_cbc = {
+        NID_des_cbc,
+        8, 8, 8,
+        EVP_CIPH_CBC_MODE,
+        cryptodev_init_key,
+        cryptodev_cipher,
+        cryptodev_cleanup,
+        sizeof(struct session_op),
+        EVP_CIPHER_set_asn1_iv,
+        EVP_CIPHER_get_asn1_iv,
+        NULL
+};
+
+/* 3DES CBC EVP */
+const EVP_CIPHER cryptodev_3des_cbc = {
+        NID_des_ede3_cbc,
+        8, 24, 8,
+        EVP_CIPH_CBC_MODE,
+        cryptodev_init_key,
+        cryptodev_cipher,
+        cryptodev_cleanup,
+        sizeof(struct session_op),
+        EVP_CIPHER_set_asn1_iv,
+        EVP_CIPHER_get_asn1_iv,
+        NULL
+};
+
+
+/*
+ * Registered by the ENGINE when used to find out how to deal with
+ * a particular NID in the ENGINE. this says what we'll do at the
+ * top level - note, that list is restricted by what we answer with
+ */
+int
+cryptodev_engine_ciphers(ENGINE *e, const EVP_CIPHER **cipher,
+    const int **nids, int nid)
+{
+        if (!cipher)
+                return (cryptodev_usable_ciphers(nids));
+
+        switch (nid) {
+        case NID_rc4:
+                *cipher = &cryptodev_arc4_cipher;
+                break;
+        case NID_des_ede3_cbc:
+                *cipher = &cryptodev_3des_cbc;
+                break;
+        case NID_des_cbc:
+                *cipher = &cryptodev_des_cbc;
+                break;
+        default:
+                *cipher = NULL;
+                break;
+        }
+        return (*cipher != NULL);
+}
+
+int
+cryptodev_engine_digests(ENGINE *e, const EVP_MD **digest,
+    const int **nids, int nid)
+{
+        if (!digest)
+                return (cryptodev_usable_digests(nids));
+
+        switch (nid) {
+        case NID_md5:
+                *digest = NULL; /* need to make a clean md5 critter */
+                break;
+        default:
+                *digest = NULL;
+                break;
+        }
+        return (*digest != NULL);
+}
+
+
+/*
+ * Convert a BIGNUM to the representation that /dev/crypto needs.
+ * Upon completion of use, the caller is responsible for freeing
+ * crp->crp_p.
+ */
+static int
+bn2crparam(const BIGNUM *a, struct crparam *crp)
+{
+        int i, j, n;
+        ssize_t words, bytes, bits;
+        u_char *b;
+
+        crp->crp_p = NULL;
+        crp->crp_nbits = 0;
+
+        bits = BN_num_bits(a);
+        bytes = (bits + 7) / 8;
+
+        b = malloc(bytes);
+        if (b == NULL)
+                return (1);
+
+        crp->crp_p = b;
+        crp->crp_nbits = bits;
+
+        words = (bits + BN_BITS2 - 1) / BN_BITS2;
+
+        n = 0;
+        for (i = 0; i < words && n < bytes; i++) {
+                BN_ULONG word;
+
+                word = a->d[i];
+                for (j = 0 ; j < BN_BYTES && n < bytes; j++, n++) {
+                        *b++ = (word & 0xff);
+                        word >>= 8;
+                }
+        }
+        return (0);
+}
+
+/* Convert a /dev/crypto parameter to a BIGNUM */
+static int
+crparam2bn(struct crparam *crp, BIGNUM *a)
+{
+        int i, bytes;
+
+        bytes = (crp->crp_nbits + 7)/8;
+
+        BN_zero(a);
+        for (i = bytes - 1; i >= 0; i--) {
+                BN_lshift(a, a, 8);
+                BN_add_word(a, (u_char)crp->crp_p[i]);
+        }
+
+        return (0);
+}
+
+static void
+zapparams(struct crypt_kop *kop)
+{
+        int i;
+
+        for (i = 0; i <= kop->crk_iparams + kop->crk_oparams; i++) {
+                if (kop->crk_param[i].crp_p)
+                        free(kop->crk_param[i].crp_p);
+                kop->crk_param[i].crp_p = NULL;
+                kop->crk_param[i].crp_nbits = 0;
+        }
+}
+
+static int
+cryptodev_sym(struct crypt_kop *kop, BIGNUM *r, BIGNUM *s)
+{
+        int ret = -1;
+
+        if (r) {
+                kop->crk_param[kop->crk_iparams].crp_p = malloc(256);
+                kop->crk_param[kop->crk_iparams].crp_nbits = 256 * 8;
+                kop->crk_oparams++;
+        }
+        if (s) {
+                kop->crk_param[kop->crk_iparams+1].crp_p = malloc(256);
+                kop->crk_param[kop->crk_iparams+1].crp_nbits = 256 * 8;
+                kop->crk_oparams++;
+        }
+
+        if (ioctl(cryptodev_fd, CIOCKEY, &kop) == 0) {
+                crparam2bn(&kop->crk_param[3], r);
+                ret = 0;
+        }
+        return (ret);
+}
+
+static int
+cryptodev_bn_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+    const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *in_mont)
+{
+        struct crypt_kop kop;
+        int ret = 0;
+
+        memset(&kop, 0, sizeof kop);
+        kop.crk_op = CRK_MOD_EXP;
+
+        /* inputs: a m p */
+        if (bn2crparam(a, &kop.crk_param[0]))
+                goto err;
+        if (bn2crparam(m, &kop.crk_param[1]))
+                goto err;
+        if (bn2crparam(p, &kop.crk_param[2]))
+                goto err;
+        kop.crk_iparams = 3;
+
+        if (cryptodev_sym(&kop, r, NULL) == -1) {
+                ret = BN_mod_exp(r, a, p, m, ctx);
+        }
+err:
+        zapparams(&kop);
+        return (ret);
+}
+
+
+static int
+cryptodev_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa)
+{
+        struct crypt_kop kop;
+        int ret = 0;
+
+        if (!rsa->p || !rsa->q || !rsa->dmp1 || !rsa->dmq1 || !rsa->iqmp) {
+                /* XXX 0 means failure?? */
+                goto err;
+        }
+
+        memset(&kop, 0, sizeof kop);
+        kop.crk_op = CRK_MOD_EXP_CRT;
+        /* inputs: rsa->p rsa->q I rsa->dmp1 rsa->dmq1 rsa->iqmp */
+        if (bn2crparam(rsa->p, &kop.crk_param[0]))
+                goto err;
+        if (bn2crparam(rsa->q, &kop.crk_param[1]))
+                goto err;
+        if (bn2crparam(I, &kop.crk_param[2]))
+                goto err;
+        if (bn2crparam(rsa->dmp1, &kop.crk_param[3]))
+                goto err;
+        if (bn2crparam(rsa->dmq1, &kop.crk_param[4]))
+                goto err;
+        if (bn2crparam(rsa->iqmp, &kop.crk_param[5]))
+                goto err;
+        kop.crk_iparams = 6;
+
+        if (cryptodev_sym(&kop, r0, NULL) == -1) {
+                const RSA_METHOD *meth = RSA_PKCS1_SSLeay();
+
+                ret = (*meth->rsa_mod_exp)(r0, I, rsa);
+        }
+err:
+        zapparams(&kop);
+        return (ret);
+}
+
+static RSA_METHOD cryptodev_rsa = {
+        "cryptodev RSA method",
+        NULL,                           /* rsa_pub_enc */
+        NULL,                           /* rsa_pub_dec */
+        NULL,                           /* rsa_priv_enc */
+        NULL,                           /* rsa_priv_dec */
+        cryptodev_rsa_mod_exp,          /* rsa_mod_exp */
+        cryptodev_bn_mod_exp,           /* bn_mod_exp */
+        NULL,                           /* init */
+        NULL,                           /* finish */
+        0,                              /* flags */
+        NULL,                           /* app_data */
+        NULL,                           /* rsa_sign */
+        NULL                            /* rsa_verify */
+};
+
+static int
+cryptodev_dsa_bn_mod_exp(DSA *dsa, BIGNUM *r, BIGNUM *a, const BIGNUM *p,
+    const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx)
+{
+        return (cryptodev_bn_mod_exp(r, a, p, m, ctx, m_ctx));
+}
+
+static DSA_SIG *
+cryptodev_dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
+{
+        struct crypt_kop kop;
+        BIGNUM *r = NULL, *s = NULL;
+        DSA_SIG *dsaret = NULL;
+
+        if ((r = BN_new()) == NULL)
+                goto err;
+        if ((s = BN_new()) == NULL) {
+                BN_free(r);
+                goto err;
+        }
+
+        memset(&kop, 0, sizeof kop);
+        kop.crk_op = CRK_DSA_SIGN;
+
+        /* inputs: dgst dsa->p dsa->q dsa->g dsa->priv_key */
+        kop.crk_param[0].crp_p = (caddr_t)dgst;
+        kop.crk_param[0].crp_nbits = dlen * 8;
+        if (bn2crparam(dsa->p, &kop.crk_param[1]))
+                goto err;
+        if (bn2crparam(dsa->q, &kop.crk_param[2]))
+                goto err;
+        if (bn2crparam(dsa->g, &kop.crk_param[3]))
+                goto err;
+        if (bn2crparam(dsa->priv_key, &kop.crk_param[4]))
+                goto err;
+        kop.crk_iparams = 5;
+
+        if (cryptodev_sym(&kop, r, s) == 0) {
+                dsaret = DSA_SIG_new();
+                dsaret->r = r;
+                dsaret->s = s;
+        } else {
+                const DSA_METHOD *meth = DSA_OpenSSL();
+
+                BN_free(r);
+                BN_free(s);
+                dsaret = (meth->dsa_do_sign)(dgst, dlen, dsa);
+        }
+err:
+        kop.crk_param[0].crp_p = NULL;
+        zapparams(&kop);
+        return (dsaret);
+}
+
+static int
+cryptodev_dsa_verify(const unsigned char *dgst, int dlen,
+    DSA_SIG *sig, DSA *dsa)
+{
+        struct crypt_kop kop;
+        int dsaret = 0;
+
+        memset(&kop, 0, sizeof kop);
+        kop.crk_op = CRK_DSA_VERIFY;
+
+        /* inputs: dgst dsa->p dsa->q dsa->g dsa->pub_key sig->r sig->s */
+        kop.crk_param[0].crp_p = (caddr_t)dgst;
+        kop.crk_param[0].crp_nbits = dlen * 8;
+        if (bn2crparam(dsa->p, &kop.crk_param[1]))
+                goto err;
+        if (bn2crparam(dsa->q, &kop.crk_param[2]))
+                goto err;
+        if (bn2crparam(dsa->g, &kop.crk_param[3]))
+                goto err;
+        if (bn2crparam(dsa->pub_key, &kop.crk_param[4]))
+                goto err;
+        if (bn2crparam(sig->r, &kop.crk_param[5]))
+                goto err;
+        if (bn2crparam(sig->s, &kop.crk_param[6]))
+                goto err;
+        kop.crk_iparams = 7;
+
+        if (cryptodev_sym(&kop, NULL, NULL) == 0) {
+                dsaret = kop.crk_status;
+        } else {
+                const DSA_METHOD *meth = DSA_OpenSSL();
+
+                dsaret = (meth->dsa_do_verify)(dgst, dlen, sig, dsa);
+        }
+err:
+        kop.crk_param[0].crp_p = NULL;
+        zapparams(&kop);
+        return (dsaret);
+}
+
+static DSA_METHOD cryptodev_dsa = {
+        "cryptodev DSA method",
+        cryptodev_dsa_do_sign,
+        NULL,                           /* dsa_sign_setup */
+        cryptodev_dsa_verify,
+        NULL,                           /* dsa_mod_exp */
+        cryptodev_dsa_bn_mod_exp,       /* bn_mod_exp */
+        NULL,                           /* init */
+        NULL,                           /* finish */
+        0,      /* flags */
+        NULL    /* app_data */
+};
+
+static int
+cryptodev_mod_exp_dh(const DH *dh, BIGNUM *r, const BIGNUM *a,
+    const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx,
+    BN_MONT_CTX *m_ctx)
+{
+        return (cryptodev_bn_mod_exp(r, a, p, m, ctx, m_ctx));
+}
+
+static int
+cryptodev_dh_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
+{
+        struct crypt_kop kop;
+        int dhret = 0;
+        int keylen;
+
+        keylen = BN_num_bits(dh->p);
+
+        memset(&kop, 0, sizeof kop);
+        kop.crk_op = CRK_DH_COMPUTE_KEY;
+
+        /* inputs: dh->priv_key pub_key dh->p key */
+        if (bn2crparam(dh->priv_key, &kop.crk_param[0]))
+                goto err;
+        if (bn2crparam(pub_key, &kop.crk_param[1]))
+                goto err;
+        if (bn2crparam(dh->p, &kop.crk_param[2]))
+                goto err;
+        kop.crk_iparams = 3;
+
+        kop.crk_param[3].crp_p = key;
+        kop.crk_param[3].crp_nbits = keylen * 8;
+        kop.crk_oparams = 1;
+
+        if (ioctl(cryptodev_fd, CIOCKEY, &kop) == -1) {
+                const DH_METHOD *meth = DH_OpenSSL();
+
+                dhret = (meth->compute_key)(key, pub_key, dh);
+        }
+err:
+        kop.crk_param[3].crp_p = NULL;
+        zapparams(&kop);
+        return (dhret);
+}
+
+static DH_METHOD cryptodev_dh = {
+        "cryptodev DH method",
+        NULL,                           /* cryptodev_dh_generate_key */
+        cryptodev_dh_compute_key,
+        cryptodev_mod_exp_dh,
+        NULL,
+        NULL,
+        0,      /* flags */
+        NULL    /* app_data */
+};
+
+/*
+ * ctrl right now is just a wrapper that doesn't do much
+ * but I expect we'll want some options soon.
+ */
+static int
+cryptodev_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)())
+{
+        struct syslog_data sd = SYSLOG_DATA_INIT;
+
+        switch (cmd) {
+        default:
+                syslog_r(LOG_ERR, &sd,
+                    "cryptodev_ctrl: unknown command %d", cmd);
+                break;
+        }
+        return (1);
+}
+
+void
+ENGINE_load_cryptodev(void)
+{
+        ENGINE *engine = ENGINE_new();
+        const RSA_METHOD *rsa_meth;
+        const DH_METHOD *dh_meth;
+
+        if (engine == NULL)
+                return;
+
+        if (!ENGINE_set_id(engine, "cryptodev") ||
+            !ENGINE_set_name(engine, "OpenBSD cryptodev engine") ||
+            !ENGINE_set_ciphers(engine, cryptodev_engine_ciphers) ||
+            !ENGINE_set_digests(engine, cryptodev_engine_digests) ||
+            !ENGINE_set_ctrl_function(engine, cryptodev_ctrl) ||
+            !ENGINE_set_cmd_defns(engine, cryptodev_defns)) {
+                ENGINE_free(engine);
+                return;
+        }
+
+        if ((cryptodev_symfeat & CRSFEAT_RSA) &&
+            ENGINE_set_RSA(engine, &cryptodev_rsa)) {
+                rsa_meth = RSA_PKCS1_SSLeay();
+                cryptodev_rsa.rsa_pub_enc = rsa_meth->rsa_pub_enc;
+                cryptodev_rsa.rsa_pub_dec = rsa_meth->rsa_pub_dec;
+                cryptodev_rsa.rsa_priv_enc = rsa_meth->rsa_priv_dec;
+                cryptodev_rsa.rsa_priv_dec = rsa_meth->rsa_priv_dec;
+        }
+
+        if ((cryptodev_symfeat & CRSFEAT_DSA) &&
+            ENGINE_set_DSA(engine, &cryptodev_dsa)) {
+        }
+
+        if ((cryptodev_symfeat & CRSFEAT_DH) &&
+            ENGINE_set_DH(engine, &cryptodev_dh)) {
+                dh_meth = DH_OpenSSL();
+                cryptodev_dh.generate_key = dh_meth->generate_key;
+                cryptodev_dh.compute_key = dh_meth->compute_key;
+        }
+
+        ENGINE_add(engine);
+        ENGINE_free(engine);
+        ERR_clear_error();
+}
diff --git a/src/lib/libcrypto/engine/hw_cswift.c b/src/lib/libcrypto/engine/hw_cswift.c
index 77608b8983..d8b380550f 100644
--- a/src/lib/libcrypto/engine/hw_cswift.c
+++ b/src/lib/libcrypto/engine/hw_cswift.c
@@ -3,7 +3,7 @@
  * project 2000.
  */
 /* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2001 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -60,11 +60,10 @@
 #include <openssl/crypto.h>
 #include "cryptlib.h"
 #include <openssl/dso.h>
-#include "engine_int.h"
 #include <openssl/engine.h>
 
-#ifndef NO_HW
-#ifndef NO_HW_CSWIFT
+#ifndef OPENSSL_NO_HW
+#ifndef OPENSSL_NO_HW_CSWIFT
 
 /* Attribution notice: Rainbow have generously allowed me to reproduce
  * the necessary definitions here from their API. This means the support
@@ -84,33 +83,55 @@
 #include "vendor_defns/cswift.h"
 #endif
 
-static int cswift_init(void);
-static int cswift_finish(void);
+#define CSWIFT_LIB_NAME "cswift engine"
+#include "hw_cswift_err.c"
+
+static int cswift_destroy(ENGINE *e);
+static int cswift_init(ENGINE *e);
+static int cswift_finish(ENGINE *e);
+static int cswift_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)());
 
 /* BIGNUM stuff */
-static int cswift_mod_exp(BIGNUM *r, BIGNUM *a, const BIGNUM *p,
+static int cswift_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
                 const BIGNUM *m, BN_CTX *ctx);
-static int cswift_mod_exp_crt(BIGNUM *r, BIGNUM *a, const BIGNUM *p,
+static int cswift_mod_exp_crt(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
                 const BIGNUM *q, const BIGNUM *dmp1, const BIGNUM *dmq1,
                 const BIGNUM *iqmp, BN_CTX *ctx);
 
+#ifndef OPENSSL_NO_RSA
 /* RSA stuff */
-static int cswift_rsa_mod_exp(BIGNUM *r0, BIGNUM *I, RSA *rsa);
+static int cswift_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa);
+#endif
 /* This function is aliased to mod_exp (with the mont stuff dropped). */
-static int cswift_mod_exp_mont(BIGNUM *r, BIGNUM *a, const BIGNUM *p,
+static int cswift_mod_exp_mont(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
                 const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
 
+#ifndef OPENSSL_NO_DSA
 /* DSA stuff */
 static DSA_SIG *cswift_dsa_sign(const unsigned char *dgst, int dlen, DSA *dsa);
 static int cswift_dsa_verify(const unsigned char *dgst, int dgst_len,
                                 DSA_SIG *sig, DSA *dsa);
+#endif
 
+#ifndef OPENSSL_NO_DH
 /* DH stuff */
 /* This function is alised to mod_exp (with the DH and mont dropped). */
-static int cswift_mod_exp_dh(DH *dh, BIGNUM *r, BIGNUM *a, const BIGNUM *p,
+static int cswift_mod_exp_dh(const DH *dh, BIGNUM *r,
+                const BIGNUM *a, const BIGNUM *p,
                 const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
+#endif
 
+/* The definitions for control commands specific to this engine */
+#define CSWIFT_CMD_SO_PATH              ENGINE_CMD_BASE
+static const ENGINE_CMD_DEFN cswift_cmd_defns[] = {
+        {CSWIFT_CMD_SO_PATH,
+                "SO_PATH",
+                "Specifies the path to the 'cswift' shared library",
+                ENGINE_CMD_FLAG_STRING},
+        {0, NULL, NULL, 0}
+        };
 
+#ifndef OPENSSL_NO_RSA
 /* Our internal RSA_METHOD that we provide pointers to */
 static RSA_METHOD cswift_rsa =
         {
@@ -128,7 +149,9 @@ static RSA_METHOD cswift_rsa =
         NULL,
         NULL
         };
+#endif
 
+#ifndef OPENSSL_NO_DSA
 /* Our internal DSA_METHOD that we provide pointers to */
 static DSA_METHOD cswift_dsa =
         {
@@ -143,7 +166,9 @@ static DSA_METHOD cswift_dsa =
         0, /* flags */
         NULL /* app_data */
         };
+#endif
 
+#ifndef OPENSSL_NO_DH
 /* Our internal DH_METHOD that we provide pointers to */
 static DH_METHOD cswift_dh =
         {
@@ -156,35 +181,41 @@ static DH_METHOD cswift_dh =
         0,
         NULL
         };
+#endif
 
-/* Our ENGINE structure. */
-static ENGINE engine_cswift =
-        {
-        "cswift",
-        "CryptoSwift hardware engine support",
-        &cswift_rsa,
-        &cswift_dsa,
-        &cswift_dh,
-        NULL,
-        cswift_mod_exp,
-        cswift_mod_exp_crt,
-        cswift_init,
-        cswift_finish,
-        NULL, /* no ctrl() */
-        NULL, /* no load_privkey() */
-        NULL, /* no load_pubkey() */
-        0, /* no flags */
-        0, 0, /* no references */
-        NULL, NULL /* unlinked */
-        };
-
-/* As this is only ever called once, there's no need for locking
- * (indeed - the lock will already be held by our caller!!!) */
-ENGINE *ENGINE_cswift()
+/* Constants used when creating the ENGINE */
+static const char *engine_cswift_id = "cswift";
+static const char *engine_cswift_name = "CryptoSwift hardware engine support";
+
+/* This internal function is used by ENGINE_cswift() and possibly by the
+ * "dynamic" ENGINE support too */
+static int bind_helper(ENGINE *e)
         {
-        RSA_METHOD *meth1;
-        DH_METHOD *meth2;
+#ifndef OPENSSL_NO_RSA
+        const RSA_METHOD *meth1;
+#endif
+#ifndef OPENSSL_NO_DH
+        const DH_METHOD *meth2;
+#endif
+        if(!ENGINE_set_id(e, engine_cswift_id) ||
+                        !ENGINE_set_name(e, engine_cswift_name) ||
+#ifndef OPENSSL_NO_RSA
+                        !ENGINE_set_RSA(e, &cswift_rsa) ||
+#endif
+#ifndef OPENSSL_NO_DSA
+                        !ENGINE_set_DSA(e, &cswift_dsa) ||
+#endif
+#ifndef OPENSSL_NO_DH
+                        !ENGINE_set_DH(e, &cswift_dh) ||
+#endif
+                        !ENGINE_set_destroy_function(e, cswift_destroy) ||
+                        !ENGINE_set_init_function(e, cswift_init) ||
+                        !ENGINE_set_finish_function(e, cswift_finish) ||
+                        !ENGINE_set_ctrl_function(e, cswift_ctrl) ||
+                        !ENGINE_set_cmd_defns(e, cswift_cmd_defns))
+                return 0;
 
+#ifndef OPENSSL_NO_RSA
         /* We know that the "PKCS1_SSLeay()" functions hook properly
          * to the cswift-specific mod_exp and mod_exp_crt so we use
          * those functions. NB: We don't use ENGINE_openssl() or
@@ -197,12 +228,41 @@ ENGINE *ENGINE_cswift()
         cswift_rsa.rsa_pub_dec = meth1->rsa_pub_dec;
         cswift_rsa.rsa_priv_enc = meth1->rsa_priv_enc;
         cswift_rsa.rsa_priv_dec = meth1->rsa_priv_dec;
+#endif
 
+#ifndef OPENSSL_NO_DH
         /* Much the same for Diffie-Hellman */
         meth2 = DH_OpenSSL();
         cswift_dh.generate_key = meth2->generate_key;
         cswift_dh.compute_key = meth2->compute_key;
-        return &engine_cswift;
+#endif
+
+        /* Ensure the cswift error handling is set up */
+        ERR_load_CSWIFT_strings();
+        return 1;
+        }
+
+static ENGINE *engine_cswift(void)
+        {
+        ENGINE *ret = ENGINE_new();
+        if(!ret)
+                return NULL;
+        if(!bind_helper(ret))
+                {
+                ENGINE_free(ret);
+                return NULL;
+                }
+        return ret;
+        }
+
+void ENGINE_load_cswift(void)
+        {
+        /* Copied from eng_[openssl|dyn].c */
+        ENGINE *toadd = engine_cswift();
+        if(!toadd) return;
+        ENGINE_add(toadd);
+        ENGINE_free(toadd);
+        ERR_clear_error();
         }
 
 /* This is a process-global DSO handle used for loading and unloading
@@ -220,7 +280,8 @@ t_swSimpleRequest *p_CSwift_SimpleRequest = NULL;
 t_swReleaseAccContext *p_CSwift_ReleaseAccContext = NULL;
 
 /* Used in the DSO operations. */
-static const char *CSWIFT_LIBNAME = "swift";
+static const char def_CSWIFT_LIBNAME[] = "swift";
+static const char *CSWIFT_LIBNAME = def_CSWIFT_LIBNAME;
 static const char *CSWIFT_F1 = "swAcquireAccContext";
 static const char *CSWIFT_F2 = "swAttachKeyParam";
 static const char *CSWIFT_F3 = "swSimpleRequest";
@@ -249,8 +310,15 @@ static void release_context(SW_CONTEXT_HANDLE hac)
         p_CSwift_ReleaseAccContext(hac);
         }
 
+/* Destructor (complements the "ENGINE_cswift()" constructor) */
+static int cswift_destroy(ENGINE *e)
+        {
+        ERR_unload_CSWIFT_strings();
+        return 1;
+        }
+
 /* (de)initialisation functions. */
-static int cswift_init()
+static int cswift_init(ENGINE *e)
         {
         SW_CONTEXT_HANDLE hac;
         t_swAcquireAccContext *p1;
@@ -260,15 +328,14 @@ static int cswift_init()
 
         if(cswift_dso != NULL)
                 {
-                ENGINEerr(ENGINE_F_CSWIFT_INIT,ENGINE_R_ALREADY_LOADED);
+                CSWIFTerr(CSWIFT_F_CSWIFT_INIT,CSWIFT_R_ALREADY_LOADED);
                 goto err;
                 }
         /* Attempt to load libswift.so/swift.dll/whatever. */
-        cswift_dso = DSO_load(NULL, CSWIFT_LIBNAME, NULL,
-                DSO_FLAG_NAME_TRANSLATION);
+        cswift_dso = DSO_load(NULL, CSWIFT_LIBNAME, NULL, 0);
         if(cswift_dso == NULL)
                 {
-                ENGINEerr(ENGINE_F_CSWIFT_INIT,ENGINE_R_DSO_FAILURE);
+                CSWIFTerr(CSWIFT_F_CSWIFT_INIT,CSWIFT_R_NOT_LOADED);
                 goto err;
                 }
         if(!(p1 = (t_swAcquireAccContext *)
@@ -280,7 +347,7 @@ static int cswift_init()
                         !(p4 = (t_swReleaseAccContext *)
                                 DSO_bind_func(cswift_dso, CSWIFT_F4)))
                 {
-                ENGINEerr(ENGINE_F_CSWIFT_INIT,ENGINE_R_DSO_FAILURE);
+                CSWIFTerr(CSWIFT_F_CSWIFT_INIT,CSWIFT_R_NOT_LOADED);
                 goto err;
                 }
         /* Copy the pointers */
@@ -292,7 +359,7 @@ static int cswift_init()
          * accelerator! */
         if(!get_context(&hac))
                 {
-                ENGINEerr(ENGINE_F_CSWIFT_INIT,ENGINE_R_UNIT_FAILURE);
+                CSWIFTerr(CSWIFT_F_CSWIFT_INIT,CSWIFT_R_UNIT_FAILURE);
                 goto err;
                 }
         release_context(hac);
@@ -308,16 +375,16 @@ err:
         return 0;
         }
 
-static int cswift_finish()
+static int cswift_finish(ENGINE *e)
         {
         if(cswift_dso == NULL)
                 {
-                ENGINEerr(ENGINE_F_CSWIFT_FINISH,ENGINE_R_NOT_LOADED);
+                CSWIFTerr(CSWIFT_F_CSWIFT_FINISH,CSWIFT_R_NOT_LOADED);
                 return 0;
                 }
         if(!DSO_free(cswift_dso))
                 {
-                ENGINEerr(ENGINE_F_CSWIFT_FINISH,ENGINE_R_DSO_FAILURE);
+                CSWIFTerr(CSWIFT_F_CSWIFT_FINISH,CSWIFT_R_UNIT_FAILURE);
                 return 0;
                 }
         cswift_dso = NULL;
@@ -328,8 +395,33 @@ static int cswift_finish()
         return 1;
         }
 
+static int cswift_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)())
+        {
+        int initialised = ((cswift_dso == NULL) ? 0 : 1);
+        switch(cmd)
+                {
+        case CSWIFT_CMD_SO_PATH:
+                if(p == NULL)
+                        {
+                        CSWIFTerr(CSWIFT_F_CSWIFT_CTRL,ERR_R_PASSED_NULL_PARAMETER);
+                        return 0;
+                        }
+                if(initialised)
+                        {
+                        CSWIFTerr(CSWIFT_F_CSWIFT_CTRL,CSWIFT_R_ALREADY_LOADED);
+                        return 0;
+                        }
+                CSWIFT_LIBNAME = (const char *)p;
+                return 1;
+        default:
+                break;
+                }
+        CSWIFTerr(CSWIFT_F_CSWIFT_CTRL,CSWIFT_R_CTRL_COMMAND_NOT_IMPLEMENTED);
+        return 0;
+        }
+
 /* Un petit mod_exp */
-static int cswift_mod_exp(BIGNUM *r, BIGNUM *a, const BIGNUM *p,
+static int cswift_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
                         const BIGNUM *m, BN_CTX *ctx)
         {
         /* I need somewhere to store temporary serialised values for
@@ -353,24 +445,25 @@ static int cswift_mod_exp(BIGNUM *r, BIGNUM *a, const BIGNUM *p,
  
         if(!get_context(&hac))
                 {
-                ENGINEerr(ENGINE_F_CSWIFT_MOD_EXP,ENGINE_R_GET_HANDLE_FAILED);
+                CSWIFTerr(CSWIFT_F_CSWIFT_MOD_EXP,CSWIFT_R_UNIT_FAILURE);
                 goto err;
                 }
         acquired = 1;
         /* Prepare the params */
+        BN_CTX_start(ctx);
         modulus = BN_CTX_get(ctx);
         exponent = BN_CTX_get(ctx);
         argument = BN_CTX_get(ctx);
         result = BN_CTX_get(ctx);
-        if(!modulus || !exponent || !argument || !result)
+        if(!result)
                 {
-                ENGINEerr(ENGINE_F_CSWIFT_MOD_EXP,ENGINE_R_BN_CTX_FULL);
+                CSWIFTerr(CSWIFT_F_CSWIFT_MOD_EXP,CSWIFT_R_BN_CTX_FULL);
                 goto err;
                 }
         if(!bn_wexpand(modulus, m->top) || !bn_wexpand(exponent, p->top) ||
                 !bn_wexpand(argument, a->top) || !bn_wexpand(result, m->top))
                 {
-                ENGINEerr(ENGINE_F_CSWIFT_MOD_EXP,ENGINE_R_BN_EXPAND_FAIL);
+                CSWIFTerr(CSWIFT_F_CSWIFT_MOD_EXP,CSWIFT_R_BN_EXPAND_FAIL);
                 goto err;
                 }
         sw_param.type = SW_ALG_EXP;
@@ -387,13 +480,12 @@ static int cswift_mod_exp(BIGNUM *r, BIGNUM *a, const BIGNUM *p,
         case SW_OK:
                 break;
         case SW_ERR_INPUT_SIZE:
-                ENGINEerr(ENGINE_F_CSWIFT_MOD_EXP,
-                        ENGINE_R_SIZE_TOO_LARGE_OR_TOO_SMALL);
+                CSWIFTerr(CSWIFT_F_CSWIFT_MOD_EXP,CSWIFT_R_BAD_KEY_SIZE);
                 goto err;
         default:
                 {
                 char tmpbuf[20];
-                ENGINEerr(ENGINE_F_CSWIFT_MOD_EXP,ENGINE_R_REQUEST_FAILED);
+                CSWIFTerr(CSWIFT_F_CSWIFT_MOD_EXP,CSWIFT_R_REQUEST_FAILED);
                 sprintf(tmpbuf, "%ld", sw_status);
                 ERR_add_error_data(2, "CryptoSwift error number is ",tmpbuf);
                 }
@@ -410,7 +502,7 @@ static int cswift_mod_exp(BIGNUM *r, BIGNUM *a, const BIGNUM *p,
                 &res, 1)) != SW_OK)
                 {
                 char tmpbuf[20];
-                ENGINEerr(ENGINE_F_CSWIFT_MOD_EXP,ENGINE_R_REQUEST_FAILED);
+                CSWIFTerr(CSWIFT_F_CSWIFT_MOD_EXP,CSWIFT_R_REQUEST_FAILED);
                 sprintf(tmpbuf, "%ld", sw_status);
                 ERR_add_error_data(2, "CryptoSwift error number is ",tmpbuf);
                 goto err;
@@ -421,15 +513,12 @@ static int cswift_mod_exp(BIGNUM *r, BIGNUM *a, const BIGNUM *p,
 err:
         if(acquired)
                 release_context(hac);
-        if(modulus) ctx->tos--;
-        if(exponent) ctx->tos--;
-        if(argument) ctx->tos--;
-        if(result) ctx->tos--;
+        BN_CTX_end(ctx);
         return to_return;
         }
 
 /* Un petit mod_exp chinois */
-static int cswift_mod_exp_crt(BIGNUM *r, BIGNUM *a, const BIGNUM *p,
+static int cswift_mod_exp_crt(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
                         const BIGNUM *q, const BIGNUM *dmp1,
                         const BIGNUM *dmq1, const BIGNUM *iqmp, BN_CTX *ctx)
         {
@@ -449,11 +538,12 @@ static int cswift_mod_exp_crt(BIGNUM *r, BIGNUM *a, const BIGNUM *p,
  
         if(!get_context(&hac))
                 {
-                ENGINEerr(ENGINE_F_CSWIFT_MOD_EXP_CRT,ENGINE_R_GET_HANDLE_FAILED);
+                CSWIFTerr(CSWIFT_F_CSWIFT_MOD_EXP_CRT,CSWIFT_R_UNIT_FAILURE);
                 goto err;
                 }
         acquired = 1;
         /* Prepare the params */
+        BN_CTX_start(ctx);
         rsa_p = BN_CTX_get(ctx);
         rsa_q = BN_CTX_get(ctx);
         rsa_dmp1 = BN_CTX_get(ctx);
@@ -461,10 +551,9 @@ static int cswift_mod_exp_crt(BIGNUM *r, BIGNUM *a, const BIGNUM *p,
         rsa_iqmp = BN_CTX_get(ctx);
         argument = BN_CTX_get(ctx);
         result = BN_CTX_get(ctx);
-        if(!rsa_p || !rsa_q || !rsa_dmp1 || !rsa_dmq1 || !rsa_iqmp ||
-                        !argument || !result)
+        if(!result)
                 {
-                ENGINEerr(ENGINE_F_CSWIFT_MOD_EXP_CRT,ENGINE_R_BN_CTX_FULL);
+                CSWIFTerr(CSWIFT_F_CSWIFT_MOD_EXP_CRT,CSWIFT_R_BN_CTX_FULL);
                 goto err;
                 }
         if(!bn_wexpand(rsa_p, p->top) || !bn_wexpand(rsa_q, q->top) ||
@@ -474,7 +563,7 @@ static int cswift_mod_exp_crt(BIGNUM *r, BIGNUM *a, const BIGNUM *p,
                         !bn_wexpand(argument, a->top) ||
                         !bn_wexpand(result, p->top + q->top))
                 {
-                ENGINEerr(ENGINE_F_CSWIFT_MOD_EXP_CRT,ENGINE_R_BN_EXPAND_FAIL);
+                CSWIFTerr(CSWIFT_F_CSWIFT_MOD_EXP_CRT,CSWIFT_R_BN_EXPAND_FAIL);
                 goto err;
                 }
         sw_param.type = SW_ALG_CRT;
@@ -498,13 +587,12 @@ static int cswift_mod_exp_crt(BIGNUM *r, BIGNUM *a, const BIGNUM *p,
         case SW_OK:
                 break;
         case SW_ERR_INPUT_SIZE:
-                ENGINEerr(ENGINE_F_CSWIFT_MOD_EXP_CRT,
-                        ENGINE_R_SIZE_TOO_LARGE_OR_TOO_SMALL);
+                CSWIFTerr(CSWIFT_F_CSWIFT_MOD_EXP_CRT,CSWIFT_R_BAD_KEY_SIZE);
                 goto err;
         default:
                 {
                 char tmpbuf[20];
-                ENGINEerr(ENGINE_F_CSWIFT_MOD_EXP_CRT,ENGINE_R_REQUEST_FAILED);
+                CSWIFTerr(CSWIFT_F_CSWIFT_MOD_EXP_CRT,CSWIFT_R_REQUEST_FAILED);
                 sprintf(tmpbuf, "%ld", sw_status);
                 ERR_add_error_data(2, "CryptoSwift error number is ",tmpbuf);
                 }
@@ -521,7 +609,7 @@ static int cswift_mod_exp_crt(BIGNUM *r, BIGNUM *a, const BIGNUM *p,
                 &res, 1)) != SW_OK)
                 {
                 char tmpbuf[20];
-                ENGINEerr(ENGINE_F_CSWIFT_MOD_EXP_CRT,ENGINE_R_REQUEST_FAILED);
+                CSWIFTerr(CSWIFT_F_CSWIFT_MOD_EXP_CRT,CSWIFT_R_REQUEST_FAILED);
                 sprintf(tmpbuf, "%ld", sw_status);
                 ERR_add_error_data(2, "CryptoSwift error number is ",tmpbuf);
                 goto err;
@@ -532,17 +620,12 @@ static int cswift_mod_exp_crt(BIGNUM *r, BIGNUM *a, const BIGNUM *p,
 err:
         if(acquired)
                 release_context(hac);
-        if(rsa_p) ctx->tos--;
-        if(rsa_q) ctx->tos--;
-        if(rsa_dmp1) ctx->tos--;
-        if(rsa_dmq1) ctx->tos--;
-        if(rsa_iqmp) ctx->tos--;
-        if(argument) ctx->tos--;
-        if(result) ctx->tos--;
+        BN_CTX_end(ctx);
         return to_return;
         }
  
-static int cswift_rsa_mod_exp(BIGNUM *r0, BIGNUM *I, RSA *rsa)
+#ifndef OPENSSL_NO_RSA
+static int cswift_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa)
         {
         BN_CTX *ctx;
         int to_return = 0;
@@ -551,7 +634,7 @@ static int cswift_rsa_mod_exp(BIGNUM *r0, BIGNUM *I, RSA *rsa)
                 goto err;
         if(!rsa->p || !rsa->q || !rsa->dmp1 || !rsa->dmq1 || !rsa->iqmp)
                 {
-                ENGINEerr(ENGINE_F_CSWIFT_RSA_MOD_EXP,ENGINE_R_MISSING_KEY_COMPONENTS);
+                CSWIFTerr(CSWIFT_F_CSWIFT_RSA_MOD_EXP,CSWIFT_R_MISSING_KEY_COMPONENTS);
                 goto err;
                 }
         to_return = cswift_mod_exp_crt(r0, I, rsa->p, rsa->q, rsa->dmp1,
@@ -561,14 +644,16 @@ err:
                 BN_CTX_free(ctx);
         return to_return;
         }
+#endif
 
 /* This function is aliased to mod_exp (with the mont stuff dropped). */
-static int cswift_mod_exp_mont(BIGNUM *r, BIGNUM *a, const BIGNUM *p,
+static int cswift_mod_exp_mont(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
                 const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx)
         {
         return cswift_mod_exp(r, a, p, m, ctx);
         }
 
+#ifndef OPENSSL_NO_DSA
 static DSA_SIG *cswift_dsa_sign(const unsigned char *dgst, int dlen, DSA *dsa)
         {
         SW_CONTEXT_HANDLE hac;
@@ -589,19 +674,20 @@ static DSA_SIG *cswift_dsa_sign(const unsigned char *dgst, int dlen, DSA *dsa)
                 goto err;
         if(!get_context(&hac))
                 {
-                ENGINEerr(ENGINE_F_CSWIFT_DSA_SIGN,ENGINE_R_GET_HANDLE_FAILED);
+                CSWIFTerr(CSWIFT_F_CSWIFT_DSA_SIGN,CSWIFT_R_UNIT_FAILURE);
                 goto err;
                 }
         acquired = 1;
         /* Prepare the params */
+        BN_CTX_start(ctx);
         dsa_p = BN_CTX_get(ctx);
         dsa_q = BN_CTX_get(ctx);
         dsa_g = BN_CTX_get(ctx);
         dsa_key = BN_CTX_get(ctx);
         result = BN_CTX_get(ctx);
-        if(!dsa_p || !dsa_q || !dsa_g || !dsa_key || !result)
+        if(!result)
                 {
-                ENGINEerr(ENGINE_F_CSWIFT_DSA_SIGN,ENGINE_R_BN_CTX_FULL);
+                CSWIFTerr(CSWIFT_F_CSWIFT_DSA_SIGN,CSWIFT_R_BN_CTX_FULL);
                 goto err;
                 }
         if(!bn_wexpand(dsa_p, dsa->p->top) ||
@@ -610,7 +696,7 @@ static DSA_SIG *cswift_dsa_sign(const unsigned char *dgst, int dlen, DSA *dsa)
                         !bn_wexpand(dsa_key, dsa->priv_key->top) ||
                         !bn_wexpand(result, dsa->p->top))
                 {
-                ENGINEerr(ENGINE_F_CSWIFT_DSA_SIGN,ENGINE_R_BN_EXPAND_FAIL);
+                CSWIFTerr(CSWIFT_F_CSWIFT_DSA_SIGN,CSWIFT_R_BN_EXPAND_FAIL);
                 goto err;
                 }
         sw_param.type = SW_ALG_DSA;
@@ -633,13 +719,12 @@ static DSA_SIG *cswift_dsa_sign(const unsigned char *dgst, int dlen, DSA *dsa)
         case SW_OK:
                 break;
         case SW_ERR_INPUT_SIZE:
-                ENGINEerr(ENGINE_F_CSWIFT_DSA_SIGN,
-                        ENGINE_R_SIZE_TOO_LARGE_OR_TOO_SMALL);
+                CSWIFTerr(CSWIFT_F_CSWIFT_DSA_SIGN,CSWIFT_R_BAD_KEY_SIZE);
                 goto err;
         default:
                 {
                 char tmpbuf[20];
-                ENGINEerr(ENGINE_F_CSWIFT_DSA_SIGN,ENGINE_R_REQUEST_FAILED);
+                CSWIFTerr(CSWIFT_F_CSWIFT_DSA_SIGN,CSWIFT_R_REQUEST_FAILED);
                 sprintf(tmpbuf, "%ld", sw_status);
                 ERR_add_error_data(2, "CryptoSwift error number is ",tmpbuf);
                 }
@@ -657,7 +742,7 @@ static DSA_SIG *cswift_dsa_sign(const unsigned char *dgst, int dlen, DSA *dsa)
         if(sw_status != SW_OK)
                 {
                 char tmpbuf[20];
-                ENGINEerr(ENGINE_F_CSWIFT_DSA_SIGN,ENGINE_R_REQUEST_FAILED);
+                CSWIFTerr(CSWIFT_F_CSWIFT_DSA_SIGN,CSWIFT_R_REQUEST_FAILED);
                 sprintf(tmpbuf, "%ld", sw_status);
                 ERR_add_error_data(2, "CryptoSwift error number is ",tmpbuf);
                 goto err;
@@ -672,13 +757,11 @@ static DSA_SIG *cswift_dsa_sign(const unsigned char *dgst, int dlen, DSA *dsa)
 err:
         if(acquired)
                 release_context(hac);
-        if(dsa_p) ctx->tos--;
-        if(dsa_q) ctx->tos--;
-        if(dsa_g) ctx->tos--;
-        if(dsa_key) ctx->tos--;
-        if(result) ctx->tos--;
         if(ctx)
+                {
+                BN_CTX_end(ctx);
                 BN_CTX_free(ctx);
+                }
         return to_return;
         }
 
@@ -703,19 +786,20 @@ static int cswift_dsa_verify(const unsigned char *dgst, int dgst_len,
                 goto err;
         if(!get_context(&hac))
                 {
-                ENGINEerr(ENGINE_F_CSWIFT_DSA_VERIFY,ENGINE_R_GET_HANDLE_FAILED);
+                CSWIFTerr(CSWIFT_F_CSWIFT_DSA_VERIFY,CSWIFT_R_UNIT_FAILURE);
                 goto err;
                 }
         acquired = 1;
         /* Prepare the params */
+        BN_CTX_start(ctx);
         dsa_p = BN_CTX_get(ctx);
         dsa_q = BN_CTX_get(ctx);
         dsa_g = BN_CTX_get(ctx);
         dsa_key = BN_CTX_get(ctx);
         argument = BN_CTX_get(ctx);
-        if(!dsa_p || !dsa_q || !dsa_g || !dsa_key || !argument)
+        if(!argument)
                 {
-                ENGINEerr(ENGINE_F_CSWIFT_DSA_VERIFY,ENGINE_R_BN_CTX_FULL);
+                CSWIFTerr(CSWIFT_F_CSWIFT_DSA_VERIFY,CSWIFT_R_BN_CTX_FULL);
                 goto err;
                 }
         if(!bn_wexpand(dsa_p, dsa->p->top) ||
@@ -724,7 +808,7 @@ static int cswift_dsa_verify(const unsigned char *dgst, int dgst_len,
                         !bn_wexpand(dsa_key, dsa->pub_key->top) ||
                         !bn_wexpand(argument, 40))
                 {
-                ENGINEerr(ENGINE_F_CSWIFT_DSA_VERIFY,ENGINE_R_BN_EXPAND_FAIL);
+                CSWIFTerr(CSWIFT_F_CSWIFT_DSA_VERIFY,CSWIFT_R_BN_EXPAND_FAIL);
                 goto err;
                 }
         sw_param.type = SW_ALG_DSA;
@@ -747,13 +831,12 @@ static int cswift_dsa_verify(const unsigned char *dgst, int dgst_len,
         case SW_OK:
                 break;
         case SW_ERR_INPUT_SIZE:
-                ENGINEerr(ENGINE_F_CSWIFT_DSA_VERIFY,
-                        ENGINE_R_SIZE_TOO_LARGE_OR_TOO_SMALL);
+                CSWIFTerr(CSWIFT_F_CSWIFT_DSA_VERIFY,CSWIFT_R_BAD_KEY_SIZE);
                 goto err;
         default:
                 {
                 char tmpbuf[20];
-                ENGINEerr(ENGINE_F_CSWIFT_DSA_VERIFY,ENGINE_R_REQUEST_FAILED);
+                CSWIFTerr(CSWIFT_F_CSWIFT_DSA_VERIFY,CSWIFT_R_REQUEST_FAILED);
                 sprintf(tmpbuf, "%ld", sw_status);
                 ERR_add_error_data(2, "CryptoSwift error number is ",tmpbuf);
                 }
@@ -775,7 +858,7 @@ static int cswift_dsa_verify(const unsigned char *dgst, int dgst_len,
         if(sw_status != SW_OK)
                 {
                 char tmpbuf[20];
-                ENGINEerr(ENGINE_F_CSWIFT_DSA_VERIFY,ENGINE_R_REQUEST_FAILED);
+                CSWIFTerr(CSWIFT_F_CSWIFT_DSA_VERIFY,CSWIFT_R_REQUEST_FAILED);
                 sprintf(tmpbuf, "%ld", sw_status);
                 ERR_add_error_data(2, "CryptoSwift error number is ",tmpbuf);
                 goto err;
@@ -786,22 +869,39 @@ static int cswift_dsa_verify(const unsigned char *dgst, int dgst_len,
 err:
         if(acquired)
                 release_context(hac);
-        if(dsa_p) ctx->tos--;
-        if(dsa_q) ctx->tos--;
-        if(dsa_g) ctx->tos--;
-        if(dsa_key) ctx->tos--;
-        if(argument) ctx->tos--;
         if(ctx)
+                {
+                BN_CTX_end(ctx);
                 BN_CTX_free(ctx);
+                }
         return to_return;
         }
+#endif
 
+#ifndef OPENSSL_NO_DH
 /* This function is aliased to mod_exp (with the dh and mont dropped). */
-static int cswift_mod_exp_dh(DH *dh, BIGNUM *r, BIGNUM *a, const BIGNUM *p,
+static int cswift_mod_exp_dh(const DH *dh, BIGNUM *r,
+                const BIGNUM *a, const BIGNUM *p,
                 const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx)
         {
         return cswift_mod_exp(r, a, p, m, ctx);
         }
+#endif
+
+/* This stuff is needed if this ENGINE is being compiled into a self-contained
+ * shared-library. */
+#ifdef ENGINE_DYNAMIC_SUPPORT
+static int bind_fn(ENGINE *e, const char *id)
+        {
+        if(id && (strcmp(id, engine_cswift_id) != 0))
+                return 0;
+        if(!bind_helper(e))
+                return 0;
+        return 1;
+        }       
+IMPLEMENT_DYNAMIC_CHECK_FN()
+IMPLEMENT_DYNAMIC_BIND_FN(bind_fn)
+#endif /* ENGINE_DYNAMIC_SUPPORT */
 
-#endif /* !NO_HW_CSWIFT */
-#endif /* !NO_HW */
+#endif /* !OPENSSL_NO_HW_CSWIFT */
+#endif /* !OPENSSL_NO_HW */
diff --git a/src/lib/libcrypto/engine/hw_cswift_err.c b/src/lib/libcrypto/engine/hw_cswift_err.c
new file mode 100644
index 0000000000..684f53bf27
--- /dev/null
+++ b/src/lib/libcrypto/engine/hw_cswift_err.c
@@ -0,0 +1,149 @@
+/* hw_cswift_err.c */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/* NOTE: this file was auto generated by the mkerr.pl script: any changes
+ * made to it will be overwritten when the script next updates this file,
+ * only reason strings will be preserved.
+ */
+
+#include <stdio.h>
+#include <openssl/err.h>
+#include "hw_cswift_err.h"
+
+/* BEGIN ERROR CODES */
+#ifndef OPENSSL_NO_ERR
+static ERR_STRING_DATA CSWIFT_str_functs[]=
+        {
+{ERR_PACK(0,CSWIFT_F_CSWIFT_CTRL,0),    "CSWIFT_CTRL"},
+{ERR_PACK(0,CSWIFT_F_CSWIFT_DSA_SIGN,0),        "CSWIFT_DSA_SIGN"},
+{ERR_PACK(0,CSWIFT_F_CSWIFT_DSA_VERIFY,0),      "CSWIFT_DSA_VERIFY"},
+{ERR_PACK(0,CSWIFT_F_CSWIFT_FINISH,0),  "CSWIFT_FINISH"},
+{ERR_PACK(0,CSWIFT_F_CSWIFT_INIT,0),    "CSWIFT_INIT"},
+{ERR_PACK(0,CSWIFT_F_CSWIFT_MOD_EXP,0), "CSWIFT_MOD_EXP"},
+{ERR_PACK(0,CSWIFT_F_CSWIFT_MOD_EXP_CRT,0),     "CSWIFT_MOD_EXP_CRT"},
+{ERR_PACK(0,CSWIFT_F_CSWIFT_RSA_MOD_EXP,0),     "CSWIFT_RSA_MOD_EXP"},
+{0,NULL}
+        };
+
+static ERR_STRING_DATA CSWIFT_str_reasons[]=
+        {
+{CSWIFT_R_ALREADY_LOADED                 ,"already loaded"},
+{CSWIFT_R_BAD_KEY_SIZE                   ,"bad key size"},
+{CSWIFT_R_BN_CTX_FULL                    ,"bn ctx full"},
+{CSWIFT_R_BN_EXPAND_FAIL                 ,"bn expand fail"},
+{CSWIFT_R_CTRL_COMMAND_NOT_IMPLEMENTED   ,"ctrl command not implemented"},
+{CSWIFT_R_MISSING_KEY_COMPONENTS         ,"missing key components"},
+{CSWIFT_R_NOT_LOADED                     ,"not loaded"},
+{CSWIFT_R_REQUEST_FAILED                 ,"request failed"},
+{CSWIFT_R_UNIT_FAILURE                   ,"unit failure"},
+{0,NULL}
+        };
+
+#endif
+
+#ifdef CSWIFT_LIB_NAME
+static ERR_STRING_DATA CSWIFT_lib_name[]=
+        {
+{0      ,CSWIFT_LIB_NAME},
+{0,NULL}
+        };
+#endif
+
+
+static int CSWIFT_lib_error_code=0;
+static int CSWIFT_error_init=1;
+
+static void ERR_load_CSWIFT_strings(void)
+        {
+        if (CSWIFT_lib_error_code == 0)
+                CSWIFT_lib_error_code=ERR_get_next_error_library();
+
+        if (CSWIFT_error_init)
+                {
+                CSWIFT_error_init=0;
+#ifndef OPENSSL_NO_ERR
+                ERR_load_strings(CSWIFT_lib_error_code,CSWIFT_str_functs);
+                ERR_load_strings(CSWIFT_lib_error_code,CSWIFT_str_reasons);
+#endif
+
+#ifdef CSWIFT_LIB_NAME
+                CSWIFT_lib_name->error = ERR_PACK(CSWIFT_lib_error_code,0,0);
+                ERR_load_strings(0,CSWIFT_lib_name);
+#endif
+                }
+        }
+
+static void ERR_unload_CSWIFT_strings(void)
+        {
+        if (CSWIFT_error_init == 0)
+                {
+#ifndef OPENSSL_NO_ERR
+                ERR_unload_strings(CSWIFT_lib_error_code,CSWIFT_str_functs);
+                ERR_unload_strings(CSWIFT_lib_error_code,CSWIFT_str_reasons);
+#endif
+
+#ifdef CSWIFT_LIB_NAME
+                ERR_unload_strings(0,CSWIFT_lib_name);
+#endif
+                CSWIFT_error_init=1;
+                }
+        }
+
+static void ERR_CSWIFT_error(int function, int reason, char *file, int line)
+        {
+        if (CSWIFT_lib_error_code == 0)
+                CSWIFT_lib_error_code=ERR_get_next_error_library();
+        ERR_PUT_error(CSWIFT_lib_error_code,function,reason,file,line);
+        }
diff --git a/src/lib/libcrypto/engine/hw_cswift_err.h b/src/lib/libcrypto/engine/hw_cswift_err.h
new file mode 100644
index 0000000000..7120c3216f
--- /dev/null
+++ b/src/lib/libcrypto/engine/hw_cswift_err.h
@@ -0,0 +1,93 @@
+/* ====================================================================
+ * Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#ifndef HEADER_CSWIFT_ERR_H
+#define HEADER_CSWIFT_ERR_H
+
+/* BEGIN ERROR CODES */
+/* The following lines are auto generated by the script mkerr.pl. Any changes
+ * made after this point may be overwritten when the script is next run.
+ */
+static void ERR_load_CSWIFT_strings(void);
+static void ERR_unload_CSWIFT_strings(void);
+static void ERR_CSWIFT_error(int function, int reason, char *file, int line);
+#define CSWIFTerr(f,r) ERR_CSWIFT_error((f),(r),__FILE__,__LINE__)
+
+/* Error codes for the CSWIFT functions. */
+
+/* Function codes. */
+#define CSWIFT_F_CSWIFT_CTRL                             100
+#define CSWIFT_F_CSWIFT_DSA_SIGN                         101
+#define CSWIFT_F_CSWIFT_DSA_VERIFY                       102
+#define CSWIFT_F_CSWIFT_FINISH                           103
+#define CSWIFT_F_CSWIFT_INIT                             104
+#define CSWIFT_F_CSWIFT_MOD_EXP                          105
+#define CSWIFT_F_CSWIFT_MOD_EXP_CRT                      106
+#define CSWIFT_F_CSWIFT_RSA_MOD_EXP                      107
+
+/* Reason codes. */
+#define CSWIFT_R_ALREADY_LOADED                          100
+#define CSWIFT_R_BAD_KEY_SIZE                            101
+#define CSWIFT_R_BN_CTX_FULL                             102
+#define CSWIFT_R_BN_EXPAND_FAIL                          103
+#define CSWIFT_R_CTRL_COMMAND_NOT_IMPLEMENTED            104
+#define CSWIFT_R_MISSING_KEY_COMPONENTS                  105
+#define CSWIFT_R_NOT_LOADED                              106
+#define CSWIFT_R_REQUEST_FAILED                          107
+#define CSWIFT_R_UNIT_FAILURE                            108
+
+#ifdef  __cplusplus
+}
+#endif
+#endif
diff --git a/src/lib/libcrypto/engine/hw_ncipher.c b/src/lib/libcrypto/engine/hw_ncipher.c
index 41f5900676..4762a54e3d 100644
--- a/src/lib/libcrypto/engine/hw_ncipher.c
+++ b/src/lib/libcrypto/engine/hw_ncipher.c
@@ -4,7 +4,7 @@
  * for the OpenSSL project 2000.
  */
 /* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2001 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -58,15 +58,16 @@
  */
 
 #include <stdio.h>
+#include <string.h>
 #include <openssl/crypto.h>
 #include <openssl/pem.h>
 #include "cryptlib.h"
 #include <openssl/dso.h>
-#include "engine_int.h"
 #include <openssl/engine.h>
+#include <openssl/ui.h>
 
-#ifndef NO_HW
-#ifndef NO_HW_NCIPHER
+#ifndef OPENSSL_NO_HW
+#ifndef OPENSSL_NO_HW_NCIPHER
 
 /* Attribution notice: nCipher have said several times that it's OK for
  * us to implement a general interface to their boxes, and recently declared
@@ -82,9 +83,13 @@
 #include "vendor_defns/hwcryptohook.h"
 #endif
 
-static int hwcrhk_init(void);
-static int hwcrhk_finish(void);
-static int hwcrhk_ctrl(int cmd, long i, void *p, void (*f)()); 
+#define HWCRHK_LIB_NAME "hwcrhk engine"
+#include "hw_ncipher_err.c"
+
+static int hwcrhk_destroy(ENGINE *e);
+static int hwcrhk_init(ENGINE *e);
+static int hwcrhk_finish(ENGINE *e);
+static int hwcrhk_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)()); 
 
 /* Functions to handle mutexes */
 static int hwcrhk_mutex_init(HWCryptoHook_Mutex*, HWCryptoHook_CallerContext*);
@@ -93,39 +98,77 @@ static void hwcrhk_mutex_unlock(HWCryptoHook_Mutex*);
 static void hwcrhk_mutex_destroy(HWCryptoHook_Mutex*);
 
 /* BIGNUM stuff */
-static int hwcrhk_mod_exp(BIGNUM *r, BIGNUM *a, const BIGNUM *p,
+static int hwcrhk_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
                 const BIGNUM *m, BN_CTX *ctx);
 
+#ifndef OPENSSL_NO_RSA
 /* RSA stuff */
-static int hwcrhk_rsa_mod_exp(BIGNUM *r, BIGNUM *I, RSA *rsa);
+static int hwcrhk_rsa_mod_exp(BIGNUM *r, const BIGNUM *I, RSA *rsa);
+#endif
 /* This function is aliased to mod_exp (with the mont stuff dropped). */
-static int hwcrhk_mod_exp_mont(BIGNUM *r, BIGNUM *a, const BIGNUM *p,
+static int hwcrhk_mod_exp_mont(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
                 const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
 
 /* DH stuff */
 /* This function is alised to mod_exp (with the DH and mont dropped). */
-static int hwcrhk_mod_exp_dh(DH *dh, BIGNUM *r, BIGNUM *a, const BIGNUM *p,
-                const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
+static int hwcrhk_mod_exp_dh(const DH *dh, BIGNUM *r,
+        const BIGNUM *a, const BIGNUM *p,
+        const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
 
 /* RAND stuff */
 static int hwcrhk_rand_bytes(unsigned char *buf, int num);
 static int hwcrhk_rand_status(void);
 
 /* KM stuff */
-static EVP_PKEY *hwcrhk_load_privkey(const char *key_id,
-        const char *passphrase);
-static EVP_PKEY *hwcrhk_load_pubkey(const char *key_id,
-        const char *passphrase);
+static EVP_PKEY *hwcrhk_load_privkey(ENGINE *eng, const char *key_id,
+        UI_METHOD *ui_method, void *callback_data);
+static EVP_PKEY *hwcrhk_load_pubkey(ENGINE *eng, const char *key_id,
+        UI_METHOD *ui_method, void *callback_data);
 static void hwcrhk_ex_free(void *obj, void *item, CRYPTO_EX_DATA *ad,
-        int index,long argl, void *argp);
+        int ind,long argl, void *argp);
 
 /* Interaction stuff */
+static int hwcrhk_insert_card(const char *prompt_info,
+        const char *wrong_info,
+        HWCryptoHook_PassphraseContext *ppctx,
+        HWCryptoHook_CallerContext *cactx);
 static int hwcrhk_get_pass(const char *prompt_info,
         int *len_io, char *buf,
         HWCryptoHook_PassphraseContext *ppctx,
         HWCryptoHook_CallerContext *cactx);
-static void hwcrhk_log_message(void *logstream, const char *message);
+static void hwcrhk_log_message(void *logstr, const char *message);
+
+/* The definitions for control commands specific to this engine */
+#define HWCRHK_CMD_SO_PATH              ENGINE_CMD_BASE
+#define HWCRHK_CMD_FORK_CHECK           (ENGINE_CMD_BASE + 1)
+#define HWCRHK_CMD_THREAD_LOCKING       (ENGINE_CMD_BASE + 2)
+#define HWCRHK_CMD_SET_USER_INTERFACE   (ENGINE_CMD_BASE + 3)
+#define HWCRHK_CMD_SET_CALLBACK_DATA    (ENGINE_CMD_BASE + 4)
+static const ENGINE_CMD_DEFN hwcrhk_cmd_defns[] = {
+        {HWCRHK_CMD_SO_PATH,
+                "SO_PATH",
+                "Specifies the path to the 'hwcrhk' shared library",
+                ENGINE_CMD_FLAG_STRING},
+        {HWCRHK_CMD_FORK_CHECK,
+                "FORK_CHECK",
+                "Turns fork() checking on or off (boolean)",
+                ENGINE_CMD_FLAG_NUMERIC},
+        {HWCRHK_CMD_THREAD_LOCKING,
+                "THREAD_LOCKING",
+                "Turns thread-safe locking on or off (boolean)",
+                ENGINE_CMD_FLAG_NUMERIC},
+        {HWCRHK_CMD_SET_USER_INTERFACE,
+                "SET_USER_INTERFACE",
+                "Set the global user interface (internal)",
+                ENGINE_CMD_FLAG_INTERNAL},
+        {HWCRHK_CMD_SET_CALLBACK_DATA,
+                "SET_CALLBACK_DATA",
+                "Set the global user interface extra data (internal)",
+                ENGINE_CMD_FLAG_INTERNAL},
+        {0, NULL, NULL, 0}
+        };
 
+#ifndef OPENSSL_NO_RSA
 /* Our internal RSA_METHOD that we provide pointers to */
 static RSA_METHOD hwcrhk_rsa =
         {
@@ -143,7 +186,9 @@ static RSA_METHOD hwcrhk_rsa =
         NULL,
         NULL
         };
+#endif
 
+#ifndef OPENSSL_NO_DH
 /* Our internal DH_METHOD that we provide pointers to */
 static DH_METHOD hwcrhk_dh =
         {
@@ -156,6 +201,7 @@ static DH_METHOD hwcrhk_dh =
         0,
         NULL
         };
+#endif
 
 static RAND_METHOD hwcrhk_rand =
         {
@@ -168,26 +214,9 @@ static RAND_METHOD hwcrhk_rand =
         hwcrhk_rand_status,
         };
 
-/* Our ENGINE structure. */
-static ENGINE engine_hwcrhk =
-        {
-        "chil",
-        "nCipher hardware engine support",
-        &hwcrhk_rsa,
-        NULL,
-        &hwcrhk_dh,
-        &hwcrhk_rand,
-        hwcrhk_mod_exp,
-        NULL,
-        hwcrhk_init,
-        hwcrhk_finish,
-        hwcrhk_ctrl,
-        hwcrhk_load_privkey,
-        hwcrhk_load_pubkey,
-        0, /* no flags */
-        0, 0, /* no references */
-        NULL, NULL /* unlinked */
-        };
+/* Constants used when creating the ENGINE */
+static const char *engine_hwcrhk_id = "chil";
+static const char *engine_hwcrhk_name = "nCipher hardware engine support";
 
 /* Internal stuff for HWCryptoHook */
 
@@ -204,7 +233,8 @@ struct HWCryptoHook_MutexValue
    into HWCryptoHook_PassphraseContext */
 struct HWCryptoHook_PassphraseContextValue
         {
-        void *any;
+        UI_METHOD *ui_method;
+        void *callback_data;
         };
 
 /* hwcryptohook.h has some typedefs that turn
@@ -212,7 +242,10 @@ struct HWCryptoHook_PassphraseContextValue
    into HWCryptoHook_CallerContext */
 struct HWCryptoHook_CallerContextValue
         {
-        void *any;
+        pem_password_cb *password_callback; /* Deprecated!  Only present for
+                                               backward compatibility! */
+        UI_METHOD *ui_method;
+        void *callback_data;
         };
 
 /* The MPI structure in HWCryptoHook is pretty compatible with OpenSSL
@@ -222,31 +255,27 @@ struct HWCryptoHook_CallerContextValue
 #define MPI2BN(bn, mp) \
     {mp.size = bn->dmax * sizeof(BN_ULONG); mp.buf = (unsigned char *)bn->d;}
 
-#if 0 /* Card and password management is not yet supported */
-/* HWCryptoHook callbacks.  insert_card() and get_pass() are not yet
-   defined, because we haven't quite decided on the proper form yet.
-   log_message() just adds an entry in the error stack.  I don't know
-   if that's good or bad...  */
-static int insert_card(const char *prompt_info,
-        const char *wrong_info,
-        HWCryptoHook_PassphraseContext *ppctx,
-        HWCryptoHook_CallerContext *cactx);
-static int get_pass(const char *prompt_info,
-        int *len_io, char *buf,
-        HWCryptoHook_PassphraseContext *ppctx,
-        HWCryptoHook_CallerContext *cactx);
-#endif
-
 static BIO *logstream = NULL;
-static pem_password_cb *password_callback = NULL;
-#if 0
-static void *password_callback_userdata = NULL;
-#endif
 static int disable_mutex_callbacks = 0;
 
+/* One might wonder why these are needed, since one can pass down at least
+   a UI_METHOD and a pointer to callback data to the key-loading functions.
+   The thing is that the ModExp and RSAImmed functions can load keys as well,
+   if the data they get is in a special, nCipher-defined format (hint: if you
+   look at the private exponent of the RSA data as a string, you'll see this
+   string: "nCipher KM tool key id", followed by some bytes, followed a key
+   identity string, followed by more bytes.  This happens when you use "embed"
+   keys instead of "hwcrhk" keys).  Unfortunately, those functions do not take
+   any passphrase or caller context, and our functions can't really take any
+   callback data either.  Still, the "insert_card" and "get_passphrase"
+   callbacks may be called down the line, and will need to know what user
+   interface callbacks to call, and having callback data from the application
+   may be a nice thing as well, so we need to keep track of that globally. */
+static HWCryptoHook_CallerContext password_context = { NULL, NULL, NULL };
+
 /* Stuff to pass to the HWCryptoHook library */
 static HWCryptoHook_InitInfo hwcrhk_globals = {
-        0,                      /* Flags */
+        HWCryptoHook_InitFlags_SimpleForkCheck, /* Flags */
         &logstream,             /* logstream */
         sizeof(BN_ULONG),       /* limbsize */
         0,                      /* mslimb first: false for BNs */
@@ -280,20 +309,42 @@ static HWCryptoHook_InitInfo hwcrhk_globals = {
         0, /* hwcrhk_cv_destroy, */
 
         hwcrhk_get_pass,        /* pass phrase */
-        0, /* insert_card, */   /* insert a card */
+        hwcrhk_insert_card,     /* insert a card */
         hwcrhk_log_message      /* Log message */
 };
 
 
 /* Now, to our own code */
 
-/* As this is only ever called once, there's no need for locking
- * (indeed - the lock will already be held by our caller!!!) */
-ENGINE *ENGINE_ncipher()
+/* This internal function is used by ENGINE_ncipher() and possibly by the
+ * "dynamic" ENGINE support too */
+static int bind_helper(ENGINE *e)
         {
-        RSA_METHOD *meth1;
-        DH_METHOD *meth2;
+#ifndef OPENSSL_NO_RSA
+        const RSA_METHOD *meth1;
+#endif
+#ifndef OPENSSL_NO_DH
+        const DH_METHOD *meth2;
+#endif
+        if(!ENGINE_set_id(e, engine_hwcrhk_id) ||
+                        !ENGINE_set_name(e, engine_hwcrhk_name) ||
+#ifndef OPENSSL_NO_RSA
+                        !ENGINE_set_RSA(e, &hwcrhk_rsa) ||
+#endif
+#ifndef OPENSSL_NO_DH
+                        !ENGINE_set_DH(e, &hwcrhk_dh) ||
+#endif
+                        !ENGINE_set_RAND(e, &hwcrhk_rand) ||
+                        !ENGINE_set_destroy_function(e, hwcrhk_destroy) ||
+                        !ENGINE_set_init_function(e, hwcrhk_init) ||
+                        !ENGINE_set_finish_function(e, hwcrhk_finish) ||
+                        !ENGINE_set_ctrl_function(e, hwcrhk_ctrl) ||
+                        !ENGINE_set_load_privkey_function(e, hwcrhk_load_privkey) ||
+                        !ENGINE_set_load_pubkey_function(e, hwcrhk_load_pubkey) ||
+                        !ENGINE_set_cmd_defns(e, hwcrhk_cmd_defns))
+                return 0;
 
+#ifndef OPENSSL_NO_RSA
         /* We know that the "PKCS1_SSLeay()" functions hook properly
          * to the cswift-specific mod_exp and mod_exp_crt so we use
          * those functions. NB: We don't use ENGINE_openssl() or
@@ -306,12 +357,41 @@ ENGINE *ENGINE_ncipher()
         hwcrhk_rsa.rsa_pub_dec = meth1->rsa_pub_dec;
         hwcrhk_rsa.rsa_priv_enc = meth1->rsa_priv_enc;
         hwcrhk_rsa.rsa_priv_dec = meth1->rsa_priv_dec;
+#endif
 
+#ifndef OPENSSL_NO_DH
         /* Much the same for Diffie-Hellman */
         meth2 = DH_OpenSSL();
         hwcrhk_dh.generate_key = meth2->generate_key;
         hwcrhk_dh.compute_key = meth2->compute_key;
-        return &engine_hwcrhk;
+#endif
+
+        /* Ensure the hwcrhk error handling is set up */
+        ERR_load_HWCRHK_strings();
+        return 1;
+        }
+
+static ENGINE *engine_ncipher(void)
+        {
+        ENGINE *ret = ENGINE_new();
+        if(!ret)
+                return NULL;
+        if(!bind_helper(ret))
+                {
+                ENGINE_free(ret);
+                return NULL;
+                }
+        return ret;
+        }
+
+void ENGINE_load_chil(void)
+        {
+        /* Copied from eng_[openssl|dyn].c */
+        ENGINE *toadd = engine_ncipher();
+        if(!toadd) return;
+        ENGINE_add(toadd);
+        ENGINE_free(toadd);
+        ERR_clear_error();
         }
 
 /* This is a process-global DSO handle used for loading and unloading
@@ -321,30 +401,41 @@ ENGINE *ENGINE_ncipher()
  * implicitly. */
 static DSO *hwcrhk_dso = NULL;
 static HWCryptoHook_ContextHandle hwcrhk_context = 0;
-static int hndidx = -1; /* Index for KM handle.  Not really used yet. */
+#ifndef OPENSSL_NO_RSA
+static int hndidx_rsa = -1;    /* Index for KM handle.  Not really used yet. */
+#endif
 
 /* These are the function pointers that are (un)set when the library has
  * successfully (un)loaded. */
 static HWCryptoHook_Init_t *p_hwcrhk_Init = NULL;
 static HWCryptoHook_Finish_t *p_hwcrhk_Finish = NULL;
 static HWCryptoHook_ModExp_t *p_hwcrhk_ModExp = NULL;
+#ifndef OPENSSL_NO_RSA
 static HWCryptoHook_RSA_t *p_hwcrhk_RSA = NULL;
+#endif
 static HWCryptoHook_RandomBytes_t *p_hwcrhk_RandomBytes = NULL;
+#ifndef OPENSSL_NO_RSA
 static HWCryptoHook_RSALoadKey_t *p_hwcrhk_RSALoadKey = NULL;
 static HWCryptoHook_RSAGetPublicKey_t *p_hwcrhk_RSAGetPublicKey = NULL;
 static HWCryptoHook_RSAUnloadKey_t *p_hwcrhk_RSAUnloadKey = NULL;
+#endif
 static HWCryptoHook_ModExpCRT_t *p_hwcrhk_ModExpCRT = NULL;
 
 /* Used in the DSO operations. */
-static const char *HWCRHK_LIBNAME = "nfhwcrhk";
+static const char def_HWCRHK_LIBNAME[] = "nfhwcrhk";
+static const char *HWCRHK_LIBNAME = def_HWCRHK_LIBNAME;
 static const char *n_hwcrhk_Init = "HWCryptoHook_Init";
 static const char *n_hwcrhk_Finish = "HWCryptoHook_Finish";
 static const char *n_hwcrhk_ModExp = "HWCryptoHook_ModExp";
+#ifndef OPENSSL_NO_RSA
 static const char *n_hwcrhk_RSA = "HWCryptoHook_RSA";
+#endif
 static const char *n_hwcrhk_RandomBytes = "HWCryptoHook_RandomBytes";
+#ifndef OPENSSL_NO_RSA
 static const char *n_hwcrhk_RSALoadKey = "HWCryptoHook_RSALoadKey";
 static const char *n_hwcrhk_RSAGetPublicKey = "HWCryptoHook_RSAGetPublicKey";
 static const char *n_hwcrhk_RSAUnloadKey = "HWCryptoHook_RSAUnloadKey";
+#endif
 static const char *n_hwcrhk_ModExpCRT = "HWCryptoHook_ModExpCRT";
 
 /* HWCryptoHook library functions and mechanics - these are used by the
@@ -353,16 +444,17 @@ static const char *n_hwcrhk_ModExpCRT = "HWCryptoHook_ModExpCRT";
  * called, the checking and error handling is probably down there. */
 
 /* utility function to obtain a context */
-static int get_context(HWCryptoHook_ContextHandle *hac)
+static int get_context(HWCryptoHook_ContextHandle *hac,
+        HWCryptoHook_CallerContext *cac)
         {
         char tempbuf[1024];
         HWCryptoHook_ErrMsgBuf rmsg;
 
         rmsg.buf = tempbuf;
-        rmsg.size = 1024;
+        rmsg.size = sizeof(tempbuf);
 
         *hac = p_hwcrhk_Init(&hwcrhk_globals, sizeof(hwcrhk_globals), &rmsg,
-                NULL);
+                cac);
         if (!*hac)
                 return 0;
         return 1;
@@ -374,30 +466,38 @@ static void release_context(HWCryptoHook_ContextHandle hac)
         p_hwcrhk_Finish(hac);
         }
 
+/* Destructor (complements the "ENGINE_ncipher()" constructor) */
+static int hwcrhk_destroy(ENGINE *e)
+        {
+        ERR_unload_HWCRHK_strings();
+        return 1;
+        }
+
 /* (de)initialisation functions. */
-static int hwcrhk_init()
+static int hwcrhk_init(ENGINE *e)
         {
         HWCryptoHook_Init_t *p1;
         HWCryptoHook_Finish_t *p2;
         HWCryptoHook_ModExp_t *p3;
+#ifndef OPENSSL_NO_RSA
         HWCryptoHook_RSA_t *p4;
         HWCryptoHook_RSALoadKey_t *p5;
         HWCryptoHook_RSAGetPublicKey_t *p6;
         HWCryptoHook_RSAUnloadKey_t *p7;
+#endif
         HWCryptoHook_RandomBytes_t *p8;
         HWCryptoHook_ModExpCRT_t *p9;
 
         if(hwcrhk_dso != NULL)
                 {
-                ENGINEerr(ENGINE_F_HWCRHK_INIT,ENGINE_R_ALREADY_LOADED);
+                HWCRHKerr(HWCRHK_F_HWCRHK_INIT,HWCRHK_R_ALREADY_LOADED);
                 goto err;
                 }
         /* Attempt to load libnfhwcrhk.so/nfhwcrhk.dll/whatever. */
-        hwcrhk_dso = DSO_load(NULL, HWCRHK_LIBNAME, NULL,
-                DSO_FLAG_NAME_TRANSLATION);
+        hwcrhk_dso = DSO_load(NULL, HWCRHK_LIBNAME, NULL, 0);
         if(hwcrhk_dso == NULL)
                 {
-                ENGINEerr(ENGINE_F_HWCRHK_INIT,ENGINE_R_DSO_FAILURE);
+                HWCRHKerr(HWCRHK_F_HWCRHK_INIT,HWCRHK_R_DSO_FAILURE);
                 goto err;
                 }
         if(!(p1 = (HWCryptoHook_Init_t *)
@@ -406,6 +506,7 @@ static int hwcrhk_init()
                         DSO_bind_func(hwcrhk_dso, n_hwcrhk_Finish)) ||
                 !(p3 = (HWCryptoHook_ModExp_t *)
                         DSO_bind_func(hwcrhk_dso, n_hwcrhk_ModExp)) ||
+#ifndef OPENSSL_NO_RSA
                 !(p4 = (HWCryptoHook_RSA_t *)
                         DSO_bind_func(hwcrhk_dso, n_hwcrhk_RSA)) ||
                 !(p5 = (HWCryptoHook_RSALoadKey_t *)
@@ -414,22 +515,25 @@ static int hwcrhk_init()
                         DSO_bind_func(hwcrhk_dso, n_hwcrhk_RSAGetPublicKey)) ||
                 !(p7 = (HWCryptoHook_RSAUnloadKey_t *)
                         DSO_bind_func(hwcrhk_dso, n_hwcrhk_RSAUnloadKey)) ||
+#endif
                 !(p8 = (HWCryptoHook_RandomBytes_t *)
                         DSO_bind_func(hwcrhk_dso, n_hwcrhk_RandomBytes)) ||
                 !(p9 = (HWCryptoHook_ModExpCRT_t *)
                         DSO_bind_func(hwcrhk_dso, n_hwcrhk_ModExpCRT)))
                 {
-                ENGINEerr(ENGINE_F_HWCRHK_INIT,ENGINE_R_DSO_FAILURE);
+                HWCRHKerr(HWCRHK_F_HWCRHK_INIT,HWCRHK_R_DSO_FAILURE);
                 goto err;
                 }
         /* Copy the pointers */
         p_hwcrhk_Init = p1;
         p_hwcrhk_Finish = p2;
         p_hwcrhk_ModExp = p3;
+#ifndef OPENSSL_NO_RSA
         p_hwcrhk_RSA = p4;
         p_hwcrhk_RSALoadKey = p5;
         p_hwcrhk_RSAGetPublicKey = p6;
         p_hwcrhk_RSAUnloadKey = p7;
+#endif
         p_hwcrhk_RandomBytes = p8;
         p_hwcrhk_ModExpCRT = p9;
 
@@ -448,16 +552,18 @@ static int hwcrhk_init()
 
         /* Try and get a context - if not, we may have a DSO but no
          * accelerator! */
-        if(!get_context(&hwcrhk_context))
+        if(!get_context(&hwcrhk_context, &password_context))
                 {
-                ENGINEerr(ENGINE_F_HWCRHK_INIT,ENGINE_R_UNIT_FAILURE);
+                HWCRHKerr(HWCRHK_F_HWCRHK_INIT,HWCRHK_R_UNIT_FAILURE);
                 goto err;
                 }
         /* Everything's fine. */
-        if (hndidx == -1)
-                hndidx = RSA_get_ex_new_index(0,
+#ifndef OPENSSL_NO_RSA
+        if (hndidx_rsa == -1)
+                hndidx_rsa = RSA_get_ex_new_index(0,
                         "nFast HWCryptoHook RSA key handle",
                         NULL, NULL, hwcrhk_ex_free);
+#endif
         return 1;
 err:
         if(hwcrhk_dso)
@@ -466,28 +572,30 @@ err:
         p_hwcrhk_Init = NULL;
         p_hwcrhk_Finish = NULL;
         p_hwcrhk_ModExp = NULL;
+#ifndef OPENSSL_NO_RSA
         p_hwcrhk_RSA = NULL;
         p_hwcrhk_RSALoadKey = NULL;
         p_hwcrhk_RSAGetPublicKey = NULL;
         p_hwcrhk_RSAUnloadKey = NULL;
+#endif
         p_hwcrhk_ModExpCRT = NULL;
         p_hwcrhk_RandomBytes = NULL;
         return 0;
         }
 
-static int hwcrhk_finish()
+static int hwcrhk_finish(ENGINE *e)
         {
         int to_return = 1;
         if(hwcrhk_dso == NULL)
                 {
-                ENGINEerr(ENGINE_F_HWCRHK_FINISH,ENGINE_R_NOT_LOADED);
+                HWCRHKerr(HWCRHK_F_HWCRHK_FINISH,HWCRHK_R_NOT_LOADED);
                 to_return = 0;
                 goto err;
                 }
         release_context(hwcrhk_context);
         if(!DSO_free(hwcrhk_dso))
                 {
-                ENGINEerr(ENGINE_F_HWCRHK_FINISH,ENGINE_R_DSO_FAILURE);
+                HWCRHKerr(HWCRHK_F_HWCRHK_FINISH,HWCRHK_R_DSO_FAILURE);
                 to_return = 0;
                 goto err;
                 }
@@ -498,21 +606,36 @@ static int hwcrhk_finish()
         p_hwcrhk_Init = NULL;
         p_hwcrhk_Finish = NULL;
         p_hwcrhk_ModExp = NULL;
+#ifndef OPENSSL_NO_RSA
         p_hwcrhk_RSA = NULL;
         p_hwcrhk_RSALoadKey = NULL;
         p_hwcrhk_RSAGetPublicKey = NULL;
         p_hwcrhk_RSAUnloadKey = NULL;
+#endif
         p_hwcrhk_ModExpCRT = NULL;
         p_hwcrhk_RandomBytes = NULL;
         return to_return;
         }
 
-static int hwcrhk_ctrl(int cmd, long i, void *p, void (*f)())
+static int hwcrhk_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)())
         {
         int to_return = 1;
 
         switch(cmd)
                 {
+        case HWCRHK_CMD_SO_PATH:
+                if(hwcrhk_dso)
+                        {
+                        HWCRHKerr(HWCRHK_F_HWCRHK_CTRL,HWCRHK_R_ALREADY_LOADED);
+                        return 0;
+                        }
+                if(p == NULL)
+                        {
+                        HWCRHKerr(HWCRHK_F_HWCRHK_CTRL,ERR_R_PASSED_NULL_PARAMETER);
+                        return 0;
+                        }
+                HWCRHK_LIBNAME = (const char *)p;
+                return 1;
         case ENGINE_CTRL_SET_LOGSTREAM:
                 {
                 BIO *bio = (BIO *)p;
@@ -526,18 +649,31 @@ static int hwcrhk_ctrl(int cmd, long i, void *p, void (*f)())
                 if (CRYPTO_add(&bio->references,1,CRYPTO_LOCK_BIO) > 1)
                         logstream = bio;
                 else
-                        ENGINEerr(ENGINE_F_HWCRHK_CTRL,ENGINE_R_BIO_WAS_FREED);
+                        HWCRHKerr(HWCRHK_F_HWCRHK_CTRL,HWCRHK_R_BIO_WAS_FREED);
                 }
                 CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
                 break;
         case ENGINE_CTRL_SET_PASSWORD_CALLBACK:
                 CRYPTO_w_lock(CRYPTO_LOCK_ENGINE);
-                password_callback = (pem_password_cb *)f;
+                password_context.password_callback = (pem_password_cb *)f;
+                CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
+                break;
+        case ENGINE_CTRL_SET_USER_INTERFACE:
+        case HWCRHK_CMD_SET_USER_INTERFACE:
+                CRYPTO_w_lock(CRYPTO_LOCK_ENGINE);
+                password_context.ui_method = (UI_METHOD *)p;
+                CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
+                break;
+        case ENGINE_CTRL_SET_CALLBACK_DATA:
+        case HWCRHK_CMD_SET_CALLBACK_DATA:
+                CRYPTO_w_lock(CRYPTO_LOCK_ENGINE);
+                password_context.callback_data = p;
                 CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
                 break;
         /* this enables or disables the "SimpleForkCheck" flag used in the
          * initialisation structure. */
         case ENGINE_CTRL_CHIL_SET_FORKCHECK:
+        case HWCRHK_CMD_FORK_CHECK:
                 CRYPTO_w_lock(CRYPTO_LOCK_ENGINE);
                 if(i)
                         hwcrhk_globals.flags |=
@@ -557,11 +693,16 @@ static int hwcrhk_ctrl(int cmd, long i, void *p, void (*f)())
                 disable_mutex_callbacks = 1;
                 CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
                 break;
+        case HWCRHK_CMD_THREAD_LOCKING:
+                CRYPTO_w_lock(CRYPTO_LOCK_ENGINE);
+                disable_mutex_callbacks = ((i == 0) ? 0 : 1);
+                CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
+                break;
 
         /* The command isn't understood by this engine */
         default:
-                ENGINEerr(ENGINE_F_HWCRHK_CTRL,
-                        ENGINE_R_CTRL_COMMAND_NOT_IMPLEMENTED);
+                HWCRHKerr(HWCRHK_F_HWCRHK_CTRL,
+                        HWCRHK_R_CTRL_COMMAND_NOT_IMPLEMENTED);
                 to_return = 0;
                 break;
                 }
@@ -569,44 +710,62 @@ static int hwcrhk_ctrl(int cmd, long i, void *p, void (*f)())
         return to_return;
         }
 
-static EVP_PKEY *hwcrhk_load_privkey(const char *key_id,
-        const char *passphrase)
+static EVP_PKEY *hwcrhk_load_privkey(ENGINE *eng, const char *key_id,
+        UI_METHOD *ui_method, void *callback_data)
         {
+#ifndef OPENSSL_NO_RSA
         RSA *rtmp = NULL;
+#endif
         EVP_PKEY *res = NULL;
+#ifndef OPENSSL_NO_RSA
         HWCryptoHook_MPI e, n;
         HWCryptoHook_RSAKeyHandle *hptr;
+#endif
+#if !defined(OPENSSL_NO_RSA)
+        char tempbuf[1024];
         HWCryptoHook_ErrMsgBuf rmsg;
+#endif
+        HWCryptoHook_PassphraseContext ppctx;
+
+#if !defined(OPENSSL_NO_RSA)
+        rmsg.buf = tempbuf;
+        rmsg.size = sizeof(tempbuf);
+#endif
 
         if(!hwcrhk_context)
                 {
-                ENGINEerr(ENGINE_F_HWCRHK_LOAD_PRIVKEY,
-                        ENGINE_R_NOT_INITIALISED);
+                HWCRHKerr(HWCRHK_F_HWCRHK_LOAD_PRIVKEY,
+                        HWCRHK_R_NOT_INITIALISED);
                 goto err;
                 }
+#ifndef OPENSSL_NO_RSA
         hptr = OPENSSL_malloc(sizeof(HWCryptoHook_RSAKeyHandle));
         if (!hptr)
                 {
-                ENGINEerr(ENGINE_F_HWCRHK_LOAD_PRIVKEY,
+                HWCRHKerr(HWCRHK_F_HWCRHK_LOAD_PRIVKEY,
                         ERR_R_MALLOC_FAILURE);
                 goto err;
                 }
+        ppctx.ui_method = ui_method;
+        ppctx.callback_data = callback_data;
         if (p_hwcrhk_RSALoadKey(hwcrhk_context, key_id, hptr,
-                &rmsg, NULL))
+                &rmsg, &ppctx))
                 {
-                ENGINEerr(ENGINE_F_HWCRHK_LOAD_PRIVKEY,
-                        ENGINE_R_CHIL_ERROR);
+                HWCRHKerr(HWCRHK_F_HWCRHK_LOAD_PRIVKEY,
+                        HWCRHK_R_CHIL_ERROR);
                 ERR_add_error_data(1,rmsg.buf);
                 goto err;
                 }
         if (!*hptr)
                 {
-                ENGINEerr(ENGINE_F_HWCRHK_LOAD_PRIVKEY,
-                        ENGINE_R_NO_KEY);
+                HWCRHKerr(HWCRHK_F_HWCRHK_LOAD_PRIVKEY,
+                        HWCRHK_R_NO_KEY);
                 goto err;
                 }
-        rtmp = RSA_new_method(&engine_hwcrhk);
-        RSA_set_ex_data(rtmp, hndidx, (char *)hptr);
+#endif
+#ifndef OPENSSL_NO_RSA
+        rtmp = RSA_new_method(eng);
+        RSA_set_ex_data(rtmp, hndidx_rsa, (char *)hptr);
         rtmp->e = BN_new();
         rtmp->n = BN_new();
         rtmp->flags |= RSA_FLAG_EXT_PKEY;
@@ -615,11 +774,11 @@ static EVP_PKEY *hwcrhk_load_privkey(const char *key_id,
         if (p_hwcrhk_RSAGetPublicKey(*hptr, &n, &e, &rmsg)
                 != HWCRYPTOHOOK_ERROR_MPISIZE)
                 {
-                ENGINEerr(ENGINE_F_HWCRHK_LOAD_PUBKEY,ENGINE_R_CHIL_ERROR);
+                HWCRHKerr(HWCRHK_F_HWCRHK_LOAD_PUBKEY,HWCRHK_R_CHIL_ERROR);
                 ERR_add_error_data(1,rmsg.buf);
                 goto err;
                 }
-                        
+
         bn_expand2(rtmp->e, e.size/sizeof(BN_ULONG));
         bn_expand2(rtmp->n, n.size/sizeof(BN_ULONG));
         MPI2BN(rtmp->e, e);
@@ -627,8 +786,8 @@ static EVP_PKEY *hwcrhk_load_privkey(const char *key_id,
 
         if (p_hwcrhk_RSAGetPublicKey(*hptr, &n, &e, &rmsg))
                 {
-                ENGINEerr(ENGINE_F_HWCRHK_LOAD_PUBKEY,
-                        ENGINE_R_CHIL_ERROR);
+                HWCRHKerr(HWCRHK_F_HWCRHK_LOAD_PUBKEY,
+                        HWCRHK_R_CHIL_ERROR);
                 ERR_add_error_data(1,rmsg.buf);
                 goto err;
                 }
@@ -639,23 +798,37 @@ static EVP_PKEY *hwcrhk_load_privkey(const char *key_id,
 
         res = EVP_PKEY_new();
         EVP_PKEY_assign_RSA(res, rtmp);
+#endif
+
+        if (!res)
+                HWCRHKerr(HWCRHK_F_HWCRHK_LOAD_PUBKEY,
+                        HWCRHK_R_PRIVATE_KEY_ALGORITHMS_DISABLED);
 
         return res;
  err:
         if (res)
                 EVP_PKEY_free(res);
+#ifndef OPENSSL_NO_RSA
         if (rtmp)
                 RSA_free(rtmp);
+#endif
         return NULL;
         }
 
-static EVP_PKEY *hwcrhk_load_pubkey(const char *key_id, const char *passphrase)
+static EVP_PKEY *hwcrhk_load_pubkey(ENGINE *eng, const char *key_id,
+        UI_METHOD *ui_method, void *callback_data)
         {
-        EVP_PKEY *res = hwcrhk_load_privkey(key_id, passphrase);
+        EVP_PKEY *res = NULL;
+
+#ifndef OPENSSL_NO_RSA
+        res = hwcrhk_load_privkey(eng, key_id,
+                ui_method, callback_data);
+#endif
 
         if (res)
                 switch(res->type)
                         {
+#ifndef OPENSSL_NO_RSA
                 case EVP_PKEY_RSA:
                         {
                         RSA *rsa = NULL;
@@ -665,12 +838,16 @@ static EVP_PKEY *hwcrhk_load_pubkey(const char *key_id, const char *passphrase)
                         res->pkey.rsa = RSA_new();
                         res->pkey.rsa->n = rsa->n;
                         res->pkey.rsa->e = rsa->e;
+                        rsa->n = NULL;
+                        rsa->e = NULL;
                         CRYPTO_w_unlock(CRYPTO_LOCK_EVP_PKEY);
                         RSA_free(rsa);
                         }
+                        break;
+#endif
                 default:
-                        ENGINEerr(ENGINE_F_HWCRHK_LOAD_PUBKEY,
-                                ENGINE_R_CTRL_COMMAND_NOT_IMPLEMENTED);
+                        HWCRHKerr(HWCRHK_F_HWCRHK_LOAD_PUBKEY,
+                                HWCRHK_R_CTRL_COMMAND_NOT_IMPLEMENTED);
                         goto err;
                         }
 
@@ -682,7 +859,7 @@ static EVP_PKEY *hwcrhk_load_pubkey(const char *key_id, const char *passphrase)
         }
 
 /* A little mod_exp */
-static int hwcrhk_mod_exp(BIGNUM *r, BIGNUM *a, const BIGNUM *p,
+static int hwcrhk_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
                         const BIGNUM *m, BN_CTX *ctx)
         {
         char tempbuf[1024];
@@ -695,11 +872,11 @@ static int hwcrhk_mod_exp(BIGNUM *r, BIGNUM *a, const BIGNUM *p,
  
         to_return = 0; /* expect failure */
         rmsg.buf = tempbuf;
-        rmsg.size = 1024;
+        rmsg.size = sizeof(tempbuf);
 
         if(!hwcrhk_context)
                 {
-                ENGINEerr(ENGINE_F_HWCRHK_MOD_EXP,ENGINE_R_NOT_INITIALISED);
+                HWCRHKerr(HWCRHK_F_HWCRHK_MOD_EXP,HWCRHK_R_NOT_INITIALISED);
                 goto err;
                 }
         /* Prepare the params */
@@ -723,11 +900,11 @@ static int hwcrhk_mod_exp(BIGNUM *r, BIGNUM *a, const BIGNUM *p,
                    might be a good thing. */
                 if(ret == HWCRYPTOHOOK_ERROR_FALLBACK)
                         {
-                        ENGINEerr(ENGINE_F_HWCRHK_MOD_EXP,ENGINE_R_REQUEST_FALLBACK);
+                        HWCRHKerr(HWCRHK_F_HWCRHK_MOD_EXP,HWCRHK_R_REQUEST_FALLBACK);
                         }
                 else
                         {
-                        ENGINEerr(ENGINE_F_HWCRHK_MOD_EXP,ENGINE_R_REQUEST_FAILED);
+                        HWCRHKerr(HWCRHK_F_HWCRHK_MOD_EXP,HWCRHK_R_REQUEST_FAILED);
                         }
                 ERR_add_error_data(1,rmsg.buf);
                 goto err;
@@ -737,38 +914,39 @@ static int hwcrhk_mod_exp(BIGNUM *r, BIGNUM *a, const BIGNUM *p,
 err:
         return to_return;
         }
- 
-static int hwcrhk_rsa_mod_exp(BIGNUM *r, BIGNUM *I, RSA *rsa)
+
+#ifndef OPENSSL_NO_RSA 
+static int hwcrhk_rsa_mod_exp(BIGNUM *r, const BIGNUM *I, RSA *rsa)
         {
         char tempbuf[1024];
         HWCryptoHook_ErrMsgBuf rmsg;
         HWCryptoHook_RSAKeyHandle *hptr;
         int to_return = 0, ret;
 
+        rmsg.buf = tempbuf;
+        rmsg.size = sizeof(tempbuf);
+
         if(!hwcrhk_context)
                 {
-                ENGINEerr(ENGINE_F_HWCRHK_MOD_EXP,ENGINE_R_NOT_INITIALISED);
+                HWCRHKerr(HWCRHK_F_HWCRHK_MOD_EXP,HWCRHK_R_NOT_INITIALISED);
                 goto err;
                 }
 
         /* This provides support for nForce keys.  Since that's opaque data
            all we do is provide a handle to the proper key and let HWCryptoHook
            take care of the rest. */
-        if ((hptr = (HWCryptoHook_RSAKeyHandle *) RSA_get_ex_data(rsa, hndidx))
+        if ((hptr = (HWCryptoHook_RSAKeyHandle *) RSA_get_ex_data(rsa, hndidx_rsa))
                 != NULL)
                 {
                 HWCryptoHook_MPI m_a, m_r;
 
                 if(!rsa->n)
                         {
-                        ENGINEerr(ENGINE_F_HWCRHK_RSA_MOD_EXP,
-                                ENGINE_R_MISSING_KEY_COMPONENTS);
+                        HWCRHKerr(HWCRHK_F_HWCRHK_RSA_MOD_EXP,
+                                HWCRHK_R_MISSING_KEY_COMPONENTS);
                         goto err;
                         }
 
-                rmsg.buf = tempbuf;
-                rmsg.size = 1024;
-
                 /* Prepare the params */
                 bn_expand2(r, rsa->n->top); /* Check for error !! */
                 BN2MPI(m_a, I);
@@ -788,11 +966,13 @@ static int hwcrhk_rsa_mod_exp(BIGNUM *r, BIGNUM *I, RSA *rsa)
                            might be a good thing. */
                         if(ret == HWCRYPTOHOOK_ERROR_FALLBACK)
                                 {
-                                ENGINEerr(ENGINE_F_HWCRHK_RSA_MOD_EXP,ENGINE_R_REQUEST_FALLBACK);
+                                HWCRHKerr(HWCRHK_F_HWCRHK_RSA_MOD_EXP,
+                                        HWCRHK_R_REQUEST_FALLBACK);
                                 }
                         else
                                 {
-                                ENGINEerr(ENGINE_F_HWCRHK_RSA_MOD_EXP,ENGINE_R_REQUEST_FAILED);
+                                HWCRHKerr(HWCRHK_F_HWCRHK_RSA_MOD_EXP,
+                                        HWCRHK_R_REQUEST_FAILED);
                                 }
                         ERR_add_error_data(1,rmsg.buf);
                         goto err;
@@ -804,14 +984,11 @@ static int hwcrhk_rsa_mod_exp(BIGNUM *r, BIGNUM *I, RSA *rsa)
 
                 if(!rsa->p || !rsa->q || !rsa->dmp1 || !rsa->dmq1 || !rsa->iqmp)
                         {
-                        ENGINEerr(ENGINE_F_HWCRHK_RSA_MOD_EXP,
-                                ENGINE_R_MISSING_KEY_COMPONENTS);
+                        HWCRHKerr(HWCRHK_F_HWCRHK_RSA_MOD_EXP,
+                                HWCRHK_R_MISSING_KEY_COMPONENTS);
                         goto err;
                         }
 
-                rmsg.buf = tempbuf;
-                rmsg.size = 1024;
-
                 /* Prepare the params */
                 bn_expand2(r, rsa->n->top); /* Check for error !! */
                 BN2MPI(m_a, I);
@@ -837,11 +1014,13 @@ static int hwcrhk_rsa_mod_exp(BIGNUM *r, BIGNUM *I, RSA *rsa)
                            might be a good thing. */
                         if(ret == HWCRYPTOHOOK_ERROR_FALLBACK)
                                 {
-                                ENGINEerr(ENGINE_F_HWCRHK_RSA_MOD_EXP,ENGINE_R_REQUEST_FALLBACK);
+                                HWCRHKerr(HWCRHK_F_HWCRHK_RSA_MOD_EXP,
+                                        HWCRHK_R_REQUEST_FALLBACK);
                                 }
                         else
                                 {
-                                ENGINEerr(ENGINE_F_HWCRHK_RSA_MOD_EXP,ENGINE_R_REQUEST_FAILED);
+                                HWCRHKerr(HWCRHK_F_HWCRHK_RSA_MOD_EXP,
+                                        HWCRHK_R_REQUEST_FAILED);
                                 }
                         ERR_add_error_data(1,rmsg.buf);
                         goto err;
@@ -852,16 +1031,18 @@ static int hwcrhk_rsa_mod_exp(BIGNUM *r, BIGNUM *I, RSA *rsa)
 err:
         return to_return;
         }
+#endif
 
 /* This function is aliased to mod_exp (with the mont stuff dropped). */
-static int hwcrhk_mod_exp_mont(BIGNUM *r, BIGNUM *a, const BIGNUM *p,
+static int hwcrhk_mod_exp_mont(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
                 const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx)
         {
         return hwcrhk_mod_exp(r, a, p, m, ctx);
         }
 
 /* This function is aliased to mod_exp (with the dh and mont dropped). */
-static int hwcrhk_mod_exp_dh(DH *dh, BIGNUM *r, BIGNUM *a, const BIGNUM *p,
+static int hwcrhk_mod_exp_dh(const DH *dh, BIGNUM *r,
+                const BIGNUM *a, const BIGNUM *p,
                 const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx)
         {
         return hwcrhk_mod_exp(r, a, p, m, ctx);
@@ -876,11 +1057,11 @@ static int hwcrhk_rand_bytes(unsigned char *buf, int num)
         int ret;
 
         rmsg.buf = tempbuf;
-        rmsg.size = 1024;
+        rmsg.size = sizeof(tempbuf);
 
         if(!hwcrhk_context)
                 {
-                ENGINEerr(ENGINE_F_HWCRHK_RAND_BYTES,ENGINE_R_NOT_INITIALISED);
+                HWCRHKerr(HWCRHK_F_HWCRHK_RAND_BYTES,HWCRHK_R_NOT_INITIALISED);
                 goto err;
                 }
 
@@ -892,11 +1073,13 @@ static int hwcrhk_rand_bytes(unsigned char *buf, int num)
                    might be a good thing. */
                 if(ret == HWCRYPTOHOOK_ERROR_FALLBACK)
                         {
-                        ENGINEerr(ENGINE_F_HWCRHK_RAND_BYTES,ENGINE_R_REQUEST_FALLBACK);
+                        HWCRHKerr(HWCRHK_F_HWCRHK_RAND_BYTES,
+                                HWCRHK_R_REQUEST_FALLBACK);
                         }
                 else
                         {
-                        ENGINEerr(ENGINE_F_HWCRHK_RAND_BYTES,ENGINE_R_REQUEST_FAILED);
+                        HWCRHKerr(HWCRHK_F_HWCRHK_RAND_BYTES,
+                                HWCRHK_R_REQUEST_FAILED);
                         }
                 ERR_add_error_data(1,rmsg.buf);
                 goto err;
@@ -914,20 +1097,28 @@ static int hwcrhk_rand_status(void)
 /* This cleans up an RSA KM key, called when ex_data is freed */
 
 static void hwcrhk_ex_free(void *obj, void *item, CRYPTO_EX_DATA *ad,
-        int index,long argl, void *argp)
+        int ind,long argl, void *argp)
 {
         char tempbuf[1024];
         HWCryptoHook_ErrMsgBuf rmsg;
+#ifndef OPENSSL_NO_RSA
         HWCryptoHook_RSAKeyHandle *hptr;
+#endif
+#if !defined(OPENSSL_NO_RSA)
         int ret;
+#endif
 
         rmsg.buf = tempbuf;
-        rmsg.size = 1024;
+        rmsg.size = sizeof(tempbuf);
 
+#ifndef OPENSSL_NO_RSA
         hptr = (HWCryptoHook_RSAKeyHandle *) item;
-        if(!hptr) return;
-        ret = p_hwcrhk_RSAUnloadKey(*hptr, NULL);
-        OPENSSL_free(hptr);
+        if(hptr)
+                {
+                ret = p_hwcrhk_RSAUnloadKey(*hptr, NULL);
+                OPENSSL_free(hptr);
+                }
+#endif
 }
 
 /* Mutex calls: since the HWCryptoHook model closely follows the POSIX model
@@ -939,17 +1130,17 @@ static int hwcrhk_mutex_init(HWCryptoHook_Mutex* mt,
         {
         mt->lockid = CRYPTO_get_new_dynlockid();
         if (mt->lockid == 0)
-                return 0;
-        return 1;
+                return 1; /* failure */
+        return 0; /* success */
         }
 
 static int hwcrhk_mutex_lock(HWCryptoHook_Mutex *mt)
         {
         CRYPTO_w_lock(mt->lockid);
-        return 1;
+        return 0;
         }
 
-void hwcrhk_mutex_unlock(HWCryptoHook_Mutex * mt)
+static void hwcrhk_mutex_unlock(HWCryptoHook_Mutex * mt)
         {
         CRYPTO_w_unlock(mt->lockid);
         }
@@ -964,50 +1155,146 @@ static int hwcrhk_get_pass(const char *prompt_info,
         HWCryptoHook_PassphraseContext *ppctx,
         HWCryptoHook_CallerContext *cactx)
         {
-        int l = 0;
-        char prompt[1024];
-
-        if (password_callback == NULL)
-                {
-                ENGINEerr(ENGINE_F_HWCRHK_GET_PASS,ENGINE_R_NO_CALLBACK);
-                return -1;
-                }
-        if (prompt_info)
+        pem_password_cb *callback = NULL;
+        void *callback_data = NULL;
+        UI_METHOD *ui_method = NULL;
+
+        if (cactx)
+                {
+                if (cactx->ui_method)
+                        ui_method = cactx->ui_method;
+                if (cactx->password_callback)
+                        callback = cactx->password_callback;
+                if (cactx->callback_data)
+                        callback_data = cactx->callback_data;
+                }
+        if (ppctx)
                 {
-                strncpy(prompt, "Card: \"", sizeof(prompt));
-                l += 5;
-                strncpy(prompt + l, prompt_info, sizeof(prompt) - l);
-                l += strlen(prompt_info);
-                if (l + 2 < sizeof(prompt))
-                        {
-                        strncpy(prompt + l, "\"\n", sizeof(prompt) - l);
-                        l += 2;
-                        }
+                if (ppctx->ui_method)
+                        {
+                        ui_method = ppctx->ui_method;
+                        callback = NULL;
+                        }
+                if (ppctx->callback_data)
+                        callback_data = ppctx->callback_data;
                 }
-        if (l < sizeof(prompt) - 1)
+        if (callback == NULL && ui_method == NULL)
                 {
-                strncpy(prompt, "Enter Passphrase <enter to cancel>:",
-                        sizeof(prompt) - l);
-                l += 35;
+                HWCRHKerr(HWCRHK_F_HWCRHK_GET_PASS,HWCRHK_R_NO_CALLBACK);
+                return -1;
                 }
-        prompt[l] = '\0';
 
-        /* I know, passing on the prompt instead of the user data *is*
-           a bad thing.  However, that's all we have right now.
-           --  Richard Levitte */
-        *len_io = password_callback(buf, *len_io, 0, prompt);
+        if (ui_method)
+                {
+                UI *ui = UI_new_method(ui_method);
+                if (ui)
+                        {
+                        int ok;
+                        char *prompt = UI_construct_prompt(ui,
+                                "pass phrase", prompt_info);
+
+                        ok = UI_add_input_string(ui,prompt,
+                                UI_INPUT_FLAG_DEFAULT_PWD,
+                                buf,0,(*len_io) - 1);
+                        UI_add_user_data(ui, callback_data);
+                        UI_ctrl(ui, UI_CTRL_PRINT_ERRORS, 1, 0, 0);
+
+                        if (ok >= 0)
+                                do
+                                        {
+                                        ok=UI_process(ui);
+                                        }
+                                while (ok < 0 && UI_ctrl(ui, UI_CTRL_IS_REDOABLE, 0, 0, 0));
+
+                        if (ok >= 0)
+                                *len_io = strlen(buf);
+
+                        UI_free(ui);
+                        OPENSSL_free(prompt);
+                        }
+                }
+        else
+                {
+                *len_io = callback(buf, *len_io, 0, callback_data);
+                }
         if(!*len_io)
                 return -1;
         return 0;
         }
 
-static void hwcrhk_log_message(void *logstream, const char *message)
+static int hwcrhk_insert_card(const char *prompt_info,
+                      const char *wrong_info,
+                      HWCryptoHook_PassphraseContext *ppctx,
+                      HWCryptoHook_CallerContext *cactx)
+        {
+        int ok = -1;
+        UI *ui;
+        void *callback_data = NULL;
+        UI_METHOD *ui_method = NULL;
+
+        if (cactx)
+                {
+                if (cactx->ui_method)
+                        ui_method = cactx->ui_method;
+                if (cactx->callback_data)
+                        callback_data = cactx->callback_data;
+                }
+        if (ppctx)
+                {
+                if (ppctx->ui_method)
+                        ui_method = ppctx->ui_method;
+                if (ppctx->callback_data)
+                        callback_data = ppctx->callback_data;
+                }
+        if (ui_method == NULL)
+                {
+                HWCRHKerr(HWCRHK_F_HWCRHK_INSERT_CARD,
+                        HWCRHK_R_NO_CALLBACK);
+                return -1;
+                }
+
+        ui = UI_new_method(ui_method);
+
+        if (ui)
+                {
+                char answer;
+                char buf[BUFSIZ];
+
+                if (wrong_info)
+                        BIO_snprintf(buf, sizeof(buf)-1,
+                                "Current card: \"%s\"\n", wrong_info);
+                ok = UI_dup_info_string(ui, buf);
+                if (ok >= 0 && prompt_info)
+                        {
+                        BIO_snprintf(buf, sizeof(buf)-1,
+                                "Insert card \"%s\"", prompt_info);
+                        ok = UI_dup_input_boolean(ui, buf,
+                                "\n then hit <enter> or C<enter> to cancel\n",
+                                "\r\n", "Cc", UI_INPUT_FLAG_ECHO, &answer);
+                        }
+                UI_add_user_data(ui, callback_data);
+
+                if (ok >= 0)
+                        ok = UI_process(ui);
+                UI_free(ui);
+
+                if (ok == -2 || (ok >= 0 && answer == 'C'))
+                        ok = 1;
+                else if (ok < 0)
+                        ok = -1;
+                else
+                        ok = 0;
+                }
+        return ok;
+        }
+
+static void hwcrhk_log_message(void *logstr, const char *message)
         {
         BIO *lstream = NULL;
 
         CRYPTO_w_lock(CRYPTO_LOCK_BIO);
-        if (logstream)
-                lstream=*(BIO **)logstream;
+        if (logstr)
+                lstream=*(BIO **)logstr;
         if (lstream)
                 {
                 BIO_write(lstream, message, strlen(message));
@@ -1015,5 +1302,20 @@ static void hwcrhk_log_message(void *logstream, const char *message)
         CRYPTO_w_unlock(CRYPTO_LOCK_BIO);
         }
 
-#endif /* !NO_HW_NCIPHER */
-#endif /* !NO_HW */
+/* This stuff is needed if this ENGINE is being compiled into a self-contained
+ * shared-library. */      
+#ifdef ENGINE_DYNAMIC_SUPPORT
+static int bind_fn(ENGINE *e, const char *id)
+        {
+        if(id && (strcmp(id, engine_hwcrhk_id) != 0))
+                return 0;
+        if(!bind_helper(e))
+                return 0;
+        return 1;
+        }       
+IMPLEMENT_DYNAMIC_CHECK_FN()
+IMPLEMENT_DYNAMIC_BIND_FN(bind_fn)
+#endif /* ENGINE_DYNAMIC_SUPPORT */
+
+#endif /* !OPENSSL_NO_HW_NCIPHER */
+#endif /* !OPENSSL_NO_HW */
diff --git a/src/lib/libcrypto/engine/hw_ncipher_err.c b/src/lib/libcrypto/engine/hw_ncipher_err.c
new file mode 100644
index 0000000000..24024cfc6f
--- /dev/null
+++ b/src/lib/libcrypto/engine/hw_ncipher_err.c
@@ -0,0 +1,156 @@
+/* hw_ncipher_err.c */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/* NOTE: this file was auto generated by the mkerr.pl script: any changes
+ * made to it will be overwritten when the script next updates this file,
+ * only reason strings will be preserved.
+ */
+
+#include <stdio.h>
+#include <openssl/err.h>
+#include "hw_ncipher_err.h"
+
+/* BEGIN ERROR CODES */
+#ifndef OPENSSL_NO_ERR
+static ERR_STRING_DATA HWCRHK_str_functs[]=
+        {
+{ERR_PACK(0,HWCRHK_F_HWCRHK_CTRL,0),    "HWCRHK_CTRL"},
+{ERR_PACK(0,HWCRHK_F_HWCRHK_FINISH,0),  "HWCRHK_FINISH"},
+{ERR_PACK(0,HWCRHK_F_HWCRHK_GET_PASS,0),        "HWCRHK_GET_PASS"},
+{ERR_PACK(0,HWCRHK_F_HWCRHK_INIT,0),    "HWCRHK_INIT"},
+{ERR_PACK(0,HWCRHK_F_HWCRHK_INSERT_CARD,0),     "HWCRHK_INSERT_CARD"},
+{ERR_PACK(0,HWCRHK_F_HWCRHK_LOAD_PRIVKEY,0),    "HWCRHK_LOAD_PRIVKEY"},
+{ERR_PACK(0,HWCRHK_F_HWCRHK_LOAD_PUBKEY,0),     "HWCRHK_LOAD_PUBKEY"},
+{ERR_PACK(0,HWCRHK_F_HWCRHK_MOD_EXP,0), "HWCRHK_MOD_EXP"},
+{ERR_PACK(0,HWCRHK_F_HWCRHK_RAND_BYTES,0),      "HWCRHK_RAND_BYTES"},
+{ERR_PACK(0,HWCRHK_F_HWCRHK_RSA_MOD_EXP,0),     "HWCRHK_RSA_MOD_EXP"},
+{0,NULL}
+        };
+
+static ERR_STRING_DATA HWCRHK_str_reasons[]=
+        {
+{HWCRHK_R_ALREADY_LOADED                 ,"already loaded"},
+{HWCRHK_R_BIO_WAS_FREED                  ,"bio was freed"},
+{HWCRHK_R_CHIL_ERROR                     ,"chil error"},
+{HWCRHK_R_CTRL_COMMAND_NOT_IMPLEMENTED   ,"ctrl command not implemented"},
+{HWCRHK_R_DSO_FAILURE                    ,"dso failure"},
+{HWCRHK_R_MISSING_KEY_COMPONENTS         ,"missing key components"},
+{HWCRHK_R_NOT_INITIALISED                ,"not initialised"},
+{HWCRHK_R_NOT_LOADED                     ,"not loaded"},
+{HWCRHK_R_NO_CALLBACK                    ,"no callback"},
+{HWCRHK_R_NO_KEY                         ,"no key"},
+{HWCRHK_R_PRIVATE_KEY_ALGORITHMS_DISABLED,"private key algorithms disabled"},
+{HWCRHK_R_REQUEST_FAILED                 ,"request failed"},
+{HWCRHK_R_REQUEST_FALLBACK               ,"request fallback"},
+{HWCRHK_R_UNIT_FAILURE                   ,"unit failure"},
+{0,NULL}
+        };
+
+#endif
+
+#ifdef HWCRHK_LIB_NAME
+static ERR_STRING_DATA HWCRHK_lib_name[]=
+        {
+{0      ,HWCRHK_LIB_NAME},
+{0,NULL}
+        };
+#endif
+
+
+static int HWCRHK_lib_error_code=0;
+static int HWCRHK_error_init=1;
+
+static void ERR_load_HWCRHK_strings(void)
+        {
+        if (HWCRHK_lib_error_code == 0)
+                HWCRHK_lib_error_code=ERR_get_next_error_library();
+
+        if (HWCRHK_error_init)
+                {
+                HWCRHK_error_init=0;
+#ifndef OPENSSL_NO_ERR
+                ERR_load_strings(HWCRHK_lib_error_code,HWCRHK_str_functs);
+                ERR_load_strings(HWCRHK_lib_error_code,HWCRHK_str_reasons);
+#endif
+
+#ifdef HWCRHK_LIB_NAME
+                HWCRHK_lib_name->error = ERR_PACK(HWCRHK_lib_error_code,0,0);
+                ERR_load_strings(0,HWCRHK_lib_name);
+#endif
+                }
+        }
+
+static void ERR_unload_HWCRHK_strings(void)
+        {
+        if (HWCRHK_error_init == 0)
+                {
+#ifndef OPENSSL_NO_ERR
+                ERR_unload_strings(HWCRHK_lib_error_code,HWCRHK_str_functs);
+                ERR_unload_strings(HWCRHK_lib_error_code,HWCRHK_str_reasons);
+#endif
+
+#ifdef HWCRHK_LIB_NAME
+                ERR_unload_strings(0,HWCRHK_lib_name);
+#endif
+                HWCRHK_error_init=1;
+                }
+        }
+
+static void ERR_HWCRHK_error(int function, int reason, char *file, int line)
+        {
+        if (HWCRHK_lib_error_code == 0)
+                HWCRHK_lib_error_code=ERR_get_next_error_library();
+        ERR_PUT_error(HWCRHK_lib_error_code,function,reason,file,line);
+        }
diff --git a/src/lib/libcrypto/engine/hw_ncipher_err.h b/src/lib/libcrypto/engine/hw_ncipher_err.h
new file mode 100644
index 0000000000..4d65b1d470
--- /dev/null
+++ b/src/lib/libcrypto/engine/hw_ncipher_err.h
@@ -0,0 +1,100 @@
+/* ====================================================================
+ * Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#ifndef HEADER_HWCRHK_ERR_H
+#define HEADER_HWCRHK_ERR_H
+
+/* BEGIN ERROR CODES */
+/* The following lines are auto generated by the script mkerr.pl. Any changes
+ * made after this point may be overwritten when the script is next run.
+ */
+static void ERR_load_HWCRHK_strings(void);
+static void ERR_unload_HWCRHK_strings(void);
+static void ERR_HWCRHK_error(int function, int reason, char *file, int line);
+#define HWCRHKerr(f,r) ERR_HWCRHK_error((f),(r),__FILE__,__LINE__)
+
+/* Error codes for the HWCRHK functions. */
+
+/* Function codes. */
+#define HWCRHK_F_HWCRHK_CTRL                             100
+#define HWCRHK_F_HWCRHK_FINISH                           101
+#define HWCRHK_F_HWCRHK_GET_PASS                         102
+#define HWCRHK_F_HWCRHK_INIT                             103
+#define HWCRHK_F_HWCRHK_INSERT_CARD                      104
+#define HWCRHK_F_HWCRHK_LOAD_PRIVKEY                     105
+#define HWCRHK_F_HWCRHK_LOAD_PUBKEY                      106
+#define HWCRHK_F_HWCRHK_MOD_EXP                          107
+#define HWCRHK_F_HWCRHK_RAND_BYTES                       108
+#define HWCRHK_F_HWCRHK_RSA_MOD_EXP                      109
+
+/* Reason codes. */
+#define HWCRHK_R_ALREADY_LOADED                          100
+#define HWCRHK_R_BIO_WAS_FREED                           101
+#define HWCRHK_R_CHIL_ERROR                              102
+#define HWCRHK_R_CTRL_COMMAND_NOT_IMPLEMENTED            103
+#define HWCRHK_R_DSO_FAILURE                             104
+#define HWCRHK_R_MISSING_KEY_COMPONENTS                  105
+#define HWCRHK_R_NOT_INITIALISED                         106
+#define HWCRHK_R_NOT_LOADED                              107
+#define HWCRHK_R_NO_CALLBACK                             108
+#define HWCRHK_R_NO_KEY                                  109
+#define HWCRHK_R_PRIVATE_KEY_ALGORITHMS_DISABLED         110
+#define HWCRHK_R_REQUEST_FAILED                          111
+#define HWCRHK_R_REQUEST_FALLBACK                        112
+#define HWCRHK_R_UNIT_FAILURE                            113
+
+#ifdef  __cplusplus
+}
+#endif
+#endif
diff --git a/src/lib/libcrypto/engine/hw_nuron.c b/src/lib/libcrypto/engine/hw_nuron.c
new file mode 100644
index 0000000000..2672012154
--- /dev/null
+++ b/src/lib/libcrypto/engine/hw_nuron.c
@@ -0,0 +1,399 @@
+/* crypto/engine/hw_nuron.c */
+/* Written by Ben Laurie for the OpenSSL Project, leaning heavily on Geoff
+ * Thorpe's Atalla implementation.
+ */
+/* ====================================================================
+ * Copyright (c) 2000-2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <openssl/crypto.h>
+#include "cryptlib.h"
+#include <openssl/dso.h>
+#include <openssl/engine.h>
+
+
+#ifndef OPENSSL_NO_HW
+#ifndef OPENSSL_NO_HW_NURON
+
+#define NURON_LIB_NAME "nuron engine"
+#include "hw_nuron_err.c"
+
+static const char def_NURON_LIBNAME[] = "nuronssl";
+static const char *NURON_LIBNAME = def_NURON_LIBNAME;
+static const char *NURON_F1 = "nuron_mod_exp";
+
+/* The definitions for control commands specific to this engine */
+#define NURON_CMD_SO_PATH               ENGINE_CMD_BASE
+static const ENGINE_CMD_DEFN nuron_cmd_defns[] = {
+        {NURON_CMD_SO_PATH,
+                "SO_PATH",
+                "Specifies the path to the 'nuronssl' shared library",
+                ENGINE_CMD_FLAG_STRING},
+        {0, NULL, NULL, 0}
+        };
+
+typedef int tfnModExp(BIGNUM *r,const BIGNUM *a,const BIGNUM *p,const BIGNUM *m);
+static tfnModExp *pfnModExp = NULL;
+
+static DSO *pvDSOHandle = NULL;
+
+static int nuron_destroy(ENGINE *e)
+        {
+        ERR_unload_NURON_strings();
+        return 1;
+        }
+
+static int nuron_init(ENGINE *e)
+        {
+        if(pvDSOHandle != NULL)
+                {
+                NURONerr(NURON_F_NURON_INIT,NURON_R_ALREADY_LOADED);
+                return 0;
+                }
+
+        pvDSOHandle = DSO_load(NULL, NURON_LIBNAME, NULL,
+                DSO_FLAG_NAME_TRANSLATION_EXT_ONLY);
+        if(!pvDSOHandle)
+                {
+                NURONerr(NURON_F_NURON_INIT,NURON_R_DSO_NOT_FOUND);
+                return 0;
+                }
+
+        pfnModExp = (tfnModExp *)DSO_bind_func(pvDSOHandle, NURON_F1);
+        if(!pfnModExp)
+                {
+                NURONerr(NURON_F_NURON_INIT,NURON_R_DSO_FUNCTION_NOT_FOUND);
+                return 0;
+                }
+
+        return 1;
+        }
+
+static int nuron_finish(ENGINE *e)
+        {
+        if(pvDSOHandle == NULL)
+                {
+                NURONerr(NURON_F_NURON_FINISH,NURON_R_NOT_LOADED);
+                return 0;
+                }
+        if(!DSO_free(pvDSOHandle))
+                {
+                NURONerr(NURON_F_NURON_FINISH,NURON_R_DSO_FAILURE);
+                return 0;
+                }
+        pvDSOHandle=NULL;
+        pfnModExp=NULL;
+        return 1;
+        }
+
+static int nuron_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)())
+        {
+        int initialised = ((pvDSOHandle == NULL) ? 0 : 1);
+        switch(cmd)
+                {
+        case NURON_CMD_SO_PATH:
+                if(p == NULL)
+                        {
+                        NURONerr(NURON_F_NURON_CTRL,ERR_R_PASSED_NULL_PARAMETER);
+                        return 0;
+                        }
+                if(initialised)
+                        {
+                        NURONerr(NURON_F_NURON_CTRL,NURON_R_ALREADY_LOADED);
+                        return 0;
+                        }
+                NURON_LIBNAME = (const char *)p;
+                return 1;
+        default:
+                break;
+                }
+        NURONerr(NURON_F_NURON_CTRL,NURON_R_CTRL_COMMAND_NOT_IMPLEMENTED);
+        return 0;
+}
+
+static int nuron_mod_exp(BIGNUM *r,const BIGNUM *a,const BIGNUM *p,
+                         const BIGNUM *m,BN_CTX *ctx)
+        {
+        if(!pvDSOHandle)
+                {
+                NURONerr(NURON_F_NURON_MOD_EXP,NURON_R_NOT_LOADED);
+                return 0;
+                }
+        return pfnModExp(r,a,p,m);
+        }
+
+#ifndef OPENSSL_NO_RSA
+static int nuron_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa)
+        {
+        return nuron_mod_exp(r0,I,rsa->d,rsa->n,NULL);
+        }
+#endif
+
+#ifndef OPENSSL_NO_DSA
+/* This code was liberated and adapted from the commented-out code in
+ * dsa_ossl.c. Because of the unoptimised form of the Atalla acceleration
+ * (it doesn't have a CRT form for RSA), this function means that an
+ * Atalla system running with a DSA server certificate can handshake
+ * around 5 or 6 times faster/more than an equivalent system running with
+ * RSA. Just check out the "signs" statistics from the RSA and DSA parts
+ * of "openssl speed -engine atalla dsa1024 rsa1024". */
+static int nuron_dsa_mod_exp(DSA *dsa, BIGNUM *rr, BIGNUM *a1,
+                             BIGNUM *p1, BIGNUM *a2, BIGNUM *p2, BIGNUM *m,
+                             BN_CTX *ctx, BN_MONT_CTX *in_mont)
+        {
+        BIGNUM t;
+        int to_return = 0;
+ 
+        BN_init(&t);
+        /* let rr = a1 ^ p1 mod m */
+        if (!nuron_mod_exp(rr,a1,p1,m,ctx))
+                goto end;
+        /* let t = a2 ^ p2 mod m */
+        if (!nuron_mod_exp(&t,a2,p2,m,ctx))
+                goto end;
+        /* let rr = rr * t mod m */
+        if (!BN_mod_mul(rr,rr,&t,m,ctx))
+                goto end;
+        to_return = 1;
+end:
+        BN_free(&t);
+        return to_return;
+        }
+
+
+static int nuron_mod_exp_dsa(DSA *dsa, BIGNUM *r, BIGNUM *a,
+                             const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx,
+                             BN_MONT_CTX *m_ctx)
+        {
+        return nuron_mod_exp(r, a, p, m, ctx);
+        }
+#endif
+
+/* This function is aliased to mod_exp (with the mont stuff dropped). */
+static int nuron_mod_exp_mont(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+                              const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx)
+        {
+        return nuron_mod_exp(r, a, p, m, ctx);
+        }
+
+#ifndef OPENSSL_NO_DH
+/* This function is aliased to mod_exp (with the dh and mont dropped). */
+static int nuron_mod_exp_dh(const DH *dh, BIGNUM *r,
+                const BIGNUM *a, const BIGNUM *p,
+                const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx)
+        {
+        return nuron_mod_exp(r, a, p, m, ctx);
+        }
+#endif
+
+#ifndef OPENSSL_NO_RSA
+static RSA_METHOD nuron_rsa =
+        {
+        "Nuron RSA method",
+        NULL,
+        NULL,
+        NULL,
+        NULL,
+        nuron_rsa_mod_exp,
+        nuron_mod_exp_mont,
+        NULL,
+        NULL,
+        0,
+        NULL,
+        NULL,
+        NULL
+        };
+#endif
+
+#ifndef OPENSSL_NO_DSA
+static DSA_METHOD nuron_dsa =
+        {
+        "Nuron DSA method",
+        NULL, /* dsa_do_sign */
+        NULL, /* dsa_sign_setup */
+        NULL, /* dsa_do_verify */
+        nuron_dsa_mod_exp, /* dsa_mod_exp */
+        nuron_mod_exp_dsa, /* bn_mod_exp */
+        NULL, /* init */
+        NULL, /* finish */
+        0, /* flags */
+        NULL /* app_data */
+        };
+#endif
+
+#ifndef OPENSSL_NO_DH
+static DH_METHOD nuron_dh =
+        {
+        "Nuron DH method",
+        NULL,
+        NULL,
+        nuron_mod_exp_dh,
+        NULL,
+        NULL,
+        0,
+        NULL
+        };
+#endif
+
+/* Constants used when creating the ENGINE */
+static const char *engine_nuron_id = "nuron";
+static const char *engine_nuron_name = "Nuron hardware engine support";
+
+/* This internal function is used by ENGINE_nuron() and possibly by the
+ * "dynamic" ENGINE support too */
+static int bind_helper(ENGINE *e)
+        {
+#ifndef OPENSSL_NO_RSA
+        const RSA_METHOD *meth1;
+#endif
+#ifndef OPENSSL_NO_DSA
+        const DSA_METHOD *meth2;
+#endif
+#ifndef OPENSSL_NO_DH
+        const DH_METHOD *meth3;
+#endif
+        if(!ENGINE_set_id(e, engine_nuron_id) ||
+                        !ENGINE_set_name(e, engine_nuron_name) ||
+#ifndef OPENSSL_NO_RSA
+                        !ENGINE_set_RSA(e, &nuron_rsa) ||
+#endif
+#ifndef OPENSSL_NO_DSA
+                        !ENGINE_set_DSA(e, &nuron_dsa) ||
+#endif
+#ifndef OPENSSL_NO_DH
+                        !ENGINE_set_DH(e, &nuron_dh) ||
+#endif
+                        !ENGINE_set_destroy_function(e, nuron_destroy) ||
+                        !ENGINE_set_init_function(e, nuron_init) ||
+                        !ENGINE_set_finish_function(e, nuron_finish) ||
+                        !ENGINE_set_ctrl_function(e, nuron_ctrl) ||
+                        !ENGINE_set_cmd_defns(e, nuron_cmd_defns))
+                return 0;
+
+#ifndef OPENSSL_NO_RSA
+        /* We know that the "PKCS1_SSLeay()" functions hook properly
+         * to the nuron-specific mod_exp and mod_exp_crt so we use
+         * those functions. NB: We don't use ENGINE_openssl() or
+         * anything "more generic" because something like the RSAref
+         * code may not hook properly, and if you own one of these
+         * cards then you have the right to do RSA operations on it
+         * anyway! */ 
+        meth1=RSA_PKCS1_SSLeay();
+        nuron_rsa.rsa_pub_enc=meth1->rsa_pub_enc;
+        nuron_rsa.rsa_pub_dec=meth1->rsa_pub_dec;
+        nuron_rsa.rsa_priv_enc=meth1->rsa_priv_enc;
+        nuron_rsa.rsa_priv_dec=meth1->rsa_priv_dec;
+#endif
+
+#ifndef OPENSSL_NO_DSA
+        /* Use the DSA_OpenSSL() method and just hook the mod_exp-ish
+         * bits. */
+        meth2=DSA_OpenSSL();
+        nuron_dsa.dsa_do_sign=meth2->dsa_do_sign;
+        nuron_dsa.dsa_sign_setup=meth2->dsa_sign_setup;
+        nuron_dsa.dsa_do_verify=meth2->dsa_do_verify;
+#endif
+
+#ifndef OPENSSL_NO_DH
+        /* Much the same for Diffie-Hellman */
+        meth3=DH_OpenSSL();
+        nuron_dh.generate_key=meth3->generate_key;
+        nuron_dh.compute_key=meth3->compute_key;
+#endif
+
+        /* Ensure the nuron error handling is set up */
+        ERR_load_NURON_strings();
+        return 1;
+        }
+
+static ENGINE *engine_nuron(void)
+        {
+        ENGINE *ret = ENGINE_new();
+        if(!ret)
+                return NULL;
+        if(!bind_helper(ret))
+                {
+                ENGINE_free(ret);
+                return NULL;
+                }
+        return ret;
+        }
+
+void ENGINE_load_nuron(void)
+        {
+        /* Copied from eng_[openssl|dyn].c */
+        ENGINE *toadd = engine_nuron();
+        if(!toadd) return;
+        ENGINE_add(toadd);
+        ENGINE_free(toadd);
+        ERR_clear_error();
+        }
+
+/* This stuff is needed if this ENGINE is being compiled into a self-contained
+ * shared-library. */      
+#ifdef ENGINE_DYNAMIC_SUPPORT
+static int bind_fn(ENGINE *e, const char *id)
+        {
+        if(id && (strcmp(id, engine_nuron_id) != 0))
+                return 0;
+        if(!bind_helper(e))
+                return 0;
+        return 1;
+        }       
+IMPLEMENT_DYNAMIC_CHECK_FN()
+IMPLEMENT_DYNAMIC_BIND_FN(bind_fn)
+#endif /* ENGINE_DYNAMIC_SUPPORT */
+
+#endif /* !OPENSSL_NO_HW_NURON */
+#endif /* !OPENSSL_NO_HW */
diff --git a/src/lib/libcrypto/engine/hw_nuron_err.c b/src/lib/libcrypto/engine/hw_nuron_err.c
new file mode 100644
index 0000000000..df9d7bde76
--- /dev/null
+++ b/src/lib/libcrypto/engine/hw_nuron_err.c
@@ -0,0 +1,142 @@
+/* hw_nuron_err.c */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/* NOTE: this file was auto generated by the mkerr.pl script: any changes
+ * made to it will be overwritten when the script next updates this file,
+ * only reason strings will be preserved.
+ */
+
+#include <stdio.h>
+#include <openssl/err.h>
+#include "hw_nuron_err.h"
+
+/* BEGIN ERROR CODES */
+#ifndef OPENSSL_NO_ERR
+static ERR_STRING_DATA NURON_str_functs[]=
+        {
+{ERR_PACK(0,NURON_F_NURON_CTRL,0),      "NURON_CTRL"},
+{ERR_PACK(0,NURON_F_NURON_FINISH,0),    "NURON_FINISH"},
+{ERR_PACK(0,NURON_F_NURON_INIT,0),      "NURON_INIT"},
+{ERR_PACK(0,NURON_F_NURON_MOD_EXP,0),   "NURON_MOD_EXP"},
+{0,NULL}
+        };
+
+static ERR_STRING_DATA NURON_str_reasons[]=
+        {
+{NURON_R_ALREADY_LOADED                  ,"already loaded"},
+{NURON_R_CTRL_COMMAND_NOT_IMPLEMENTED    ,"ctrl command not implemented"},
+{NURON_R_DSO_FAILURE                     ,"dso failure"},
+{NURON_R_DSO_FUNCTION_NOT_FOUND          ,"dso function not found"},
+{NURON_R_DSO_NOT_FOUND                   ,"dso not found"},
+{NURON_R_NOT_LOADED                      ,"not loaded"},
+{0,NULL}
+        };
+
+#endif
+
+#ifdef NURON_LIB_NAME
+static ERR_STRING_DATA NURON_lib_name[]=
+        {
+{0      ,NURON_LIB_NAME},
+{0,NULL}
+        };
+#endif
+
+
+static int NURON_lib_error_code=0;
+static int NURON_error_init=1;
+
+static void ERR_load_NURON_strings(void)
+        {
+        if (NURON_lib_error_code == 0)
+                NURON_lib_error_code=ERR_get_next_error_library();
+
+        if (NURON_error_init)
+                {
+                NURON_error_init=0;
+#ifndef OPENSSL_NO_ERR
+                ERR_load_strings(NURON_lib_error_code,NURON_str_functs);
+                ERR_load_strings(NURON_lib_error_code,NURON_str_reasons);
+#endif
+
+#ifdef NURON_LIB_NAME
+                NURON_lib_name->error = ERR_PACK(NURON_lib_error_code,0,0);
+                ERR_load_strings(0,NURON_lib_name);
+#endif
+                }
+        }
+
+static void ERR_unload_NURON_strings(void)
+        {
+        if (NURON_error_init == 0)
+                {
+#ifndef OPENSSL_NO_ERR
+                ERR_unload_strings(NURON_lib_error_code,NURON_str_functs);
+                ERR_unload_strings(NURON_lib_error_code,NURON_str_reasons);
+#endif
+
+#ifdef NURON_LIB_NAME
+                ERR_unload_strings(0,NURON_lib_name);
+#endif
+                NURON_error_init=1;
+                }
+        }
+
+static void ERR_NURON_error(int function, int reason, char *file, int line)
+        {
+        if (NURON_lib_error_code == 0)
+                NURON_lib_error_code=ERR_get_next_error_library();
+        ERR_PUT_error(NURON_lib_error_code,function,reason,file,line);
+        }
diff --git a/src/lib/libcrypto/engine/hw_nuron_err.h b/src/lib/libcrypto/engine/hw_nuron_err.h
new file mode 100644
index 0000000000..a56bfdf303
--- /dev/null
+++ b/src/lib/libcrypto/engine/hw_nuron_err.h
@@ -0,0 +1,86 @@
+/* ====================================================================
+ * Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#ifndef HEADER_NURON_ERR_H
+#define HEADER_NURON_ERR_H
+
+/* BEGIN ERROR CODES */
+/* The following lines are auto generated by the script mkerr.pl. Any changes
+ * made after this point may be overwritten when the script is next run.
+ */
+static void ERR_load_NURON_strings(void);
+static void ERR_unload_NURON_strings(void);
+static void ERR_NURON_error(int function, int reason, char *file, int line);
+#define NURONerr(f,r) ERR_NURON_error((f),(r),__FILE__,__LINE__)
+
+/* Error codes for the NURON functions. */
+
+/* Function codes. */
+#define NURON_F_NURON_CTRL                               100
+#define NURON_F_NURON_FINISH                             101
+#define NURON_F_NURON_INIT                               102
+#define NURON_F_NURON_MOD_EXP                            103
+
+/* Reason codes. */
+#define NURON_R_ALREADY_LOADED                           100
+#define NURON_R_CTRL_COMMAND_NOT_IMPLEMENTED             101
+#define NURON_R_DSO_FAILURE                              102
+#define NURON_R_DSO_FUNCTION_NOT_FOUND                   103
+#define NURON_R_DSO_NOT_FOUND                            104
+#define NURON_R_NOT_LOADED                               105
+
+#ifdef  __cplusplus
+}
+#endif
+#endif
diff --git a/src/lib/libcrypto/engine/hw_openbsd_dev_crypto.c b/src/lib/libcrypto/engine/hw_openbsd_dev_crypto.c
new file mode 100644
index 0000000000..f946389b8a
--- /dev/null
+++ b/src/lib/libcrypto/engine/hw_openbsd_dev_crypto.c
@@ -0,0 +1,594 @@
+/* Written by Ben Laurie <ben@algroup.co.uk> August 2001 */
+/* ====================================================================
+ * Copyright (c) 1999-2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <openssl/engine.h>
+#include <openssl/evp.h>
+#include "eng_int.h"
+/* Maybe this is needed? ... */
+#ifdef FLAT_INC
+#include "evp_locl.h"
+#else
+#include "../evp/evp_locl.h"
+#endif
+#include <openssl/conf.h>
+
+#ifndef OPENSSL_OPENBSD_DEV_CRYPTO
+
+void ENGINE_load_openbsd_dev_crypto(void)
+        {
+        /* This is a NOP unless OPENSSL_OPENBSD_DEV_CRYPTO is defined */
+        return;
+        }
+
+#else /* OPENSSL_OPENBSD_DEV_CRYPTO */
+
+#include <fcntl.h>
+#include <stdio.h>
+#include <errno.h>
+#include <assert.h>
+#include <unistd.h>
+#include <sys/ioctl.h>
+
+#include <crypto/cryptodev.h>
+
+/****************************************************/
+/* Declare the normal generic ENGINE stuff here ... */
+
+static int dev_crypto_ciphers(ENGINE *e, const EVP_CIPHER **cipher,
+                                const int **nids, int nid);
+static int dev_crypto_digests(ENGINE *e, const EVP_MD **digest,
+                                const int **nids, int nid);
+
+static const char dev_crypto_id[] = "openbsd_dev_crypto";
+static const char dev_crypto_name[] = "OpenBSD /dev/crypto";
+
+static long allow_misaligned;
+
+#define DEV_CRYPTO_CMD_ALLOW_MISALIGNED         ENGINE_CMD_BASE
+static const ENGINE_CMD_DEFN dev_crypto_cmd_defns[]=
+        {
+        { DEV_CRYPTO_CMD_ALLOW_MISALIGNED,
+          "allow_misaligned",
+          "Permit misaligned data to be used",
+          ENGINE_CMD_FLAG_NUMERIC },
+        { 0, NULL, NULL, 0 }
+        };
+
+static int dev_crypto_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)())
+        {
+        switch(cmd)
+                {
+        case DEV_CRYPTO_CMD_ALLOW_MISALIGNED:
+                allow_misaligned=i;
+                printf("allow misaligned=%ld\n",allow_misaligned);
+                break;
+                }
+
+        return 1;
+        }
+
+static ENGINE *engine_openbsd_dev_crypto(void)
+        {
+        ENGINE *engine=ENGINE_new();
+
+        if(!ENGINE_set_id(engine, dev_crypto_id) ||
+           !ENGINE_set_name(engine, dev_crypto_name) ||
+           !ENGINE_set_ciphers(engine, dev_crypto_ciphers) ||
+           !ENGINE_set_digests(engine, dev_crypto_digests) ||
+           !ENGINE_set_ctrl_function(engine, dev_crypto_ctrl) ||
+           !ENGINE_set_cmd_defns(engine, dev_crypto_cmd_defns))
+                {
+                ENGINE_free(engine);
+                return NULL;
+                }
+
+        return engine;
+        }
+
+void ENGINE_load_openbsd_dev_crypto(void)
+        {
+        /* Copied from eng_[openssl|dyn].c */
+        ENGINE *toadd = engine_openbsd_dev_crypto();
+        if(!toadd) return;
+        ENGINE_add(toadd);
+        ENGINE_free(toadd);
+        ERR_clear_error();
+        }
+
+/******************************************************************************/
+/* Clip in the stuff from crypto/evp/openbsd_hw.c here. NB: What has changed? */
+/* I've removed the exposed EVP_*** functions, they're accessed through the   */
+/* "dev_crypto_[ciphers|digests]" handlers. I've also moved the EVP_CIPHER    */
+/* and EVP_MD structures to the bottom where they are close to the handlers   */
+/* that expose them. What should be done? The global data (file-descriptors,  */
+/* etc) should be put into ENGINE's ex_data support, and per-context data     */
+/* (also file-descriptors perhaps) should be put into the contexts. Also code */
+/* formatting, fprintf statements, and OpenSSL-style error handling should be */
+/* added (dynamically, like the other ENGINEs). Also, "dynamic" support       */
+/* be added to this ENGINE once it's up and running so that it could be built */
+/* as a shared-library. What else? device initialisation should take place    */
+/* inside an ENGINE 'init()' handler (and likewise 'finish()'). ciphers and   */
+/* digests won't be used by the framework unless the ENGINE has been          */
+/* successfully initialised (that's one of the things you get for free) so    */
+/* initialisation, including returning failure if device setup fails, can be  */
+/* handled quite cleanly. This could presumably handle the opening (and then  */
+/* closing inside 'finish()') of the 'cryptodev_fd' file-descriptor).         */
+
+/* longest key supported in hardware */
+#define MAX_HW_KEY      24
+#define MAX_HW_IV       8
+
+#define MD5_DIGEST_LENGTH       16
+#define MD5_CBLOCK              64
+
+static int fd;
+static int dev_failed;
+
+typedef struct session_op session_op;
+
+#define CDATA(ctx) EVP_C_DATA(session_op,ctx)
+
+static void err(const char *str)
+    {
+    fprintf(stderr,"%s: errno %d\n",str,errno);
+    }
+
+static int dev_crypto_init(session_op *ses)
+    {
+    if(dev_failed)
+        return 0;
+    if(!fd)
+        {
+        int cryptodev_fd;
+
+        if ((cryptodev_fd=open("/dev/crypto",O_RDWR,0)) < 0)
+            {
+            err("/dev/crypto");
+            dev_failed=1;
+            return 0;
+            }
+        if (ioctl(cryptodev_fd,CRIOGET,&fd) == -1)
+            {
+            err("CRIOGET failed");
+            close(cryptodev_fd);
+            dev_failed=1;
+            return 0;
+            }
+        close(cryptodev_fd);
+        }
+    assert(ses);
+    memset(ses,'\0',sizeof *ses);
+
+    return 1;
+    }
+
+static int dev_crypto_cleanup(EVP_CIPHER_CTX *ctx)
+    {
+    fprintf(stderr,"cleanup %d\n",CDATA(ctx)->ses);
+    if(ioctl(fd,CIOCFSESSION,&CDATA(ctx)->ses) == -1)
+        err("CIOCFSESSION failed");
+
+    OPENSSL_free(CDATA(ctx)->key);
+
+    return 1;
+    }
+
+static int dev_crypto_init_key(EVP_CIPHER_CTX *ctx,int cipher,
+                               const unsigned char *key,int klen)
+    {
+    if(!dev_crypto_init(CDATA(ctx)))
+        return 0;
+
+    CDATA(ctx)->key=OPENSSL_malloc(MAX_HW_KEY);
+
+    assert(ctx->cipher->iv_len <= MAX_HW_IV);
+
+    memcpy(CDATA(ctx)->key,key,klen);
+    
+    CDATA(ctx)->cipher=cipher;
+    CDATA(ctx)->keylen=klen;
+
+    if (ioctl(fd,CIOCGSESSION,CDATA(ctx)) == -1)
+        {
+        err("CIOCGSESSION failed");
+        return 0;
+        }
+    return 1;
+    }
+
+static int dev_crypto_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
+                             const unsigned char *in,unsigned int inl)
+    {
+    struct crypt_op cryp;
+    unsigned char lb[MAX_HW_IV];
+
+    if(!inl)
+        return 1;
+
+    assert(CDATA(ctx));
+    assert(!dev_failed);
+
+    memset(&cryp,'\0',sizeof cryp);
+    cryp.ses=CDATA(ctx)->ses;
+    cryp.op=ctx->encrypt ? COP_ENCRYPT : COP_DECRYPT;
+    cryp.flags=0;
+    cryp.len=inl;
+    assert((inl&(ctx->cipher->block_size-1)) == 0);
+    cryp.src=(caddr_t)in;
+    cryp.dst=(caddr_t)out;
+    cryp.mac=0;
+    if(ctx->cipher->iv_len)
+        cryp.iv=(caddr_t)ctx->iv;
+
+    if(!ctx->encrypt)
+        memcpy(lb,&in[cryp.len-ctx->cipher->iv_len],ctx->cipher->iv_len);
+
+    if(ioctl(fd, CIOCCRYPT, &cryp) == -1)
+        {
+        if(errno == EINVAL) /* buffers are misaligned */
+            {
+            unsigned int cinl=0;
+            char *cin=NULL;
+            char *cout=NULL;
+
+            /* NB: this can only make cinl != inl with stream ciphers */
+            cinl=(inl+3)/4*4;
+
+            if(((unsigned long)in&3) || cinl != inl)
+                {
+                cin=OPENSSL_malloc(cinl);
+                memcpy(cin,in,inl);
+                cryp.src=cin;
+                }
+
+            if(((unsigned long)out&3) || cinl != inl)
+                {
+                cout=OPENSSL_malloc(cinl);
+                cryp.dst=cout;
+                }
+
+            cryp.len=cinl;
+
+            if(ioctl(fd, CIOCCRYPT, &cryp) == -1)
+                {
+                err("CIOCCRYPT(2) failed");
+                printf("src=%p dst=%p\n",cryp.src,cryp.dst);
+                abort();
+                return 0;
+                }
+                
+            if(cout)
+                {
+                memcpy(out,cout,inl);
+                OPENSSL_free(cout);
+                }
+            if(cin)
+                OPENSSL_free(cin);
+            }
+        else 
+            {       
+            err("CIOCCRYPT failed");
+            abort();
+            return 0;
+            }
+        }
+
+    if(ctx->encrypt)
+        memcpy(ctx->iv,&out[cryp.len-ctx->cipher->iv_len],ctx->cipher->iv_len);
+    else
+        memcpy(ctx->iv,lb,ctx->cipher->iv_len);
+
+    return 1;
+    }
+
+static int dev_crypto_des_ede3_init_key(EVP_CIPHER_CTX *ctx,
+                                        const unsigned char *key,
+                                        const unsigned char *iv, int enc)
+    { return dev_crypto_init_key(ctx,CRYPTO_3DES_CBC,key,24); }
+
+static int dev_crypto_rc4_init_key(EVP_CIPHER_CTX *ctx,
+                                        const unsigned char *key,
+                                        const unsigned char *iv, int enc)
+    { return dev_crypto_init_key(ctx,CRYPTO_ARC4,key,16); }
+
+typedef struct
+    {
+    session_op sess;
+    char *data;
+    int len;
+    unsigned char md[EVP_MAX_MD_SIZE];
+    } MD_DATA;
+
+static int dev_crypto_init_digest(MD_DATA *md_data,int mac)
+    {
+    if(!dev_crypto_init(&md_data->sess))
+        return 0;
+
+    md_data->len=0;
+    md_data->data=NULL;
+
+    md_data->sess.mac=mac;
+
+    if (ioctl(fd,CIOCGSESSION,&md_data->sess) == -1)
+        {
+        err("CIOCGSESSION failed");
+        return 0;
+        }
+    fprintf(stderr,"opened %d\n",md_data->sess.ses);
+    return 1;
+    }
+
+static int dev_crypto_cleanup_digest(MD_DATA *md_data)
+    {
+    fprintf(stderr,"cleanup %d\n",md_data->sess.ses);
+    if (ioctl(fd,CIOCFSESSION,&md_data->sess.ses) == -1)
+        {
+        err("CIOCFSESSION failed");
+        return 0;
+        }
+
+    return 1;
+    }
+
+/* FIXME: if device can do chained MACs, then don't accumulate */
+/* FIXME: move accumulation to the framework */
+static int dev_crypto_md5_init(EVP_MD_CTX *ctx)
+    { return dev_crypto_init_digest(ctx->md_data,CRYPTO_MD5); }
+
+static int do_digest(int ses,unsigned char *md,const void *data,int len)
+    {
+    struct crypt_op cryp;
+    static unsigned char md5zero[16]=
+        {
+        0xd4,0x1d,0x8c,0xd9,0x8f,0x00,0xb2,0x04,
+        0xe9,0x80,0x09,0x98,0xec,0xf8,0x42,0x7e
+        };
+
+    /* some cards can't do zero length */
+    if(!len)
+        {
+        memcpy(md,md5zero,16);
+        return 1;
+        }
+
+    memset(&cryp,'\0',sizeof cryp);
+    cryp.ses=ses;
+    cryp.op=COP_ENCRYPT;/* required to do the MAC rather than check it */
+    cryp.len=len;
+    cryp.src=(caddr_t)data;
+    cryp.dst=(caddr_t)data; // FIXME!!!
+    cryp.mac=(caddr_t)md;
+
+    if(ioctl(fd, CIOCCRYPT, &cryp) == -1)
+        {
+        if(errno == EINVAL && allow_misaligned) /* buffer is misaligned */
+            {
+            char *dcopy;
+
+            dcopy=OPENSSL_malloc(len);
+            memcpy(dcopy,data,len);
+            cryp.src=dcopy;
+            cryp.dst=cryp.src; // FIXME!!!
+
+            if(ioctl(fd, CIOCCRYPT, &cryp) == -1)
+                {
+                err("CIOCCRYPT(MAC2) failed");
+                abort();
+                return 0;
+                }
+            OPENSSL_free(dcopy);
+            }
+        else
+            {
+            err("CIOCCRYPT(MAC) failed");
+            abort();
+            return 0;
+            }
+        }
+    //    printf("done\n");
+
+    return 1;
+    }
+
+static int dev_crypto_md5_update(EVP_MD_CTX *ctx,const void *data,
+                                 unsigned long len)
+    {
+    MD_DATA *md_data=ctx->md_data;
+
+    if(ctx->flags&EVP_MD_CTX_FLAG_ONESHOT)
+        return do_digest(md_data->sess.ses,md_data->md,data,len);
+
+    md_data->data=OPENSSL_realloc(md_data->data,md_data->len+len);
+    memcpy(md_data->data+md_data->len,data,len);
+    md_data->len+=len;
+
+    return 1;
+    }   
+
+static int dev_crypto_md5_final(EVP_MD_CTX *ctx,unsigned char *md)
+    {
+    int ret;
+    MD_DATA *md_data=ctx->md_data;
+
+    if(ctx->flags&EVP_MD_CTX_FLAG_ONESHOT)
+        {
+        memcpy(md,md_data->md,MD5_DIGEST_LENGTH);
+        ret=1;
+        }
+    else
+        {
+        ret=do_digest(md_data->sess.ses,md,md_data->data,md_data->len);
+        OPENSSL_free(md_data->data);
+        md_data->data=NULL;
+        md_data->len=0;
+        }
+
+    return ret;
+    }
+
+static int dev_crypto_md5_copy(EVP_MD_CTX *to,const EVP_MD_CTX *from)
+    {
+    const MD_DATA *from_md=from->md_data;
+    MD_DATA *to_md=to->md_data;
+
+    // How do we copy sessions?
+    assert(from->digest->flags&EVP_MD_FLAG_ONESHOT);
+
+    to_md->data=OPENSSL_malloc(from_md->len);
+    memcpy(to_md->data,from_md->data,from_md->len);
+
+    return 1;
+    }
+
+static int dev_crypto_md5_cleanup(EVP_MD_CTX *ctx)
+    {
+    return dev_crypto_cleanup_digest(ctx->md_data);
+    }
+
+/**************************************************************************/
+/* Here are the moved declarations of the EVP_CIPHER and EVP_MD           */
+/* implementations. They're down here to be within easy editor-distance   */
+/* of the digests and ciphers handler functions.                          */
+
+#define dev_crypto_des_ede3_cbc_cipher dev_crypto_cipher
+
+BLOCK_CIPHER_def_cbc(dev_crypto_des_ede3, session_op, NID_des_ede3, 8, 24, 8,
+                     0, dev_crypto_des_ede3_init_key,
+                     dev_crypto_cleanup, 
+                     EVP_CIPHER_set_asn1_iv,
+                     EVP_CIPHER_get_asn1_iv,
+                     NULL)
+
+static const EVP_CIPHER r4_cipher=
+    {
+    NID_rc4,
+    1,16,0,     /* FIXME: key should be up to 256 bytes */
+    EVP_CIPH_VARIABLE_LENGTH,
+    dev_crypto_rc4_init_key,
+    dev_crypto_cipher,
+    dev_crypto_cleanup,
+    sizeof(session_op),
+    NULL,
+    NULL,
+    NULL
+    };
+
+static const EVP_MD md5_md=
+    {
+    NID_md5,
+    NID_md5WithRSAEncryption,
+    MD5_DIGEST_LENGTH,
+    EVP_MD_FLAG_ONESHOT,        // XXX: set according to device info...
+    dev_crypto_md5_init,
+    dev_crypto_md5_update,
+    dev_crypto_md5_final,
+    dev_crypto_md5_copy,
+    dev_crypto_md5_cleanup,
+    EVP_PKEY_RSA_method,
+    MD5_CBLOCK,
+    sizeof(MD_DATA),
+    };
+
+/****************************************************************/
+/* Implement the dev_crypto_[ciphers|digests] handlers here ... */
+
+static int cipher_nids[] = {NID_des_ede3_cbc, NID_rc4};
+static int cipher_nids_num = 2;
+static int digest_nids[] = {NID_md5};
+static int digest_nids_num = 1;
+
+static int dev_crypto_ciphers(ENGINE *e, const EVP_CIPHER **cipher,
+                                const int **nids, int nid)
+        {
+        if(!cipher)
+                {
+                /* We are returning a list of supported nids */
+                *nids = cipher_nids;
+                return cipher_nids_num;
+                }
+        /* We are being asked for a specific cipher */
+        if(nid == NID_rc4)
+                *cipher = &r4_cipher;
+        else if(nid == NID_des_ede3_cbc)
+                *cipher = &dev_crypto_des_ede3_cbc;
+        else
+                {
+                *cipher = NULL;
+                return 0;
+                }
+        return 1;
+        }
+
+static int dev_crypto_digests(ENGINE *e, const EVP_MD **digest,
+                                const int **nids, int nid)
+        {
+        if(!digest)
+                {
+                /* We are returning a list of supported nids */
+                *nids = digest_nids;
+                return digest_nids_num;
+                }
+        /* We are being asked for a specific digest */
+        if(nid == NID_md5)
+                *digest = &md5_md;
+        else
+                {
+                *digest = NULL;
+                return 0;
+                }
+        return 1;
+        }
+
+#endif /* OPENSSL_OPENBSD_DEV_CRYPTO */
diff --git a/src/lib/libcrypto/engine/hw_sureware_err.c b/src/lib/libcrypto/engine/hw_sureware_err.c
new file mode 100644
index 0000000000..69955dadbb
--- /dev/null
+++ b/src/lib/libcrypto/engine/hw_sureware_err.c
@@ -0,0 +1,150 @@
+/* hw_sureware_err.c */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/* NOTE: this file was auto generated by the mkerr.pl script: any changes
+ * made to it will be overwritten when the script next updates this file,
+ * only reason strings will be preserved.
+ */
+
+#include <stdio.h>
+#include <openssl/err.h>
+#include "hw_sureware_err.h"
+
+/* BEGIN ERROR CODES */
+#ifndef OPENSSL_NO_ERR
+static ERR_STRING_DATA SUREWARE_str_functs[]=
+        {
+{ERR_PACK(0,SUREWARE_F_SUREWAREHK_CTRL,0),      "SUREWAREHK_CTRL"},
+{ERR_PACK(0,SUREWARE_F_SUREWAREHK_DSA_DO_SIGN,0),       "SUREWAREHK_DSA_DO_SIGN"},
+{ERR_PACK(0,SUREWARE_F_SUREWAREHK_EX_FREE,0),   "SUREWAREHK_EX_FREE"},
+{ERR_PACK(0,SUREWARE_F_SUREWAREHK_FINISH,0),    "SUREWAREHK_FINISH"},
+{ERR_PACK(0,SUREWARE_F_SUREWAREHK_INIT,0),      "SUREWAREHK_INIT"},
+{ERR_PACK(0,SUREWARE_F_SUREWAREHK_LOAD_PRIVATE_KEY,0),  "SUREWAREHK_LOAD_PRIVATE_KEY"},
+{ERR_PACK(0,SUREWARE_F_SUREWAREHK_LOAD_PUBLIC_KEY,0),   "SUREWAREHK_LOAD_PUBLIC_KEY"},
+{ERR_PACK(0,SUREWARE_F_SUREWAREHK_MOD_EXP,0),   "SUREWAREHK_MOD_EXP"},
+{ERR_PACK(0,SUREWARE_F_SUREWAREHK_RAND_BYTES,0),        "SUREWAREHK_RAND_BYTES"},
+{ERR_PACK(0,SUREWARE_F_SUREWAREHK_RAND_SEED,0), "SUREWAREHK_RAND_SEED"},
+{ERR_PACK(0,SUREWARE_F_SUREWAREHK_RSA_PRIV_DEC,0),      "SUREWAREHK_RSA_PRIV_DEC"},
+{ERR_PACK(0,SUREWARE_F_SUREWAREHK_RSA_PRIV_ENC,0),      "SUREWAREHK_RSA_PRIV_ENC"},
+{0,NULL}
+        };
+
+static ERR_STRING_DATA SUREWARE_str_reasons[]=
+        {
+{SUREWARE_R_BIO_WAS_FREED                ,"bio was freed"},
+{SUREWARE_R_MISSING_KEY_COMPONENTS       ,"missing key components"},
+{SUREWARE_R_REQUEST_FAILED               ,"request failed"},
+{SUREWARE_R_REQUEST_FALLBACK             ,"request fallback"},
+{SUREWARE_R_SIZE_TOO_LARGE_OR_TOO_SMALL  ,"size too large or too small"},
+{SUREWARE_R_UNIT_FAILURE                 ,"unit failure"},
+{0,NULL}
+        };
+
+#endif
+
+#ifdef SUREWARE_LIB_NAME
+static ERR_STRING_DATA SUREWARE_lib_name[]=
+        {
+{0      ,SUREWARE_LIB_NAME},
+{0,NULL}
+        };
+#endif
+
+
+static int SUREWARE_lib_error_code=0;
+static int SUREWARE_error_init=1;
+
+static void ERR_load_SUREWARE_strings(void)
+        {
+        if (SUREWARE_lib_error_code == 0)
+                SUREWARE_lib_error_code=ERR_get_next_error_library();
+
+        if (SUREWARE_error_init)
+                {
+                SUREWARE_error_init=0;
+#ifndef OPENSSL_NO_ERR
+                ERR_load_strings(SUREWARE_lib_error_code,SUREWARE_str_functs);
+                ERR_load_strings(SUREWARE_lib_error_code,SUREWARE_str_reasons);
+#endif
+
+#ifdef SUREWARE_LIB_NAME
+                SUREWARE_lib_name->error = ERR_PACK(SUREWARE_lib_error_code,0,0);
+                ERR_load_strings(0,SUREWARE_lib_name);
+#endif
+                }
+        }
+
+static void ERR_unload_SUREWARE_strings(void)
+        {
+        if (SUREWARE_error_init == 0)
+                {
+#ifndef OPENSSL_NO_ERR
+                ERR_unload_strings(SUREWARE_lib_error_code,SUREWARE_str_functs);
+                ERR_unload_strings(SUREWARE_lib_error_code,SUREWARE_str_reasons);
+#endif
+
+#ifdef SUREWARE_LIB_NAME
+                ERR_unload_strings(0,SUREWARE_lib_name);
+#endif
+                SUREWARE_error_init=1;
+                }
+        }
+
+static void ERR_SUREWARE_error(int function, int reason, char *file, int line)
+        {
+        if (SUREWARE_lib_error_code == 0)
+                SUREWARE_lib_error_code=ERR_get_next_error_library();
+        ERR_PUT_error(SUREWARE_lib_error_code,function,reason,file,line);
+        }
diff --git a/src/lib/libcrypto/engine/hw_sureware_err.h b/src/lib/libcrypto/engine/hw_sureware_err.h
new file mode 100644
index 0000000000..bc52af5e05
--- /dev/null
+++ b/src/lib/libcrypto/engine/hw_sureware_err.h
@@ -0,0 +1,94 @@
+/* ====================================================================
+ * Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#ifndef HEADER_SUREWARE_ERR_H
+#define HEADER_SUREWARE_ERR_H
+
+/* BEGIN ERROR CODES */
+/* The following lines are auto generated by the script mkerr.pl. Any changes
+ * made after this point may be overwritten when the script is next run.
+ */
+static void ERR_load_SUREWARE_strings(void);
+static void ERR_unload_SUREWARE_strings(void);
+static void ERR_SUREWARE_error(int function, int reason, char *file, int line);
+#define SUREWAREerr(f,r) ERR_SUREWARE_error((f),(r),__FILE__,__LINE__)
+
+/* Error codes for the SUREWARE functions. */
+
+/* Function codes. */
+#define SUREWARE_F_SUREWAREHK_CTRL                       100
+#define SUREWARE_F_SUREWAREHK_DSA_DO_SIGN                101
+#define SUREWARE_F_SUREWAREHK_EX_FREE                    102
+#define SUREWARE_F_SUREWAREHK_FINISH                     103
+#define SUREWARE_F_SUREWAREHK_INIT                       104
+#define SUREWARE_F_SUREWAREHK_LOAD_PRIVATE_KEY           105
+#define SUREWARE_F_SUREWAREHK_LOAD_PUBLIC_KEY            106
+#define SUREWARE_F_SUREWAREHK_MOD_EXP                    107
+#define SUREWARE_F_SUREWAREHK_RAND_BYTES                 108
+#define SUREWARE_F_SUREWAREHK_RAND_SEED                  109
+#define SUREWARE_F_SUREWAREHK_RSA_PRIV_DEC               110
+#define SUREWARE_F_SUREWAREHK_RSA_PRIV_ENC               111
+
+/* Reason codes. */
+#define SUREWARE_R_BIO_WAS_FREED                         100
+#define SUREWARE_R_MISSING_KEY_COMPONENTS                105
+#define SUREWARE_R_REQUEST_FAILED                        101
+#define SUREWARE_R_REQUEST_FALLBACK                      102
+#define SUREWARE_R_SIZE_TOO_LARGE_OR_TOO_SMALL           103
+#define SUREWARE_R_UNIT_FAILURE                          104
+
+#ifdef  __cplusplus
+}
+#endif
+#endif
diff --git a/src/lib/libcrypto/engine/hw_ubsec.c b/src/lib/libcrypto/engine/hw_ubsec.c
new file mode 100644
index 0000000000..743c06043c
--- /dev/null
+++ b/src/lib/libcrypto/engine/hw_ubsec.c
@@ -0,0 +1,1041 @@
+/* crypto/engine/hw_ubsec.c */
+/* Written by Geoff Thorpe (geoff@geoffthorpe.net) for the OpenSSL
+ * project 2000.
+ *
+ * Cloned shamelessly by Joe Tardo. 
+ */
+/* ====================================================================
+ * Copyright (c) 1999-2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <openssl/crypto.h>
+#include "cryptlib.h"
+#include <openssl/dso.h>
+#include <openssl/engine.h>
+
+#ifndef OPENSSL_NO_HW
+#ifndef OPENSSL_NO_HW_UBSEC
+
+#ifdef FLAT_INC
+#include "hw_ubsec.h"
+#else
+#include "vendor_defns/hw_ubsec.h"
+#endif
+
+#define UBSEC_LIB_NAME "ubsec engine"
+#include "hw_ubsec_err.c"
+
+#define FAIL_TO_SOFTWARE -15
+
+static int ubsec_destroy(ENGINE *e);
+static int ubsec_init(ENGINE *e);
+static int ubsec_finish(ENGINE *e);
+static int ubsec_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)());
+static int ubsec_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+                const BIGNUM *m, BN_CTX *ctx);
+static int ubsec_mod_exp_crt(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+                        const BIGNUM *q, const BIGNUM *dp,
+                        const BIGNUM *dq, const BIGNUM *qinv, BN_CTX *ctx);
+#ifndef OPENSSL_NO_RSA
+static int ubsec_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa);
+#endif
+static int ubsec_mod_exp_mont(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+                const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
+#ifndef OPENSSL_NO_DSA
+#if NOT_USED
+static int ubsec_dsa_mod_exp(DSA *dsa, BIGNUM *rr, BIGNUM *a1,
+                BIGNUM *p1, BIGNUM *a2, BIGNUM *p2, BIGNUM *m,
+                BN_CTX *ctx, BN_MONT_CTX *in_mont);
+static int ubsec_mod_exp_dsa(DSA *dsa, BIGNUM *r, BIGNUM *a,
+                const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx,
+                BN_MONT_CTX *m_ctx);
+#endif
+static DSA_SIG *ubsec_dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa);
+static int ubsec_dsa_verify(const unsigned char *dgst, int dgst_len,
+                                DSA_SIG *sig, DSA *dsa);
+#endif
+#ifndef OPENSSL_NO_DH
+static int ubsec_mod_exp_dh(const DH *dh, BIGNUM *r, const BIGNUM *a,
+                const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx,
+                BN_MONT_CTX *m_ctx);
+static int ubsec_dh_compute_key(unsigned char *key,const BIGNUM *pub_key,DH *dh);
+static int ubsec_dh_generate_key(DH *dh);
+#endif
+
+#if NOT_USED
+static int ubsec_rand_bytes(unsigned char *buf, int num);
+static int ubsec_rand_status(void);
+#endif
+
+#define UBSEC_CMD_SO_PATH               ENGINE_CMD_BASE
+static const ENGINE_CMD_DEFN ubsec_cmd_defns[] = {
+        {UBSEC_CMD_SO_PATH,
+                "SO_PATH",
+                "Specifies the path to the 'ubsec' shared library",
+                ENGINE_CMD_FLAG_STRING},
+        {0, NULL, NULL, 0}
+        };
+
+#ifndef OPENSSL_NO_RSA
+/* Our internal RSA_METHOD that we provide pointers to */
+static RSA_METHOD ubsec_rsa =
+        {
+        "UBSEC RSA method",
+        NULL,
+        NULL,
+        NULL,
+        NULL,
+        ubsec_rsa_mod_exp,
+        ubsec_mod_exp_mont,
+        NULL,
+        NULL,
+        0,
+        NULL,
+        NULL,
+        NULL
+        };
+#endif
+
+#ifndef OPENSSL_NO_DSA
+/* Our internal DSA_METHOD that we provide pointers to */
+static DSA_METHOD ubsec_dsa =
+        {
+        "UBSEC DSA method",
+        ubsec_dsa_do_sign, /* dsa_do_sign */
+        NULL, /* dsa_sign_setup */
+        ubsec_dsa_verify, /* dsa_do_verify */
+        NULL, /* ubsec_dsa_mod_exp */ /* dsa_mod_exp */
+        NULL, /* ubsec_mod_exp_dsa */ /* bn_mod_exp */
+        NULL, /* init */
+        NULL, /* finish */
+        0, /* flags */
+        NULL /* app_data */
+        };
+#endif
+
+#ifndef OPENSSL_NO_DH
+/* Our internal DH_METHOD that we provide pointers to */
+static DH_METHOD ubsec_dh =
+        {
+        "UBSEC DH method",
+        ubsec_dh_generate_key,
+        ubsec_dh_compute_key,
+        ubsec_mod_exp_dh,
+        NULL,
+        NULL,
+        0,
+        NULL
+        };
+#endif
+
+/* Constants used when creating the ENGINE */
+static const char *engine_ubsec_id = "ubsec";
+static const char *engine_ubsec_name = "UBSEC hardware engine support";
+
+/* This internal function is used by ENGINE_ubsec() and possibly by the
+ * "dynamic" ENGINE support too */
+static int bind_helper(ENGINE *e)
+        {
+#ifndef OPENSSL_NO_RSA
+        const RSA_METHOD *meth1;
+#endif
+#ifndef OPENSSL_NO_DH
+#ifndef HAVE_UBSEC_DH
+        const DH_METHOD *meth3;
+#endif /* HAVE_UBSEC_DH */
+#endif
+        if(!ENGINE_set_id(e, engine_ubsec_id) ||
+                        !ENGINE_set_name(e, engine_ubsec_name) ||
+#ifndef OPENSSL_NO_RSA
+                        !ENGINE_set_RSA(e, &ubsec_rsa) ||
+#endif
+#ifndef OPENSSL_NO_DSA
+                        !ENGINE_set_DSA(e, &ubsec_dsa) ||
+#endif
+#ifndef OPENSSL_NO_DH
+                        !ENGINE_set_DH(e, &ubsec_dh) ||
+#endif
+                        !ENGINE_set_destroy_function(e, ubsec_destroy) ||
+                        !ENGINE_set_init_function(e, ubsec_init) ||
+                        !ENGINE_set_finish_function(e, ubsec_finish) ||
+                        !ENGINE_set_ctrl_function(e, ubsec_ctrl) ||
+                        !ENGINE_set_cmd_defns(e, ubsec_cmd_defns))
+                return 0;
+
+#ifndef OPENSSL_NO_RSA
+        /* We know that the "PKCS1_SSLeay()" functions hook properly
+         * to the Broadcom-specific mod_exp and mod_exp_crt so we use
+         * those functions. NB: We don't use ENGINE_openssl() or
+         * anything "more generic" because something like the RSAref
+         * code may not hook properly, and if you own one of these
+         * cards then you have the right to do RSA operations on it
+         * anyway! */ 
+        meth1 = RSA_PKCS1_SSLeay();
+        ubsec_rsa.rsa_pub_enc = meth1->rsa_pub_enc;
+        ubsec_rsa.rsa_pub_dec = meth1->rsa_pub_dec;
+        ubsec_rsa.rsa_priv_enc = meth1->rsa_priv_enc;
+        ubsec_rsa.rsa_priv_dec = meth1->rsa_priv_dec;
+#endif
+
+#ifndef OPENSSL_NO_DH
+#ifndef HAVE_UBSEC_DH
+        /* Much the same for Diffie-Hellman */
+        meth3 = DH_OpenSSL();
+        ubsec_dh.generate_key = meth3->generate_key;
+        ubsec_dh.compute_key = meth3->compute_key;
+#endif /* HAVE_UBSEC_DH */
+#endif
+
+        /* Ensure the ubsec error handling is set up */
+        ERR_load_UBSEC_strings();
+        return 1;
+        }
+
+static ENGINE *engine_ubsec(void)
+        {
+        ENGINE *ret = ENGINE_new();
+        if(!ret)
+                return NULL;
+        if(!bind_helper(ret))
+                {
+                ENGINE_free(ret);
+                return NULL;
+                }
+        return ret;
+        }
+
+void ENGINE_load_ubsec(void)
+        {
+        /* Copied from eng_[openssl|dyn].c */
+        ENGINE *toadd = engine_ubsec();
+        if(!toadd) return;
+        ENGINE_add(toadd);
+        ENGINE_free(toadd);
+        ERR_clear_error();
+        }
+
+/* This is a process-global DSO handle used for loading and unloading
+ * the UBSEC library. NB: This is only set (or unset) during an
+ * init() or finish() call (reference counts permitting) and they're
+ * operating with global locks, so this should be thread-safe
+ * implicitly. */
+
+static DSO *ubsec_dso = NULL;
+
+/* These are the function pointers that are (un)set when the library has
+ * successfully (un)loaded. */
+
+static t_UBSEC_ubsec_bytes_to_bits *p_UBSEC_ubsec_bytes_to_bits = NULL;
+static t_UBSEC_ubsec_bits_to_bytes *p_UBSEC_ubsec_bits_to_bytes = NULL;
+static t_UBSEC_ubsec_open *p_UBSEC_ubsec_open = NULL;
+static t_UBSEC_ubsec_close *p_UBSEC_ubsec_close = NULL;
+#ifndef OPENSSL_NO_DH
+static t_UBSEC_diffie_hellman_generate_ioctl 
+        *p_UBSEC_diffie_hellman_generate_ioctl = NULL;
+static t_UBSEC_diffie_hellman_agree_ioctl *p_UBSEC_diffie_hellman_agree_ioctl = NULL;
+#endif
+/* #ifndef OPENSSL_NO_RSA */
+static t_UBSEC_rsa_mod_exp_ioctl *p_UBSEC_rsa_mod_exp_ioctl = NULL;
+static t_UBSEC_rsa_mod_exp_crt_ioctl *p_UBSEC_rsa_mod_exp_crt_ioctl = NULL;
+/* #endif */
+#ifndef OPENSSL_NO_DSA
+static t_UBSEC_dsa_sign_ioctl *p_UBSEC_dsa_sign_ioctl = NULL;
+static t_UBSEC_dsa_verify_ioctl *p_UBSEC_dsa_verify_ioctl = NULL;
+#endif
+static t_UBSEC_math_accelerate_ioctl *p_UBSEC_math_accelerate_ioctl = NULL;
+static t_UBSEC_rng_ioctl *p_UBSEC_rng_ioctl = NULL;
+static t_UBSEC_max_key_len_ioctl *p_UBSEC_max_key_len_ioctl = NULL;
+
+static int max_key_len = 1024;  /* ??? */
+
+/* 
+ * These are the static string constants for the DSO file name and the function
+ * symbol names to bind to. 
+ */
+
+static const char *UBSEC_LIBNAME = "ubsec";
+static const char *UBSEC_F1 = "ubsec_bytes_to_bits";
+static const char *UBSEC_F2 = "ubsec_bits_to_bytes";
+static const char *UBSEC_F3 = "ubsec_open";
+static const char *UBSEC_F4 = "ubsec_close";
+#ifndef OPENSSL_NO_DH
+static const char *UBSEC_F5 = "diffie_hellman_generate_ioctl";
+static const char *UBSEC_F6 = "diffie_hellman_agree_ioctl";
+#endif
+/* #ifndef OPENSSL_NO_RSA */
+static const char *UBSEC_F7 = "rsa_mod_exp_ioctl";
+static const char *UBSEC_F8 = "rsa_mod_exp_crt_ioctl";
+/* #endif */
+#ifndef OPENSSL_NO_DSA
+static const char *UBSEC_F9 = "dsa_sign_ioctl";
+static const char *UBSEC_F10 = "dsa_verify_ioctl";
+#endif
+static const char *UBSEC_F11 = "math_accelerate_ioctl";
+static const char *UBSEC_F12 = "rng_ioctl";
+static const char *UBSEC_F13 = "ubsec_max_key_len_ioctl";
+
+/* Destructor (complements the "ENGINE_ubsec()" constructor) */
+static int ubsec_destroy(ENGINE *e)
+        {
+        ERR_unload_UBSEC_strings();
+        return 1;
+        }
+
+/* (de)initialisation functions. */
+static int ubsec_init(ENGINE *e)
+        {
+        t_UBSEC_ubsec_bytes_to_bits *p1;
+        t_UBSEC_ubsec_bits_to_bytes *p2;
+        t_UBSEC_ubsec_open *p3;
+        t_UBSEC_ubsec_close *p4;
+#ifndef OPENSSL_NO_DH
+        t_UBSEC_diffie_hellman_generate_ioctl *p5;
+        t_UBSEC_diffie_hellman_agree_ioctl *p6;
+#endif
+/* #ifndef OPENSSL_NO_RSA */
+        t_UBSEC_rsa_mod_exp_ioctl *p7;
+        t_UBSEC_rsa_mod_exp_crt_ioctl *p8;
+/* #endif */
+#ifndef OPENSSL_NO_DSA
+        t_UBSEC_dsa_sign_ioctl *p9;
+        t_UBSEC_dsa_verify_ioctl *p10;
+#endif
+        t_UBSEC_math_accelerate_ioctl *p11;
+        t_UBSEC_rng_ioctl *p12;
+        t_UBSEC_max_key_len_ioctl *p13;
+        int fd = 0;
+
+        if(ubsec_dso != NULL)
+                {
+                UBSECerr(UBSEC_F_UBSEC_INIT, UBSEC_R_ALREADY_LOADED);
+                goto err;
+                }
+        /* 
+         * Attempt to load libubsec.so/ubsec.dll/whatever. 
+         */
+        ubsec_dso = DSO_load(NULL, UBSEC_LIBNAME, NULL, 0);
+        if(ubsec_dso == NULL)
+                {
+                UBSECerr(UBSEC_F_UBSEC_INIT, UBSEC_R_DSO_FAILURE);
+                goto err;
+                }
+
+        if (
+        !(p1 = (t_UBSEC_ubsec_bytes_to_bits *) DSO_bind_func(ubsec_dso, UBSEC_F1)) ||
+        !(p2 = (t_UBSEC_ubsec_bits_to_bytes *) DSO_bind_func(ubsec_dso, UBSEC_F2)) ||
+        !(p3 = (t_UBSEC_ubsec_open *) DSO_bind_func(ubsec_dso, UBSEC_F3)) ||
+        !(p4 = (t_UBSEC_ubsec_close *) DSO_bind_func(ubsec_dso, UBSEC_F4)) ||
+#ifndef OPENSSL_NO_DH
+        !(p5 = (t_UBSEC_diffie_hellman_generate_ioctl *) 
+                                DSO_bind_func(ubsec_dso, UBSEC_F5)) ||
+        !(p6 = (t_UBSEC_diffie_hellman_agree_ioctl *) 
+                                DSO_bind_func(ubsec_dso, UBSEC_F6)) ||
+#endif
+/* #ifndef OPENSSL_NO_RSA */
+        !(p7 = (t_UBSEC_rsa_mod_exp_ioctl *) DSO_bind_func(ubsec_dso, UBSEC_F7)) ||
+        !(p8 = (t_UBSEC_rsa_mod_exp_crt_ioctl *) DSO_bind_func(ubsec_dso, UBSEC_F8)) ||
+/* #endif */
+#ifndef OPENSSL_NO_DSA
+        !(p9 = (t_UBSEC_dsa_sign_ioctl *) DSO_bind_func(ubsec_dso, UBSEC_F9)) ||
+        !(p10 = (t_UBSEC_dsa_verify_ioctl *) DSO_bind_func(ubsec_dso, UBSEC_F10)) ||
+#endif
+        !(p11 = (t_UBSEC_math_accelerate_ioctl *) 
+                                DSO_bind_func(ubsec_dso, UBSEC_F11)) ||
+        !(p12 = (t_UBSEC_rng_ioctl *) DSO_bind_func(ubsec_dso, UBSEC_F12)) ||
+        !(p13 = (t_UBSEC_max_key_len_ioctl *) DSO_bind_func(ubsec_dso, UBSEC_F13)))
+                {
+                UBSECerr(UBSEC_F_UBSEC_INIT, UBSEC_R_DSO_FAILURE);
+                goto err;
+                }
+
+        /* Copy the pointers */
+        p_UBSEC_ubsec_bytes_to_bits = p1;
+        p_UBSEC_ubsec_bits_to_bytes = p2;
+        p_UBSEC_ubsec_open = p3;
+        p_UBSEC_ubsec_close = p4;
+#ifndef OPENSSL_NO_DH
+        p_UBSEC_diffie_hellman_generate_ioctl = p5;
+        p_UBSEC_diffie_hellman_agree_ioctl = p6;
+#endif
+#ifndef OPENSSL_NO_RSA
+        p_UBSEC_rsa_mod_exp_ioctl = p7;
+        p_UBSEC_rsa_mod_exp_crt_ioctl = p8;
+#endif
+#ifndef OPENSSL_NO_DSA
+        p_UBSEC_dsa_sign_ioctl = p9;
+        p_UBSEC_dsa_verify_ioctl = p10;
+#endif
+        p_UBSEC_math_accelerate_ioctl = p11;
+        p_UBSEC_rng_ioctl = p12;
+        p_UBSEC_max_key_len_ioctl = p13;
+
+        /* Perform an open to see if there's actually any unit running. */
+        if (((fd = p_UBSEC_ubsec_open(UBSEC_KEY_DEVICE_NAME)) > 0) && (p_UBSEC_max_key_len_ioctl(fd, &max_key_len) == 0))
+        {
+           p_UBSEC_ubsec_close(fd);
+           return 1;
+        }
+        else
+        {
+          UBSECerr(UBSEC_F_UBSEC_INIT, UBSEC_R_UNIT_FAILURE);
+        }
+
+err:
+        if(ubsec_dso)
+                DSO_free(ubsec_dso);
+        p_UBSEC_ubsec_bytes_to_bits = NULL;
+        p_UBSEC_ubsec_bits_to_bytes = NULL;
+        p_UBSEC_ubsec_open = NULL;
+        p_UBSEC_ubsec_close = NULL;
+#ifndef OPENSSL_NO_DH
+        p_UBSEC_diffie_hellman_generate_ioctl = NULL;
+        p_UBSEC_diffie_hellman_agree_ioctl = NULL;
+#endif
+#ifndef OPENSSL_NO_RSA
+        p_UBSEC_rsa_mod_exp_ioctl = NULL;
+        p_UBSEC_rsa_mod_exp_crt_ioctl = NULL;
+#endif
+#ifndef OPENSSL_NO_DSA
+        p_UBSEC_dsa_sign_ioctl = NULL;
+        p_UBSEC_dsa_verify_ioctl = NULL;
+#endif
+        p_UBSEC_math_accelerate_ioctl = NULL;
+        p_UBSEC_rng_ioctl = NULL;
+        p_UBSEC_max_key_len_ioctl = NULL;
+
+        return 0;
+        }
+
+static int ubsec_finish(ENGINE *e)
+        {
+        if(ubsec_dso == NULL)
+                {
+                UBSECerr(UBSEC_F_UBSEC_FINISH, UBSEC_R_NOT_LOADED);
+                return 0;
+                }
+        if(!DSO_free(ubsec_dso))
+                {
+                UBSECerr(UBSEC_F_UBSEC_FINISH, UBSEC_R_DSO_FAILURE);
+                return 0;
+                }
+        ubsec_dso = NULL;
+        p_UBSEC_ubsec_bytes_to_bits = NULL;
+        p_UBSEC_ubsec_bits_to_bytes = NULL;
+        p_UBSEC_ubsec_open = NULL;
+        p_UBSEC_ubsec_close = NULL;
+#ifndef OPENSSL_NO_DH
+        p_UBSEC_diffie_hellman_generate_ioctl = NULL;
+        p_UBSEC_diffie_hellman_agree_ioctl = NULL;
+#endif
+#ifndef OPENSSL_NO_RSA
+        p_UBSEC_rsa_mod_exp_ioctl = NULL;
+        p_UBSEC_rsa_mod_exp_crt_ioctl = NULL;
+#endif
+#ifndef OPENSSL_NO_DSA
+        p_UBSEC_dsa_sign_ioctl = NULL;
+        p_UBSEC_dsa_verify_ioctl = NULL;
+#endif
+        p_UBSEC_math_accelerate_ioctl = NULL;
+        p_UBSEC_rng_ioctl = NULL;
+        p_UBSEC_max_key_len_ioctl = NULL;
+        return 1;
+        }
+
+static int ubsec_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)())
+        {
+        int initialised = ((ubsec_dso == NULL) ? 0 : 1);
+        switch(cmd)
+                {
+        case UBSEC_CMD_SO_PATH:
+                if(p == NULL)
+                        {
+                        UBSECerr(UBSEC_F_UBSEC_CTRL,ERR_R_PASSED_NULL_PARAMETER);
+                        return 0;
+                        }
+                if(initialised)
+                        {
+                        UBSECerr(UBSEC_F_UBSEC_CTRL,UBSEC_R_ALREADY_LOADED);
+                        return 0;
+                        }
+                UBSEC_LIBNAME = (const char *)p;
+                return 1;
+        default:
+                break;
+                }
+        UBSECerr(UBSEC_F_UBSEC_CTRL,UBSEC_R_CTRL_COMMAND_NOT_IMPLEMENTED);
+        return 0;
+        }
+
+static int ubsec_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+                const BIGNUM *m, BN_CTX *ctx)
+        {
+        int     y_len = 0;
+        int     fd;
+
+        if(ubsec_dso == NULL)
+        {
+                UBSECerr(UBSEC_F_UBSEC_MOD_EXP, UBSEC_R_NOT_LOADED);
+                return 0;
+        }
+
+        /* Check if hardware can't handle this argument. */
+        y_len = BN_num_bits(m);
+        if (y_len > max_key_len) {
+                UBSECerr(UBSEC_F_UBSEC_MOD_EXP, UBSEC_R_SIZE_TOO_LARGE_OR_TOO_SMALL);
+                return BN_mod_exp(r, a, p, m, ctx);
+        } 
+
+        if(!bn_wexpand(r, m->top))
+        {
+                UBSECerr(UBSEC_F_UBSEC_MOD_EXP, UBSEC_R_BN_EXPAND_FAIL);
+                return 0;
+        }
+        memset(r->d, 0, BN_num_bytes(m));
+
+        if ((fd = p_UBSEC_ubsec_open(UBSEC_KEY_DEVICE_NAME)) <= 0) {
+                fd = 0;
+                UBSECerr(UBSEC_F_UBSEC_INIT, UBSEC_R_UNIT_FAILURE);
+                return BN_mod_exp(r, a, p, m, ctx);
+        }
+
+        if (p_UBSEC_rsa_mod_exp_ioctl(fd, (unsigned char *)a->d, BN_num_bits(a),
+                (unsigned char *)m->d, BN_num_bits(m), (unsigned char *)p->d, 
+                BN_num_bits(p), (unsigned char *)r->d, &y_len) != 0)
+        {
+                UBSECerr(UBSEC_F_UBSEC_MOD_EXP, UBSEC_R_REQUEST_FAILED);
+                p_UBSEC_ubsec_close(fd);
+
+                return BN_mod_exp(r, a, p, m, ctx);
+        }
+
+        p_UBSEC_ubsec_close(fd);
+
+        r->top = (BN_num_bits(m)+BN_BITS2-1)/BN_BITS2;
+        return 1;
+        }
+
+#ifndef OPENSSL_NO_RSA
+static int ubsec_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa)
+        {
+        BN_CTX *ctx;
+        int to_return = 0;
+
+        if((ctx = BN_CTX_new()) == NULL)
+                goto err;
+
+        if(!rsa->p || !rsa->q || !rsa->dmp1 || !rsa->dmq1 || !rsa->iqmp)
+                {
+                UBSECerr(UBSEC_F_UBSEC_RSA_MOD_EXP, UBSEC_R_MISSING_KEY_COMPONENTS);
+                goto err;
+                }
+
+        to_return = ubsec_mod_exp_crt(r0, I, rsa->p, rsa->q, rsa->dmp1,
+                    rsa->dmq1, rsa->iqmp, ctx);
+        if (to_return == FAIL_TO_SOFTWARE)
+        {
+          /*
+           * Do in software as hardware failed.
+           */
+           const RSA_METHOD *meth = RSA_PKCS1_SSLeay();
+           to_return = (*meth->rsa_mod_exp)(r0, I, rsa);
+        }
+err:
+        if(ctx)
+                BN_CTX_free(ctx);
+        return to_return;
+        }
+#endif
+
+static int ubsec_mod_exp_crt(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+                        const BIGNUM *q, const BIGNUM *dp,
+                        const BIGNUM *dq, const BIGNUM *qinv, BN_CTX *ctx)
+        {
+        int     y_len,
+                m_len,
+                fd;
+
+        m_len = BN_num_bytes(p) + BN_num_bytes(q) + 1;
+        y_len = BN_num_bits(p) + BN_num_bits(q);
+
+        /* Check if hardware can't handle this argument. */
+        if (y_len > max_key_len) {
+                UBSECerr(UBSEC_F_UBSEC_MOD_EXP, UBSEC_R_SIZE_TOO_LARGE_OR_TOO_SMALL);
+                return FAIL_TO_SOFTWARE;
+        } 
+
+        if (!bn_wexpand(r, p->top + q->top + 1)) {
+                UBSECerr(UBSEC_F_UBSEC_RSA_MOD_EXP_CRT, UBSEC_R_BN_EXPAND_FAIL);
+                return 0;
+        }
+
+        if ((fd = p_UBSEC_ubsec_open(UBSEC_KEY_DEVICE_NAME)) <= 0) {
+                fd = 0;
+                UBSECerr(UBSEC_F_UBSEC_INIT, UBSEC_R_UNIT_FAILURE);
+                return FAIL_TO_SOFTWARE;
+        }
+
+        if (p_UBSEC_rsa_mod_exp_crt_ioctl(fd,
+                (unsigned char *)a->d, BN_num_bits(a), 
+                (unsigned char *)qinv->d, BN_num_bits(qinv),
+                (unsigned char *)dp->d, BN_num_bits(dp),
+                (unsigned char *)p->d, BN_num_bits(p),
+                (unsigned char *)dq->d, BN_num_bits(dq),
+                (unsigned char *)q->d, BN_num_bits(q),
+                (unsigned char *)r->d,  &y_len) != 0) {
+                UBSECerr(UBSEC_F_UBSEC_MOD_EXP, UBSEC_R_REQUEST_FAILED);
+                p_UBSEC_ubsec_close(fd);
+                return FAIL_TO_SOFTWARE;
+        }
+
+        p_UBSEC_ubsec_close(fd);
+
+        r->top = (BN_num_bits(p) + BN_num_bits(q) + BN_BITS2 - 1)/BN_BITS2;
+        return 1;
+}
+
+#ifndef OPENSSL_NO_DSA
+#if NOT_USED
+static int ubsec_dsa_mod_exp(DSA *dsa, BIGNUM *rr, BIGNUM *a1,
+                BIGNUM *p1, BIGNUM *a2, BIGNUM *p2, BIGNUM *m,
+                BN_CTX *ctx, BN_MONT_CTX *in_mont)
+        {
+        BIGNUM t;
+        int to_return = 0;
+ 
+        BN_init(&t);
+        /* let rr = a1 ^ p1 mod m */
+        if (!ubsec_mod_exp(rr,a1,p1,m,ctx)) goto end;
+        /* let t = a2 ^ p2 mod m */
+        if (!ubsec_mod_exp(&t,a2,p2,m,ctx)) goto end;
+        /* let rr = rr * t mod m */
+        if (!BN_mod_mul(rr,rr,&t,m,ctx)) goto end;
+        to_return = 1;
+end:
+        BN_free(&t);
+        return to_return;
+        }
+
+static int ubsec_mod_exp_dsa(DSA *dsa, BIGNUM *r, BIGNUM *a,
+                const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx,
+                BN_MONT_CTX *m_ctx)
+        {
+        return ubsec_mod_exp(r, a, p, m, ctx);
+        }
+#endif
+#endif
+
+/*
+ * This function is aliased to mod_exp (with the mont stuff dropped).
+ */
+static int ubsec_mod_exp_mont(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+                const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx)
+        {
+        int ret = 0;
+
+#ifndef OPENSSL_NO_RSA
+        /* Do in software if the key is too large for the hardware. */
+        if (BN_num_bits(m) > max_key_len)
+                {
+                const RSA_METHOD *meth = RSA_PKCS1_SSLeay();
+                ret = (*meth->bn_mod_exp)(r, a, p, m, ctx, m_ctx);
+                }
+        else
+#endif
+                {
+                ret = ubsec_mod_exp(r, a, p, m, ctx);
+                }
+        
+        return ret;
+        }
+
+#ifndef OPENSSL_NO_DH
+/* This function is aliased to mod_exp (with the dh and mont dropped). */
+static int ubsec_mod_exp_dh(const DH *dh, BIGNUM *r, const BIGNUM *a,
+                const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx,
+                BN_MONT_CTX *m_ctx)
+        {
+        return ubsec_mod_exp(r, a, p, m, ctx);
+        }
+#endif
+
+#ifndef OPENSSL_NO_DSA
+static DSA_SIG *ubsec_dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
+        {
+        DSA_SIG *to_return = NULL;
+        int s_len = 160, r_len = 160, d_len, fd;
+        BIGNUM m, *r=NULL, *s=NULL;
+
+        BN_init(&m);
+
+        s = BN_new();
+        r = BN_new();
+        if ((s == NULL) || (r==NULL))
+                goto err;
+
+        d_len = p_UBSEC_ubsec_bytes_to_bits((unsigned char *)dgst, dlen);
+
+        if(!bn_wexpand(r, (160+BN_BITS2-1)/BN_BITS2) ||
+           (!bn_wexpand(s, (160+BN_BITS2-1)/BN_BITS2))) {
+                UBSECerr(UBSEC_F_UBSEC_DSA_SIGN, UBSEC_R_BN_EXPAND_FAIL);
+                goto err;
+        }
+
+        if (BN_bin2bn(dgst,dlen,&m) == NULL) {
+                UBSECerr(UBSEC_F_UBSEC_DSA_SIGN, UBSEC_R_BN_EXPAND_FAIL);
+                goto err;
+        } 
+
+        if ((fd = p_UBSEC_ubsec_open(UBSEC_KEY_DEVICE_NAME)) <= 0) {
+                const DSA_METHOD *meth;
+                fd = 0;
+                UBSECerr(UBSEC_F_UBSEC_INIT, UBSEC_R_UNIT_FAILURE);
+                meth = DSA_OpenSSL();
+                to_return =  meth->dsa_do_sign(dgst, dlen, dsa);
+                goto err;
+        }
+
+        if (p_UBSEC_dsa_sign_ioctl(fd, 0, /* compute hash before signing */
+                (unsigned char *)dgst, d_len,
+                NULL, 0,  /* compute random value */
+                (unsigned char *)dsa->p->d, BN_num_bits(dsa->p), 
+                (unsigned char *)dsa->q->d, BN_num_bits(dsa->q),
+                (unsigned char *)dsa->g->d, BN_num_bits(dsa->g),
+                (unsigned char *)dsa->priv_key->d, BN_num_bits(dsa->priv_key),
+                (unsigned char *)r->d, &r_len,
+                (unsigned char *)s->d, &s_len ) != 0) {
+                const DSA_METHOD *meth;
+
+                UBSECerr(UBSEC_F_UBSEC_DSA_SIGN, UBSEC_R_REQUEST_FAILED);
+                p_UBSEC_ubsec_close(fd);
+                meth = DSA_OpenSSL();
+                to_return = meth->dsa_do_sign(dgst, dlen, dsa);
+
+                goto err;
+        }
+
+        p_UBSEC_ubsec_close(fd);
+
+        r->top = (160+BN_BITS2-1)/BN_BITS2;
+        s->top = (160+BN_BITS2-1)/BN_BITS2;
+
+        to_return = DSA_SIG_new();
+        if(to_return == NULL) {
+                UBSECerr(UBSEC_F_UBSEC_DSA_SIGN, UBSEC_R_BN_EXPAND_FAIL);
+                goto err;
+        }
+
+        to_return->r = r;
+        to_return->s = s;
+
+err:
+        if (!to_return) {
+                if (r) BN_free(r);
+                if (s) BN_free(s);
+        }                                 
+        BN_clear_free(&m);
+        return to_return;
+}
+
+static int ubsec_dsa_verify(const unsigned char *dgst, int dgst_len,
+                                DSA_SIG *sig, DSA *dsa)
+        {
+        int v_len, d_len;
+        int to_return = 0;
+        int fd;
+        BIGNUM v;
+
+        BN_init(&v);
+
+        if(!bn_wexpand(&v, dsa->p->top)) {
+                UBSECerr(UBSEC_F_UBSEC_DSA_VERIFY ,UBSEC_R_BN_EXPAND_FAIL);
+                goto err;
+        }
+
+        v_len = BN_num_bits(dsa->p);
+
+        d_len = p_UBSEC_ubsec_bytes_to_bits((unsigned char *)dgst, dgst_len);
+
+        if ((fd = p_UBSEC_ubsec_open(UBSEC_KEY_DEVICE_NAME)) <= 0) {
+                const DSA_METHOD *meth;
+                fd = 0;
+                UBSECerr(UBSEC_F_UBSEC_INIT, UBSEC_R_UNIT_FAILURE);
+                meth = DSA_OpenSSL();
+                to_return = meth->dsa_do_verify(dgst, dgst_len, sig, dsa);
+                goto err;
+        }
+
+        if (p_UBSEC_dsa_verify_ioctl(fd, 0, /* compute hash before signing */
+                (unsigned char *)dgst, d_len,
+                (unsigned char *)dsa->p->d, BN_num_bits(dsa->p), 
+                (unsigned char *)dsa->q->d, BN_num_bits(dsa->q),
+                (unsigned char *)dsa->g->d, BN_num_bits(dsa->g),
+                (unsigned char *)dsa->pub_key->d, BN_num_bits(dsa->pub_key),
+                (unsigned char *)sig->r->d, BN_num_bits(sig->r),
+                (unsigned char *)sig->s->d, BN_num_bits(sig->s),
+                (unsigned char *)v.d, &v_len) != 0) {
+                const DSA_METHOD *meth;
+                UBSECerr(UBSEC_F_UBSEC_DSA_VERIFY , UBSEC_R_REQUEST_FAILED);
+                p_UBSEC_ubsec_close(fd);
+
+                meth = DSA_OpenSSL();
+                to_return = meth->dsa_do_verify(dgst, dgst_len, sig, dsa);
+
+                goto err;
+        }
+
+        p_UBSEC_ubsec_close(fd);
+
+        to_return = 1;
+err:
+        BN_clear_free(&v);
+        return to_return;
+        }
+#endif
+
+#ifndef OPENSSL_NO_DH
+static int ubsec_dh_compute_key (unsigned char *key,const BIGNUM *pub_key,DH *dh)
+        {
+        int      ret      = -1,
+                 k_len,
+                 fd;
+
+        k_len = BN_num_bits(dh->p);
+
+        if ((fd = p_UBSEC_ubsec_open(UBSEC_KEY_DEVICE_NAME)) <= 0)
+                {
+                const DH_METHOD *meth;
+                ENGINEerr(UBSEC_F_UBSEC_INIT, UBSEC_R_UNIT_FAILURE);
+                meth = DH_OpenSSL();
+                ret = meth->compute_key(key, pub_key, dh);
+                goto err;
+                }
+
+        if (p_UBSEC_diffie_hellman_agree_ioctl(fd,
+                                               (unsigned char *)dh->priv_key->d, BN_num_bits(dh->priv_key),
+                                               (unsigned char *)pub_key->d, BN_num_bits(pub_key),
+                                               (unsigned char *)dh->p->d, BN_num_bits(dh->p),
+                                               key, &k_len) != 0)
+                {
+                /* Hardware's a no go, failover to software */
+                const DH_METHOD *meth;
+                ENGINEerr(UBSEC_F_UBSEC_DH_COMPUTE_KEY, UBSEC_R_REQUEST_FAILED);
+                p_UBSEC_ubsec_close(fd);
+
+                meth = DH_OpenSSL();
+                ret = meth->compute_key(key, pub_key, dh);
+
+                goto err;
+                }
+
+        p_UBSEC_ubsec_close(fd);
+
+        ret = p_UBSEC_ubsec_bits_to_bytes(k_len);
+err:
+        return ret;
+        }
+
+static int ubsec_dh_generate_key (DH *dh)
+        {
+        int      ret               = 0,
+                 random_bits       = 0,
+                 pub_key_len       = 0,
+                 priv_key_len      = 0,
+                 fd;
+        BIGNUM   *pub_key          = NULL;
+        BIGNUM   *priv_key         = NULL;
+
+        /* 
+         *  How many bits should Random x be? dh_key.c
+         *  sets the range from 0 to num_bits(modulus) ???
+         */
+
+        if (dh->priv_key == NULL)
+                {
+                priv_key = BN_new();
+                if (priv_key == NULL) goto err;
+                priv_key_len = BN_num_bits(dh->p);
+                bn_wexpand(priv_key, dh->p->top);
+                do
+                        if (!BN_rand_range(priv_key, dh->p)) goto err;
+                while (BN_is_zero(priv_key));
+                random_bits = BN_num_bits(priv_key);
+                }
+        else
+                {
+                priv_key = dh->priv_key;
+                }
+
+        if (dh->pub_key == NULL)
+                {
+                pub_key = BN_new();
+                pub_key_len = BN_num_bits(dh->p);
+                bn_wexpand(pub_key, dh->p->top);
+                if(pub_key == NULL) goto err;
+                }
+        else
+                {
+                pub_key = dh->pub_key;
+                }
+
+        if ((fd = p_UBSEC_ubsec_open(UBSEC_KEY_DEVICE_NAME)) <= 0)
+                {
+                const DH_METHOD *meth;
+                ENGINEerr(UBSEC_F_UBSEC_INIT, UBSEC_R_UNIT_FAILURE);
+                meth = DH_OpenSSL();
+                ret = meth->generate_key(dh);
+                goto err;
+                }
+
+        if (p_UBSEC_diffie_hellman_generate_ioctl(fd,
+                                                  (unsigned char *)priv_key->d, &priv_key_len,
+                                                  (unsigned char *)pub_key->d,  &pub_key_len,
+                                                  (unsigned char *)dh->g->d, BN_num_bits(dh->g),
+                                                  (unsigned char *)dh->p->d, BN_num_bits(dh->p),
+                                                  0, 0, random_bits) != 0)
+                {
+                /* Hardware's a no go, failover to software */
+                const DH_METHOD *meth;
+
+                ENGINEerr(UBSEC_F_UBSEC_DH_COMPUTE_KEY, UBSEC_R_REQUEST_FAILED);
+                p_UBSEC_ubsec_close(fd);
+
+                meth = DH_OpenSSL();
+                ret = meth->generate_key(dh);
+
+                goto err;
+                }
+
+        p_UBSEC_ubsec_close(fd);
+
+        dh->pub_key = pub_key;
+        dh->pub_key->top = (pub_key_len + BN_BITS2-1) / BN_BITS2;
+        dh->priv_key = priv_key;
+        dh->priv_key->top = (priv_key_len + BN_BITS2-1) / BN_BITS2;
+
+        ret = 1;
+err:
+        return ret;
+        }
+#endif
+
+#if NOT_USED
+static int ubsec_rand_bytes(unsigned char * buf,
+                            int num)
+        {
+        int      ret      = 0,
+                 fd;
+
+        if ((fd = p_UBSEC_ubsec_open(UBSEC_KEY_DEVICE_NAME)) <= 0)
+                {
+                const RAND_METHOD *meth;
+                ENGINEerr(UBSEC_F_UBSEC_INIT, UBSEC_R_UNIT_FAILURE);
+                num = p_UBSEC_ubsec_bits_to_bytes(num);
+                meth = RAND_SSLeay();
+                meth->seed(buf, num);
+                ret = meth->bytes(buf, num);
+                goto err;
+                }
+
+        num *= 8; /* bytes to bits */
+
+        if (p_UBSEC_rng_ioctl(fd,
+                              UBSEC_RNG_DIRECT,
+                              buf,
+                              &num) != 0)
+                {
+                /* Hardware's a no go, failover to software */
+                const RAND_METHOD *meth;
+
+                ENGINEerr(UBSEC_F_UBSEC_RNG_BYTES, UBSEC_R_REQUEST_FAILED);
+                p_UBSEC_ubsec_close(fd);
+
+                num = p_UBSEC_ubsec_bits_to_bytes(num);
+                meth = RAND_SSLeay();
+                meth->seed(buf, num);
+                ret = meth->bytes(buf, num);
+
+                goto err;
+                }
+
+        p_UBSEC_ubsec_close(fd);
+
+        ret = 1;
+err:
+        return(ret);
+        }
+
+
+static int ubsec_rand_status(void)
+        {
+        return 0;
+        }
+#endif
+
+/* This stuff is needed if this ENGINE is being compiled into a self-contained
+ * shared-library. */
+#ifdef ENGINE_DYNAMIC_SUPPORT
+static int bind_fn(ENGINE *e, const char *id)
+        {
+        if(id && (strcmp(id, engine_ubsec_id) != 0))
+                return 0;
+        if(!bind_helper(e))
+                return 0;
+        return 1;
+        }
+IMPLEMENT_DYNAMIC_CHECK_FN()
+IMPLEMENT_DYNAMIC_BIND_FN(bind_fn)
+#endif /* ENGINE_DYNAMIC_SUPPORT */
+
+#endif /* !OPENSSL_NO_HW_UBSEC */
+#endif /* !OPENSSL_NO_HW */
diff --git a/src/lib/libcrypto/engine/hw_ubsec_err.c b/src/lib/libcrypto/engine/hw_ubsec_err.c
new file mode 100644
index 0000000000..d707331fc2
--- /dev/null
+++ b/src/lib/libcrypto/engine/hw_ubsec_err.c
@@ -0,0 +1,151 @@
+/* hw_ubsec_err.c */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/* NOTE: this file was auto generated by the mkerr.pl script: any changes
+ * made to it will be overwritten when the script next updates this file,
+ * only reason strings will be preserved.
+ */
+
+#include <stdio.h>
+#include <openssl/err.h>
+#include "hw_ubsec_err.h"
+
+/* BEGIN ERROR CODES */
+#ifndef OPENSSL_NO_ERR
+static ERR_STRING_DATA UBSEC_str_functs[]=
+        {
+{ERR_PACK(0,UBSEC_F_UBSEC_CTRL,0),      "UBSEC_CTRL"},
+{ERR_PACK(0,UBSEC_F_UBSEC_DH_COMPUTE_KEY,0),    "UBSEC_DH_COMPUTE_KEY"},
+{ERR_PACK(0,UBSEC_F_UBSEC_DSA_SIGN,0),  "UBSEC_DSA_SIGN"},
+{ERR_PACK(0,UBSEC_F_UBSEC_DSA_VERIFY,0),        "UBSEC_DSA_VERIFY"},
+{ERR_PACK(0,UBSEC_F_UBSEC_FINISH,0),    "UBSEC_FINISH"},
+{ERR_PACK(0,UBSEC_F_UBSEC_INIT,0),      "UBSEC_INIT"},
+{ERR_PACK(0,UBSEC_F_UBSEC_MOD_EXP,0),   "UBSEC_MOD_EXP"},
+{ERR_PACK(0,UBSEC_F_UBSEC_RNG_BYTES,0), "UBSEC_RNG_BYTES"},
+{ERR_PACK(0,UBSEC_F_UBSEC_RSA_MOD_EXP,0),       "UBSEC_RSA_MOD_EXP"},
+{ERR_PACK(0,UBSEC_F_UBSEC_RSA_MOD_EXP_CRT,0),   "UBSEC_RSA_MOD_EXP_CRT"},
+{0,NULL}
+        };
+
+static ERR_STRING_DATA UBSEC_str_reasons[]=
+        {
+{UBSEC_R_ALREADY_LOADED                  ,"already loaded"},
+{UBSEC_R_BN_EXPAND_FAIL                  ,"bn expand fail"},
+{UBSEC_R_CTRL_COMMAND_NOT_IMPLEMENTED    ,"ctrl command not implemented"},
+{UBSEC_R_DSO_FAILURE                     ,"dso failure"},
+{UBSEC_R_MISSING_KEY_COMPONENTS          ,"missing key components"},
+{UBSEC_R_NOT_LOADED                      ,"not loaded"},
+{UBSEC_R_REQUEST_FAILED                  ,"request failed"},
+{UBSEC_R_SIZE_TOO_LARGE_OR_TOO_SMALL     ,"size too large or too small"},
+{UBSEC_R_UNIT_FAILURE                    ,"unit failure"},
+{0,NULL}
+        };
+
+#endif
+
+#ifdef UBSEC_LIB_NAME
+static ERR_STRING_DATA UBSEC_lib_name[]=
+        {
+{0      ,UBSEC_LIB_NAME},
+{0,NULL}
+        };
+#endif
+
+
+static int UBSEC_lib_error_code=0;
+static int UBSEC_error_init=1;
+
+static void ERR_load_UBSEC_strings(void)
+        {
+        if (UBSEC_lib_error_code == 0)
+                UBSEC_lib_error_code=ERR_get_next_error_library();
+
+        if (UBSEC_error_init)
+                {
+                UBSEC_error_init=0;
+#ifndef OPENSSL_NO_ERR
+                ERR_load_strings(UBSEC_lib_error_code,UBSEC_str_functs);
+                ERR_load_strings(UBSEC_lib_error_code,UBSEC_str_reasons);
+#endif
+
+#ifdef UBSEC_LIB_NAME
+                UBSEC_lib_name->error = ERR_PACK(UBSEC_lib_error_code,0,0);
+                ERR_load_strings(0,UBSEC_lib_name);
+#endif
+                }
+        }
+
+static void ERR_unload_UBSEC_strings(void)
+        {
+        if (UBSEC_error_init == 0)
+                {
+#ifndef OPENSSL_NO_ERR
+                ERR_unload_strings(UBSEC_lib_error_code,UBSEC_str_functs);
+                ERR_unload_strings(UBSEC_lib_error_code,UBSEC_str_reasons);
+#endif
+
+#ifdef UBSEC_LIB_NAME
+                ERR_unload_strings(0,UBSEC_lib_name);
+#endif
+                UBSEC_error_init=1;
+                }
+        }
+
+static void ERR_UBSEC_error(int function, int reason, char *file, int line)
+        {
+        if (UBSEC_lib_error_code == 0)
+                UBSEC_lib_error_code=ERR_get_next_error_library();
+        ERR_PUT_error(UBSEC_lib_error_code,function,reason,file,line);
+        }
diff --git a/src/lib/libcrypto/engine/hw_ubsec_err.h b/src/lib/libcrypto/engine/hw_ubsec_err.h
new file mode 100644
index 0000000000..023d3be771
--- /dev/null
+++ b/src/lib/libcrypto/engine/hw_ubsec_err.h
@@ -0,0 +1,95 @@
+/* ====================================================================
+ * Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#ifndef HEADER_UBSEC_ERR_H
+#define HEADER_UBSEC_ERR_H
+
+/* BEGIN ERROR CODES */
+/* The following lines are auto generated by the script mkerr.pl. Any changes
+ * made after this point may be overwritten when the script is next run.
+ */
+static void ERR_load_UBSEC_strings(void);
+static void ERR_unload_UBSEC_strings(void);
+static void ERR_UBSEC_error(int function, int reason, char *file, int line);
+#define UBSECerr(f,r) ERR_UBSEC_error((f),(r),__FILE__,__LINE__)
+
+/* Error codes for the UBSEC functions. */
+
+/* Function codes. */
+#define UBSEC_F_UBSEC_CTRL                               100
+#define UBSEC_F_UBSEC_DH_COMPUTE_KEY                     101
+#define UBSEC_F_UBSEC_DSA_SIGN                           102
+#define UBSEC_F_UBSEC_DSA_VERIFY                         103
+#define UBSEC_F_UBSEC_FINISH                             104
+#define UBSEC_F_UBSEC_INIT                               105
+#define UBSEC_F_UBSEC_MOD_EXP                            106
+#define UBSEC_F_UBSEC_RNG_BYTES                          107
+#define UBSEC_F_UBSEC_RSA_MOD_EXP                        108
+#define UBSEC_F_UBSEC_RSA_MOD_EXP_CRT                    109
+
+/* Reason codes. */
+#define UBSEC_R_ALREADY_LOADED                           100
+#define UBSEC_R_BN_EXPAND_FAIL                           101
+#define UBSEC_R_CTRL_COMMAND_NOT_IMPLEMENTED             102
+#define UBSEC_R_DSO_FAILURE                              103
+#define UBSEC_R_MISSING_KEY_COMPONENTS                   104
+#define UBSEC_R_NOT_LOADED                               105
+#define UBSEC_R_REQUEST_FAILED                           106
+#define UBSEC_R_SIZE_TOO_LARGE_OR_TOO_SMALL              107
+#define UBSEC_R_UNIT_FAILURE                             108
+
+#ifdef  __cplusplus
+}
+#endif
+#endif
diff --git a/src/lib/libcrypto/engine/tb_cipher.c b/src/lib/libcrypto/engine/tb_cipher.c
new file mode 100644
index 0000000000..c5a50fc910
--- /dev/null
+++ b/src/lib/libcrypto/engine/tb_cipher.c
@@ -0,0 +1,145 @@
+/* ====================================================================
+ * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <openssl/evp.h>
+#include <openssl/engine.h>
+#include "eng_int.h"
+
+/* If this symbol is defined then ENGINE_get_cipher_engine(), the function that
+ * is used by EVP to hook in cipher code and cache defaults (etc), will display
+ * brief debugging summaries to stderr with the 'nid'. */
+/* #define ENGINE_CIPHER_DEBUG */
+
+static ENGINE_TABLE *cipher_table = NULL;
+
+void ENGINE_unregister_ciphers(ENGINE *e)
+        {
+        engine_table_unregister(&cipher_table, e);
+        }
+
+static void engine_unregister_all_ciphers(void)
+        {
+        engine_table_cleanup(&cipher_table);
+        }
+
+int ENGINE_register_ciphers(ENGINE *e)
+        {
+        if(e->ciphers)
+                {
+                const int *nids;
+                int num_nids = e->ciphers(e, NULL, &nids, 0);
+                if(num_nids > 0)
+                        return engine_table_register(&cipher_table,
+                                        &engine_unregister_all_ciphers, e, nids,
+                                        num_nids, 0);
+                }
+        return 1;
+        }
+
+void ENGINE_register_all_ciphers()
+        {
+        ENGINE *e;
+
+        for(e=ENGINE_get_first() ; e ; e=ENGINE_get_next(e))
+                ENGINE_register_ciphers(e);
+        }
+
+int ENGINE_set_default_ciphers(ENGINE *e)
+        {
+        if(e->ciphers)
+                {
+                const int *nids;
+                int num_nids = e->ciphers(e, NULL, &nids, 0);
+                if(num_nids > 0)
+                        return engine_table_register(&cipher_table,
+                                        &engine_unregister_all_ciphers, e, nids,
+                                        num_nids, 1);
+                }
+        return 1;
+        }
+
+/* Exposed API function to get a functional reference from the implementation
+ * table (ie. try to get a functional reference from the tabled structural
+ * references) for a given cipher 'nid' */
+ENGINE *ENGINE_get_cipher_engine(int nid)
+        {
+        return engine_table_select(&cipher_table, nid);
+        }
+
+/* Obtains a cipher implementation from an ENGINE functional reference */
+const EVP_CIPHER *ENGINE_get_cipher(ENGINE *e, int nid)
+        {
+        const EVP_CIPHER *ret;
+        ENGINE_CIPHERS_PTR fn = ENGINE_get_ciphers(e);
+        if(!fn || !fn(e, &ret, NULL, nid))
+                {
+                ENGINEerr(ENGINE_F_ENGINE_GET_CIPHER,
+                                ENGINE_R_UNIMPLEMENTED_CIPHER);
+                return NULL;
+                }
+        return ret;
+        }
+
+/* Gets the cipher callback from an ENGINE structure */
+ENGINE_CIPHERS_PTR ENGINE_get_ciphers(const ENGINE *e)
+        {
+        return e->ciphers;
+        }
+
+/* Sets the cipher callback in an ENGINE structure */
+int ENGINE_set_ciphers(ENGINE *e, ENGINE_CIPHERS_PTR f)
+        {
+        e->ciphers = f;
+        return 1;
+        }
diff --git a/src/lib/libcrypto/engine/tb_dh.c b/src/lib/libcrypto/engine/tb_dh.c
new file mode 100644
index 0000000000..c9347235ea
--- /dev/null
+++ b/src/lib/libcrypto/engine/tb_dh.c
@@ -0,0 +1,120 @@
+/* ====================================================================
+ * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <openssl/evp.h>
+#include <openssl/engine.h>
+#include "eng_int.h"
+
+/* If this symbol is defined then ENGINE_get_default_DH(), the function that is
+ * used by DH to hook in implementation code and cache defaults (etc), will
+ * display brief debugging summaries to stderr with the 'nid'. */
+/* #define ENGINE_DH_DEBUG */
+
+static ENGINE_TABLE *dh_table = NULL;
+static const int dummy_nid = 1;
+
+void ENGINE_unregister_DH(ENGINE *e)
+        {
+        engine_table_unregister(&dh_table, e);
+        }
+
+static void engine_unregister_all_DH(void)
+        {
+        engine_table_cleanup(&dh_table);
+        }
+
+int ENGINE_register_DH(ENGINE *e)
+        {
+        if(e->dh_meth)
+                return engine_table_register(&dh_table,
+                                &engine_unregister_all_DH, e, &dummy_nid, 1, 0);
+        return 1;
+        }
+
+void ENGINE_register_all_DH()
+        {
+        ENGINE *e;
+
+        for(e=ENGINE_get_first() ; e ; e=ENGINE_get_next(e))
+                ENGINE_register_DH(e);
+        }
+
+int ENGINE_set_default_DH(ENGINE *e)
+        {
+        if(e->dh_meth)
+                return engine_table_register(&dh_table,
+                                &engine_unregister_all_DH, e, &dummy_nid, 1, 1);
+        return 1;
+        }
+
+/* Exposed API function to get a functional reference from the implementation
+ * table (ie. try to get a functional reference from the tabled structural
+ * references). */
+ENGINE *ENGINE_get_default_DH(void)
+        {
+        return engine_table_select(&dh_table, dummy_nid);
+        }
+
+/* Obtains an DH implementation from an ENGINE functional reference */
+const DH_METHOD *ENGINE_get_DH(const ENGINE *e)
+        {
+        return e->dh_meth;
+        }
+
+/* Sets an DH implementation in an ENGINE structure */
+int ENGINE_set_DH(ENGINE *e, const DH_METHOD *dh_meth)
+        {
+        e->dh_meth = dh_meth;
+        return 1;
+        }
diff --git a/src/lib/libcrypto/engine/tb_digest.c b/src/lib/libcrypto/engine/tb_digest.c
new file mode 100644
index 0000000000..2c4dd6f796
--- /dev/null
+++ b/src/lib/libcrypto/engine/tb_digest.c
@@ -0,0 +1,145 @@
+/* ====================================================================
+ * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <openssl/evp.h>
+#include <openssl/engine.h>
+#include "eng_int.h"
+
+/* If this symbol is defined then ENGINE_get_digest_engine(), the function that
+ * is used by EVP to hook in digest code and cache defaults (etc), will display
+ * brief debugging summaries to stderr with the 'nid'. */
+/* #define ENGINE_DIGEST_DEBUG */
+
+static ENGINE_TABLE *digest_table = NULL;
+
+void ENGINE_unregister_digests(ENGINE *e)
+        {
+        engine_table_unregister(&digest_table, e);
+        }
+
+static void engine_unregister_all_digests(void)
+        {
+        engine_table_cleanup(&digest_table);
+        }
+
+int ENGINE_register_digests(ENGINE *e)
+        {
+        if(e->digests)
+                {
+                const int *nids;
+                int num_nids = e->digests(e, NULL, &nids, 0);
+                if(num_nids > 0)
+                        return engine_table_register(&digest_table,
+                                        &engine_unregister_all_digests, e, nids,
+                                        num_nids, 0);
+                }
+        return 1;
+        }
+
+void ENGINE_register_all_digests()
+        {
+        ENGINE *e;
+
+        for(e=ENGINE_get_first() ; e ; e=ENGINE_get_next(e))
+                ENGINE_register_digests(e);
+        }
+
+int ENGINE_set_default_digests(ENGINE *e)
+        {
+        if(e->digests)
+                {
+                const int *nids;
+                int num_nids = e->digests(e, NULL, &nids, 0);
+                if(num_nids > 0)
+                        return engine_table_register(&digest_table,
+                                        &engine_unregister_all_digests, e, nids,
+                                        num_nids, 1);
+                }
+        return 1;
+        }
+
+/* Exposed API function to get a functional reference from the implementation
+ * table (ie. try to get a functional reference from the tabled structural
+ * references) for a given digest 'nid' */
+ENGINE *ENGINE_get_digest_engine(int nid)
+        {
+        return engine_table_select(&digest_table, nid);
+        }
+
+/* Obtains a digest implementation from an ENGINE functional reference */
+const EVP_MD *ENGINE_get_digest(ENGINE *e, int nid)
+        {
+        const EVP_MD *ret;
+        ENGINE_DIGESTS_PTR fn = ENGINE_get_digests(e);
+        if(!fn || !fn(e, &ret, NULL, nid))
+                {
+                ENGINEerr(ENGINE_F_ENGINE_GET_DIGEST,
+                                ENGINE_R_UNIMPLEMENTED_DIGEST);
+                return NULL;
+                }
+        return ret;
+        }
+
+/* Gets the digest callback from an ENGINE structure */
+ENGINE_DIGESTS_PTR ENGINE_get_digests(const ENGINE *e)
+        {
+        return e->digests;
+        }
+
+/* Sets the digest callback in an ENGINE structure */
+int ENGINE_set_digests(ENGINE *e, ENGINE_DIGESTS_PTR f)
+        {
+        e->digests = f;
+        return 1;
+        }
diff --git a/src/lib/libcrypto/engine/tb_dsa.c b/src/lib/libcrypto/engine/tb_dsa.c
new file mode 100644
index 0000000000..e9209476b8
--- /dev/null
+++ b/src/lib/libcrypto/engine/tb_dsa.c
@@ -0,0 +1,120 @@
+/* ====================================================================
+ * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <openssl/evp.h>
+#include <openssl/engine.h>
+#include "eng_int.h"
+
+/* If this symbol is defined then ENGINE_get_default_DSA(), the function that is
+ * used by DSA to hook in implementation code and cache defaults (etc), will
+ * display brief debugging summaries to stderr with the 'nid'. */
+/* #define ENGINE_DSA_DEBUG */
+
+static ENGINE_TABLE *dsa_table = NULL;
+static const int dummy_nid = 1;
+
+void ENGINE_unregister_DSA(ENGINE *e)
+        {
+        engine_table_unregister(&dsa_table, e);
+        }
+
+static void engine_unregister_all_DSA(void)
+        {
+        engine_table_cleanup(&dsa_table);
+        }
+
+int ENGINE_register_DSA(ENGINE *e)
+        {
+        if(e->dsa_meth)
+                return engine_table_register(&dsa_table,
+                                &engine_unregister_all_DSA, e, &dummy_nid, 1, 0);
+        return 1;
+        }
+
+void ENGINE_register_all_DSA()
+        {
+        ENGINE *e;
+
+        for(e=ENGINE_get_first() ; e ; e=ENGINE_get_next(e))
+                ENGINE_register_DSA(e);
+        }
+
+int ENGINE_set_default_DSA(ENGINE *e)
+        {
+        if(e->dsa_meth)
+                return engine_table_register(&dsa_table,
+                                &engine_unregister_all_DSA, e, &dummy_nid, 1, 0);
+        return 1;
+        }
+
+/* Exposed API function to get a functional reference from the implementation
+ * table (ie. try to get a functional reference from the tabled structural
+ * references). */
+ENGINE *ENGINE_get_default_DSA(void)
+        {
+        return engine_table_select(&dsa_table, dummy_nid);
+        }
+
+/* Obtains an DSA implementation from an ENGINE functional reference */
+const DSA_METHOD *ENGINE_get_DSA(const ENGINE *e)
+        {
+        return e->dsa_meth;
+        }
+
+/* Sets an DSA implementation in an ENGINE structure */
+int ENGINE_set_DSA(ENGINE *e, const DSA_METHOD *dsa_meth)
+        {
+        e->dsa_meth = dsa_meth;
+        return 1;
+        }
diff --git a/src/lib/libcrypto/engine/tb_rand.c b/src/lib/libcrypto/engine/tb_rand.c
new file mode 100644
index 0000000000..0b1d031f1e
--- /dev/null
+++ b/src/lib/libcrypto/engine/tb_rand.c
@@ -0,0 +1,120 @@
+/* ====================================================================
+ * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <openssl/evp.h>
+#include <openssl/engine.h>
+#include "eng_int.h"
+
+/* If this symbol is defined then ENGINE_get_default_RAND(), the function that is
+ * used by RAND to hook in implementation code and cache defaults (etc), will
+ * display brief debugging summaries to stderr with the 'nid'. */
+/* #define ENGINE_RAND_DEBUG */
+
+static ENGINE_TABLE *rand_table = NULL;
+static const int dummy_nid = 1;
+
+void ENGINE_unregister_RAND(ENGINE *e)
+        {
+        engine_table_unregister(&rand_table, e);
+        }
+
+static void engine_unregister_all_RAND(void)
+        {
+        engine_table_cleanup(&rand_table);
+        }
+
+int ENGINE_register_RAND(ENGINE *e)
+        {
+        if(e->rand_meth)
+                return engine_table_register(&rand_table,
+                                &engine_unregister_all_RAND, e, &dummy_nid, 1, 0);
+        return 1;
+        }
+
+void ENGINE_register_all_RAND()
+        {
+        ENGINE *e;
+
+        for(e=ENGINE_get_first() ; e ; e=ENGINE_get_next(e))
+                ENGINE_register_RAND(e);
+        }
+
+int ENGINE_set_default_RAND(ENGINE *e)
+        {
+        if(e->rand_meth)
+                return engine_table_register(&rand_table,
+                                &engine_unregister_all_RAND, e, &dummy_nid, 1, 1);
+        return 1;
+        }
+
+/* Exposed API function to get a functional reference from the implementation
+ * table (ie. try to get a functional reference from the tabled structural
+ * references). */
+ENGINE *ENGINE_get_default_RAND(void)
+        {
+        return engine_table_select(&rand_table, dummy_nid);
+        }
+
+/* Obtains an RAND implementation from an ENGINE functional reference */
+const RAND_METHOD *ENGINE_get_RAND(const ENGINE *e)
+        {
+        return e->rand_meth;
+        }
+
+/* Sets an RAND implementation in an ENGINE structure */
+int ENGINE_set_RAND(ENGINE *e, const RAND_METHOD *rand_meth)
+        {
+        e->rand_meth = rand_meth;
+        return 1;
+        }
diff --git a/src/lib/libcrypto/engine/tb_rsa.c b/src/lib/libcrypto/engine/tb_rsa.c
new file mode 100644
index 0000000000..f84fea3968
--- /dev/null
+++ b/src/lib/libcrypto/engine/tb_rsa.c
@@ -0,0 +1,120 @@
+/* ====================================================================
+ * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <openssl/evp.h>
+#include <openssl/engine.h>
+#include "eng_int.h"
+
+/* If this symbol is defined then ENGINE_get_default_RSA(), the function that is
+ * used by RSA to hook in implementation code and cache defaults (etc), will
+ * display brief debugging summaries to stderr with the 'nid'. */
+/* #define ENGINE_RSA_DEBUG */
+
+static ENGINE_TABLE *rsa_table = NULL;
+static const int dummy_nid = 1;
+
+void ENGINE_unregister_RSA(ENGINE *e)
+        {
+        engine_table_unregister(&rsa_table, e);
+        }
+
+static void engine_unregister_all_RSA(void)
+        {
+        engine_table_cleanup(&rsa_table);
+        }
+
+int ENGINE_register_RSA(ENGINE *e)
+        {
+        if(e->rsa_meth)
+                return engine_table_register(&rsa_table,
+                                &engine_unregister_all_RSA, e, &dummy_nid, 1, 0);
+        return 1;
+        }
+
+void ENGINE_register_all_RSA()
+        {
+        ENGINE *e;
+
+        for(e=ENGINE_get_first() ; e ; e=ENGINE_get_next(e))
+                ENGINE_register_RSA(e);
+        }
+
+int ENGINE_set_default_RSA(ENGINE *e)
+        {
+        if(e->rsa_meth)
+                return engine_table_register(&rsa_table,
+                                &engine_unregister_all_RSA, e, &dummy_nid, 1, 1);
+        return 1;
+        }
+
+/* Exposed API function to get a functional reference from the implementation
+ * table (ie. try to get a functional reference from the tabled structural
+ * references). */
+ENGINE *ENGINE_get_default_RSA(void)
+        {
+        return engine_table_select(&rsa_table, dummy_nid);
+        }
+
+/* Obtains an RSA implementation from an ENGINE functional reference */
+const RSA_METHOD *ENGINE_get_RSA(const ENGINE *e)
+        {
+        return e->rsa_meth;
+        }
+
+/* Sets an RSA implementation in an ENGINE structure */
+int ENGINE_set_RSA(ENGINE *e, const RSA_METHOD *rsa_meth)
+        {
+        e->rsa_meth = rsa_meth;
+        return 1;
+        }
diff --git a/src/lib/libcrypto/engine/vendor_defns/aep.h b/src/lib/libcrypto/engine/vendor_defns/aep.h
new file mode 100644
index 0000000000..2b2792d2d6
--- /dev/null
+++ b/src/lib/libcrypto/engine/vendor_defns/aep.h
@@ -0,0 +1,178 @@
+/* This header declares the necessary definitions for using the exponentiation
+ * acceleration capabilities, and rnd number generation of the AEP card. 
+ *
+ */
+
+/*
+ *
+ * Some AEP defines
+ *
+ */
+
+/*Successful return value*/
+#define AEP_R_OK                                0x00000000
+
+/*Miscelleanous unsuccessful return value*/
+#define AEP_R_GENERAL_ERROR                     0x10000001
+
+/*Insufficient host memory*/
+#define AEP_R_HOST_MEMORY                       0x10000002
+
+#define AEP_R_FUNCTION_FAILED                   0x10000006
+
+/*Invalid arguments in function call*/
+#define AEP_R_ARGUMENTS_BAD                     0x10020000
+
+#define AEP_R_NO_TARGET_RESOURCES                               0x10030000
+
+/*Error occuring on socket operation*/
+#define AEP_R_SOCKERROR                                                 0x10000010
+
+/*Socket has been closed from the other end*/
+#define AEP_R_SOCKEOF                                                   0x10000011
+
+/*Invalid handles*/
+#define AEP_R_CONNECTION_HANDLE_INVALID         0x100000B3
+
+#define AEP_R_TRANSACTION_HANDLE_INVALID                0x10040000
+
+/*Transaction has not yet returned from accelerator*/
+#define AEP_R_TRANSACTION_NOT_READY                             0x00010000
+
+/*There is already a thread waiting on this transaction*/
+#define AEP_R_TRANSACTION_CLAIMED                               0x10050000
+
+/*The transaction timed out*/
+#define AEP_R_TIMED_OUT                                                 0x10060000
+
+#define AEP_R_FXN_NOT_IMPLEMENTED                               0x10070000
+
+#define AEP_R_TARGET_ERROR                                              0x10080000
+
+/*Error in the AEP daemon process*/
+#define AEP_R_DAEMON_ERROR                                              0x10090000
+
+/*Invalid ctx id*/
+#define AEP_R_INVALID_CTX_ID                                    0x10009000
+
+#define AEP_R_NO_KEY_MANAGER                                    0x1000a000
+
+/*Error obtaining a mutex*/
+#define AEP_R_MUTEX_BAD                         0x000001A0
+
+/*Fxn call before AEP_Initialise ot after AEP_Finialise*/
+#define AEP_R_AEPAPI_NOT_INITIALIZED                    0x10000190
+
+/*AEP_Initialise has already been called*/
+#define AEP_R_AEPAPI_ALREADY_INITIALIZED                0x10000191
+
+/*Maximum number of connections to daemon reached*/
+#define AEP_R_NO_MORE_CONNECTION_HNDLS                  0x10000200
+
+/*
+ *
+ * Some AEP Type definitions
+ *
+ */
+
+/* an unsigned 8-bit value */
+typedef unsigned char                           AEP_U8;
+
+/* an unsigned 8-bit character */
+typedef char                                    AEP_CHAR;
+
+/* a BYTE-sized Boolean flag */
+typedef AEP_U8                                  AEP_BBOOL;
+
+/*Unsigned value, at least 16 bits long*/
+typedef unsigned short                          AEP_U16;
+
+/* an unsigned value, at least 32 bits long */
+#ifdef SIXTY_FOUR_BIT_LONG
+typedef unsigned int                            AEP_U32;
+#else
+typedef unsigned long                           AEP_U32;
+#endif
+
+#ifdef SIXTY_FOUR_BIT_LONG
+typedef unsigned long                           AEP_U64;
+#else
+typedef struct { unsigned long l1, l2; }        AEP_U64;
+#endif
+
+/* at least 32 bits; each bit is a Boolean flag */
+typedef AEP_U32                 AEP_FLAGS;
+
+typedef AEP_U8          *AEP_U8_PTR;
+typedef AEP_CHAR        *AEP_CHAR_PTR;
+typedef AEP_U32                 *AEP_U32_PTR;
+typedef AEP_U64                 *AEP_U64_PTR;
+typedef void            *AEP_VOID_PTR;
+
+/* Pointer to a AEP_VOID_PTR-- i.e., pointer to pointer to void */
+typedef AEP_VOID_PTR    *AEP_VOID_PTR_PTR;
+
+/*Used to identify an AEP connection handle*/
+typedef AEP_U32                                 AEP_CONNECTION_HNDL;
+
+/*Pointer to an AEP connection handle*/
+typedef AEP_CONNECTION_HNDL     *AEP_CONNECTION_HNDL_PTR;
+
+/*Used by an application (in conjunction with the apps process id) to 
+identify an individual transaction*/
+typedef AEP_U32                                 AEP_TRANSACTION_ID;
+
+/*Pointer to an applications transaction identifier*/
+typedef AEP_TRANSACTION_ID              *AEP_TRANSACTION_ID_PTR;
+
+/*Return value type*/
+typedef AEP_U32                                 AEP_RV;
+
+#define MAX_PROCESS_CONNECTIONS 256
+
+#define RAND_BLK_SIZE 1024
+
+typedef enum{
+        NotConnected=   0,
+        Connected=              1,
+        InUse=                  2
+} AEP_CONNECTION_STATE;
+
+
+typedef struct AEP_CONNECTION_ENTRY{
+        AEP_CONNECTION_STATE    conn_state;
+        AEP_CONNECTION_HNDL     conn_hndl;
+} AEP_CONNECTION_ENTRY;
+
+
+typedef AEP_RV t_AEP_OpenConnection(AEP_CONNECTION_HNDL_PTR phConnection);
+typedef AEP_RV t_AEP_CloseConnection(AEP_CONNECTION_HNDL hConnection);
+
+typedef AEP_RV t_AEP_ModExp(AEP_CONNECTION_HNDL hConnection,
+                            AEP_VOID_PTR pA, AEP_VOID_PTR pP,
+                            AEP_VOID_PTR pN,
+                            AEP_VOID_PTR pResult,
+                            AEP_TRANSACTION_ID* pidTransID);
+
+typedef AEP_RV t_AEP_ModExpCrt(AEP_CONNECTION_HNDL hConnection,
+                               AEP_VOID_PTR pA, AEP_VOID_PTR pP,
+                               AEP_VOID_PTR pQ,
+                               AEP_VOID_PTR pDmp1, AEP_VOID_PTR pDmq1,
+                               AEP_VOID_PTR pIqmp,
+                               AEP_VOID_PTR pResult,
+                               AEP_TRANSACTION_ID* pidTransID);
+
+#ifdef AEPRAND
+typedef AEP_RV t_AEP_GenRandom(AEP_CONNECTION_HNDL hConnection,
+                               AEP_U32 Len,
+                               AEP_U32 Type,
+                               AEP_VOID_PTR pResult,
+                               AEP_TRANSACTION_ID* pidTransID);
+#endif
+
+typedef AEP_RV t_AEP_Initialize(AEP_VOID_PTR pInitArgs);
+typedef AEP_RV t_AEP_Finalize();
+typedef AEP_RV t_AEP_SetBNCallBacks(AEP_RV (*GetBigNumSizeFunc)(),
+                                    AEP_RV (*MakeAEPBigNumFunc)(),
+                                    AEP_RV (*ConverAEPBigNumFunc)());
+
diff --git a/src/lib/libcrypto/engine/vendor_defns/atalla.h b/src/lib/libcrypto/engine/vendor_defns/atalla.h
index 8111649c54..149970d441 100644
--- a/src/lib/libcrypto/engine/vendor_defns/atalla.h
+++ b/src/lib/libcrypto/engine/vendor_defns/atalla.h
@@ -46,16 +46,3 @@ typedef int tfnASI_RSAPrivateKeyOpFn(RSAPrivateKey * rsaKey,
                                         unsigned char *input,
                                         unsigned int modulus_len);
 
-/* These are the static string constants for the DSO file name and the function
- * symbol names to bind to. Regrettably, the DSO name on *nix appears to be
- * "atasi.so" rather than something more consistent like "libatasi.so". At the
- * time of writing, I'm not sure what the file name on win32 is but clearly
- * native name translation is not possible (eg libatasi.so on *nix, and
- * atasi.dll on win32). For the purposes of testing, I have created a symbollic
- * link called "libatasi.so" so that we can use native name-translation - a
- * better solution will be needed. */
-static const char *ATALLA_LIBNAME = "atasi";
-static const char *ATALLA_F1 = "ASI_GetHardwareConfig";
-static const char *ATALLA_F2 = "ASI_RSAPrivateKeyOpFn";
-static const char *ATALLA_F3 = "ASI_GetPerformanceStatistics";
-
diff --git a/src/lib/libcrypto/engine/vendor_defns/cswift.h b/src/lib/libcrypto/engine/vendor_defns/cswift.h
index 0af14a1a92..60079326bb 100644
--- a/src/lib/libcrypto/engine/vendor_defns/cswift.h
+++ b/src/lib/libcrypto/engine/vendor_defns/cswift.h
@@ -32,12 +32,12 @@ typedef __uint32_t        SW_U32;
 typedef unsigned long     SW_U32;                 /* 32 bit integer   */
 #endif
  
-#if defined(WIN32)
+#if defined(OPENSSL_SYS_WIN32)
   typedef struct _SW_U64 {
       SW_U32 low32;
       SW_U32 high32;
   } SW_U64;                                         /* 64 bit integer   */
-#elif defined(MAC)
+#elif defined(OPENSSL_SYS_MACINTOSH_CLASSIC)
   typedef longlong SW_U64
 #else /* Unix variants */
   typedef struct _SW_U64 {
@@ -156,6 +156,27 @@ typedef struct _SW_LARGENUMBER {
                             /*   bytes in network (big endian) order  */
 } SW_LARGENUMBER;               
 
+#if defined(OPENSSL_SYS_WIN32)
+    #include <windows.h>
+    typedef HANDLE          SW_OSHANDLE;          /* handle to kernel object */
+    #define SW_OS_INVALID_HANDLE  INVALID_HANDLE_VALUE
+    #define SW_CALLCONV _stdcall
+#elif defined(OPENSSL_SYS_MACINTOSH_CLASSIC)
+    /* async callback mechanisms */
+    /* swiftCallbackLevel */
+    #define SW_MAC_CALLBACK_LEVEL_NO         0          
+    #define SW_MAC_CALLBACK_LEVEL_HARDWARE   1  /* from the hardware ISR */
+    #define SW_MAC_CALLBACK_LEVEL_SECONDARY  2  /* as secondary ISR */
+    typedef int             SW_MAC_CALLBACK_LEVEL;
+    typedef int             SW_OSHANDLE;
+    #define SW_OS_INVALID_HANDLE  (-1)
+    #define SW_CALLCONV
+#else /* Unix variants */
+    typedef int             SW_OSHANDLE;          /* handle to driver */
+    #define SW_OS_INVALID_HANDLE  (-1)
+    #define SW_CALLCONV
+#endif 
+
 typedef struct _SW_CRT {
     SW_LARGENUMBER  p;      /* prime number p                         */
     SW_LARGENUMBER  q;      /* prime number q                         */
@@ -196,16 +217,16 @@ typedef SW_U32 SW_CONTEXT_HANDLE; /* opaque context handle */
 
 /* Now the OpenSSL bits, these function types are the for the function
  * pointers that will bound into the Rainbow shared libraries. */
-typedef SW_STATUS t_swAcquireAccContext(SW_CONTEXT_HANDLE *hac);
-typedef SW_STATUS t_swAttachKeyParam(SW_CONTEXT_HANDLE hac,
-                                SW_PARAM *key_params);
-typedef SW_STATUS t_swSimpleRequest(SW_CONTEXT_HANDLE hac,
-                                SW_COMMAND_CODE cmd,
-                                SW_LARGENUMBER pin[],
-                                SW_U32 pin_count,
-                                SW_LARGENUMBER pout[],
-                                SW_U32 pout_count);
-typedef SW_STATUS t_swReleaseAccContext(SW_CONTEXT_HANDLE hac);
+typedef SW_STATUS SW_CALLCONV t_swAcquireAccContext(SW_CONTEXT_HANDLE *hac);
+typedef SW_STATUS SW_CALLCONV t_swAttachKeyParam(SW_CONTEXT_HANDLE hac,
+                                                SW_PARAM *key_params);
+typedef SW_STATUS SW_CALLCONV t_swSimpleRequest(SW_CONTEXT_HANDLE hac,
+                                                SW_COMMAND_CODE cmd,
+                                                SW_LARGENUMBER pin[],
+                                                SW_U32 pin_count,
+                                                SW_LARGENUMBER pout[],
+                                                SW_U32 pout_count);
+typedef SW_STATUS SW_CALLCONV t_swReleaseAccContext(SW_CONTEXT_HANDLE hac);
 
 #ifdef __cplusplus
 }
diff --git a/src/lib/libcrypto/engine/vendor_defns/hw_4758_cca.h b/src/lib/libcrypto/engine/vendor_defns/hw_4758_cca.h
new file mode 100644
index 0000000000..296636e81a
--- /dev/null
+++ b/src/lib/libcrypto/engine/vendor_defns/hw_4758_cca.h
@@ -0,0 +1,149 @@
+/**********************************************************************/
+/*                                                                    */
+/*  Prototypes of the CCA verbs used by the 4758 CCA openssl driver   */
+/*                                                                    */
+/*  Maurice Gittens <maurice@gittens.nl>                              */
+/*                                                                    */
+/**********************************************************************/
+
+#ifndef __HW_4758_CCA__
+#define __HW_4758_CCA__
+
+/*
+ *  Only WIN32 support for now
+ */
+#if defined(WIN32)
+
+  #define CCA_LIB_NAME "CSUNSAPI"
+
+  #define CSNDPKX   "CSNDPKX_32"
+  #define CSNDKRR   "CSNDKRR_32"
+  #define CSNDPKE   "CSNDPKE_32"
+  #define CSNDPKD   "CSNDPKD_32"
+  #define CSNDDSV   "CSNDDSV_32"
+  #define CSNDDSG   "CSNDDSG_32"
+  #define CSNBRNG   "CSNBRNG_32"
+
+  #define SECURITYAPI __stdcall
+#else
+    /* Fixme!!         
+      Find out the values of these constants for other platforms.
+    */
+  #define CCA_LIB_NAME "CSUNSAPI"
+
+  #define CSNDPKX   "CSNDPKX"
+  #define CSNDKRR   "CSNDKRR"
+  #define CSNDPKE   "CSNDPKE"
+  #define CSNDPKD   "CSNDPKD"
+  #define CSNDDSV   "CSNDDSV"
+  #define CSNDDSG   "CSNDDSG"
+  #define CSNBRNG   "CSNBRNG"
+
+  #define SECURITYAPI
+#endif
+
+/*
+ * security API prototypes
+ */
+
+/* PKA Key Record Read */
+typedef void (SECURITYAPI *F_KEYRECORDREAD)
+             (long          * return_code,
+              long          * reason_code,
+              long          * exit_data_length,
+              unsigned char * exit_data,
+              long          * rule_array_count,
+              unsigned char * rule_array,
+              unsigned char * key_label,
+              long          * key_token_length,
+              unsigned char * key_token);
+
+/* Random Number Generate */
+typedef void (SECURITYAPI *F_RANDOMNUMBERGENERATE)
+             (long          * return_code,
+              long          * reason_code,
+              long          * exit_data_length,
+              unsigned char * exit_data,
+              unsigned char * form,
+              unsigned char * random_number);
+
+/* Digital Signature Generate */
+typedef void (SECURITYAPI *F_DIGITALSIGNATUREGENERATE)
+             (long          * return_code,
+              long          * reason_code,
+              long          * exit_data_length,
+              unsigned char * exit_data,
+              long          * rule_array_count,
+              unsigned char * rule_array,
+              long          * PKA_private_key_id_length,
+              unsigned char * PKA_private_key_id,
+              long          * hash_length,
+              unsigned char * hash,
+              long          * signature_field_length,
+              long          * signature_bit_length,
+              unsigned char * signature_field);
+
+/* Digital Signature Verify */
+typedef void (SECURITYAPI *F_DIGITALSIGNATUREVERIFY)(
+              long          * return_code,
+              long          * reason_code,
+              long          * exit_data_length,
+              unsigned char * exit_data,
+              long          * rule_array_count,
+              unsigned char * rule_array,
+              long          * PKA_public_key_id_length,
+              unsigned char * PKA_public_key_id,
+              long          * hash_length,
+              unsigned char * hash,
+              long          * signature_field_length,
+              unsigned char * signature_field);
+
+/* PKA Public Key Extract */
+typedef void (SECURITYAPI *F_PUBLICKEYEXTRACT)(
+              long          * return_code,
+              long          * reason_code,
+              long          * exit_data_length,
+              unsigned char * exit_data,
+              long          * rule_array_count,
+              unsigned char * rule_array,
+              long          * source_key_identifier_length,
+              unsigned char * source_key_identifier,
+              long          * target_key_token_length,
+              unsigned char * target_key_token);
+
+/* PKA Encrypt */
+typedef void   (SECURITYAPI *F_PKAENCRYPT)
+               (long          *  return_code,
+                 long          *  reason_code,
+                 long          *  exit_data_length,
+                 unsigned char *  exit_data,
+                 long          *  rule_array_count,
+                 unsigned char *  rule_array,
+                 long          *  key_value_length,
+                 unsigned char *  key_value,
+                 long          *  data_struct_length,
+                 unsigned char *  data_struct,
+                 long          *  RSA_public_key_length,
+                 unsigned char *  RSA_public_key,
+                 long          *  RSA_encipher_length,
+                 unsigned char *  RSA_encipher );
+
+/* PKA Decrypt */
+typedef void    (SECURITYAPI *F_PKADECRYPT)
+                (long          *  return_code,
+                 long          *  reason_code,
+                 long          *  exit_data_length,
+                 unsigned char *  exit_data,
+                 long          *  rule_array_count,
+                 unsigned char *  rule_array,
+                 long          *  enciphered_key_length,
+                 unsigned char *  enciphered_key,
+                 long          *  data_struct_length,
+                 unsigned char *  data_struct,
+                 long          *  RSA_private_key_length,
+                 unsigned char *  RSA_private_key,
+                 long          *  key_value_length,
+                 unsigned char *  key_value    );
+
+
+#endif
diff --git a/src/lib/libcrypto/err/Makefile.ssl b/src/lib/libcrypto/err/Makefile.ssl
index 58218d1cea..4e69b9fbab 100644
--- a/src/lib/libcrypto/err/Makefile.ssl
+++ b/src/lib/libcrypto/err/Makefile.ssl
@@ -5,13 +5,14 @@
 DIR=    err
 TOP=    ../..
 CC=     cc
-INCLUDES= -I.. -I../../include
+INCLUDES= -I.. -I$(TOP) -I../../include
 CFLAG=-g
 INSTALL_PREFIX=
 OPENSSLDIR=     /usr/local/ssl
 INSTALLTOP=/usr/local/ssl
 MAKE=           make -f Makefile.ssl
-MAKEDEPEND=     $(TOP)/util/domd $(TOP)
+MAKEDEPPROG=    makedepend
+MAKEDEPEND=     $(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)
 MAKEFILE=       Makefile.ssl
 AR=             ar r
 
@@ -39,8 +40,7 @@ all:	lib
 
 lib:    $(LIBOBJ)
         $(AR) $(LIB) $(LIBOBJ)
-        @echo You may get an error following this line.  Please ignore.
-        - $(RANLIB) $(LIB)
+        $(RANLIB) $(LIB) || echo Never mind.
         @touch lib
 
 files:
@@ -79,39 +79,34 @@ clean:
 
 # DO NOT DELETE THIS LINE -- make depend depends on it.
 
-err.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
-err.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
-err.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-err.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-err.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-err.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-err.o: ../cryptlib.h
+err.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/buffer.h
+err.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+err.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+err.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+err.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+err.o: ../../include/openssl/symhacks.h ../cryptlib.h err.c
 err_all.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-err_all.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-err_all.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+err_all.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
 err_all.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
-err_all.o: ../../include/openssl/des.h ../../include/openssl/dh.h
-err_all.o: ../../include/openssl/dsa.h ../../include/openssl/dso.h
-err_all.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-err_all.o: ../../include/openssl/engine.h ../../include/openssl/err.h
-err_all.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-err_all.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-err_all.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-err_all.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
-err_all.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-err_all.o: ../../include/openssl/opensslv.h ../../include/openssl/pem2.h
+err_all.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+err_all.o: ../../include/openssl/dso.h ../../include/openssl/e_os2.h
+err_all.o: ../../include/openssl/ec.h ../../include/openssl/engine.h
+err_all.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+err_all.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+err_all.o: ../../include/openssl/objects.h ../../include/openssl/ocsp.h
+err_all.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+err_all.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pem2.h
 err_all.o: ../../include/openssl/pkcs12.h ../../include/openssl/pkcs7.h
-err_all.o: ../../include/openssl/rand.h ../../include/openssl/rc2.h
-err_all.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-err_all.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+err_all.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h
 err_all.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
 err_all.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-err_all.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-err_all.o: ../../include/openssl/x509v3.h
-err_prn.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
-err_prn.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+err_all.o: ../../include/openssl/ui.h ../../include/openssl/x509.h
+err_all.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
+err_all.o: err_all.c
+err_prn.o: ../../e_os.h ../../include/openssl/bio.h
+err_prn.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 err_prn.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 err_prn.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
 err_prn.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
 err_prn.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-err_prn.o: ../cryptlib.h
+err_prn.o: ../cryptlib.h err_prn.c
diff --git a/src/lib/libcrypto/err/err.c b/src/lib/libcrypto/err/err.c
index 839f4ab81a..04773d65a6 100644
--- a/src/lib/libcrypto/err/err.c
+++ b/src/lib/libcrypto/err/err.c
@@ -56,7 +56,7 @@
  * [including the GNU Public Licence.]
  */
 /* ====================================================================
- * Copyright (c) 1998-2000 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -119,38 +119,28 @@
 #include <openssl/bio.h>
 #include <openssl/err.h>
 
+static void err_load_strings(int lib, ERR_STRING_DATA *str);
 
-static LHASH *error_hash=NULL;
-static LHASH *thread_hash=NULL;
-
-static unsigned long err_hash(ERR_STRING_DATA *a);
-static int err_cmp(ERR_STRING_DATA *a, ERR_STRING_DATA *b);
-static unsigned long pid_hash(ERR_STATE *pid);
-static int pid_cmp(ERR_STATE *a,ERR_STATE *pid);
-static unsigned long get_error_values(int inc,const char **file,int *line,
-                                      const char **data,int *flags);
 static void ERR_STATE_free(ERR_STATE *s);
-#ifndef NO_ERR
+#ifndef OPENSSL_NO_ERR
 static ERR_STRING_DATA ERR_str_libraries[]=
         {
 {ERR_PACK(ERR_LIB_NONE,0,0)             ,"unknown library"},
 {ERR_PACK(ERR_LIB_SYS,0,0)              ,"system library"},
 {ERR_PACK(ERR_LIB_BN,0,0)               ,"bignum routines"},
 {ERR_PACK(ERR_LIB_RSA,0,0)              ,"rsa routines"},
-{ERR_PACK(ERR_LIB_DSA,0,0)              ,"dsa routines"},
 {ERR_PACK(ERR_LIB_DH,0,0)               ,"Diffie-Hellman routines"},
 {ERR_PACK(ERR_LIB_EVP,0,0)              ,"digital envelope routines"},
 {ERR_PACK(ERR_LIB_BUF,0,0)              ,"memory buffer routines"},
-{ERR_PACK(ERR_LIB_BIO,0,0)              ,"BIO routines"},
 {ERR_PACK(ERR_LIB_OBJ,0,0)              ,"object identifier routines"},
 {ERR_PACK(ERR_LIB_PEM,0,0)              ,"PEM routines"},
-{ERR_PACK(ERR_LIB_ASN1,0,0)             ,"asn1 encoding routines"},
+{ERR_PACK(ERR_LIB_DSA,0,0)              ,"dsa routines"},
 {ERR_PACK(ERR_LIB_X509,0,0)             ,"x509 certificate routines"},
+{ERR_PACK(ERR_LIB_ASN1,0,0)             ,"asn1 encoding routines"},
 {ERR_PACK(ERR_LIB_CONF,0,0)             ,"configuration file routines"},
-{ERR_PACK(ERR_LIB_METH,0,0)             ,"X509 lookup 'method' routines"},
+{ERR_PACK(ERR_LIB_CRYPTO,0,0)           ,"common libcrypto routines"},
+{ERR_PACK(ERR_LIB_EC,0,0)               ,"elliptic curve routines"},
 {ERR_PACK(ERR_LIB_SSL,0,0)              ,"SSL routines"},
-{ERR_PACK(ERR_LIB_RSAREF,0,0)           ,"RSAref routines"},
-{ERR_PACK(ERR_LIB_PROXY,0,0)            ,"Proxy routines"},
 {ERR_PACK(ERR_LIB_BIO,0,0)              ,"BIO routines"},
 {ERR_PACK(ERR_LIB_PKCS7,0,0)            ,"PKCS7 routines"},
 {ERR_PACK(ERR_LIB_X509V3,0,0)           ,"X509 V3 routines"},
@@ -158,6 +148,7 @@ static ERR_STRING_DATA ERR_str_libraries[]=
 {ERR_PACK(ERR_LIB_RAND,0,0)             ,"random number generator"},
 {ERR_PACK(ERR_LIB_DSO,0,0)              ,"DSO support routines"},
 {ERR_PACK(ERR_LIB_ENGINE,0,0)           ,"engine routines"},
+{ERR_PACK(ERR_LIB_OCSP,0,0)             ,"OCSP routines"},
 {0,NULL},
         };
 
@@ -171,7 +162,7 @@ static ERR_STRING_DATA ERR_str_functs[]=
         {ERR_PACK(0,SYS_F_BIND,0),              "bind"},
         {ERR_PACK(0,SYS_F_LISTEN,0),            "listen"},
         {ERR_PACK(0,SYS_F_ACCEPT,0),            "accept"},
-#ifdef WINDOWS
+#ifdef OPENSSL_SYS_WINDOWS
         {ERR_PACK(0,SYS_F_WSASTARTUP,0),        "WSAstartup"},
 #endif
         {ERR_PACK(0,SYS_F_OPENDIR,0),           "opendir"},
@@ -180,41 +171,325 @@ static ERR_STRING_DATA ERR_str_functs[]=
 
 static ERR_STRING_DATA ERR_str_reasons[]=
         {
-{ERR_R_FATAL                             ,"fatal"},
 {ERR_R_SYS_LIB                          ,"system lib"},
 {ERR_R_BN_LIB                           ,"BN lib"},
 {ERR_R_RSA_LIB                          ,"RSA lib"},
 {ERR_R_DH_LIB                           ,"DH lib"},
 {ERR_R_EVP_LIB                          ,"EVP lib"},
 {ERR_R_BUF_LIB                          ,"BUF lib"},
-{ERR_R_BIO_LIB                          ,"BIO lib"},
 {ERR_R_OBJ_LIB                          ,"OBJ lib"},
 {ERR_R_PEM_LIB                          ,"PEM lib"},
+{ERR_R_DSA_LIB                          ,"DSA lib"},
 {ERR_R_X509_LIB                         ,"X509 lib"},
-{ERR_R_METH_LIB                         ,"METH lib"},
 {ERR_R_ASN1_LIB                         ,"ASN1 lib"},
 {ERR_R_CONF_LIB                         ,"CONF lib"},
+{ERR_R_CRYPTO_LIB                       ,"CRYPTO lib"},
+{ERR_R_EC_LIB                           ,"EC lib"},
 {ERR_R_SSL_LIB                          ,"SSL lib"},
-{ERR_R_PROXY_LIB                        ,"PROXY lib"},
 {ERR_R_BIO_LIB                          ,"BIO lib"},
 {ERR_R_PKCS7_LIB                        ,"PKCS7 lib"},
+{ERR_R_X509V3_LIB                       ,"X509V3 lib"},
 {ERR_R_PKCS12_LIB                       ,"PKCS12 lib"},
-{ERR_R_MALLOC_FAILURE                   ,"Malloc failure"},
-{ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED      ,"called a function you should not call"},
-{ERR_R_PASSED_NULL_PARAMETER            ,"passed a null parameter"},
+{ERR_R_RAND_LIB                         ,"RAND lib"},
+{ERR_R_DSO_LIB                          ,"DSO lib"},
+{ERR_R_ENGINE_LIB                       ,"ENGINE lib"},
+{ERR_R_OCSP_LIB                         ,"OCSP lib"},
+
 {ERR_R_NESTED_ASN1_ERROR                ,"nested asn1 error"},
 {ERR_R_BAD_ASN1_OBJECT_HEADER           ,"bad asn1 object header"},
 {ERR_R_BAD_GET_ASN1_OBJECT_CALL         ,"bad get asn1 object call"},
 {ERR_R_EXPECTING_AN_ASN1_SEQUENCE       ,"expecting an asn1 sequence"},
 {ERR_R_ASN1_LENGTH_MISMATCH             ,"asn1 length mismatch"},
 {ERR_R_MISSING_ASN1_EOS                 ,"missing asn1 eos"},
-{ERR_R_DSO_LIB                          ,"DSO lib"},
-{ERR_R_ENGINE_LIB                       ,"ENGINE lib"},
+
+{ERR_R_FATAL                            ,"fatal"},
+{ERR_R_MALLOC_FAILURE                   ,"malloc failure"},
+{ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED      ,"called a function you should not call"},
+{ERR_R_PASSED_NULL_PARAMETER            ,"passed a null parameter"},
+{ERR_R_INTERNAL_ERROR                   ,"internal error"},
 
 {0,NULL},
         };
 
 
+/* Define the predeclared (but externally opaque) "ERR_FNS" type */
+struct st_ERR_FNS
+        {
+        /* Works on the "error_hash" string table */
+        LHASH *(*cb_err_get)(int create);
+        void (*cb_err_del)(void);
+        ERR_STRING_DATA *(*cb_err_get_item)(const ERR_STRING_DATA *);
+        ERR_STRING_DATA *(*cb_err_set_item)(ERR_STRING_DATA *);
+        ERR_STRING_DATA *(*cb_err_del_item)(ERR_STRING_DATA *);
+        /* Works on the "thread_hash" error-state table */
+        LHASH *(*cb_thread_get)(int create);
+        ERR_STATE *(*cb_thread_get_item)(const ERR_STATE *);
+        ERR_STATE *(*cb_thread_set_item)(ERR_STATE *);
+        void (*cb_thread_del_item)(const ERR_STATE *);
+        /* Returns the next available error "library" numbers */
+        int (*cb_get_next_lib)(void);
+        };
+
+/* Predeclarations of the "err_defaults" functions */
+static LHASH *int_err_get(int create);
+static void int_err_del(void);
+static ERR_STRING_DATA *int_err_get_item(const ERR_STRING_DATA *);
+static ERR_STRING_DATA *int_err_set_item(ERR_STRING_DATA *);
+static ERR_STRING_DATA *int_err_del_item(ERR_STRING_DATA *);
+static LHASH *int_thread_get(int create);
+static ERR_STATE *int_thread_get_item(const ERR_STATE *);
+static ERR_STATE *int_thread_set_item(ERR_STATE *);
+static void int_thread_del_item(const ERR_STATE *);
+static int int_err_get_next_lib(void);
+/* The static ERR_FNS table using these defaults functions */
+static const ERR_FNS err_defaults =
+        {
+        int_err_get,
+        int_err_del,
+        int_err_get_item,
+        int_err_set_item,
+        int_err_del_item,
+        int_thread_get,
+        int_thread_get_item,
+        int_thread_set_item,
+        int_thread_del_item,
+        int_err_get_next_lib
+        };
+
+/* The replacable table of ERR_FNS functions we use at run-time */
+static const ERR_FNS *err_fns = NULL;
+
+/* Eg. rather than using "err_get()", use "ERRFN(err_get)()". */
+#define ERRFN(a) err_fns->cb_##a
+
+/* The internal state used by "err_defaults" - as such, the setting, reading,
+ * creating, and deleting of this data should only be permitted via the
+ * "err_defaults" functions. This way, a linked module can completely defer all
+ * ERR state operation (together with requisite locking) to the implementations
+ * and state in the loading application. */
+static LHASH *int_error_hash = NULL;
+static LHASH *int_thread_hash = NULL;
+static int int_err_library_number= ERR_LIB_USER;
+
+/* Internal function that checks whether "err_fns" is set and if not, sets it to
+ * the defaults. */
+static void err_fns_check(void)
+        {
+        if (err_fns) return;
+        
+        CRYPTO_w_lock(CRYPTO_LOCK_ERR);
+        if (!err_fns)
+                err_fns = &err_defaults;
+        CRYPTO_w_unlock(CRYPTO_LOCK_ERR);
+        }
+
+/* API functions to get or set the underlying ERR functions. */
+
+const ERR_FNS *ERR_get_implementation(void)
+        {
+        err_fns_check();
+        return err_fns;
+        }
+
+int ERR_set_implementation(const ERR_FNS *fns)
+        {
+        int ret = 0;
+
+        CRYPTO_w_lock(CRYPTO_LOCK_ERR);
+        /* It's too late if 'err_fns' is non-NULL. BTW: not much point setting
+         * an error is there?! */
+        if (!err_fns)
+                {
+                err_fns = fns;
+                ret = 1;
+                }
+        CRYPTO_w_unlock(CRYPTO_LOCK_ERR);
+        return ret;
+        }
+
+/* These are the callbacks provided to "lh_new()" when creating the LHASH tables
+ * internal to the "err_defaults" implementation. */
+
+/* static unsigned long err_hash(ERR_STRING_DATA *a); */
+static unsigned long err_hash(const void *a_void);
+/* static int err_cmp(ERR_STRING_DATA *a, ERR_STRING_DATA *b); */
+static int err_cmp(const void *a_void, const void *b_void);
+/* static unsigned long pid_hash(ERR_STATE *pid); */
+static unsigned long pid_hash(const void *pid_void);
+/* static int pid_cmp(ERR_STATE *a,ERR_STATE *pid); */
+static int pid_cmp(const void *a_void,const void *pid_void);
+static unsigned long get_error_values(int inc,int top,const char **file,int *line,
+                                      const char **data,int *flags);
+
+/* The internal functions used in the "err_defaults" implementation */
+
+static LHASH *int_err_get(int create)
+        {
+        LHASH *ret = NULL;
+
+        CRYPTO_w_lock(CRYPTO_LOCK_ERR);
+        if (!int_error_hash && create)
+                {
+                CRYPTO_push_info("int_err_get (err.c)");
+                int_error_hash = lh_new(err_hash, err_cmp);
+                CRYPTO_pop_info();
+                }
+        if (int_error_hash)
+                ret = int_error_hash;
+        CRYPTO_w_unlock(CRYPTO_LOCK_ERR);
+
+        return ret;
+        }
+
+static void int_err_del(void)
+        {
+        CRYPTO_w_lock(CRYPTO_LOCK_ERR);
+        if (int_error_hash)
+                {
+                lh_free(int_error_hash);
+                int_error_hash = NULL;
+                }
+        CRYPTO_w_unlock(CRYPTO_LOCK_ERR);
+        }
+
+static ERR_STRING_DATA *int_err_get_item(const ERR_STRING_DATA *d)
+        {
+        ERR_STRING_DATA *p;
+        LHASH *hash;
+
+        err_fns_check();
+        hash = ERRFN(err_get)(0);
+        if (!hash)
+                return NULL;
+
+        CRYPTO_r_lock(CRYPTO_LOCK_ERR);
+        p = (ERR_STRING_DATA *)lh_retrieve(hash, d);
+        CRYPTO_r_unlock(CRYPTO_LOCK_ERR);
+
+        return p;
+        }
+
+static ERR_STRING_DATA *int_err_set_item(ERR_STRING_DATA *d)
+        {
+        ERR_STRING_DATA *p;
+        LHASH *hash;
+
+        err_fns_check();
+        hash = ERRFN(err_get)(1);
+        if (!hash)
+                return NULL;
+
+        CRYPTO_w_lock(CRYPTO_LOCK_ERR);
+        p = (ERR_STRING_DATA *)lh_insert(hash, d);
+        CRYPTO_w_unlock(CRYPTO_LOCK_ERR);
+
+        return p;
+        }
+
+static ERR_STRING_DATA *int_err_del_item(ERR_STRING_DATA *d)
+        {
+        ERR_STRING_DATA *p;
+        LHASH *hash;
+
+        err_fns_check();
+        hash = ERRFN(err_get)(0);
+        if (!hash)
+                return NULL;
+
+        CRYPTO_w_lock(CRYPTO_LOCK_ERR);
+        p = (ERR_STRING_DATA *)lh_delete(hash, d);
+        CRYPTO_w_unlock(CRYPTO_LOCK_ERR);
+
+        return p;
+        }
+
+static LHASH *int_thread_get(int create)
+        {
+        LHASH *ret = NULL;
+
+        CRYPTO_w_lock(CRYPTO_LOCK_ERR);
+        if (!int_thread_hash && create)
+                {
+                CRYPTO_push_info("int_thread_get (err.c)");
+                int_thread_hash = lh_new(pid_hash, pid_cmp);
+                CRYPTO_pop_info();
+                }
+        if (int_thread_hash)
+                ret = int_thread_hash;
+        CRYPTO_w_unlock(CRYPTO_LOCK_ERR);
+        return ret;
+        }
+
+static ERR_STATE *int_thread_get_item(const ERR_STATE *d)
+        {
+        ERR_STATE *p;
+        LHASH *hash;
+
+        err_fns_check();
+        hash = ERRFN(thread_get)(0);
+        if (!hash)
+                return NULL;
+
+        CRYPTO_r_lock(CRYPTO_LOCK_ERR);
+        p = (ERR_STATE *)lh_retrieve(hash, d);
+        CRYPTO_r_unlock(CRYPTO_LOCK_ERR);
+
+        return p;
+        }
+
+static ERR_STATE *int_thread_set_item(ERR_STATE *d)
+        {
+        ERR_STATE *p;
+        LHASH *hash;
+
+        err_fns_check();
+        hash = ERRFN(thread_get)(1);
+        if (!hash)
+                return NULL;
+
+        CRYPTO_w_lock(CRYPTO_LOCK_ERR);
+        p = (ERR_STATE *)lh_insert(hash, d);
+        CRYPTO_w_unlock(CRYPTO_LOCK_ERR);
+
+        return p;
+        }
+
+static void int_thread_del_item(const ERR_STATE *d)
+        {
+        ERR_STATE *p;
+        LHASH *hash;
+
+        err_fns_check();
+        hash = ERRFN(thread_get)(0);
+        if (!hash)
+                return;
+
+        CRYPTO_w_lock(CRYPTO_LOCK_ERR);
+        p = (ERR_STATE *)lh_delete(hash, d);
+        /* make sure we don't leak memory */
+        if (int_thread_hash && (lh_num_items(int_thread_hash) == 0))
+                {
+                lh_free(int_thread_hash);
+                int_thread_hash = NULL;
+                }
+        CRYPTO_w_unlock(CRYPTO_LOCK_ERR);
+
+        if (p)
+                ERR_STATE_free(p);
+        }
+
+static int int_err_get_next_lib(void)
+        {
+        int ret;
+
+        CRYPTO_w_lock(CRYPTO_LOCK_ERR);
+        ret = int_err_library_number++;
+        CRYPTO_w_unlock(CRYPTO_LOCK_ERR);
+
+        return ret;
+        }
+
+
 #define NUM_SYS_STR_REASONS 127
 #define LEN_SYS_STR_REASON 32
 
@@ -233,8 +508,11 @@ static void build_SYS_str_reasons()
         /* OPENSSL_malloc cannot be used here, use static storage instead */
         static char strerror_tab[NUM_SYS_STR_REASONS][LEN_SYS_STR_REASON];
         int i;
+        static int init = 1;
+
+        if (!init) return;
 
-        CRYPTO_w_lock(CRYPTO_LOCK_ERR_HASH);
+        CRYPTO_w_lock(CRYPTO_LOCK_ERR);
 
         for (i = 1; i <= NUM_SYS_STR_REASONS; i++)
                 {
@@ -259,7 +537,9 @@ static void build_SYS_str_reasons()
         /* Now we still have SYS_str_reasons[NUM_SYS_STR_REASONS] = {0, NULL},
          * as required by ERR_load_strings. */
 
-        CRYPTO_w_unlock(CRYPTO_LOCK_ERR_HASH);
+        init = 0;
+        
+        CRYPTO_w_unlock(CRYPTO_LOCK_ERR);
         }
 #endif
 
@@ -276,7 +556,7 @@ static void ERR_STATE_free(ERR_STATE *s)
         {
         int i;
 
-        if(s == NULL)
+        if (s == NULL)
             return;
 
         for (i=0; i<ERR_NUM_ERRORS; i++)
@@ -288,66 +568,46 @@ static void ERR_STATE_free(ERR_STATE *s)
 
 void ERR_load_ERR_strings(void)
         {
-        static int init=1;
+        err_fns_check();
+#ifndef OPENSSL_NO_ERR
+        err_load_strings(0,ERR_str_libraries);
+        err_load_strings(0,ERR_str_reasons);
+        err_load_strings(ERR_LIB_SYS,ERR_str_functs);
+        build_SYS_str_reasons();
+        err_load_strings(ERR_LIB_SYS,SYS_str_reasons);
+#endif
+        }
 
-        if (init)
+static void err_load_strings(int lib, ERR_STRING_DATA *str)
+        {
+        while (str->error)
                 {
-                CRYPTO_w_lock(CRYPTO_LOCK_ERR);
-                if (init == 0)
-                        {
-                        CRYPTO_w_unlock(CRYPTO_LOCK_ERR);
-                        return;
-                        }
-                CRYPTO_w_unlock(CRYPTO_LOCK_ERR);
-
-#ifndef NO_ERR
-                ERR_load_strings(0,ERR_str_libraries);
-                ERR_load_strings(0,ERR_str_reasons);
-                ERR_load_strings(ERR_LIB_SYS,ERR_str_functs);
-                build_SYS_str_reasons();
-                ERR_load_strings(ERR_LIB_SYS,SYS_str_reasons);
-#endif
-                init=0;
+                str->error|=ERR_PACK(lib,0,0);
+                ERRFN(err_set_item)(str);
+                str++;
                 }
         }
 
 void ERR_load_strings(int lib, ERR_STRING_DATA *str)
         {
-        if (error_hash == NULL)
-                {
-                CRYPTO_w_lock(CRYPTO_LOCK_ERR_HASH);
-                error_hash=lh_new(err_hash,err_cmp);
-                if (error_hash == NULL)
-                        {
-                        CRYPTO_w_unlock(CRYPTO_LOCK_ERR_HASH);
-                        return;
-                        }
-                CRYPTO_w_unlock(CRYPTO_LOCK_ERR_HASH);
-
-                ERR_load_ERR_strings();
-                }
+        ERR_load_ERR_strings();
+        err_load_strings(lib, str);
+        }
 
-        CRYPTO_w_lock(CRYPTO_LOCK_ERR_HASH);
+void ERR_unload_strings(int lib, ERR_STRING_DATA *str)
+        {
         while (str->error)
                 {
                 str->error|=ERR_PACK(lib,0,0);
-                lh_insert(error_hash,str);
+                ERRFN(err_del_item)(str);
                 str++;
                 }
-        CRYPTO_w_unlock(CRYPTO_LOCK_ERR_HASH);
         }
 
 void ERR_free_strings(void)
         {
-        CRYPTO_w_lock(CRYPTO_LOCK_ERR);
-
-        if (error_hash != NULL)
-                {
-                lh_free(error_hash);
-                error_hash=NULL;
-                }
-
-        CRYPTO_w_unlock(CRYPTO_LOCK_ERR);
+        err_fns_check();
+        ERRFN(err_del)();
         }
 
 /********************************************************/
@@ -406,30 +666,40 @@ void ERR_clear_error(void)
 
 
 unsigned long ERR_get_error(void)
-        { return(get_error_values(1,NULL,NULL,NULL,NULL)); }
+        { return(get_error_values(1,0,NULL,NULL,NULL,NULL)); }
 
 unsigned long ERR_get_error_line(const char **file,
              int *line)
-        { return(get_error_values(1,file,line,NULL,NULL)); }
+        { return(get_error_values(1,0,file,line,NULL,NULL)); }
 
 unsigned long ERR_get_error_line_data(const char **file, int *line,
              const char **data, int *flags)
-        { return(get_error_values(1,file,line,
-             data,flags)); }
+        { return(get_error_values(1,0,file,line,data,flags)); }
+
 
 unsigned long ERR_peek_error(void)
-        { return(get_error_values(0,NULL,NULL,NULL,NULL)); }
+        { return(get_error_values(0,0,NULL,NULL,NULL,NULL)); }
 
-unsigned long ERR_peek_error_line(const char **file,
-             int *line)
-        { return(get_error_values(0,file,line,NULL,NULL)); }
+unsigned long ERR_peek_error_line(const char **file, int *line)
+        { return(get_error_values(0,0,file,line,NULL,NULL)); }
 
 unsigned long ERR_peek_error_line_data(const char **file, int *line,
              const char **data, int *flags)
-        { return(get_error_values(0,file,line,
-             data,flags)); }
+        { return(get_error_values(0,0,file,line,data,flags)); }
+
+
+unsigned long ERR_peek_last_error(void)
+        { return(get_error_values(0,1,NULL,NULL,NULL,NULL)); }
+
+unsigned long ERR_peek_last_error_line(const char **file, int *line)
+        { return(get_error_values(0,1,file,line,NULL,NULL)); }
+
+unsigned long ERR_peek_last_error_line_data(const char **file, int *line,
+             const char **data, int *flags)
+        { return(get_error_values(0,1,file,line,data,flags)); }
+
 
-static unsigned long get_error_values(int inc, const char **file, int *line,
+static unsigned long get_error_values(int inc, int top, const char **file, int *line,
              const char **data, int *flags)
         {       
         int i=0;
@@ -438,8 +708,21 @@ static unsigned long get_error_values(int inc, const char **file, int *line,
 
         es=ERR_get_state();
 
-        if (es->bottom == es->top) return(0);
-        i=(es->bottom+1)%ERR_NUM_ERRORS;
+        if (inc && top)
+                {
+                if (file) *file = "";
+                if (line) *line = 0;
+                if (data) *data = "";
+                if (flags) *flags = 0;
+                        
+                return ERR_R_INTERNAL_ERROR;
+                }
+
+        if (es->bottom == es->top) return 0;
+        if (top)
+                i=es->top;                       /* last error */
+        else
+                i=(es->bottom+1)%ERR_NUM_ERRORS; /* first error */
 
         ret=es->err_buffer[i];
         if (inc)
@@ -482,7 +765,7 @@ static unsigned long get_error_values(int inc, const char **file, int *line,
                         if (flags != NULL) *flags=es->err_data_flags[i];
                         }
                 }
-        return(ret);
+        return ret;
         }
 
 void ERR_error_string_n(unsigned long e, char *buf, size_t len)
@@ -544,58 +827,43 @@ char *ERR_error_string(unsigned long e, char *ret)
         if (ret == NULL) ret=buf;
         ERR_error_string_n(e, ret, 256);
 
-        return(ret);
+        return ret;
         }
 
 LHASH *ERR_get_string_table(void)
         {
-        return(error_hash);
+        err_fns_check();
+        return ERRFN(err_get)(0);
         }
 
-/* not thread-safe */
 LHASH *ERR_get_err_state_table(void)
         {
-        return(thread_hash);
+        err_fns_check();
+        return ERRFN(thread_get)(0);
         }
 
 const char *ERR_lib_error_string(unsigned long e)
         {
-        ERR_STRING_DATA d,*p=NULL;
+        ERR_STRING_DATA d,*p;
         unsigned long l;
 
+        err_fns_check();
         l=ERR_GET_LIB(e);
-
-        CRYPTO_w_lock(CRYPTO_LOCK_ERR_HASH);
-
-        if (error_hash != NULL)
-                {
-                d.error=ERR_PACK(l,0,0);
-                p=(ERR_STRING_DATA *)lh_retrieve(error_hash,&d);
-                }
-
-        CRYPTO_w_unlock(CRYPTO_LOCK_ERR_HASH);
-
+        d.error=ERR_PACK(l,0,0);
+        p=ERRFN(err_get_item)(&d);
         return((p == NULL)?NULL:p->string);
         }
 
 const char *ERR_func_error_string(unsigned long e)
         {
-        ERR_STRING_DATA d,*p=NULL;
+        ERR_STRING_DATA d,*p;
         unsigned long l,f;
 
+        err_fns_check();
         l=ERR_GET_LIB(e);
         f=ERR_GET_FUNC(e);
-
-        CRYPTO_w_lock(CRYPTO_LOCK_ERR_HASH);
-
-        if (error_hash != NULL)
-                {
-                d.error=ERR_PACK(l,f,0);
-                p=(ERR_STRING_DATA *)lh_retrieve(error_hash,&d);
-                }
-
-        CRYPTO_w_unlock(CRYPTO_LOCK_ERR_HASH);
-
+        d.error=ERR_PACK(l,f,0);
+        p=ERRFN(err_get_item)(&d);
         return((p == NULL)?NULL:p->string);
         }
 
@@ -604,93 +872,73 @@ const char *ERR_reason_error_string(unsigned long e)
         ERR_STRING_DATA d,*p=NULL;
         unsigned long l,r;
 
+        err_fns_check();
         l=ERR_GET_LIB(e);
         r=ERR_GET_REASON(e);
-
-        CRYPTO_w_lock(CRYPTO_LOCK_ERR_HASH);
-
-        if (error_hash != NULL)
+        d.error=ERR_PACK(l,0,r);
+        p=ERRFN(err_get_item)(&d);
+        if (!p)
                 {
-                d.error=ERR_PACK(l,0,r);
-                p=(ERR_STRING_DATA *)lh_retrieve(error_hash,&d);
-                if (p == NULL)
-                        {
-                        d.error=ERR_PACK(0,0,r);
-                        p=(ERR_STRING_DATA *)lh_retrieve(error_hash,&d);
-                        }
+                d.error=ERR_PACK(0,0,r);
+                p=ERRFN(err_get_item)(&d);
                 }
-
-        CRYPTO_w_unlock(CRYPTO_LOCK_ERR_HASH);
-
         return((p == NULL)?NULL:p->string);
         }
 
-static unsigned long err_hash(ERR_STRING_DATA *a)
+/* static unsigned long err_hash(ERR_STRING_DATA *a) */
+static unsigned long err_hash(const void *a_void)
         {
         unsigned long ret,l;
 
-        l=a->error;
+        l=((ERR_STRING_DATA *)a_void)->error;
         ret=l^ERR_GET_LIB(l)^ERR_GET_FUNC(l);
         return(ret^ret%19*13);
         }
 
-static int err_cmp(ERR_STRING_DATA *a, ERR_STRING_DATA *b)
+/* static int err_cmp(ERR_STRING_DATA *a, ERR_STRING_DATA *b) */
+static int err_cmp(const void *a_void, const void *b_void)
         {
-        return((int)(a->error-b->error));
+        return((int)(((ERR_STRING_DATA *)a_void)->error -
+                        ((ERR_STRING_DATA *)b_void)->error));
         }
 
-static unsigned long pid_hash(ERR_STATE *a)
+/* static unsigned long pid_hash(ERR_STATE *a) */
+static unsigned long pid_hash(const void *a_void)
         {
-        return(a->pid*13);
+        return(((ERR_STATE *)a_void)->pid*13);
         }
 
-static int pid_cmp(ERR_STATE *a, ERR_STATE *b)
+/* static int pid_cmp(ERR_STATE *a, ERR_STATE *b) */
+static int pid_cmp(const void *a_void, const void *b_void)
         {
-        return((int)((long)a->pid - (long)b->pid));
+        return((int)((long)((ERR_STATE *)a_void)->pid -
+                        (long)((ERR_STATE *)b_void)->pid));
         }
 
 void ERR_remove_state(unsigned long pid)
         {
-        ERR_STATE *p = NULL,tmp;
+        ERR_STATE tmp;
 
-        if (thread_hash == NULL)
-                return;
+        err_fns_check();
         if (pid == 0)
                 pid=(unsigned long)CRYPTO_thread_id();
         tmp.pid=pid;
-        CRYPTO_w_lock(CRYPTO_LOCK_ERR);
-        if (thread_hash)
-                {
-                p=(ERR_STATE *)lh_delete(thread_hash,&tmp);
-                if (lh_num_items(thread_hash) == 0)
-                        {
-                        /* make sure we don't leak memory */
-                        lh_free(thread_hash);
-                        thread_hash = NULL;
-                        }
-                }
-        CRYPTO_w_unlock(CRYPTO_LOCK_ERR);
-
-        if (p != NULL) ERR_STATE_free(p);
+        /* thread_del_item automatically destroys the LHASH if the number of
+         * items reaches zero. */
+        ERRFN(thread_del_item)(&tmp);
         }
 
 ERR_STATE *ERR_get_state(void)
         {
         static ERR_STATE fallback;
-        ERR_STATE *ret=NULL,tmp,*tmpp=NULL;
-        int thread_state_exists;
+        ERR_STATE *ret,tmp,*tmpp=NULL;
         int i;
         unsigned long pid;
 
+        err_fns_check();
         pid=(unsigned long)CRYPTO_thread_id();
-
-        CRYPTO_w_lock(CRYPTO_LOCK_ERR);
-        if (thread_hash != NULL)
-                {
-                tmp.pid=pid;
-                ret=(ERR_STATE *)lh_retrieve(thread_hash,&tmp);
-                }
-        CRYPTO_w_unlock(CRYPTO_LOCK_ERR);
+        tmp.pid=pid;
+        ret=ERRFN(thread_get_item)(&tmp);
 
         /* ret == the error state, if NULL, make a new one */
         if (ret == NULL)
@@ -705,42 +953,25 @@ ERR_STATE *ERR_get_state(void)
                         ret->err_data[i]=NULL;
                         ret->err_data_flags[i]=0;
                         }
-
-                CRYPTO_w_lock(CRYPTO_LOCK_ERR);
-
-                /* no entry yet in thread_hash for current thread -
-                 * thus, it may have changed since we last looked at it */
-                if (thread_hash == NULL)
-                        thread_hash = lh_new(pid_hash, pid_cmp);
-                if (thread_hash == NULL)
-                        thread_state_exists = 0; /* allocation error */
-                else
-                        {
-                        tmpp=(ERR_STATE *)lh_insert(thread_hash,ret);
-                        thread_state_exists = 1;
-                        }
-
-                CRYPTO_w_unlock(CRYPTO_LOCK_ERR);
-
-                if (!thread_state_exists)
+                tmpp = ERRFN(thread_set_item)(ret);
+                /* To check if insertion failed, do a get. */
+                if (ERRFN(thread_get_item)(ret) != ret)
                         {
                         ERR_STATE_free(ret); /* could not insert it */
                         return(&fallback);
                         }
-                
-                if (tmpp != NULL) /* old entry - should not happen */
-                        {
+                /* If a race occured in this function and we came second, tmpp
+                 * is the first one that we just replaced. */
+                if (tmpp)
                         ERR_STATE_free(tmpp);
-                        }
                 }
-        return(ret);
+        return ret;
         }
 
 int ERR_get_next_error_library(void)
         {
-        static int value=ERR_LIB_USER;
-
-        return(value++);
+        err_fns_check();
+        return ERRFN(get_next_lib)();
         }
 
 void ERR_set_error_data(char *data, int flags)
@@ -786,7 +1017,7 @@ void ERR_add_error_data(int num, ...)
                                 if (p == NULL)
                                         {
                                         OPENSSL_free(str);
-                                        return;
+                                        goto err;
                                         }
                                 else
                                         str=p;
@@ -796,6 +1027,6 @@ void ERR_add_error_data(int num, ...)
                 }
         ERR_set_error_data(str,ERR_TXT_MALLOCED|ERR_TXT_STRING);
 
+err:
         va_end(args);
         }
-
diff --git a/src/lib/libcrypto/err/err.h b/src/lib/libcrypto/err/err.h
index 7388a4a937..cc9bb649ea 100644
--- a/src/lib/libcrypto/err/err.h
+++ b/src/lib/libcrypto/err/err.h
@@ -59,15 +59,15 @@
 #ifndef HEADER_ERR_H
 #define HEADER_ERR_H
 
-#ifndef NO_FP_API
+#ifndef OPENSSL_NO_FP_API
 #include <stdio.h>
 #include <stdlib.h>
 #endif
 
-#ifndef NO_BIO
+#ifndef OPENSSL_NO_BIO
 #include <openssl/bio.h>
 #endif
-#ifndef NO_LHASH
+#ifndef OPENSSL_NO_LHASH
 #include <openssl/lhash.h>
 #endif
 
@@ -75,13 +75,7 @@
 extern "C" {
 #endif
 
-/* The following is a bit of a trick to help the object files only contain
- * the 'name of the file' string once.  Since 'err.h' is protected by the
- * HEADER_ERR_H stuff, this should be included only once per file. */
-
-#define ERR_file_name   __FILE__
-
-#ifndef NO_ERR
+#ifndef OPENSSL_NO_ERR
 #define ERR_PUT_error(a,b,c,d,e)        ERR_put_error(a,b,c,d,e)
 #else
 #define ERR_PUT_error(a,b,c,d,e)        ERR_put_error(a,b,c,NULL,0)
@@ -116,16 +110,17 @@ typedef struct err_state_st
 #define ERR_LIB_PEM             9
 #define ERR_LIB_DSA             10
 #define ERR_LIB_X509            11
-#define ERR_LIB_METH            12
+/* #define ERR_LIB_METH         12 */
 #define ERR_LIB_ASN1            13
 #define ERR_LIB_CONF            14
 #define ERR_LIB_CRYPTO          15
+#define ERR_LIB_EC              16
 #define ERR_LIB_SSL             20
-#define ERR_LIB_SSL23           21
-#define ERR_LIB_SSL2            22
-#define ERR_LIB_SSL3            23
-#define ERR_LIB_RSAREF          30
-#define ERR_LIB_PROXY           31
+/* #define ERR_LIB_SSL23        21 */
+/* #define ERR_LIB_SSL2         22 */
+/* #define ERR_LIB_SSL3         23 */
+/* #define ERR_LIB_RSAREF       30 */
+/* #define ERR_LIB_PROXY        31 */
 #define ERR_LIB_BIO             32
 #define ERR_LIB_PKCS7           33
 #define ERR_LIB_X509V3          34
@@ -133,36 +128,37 @@ typedef struct err_state_st
 #define ERR_LIB_RAND            36
 #define ERR_LIB_DSO             37
 #define ERR_LIB_ENGINE          38
+#define ERR_LIB_OCSP            39
+#define ERR_LIB_UI              40
+#define ERR_LIB_COMP            41
 
 #define ERR_LIB_USER            128
 
-#define SYSerr(f,r)  ERR_PUT_error(ERR_LIB_SYS,(f),(r),ERR_file_name,__LINE__)
-#define BNerr(f,r)   ERR_PUT_error(ERR_LIB_BN,(f),(r),ERR_file_name,__LINE__)
-#define RSAerr(f,r)  ERR_PUT_error(ERR_LIB_RSA,(f),(r),ERR_file_name,__LINE__)
-#define DHerr(f,r)   ERR_PUT_error(ERR_LIB_DH,(f),(r),ERR_file_name,__LINE__)
-#define EVPerr(f,r)  ERR_PUT_error(ERR_LIB_EVP,(f),(r),ERR_file_name,__LINE__)
-#define BUFerr(f,r)  ERR_PUT_error(ERR_LIB_BUF,(f),(r),ERR_file_name,__LINE__)
-#define BIOerr(f,r)  ERR_PUT_error(ERR_LIB_BIO,(f),(r),ERR_file_name,__LINE__)
-#define OBJerr(f,r)  ERR_PUT_error(ERR_LIB_OBJ,(f),(r),ERR_file_name,__LINE__)
-#define PEMerr(f,r)  ERR_PUT_error(ERR_LIB_PEM,(f),(r),ERR_file_name,__LINE__)
-#define DSAerr(f,r)  ERR_PUT_error(ERR_LIB_DSA,(f),(r),ERR_file_name,__LINE__)
-#define X509err(f,r) ERR_PUT_error(ERR_LIB_X509,(f),(r),ERR_file_name,__LINE__)
-#define METHerr(f,r) ERR_PUT_error(ERR_LIB_METH,(f),(r),ERR_file_name,__LINE__)
-#define ASN1err(f,r) ERR_PUT_error(ERR_LIB_ASN1,(f),(r),ERR_file_name,__LINE__)
-#define CONFerr(f,r) ERR_PUT_error(ERR_LIB_CONF,(f),(r),ERR_file_name,__LINE__)
-#define CRYPTOerr(f,r) ERR_PUT_error(ERR_LIB_CRYPTO,(f),(r),ERR_file_name,__LINE__)
-#define SSLerr(f,r)  ERR_PUT_error(ERR_LIB_SSL,(f),(r),ERR_file_name,__LINE__)
-#define SSL23err(f,r) ERR_PUT_error(ERR_LIB_SSL23,(f),(r),ERR_file_name,__LINE__)
-#define SSL2err(f,r) ERR_PUT_error(ERR_LIB_SSL2,(f),(r),ERR_file_name,__LINE__)
-#define SSL3err(f,r) ERR_PUT_error(ERR_LIB_SSL3,(f),(r),ERR_file_name,__LINE__)
-#define RSAREFerr(f,r) ERR_PUT_error(ERR_LIB_RSAREF,(f),(r),ERR_file_name,__LINE__)
-#define PROXYerr(f,r) ERR_PUT_error(ERR_LIB_PROXY,(f),(r),ERR_file_name,__LINE__)
-#define PKCS7err(f,r) ERR_PUT_error(ERR_LIB_PKCS7,(f),(r),ERR_file_name,__LINE__)
-#define X509V3err(f,r) ERR_PUT_error(ERR_LIB_X509V3,(f),(r),ERR_file_name,__LINE__)
-#define PKCS12err(f,r) ERR_PUT_error(ERR_LIB_PKCS12,(f),(r),ERR_file_name,__LINE__)
-#define RANDerr(f,r) ERR_PUT_error(ERR_LIB_RAND,(f),(r),ERR_file_name,__LINE__)
-#define DSOerr(f,r) ERR_PUT_error(ERR_LIB_DSO,(f),(r),ERR_file_name,__LINE__)
-#define ENGINEerr(f,r) ERR_PUT_error(ERR_LIB_ENGINE,(f),(r),ERR_file_name,__LINE__)
+#define SYSerr(f,r)  ERR_PUT_error(ERR_LIB_SYS,(f),(r),__FILE__,__LINE__)
+#define BNerr(f,r)   ERR_PUT_error(ERR_LIB_BN,(f),(r),__FILE__,__LINE__)
+#define RSAerr(f,r)  ERR_PUT_error(ERR_LIB_RSA,(f),(r),__FILE__,__LINE__)
+#define DHerr(f,r)   ERR_PUT_error(ERR_LIB_DH,(f),(r),__FILE__,__LINE__)
+#define EVPerr(f,r)  ERR_PUT_error(ERR_LIB_EVP,(f),(r),__FILE__,__LINE__)
+#define BUFerr(f,r)  ERR_PUT_error(ERR_LIB_BUF,(f),(r),__FILE__,__LINE__)
+#define OBJerr(f,r)  ERR_PUT_error(ERR_LIB_OBJ,(f),(r),__FILE__,__LINE__)
+#define PEMerr(f,r)  ERR_PUT_error(ERR_LIB_PEM,(f),(r),__FILE__,__LINE__)
+#define DSAerr(f,r)  ERR_PUT_error(ERR_LIB_DSA,(f),(r),__FILE__,__LINE__)
+#define X509err(f,r) ERR_PUT_error(ERR_LIB_X509,(f),(r),__FILE__,__LINE__)
+#define ASN1err(f,r) ERR_PUT_error(ERR_LIB_ASN1,(f),(r),__FILE__,__LINE__)
+#define CONFerr(f,r) ERR_PUT_error(ERR_LIB_CONF,(f),(r),__FILE__,__LINE__)
+#define CRYPTOerr(f,r) ERR_PUT_error(ERR_LIB_CRYPTO,(f),(r),__FILE__,__LINE__)
+#define ECerr(f,r)   ERR_PUT_error(ERR_LIB_EC,(f),(r),__FILE__,__LINE__)
+#define SSLerr(f,r)  ERR_PUT_error(ERR_LIB_SSL,(f),(r),__FILE__,__LINE__)
+#define BIOerr(f,r)  ERR_PUT_error(ERR_LIB_BIO,(f),(r),__FILE__,__LINE__)
+#define PKCS7err(f,r) ERR_PUT_error(ERR_LIB_PKCS7,(f),(r),__FILE__,__LINE__)
+#define X509V3err(f,r) ERR_PUT_error(ERR_LIB_X509V3,(f),(r),__FILE__,__LINE__)
+#define PKCS12err(f,r) ERR_PUT_error(ERR_LIB_PKCS12,(f),(r),__FILE__,__LINE__)
+#define RANDerr(f,r) ERR_PUT_error(ERR_LIB_RAND,(f),(r),__FILE__,__LINE__)
+#define DSOerr(f,r) ERR_PUT_error(ERR_LIB_DSO,(f),(r),__FILE__,__LINE__)
+#define ENGINEerr(f,r) ERR_PUT_error(ERR_LIB_ENGINE,(f),(r),__FILE__,__LINE__)
+#define OCSPerr(f,r) ERR_PUT_error(ERR_LIB_OCSP,(f),(r),__FILE__,__LINE__)
+#define UIerr(f,r) ERR_PUT_error(ERR_LIB_UI,(f),(r),__FILE__,__LINE__)
+#define COMPerr(f,r) ERR_PUT_error(ERR_LIB_COMP,(f),(r),__FILE__,__LINE__)
 
 /* Borland C seems too stupid to be able to shift and do longs in
  * the pre-processor :-( */
@@ -174,6 +170,7 @@ typedef struct err_state_st
 #define ERR_GET_REASON(l)       (int)((l)&0xfffL)
 #define ERR_FATAL_ERROR(l)      (int)((l)&ERR_R_FATAL)
 
+
 /* OS functions */
 #define SYS_F_FOPEN             1
 #define SYS_F_CONNECT           2
@@ -186,44 +183,51 @@ typedef struct err_state_st
 #define SYS_F_WSASTARTUP        9 /* Winsock stuff */
 #define SYS_F_OPENDIR           10
 
-#define ERR_R_FATAL             32      
+
 /* reasons */
-#define ERR_R_SYS_LIB   ERR_LIB_SYS
-#define ERR_R_BN_LIB    ERR_LIB_BN
-#define ERR_R_RSA_LIB   ERR_LIB_RSA
-#define ERR_R_DSA_LIB   ERR_LIB_DSA
-#define ERR_R_DH_LIB    ERR_LIB_DH
-#define ERR_R_EVP_LIB   ERR_LIB_EVP
-#define ERR_R_BUF_LIB   ERR_LIB_BUF
-#define ERR_R_BIO_LIB   ERR_LIB_BIO
-#define ERR_R_OBJ_LIB   ERR_LIB_OBJ
-#define ERR_R_PEM_LIB   ERR_LIB_PEM
-#define ERR_R_X509_LIB  ERR_LIB_X509
-#define ERR_R_METH_LIB  ERR_LIB_METH
-#define ERR_R_ASN1_LIB  ERR_LIB_ASN1
-#define ERR_R_CONF_LIB  ERR_LIB_CONF
-#define ERR_R_CRYPTO_LIB ERR_LIB_CRYPTO
-#define ERR_R_SSL_LIB   ERR_LIB_SSL
-#define ERR_R_SSL23_LIB ERR_LIB_SSL23
-#define ERR_R_SSL2_LIB  ERR_LIB_SSL2
-#define ERR_R_SSL3_LIB  ERR_LIB_SSL3
-#define ERR_R_PROXY_LIB ERR_LIB_PROXY
-#define ERR_R_BIO_LIB   ERR_LIB_BIO
-#define ERR_R_PKCS7_LIB ERR_LIB_PKCS7
-#define ERR_R_PKCS12_LIB ERR_LIB_PKCS12
-#define ERR_R_DSO_LIB   ERR_LIB_DSO
-#define ERR_R_ENGINE_LIB ERR_LIB_ENGINE
+#define ERR_R_SYS_LIB   ERR_LIB_SYS       /* 2 */
+#define ERR_R_BN_LIB    ERR_LIB_BN        /* 3 */
+#define ERR_R_RSA_LIB   ERR_LIB_RSA       /* 4 */
+#define ERR_R_DH_LIB    ERR_LIB_DH        /* 5 */
+#define ERR_R_EVP_LIB   ERR_LIB_EVP       /* 6 */
+#define ERR_R_BUF_LIB   ERR_LIB_BUF       /* 7 */
+#define ERR_R_OBJ_LIB   ERR_LIB_OBJ       /* 8 */
+#define ERR_R_PEM_LIB   ERR_LIB_PEM       /* 9 */
+#define ERR_R_DSA_LIB   ERR_LIB_DSA      /* 10 */
+#define ERR_R_X509_LIB  ERR_LIB_X509     /* 11 */
+#define ERR_R_ASN1_LIB  ERR_LIB_ASN1     /* 13 */
+#define ERR_R_CONF_LIB  ERR_LIB_CONF     /* 14 */
+#define ERR_R_CRYPTO_LIB ERR_LIB_CRYPTO  /* 15 */
+#define ERR_R_EC_LIB    ERR_LIB_EC       /* 16 */
+#define ERR_R_SSL_LIB   ERR_LIB_SSL      /* 20 */
+#define ERR_R_BIO_LIB   ERR_LIB_BIO      /* 32 */
+#define ERR_R_PKCS7_LIB ERR_LIB_PKCS7    /* 33 */
+#define ERR_R_X509V3_LIB ERR_LIB_X509V3  /* 34 */
+#define ERR_R_PKCS12_LIB ERR_LIB_PKCS12  /* 35 */
+#define ERR_R_RAND_LIB  ERR_LIB_RAND     /* 36 */
+#define ERR_R_DSO_LIB   ERR_LIB_DSO      /* 37 */
+#define ERR_R_ENGINE_LIB ERR_LIB_ENGINE  /* 38 */
+#define ERR_R_OCSP_LIB  ERR_LIB_OCSP     /* 39 */
+#define ERR_R_UI_LIB    ERR_LIB_UI       /* 40 */
+#define ERR_R_COMP_LIB  ERR_LIB_COMP     /* 41 */
+
+#define ERR_R_NESTED_ASN1_ERROR                 58
+#define ERR_R_BAD_ASN1_OBJECT_HEADER            59
+#define ERR_R_BAD_GET_ASN1_OBJECT_CALL          60
+#define ERR_R_EXPECTING_AN_ASN1_SEQUENCE        61
+#define ERR_R_ASN1_LENGTH_MISMATCH              62
+#define ERR_R_MISSING_ASN1_EOS                  63
 
 /* fatal error */
+#define ERR_R_FATAL                             64
 #define ERR_R_MALLOC_FAILURE                    (1|ERR_R_FATAL)
 #define ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED       (2|ERR_R_FATAL)
 #define ERR_R_PASSED_NULL_PARAMETER             (3|ERR_R_FATAL)
-#define ERR_R_NESTED_ASN1_ERROR                 (4)
-#define ERR_R_BAD_ASN1_OBJECT_HEADER            (5)
-#define ERR_R_BAD_GET_ASN1_OBJECT_CALL          (6)
-#define ERR_R_EXPECTING_AN_ASN1_SEQUENCE        (7)
-#define ERR_R_ASN1_LENGTH_MISMATCH              (8)
-#define ERR_R_MISSING_ASN1_EOS                  (9)
+#define ERR_R_INTERNAL_ERROR                    (4|ERR_R_FATAL)
+
+/* 99 is the maximum possible ERR_R_... code, higher values
+ * are reserved for the individual libraries */
+
 
 typedef struct ERR_string_data_st
         {
@@ -234,28 +238,35 @@ typedef struct ERR_string_data_st
 void ERR_put_error(int lib, int func,int reason,const char *file,int line);
 void ERR_set_error_data(char *data,int flags);
 
-unsigned long ERR_get_error(void );
+unsigned long ERR_get_error(void);
 unsigned long ERR_get_error_line(const char **file,int *line);
 unsigned long ERR_get_error_line_data(const char **file,int *line,
                                       const char **data, int *flags);
-unsigned long ERR_peek_error(void );
+unsigned long ERR_peek_error(void);
 unsigned long ERR_peek_error_line(const char **file,int *line);
 unsigned long ERR_peek_error_line_data(const char **file,int *line,
                                        const char **data,int *flags);
+unsigned long ERR_peek_last_error(void);
+unsigned long ERR_peek_last_error_line(const char **file,int *line);
+unsigned long ERR_peek_last_error_line_data(const char **file,int *line,
+                                       const char **data,int *flags);
 void ERR_clear_error(void );
 char *ERR_error_string(unsigned long e,char *buf);
 void ERR_error_string_n(unsigned long e, char *buf, size_t len);
 const char *ERR_lib_error_string(unsigned long e);
 const char *ERR_func_error_string(unsigned long e);
 const char *ERR_reason_error_string(unsigned long e);
-#ifndef NO_FP_API
+void ERR_print_errors_cb(int (*cb)(const char *str, size_t len, void *u),
+                         void *u);
+#ifndef OPENSSL_NO_FP_API
 void ERR_print_errors_fp(FILE *fp);
 #endif
-#ifndef NO_BIO
+#ifndef OPENSSL_NO_BIO
 void ERR_print_errors(BIO *bp);
 void ERR_add_error_data(int num, ...);
 #endif
 void ERR_load_strings(int lib,ERR_STRING_DATA str[]);
+void ERR_unload_strings(int lib,ERR_STRING_DATA str[]);
 void ERR_load_ERR_strings(void);
 void ERR_load_crypto_strings(void);
 void ERR_free_strings(void);
@@ -263,14 +274,22 @@ void ERR_free_strings(void);
 void ERR_remove_state(unsigned long pid); /* if zero we look it up */
 ERR_STATE *ERR_get_state(void);
 
-#ifndef NO_LHASH
+#ifndef OPENSSL_NO_LHASH
 LHASH *ERR_get_string_table(void);
-LHASH *ERR_get_err_state_table(void); /* even less thread-safe than
-                                       * ERR_get_string_table :-) */
+LHASH *ERR_get_err_state_table(void);
 #endif
 
 int ERR_get_next_error_library(void);
 
+/* This opaque type encapsulates the low-level error-state functions */
+typedef struct st_ERR_FNS ERR_FNS;
+/* An application can use this function and provide the return value to loaded
+ * modules that should use the application's ERR state/functionality */
+const ERR_FNS *ERR_get_implementation(void);
+/* A loaded module should call this function prior to any ERR operations using
+ * the application's "ERR_FNS". */
+int ERR_set_implementation(const ERR_FNS *fns);
+
 #ifdef  __cplusplus
 }
 #endif
diff --git a/src/lib/libcrypto/err/err_all.c b/src/lib/libcrypto/err/err_all.c
index b8315d8272..90029fd159 100644
--- a/src/lib/libcrypto/err/err_all.c
+++ b/src/lib/libcrypto/err/err_all.c
@@ -59,18 +59,18 @@
 #include <stdio.h>
 #include <openssl/asn1.h>
 #include <openssl/bn.h>
+#ifndef OPENSSL_NO_EC
+#include <openssl/ec.h>
+#endif
 #include <openssl/buffer.h>
 #include <openssl/bio.h>
-#ifndef NO_RSA
+#ifndef OPENSSL_NO_RSA
 #include <openssl/rsa.h>
 #endif
-#ifdef RSAref
-#include <openssl/rsaref.h>
-#endif
-#ifndef NO_DH
+#ifndef OPENSSL_NO_DH
 #include <openssl/dh.h>
 #endif
-#ifndef NO_DSA
+#ifndef OPENSSL_NO_DSA
 #include <openssl/dsa.h>
 #endif
 #include <openssl/evp.h>
@@ -83,6 +83,7 @@
 #include <openssl/rand.h>
 #include <openssl/dso.h>
 #include <openssl/engine.h>
+#include <openssl/ocsp.h>
 #include <openssl/err.h>
 
 void ERR_load_crypto_strings(void)
@@ -91,36 +92,38 @@ void ERR_load_crypto_strings(void)
 
         if (done) return;
         done=1;
-#ifndef NO_ERR
-        ERR_load_ASN1_strings();
+#ifndef OPENSSL_NO_ERR
+        ERR_load_ERR_strings(); /* include error strings for SYSerr */
         ERR_load_BN_strings();
-        ERR_load_BUF_strings();
-        ERR_load_BIO_strings();
-        ERR_load_CONF_strings();
-#ifndef NO_RSA
-#ifdef RSAref
-        ERR_load_RSAREF_strings();
-#else
+#ifndef OPENSSL_NO_RSA
         ERR_load_RSA_strings();
 #endif
-#endif
-#ifndef NO_DH
+#ifndef OPENSSL_NO_DH
         ERR_load_DH_strings();
 #endif
-#ifndef NO_DSA
-        ERR_load_DSA_strings();
-#endif
-        ERR_load_ERR_strings();
         ERR_load_EVP_strings();
+        ERR_load_BUF_strings();
         ERR_load_OBJ_strings();
         ERR_load_PEM_strings();
+#ifndef OPENSSL_NO_DSA
+        ERR_load_DSA_strings();
+#endif
         ERR_load_X509_strings();
-        ERR_load_X509V3_strings();
+        ERR_load_ASN1_strings();
+        ERR_load_CONF_strings();
         ERR_load_CRYPTO_strings();
-        ERR_load_PKCS7_strings();
+#ifndef OPENSSL_NO_EC
+        ERR_load_EC_strings();
+#endif
+        /* skip ERR_load_SSL_strings() because it is not in this library */
+        ERR_load_BIO_strings();
+        ERR_load_PKCS7_strings();       
+        ERR_load_X509V3_strings();
         ERR_load_PKCS12_strings();
         ERR_load_RAND_strings();
         ERR_load_DSO_strings();
         ERR_load_ENGINE_strings();
+        ERR_load_OCSP_strings();
+        ERR_load_UI_strings();
 #endif
         }
diff --git a/src/lib/libcrypto/err/err_prn.c b/src/lib/libcrypto/err/err_prn.c
index 6f60b016c3..c156663f0e 100644
--- a/src/lib/libcrypto/err/err_prn.c
+++ b/src/lib/libcrypto/err/err_prn.c
@@ -64,11 +64,12 @@
 #include <openssl/err.h>
 #include <openssl/crypto.h>
 
-#ifndef NO_FP_API
-void ERR_print_errors_fp(FILE *fp)
+void ERR_print_errors_cb(int (*cb)(const char *str, size_t len, void *u),
+                         void *u)
         {
         unsigned long l;
-        char buf[200];
+        char buf[256];
+        char buf2[4096];
         const char *file,*data;
         int line,flags;
         unsigned long es;
@@ -77,31 +78,30 @@ void ERR_print_errors_fp(FILE *fp)
         while ((l=ERR_get_error_line_data(&file,&line,&data,&flags)) != 0)
                 {
                 ERR_error_string_n(l, buf, sizeof buf);
-                fprintf(fp,"%lu:%s:%s:%d:%s\n",es,buf,
-                        file,line,(flags&ERR_TXT_STRING)?data:"");
+                BIO_snprintf(buf2, sizeof(buf2), "%lu:%s:%s:%d:%s\n", es, buf,
+                        file, line, (flags & ERR_TXT_STRING) ? data : "");
+                cb(buf2, strlen(buf2), u);
                 }
         }
+
+#ifndef OPENSSL_NO_FP_API
+static int print_fp(const char *str, size_t len, void *fp)
+        {
+        return fprintf((FILE *)fp, "%s", str);
+        }
+void ERR_print_errors_fp(FILE *fp)
+        {
+        ERR_print_errors_cb(print_fp, fp);
+        }
 #endif
 
+static int print_bio(const char *str, size_t len, void *bp)
+        {
+        return BIO_write((BIO *)bp, str, len);
+        }
 void ERR_print_errors(BIO *bp)
         {
-        unsigned long l;
-        char buf[256];
-        char buf2[256];
-        const char *file,*data;
-        int line,flags;
-        unsigned long es;
-
-        es=CRYPTO_thread_id();
-        while ((l=ERR_get_error_line_data(&file,&line,&data,&flags)) != 0)
-                {
-                ERR_error_string_n(l, buf, sizeof buf);
-                sprintf(buf2,"%lu:%s:%s:%d:",es,buf,
-                        file,line);
-                BIO_write(bp,buf2,strlen(buf2));
-                if (flags & ERR_TXT_STRING)
-                        BIO_write(bp,data,strlen(data));
-                BIO_write(bp,"\n",1);
-                }
+        ERR_print_errors_cb(print_bio, bp);
         }
 
+        
diff --git a/src/lib/libcrypto/err/openssl.ec b/src/lib/libcrypto/err/openssl.ec
index 861d680e07..29a69dfdd4 100644
--- a/src/lib/libcrypto/err/openssl.ec
+++ b/src/lib/libcrypto/err/openssl.ec
@@ -1,29 +1,36 @@
+# crypto/err/openssl.ec
+
+# configuration file for util/mkerr.pl
+
+# files that may have to be rewritten by util/mkerr.pl
 L ERR           NONE                            NONE
-L CRYPTO        crypto/crypto.h                 crypto/cpt_err.c
 L BN            crypto/bn/bn.h                  crypto/bn/bn_err.c
 L RSA           crypto/rsa/rsa.h                crypto/rsa/rsa_err.c
-L DSA           crypto/dsa/dsa.h                crypto/dsa/dsa_err.c
-L DSO           crypto/dso/dso.h                crypto/dso/dso_err.c
 L DH            crypto/dh/dh.h                  crypto/dh/dh_err.c
 L EVP           crypto/evp/evp.h                crypto/evp/evp_err.c
 L BUF           crypto/buffer/buffer.h          crypto/buffer/buf_err.c
-L BIO           crypto/bio/bio.h                crypto/bio/bio_err.c
 L OBJ           crypto/objects/objects.h        crypto/objects/obj_err.c
 L PEM           crypto/pem/pem.h                crypto/pem/pem_err.c
+L DSA           crypto/dsa/dsa.h                crypto/dsa/dsa_err.c
 L X509          crypto/x509/x509.h              crypto/x509/x509_err.c
-L NONE          crypto/x509/x509_vfy.h          NONE
-L X509V3        crypto/x509v3/x509v3.h          crypto/x509v3/v3err.c
-#L METH         crypto/meth/meth.h              crypto/meth/meth_err.c
 L ASN1          crypto/asn1/asn1.h              crypto/asn1/asn1_err.c
 L CONF          crypto/conf/conf.h              crypto/conf/conf_err.c
-#L PROXY                crypto/proxy/proxy.h            crypto/proxy/proxy_err.c
+L CRYPTO        crypto/crypto.h                 crypto/cpt_err.c
+L EC            crypto/ec/ec.h                  crypto/ec/ec_err.c
+L SSL           ssl/ssl.h                       ssl/ssl_err.c
+L BIO           crypto/bio/bio.h                crypto/bio/bio_err.c
 L PKCS7         crypto/pkcs7/pkcs7.h            crypto/pkcs7/pkcs7err.c
+L X509V3        crypto/x509v3/x509v3.h          crypto/x509v3/v3err.c
 L PKCS12        crypto/pkcs12/pkcs12.h          crypto/pkcs12/pk12err.c
-L RSAREF        rsaref/rsaref.h                 rsaref/rsar_err.c
-L SSL           ssl/ssl.h                       ssl/ssl_err.c
-L COMP          crypto/comp/comp.h              crypto/comp/comp_err.c
 L RAND          crypto/rand/rand.h              crypto/rand/rand_err.c
-L ENGINE        crypto/engine/engine.h          crypto/engine/engine_err.c
+L DSO           crypto/dso/dso.h                crypto/dso/dso_err.c
+L ENGINE        crypto/engine/engine.h          crypto/engine/eng_err.c
+L OCSP          crypto/ocsp/ocsp.h              crypto/ocsp/ocsp_err.c
+L UI            crypto/ui/ui.h                  crypto/ui/ui_err.c
+
+# additional header files to be scanned for function names
+L NONE          crypto/x509/x509_vfy.h          NONE
+L NONE          crypto/ec/ec_lcl.h              NONE
 
 
 F RSAREF_F_RSA_BN2BIN
diff --git a/src/lib/libcrypto/evp/Makefile.ssl b/src/lib/libcrypto/evp/Makefile.ssl
index 624168031d..4abe93dafe 100644
--- a/src/lib/libcrypto/evp/Makefile.ssl
+++ b/src/lib/libcrypto/evp/Makefile.ssl
@@ -5,26 +5,28 @@
 DIR=    evp
 TOP=    ../..
 CC=     cc
-INCLUDES= -I.. -I../../include
+INCLUDES= -I.. -I$(TOP) -I../../include
 CFLAG=-g
 INSTALL_PREFIX=
 OPENSSLDIR=     /usr/local/ssl
 INSTALLTOP=/usr/local/ssl
 MAKE=           make -f Makefile.ssl
-MAKEDEPEND=     $(TOP)/util/domd $(TOP)
+MAKEDEPPROG=    makedepend
+MAKEDEPEND=     $(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)
 MAKEFILE=       Makefile.ssl
 AR=             ar r
 
 CFLAGS= $(INCLUDES) $(CFLAG)
 
 GENERAL=Makefile
-TEST=
+TEST=evp_test.c
+TESTDATA=evptests.txt
 APPS=
 
 LIB=$(TOP)/libcrypto.a
-LIBSRC= encode.c digest.c evp_enc.c evp_key.c \
+LIBSRC= encode.c digest.c evp_enc.c evp_key.c evp_acnf.c \
         e_des.c e_bf.c e_idea.c e_des3.c \
-        e_rc4.c names.c \
+        e_rc4.c e_aes.c names.c \
         e_xcbc_d.c e_rc2.c e_cast.c e_rc5.c \
         m_null.c m_md2.c m_md4.c m_md5.c m_sha.c m_sha1.c \
         m_dss.c m_dss1.c m_mdc2.c m_ripemd.c \
@@ -33,9 +35,9 @@ LIBSRC= encode.c digest.c evp_enc.c evp_key.c \
         c_all.c c_allc.c c_alld.c evp_lib.c bio_ok.c \
         evp_pkey.c evp_pbe.c p5_crpt.c p5_crpt2.c
 
-LIBOBJ= encode.o digest.o evp_enc.o evp_key.o \
+LIBOBJ= encode.o digest.o evp_enc.o evp_key.o evp_acnf.o \
         e_des.o e_bf.o e_idea.o e_des3.o \
-        e_rc4.o names.o \
+        e_rc4.o e_aes.o names.o \
         e_xcbc_d.o e_rc2.o e_cast.o e_rc5.o \
         m_null.o m_md2.o m_md4.o m_md5.o m_sha.o m_sha1.o \
         m_dss.o m_dss1.o m_mdc2.o m_ripemd.o \
@@ -58,8 +60,7 @@ all:	lib
 
 lib:    $(LIBOBJ)
         $(AR) $(LIB) $(LIBOBJ)
-        @echo You may get an error following this line.  Please ignore.
-        - $(RANLIB) $(LIB)
+        $(RANLIB) $(LIB) || echo Never mind.
         @touch lib
 
 files:
@@ -69,6 +70,7 @@ links:
         @$(SHELL) $(TOP)/util/point.sh Makefile.ssl Makefile
         @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
         @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
+        @$(PERL) $(TOP)/util/mklink.pl ../../test $(TESTDATA)
         @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
 
 install:
@@ -98,820 +100,563 @@ clean:
 
 # DO NOT DELETE THIS LINE -- make depend depends on it.
 
-bio_b64.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-bio_b64.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-bio_b64.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-bio_b64.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-bio_b64.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-bio_b64.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-bio_b64.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-bio_b64.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-bio_b64.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-bio_b64.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+bio_b64.o: ../../e_os.h ../../include/openssl/asn1.h
+bio_b64.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+bio_b64.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+bio_b64.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+bio_b64.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 bio_b64.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 bio_b64.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-bio_b64.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-bio_b64.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-bio_b64.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-bio_b64.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-bio_b64.o: ../../include/openssl/symhacks.h ../cryptlib.h
-bio_enc.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-bio_enc.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-bio_enc.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-bio_enc.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-bio_enc.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-bio_enc.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-bio_enc.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-bio_enc.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-bio_enc.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-bio_enc.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+bio_b64.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
+bio_b64.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+bio_b64.o: ../cryptlib.h bio_b64.c
+bio_enc.o: ../../e_os.h ../../include/openssl/asn1.h
+bio_enc.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+bio_enc.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+bio_enc.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+bio_enc.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 bio_enc.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 bio_enc.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-bio_enc.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-bio_enc.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-bio_enc.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-bio_enc.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-bio_enc.o: ../../include/openssl/symhacks.h ../cryptlib.h
-bio_md.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-bio_md.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-bio_md.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-bio_md.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-bio_md.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-bio_md.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+bio_enc.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
+bio_enc.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+bio_enc.o: ../cryptlib.h bio_enc.c
+bio_md.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
+bio_md.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+bio_md.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
 bio_md.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-bio_md.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-bio_md.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-bio_md.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-bio_md.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-bio_md.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-bio_md.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-bio_md.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-bio_md.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-bio_md.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-bio_md.o: ../../include/openssl/symhacks.h ../cryptlib.h
-bio_ok.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-bio_ok.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-bio_ok.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-bio_ok.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-bio_ok.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-bio_ok.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+bio_md.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+bio_md.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+bio_md.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+bio_md.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+bio_md.o: ../../include/openssl/symhacks.h ../cryptlib.h bio_md.c
+bio_ok.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
+bio_ok.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+bio_ok.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
 bio_ok.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-bio_ok.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-bio_ok.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-bio_ok.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-bio_ok.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-bio_ok.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-bio_ok.o: ../../include/openssl/rand.h ../../include/openssl/rc2.h
-bio_ok.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-bio_ok.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-bio_ok.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+bio_ok.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+bio_ok.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+bio_ok.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+bio_ok.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h
 bio_ok.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-bio_ok.o: ../cryptlib.h
-c_all.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-c_all.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-c_all.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-c_all.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-c_all.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-c_all.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+bio_ok.o: ../cryptlib.h bio_ok.c
+c_all.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
+c_all.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+c_all.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
 c_all.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-c_all.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-c_all.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-c_all.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-c_all.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-c_all.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-c_all.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-c_all.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-c_all.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-c_all.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-c_all.o: ../../include/openssl/symhacks.h ../cryptlib.h
-c_allc.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-c_allc.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-c_allc.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-c_allc.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-c_allc.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-c_allc.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+c_all.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+c_all.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+c_all.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+c_all.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+c_all.o: ../../include/openssl/symhacks.h ../cryptlib.h c_all.c
+c_allc.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
+c_allc.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+c_allc.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
+c_allc.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
 c_allc.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-c_allc.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-c_allc.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-c_allc.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-c_allc.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-c_allc.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+c_allc.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+c_allc.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+c_allc.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 c_allc.o: ../../include/openssl/pkcs12.h ../../include/openssl/pkcs7.h
-c_allc.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-c_allc.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
 c_allc.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
 c_allc.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
 c_allc.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-c_allc.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
-c_alld.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-c_alld.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-c_alld.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-c_alld.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-c_alld.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-c_alld.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+c_allc.o: ../../include/openssl/x509_vfy.h ../cryptlib.h c_allc.c
+c_alld.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
+c_alld.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+c_alld.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
+c_alld.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
 c_alld.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-c_alld.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-c_alld.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-c_alld.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-c_alld.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-c_alld.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+c_alld.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+c_alld.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+c_alld.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 c_alld.o: ../../include/openssl/pkcs12.h ../../include/openssl/pkcs7.h
-c_alld.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-c_alld.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
 c_alld.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
 c_alld.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
 c_alld.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-c_alld.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
-digest.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-digest.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-digest.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-digest.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-digest.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-digest.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-digest.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-digest.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-digest.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-digest.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+c_alld.o: ../../include/openssl/x509_vfy.h ../cryptlib.h c_alld.c
+digest.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
+digest.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+digest.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
+digest.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+digest.o: ../../include/openssl/engine.h ../../include/openssl/err.h
+digest.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 digest.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 digest.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-digest.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-digest.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+digest.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
 digest.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-digest.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-digest.o: ../../include/openssl/symhacks.h ../cryptlib.h
-e_bf.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+digest.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+digest.o: ../../include/openssl/ui.h ../cryptlib.h digest.c
+e_aes.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
+e_aes.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+e_aes.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+e_aes.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+e_aes.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+e_aes.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+e_aes.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+e_aes.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+e_aes.o: ../../include/openssl/symhacks.h e_aes.c evp_locl.h
+e_bf.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
 e_bf.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-e_bf.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-e_bf.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-e_bf.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-e_bf.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-e_bf.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-e_bf.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-e_bf.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-e_bf.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+e_bf.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+e_bf.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+e_bf.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 e_bf.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 e_bf.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-e_bf.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-e_bf.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-e_bf.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-e_bf.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-e_bf.o: ../../include/openssl/symhacks.h ../cryptlib.h evp_locl.h
-e_cast.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-e_cast.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-e_cast.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-e_cast.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-e_cast.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-e_cast.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-e_cast.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-e_cast.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-e_cast.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-e_cast.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+e_bf.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
+e_bf.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+e_bf.o: ../cryptlib.h e_bf.c evp_locl.h
+e_cast.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
+e_cast.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+e_cast.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
+e_cast.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+e_cast.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 e_cast.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 e_cast.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-e_cast.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-e_cast.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-e_cast.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-e_cast.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-e_cast.o: ../../include/openssl/symhacks.h ../cryptlib.h evp_locl.h
-e_des.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-e_des.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-e_des.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+e_cast.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
+e_cast.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+e_cast.o: ../cryptlib.h e_cast.c evp_locl.h
+e_des.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
+e_des.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
 e_des.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-e_des.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-e_des.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+e_des.o: ../../include/openssl/des_old.h ../../include/openssl/e_os2.h
 e_des.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-e_des.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-e_des.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-e_des.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-e_des.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-e_des.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-e_des.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-e_des.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-e_des.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-e_des.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-e_des.o: ../../include/openssl/symhacks.h ../cryptlib.h evp_locl.h
-e_des3.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-e_des3.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-e_des3.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+e_des.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+e_des.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+e_des.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+e_des.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+e_des.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
+e_des.o: ../../include/openssl/ui_compat.h ../cryptlib.h e_des.c evp_locl.h
+e_des3.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
+e_des3.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
 e_des3.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-e_des3.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-e_des3.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+e_des3.o: ../../include/openssl/des_old.h ../../include/openssl/e_os2.h
 e_des3.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-e_des3.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-e_des3.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-e_des3.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-e_des3.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-e_des3.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-e_des3.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-e_des3.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-e_des3.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-e_des3.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-e_des3.o: ../../include/openssl/symhacks.h ../cryptlib.h evp_locl.h
-e_idea.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-e_idea.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-e_idea.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-e_idea.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-e_idea.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-e_idea.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+e_des3.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+e_des3.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+e_des3.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+e_des3.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+e_des3.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
+e_des3.o: ../../include/openssl/ui_compat.h ../cryptlib.h e_des3.c evp_locl.h
+e_idea.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
+e_idea.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+e_idea.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
 e_idea.o: ../../include/openssl/err.h ../../include/openssl/evp.h
 e_idea.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-e_idea.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-e_idea.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
 e_idea.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 e_idea.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-e_idea.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-e_idea.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-e_idea.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-e_idea.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-e_idea.o: ../../include/openssl/symhacks.h ../cryptlib.h evp_locl.h
-e_null.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-e_null.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-e_null.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-e_null.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-e_null.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-e_null.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+e_idea.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
+e_idea.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+e_idea.o: ../cryptlib.h e_idea.c evp_locl.h
+e_null.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
+e_null.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+e_null.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
 e_null.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-e_null.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-e_null.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-e_null.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-e_null.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-e_null.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-e_null.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-e_null.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-e_null.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-e_null.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-e_null.o: ../../include/openssl/symhacks.h ../cryptlib.h
-e_rc2.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-e_rc2.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-e_rc2.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-e_rc2.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-e_rc2.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-e_rc2.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+e_null.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+e_null.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+e_null.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+e_null.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+e_null.o: ../../include/openssl/symhacks.h ../cryptlib.h e_null.c
+e_rc2.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
+e_rc2.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+e_rc2.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
 e_rc2.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-e_rc2.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-e_rc2.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-e_rc2.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-e_rc2.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-e_rc2.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-e_rc2.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-e_rc2.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-e_rc2.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-e_rc2.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-e_rc2.o: ../../include/openssl/symhacks.h ../cryptlib.h evp_locl.h
-e_rc4.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-e_rc4.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-e_rc4.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-e_rc4.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-e_rc4.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-e_rc4.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+e_rc2.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+e_rc2.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+e_rc2.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+e_rc2.o: ../../include/openssl/rc2.h ../../include/openssl/safestack.h
+e_rc2.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+e_rc2.o: ../cryptlib.h e_rc2.c evp_locl.h
+e_rc4.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
+e_rc4.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+e_rc4.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
 e_rc4.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-e_rc4.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-e_rc4.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-e_rc4.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-e_rc4.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-e_rc4.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-e_rc4.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-e_rc4.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-e_rc4.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-e_rc4.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-e_rc4.o: ../../include/openssl/symhacks.h ../cryptlib.h
-e_rc5.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-e_rc5.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-e_rc5.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-e_rc5.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-e_rc5.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-e_rc5.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+e_rc4.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+e_rc4.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+e_rc4.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+e_rc4.o: ../../include/openssl/rc4.h ../../include/openssl/safestack.h
+e_rc4.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+e_rc4.o: ../cryptlib.h e_rc4.c
+e_rc5.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
+e_rc5.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+e_rc5.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
 e_rc5.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-e_rc5.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-e_rc5.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-e_rc5.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-e_rc5.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-e_rc5.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-e_rc5.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-e_rc5.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-e_rc5.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-e_rc5.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-e_rc5.o: ../../include/openssl/symhacks.h ../cryptlib.h evp_locl.h
-e_xcbc_d.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-e_xcbc_d.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-e_xcbc_d.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-e_xcbc_d.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-e_xcbc_d.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-e_xcbc_d.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-e_xcbc_d.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-e_xcbc_d.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-e_xcbc_d.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-e_xcbc_d.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+e_rc5.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+e_rc5.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+e_rc5.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+e_rc5.o: ../../include/openssl/rc5.h ../../include/openssl/safestack.h
+e_rc5.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+e_rc5.o: ../cryptlib.h e_rc5.c evp_locl.h
+e_xcbc_d.o: ../../e_os.h ../../include/openssl/asn1.h
+e_xcbc_d.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+e_xcbc_d.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+e_xcbc_d.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
+e_xcbc_d.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+e_xcbc_d.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 e_xcbc_d.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 e_xcbc_d.o: ../../include/openssl/opensslconf.h
-e_xcbc_d.o: ../../include/openssl/opensslv.h ../../include/openssl/rc2.h
-e_xcbc_d.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-e_xcbc_d.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-e_xcbc_d.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-e_xcbc_d.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-e_xcbc_d.o: ../cryptlib.h
-encode.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-encode.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-encode.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-encode.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-encode.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-encode.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+e_xcbc_d.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+e_xcbc_d.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+e_xcbc_d.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
+e_xcbc_d.o: ../../include/openssl/ui_compat.h ../cryptlib.h e_xcbc_d.c
+encode.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
+encode.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+encode.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
 encode.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-encode.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-encode.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-encode.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-encode.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-encode.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-encode.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-encode.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-encode.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-encode.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-encode.o: ../../include/openssl/symhacks.h ../cryptlib.h
-evp_enc.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-evp_enc.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-evp_enc.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-evp_enc.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+encode.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+encode.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+encode.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+encode.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+encode.o: ../../include/openssl/symhacks.h ../cryptlib.h encode.c
+evp_acnf.o: ../../e_os.h ../../include/openssl/asn1.h
+evp_acnf.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+evp_acnf.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
+evp_acnf.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
+evp_acnf.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+evp_acnf.o: ../../include/openssl/engine.h ../../include/openssl/err.h
+evp_acnf.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+evp_acnf.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+evp_acnf.o: ../../include/openssl/opensslconf.h
+evp_acnf.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+evp_acnf.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h
+evp_acnf.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+evp_acnf.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
+evp_acnf.o: ../cryptlib.h evp_acnf.c
+evp_enc.o: ../../e_os.h ../../include/openssl/asn1.h
+evp_enc.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+evp_enc.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 evp_enc.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-evp_enc.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+evp_enc.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
 evp_enc.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-evp_enc.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-evp_enc.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-evp_enc.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-evp_enc.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-evp_enc.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-evp_enc.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-evp_enc.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-evp_enc.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-evp_enc.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-evp_enc.o: ../../include/openssl/symhacks.h ../cryptlib.h evp_locl.h
+evp_enc.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+evp_enc.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+evp_enc.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+evp_enc.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h
+evp_enc.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+evp_enc.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
+evp_enc.o: ../cryptlib.h evp_enc.c evp_locl.h
 evp_err.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-evp_err.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-evp_err.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
-evp_err.o: ../../include/openssl/des.h ../../include/openssl/dh.h
-evp_err.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-evp_err.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-evp_err.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-evp_err.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-evp_err.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+evp_err.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h
+evp_err.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+evp_err.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 evp_err.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 evp_err.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-evp_err.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-evp_err.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-evp_err.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-evp_err.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-evp_err.o: ../../include/openssl/symhacks.h
-evp_key.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-evp_key.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-evp_key.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-evp_key.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+evp_err.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
+evp_err.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+evp_err.o: evp_err.c
+evp_key.o: ../../e_os.h ../../include/openssl/asn1.h
+evp_key.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+evp_key.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 evp_key.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-evp_key.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-evp_key.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-evp_key.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-evp_key.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-evp_key.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+evp_key.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+evp_key.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 evp_key.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 evp_key.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-evp_key.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-evp_key.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-evp_key.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-evp_key.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-evp_key.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+evp_key.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+evp_key.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+evp_key.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+evp_key.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
 evp_key.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-evp_key.o: ../cryptlib.h
-evp_lib.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-evp_lib.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-evp_lib.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-evp_lib.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-evp_lib.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-evp_lib.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-evp_lib.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-evp_lib.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-evp_lib.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-evp_lib.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+evp_key.o: ../cryptlib.h evp_key.c
+evp_lib.o: ../../e_os.h ../../include/openssl/asn1.h
+evp_lib.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+evp_lib.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+evp_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+evp_lib.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 evp_lib.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 evp_lib.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-evp_lib.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-evp_lib.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-evp_lib.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-evp_lib.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-evp_lib.o: ../../include/openssl/symhacks.h ../cryptlib.h
-evp_pbe.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-evp_pbe.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-evp_pbe.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-evp_pbe.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+evp_lib.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
+evp_lib.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+evp_lib.o: ../cryptlib.h evp_lib.c
+evp_pbe.o: ../../e_os.h ../../include/openssl/asn1.h
+evp_pbe.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+evp_pbe.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 evp_pbe.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-evp_pbe.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-evp_pbe.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-evp_pbe.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-evp_pbe.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-evp_pbe.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+evp_pbe.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+evp_pbe.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 evp_pbe.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 evp_pbe.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-evp_pbe.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-evp_pbe.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-evp_pbe.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-evp_pbe.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-evp_pbe.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-evp_pbe.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-evp_pbe.o: ../cryptlib.h
-evp_pkey.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-evp_pkey.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-evp_pkey.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-evp_pkey.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+evp_pbe.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+evp_pbe.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+evp_pbe.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+evp_pbe.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+evp_pbe.o: ../../include/openssl/x509_vfy.h ../cryptlib.h evp_pbe.c
+evp_pkey.o: ../../e_os.h ../../include/openssl/asn1.h
+evp_pkey.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+evp_pkey.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 evp_pkey.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-evp_pkey.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-evp_pkey.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-evp_pkey.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-evp_pkey.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-evp_pkey.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+evp_pkey.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+evp_pkey.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 evp_pkey.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 evp_pkey.o: ../../include/openssl/opensslconf.h
-evp_pkey.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
-evp_pkey.o: ../../include/openssl/rand.h ../../include/openssl/rc2.h
-evp_pkey.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-evp_pkey.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-evp_pkey.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-evp_pkey.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-evp_pkey.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-evp_pkey.o: ../cryptlib.h
-m_dss.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-m_dss.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-m_dss.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-m_dss.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-m_dss.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-m_dss.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+evp_pkey.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+evp_pkey.o: ../../include/openssl/pkcs7.h ../../include/openssl/rand.h
+evp_pkey.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+evp_pkey.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+evp_pkey.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+evp_pkey.o: ../../include/openssl/x509_vfy.h ../cryptlib.h evp_pkey.c
+m_dss.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
+m_dss.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+m_dss.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
+m_dss.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
 m_dss.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-m_dss.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-m_dss.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-m_dss.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-m_dss.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-m_dss.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-m_dss.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-m_dss.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-m_dss.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+m_dss.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+m_dss.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+m_dss.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+m_dss.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
 m_dss.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
 m_dss.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 m_dss.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-m_dss.o: ../cryptlib.h
-m_dss1.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-m_dss1.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-m_dss1.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-m_dss1.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-m_dss1.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-m_dss1.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+m_dss.o: ../cryptlib.h m_dss.c
+m_dss1.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
+m_dss1.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+m_dss1.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
+m_dss1.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
 m_dss1.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-m_dss1.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-m_dss1.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-m_dss1.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-m_dss1.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-m_dss1.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-m_dss1.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-m_dss1.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-m_dss1.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+m_dss1.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+m_dss1.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+m_dss1.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+m_dss1.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
 m_dss1.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
 m_dss1.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 m_dss1.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-m_dss1.o: ../cryptlib.h
-m_md2.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-m_md2.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-m_md2.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-m_md2.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-m_md2.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-m_md2.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+m_dss1.o: ../cryptlib.h m_dss1.c
+m_md2.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
+m_md2.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+m_md2.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
+m_md2.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
 m_md2.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-m_md2.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-m_md2.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-m_md2.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+m_md2.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
 m_md2.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 m_md2.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-m_md2.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-m_md2.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-m_md2.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-m_md2.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-m_md2.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-m_md2.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-m_md2.o: ../cryptlib.h
-m_md4.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-m_md4.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-m_md4.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-m_md4.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-m_md4.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-m_md4.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+m_md2.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+m_md2.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+m_md2.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+m_md2.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+m_md2.o: ../../include/openssl/x509_vfy.h ../cryptlib.h m_md2.c
+m_md4.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
+m_md4.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+m_md4.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
+m_md4.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
 m_md4.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-m_md4.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-m_md4.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-m_md4.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+m_md4.o: ../../include/openssl/lhash.h ../../include/openssl/md4.h
 m_md4.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 m_md4.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-m_md4.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-m_md4.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-m_md4.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-m_md4.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-m_md4.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-m_md4.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-m_md4.o: ../cryptlib.h
-m_md5.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-m_md5.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-m_md5.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-m_md5.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-m_md5.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-m_md5.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+m_md4.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+m_md4.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+m_md4.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+m_md4.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+m_md4.o: ../../include/openssl/x509_vfy.h ../cryptlib.h m_md4.c
+m_md5.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
+m_md5.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+m_md5.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
+m_md5.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
 m_md5.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-m_md5.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-m_md5.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-m_md5.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+m_md5.o: ../../include/openssl/lhash.h ../../include/openssl/md5.h
 m_md5.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 m_md5.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-m_md5.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-m_md5.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-m_md5.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-m_md5.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-m_md5.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-m_md5.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-m_md5.o: ../cryptlib.h
-m_mdc2.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-m_mdc2.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-m_mdc2.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+m_md5.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+m_md5.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+m_md5.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+m_md5.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+m_md5.o: ../../include/openssl/x509_vfy.h ../cryptlib.h m_md5.c
+m_mdc2.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
+m_mdc2.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
 m_mdc2.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-m_mdc2.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-m_mdc2.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+m_mdc2.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
+m_mdc2.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
 m_mdc2.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-m_mdc2.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-m_mdc2.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-m_mdc2.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+m_mdc2.o: ../../include/openssl/lhash.h ../../include/openssl/mdc2.h
 m_mdc2.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 m_mdc2.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-m_mdc2.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-m_mdc2.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-m_mdc2.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-m_mdc2.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-m_mdc2.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-m_mdc2.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-m_mdc2.o: ../cryptlib.h
-m_null.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-m_null.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-m_null.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-m_null.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-m_null.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-m_null.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+m_mdc2.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+m_mdc2.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+m_mdc2.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+m_mdc2.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
+m_mdc2.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h
+m_mdc2.o: ../../include/openssl/x509_vfy.h ../cryptlib.h m_mdc2.c
+m_null.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
+m_null.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+m_null.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
+m_null.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
 m_null.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-m_null.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-m_null.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-m_null.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-m_null.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-m_null.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-m_null.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-m_null.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-m_null.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+m_null.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+m_null.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+m_null.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+m_null.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
 m_null.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
 m_null.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 m_null.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-m_null.o: ../cryptlib.h
-m_ripemd.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-m_ripemd.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-m_ripemd.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-m_ripemd.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+m_null.o: ../cryptlib.h m_null.c
+m_ripemd.o: ../../e_os.h ../../include/openssl/asn1.h
+m_ripemd.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+m_ripemd.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 m_ripemd.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-m_ripemd.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-m_ripemd.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-m_ripemd.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-m_ripemd.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-m_ripemd.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+m_ripemd.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+m_ripemd.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 m_ripemd.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 m_ripemd.o: ../../include/openssl/opensslconf.h
-m_ripemd.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
-m_ripemd.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-m_ripemd.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+m_ripemd.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+m_ripemd.o: ../../include/openssl/pkcs7.h ../../include/openssl/ripemd.h
 m_ripemd.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
 m_ripemd.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
 m_ripemd.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-m_ripemd.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
-m_sha.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-m_sha.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-m_sha.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-m_sha.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-m_sha.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-m_sha.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+m_ripemd.o: ../../include/openssl/x509_vfy.h ../cryptlib.h m_ripemd.c
+m_sha.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
+m_sha.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+m_sha.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
+m_sha.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
 m_sha.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-m_sha.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-m_sha.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-m_sha.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-m_sha.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-m_sha.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-m_sha.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-m_sha.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-m_sha.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+m_sha.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+m_sha.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+m_sha.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+m_sha.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
 m_sha.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
 m_sha.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 m_sha.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-m_sha.o: ../cryptlib.h
-m_sha1.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-m_sha1.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-m_sha1.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-m_sha1.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-m_sha1.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-m_sha1.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+m_sha.o: ../cryptlib.h m_sha.c
+m_sha1.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
+m_sha1.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+m_sha1.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
+m_sha1.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
 m_sha1.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-m_sha1.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-m_sha1.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-m_sha1.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-m_sha1.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-m_sha1.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-m_sha1.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-m_sha1.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-m_sha1.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+m_sha1.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+m_sha1.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+m_sha1.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+m_sha1.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
 m_sha1.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
 m_sha1.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 m_sha1.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-m_sha1.o: ../cryptlib.h
-names.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-names.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-names.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-names.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-names.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-names.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+m_sha1.o: ../cryptlib.h m_sha1.c
+names.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
+names.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+names.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
+names.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
 names.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-names.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-names.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-names.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-names.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-names.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-names.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-names.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-names.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+names.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+names.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+names.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+names.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
 names.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
 names.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 names.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-names.o: ../cryptlib.h
-p5_crpt.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-p5_crpt.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-p5_crpt.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-p5_crpt.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+names.o: ../cryptlib.h names.c
+p5_crpt.o: ../../e_os.h ../../include/openssl/asn1.h
+p5_crpt.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+p5_crpt.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 p5_crpt.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-p5_crpt.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-p5_crpt.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-p5_crpt.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-p5_crpt.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-p5_crpt.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+p5_crpt.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+p5_crpt.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 p5_crpt.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 p5_crpt.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-p5_crpt.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-p5_crpt.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-p5_crpt.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-p5_crpt.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-p5_crpt.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-p5_crpt.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-p5_crpt.o: ../cryptlib.h
-p5_crpt2.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-p5_crpt2.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-p5_crpt2.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-p5_crpt2.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+p5_crpt.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+p5_crpt.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+p5_crpt.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+p5_crpt.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+p5_crpt.o: ../../include/openssl/x509_vfy.h ../cryptlib.h p5_crpt.c
+p5_crpt2.o: ../../e_os.h ../../include/openssl/asn1.h
+p5_crpt2.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+p5_crpt2.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 p5_crpt2.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-p5_crpt2.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-p5_crpt2.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-p5_crpt2.o: ../../include/openssl/hmac.h ../../include/openssl/idea.h
-p5_crpt2.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-p5_crpt2.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-p5_crpt2.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+p5_crpt2.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+p5_crpt2.o: ../../include/openssl/evp.h ../../include/openssl/hmac.h
+p5_crpt2.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
 p5_crpt2.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-p5_crpt2.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
-p5_crpt2.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-p5_crpt2.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-p5_crpt2.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-p5_crpt2.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-p5_crpt2.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-p5_crpt2.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
-p_dec.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-p_dec.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-p_dec.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-p_dec.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-p_dec.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-p_dec.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+p5_crpt2.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+p5_crpt2.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
+p5_crpt2.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+p5_crpt2.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+p5_crpt2.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+p5_crpt2.o: ../cryptlib.h p5_crpt2.c
+p_dec.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
+p_dec.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+p_dec.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
+p_dec.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
 p_dec.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-p_dec.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-p_dec.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-p_dec.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-p_dec.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-p_dec.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+p_dec.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+p_dec.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+p_dec.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 p_dec.o: ../../include/openssl/pkcs7.h ../../include/openssl/rand.h
-p_dec.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-p_dec.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
 p_dec.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
 p_dec.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
 p_dec.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-p_dec.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
-p_enc.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-p_enc.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-p_enc.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-p_enc.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-p_enc.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-p_enc.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+p_dec.o: ../../include/openssl/x509_vfy.h ../cryptlib.h p_dec.c
+p_enc.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
+p_enc.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+p_enc.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
+p_enc.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
 p_enc.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-p_enc.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-p_enc.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-p_enc.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-p_enc.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-p_enc.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+p_enc.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+p_enc.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+p_enc.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 p_enc.o: ../../include/openssl/pkcs7.h ../../include/openssl/rand.h
-p_enc.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-p_enc.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
 p_enc.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
 p_enc.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
 p_enc.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-p_enc.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
-p_lib.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
-p_lib.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+p_enc.o: ../../include/openssl/x509_vfy.h ../cryptlib.h p_enc.c
+p_lib.o: ../../e_os.h ../../include/openssl/asn1.h
+p_lib.o: ../../include/openssl/asn1_mac.h ../../include/openssl/bio.h
 p_lib.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-p_lib.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
-p_lib.o: ../../include/openssl/des.h ../../include/openssl/dh.h
-p_lib.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
-p_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-p_lib.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-p_lib.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-p_lib.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-p_lib.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+p_lib.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
+p_lib.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+p_lib.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+p_lib.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
 p_lib.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-p_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
-p_lib.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-p_lib.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-p_lib.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-p_lib.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-p_lib.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-p_lib.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
-p_open.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-p_open.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-p_open.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-p_open.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-p_open.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-p_open.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+p_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+p_lib.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
+p_lib.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+p_lib.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+p_lib.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+p_lib.o: ../cryptlib.h p_lib.c
+p_open.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
+p_open.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+p_open.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
+p_open.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
 p_open.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-p_open.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-p_open.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-p_open.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-p_open.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-p_open.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-p_open.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-p_open.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-p_open.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+p_open.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+p_open.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+p_open.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+p_open.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
 p_open.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
 p_open.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 p_open.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-p_open.o: ../cryptlib.h
-p_seal.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-p_seal.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-p_seal.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-p_seal.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-p_seal.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-p_seal.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+p_open.o: ../cryptlib.h p_open.c
+p_seal.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
+p_seal.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+p_seal.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
+p_seal.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
 p_seal.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-p_seal.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-p_seal.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-p_seal.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-p_seal.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-p_seal.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+p_seal.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+p_seal.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+p_seal.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 p_seal.o: ../../include/openssl/pkcs7.h ../../include/openssl/rand.h
-p_seal.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-p_seal.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
 p_seal.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
 p_seal.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
 p_seal.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-p_seal.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
-p_sign.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-p_sign.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-p_sign.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-p_sign.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-p_sign.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-p_sign.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+p_seal.o: ../../include/openssl/x509_vfy.h ../cryptlib.h p_seal.c
+p_sign.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
+p_sign.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+p_sign.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
+p_sign.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
 p_sign.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-p_sign.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-p_sign.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-p_sign.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-p_sign.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-p_sign.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-p_sign.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-p_sign.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-p_sign.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+p_sign.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+p_sign.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+p_sign.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+p_sign.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
 p_sign.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
 p_sign.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 p_sign.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-p_sign.o: ../cryptlib.h
-p_verify.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-p_verify.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-p_verify.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-p_verify.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+p_sign.o: ../cryptlib.h p_sign.c
+p_verify.o: ../../e_os.h ../../include/openssl/asn1.h
+p_verify.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+p_verify.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 p_verify.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-p_verify.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-p_verify.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-p_verify.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-p_verify.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-p_verify.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+p_verify.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+p_verify.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 p_verify.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 p_verify.o: ../../include/openssl/opensslconf.h
-p_verify.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
-p_verify.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-p_verify.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-p_verify.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-p_verify.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-p_verify.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-p_verify.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
+p_verify.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+p_verify.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
+p_verify.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+p_verify.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+p_verify.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+p_verify.o: ../cryptlib.h p_verify.c
diff --git a/src/lib/libcrypto/evp/bio_b64.c b/src/lib/libcrypto/evp/bio_b64.c
index af6fa2ae8f..f12eac1b55 100644
--- a/src/lib/libcrypto/evp/bio_b64.c
+++ b/src/lib/libcrypto/evp/bio_b64.c
@@ -465,7 +465,8 @@ static long b64_ctrl(BIO *b, int cmd, long num, void *ptr)
                 break;
         case BIO_CTRL_WPENDING: /* More to write in buffer */
                 ret=ctx->buf_len-ctx->buf_off;
-                if ((ret == 0) && (ctx->base64.num != 0))
+                if ((ret == 0) && (ctx->encode != B64_NONE)
+                        && (ctx->base64.num != 0))
                         ret=1;
                 else if (ret <= 0)
                         ret=BIO_ctrl(b->next_bio,cmd,num,ptr);
@@ -500,7 +501,7 @@ again:
                                 goto again;
                                 }
                         }
-                else if (ctx->base64.num != 0)
+                else if (ctx->encode != B64_NONE && ctx->base64.num != 0)
                         {
                         ctx->buf_off=0;
                         EVP_EncodeFinal(&(ctx->base64),
diff --git a/src/lib/libcrypto/evp/bio_enc.c b/src/lib/libcrypto/evp/bio_enc.c
index 831c71a2b5..05f4249458 100644
--- a/src/lib/libcrypto/evp/bio_enc.c
+++ b/src/lib/libcrypto/evp/bio_enc.c
@@ -71,6 +71,7 @@ static int enc_new(BIO *h);
 static int enc_free(BIO *data);
 static long enc_callback_ctrl(BIO *h, int cmd, bio_info_cb *fps);
 #define ENC_BLOCK_SIZE  (1024*4)
+#define BUF_OFFSET      EVP_MAX_BLOCK_LENGTH
 
 typedef struct enc_struct
         {
@@ -80,7 +81,10 @@ typedef struct enc_struct
         int finished;
         int ok;                 /* bad decrypt */
         EVP_CIPHER_CTX cipher;
-        char buf[ENC_BLOCK_SIZE+10];
+        /* buf is larger than ENC_BLOCK_SIZE because EVP_DecryptUpdate
+         * can return up to a block more data than is presented to it
+         */
+        char buf[ENC_BLOCK_SIZE+BUF_OFFSET+2];
         } BIO_ENC_CTX;
 
 static BIO_METHOD methods_enc=
@@ -170,9 +174,9 @@ static int enc_read(BIO *b, char *out, int outl)
                 {
                 if (ctx->cont <= 0) break;
 
-                /* read in at offset 8, read the EVP_Cipher
+                /* read in at IV offset, read the EVP_Cipher
                  * documentation about why */
-                i=BIO_read(b->next_bio,&(ctx->buf[8]),ENC_BLOCK_SIZE);
+                i=BIO_read(b->next_bio,&(ctx->buf[BUF_OFFSET]),ENC_BLOCK_SIZE);
 
                 if (i <= 0)
                         {
@@ -180,7 +184,7 @@ static int enc_read(BIO *b, char *out, int outl)
                         if (!BIO_should_retry(b->next_bio))
                                 {
                                 ctx->cont=i;
-                                i=EVP_CipherFinal(&(ctx->cipher),
+                                i=EVP_CipherFinal_ex(&(ctx->cipher),
                                         (unsigned char *)ctx->buf,
                                         &(ctx->buf_len));
                                 ctx->ok=i;
@@ -196,7 +200,7 @@ static int enc_read(BIO *b, char *out, int outl)
                         {
                         EVP_CipherUpdate(&(ctx->cipher),
                                 (unsigned char *)ctx->buf,&ctx->buf_len,
-                                (unsigned char *)&(ctx->buf[8]),i);
+                                (unsigned char *)&(ctx->buf[BUF_OFFSET]),i);
                         ctx->cont=1;
                         /* Note: it is possible for EVP_CipherUpdate to
                          * decrypt zero bytes because this is or looks like
@@ -294,7 +298,7 @@ static long enc_ctrl(BIO *b, int cmd, long num, void *ptr)
         case BIO_CTRL_RESET:
                 ctx->ok=1;
                 ctx->finished=0;
-                EVP_CipherInit(&(ctx->cipher),NULL,NULL,NULL,
+                EVP_CipherInit_ex(&(ctx->cipher),NULL,NULL,NULL,NULL,
                         ctx->cipher.encrypt);
                 ret=BIO_ctrl(b->next_bio,cmd,num,ptr);
                 break;
@@ -331,7 +335,7 @@ again:
                         {
                         ctx->finished=1;
                         ctx->buf_off=0;
-                        ret=EVP_CipherFinal(&(ctx->cipher),
+                        ret=EVP_CipherFinal_ex(&(ctx->cipher),
                                 (unsigned char *)ctx->buf,
                                 &(ctx->buf_len));
                         ctx->ok=(int)ret;
@@ -417,7 +421,7 @@ void BIO_set_cipher(BIO *b, const EVP_CIPHER *c, unsigned char *k,
 
         b->init=1;
         ctx=(BIO_ENC_CTX *)b->ptr;
-        EVP_CipherInit(&(ctx->cipher),c,k,i,e);
+        EVP_CipherInit_ex(&(ctx->cipher),c,NULL, k,i,e);
         
         if (b->callback != NULL)
                 b->callback(b,BIO_CB_CTRL,(const char *)c,BIO_CTRL_SET,e,1L);
diff --git a/src/lib/libcrypto/evp/bio_md.c b/src/lib/libcrypto/evp/bio_md.c
index 2373c247d8..c632dfb202 100644
--- a/src/lib/libcrypto/evp/bio_md.c
+++ b/src/lib/libcrypto/evp/bio_md.c
@@ -96,7 +96,7 @@ static int md_new(BIO *bi)
         {
         EVP_MD_CTX *ctx;
 
-        ctx=(EVP_MD_CTX *)OPENSSL_malloc(sizeof(EVP_MD_CTX));
+        ctx=EVP_MD_CTX_create();
         if (ctx == NULL) return(0);
 
         bi->init=0;
@@ -108,7 +108,7 @@ static int md_new(BIO *bi)
 static int md_free(BIO *a)
         {
         if (a == NULL) return(0);
-        OPENSSL_free(a->ptr);
+        EVP_MD_CTX_destroy(a->ptr);
         a->ptr=NULL;
         a->init=0;
         a->flags=0;
@@ -121,7 +121,7 @@ static int md_read(BIO *b, char *out, int outl)
         EVP_MD_CTX *ctx;
 
         if (out == NULL) return(0);
-        ctx=(EVP_MD_CTX *)b->ptr;
+        ctx=b->ptr;
 
         if ((ctx == NULL) || (b->next_bio == NULL)) return(0);
 
@@ -145,7 +145,7 @@ static int md_write(BIO *b, const char *in, int inl)
         EVP_MD_CTX *ctx;
 
         if ((in == NULL) || (inl <= 0)) return(0);
-        ctx=(EVP_MD_CTX *)b->ptr;
+        ctx=b->ptr;
 
         if ((ctx != NULL) && (b->next_bio != NULL))
                 ret=BIO_write(b->next_bio,in,inl);
@@ -170,13 +170,13 @@ static long md_ctrl(BIO *b, int cmd, long num, void *ptr)
         long ret=1;
         BIO *dbio;
 
-        ctx=(EVP_MD_CTX *)b->ptr;
+        ctx=b->ptr;
 
         switch (cmd)
                 {
         case BIO_CTRL_RESET:
                 if (b->init)
-                        EVP_DigestInit(ctx,ctx->digest);
+                        EVP_DigestInit_ex(ctx,ctx->digest, NULL);
                 else
                         ret=0;
                 ret=BIO_ctrl(b->next_bio,cmd,num,ptr);
@@ -184,7 +184,7 @@ static long md_ctrl(BIO *b, int cmd, long num, void *ptr)
         case BIO_C_GET_MD:
                 if (b->init)
                         {
-                        ppmd=(const EVP_MD **)ptr;
+                        ppmd=ptr;
                         *ppmd=ctx->digest;
                         }
                 else
@@ -193,7 +193,7 @@ static long md_ctrl(BIO *b, int cmd, long num, void *ptr)
         case BIO_C_GET_MD_CTX:
                 if (b->init)
                         {
-                        pctx=(EVP_MD_CTX **)ptr;
+                        pctx=ptr;
                         *pctx=ctx;
                         }
                 else
@@ -206,14 +206,14 @@ static long md_ctrl(BIO *b, int cmd, long num, void *ptr)
                 break;
 
         case BIO_C_SET_MD:
-                md=(EVP_MD *)ptr;
-                EVP_DigestInit(ctx,md);
+                md=ptr;
+                EVP_DigestInit_ex(ctx,md, NULL);
                 b->init=1;
                 break;
         case BIO_CTRL_DUP:
-                dbio=(BIO *)ptr;
-                dctx=(EVP_MD_CTX *)dbio->ptr;
-                memcpy(dctx,ctx,sizeof(ctx));
+                dbio=ptr;
+                dctx=dbio->ptr;
+                EVP_MD_CTX_copy_ex(dctx,ctx);
                 b->init=1;
                 break;
         default:
@@ -243,10 +243,10 @@ static int md_gets(BIO *bp, char *buf, int size)
         unsigned int ret;
 
 
-        ctx=(EVP_MD_CTX *)bp->ptr;
+        ctx=bp->ptr;
         if (size < ctx->digest->md_size)
                 return(0);
-        EVP_DigestFinal(ctx,(unsigned char *)buf,&ret);
+        EVP_DigestFinal_ex(ctx,(unsigned char *)buf,&ret);
         return((int)ret);
         }
 
diff --git a/src/lib/libcrypto/evp/bio_ok.c b/src/lib/libcrypto/evp/bio_ok.c
index e617ce1d43..3cbc6e7848 100644
--- a/src/lib/libcrypto/evp/bio_ok.c
+++ b/src/lib/libcrypto/evp/bio_ok.c
@@ -162,7 +162,7 @@ typedef struct ok_struct
         EVP_MD_CTX md;
         int blockout;           /* output block is ready */ 
         int sigio;              /* must process signature */
-        char buf[IOBS];
+        unsigned char buf[IOBS];
         } BIO_OK_CTX;
 
 static BIO_METHOD methods_ok=
@@ -199,6 +199,8 @@ static int ok_new(BIO *bi)
         ctx->blockout= 0;
         ctx->sigio=1;
 
+        EVP_MD_CTX_init(&ctx->md);
+
         bi->init=0;
         bi->ptr=(char *)ctx;
         bi->flags=0;
@@ -208,6 +210,7 @@ static int ok_new(BIO *bi)
 static int ok_free(BIO *a)
         {
         if (a == NULL) return(0);
+        EVP_MD_CTX_cleanup(&((BIO_OK_CTX *)a->ptr)->md);
         memset(a->ptr,0,sizeof(BIO_OK_CTX));
         OPENSSL_free(a->ptr);
         a->ptr=NULL;
@@ -353,7 +356,7 @@ static long ok_ctrl(BIO *b, int cmd, long num, void *ptr)
         long ret=1;
         int i;
 
-        ctx=(BIO_OK_CTX *)b->ptr;
+        ctx=b->ptr;
 
         switch (cmd)
                 {
@@ -411,14 +414,14 @@ static long ok_ctrl(BIO *b, int cmd, long num, void *ptr)
                 ret=(long)ctx->cont;
                 break;
         case BIO_C_SET_MD:
-                md=(EVP_MD *)ptr;
-                EVP_DigestInit(&(ctx->md),md);
+                md=ptr;
+                EVP_DigestInit_ex(&ctx->md, md, NULL);
                 b->init=1;
                 break;
         case BIO_C_GET_MD:
                 if (b->init)
                         {
-                        ppmd=(const EVP_MD **)ptr;
+                        ppmd=ptr;
                         *ppmd=ctx->md.digest;
                         }
                 else
@@ -462,19 +465,22 @@ static void sig_out(BIO* b)
         BIO_OK_CTX *ctx;
         EVP_MD_CTX *md;
 
-        ctx=(BIO_OK_CTX *)b->ptr;
-        md= &(ctx->md);
+        ctx=b->ptr;
+        md=&ctx->md;
 
         if(ctx->buf_len+ 2* md->digest->md_size > OK_BLOCK_SIZE) return;
 
-        EVP_DigestInit(md, md->digest);
-        RAND_pseudo_bytes(&(md->md.base[0]), md->digest->md_size);
-        memcpy(&(ctx->buf[ctx->buf_len]), &(md->md.base[0]), md->digest->md_size);
+        EVP_DigestInit_ex(md, md->digest, NULL);
+        /* FIXME: there's absolutely no guarantee this makes any sense at all,
+         * particularly now EVP_MD_CTX has been restructured.
+         */
+        RAND_pseudo_bytes(md->md_data, md->digest->md_size);
+        memcpy(&(ctx->buf[ctx->buf_len]), md->md_data, md->digest->md_size);
         longswap(&(ctx->buf[ctx->buf_len]), md->digest->md_size);
         ctx->buf_len+= md->digest->md_size;
 
         EVP_DigestUpdate(md, WELLKNOWN, strlen(WELLKNOWN));
-        md->digest->final(&(ctx->buf[ctx->buf_len]), &(md->md.base[0]));
+        EVP_DigestFinal_ex(md, &(ctx->buf[ctx->buf_len]), NULL);
         ctx->buf_len+= md->digest->md_size;
         ctx->blockout= 1;
         ctx->sigio= 0;
@@ -487,18 +493,18 @@ static void sig_in(BIO* b)
         unsigned char tmp[EVP_MAX_MD_SIZE];
         int ret= 0;
 
-        ctx=(BIO_OK_CTX *)b->ptr;
-        md= &(ctx->md);
+        ctx=b->ptr;
+        md=&ctx->md;
 
         if(ctx->buf_len- ctx->buf_off < 2* md->digest->md_size) return;
 
-        EVP_DigestInit(md, md->digest);
-        memcpy(&(md->md.base[0]), &(ctx->buf[ctx->buf_off]), md->digest->md_size);
-        longswap(&(md->md.base[0]), md->digest->md_size);
+        EVP_DigestInit_ex(md, md->digest, NULL);
+        memcpy(md->md_data, &(ctx->buf[ctx->buf_off]), md->digest->md_size);
+        longswap(md->md_data, md->digest->md_size);
         ctx->buf_off+= md->digest->md_size;
 
         EVP_DigestUpdate(md, WELLKNOWN, strlen(WELLKNOWN));
-        md->digest->final(tmp, &(md->md.base[0]));
+        EVP_DigestFinal_ex(md, tmp, NULL);
         ret= memcmp(&(ctx->buf[ctx->buf_off]), tmp, md->digest->md_size) == 0;
         ctx->buf_off+= md->digest->md_size;
         if(ret == 1)
@@ -523,15 +529,15 @@ static void block_out(BIO* b)
         EVP_MD_CTX *md;
         unsigned long tl;
 
-        ctx=(BIO_OK_CTX *)b->ptr;
-        md= &(ctx->md);
+        ctx=b->ptr;
+        md=&ctx->md;
 
         tl= ctx->buf_len- OK_BLOCK_BLOCK;
         tl= swapem(tl);
         memcpy(ctx->buf, &tl, OK_BLOCK_BLOCK);
         tl= swapem(tl);
         EVP_DigestUpdate(md, (unsigned char*) &(ctx->buf[OK_BLOCK_BLOCK]), tl);
-        md->digest->final(&(ctx->buf[ctx->buf_len]), &(md->md.base[0]));
+        EVP_DigestFinal_ex(md, &(ctx->buf[ctx->buf_len]), NULL);
         ctx->buf_len+= md->digest->md_size;
         ctx->blockout= 1;
         }
@@ -543,15 +549,15 @@ static void block_in(BIO* b)
         long tl= 0;
         unsigned char tmp[EVP_MAX_MD_SIZE];
 
-        ctx=(BIO_OK_CTX *)b->ptr;
-        md= &(ctx->md);
+        ctx=b->ptr;
+        md=&ctx->md;
 
         memcpy(&tl, ctx->buf, OK_BLOCK_BLOCK);
         tl= swapem(tl);
         if (ctx->buf_len < tl+ OK_BLOCK_BLOCK+ md->digest->md_size) return;
  
         EVP_DigestUpdate(md, (unsigned char*) &(ctx->buf[OK_BLOCK_BLOCK]), tl);
-        md->digest->final(tmp, &(md->md.base[0]));
+        EVP_DigestFinal_ex(md, tmp, NULL);
         if(memcmp(&(ctx->buf[tl+ OK_BLOCK_BLOCK]), tmp, md->digest->md_size) == 0)
                 {
                 /* there might be parts from next block lurking around ! */
diff --git a/src/lib/libcrypto/evp/c_all.c b/src/lib/libcrypto/evp/c_all.c
index 1e185830a3..3d390dfbf1 100644
--- a/src/lib/libcrypto/evp/c_all.c
+++ b/src/lib/libcrypto/evp/c_all.c
@@ -60,8 +60,16 @@
 #include "cryptlib.h"
 #include <openssl/evp.h>
 
+#undef OpenSSL_add_all_algorithms
+
 void OpenSSL_add_all_algorithms(void)
-{
+        {
+        OPENSSL_add_all_algorithms_noconf();
+        }
+
+void OPENSSL_add_all_algorithms_noconf(void)
+        {
         OpenSSL_add_all_ciphers();
         OpenSSL_add_all_digests();
-}
+        ENGINE_setup_openbsd();
+        }
diff --git a/src/lib/libcrypto/evp/c_allc.c b/src/lib/libcrypto/evp/c_allc.c
index f24d3756c9..37e6ab83a5 100644
--- a/src/lib/libcrypto/evp/c_allc.c
+++ b/src/lib/libcrypto/evp/c_allc.c
@@ -64,7 +64,8 @@
 
 void OpenSSL_add_all_ciphers(void)
         {
-#ifndef NO_DES
+
+#ifndef OPENSSL_NO_DES
         EVP_add_cipher(EVP_des_cfb());
         EVP_add_cipher(EVP_des_ede_cfb());
         EVP_add_cipher(EVP_des_ede3_cfb());
@@ -90,12 +91,12 @@ void OpenSSL_add_all_ciphers(void)
         EVP_add_cipher(EVP_des_ede3());
 #endif
 
-#ifndef NO_RC4
+#ifndef OPENSSL_NO_RC4
         EVP_add_cipher(EVP_rc4());
         EVP_add_cipher(EVP_rc4_40());
 #endif
 
-#ifndef NO_IDEA
+#ifndef OPENSSL_NO_IDEA
         EVP_add_cipher(EVP_idea_ecb());
         EVP_add_cipher(EVP_idea_cfb());
         EVP_add_cipher(EVP_idea_ofb());
@@ -104,7 +105,7 @@ void OpenSSL_add_all_ciphers(void)
         EVP_add_cipher_alias(SN_idea_cbc,"idea");
 #endif
 
-#ifndef NO_RC2
+#ifndef OPENSSL_NO_RC2
         EVP_add_cipher(EVP_rc2_ecb());
         EVP_add_cipher(EVP_rc2_cfb());
         EVP_add_cipher(EVP_rc2_ofb());
@@ -115,7 +116,7 @@ void OpenSSL_add_all_ciphers(void)
         EVP_add_cipher_alias(SN_rc2_cbc,"rc2");
 #endif
 
-#ifndef NO_BF
+#ifndef OPENSSL_NO_BF
         EVP_add_cipher(EVP_bf_ecb());
         EVP_add_cipher(EVP_bf_cfb());
         EVP_add_cipher(EVP_bf_ofb());
@@ -125,7 +126,7 @@ void OpenSSL_add_all_ciphers(void)
         EVP_add_cipher_alias(SN_bf_cbc,"blowfish");
 #endif
 
-#ifndef NO_CAST
+#ifndef OPENSSL_NO_CAST
         EVP_add_cipher(EVP_cast5_ecb());
         EVP_add_cipher(EVP_cast5_cfb());
         EVP_add_cipher(EVP_cast5_ofb());
@@ -136,7 +137,7 @@ void OpenSSL_add_all_ciphers(void)
         EVP_add_cipher_alias(SN_cast5_cbc,"cast-cbc");
 #endif
 
-#ifndef NO_RC5
+#ifndef OPENSSL_NO_RC5
         EVP_add_cipher(EVP_rc5_32_12_16_ecb());
         EVP_add_cipher(EVP_rc5_32_12_16_cfb());
         EVP_add_cipher(EVP_rc5_32_12_16_ofb());
@@ -144,6 +145,21 @@ void OpenSSL_add_all_ciphers(void)
         EVP_add_cipher_alias(SN_rc5_cbc,"rc5");
         EVP_add_cipher_alias(SN_rc5_cbc,"RC5");
 #endif
+
+#ifndef OPENSSL_NO_AES
+        EVP_add_cipher(EVP_aes_128_ecb());
+        EVP_add_cipher(EVP_aes_128_cbc());
+        EVP_add_cipher_alias(SN_aes_128_cbc,"AES128");
+        EVP_add_cipher_alias(SN_aes_128_cbc,"aes128");
+        EVP_add_cipher(EVP_aes_192_ecb());
+        EVP_add_cipher(EVP_aes_192_cbc());
+        EVP_add_cipher_alias(SN_aes_192_cbc,"AES192");
+        EVP_add_cipher_alias(SN_aes_192_cbc,"aes192");
+        EVP_add_cipher(EVP_aes_256_ecb());
+        EVP_add_cipher(EVP_aes_256_cbc());
+        EVP_add_cipher_alias(SN_aes_256_cbc,"AES256");
+        EVP_add_cipher_alias(SN_aes_256_cbc,"aes256");
+#endif
         PKCS12_PBE_add();
         PKCS5_PBE_add();
         }
diff --git a/src/lib/libcrypto/evp/c_alld.c b/src/lib/libcrypto/evp/c_alld.c
index bbf059eb85..be91cdb037 100644
--- a/src/lib/libcrypto/evp/c_alld.c
+++ b/src/lib/libcrypto/evp/c_alld.c
@@ -64,38 +64,38 @@
 
 void OpenSSL_add_all_digests(void)
         {
-#ifndef NO_MD2
+#ifndef OPENSSL_NO_MD2
         EVP_add_digest(EVP_md2());
 #endif
-#ifndef NO_MD4
+#ifndef OPENSSL_NO_MD4
         EVP_add_digest(EVP_md4());
 #endif
-#ifndef NO_MD5
+#ifndef OPENSSL_NO_MD5
         EVP_add_digest(EVP_md5());
         EVP_add_digest_alias(SN_md5,"ssl2-md5");
         EVP_add_digest_alias(SN_md5,"ssl3-md5");
 #endif
-#ifndef NO_SHA
+#ifndef OPENSSL_NO_SHA
         EVP_add_digest(EVP_sha());
-#ifndef NO_DSA
+#ifndef OPENSSL_NO_DSA
         EVP_add_digest(EVP_dss());
 #endif
 #endif
-#ifndef NO_SHA
+#ifndef OPENSSL_NO_SHA
         EVP_add_digest(EVP_sha1());
         EVP_add_digest_alias(SN_sha1,"ssl3-sha1");
         EVP_add_digest_alias(SN_sha1WithRSAEncryption,SN_sha1WithRSA);
-#ifndef NO_DSA
+#ifndef OPENSSL_NO_DSA
         EVP_add_digest(EVP_dss1());
         EVP_add_digest_alias(SN_dsaWithSHA1,SN_dsaWithSHA1_2);
         EVP_add_digest_alias(SN_dsaWithSHA1,"DSS1");
         EVP_add_digest_alias(SN_dsaWithSHA1,"dss1");
 #endif
 #endif
-#if !defined(NO_MDC2) && !defined(NO_DES)
+#if !defined(OPENSSL_NO_MDC2) && !defined(OPENSSL_NO_DES)
         EVP_add_digest(EVP_mdc2());
 #endif
-#ifndef NO_RIPEMD
+#ifndef OPENSSL_NO_RIPEMD
         EVP_add_digest(EVP_ripemd160());
         EVP_add_digest_alias(SN_ripemd160,"ripemd");
         EVP_add_digest_alias(SN_ripemd160,"rmd160");
diff --git a/src/lib/libcrypto/evp/digest.c b/src/lib/libcrypto/evp/digest.c
index c560733568..a969ac69ed 100644
--- a/src/lib/libcrypto/evp/digest.c
+++ b/src/lib/libcrypto/evp/digest.c
@@ -55,38 +55,258 @@
  * copied and put under another distribution licence
  * [including the GNU Public Licence.]
  */
+/* ====================================================================
+ * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
 
 #include <stdio.h>
 #include "cryptlib.h"
 #include <openssl/objects.h>
 #include <openssl/evp.h>
+#include <openssl/engine.h>
+
+void EVP_MD_CTX_init(EVP_MD_CTX *ctx)
+        {
+        memset(ctx,'\0',sizeof *ctx);
+        }
+
+EVP_MD_CTX *EVP_MD_CTX_create(void)
+        {
+        EVP_MD_CTX *ctx=OPENSSL_malloc(sizeof *ctx);
+
+        EVP_MD_CTX_init(ctx);
+
+        return ctx;
+        }
+
+int EVP_DigestInit(EVP_MD_CTX *ctx, const EVP_MD *type)
+        {
+        EVP_MD_CTX_init(ctx);
+        return EVP_DigestInit_ex(ctx, type, NULL);
+        }
 
-void EVP_DigestInit(EVP_MD_CTX *ctx, const EVP_MD *type)
+int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl)
         {
-        ctx->digest=type;
-        type->init(&(ctx->md));
+        EVP_MD_CTX_clear_flags(ctx,EVP_MD_CTX_FLAG_CLEANED);
+        /* Whether it's nice or not, "Inits" can be used on "Final"'d contexts
+         * so this context may already have an ENGINE! Try to avoid releasing
+         * the previous handle, re-querying for an ENGINE, and having a
+         * reinitialisation, when it may all be unecessary. */
+        if (ctx->engine && ctx->digest && (!type ||
+                        (type && (type->type == ctx->digest->type))))
+                goto skip_to_init;
+        if (type)
+                {
+                /* Ensure an ENGINE left lying around from last time is cleared
+                 * (the previous check attempted to avoid this if the same
+                 * ENGINE and EVP_MD could be used). */
+                if(ctx->engine)
+                        ENGINE_finish(ctx->engine);
+                if(impl)
+                        {
+                        if (!ENGINE_init(impl))
+                                {
+                                EVPerr(EVP_F_EVP_DIGESTINIT, EVP_R_INITIALIZATION_ERROR);
+                                return 0;
+                                }
+                        }
+                else
+                        /* Ask if an ENGINE is reserved for this job */
+                        impl = ENGINE_get_digest_engine(type->type);
+                if(impl)
+                        {
+                        /* There's an ENGINE for this job ... (apparently) */
+                        const EVP_MD *d = ENGINE_get_digest(impl, type->type);
+                        if(!d)
+                                {
+                                /* Same comment from evp_enc.c */
+                                EVPerr(EVP_F_EVP_DIGESTINIT, EVP_R_INITIALIZATION_ERROR);
+                                return 0;
+                                }
+                        /* We'll use the ENGINE's private digest definition */
+                        type = d;
+                        /* Store the ENGINE functional reference so we know
+                         * 'type' came from an ENGINE and we need to release
+                         * it when done. */
+                        ctx->engine = impl;
+                        }
+                else
+                        ctx->engine = NULL;
+                }
+        else if(!ctx->digest)
+                {
+                EVPerr(EVP_F_EVP_DIGESTINIT, EVP_R_NO_DIGEST_SET);
+                return 0;
+                }
+        if (ctx->digest != type)
+                {
+                if (ctx->digest && ctx->digest->ctx_size)
+                        OPENSSL_free(ctx->md_data);
+                ctx->digest=type;
+                if (type->ctx_size)
+                        ctx->md_data=OPENSSL_malloc(type->ctx_size);
+                }
+skip_to_init:
+        return ctx->digest->init(ctx);
         }
 
-void EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *data,
+int EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *data,
              unsigned int count)
         {
-        ctx->digest->update(&(ctx->md.base[0]),data,(unsigned long)count);
+        return ctx->digest->update(ctx,data,(unsigned long)count);
+        }
+
+/* The caller can assume that this removes any secret data from the context */
+int EVP_DigestFinal(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *size)
+        {
+        int ret;
+        ret = EVP_DigestFinal_ex(ctx, md, size);
+        EVP_MD_CTX_cleanup(ctx);
+        return ret;
         }
 
-void EVP_DigestFinal(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *size)
+/* The caller can assume that this removes any secret data from the context */
+int EVP_DigestFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *size)
         {
-        ctx->digest->final(md,&(ctx->md.base[0]));
+        int ret;
+        ret=ctx->digest->final(ctx,md);
         if (size != NULL)
                 *size=ctx->digest->md_size;
-        memset(&(ctx->md),0,sizeof(ctx->md));
+        if (ctx->digest->cleanup)
+                {
+                ctx->digest->cleanup(ctx);
+                EVP_MD_CTX_set_flags(ctx,EVP_MD_CTX_FLAG_CLEANED);
+                }
+        memset(ctx->md_data,0,ctx->digest->ctx_size);
+        return ret;
+        }
+
+int EVP_MD_CTX_copy(EVP_MD_CTX *out, const EVP_MD_CTX *in)
+        {
+        EVP_MD_CTX_init(out);
+        return EVP_MD_CTX_copy_ex(out, in);
+        }
+
+int EVP_MD_CTX_copy_ex(EVP_MD_CTX *out, const EVP_MD_CTX *in)
+        {
+        if ((in == NULL) || (in->digest == NULL))
+                {
+                EVPerr(EVP_F_EVP_MD_CTX_COPY,EVP_R_INPUT_NOT_INITIALIZED);
+                return 0;
+                }
+        /* Make sure it's safe to copy a digest context using an ENGINE */
+        if (in->engine && !ENGINE_init(in->engine))
+                {
+                EVPerr(EVP_F_EVP_MD_CTX_COPY,ERR_R_ENGINE_LIB);
+                return 0;
+                }
+
+        EVP_MD_CTX_cleanup(out);
+        memcpy(out,in,sizeof *out);
+
+        if (out->digest->ctx_size)
+                {
+                out->md_data=OPENSSL_malloc(out->digest->ctx_size);
+                memcpy(out->md_data,in->md_data,out->digest->ctx_size);
+                }
+        
+        if (out->digest->copy)
+                return out->digest->copy(out,in);
+        
+        return 1;
+        }
+
+int EVP_Digest(void *data, unsigned int count,
+                unsigned char *md, unsigned int *size, const EVP_MD *type, ENGINE *impl)
+        {
+        EVP_MD_CTX ctx;
+        int ret;
+
+        EVP_MD_CTX_init(&ctx);
+        EVP_MD_CTX_set_flags(&ctx,EVP_MD_CTX_FLAG_ONESHOT);
+        ret=EVP_DigestInit_ex(&ctx, type, impl)
+          && EVP_DigestUpdate(&ctx, data, count)
+          && EVP_DigestFinal_ex(&ctx, md, size);
+        EVP_MD_CTX_cleanup(&ctx);
+
+        return ret;
         }
 
-int EVP_MD_CTX_copy(EVP_MD_CTX *out, EVP_MD_CTX *in)
-{
-    if ((in == NULL) || (in->digest == NULL)) {
-        EVPerr(EVP_F_EVP_MD_CTX_COPY,EVP_R_INPUT_NOT_INITIALIZED);
-        return 0;
-    }
-    memcpy((char *)out,(char *)in,in->digest->ctx_size);
-    return 1;
-}    
+void EVP_MD_CTX_destroy(EVP_MD_CTX *ctx)
+        {
+        EVP_MD_CTX_cleanup(ctx);
+        OPENSSL_free(ctx);
+        }
+
+/* This call frees resources associated with the context */
+int EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx)
+        {
+        /* Don't assume ctx->md_data was cleaned in EVP_Digest_Final,
+         * because sometimes only copies of the context are ever finalised.
+         */
+        if (ctx->digest && ctx->digest->cleanup
+            && !EVP_MD_CTX_test_flags(ctx,EVP_MD_CTX_FLAG_CLEANED))
+                ctx->digest->cleanup(ctx);
+        if (ctx->digest && ctx->digest->ctx_size && ctx->md_data)
+                {
+                memset(ctx->md_data,0,ctx->digest->ctx_size);
+                OPENSSL_free(ctx->md_data);
+                }
+        if(ctx->engine)
+                /* The EVP_MD we used belongs to an ENGINE, release the
+                 * functional reference we held for this reason. */
+                ENGINE_finish(ctx->engine);
+        memset(ctx,'\0',sizeof *ctx);
+
+        return 1;
+        }
diff --git a/src/lib/libcrypto/evp/e_aes.c b/src/lib/libcrypto/evp/e_aes.c
new file mode 100644
index 0000000000..9d03a9602f
--- /dev/null
+++ b/src/lib/libcrypto/evp/e_aes.c
@@ -0,0 +1,99 @@
+/* ====================================================================
+ * Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ */
+
+#ifndef OPENSSL_NO_AES
+#include <openssl/evp.h>
+#include <openssl/err.h>
+#include <string.h>
+#include <assert.h>
+#include <openssl/aes.h>
+#include "evp_locl.h"
+
+static int aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
+                                        const unsigned char *iv, int enc);
+
+typedef struct
+        {
+        AES_KEY ks;
+        } EVP_AES_KEY;
+
+#define data(ctx)       EVP_C_DATA(EVP_AES_KEY,ctx)
+
+IMPLEMENT_BLOCK_CIPHER(aes_128, ks, AES, EVP_AES_KEY,
+                       NID_aes_128, 16, 16, 16, 128,
+                       0, aes_init_key, NULL, 
+                       EVP_CIPHER_set_asn1_iv,
+                       EVP_CIPHER_get_asn1_iv,
+                       NULL)
+IMPLEMENT_BLOCK_CIPHER(aes_192, ks, AES, EVP_AES_KEY,
+                       NID_aes_192, 16, 24, 16, 128,
+                       0, aes_init_key, NULL, 
+                       EVP_CIPHER_set_asn1_iv,
+                       EVP_CIPHER_get_asn1_iv,
+                       NULL)
+IMPLEMENT_BLOCK_CIPHER(aes_256, ks, AES, EVP_AES_KEY,
+                       NID_aes_256, 16, 32, 16, 128,
+                       0, aes_init_key, NULL, 
+                       EVP_CIPHER_set_asn1_iv,
+                       EVP_CIPHER_get_asn1_iv,
+                       NULL)
+
+static int aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
+                   const unsigned char *iv, int enc) {
+
+        if (enc) 
+                AES_set_encrypt_key(key, ctx->key_len * 8, ctx->cipher_data);
+        else
+                AES_set_decrypt_key(key, ctx->key_len * 8, ctx->cipher_data);
+
+        return 1;
+}
+
+#endif
diff --git a/src/lib/libcrypto/evp/e_bf.c b/src/lib/libcrypto/evp/e_bf.c
index 53559b0b65..e74337567b 100644
--- a/src/lib/libcrypto/evp/e_bf.c
+++ b/src/lib/libcrypto/evp/e_bf.c
@@ -56,24 +56,32 @@
  * [including the GNU Public Licence.]
  */
 
-#ifndef NO_BF
+#ifndef OPENSSL_NO_BF
 #include <stdio.h>
 #include "cryptlib.h"
 #include <openssl/evp.h>
 #include "evp_locl.h"
 #include <openssl/objects.h>
+#include <openssl/blowfish.h>
 
 static int bf_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
                        const unsigned char *iv, int enc);
 
-IMPLEMENT_BLOCK_CIPHER(bf, bf_ks, BF, bf_ks, NID_bf, 8, 16, 8,
+typedef struct
+        {
+        BF_KEY ks;
+        } EVP_BF_KEY;
+
+#define data(ctx)       EVP_C_DATA(EVP_BF_KEY,ctx)
+
+IMPLEMENT_BLOCK_CIPHER(bf, ks, BF, EVP_BF_KEY, NID_bf, 8, 16, 8, 64,
                         EVP_CIPH_VARIABLE_LENGTH, bf_init_key, NULL, 
                         EVP_CIPHER_set_asn1_iv, EVP_CIPHER_get_asn1_iv, NULL)
         
 static int bf_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
                        const unsigned char *iv, int enc)
         {
-        BF_set_key(&(ctx->c.bf_ks),EVP_CIPHER_CTX_key_length(ctx),key);
+        BF_set_key(&data(ctx)->ks,EVP_CIPHER_CTX_key_length(ctx),key);
         return 1;
         }
 
diff --git a/src/lib/libcrypto/evp/e_cast.c b/src/lib/libcrypto/evp/e_cast.c
index e5af7fb4ed..3400fef187 100644
--- a/src/lib/libcrypto/evp/e_cast.c
+++ b/src/lib/libcrypto/evp/e_cast.c
@@ -56,26 +56,34 @@
  * [including the GNU Public Licence.]
  */
 
-#ifndef NO_CAST
+#ifndef OPENSSL_NO_CAST
 
 #include <stdio.h>
 #include "cryptlib.h"
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include "evp_locl.h"
+#include <openssl/cast.h>
 
 static int cast_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
                          const unsigned char *iv,int enc);
 
-IMPLEMENT_BLOCK_CIPHER(cast5, cast_ks, CAST, cast_ks, 
-                        NID_cast5, 8, EVP_CAST5_KEY_SIZE, 8,
+typedef struct
+        {
+        CAST_KEY ks;
+        } EVP_CAST_KEY;
+
+#define data(ctx)       EVP_C_DATA(EVP_CAST_KEY,ctx)
+
+IMPLEMENT_BLOCK_CIPHER(cast5, ks, CAST, EVP_CAST_KEY, 
+                        NID_cast5, 8, CAST_KEY_LENGTH, 8, 64,
                         EVP_CIPH_VARIABLE_LENGTH, cast_init_key, NULL,
                         EVP_CIPHER_set_asn1_iv, EVP_CIPHER_get_asn1_iv, NULL)
                         
 static int cast_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
                          const unsigned char *iv, int enc)
         {
-        CAST_set_key(&(ctx->c.cast_ks),EVP_CIPHER_CTX_key_length(ctx),key);
+        CAST_set_key(&data(ctx)->ks,EVP_CIPHER_CTX_key_length(ctx),key);
         return 1;
         }
 
diff --git a/src/lib/libcrypto/evp/e_des.c b/src/lib/libcrypto/evp/e_des.c
index f4e998b81c..105266a4b3 100644
--- a/src/lib/libcrypto/evp/e_des.c
+++ b/src/lib/libcrypto/evp/e_des.c
@@ -56,12 +56,13 @@
  * [including the GNU Public Licence.]
  */
 
-#ifndef NO_DES
+#ifndef OPENSSL_NO_DES
 #include <stdio.h>
 #include "cryptlib.h"
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include "evp_locl.h"
+#include <openssl/des.h>
 
 static int des_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
                         const unsigned char *iv, int enc);
@@ -72,34 +73,34 @@ static int des_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                           const unsigned char *in, unsigned int inl)
 {
         BLOCK_CIPHER_ecb_loop()
-                des_ecb_encrypt((des_cblock *)(in + i), (des_cblock *)(out + i), ctx->c.des_ks, ctx->encrypt);
+                DES_ecb_encrypt((DES_cblock *)(in + i), (DES_cblock *)(out + i), ctx->cipher_data, ctx->encrypt);
         return 1;
 }
 
 static int des_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                           const unsigned char *in, unsigned int inl)
 {
-        des_ofb64_encrypt(in, out, (long)inl, ctx->c.des_ks, (des_cblock *)ctx->iv, &ctx->num);
+        DES_ofb64_encrypt(in, out, (long)inl, ctx->cipher_data, (DES_cblock *)ctx->iv, &ctx->num);
         return 1;
 }
 
 static int des_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                           const unsigned char *in, unsigned int inl)
 {
-        des_ncbc_encrypt(in, out, (long)inl, ctx->c.des_ks,
-                         (des_cblock *)ctx->iv, ctx->encrypt);
+        DES_ncbc_encrypt(in, out, (long)inl, ctx->cipher_data,
+                         (DES_cblock *)ctx->iv, ctx->encrypt);
         return 1;
 }
 
 static int des_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                           const unsigned char *in, unsigned int inl)
 {
-        des_cfb64_encrypt(in, out, (long)inl, ctx->c.des_ks,
-                          (des_cblock *)ctx->iv, &ctx->num, ctx->encrypt);
+        DES_cfb64_encrypt(in, out, (long)inl, ctx->cipher_data,
+                          (DES_cblock *)ctx->iv, &ctx->num, ctx->encrypt);
         return 1;
 }
 
-BLOCK_CIPHER_defs(des, des_ks, NID_des, 8, 8, 8,
+BLOCK_CIPHER_defs(des, DES_key_schedule, NID_des, 8, 8, 8, 64,
                         0, des_init_key, NULL,
                         EVP_CIPHER_set_asn1_iv,
                         EVP_CIPHER_get_asn1_iv,
@@ -109,9 +110,9 @@ BLOCK_CIPHER_defs(des, des_ks, NID_des, 8, 8, 8,
 static int des_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
                         const unsigned char *iv, int enc)
         {
-        des_cblock *deskey = (des_cblock *)key;
+        DES_cblock *deskey = (DES_cblock *)key;
 
-        des_set_key_unchecked(deskey,ctx->c.des_ks);
+        DES_set_key_unchecked(deskey,ctx->cipher_data);
         return 1;
         }
 
diff --git a/src/lib/libcrypto/evp/e_des3.c b/src/lib/libcrypto/evp/e_des3.c
index a9aba4ae70..077860e7b6 100644
--- a/src/lib/libcrypto/evp/e_des3.c
+++ b/src/lib/libcrypto/evp/e_des3.c
@@ -56,12 +56,13 @@
  * [including the GNU Public Licence.]
  */
 
-#ifndef NO_DES
+#ifndef OPENSSL_NO_DES
 #include <stdio.h>
 #include "cryptlib.h"
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include "evp_locl.h"
+#include <openssl/des.h>
 
 static int des_ede_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
                             const unsigned char *iv,int enc);
@@ -69,60 +70,78 @@ static int des_ede_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
 static int des_ede3_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
                              const unsigned char *iv,int enc);
 
+typedef struct
+    {
+    DES_key_schedule ks1;/* key schedule */
+    DES_key_schedule ks2;/* key schedule (for ede) */
+    DES_key_schedule ks3;/* key schedule (for ede3) */
+    } DES_EDE_KEY;
+
+#define data(ctx) ((DES_EDE_KEY *)(ctx)->cipher_data)
+
 /* Because of various casts and different args can't use IMPLEMENT_BLOCK_CIPHER */
 
 static int des_ede_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                               const unsigned char *in, unsigned int inl)
 {
         BLOCK_CIPHER_ecb_loop()
-                des_ecb3_encrypt((des_cblock *)(in + i), (des_cblock *)(out + i), 
-                        ctx->c.des_ede.ks1, ctx->c.des_ede.ks2, ctx->c.des_ede.ks3,
-                         ctx->encrypt);
+                DES_ecb3_encrypt((DES_cblock *)(in + i), (DES_cblock *)(out + i), 
+                                 &data(ctx)->ks1, &data(ctx)->ks2,
+                                 &data(ctx)->ks3,
+                                 ctx->encrypt);
         return 1;
 }
 
 static int des_ede_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                               const unsigned char *in, unsigned int inl)
 {
-        des_ede3_ofb64_encrypt(in, out, (long)inl,
-                        ctx->c.des_ede.ks1, ctx->c.des_ede.ks2, ctx->c.des_ede.ks3,
-                                                                (des_cblock *)ctx->iv, &ctx->num);
+        DES_ede3_ofb64_encrypt(in, out, (long)inl,
+                               &data(ctx)->ks1, &data(ctx)->ks2, &data(ctx)->ks3,
+                               (DES_cblock *)ctx->iv, &ctx->num);
         return 1;
 }
 
 static int des_ede_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                               const unsigned char *in, unsigned int inl)
 {
-        des_ede3_cbc_encrypt(in, out, (long)inl,
-                        ctx->c.des_ede.ks1, ctx->c.des_ede.ks2, ctx->c.des_ede.ks3,
-                                                                (des_cblock *)ctx->iv, ctx->encrypt);
+#ifdef KSSL_DEBUG
+        {
+        int i;
+        char *cp;
+        printf("des_ede_cbc_cipher(ctx=%lx, buflen=%d)\n", ctx, ctx->buf_len);
+        printf("\t iv= ");
+        for(i=0;i<8;i++)
+                printf("%02X",ctx->iv[i]);
+        printf("\n");
+        }
+#endif    /* KSSL_DEBUG */
+        DES_ede3_cbc_encrypt(in, out, (long)inl,
+                             &data(ctx)->ks1, &data(ctx)->ks2, &data(ctx)->ks3,
+                             (DES_cblock *)ctx->iv, ctx->encrypt);
         return 1;
 }
 
 static int des_ede_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                               const unsigned char *in, unsigned int inl)
 {
-        des_ede3_cfb64_encrypt(in, out, (long)inl, 
-                        ctx->c.des_ede.ks1, ctx->c.des_ede.ks2, ctx->c.des_ede.ks3,
-                                        (des_cblock *)ctx->iv, &ctx->num, ctx->encrypt);
+        DES_ede3_cfb64_encrypt(in, out, (long)inl, 
+                               &data(ctx)->ks1, &data(ctx)->ks2, &data(ctx)->ks3,
+                               (DES_cblock *)ctx->iv, &ctx->num, ctx->encrypt);
         return 1;
 }
 
-#define NID_des_ede_ecb NID_des_ede
-
-BLOCK_CIPHER_defs(des_ede, des_ede, NID_des_ede, 8, 16, 8,
+BLOCK_CIPHER_defs(des_ede, DES_EDE_KEY, NID_des_ede, 8, 16, 8, 64,
                         0, des_ede_init_key, NULL, 
                         EVP_CIPHER_set_asn1_iv,
                         EVP_CIPHER_get_asn1_iv,
                         NULL)
 
-#define NID_des_ede3_ecb NID_des_ede3
 #define des_ede3_cfb_cipher des_ede_cfb_cipher
 #define des_ede3_ofb_cipher des_ede_ofb_cipher
 #define des_ede3_cbc_cipher des_ede_cbc_cipher
 #define des_ede3_ecb_cipher des_ede_ecb_cipher
 
-BLOCK_CIPHER_defs(des_ede3, des_ede, NID_des_ede3, 8, 24, 8,
+BLOCK_CIPHER_defs(des_ede3, DES_EDE_KEY, NID_des_ede3, 8, 24, 8, 64,
                         0, des_ede3_init_key, NULL, 
                         EVP_CIPHER_set_asn1_iv,
                         EVP_CIPHER_get_asn1_iv,
@@ -131,34 +150,43 @@ BLOCK_CIPHER_defs(des_ede3, des_ede, NID_des_ede3, 8, 24, 8,
 static int des_ede_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
                             const unsigned char *iv, int enc)
         {
-        des_cblock *deskey = (des_cblock *)key;
+        DES_cblock *deskey = (DES_cblock *)key;
 
-        des_set_key_unchecked(&deskey[0],ctx->c.des_ede.ks1);
-        des_set_key_unchecked(&deskey[1],ctx->c.des_ede.ks2);
-        memcpy( (char *)ctx->c.des_ede.ks3,
-                        (char *)ctx->c.des_ede.ks1,
-                        sizeof(ctx->c.des_ede.ks1));
+        DES_set_key_unchecked(&deskey[0],&data(ctx)->ks1);
+        DES_set_key_unchecked(&deskey[1],&data(ctx)->ks2);
+        memcpy(&data(ctx)->ks3,&data(ctx)->ks1,
+               sizeof(data(ctx)->ks1));
         return 1;
         }
 
 static int des_ede3_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
                              const unsigned char *iv, int enc)
         {
-        des_cblock *deskey = (des_cblock *)key;
+        DES_cblock *deskey = (DES_cblock *)key;
+#ifdef KSSL_DEBUG
+        {
+        int i;
+        printf("des_ede3_init_key(ctx=%lx)\n", ctx);
+        printf("\tKEY= ");
+        for(i=0;i<24;i++) printf("%02X",key[i]); printf("\n");
+        printf("\t IV= ");
+        for(i=0;i<8;i++) printf("%02X",iv[i]); printf("\n");
+        }
+#endif  /* KSSL_DEBUG */
 
-        des_set_key_unchecked(&deskey[0],ctx->c.des_ede.ks1);
-        des_set_key_unchecked(&deskey[1],ctx->c.des_ede.ks2);
-        des_set_key_unchecked(&deskey[2],ctx->c.des_ede.ks3);
+        DES_set_key_unchecked(&deskey[0],&data(ctx)->ks1);
+        DES_set_key_unchecked(&deskey[1],&data(ctx)->ks2);
+        DES_set_key_unchecked(&deskey[2],&data(ctx)->ks3);
 
         return 1;
         }
 
-EVP_CIPHER *EVP_des_ede(void)
+const EVP_CIPHER *EVP_des_ede(void)
 {
         return &des_ede_ecb;
 }
 
-EVP_CIPHER *EVP_des_ede3(void)
+const EVP_CIPHER *EVP_des_ede3(void)
 {
         return &des_ede3_ecb;
 }
diff --git a/src/lib/libcrypto/evp/e_idea.c b/src/lib/libcrypto/evp/e_idea.c
index 8d3c88deb7..ed838d3e62 100644
--- a/src/lib/libcrypto/evp/e_idea.c
+++ b/src/lib/libcrypto/evp/e_idea.c
@@ -56,13 +56,14 @@
  * [including the GNU Public Licence.]
  */
 
-#ifndef NO_IDEA
+#ifndef OPENSSL_NO_IDEA
 
 #include <stdio.h>
 #include "cryptlib.h"
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include "evp_locl.h"
+#include <openssl/idea.h>
 
 static int idea_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
                          const unsigned char *iv,int enc);
@@ -75,17 +76,22 @@ static int idea_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                            const unsigned char *in, unsigned int inl)
 {
         BLOCK_CIPHER_ecb_loop()
-                idea_ecb_encrypt(in + i, out + i, &ctx->c.idea_ks);
+                idea_ecb_encrypt(in + i, out + i, ctx->cipher_data);
         return 1;
 }
 
 /* Can't use IMPLEMENT_BLOCK_CIPHER because idea_ecb_encrypt is different */
 
-BLOCK_CIPHER_func_cbc(idea, idea, idea_ks)
-BLOCK_CIPHER_func_ofb(idea, idea, idea_ks)
-BLOCK_CIPHER_func_cfb(idea, idea, idea_ks)
+typedef struct
+        {
+        IDEA_KEY_SCHEDULE ks;
+        } EVP_IDEA_KEY;
+
+BLOCK_CIPHER_func_cbc(idea, idea, EVP_IDEA_KEY, ks)
+BLOCK_CIPHER_func_ofb(idea, idea, 64, EVP_IDEA_KEY, ks)
+BLOCK_CIPHER_func_cfb(idea, idea, 64, EVP_IDEA_KEY, ks)
 
-BLOCK_CIPHER_defs(idea, idea_ks, NID_idea, 8, 16, 8,
+BLOCK_CIPHER_defs(idea, IDEA_KEY_SCHEDULE, NID_idea, 8, 16, 8, 64,
                         0, idea_init_key, NULL, 
                         EVP_CIPHER_set_asn1_iv, EVP_CIPHER_get_asn1_iv, NULL)
 
@@ -96,13 +102,13 @@ static int idea_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
                 if (EVP_CIPHER_CTX_mode(ctx) == EVP_CIPH_OFB_MODE) enc = 1;
                 else if (EVP_CIPHER_CTX_mode(ctx) == EVP_CIPH_CFB_MODE) enc = 1;
         }
-        if (enc) idea_set_encrypt_key(key,&(ctx->c.idea_ks));
+        if (enc) idea_set_encrypt_key(key,ctx->cipher_data);
         else
                 {
                 IDEA_KEY_SCHEDULE tmp;
 
                 idea_set_encrypt_key(key,&tmp);
-                idea_set_decrypt_key(&tmp,&(ctx->c.idea_ks));
+                idea_set_decrypt_key(&tmp,ctx->cipher_data);
                 memset((unsigned char *)&tmp,0,
                                 sizeof(IDEA_KEY_SCHEDULE));
                 }
diff --git a/src/lib/libcrypto/evp/e_null.c b/src/lib/libcrypto/evp/e_null.c
index e0702cf818..2420d7e5af 100644
--- a/src/lib/libcrypto/evp/e_null.c
+++ b/src/lib/libcrypto/evp/e_null.c
@@ -65,7 +65,7 @@ static int null_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
         const unsigned char *iv,int enc);
 static int null_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
         const unsigned char *in, unsigned int inl);
-static EVP_CIPHER n_cipher=
+static const EVP_CIPHER n_cipher=
         {
         NID_undef,
         1,0,0,
@@ -79,7 +79,7 @@ static EVP_CIPHER n_cipher=
         NULL
         };
 
-EVP_CIPHER *EVP_enc_null(void)
+const EVP_CIPHER *EVP_enc_null(void)
         {
         return(&n_cipher);
         }
@@ -87,7 +87,7 @@ EVP_CIPHER *EVP_enc_null(void)
 static int null_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
              const unsigned char *iv, int enc)
         {
-        memset(&(ctx->c),0,sizeof(ctx->c));
+        /*      memset(&(ctx->c),0,sizeof(ctx->c));*/
         return 1;
         }
 
diff --git a/src/lib/libcrypto/evp/e_rc2.c b/src/lib/libcrypto/evp/e_rc2.c
index 3955c3ef84..4685198e2e 100644
--- a/src/lib/libcrypto/evp/e_rc2.c
+++ b/src/lib/libcrypto/evp/e_rc2.c
@@ -56,13 +56,14 @@
  * [including the GNU Public Licence.]
  */
 
-#ifndef NO_RC2
+#ifndef OPENSSL_NO_RC2
 
 #include <stdio.h>
 #include "cryptlib.h"
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include "evp_locl.h"
+#include <openssl/rc2.h>
 
 static int rc2_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
                         const unsigned char *iv,int enc);
@@ -72,9 +73,17 @@ static int rc2_set_asn1_type_and_iv(EVP_CIPHER_CTX *c, ASN1_TYPE *type);
 static int rc2_get_asn1_type_and_iv(EVP_CIPHER_CTX *c, ASN1_TYPE *type);
 static int rc2_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr);
 
-IMPLEMENT_BLOCK_CIPHER(rc2, rc2.ks, RC2, rc2, NID_rc2,
+typedef struct
+        {
+        int key_bits;   /* effective key bits */
+        RC2_KEY ks;     /* key schedule */
+        } EVP_RC2_KEY;
+
+#define data(ctx)       ((EVP_RC2_KEY *)(ctx)->cipher_data)
+
+IMPLEMENT_BLOCK_CIPHER(rc2, ks, RC2, EVP_RC2_KEY, NID_rc2,
                         8,
-                        EVP_RC2_KEY_SIZE, 8,
+                        RC2_KEY_LENGTH, 8, 64,
                         EVP_CIPH_VARIABLE_LENGTH | EVP_CIPH_CTRL_INIT,
                         rc2_init_key, NULL,
                         rc2_set_asn1_type_and_iv, rc2_get_asn1_type_and_iv, 
@@ -84,7 +93,7 @@ IMPLEMENT_BLOCK_CIPHER(rc2, rc2.ks, RC2, rc2, NID_rc2,
 #define RC2_64_MAGIC    0x78
 #define RC2_128_MAGIC   0x3a
 
-static EVP_CIPHER r2_64_cbc_cipher=
+static const EVP_CIPHER r2_64_cbc_cipher=
         {
         NID_rc2_64_cbc,
         8,8 /* 64 bit */,8,
@@ -92,15 +101,14 @@ static EVP_CIPHER r2_64_cbc_cipher=
         rc2_init_key,
         rc2_cbc_cipher,
         NULL,
-        sizeof(EVP_CIPHER_CTX)-sizeof((((EVP_CIPHER_CTX *)NULL)->c))+
-                sizeof((((EVP_CIPHER_CTX *)NULL)->c.rc2)),
+        sizeof(EVP_RC2_KEY),
         rc2_set_asn1_type_and_iv,
         rc2_get_asn1_type_and_iv,
         rc2_ctrl,
         NULL
         };
 
-static EVP_CIPHER r2_40_cbc_cipher=
+static const EVP_CIPHER r2_40_cbc_cipher=
         {
         NID_rc2_40_cbc,
         8,5 /* 40 bit */,8,
@@ -108,20 +116,19 @@ static EVP_CIPHER r2_40_cbc_cipher=
         rc2_init_key,
         rc2_cbc_cipher,
         NULL,
-        sizeof(EVP_CIPHER_CTX)-sizeof((((EVP_CIPHER_CTX *)NULL)->c))+
-                sizeof((((EVP_CIPHER_CTX *)NULL)->c.rc2)),
+        sizeof(EVP_RC2_KEY),
         rc2_set_asn1_type_and_iv,
         rc2_get_asn1_type_and_iv,
         rc2_ctrl,
         NULL
         };
 
-EVP_CIPHER *EVP_rc2_64_cbc(void)
+const EVP_CIPHER *EVP_rc2_64_cbc(void)
         {
         return(&r2_64_cbc_cipher);
         }
 
-EVP_CIPHER *EVP_rc2_40_cbc(void)
+const EVP_CIPHER *EVP_rc2_40_cbc(void)
         {
         return(&r2_40_cbc_cipher);
         }
@@ -129,8 +136,8 @@ EVP_CIPHER *EVP_rc2_40_cbc(void)
 static int rc2_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
                         const unsigned char *iv, int enc)
         {
-        RC2_set_key(&(ctx->c.rc2.ks),EVP_CIPHER_CTX_key_length(ctx),
-                        key,ctx->c.rc2.key_bits);
+        RC2_set_key(&data(ctx)->ks,EVP_CIPHER_CTX_key_length(ctx),
+                    key,data(ctx)->key_bits);
         return 1;
         }
 
@@ -173,7 +180,7 @@ static int rc2_get_asn1_type_and_iv(EVP_CIPHER_CTX *c, ASN1_TYPE *type)
                 key_bits =rc2_magic_to_meth((int)num);
                 if (!key_bits)
                         return(-1);
-                if(i > 0) EVP_CipherInit(c, NULL, NULL, iv, -1);
+                if(i > 0) EVP_CipherInit_ex(c, NULL, NULL, NULL, iv, -1);
                 EVP_CIPHER_CTX_ctrl(c, EVP_CTRL_SET_RC2_KEY_BITS, key_bits, NULL);
                 EVP_CIPHER_CTX_set_key_length(c, key_bits / 8);
                 }
@@ -196,26 +203,26 @@ static int rc2_set_asn1_type_and_iv(EVP_CIPHER_CTX *c, ASN1_TYPE *type)
 
 static int rc2_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
         {
-                switch(type) {
-
-                        case EVP_CTRL_INIT:
-                        c->c.rc2.key_bits = EVP_CIPHER_CTX_key_length(c) * 8;
-                        return 1;
+        switch(type)
+                {
+        case EVP_CTRL_INIT:
+                data(c)->key_bits = EVP_CIPHER_CTX_key_length(c) * 8;
+                return 1;
 
-                        case EVP_CTRL_GET_RC2_KEY_BITS:
-                        *(int *)ptr = c->c.rc2.key_bits;
-                        return 1;
+        case EVP_CTRL_GET_RC2_KEY_BITS:
+                *(int *)ptr = data(c)->key_bits;
+                return 1;
                         
-                        
-                        case EVP_CTRL_SET_RC2_KEY_BITS:
-                        if(arg > 0) {
-                                c->c.rc2.key_bits = arg;
-                                return 1;
+        case EVP_CTRL_SET_RC2_KEY_BITS:
+                if(arg > 0)
+                        {
+                        data(c)->key_bits = arg;
+                        return 1;
                         }
-                        return 0;
+                return 0;
 
-                        default:
-                        return -1;
+        default:
+                return -1;
                 }
         }
 
diff --git a/src/lib/libcrypto/evp/e_rc4.c b/src/lib/libcrypto/evp/e_rc4.c
index 1c1e3b3857..4064cc5fa0 100644
--- a/src/lib/libcrypto/evp/e_rc4.c
+++ b/src/lib/libcrypto/evp/e_rc4.c
@@ -56,18 +56,31 @@
  * [including the GNU Public Licence.]
  */
 
-#ifndef NO_RC4
+#ifndef OPENSSL_NO_RC4
 
 #include <stdio.h>
 #include "cryptlib.h"
 #include <openssl/evp.h>
 #include <openssl/objects.h>
+#include <openssl/rc4.h>
+
+/* FIXME: surely this is available elsewhere? */
+#define EVP_RC4_KEY_SIZE                16
+
+typedef struct
+    {
+    /* FIXME: what is the key for? */
+    unsigned char key[EVP_RC4_KEY_SIZE];
+    RC4_KEY ks; /* working key */
+    } EVP_RC4_KEY;
+
+#define data(ctx) ((EVP_RC4_KEY *)(ctx)->cipher_data)
 
 static int rc4_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
                         const unsigned char *iv,int enc);
 static int rc4_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                       const unsigned char *in, unsigned int inl);
-static EVP_CIPHER r4_cipher=
+static const EVP_CIPHER r4_cipher=
         {
         NID_rc4,
         1,EVP_RC4_KEY_SIZE,0,
@@ -75,14 +88,13 @@ static EVP_CIPHER r4_cipher=
         rc4_init_key,
         rc4_cipher,
         NULL,
-        sizeof(EVP_CIPHER_CTX)-sizeof((((EVP_CIPHER_CTX *)NULL)->c))+
-                sizeof((((EVP_CIPHER_CTX *)NULL)->c.rc4)),
+        sizeof(EVP_RC4_KEY),
         NULL,
         NULL,
         NULL
         };
 
-static EVP_CIPHER r4_40_cipher=
+static const EVP_CIPHER r4_40_cipher=
         {
         NID_rc4_40,
         1,5 /* 40 bit */,0,
@@ -90,19 +102,18 @@ static EVP_CIPHER r4_40_cipher=
         rc4_init_key,
         rc4_cipher,
         NULL,
-        sizeof(EVP_CIPHER_CTX)-sizeof((((EVP_CIPHER_CTX *)NULL)->c))+
-                sizeof((((EVP_CIPHER_CTX *)NULL)->c.rc4)),
+        sizeof(EVP_RC4_KEY),
         NULL, 
         NULL,
         NULL
         };
 
-EVP_CIPHER *EVP_rc4(void)
+const EVP_CIPHER *EVP_rc4(void)
         {
         return(&r4_cipher);
         }
 
-EVP_CIPHER *EVP_rc4_40(void)
+const EVP_CIPHER *EVP_rc4_40(void)
         {
         return(&r4_40_cipher);
         }
@@ -110,16 +121,16 @@ EVP_CIPHER *EVP_rc4_40(void)
 static int rc4_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
                         const unsigned char *iv, int enc)
         {
-        memcpy(&(ctx->c.rc4.key[0]),key,EVP_CIPHER_CTX_key_length(ctx));
-        RC4_set_key(&(ctx->c.rc4.ks),EVP_CIPHER_CTX_key_length(ctx),
-                ctx->c.rc4.key);
+        memcpy(&data(ctx)->key[0],key,EVP_CIPHER_CTX_key_length(ctx));
+        RC4_set_key(&data(ctx)->ks,EVP_CIPHER_CTX_key_length(ctx),
+                data(ctx)->key);
         return 1;
         }
 
 static int rc4_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                       const unsigned char *in, unsigned int inl)
         {
-        RC4(&(ctx->c.rc4.ks),inl,in,out);
+        RC4(&data(ctx)->ks,inl,in,out);
         return 1;
         }
 #endif
diff --git a/src/lib/libcrypto/evp/e_rc5.c b/src/lib/libcrypto/evp/e_rc5.c
index 5885f1826b..3c7713b181 100644
--- a/src/lib/libcrypto/evp/e_rc5.c
+++ b/src/lib/libcrypto/evp/e_rc5.c
@@ -56,62 +56,69 @@
  * [including the GNU Public Licence.]
  */
 
-#ifndef NO_RC5
+#ifndef OPENSSL_NO_RC5
 
 #include <stdio.h>
 #include "cryptlib.h"
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include "evp_locl.h"
+#include <openssl/rc5.h>
 
 static int r_32_12_16_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
                                const unsigned char *iv,int enc);
 static int rc5_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr);
 
-IMPLEMENT_BLOCK_CIPHER(rc5_32_12_16, rc5.ks, RC5_32, rc5, NID_rc5,
-                        8, EVP_RC5_32_12_16_KEY_SIZE, 8, 
-                        EVP_CIPH_VARIABLE_LENGTH | EVP_CIPH_CTRL_INIT,
-                        r_32_12_16_init_key, NULL,
-                        NULL, NULL, rc5_ctrl)
+typedef struct
+        {
+        int rounds;     /* number of rounds */
+        RC5_32_KEY ks;  /* key schedule */
+        } EVP_RC5_KEY;
 
+#define data(ctx)       EVP_C_DATA(EVP_RC5_KEY,ctx)
 
+IMPLEMENT_BLOCK_CIPHER(rc5_32_12_16, ks, RC5_32, EVP_RC5_KEY, NID_rc5,
+                       8, RC5_32_KEY_LENGTH, 8, 64,
+                       EVP_CIPH_VARIABLE_LENGTH | EVP_CIPH_CTRL_INIT,
+                       r_32_12_16_init_key, NULL,
+                       NULL, NULL, rc5_ctrl)
 
 static int rc5_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
         {
-                switch(type) {
-
-                        case EVP_CTRL_INIT:
-                        c->c.rc5.rounds = RC5_12_ROUNDS;
-                        return 1;
+        switch(type)
+                {
+        case EVP_CTRL_INIT:
+                data(c)->rounds = RC5_12_ROUNDS;
+                return 1;
 
-                        case EVP_CTRL_GET_RC5_ROUNDS:
-                        *(int *)ptr = c->c.rc5.rounds;
-                        return 1;
-                        
+        case EVP_CTRL_GET_RC5_ROUNDS:
+                *(int *)ptr = data(c)->rounds;
+                return 1;
                         
-                        case EVP_CTRL_SET_RC5_ROUNDS:
-                        switch(arg) {
-                                case RC5_8_ROUNDS:
-                                case RC5_12_ROUNDS:
-                                case RC5_16_ROUNDS:
-                                c->c.rc5.rounds = arg;
-                                return 1;
+        case EVP_CTRL_SET_RC5_ROUNDS:
+                switch(arg)
+                        {
+                case RC5_8_ROUNDS:
+                case RC5_12_ROUNDS:
+                case RC5_16_ROUNDS:
+                        data(c)->rounds = arg;
+                        return 1;
 
-                                default:
-                                EVPerr(EVP_F_RC5_CTRL, EVP_R_UNSUPORTED_NUMBER_OF_ROUNDS);
-                                return 0;
+                default:
+                        EVPerr(EVP_F_RC5_CTRL, EVP_R_UNSUPORTED_NUMBER_OF_ROUNDS);
+                        return 0;
                         }
 
-                        default:
-                        return -1;
+        default:
+                return -1;
                 }
         }
 
 static int r_32_12_16_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
                                const unsigned char *iv, int enc)
         {
-        RC5_32_set_key(&(ctx->c.rc5.ks),EVP_CIPHER_CTX_key_length(ctx),
-                        key,ctx->c.rc5.rounds);
+        RC5_32_set_key(&data(ctx)->ks,EVP_CIPHER_CTX_key_length(ctx),
+                       key,data(ctx)->rounds);
         return 1;
         }
 
diff --git a/src/lib/libcrypto/evp/e_xcbc_d.c b/src/lib/libcrypto/evp/e_xcbc_d.c
index e5b15acc7d..a6f849e93d 100644
--- a/src/lib/libcrypto/evp/e_xcbc_d.c
+++ b/src/lib/libcrypto/evp/e_xcbc_d.c
@@ -56,17 +56,29 @@
  * [including the GNU Public Licence.]
  */
 
-#ifndef NO_DES
+#ifndef OPENSSL_NO_DES
 #include <stdio.h>
 #include "cryptlib.h"
 #include <openssl/evp.h>
 #include <openssl/objects.h>
+#include <openssl/des.h>
 
 static int desx_cbc_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
                              const unsigned char *iv,int enc);
 static int desx_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                            const unsigned char *in, unsigned int inl);
-static EVP_CIPHER d_xcbc_cipher=
+
+
+typedef struct
+    {
+    DES_key_schedule ks;/* key schedule */
+    DES_cblock inw;
+    DES_cblock outw;
+    } DESX_CBC_KEY;
+
+#define data(ctx) ((DESX_CBC_KEY *)(ctx)->cipher_data)
+
+static const EVP_CIPHER d_xcbc_cipher=
         {
         NID_desx_cbc,
         8,24,8,
@@ -74,14 +86,13 @@ static EVP_CIPHER d_xcbc_cipher=
         desx_cbc_init_key,
         desx_cbc_cipher,
         NULL,
-        sizeof(EVP_CIPHER_CTX)-sizeof((((EVP_CIPHER_CTX *)NULL)->c))+
-                sizeof((((EVP_CIPHER_CTX *)NULL)->c.desx_cbc)),
+        sizeof(DESX_CBC_KEY),
         EVP_CIPHER_set_asn1_iv,
         EVP_CIPHER_get_asn1_iv,
         NULL
         };
 
-EVP_CIPHER *EVP_desx_cbc(void)
+const EVP_CIPHER *EVP_desx_cbc(void)
         {
         return(&d_xcbc_cipher);
         }
@@ -89,11 +100,11 @@ EVP_CIPHER *EVP_desx_cbc(void)
 static int desx_cbc_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
                              const unsigned char *iv, int enc)
         {
-        des_cblock *deskey = (des_cblock *)key;
+        DES_cblock *deskey = (DES_cblock *)key;
 
-        des_set_key_unchecked(deskey,ctx->c.desx_cbc.ks);
-        memcpy(&(ctx->c.desx_cbc.inw[0]),&(key[8]),8);
-        memcpy(&(ctx->c.desx_cbc.outw[0]),&(key[16]),8);
+        DES_set_key_unchecked(deskey,&data(ctx)->ks);
+        memcpy(&data(ctx)->inw[0],&key[8],8);
+        memcpy(&data(ctx)->outw[0],&key[16],8);
 
         return 1;
         }
@@ -101,11 +112,11 @@ static int desx_cbc_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
 static int desx_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                            const unsigned char *in, unsigned int inl)
         {
-        des_xcbc_encrypt(in,out,inl,ctx->c.desx_cbc.ks,
-                (des_cblock *)&(ctx->iv[0]),
-                &ctx->c.desx_cbc.inw,
-                &ctx->c.desx_cbc.outw,
-                ctx->encrypt);
+        DES_xcbc_encrypt(in,out,inl,&data(ctx)->ks,
+                         (DES_cblock *)&(ctx->iv[0]),
+                         &data(ctx)->inw,
+                         &data(ctx)->outw,
+                         ctx->encrypt);
         return 1;
         }
 #endif
diff --git a/src/lib/libcrypto/evp/encode.c b/src/lib/libcrypto/evp/encode.c
index 6ff9c1783c..12c6379df1 100644
--- a/src/lib/libcrypto/evp/encode.c
+++ b/src/lib/libcrypto/evp/encode.c
@@ -277,6 +277,13 @@ int EVP_DecodeUpdate(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl,
                         eof++;
                         }
 
+                if (v == B64_CR)
+                        {
+                        ln = 0;
+                        if (exp_nl)
+                                continue;
+                        }
+
                 /* eoln */
                 if (v == B64_EOLN)
                         {
diff --git a/src/lib/libcrypto/evp/evp.h b/src/lib/libcrypto/evp/evp.h
index fd43127092..915fe62341 100644
--- a/src/lib/libcrypto/evp/evp.h
+++ b/src/lib/libcrypto/evp/evp.h
@@ -67,74 +67,30 @@
 # undef OPENSSL_ALGORITHM_DEFINES
 #endif
 
-#ifndef NO_BIO
+#include <openssl/ossl_typ.h>
+
+#include <openssl/symhacks.h>
+
+#ifndef OPENSSL_NO_BIO
 #include <openssl/bio.h>
 #endif
-#ifndef NO_MD2
-#include <openssl/md2.h>
-#endif
-#ifndef NO_MD4
-#include <openssl/md4.h>
-#endif
-#ifndef NO_MD5
-#include <openssl/md5.h>
-#endif
-#ifndef NO_SHA
-#include <openssl/sha.h>
-#endif
-#ifndef NO_RIPEMD
-#include <openssl/ripemd.h>
-#endif
-#ifndef NO_DES
-#include <openssl/des.h>
-#endif
-#ifndef NO_RC4
-#include <openssl/rc4.h>
-#endif
-#ifndef NO_RC2
-#include <openssl/rc2.h>
-#endif
-#ifndef NO_RC5
-#include <openssl/rc5.h>
-#endif
-#ifndef NO_BF
-#include <openssl/blowfish.h>
-#endif
-#ifndef NO_CAST
-#include <openssl/cast.h>
-#endif
-#ifndef NO_IDEA
-#include <openssl/idea.h>
-#endif
-#ifndef NO_MDC2
-#include <openssl/mdc2.h>
-#endif
 
+/*
 #define EVP_RC2_KEY_SIZE                16
 #define EVP_RC4_KEY_SIZE                16
 #define EVP_BLOWFISH_KEY_SIZE           16
 #define EVP_CAST5_KEY_SIZE              16
 #define EVP_RC5_32_12_16_KEY_SIZE       16
+*/
 #define EVP_MAX_MD_SIZE                 (16+20) /* The SSLv3 md5+sha1 type */
-#define EVP_MAX_KEY_LENGTH              24
-#define EVP_MAX_IV_LENGTH               8
+#define EVP_MAX_KEY_LENGTH              32
+#define EVP_MAX_IV_LENGTH               16
+#define EVP_MAX_BLOCK_LENGTH            32
 
 #define PKCS5_SALT_LEN                  8
 /* Default PKCS#5 iteration count */
 #define PKCS5_DEFAULT_ITER              2048
 
-#ifndef NO_RSA
-#include <openssl/rsa.h>
-#endif
-
-#ifndef NO_DSA
-#include <openssl/dsa.h>
-#endif
-
-#ifndef NO_DH
-#include <openssl/dh.h>
-#endif
-
 #include <openssl/objects.h>
 
 #define EVP_PK_RSA      0x0001
@@ -164,26 +120,26 @@ extern "C" {
 /* Type needs to be a bit field
  * Sub-type needs to be for variations on the method, as in, can it do
  * arbitrary encryption.... */
-typedef struct evp_pkey_st
+struct evp_pkey_st
         {
         int type;
         int save_type;
         int references;
         union   {
                 char *ptr;
-#ifndef NO_RSA
+#ifndef OPENSSL_NO_RSA
                 struct rsa_st *rsa;     /* RSA */
 #endif
-#ifndef NO_DSA
+#ifndef OPENSSL_NO_DSA
                 struct dsa_st *dsa;     /* DSA */
 #endif
-#ifndef NO_DH
+#ifndef OPENSSL_NO_DH
                 struct dh_st *dh;       /* DH */
 #endif
                 } pkey;
         int save_parameters;
         STACK_OF(X509_ATTRIBUTE) *attributes; /* [ 0 ] */
-        } EVP_PKEY;
+        } /* EVP_PKEY */;
 
 #define EVP_PKEY_MO_SIGN        0x0001
 #define EVP_PKEY_MO_VERIFY      0x0002
@@ -258,27 +214,32 @@ typedef struct evp_pkey_method_st
 #endif
 
 #ifndef EVP_MD
-typedef struct env_md_st
+struct env_md_st
         {
         int type;
         int pkey_type;
         int md_size;
-        void (*init)();
-        void (*update)();
-        void (*final)();
-
+        unsigned long flags;
+        int (*init)(EVP_MD_CTX *ctx);
+        int (*update)(EVP_MD_CTX *ctx,const void *data,unsigned long count);
+        int (*final)(EVP_MD_CTX *ctx,unsigned char *md);
+        int (*copy)(EVP_MD_CTX *to,const EVP_MD_CTX *from);
+        int (*cleanup)(EVP_MD_CTX *ctx);
+
+        /* FIXME: prototype these some day */
         int (*sign)();
         int (*verify)();
         int required_pkey_type[5]; /*EVP_PKEY_xxx */
         int block_size;
-        int ctx_size; /* how big does the ctx need to be */
-        } EVP_MD;
-
+        int ctx_size; /* how big does the ctx->md_data need to be */
+        } /* EVP_MD */;
 
+#define EVP_MD_FLAG_ONESHOT     0x0001 /* digest can only handle a single
+                                        * block */
 
 #define EVP_PKEY_NULL_method    NULL,NULL,{0,0,0,0}
 
-#ifndef NO_DSA
+#ifndef OPENSSL_NO_DSA
 #define EVP_PKEY_DSA_method     DSA_sign,DSA_verify, \
                                 {EVP_PKEY_DSA,EVP_PKEY_DSA2,EVP_PKEY_DSA3, \
                                         EVP_PKEY_DSA4,0}
@@ -286,7 +247,7 @@ typedef struct env_md_st
 #define EVP_PKEY_DSA_method     EVP_PKEY_NULL_method
 #endif
 
-#ifndef NO_RSA
+#ifndef OPENSSL_NO_RSA
 #define EVP_PKEY_RSA_method     RSA_sign,RSA_verify, \
                                 {EVP_PKEY_RSA,EVP_PKEY_RSA2,0,0}
 #define EVP_PKEY_RSA_ASN1_OCTET_STRING_method \
@@ -300,34 +261,20 @@ typedef struct env_md_st
 
 #endif /* !EVP_MD */
 
-typedef struct env_md_ctx_st
+struct env_md_ctx_st
         {
         const EVP_MD *digest;
-        union   {
-                unsigned char base[4];
-#ifndef NO_MD2
-                MD2_CTX md2;
-#endif
-#ifndef NO_MD5
-                MD5_CTX md5;
-#endif
-#ifndef NO_MD4
-                MD4_CTX md4;
-#endif
-#ifndef NO_RIPEMD
-                RIPEMD160_CTX ripemd160;
-#endif
-#ifndef NO_SHA
-                SHA_CTX sha;
-#endif
-#ifndef NO_MDC2
-                MDC2_CTX mdc2;
-#endif
-                } md;
-        } EVP_MD_CTX;
+        ENGINE *engine; /* functional reference if 'digest' is ENGINE-provided */
+        unsigned long flags;
+        void *md_data;
+        } /* EVP_MD_CTX */;
+
+/* values for EVP_MD_CTX flags */
 
-typedef struct evp_cipher_st EVP_CIPHER;
-typedef struct evp_cipher_ctx_st EVP_CIPHER_CTX;
+#define EVP_MD_CTX_FLAG_ONESHOT         0x0001 /* digest update will be called
+                                                * once only */
+#define EVP_MD_CTX_FLAG_CLEANED         0x0002 /* context has already been
+                                                * cleaned */
 
 struct evp_cipher_st
         {
@@ -341,12 +288,12 @@ struct evp_cipher_st
         int (*do_cipher)(EVP_CIPHER_CTX *ctx, unsigned char *out,
                          const unsigned char *in, unsigned int inl);/* encrypt/decrypt data */
         int (*cleanup)(EVP_CIPHER_CTX *); /* cleanup ctx */
-        int ctx_size;           /* how big the ctx needs to be */
+        int ctx_size;           /* how big ctx->cipher_data needs to be */
         int (*set_asn1_parameters)(EVP_CIPHER_CTX *, ASN1_TYPE *); /* Populate a ASN1_TYPE with parameters */
         int (*get_asn1_parameters)(EVP_CIPHER_CTX *, ASN1_TYPE *); /* Get parameters from a ASN1_TYPE */
         int (*ctrl)(EVP_CIPHER_CTX *, int type, int arg, void *ptr); /* Miscellaneous operations */
         void *app_data;         /* Application data */
-        };
+        } /* EVP_CIPHER */;
 
 /* Values for cipher flags */
 
@@ -368,6 +315,8 @@ struct evp_cipher_st
 #define         EVP_CIPH_CTRL_INIT              0x40
 /* Don't use standard key length function */
 #define         EVP_CIPH_CUSTOM_KEY_LENGTH      0x80
+/* Don't use standard block padding */
+#define         EVP_CIPH_NO_PADDING             0x100
 
 /* ctrl() values */
 
@@ -387,62 +336,23 @@ typedef struct evp_cipher_info_st
 struct evp_cipher_ctx_st
         {
         const EVP_CIPHER *cipher;
+        ENGINE *engine; /* functional reference if 'cipher' is ENGINE-provided */
         int encrypt;            /* encrypt or decrypt */
         int buf_len;            /* number we have left */
 
         unsigned char  oiv[EVP_MAX_IV_LENGTH];  /* original iv */
         unsigned char  iv[EVP_MAX_IV_LENGTH];   /* working iv */
-        unsigned char buf[EVP_MAX_IV_LENGTH];   /* saved partial block */
+        unsigned char buf[EVP_MAX_BLOCK_LENGTH];/* saved partial block */
         int num;                                /* used by cfb/ofb mode */
 
         void *app_data;         /* application stuff */
         int key_len;            /* May change for variable length cipher */
-        union   {
-#ifndef NO_RC4
-                struct
-                        {
-                        unsigned char key[EVP_RC4_KEY_SIZE];
-                        RC4_KEY ks;     /* working key */
-                        } rc4;
-#endif
-#ifndef NO_DES
-                des_key_schedule des_ks;/* key schedule */
-                struct
-                        {
-                        des_key_schedule ks;/* key schedule */
-                        des_cblock inw;
-                        des_cblock outw;
-                        } desx_cbc;
-                struct
-                        {
-                        des_key_schedule ks1;/* key schedule */
-                        des_key_schedule ks2;/* key schedule (for ede) */
-                        des_key_schedule ks3;/* key schedule (for ede3) */
-                        } des_ede;
-#endif
-#ifndef NO_IDEA
-                IDEA_KEY_SCHEDULE idea_ks;/* key schedule */
-#endif
-#ifndef NO_RC2
-                struct {
-                        int key_bits;   /* effective key bits */
-                        RC2_KEY ks;/* key schedule */
-                } rc2;
-#endif
-#ifndef NO_RC5
-                struct {
-                        int rounds;     /* number of rounds */
-                        RC5_32_KEY ks;/* key schedule */
-                } rc5;
-#endif
-#ifndef NO_BF
-                BF_KEY bf_ks;/* key schedule */
-#endif
-#ifndef NO_CAST
-                CAST_KEY cast_ks;/* key schedule */
-#endif
-                } c;
-        };
+        unsigned long flags;    /* Various flags */
+        void *cipher_data; /* per EVP data */
+        int final_used;
+        int block_mask;
+        unsigned char final[EVP_MAX_BLOCK_LENGTH];/* possible final block */
+        } /* EVP_CIPHER_CTX */;
 
 typedef struct evp_Encode_Ctx_st
         {
@@ -459,20 +369,20 @@ typedef struct evp_Encode_Ctx_st
 
 /* Password based encryption function */
 typedef int (EVP_PBE_KEYGEN)(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
-                ASN1_TYPE *param, EVP_CIPHER *cipher,
-                EVP_MD *md, int en_de);
+                ASN1_TYPE *param, const EVP_CIPHER *cipher,
+                const EVP_MD *md, int en_de);
 
-#ifndef NO_RSA
+#ifndef OPENSSL_NO_RSA
 #define EVP_PKEY_assign_RSA(pkey,rsa) EVP_PKEY_assign((pkey),EVP_PKEY_RSA,\
                                         (char *)(rsa))
 #endif
 
-#ifndef NO_DSA
+#ifndef OPENSSL_NO_DSA
 #define EVP_PKEY_assign_DSA(pkey,dsa) EVP_PKEY_assign((pkey),EVP_PKEY_DSA,\
                                         (char *)(dsa))
 #endif
 
-#ifndef NO_DH
+#ifndef OPENSSL_NO_DH
 #define EVP_PKEY_assign_DH(pkey,dh) EVP_PKEY_assign((pkey),EVP_PKEY_DH,\
                                         (char *)(dh))
 #endif
@@ -484,6 +394,8 @@ typedef int (EVP_PBE_KEYGEN)(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
 #define EVP_get_cipherbyobj(a) EVP_get_cipherbynid(OBJ_obj2nid(a))
 
 #define EVP_MD_type(e)                  ((e)->type)
+#define EVP_MD_nid(e)                   EVP_MD_type(e)
+#define EVP_MD_name(e)                  OBJ_nid2sn(EVP_MD_nid(e))
 #define EVP_MD_pkey_type(e)             ((e)->pkey_type)
 #define EVP_MD_size(e)                  ((e)->md_size)
 #define EVP_MD_block_size(e)            ((e)->block_size)
@@ -494,11 +406,12 @@ typedef int (EVP_PBE_KEYGEN)(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
 #define EVP_MD_CTX_type(e)              EVP_MD_type((e)->digest)
 
 #define EVP_CIPHER_nid(e)               ((e)->nid)
+#define EVP_CIPHER_name(e)              OBJ_nid2sn(EVP_CIPHER_nid(e))
 #define EVP_CIPHER_block_size(e)        ((e)->block_size)
 #define EVP_CIPHER_key_length(e)        ((e)->key_len)
 #define EVP_CIPHER_iv_length(e)         ((e)->iv_len)
 #define EVP_CIPHER_flags(e)             ((e)->flags)
-#define EVP_CIPHER_mode(e)              ((e)->flags) & EVP_CIPH_MODE)
+#define EVP_CIPHER_mode(e)              (((e)->flags) & EVP_CIPH_MODE)
 
 #define EVP_CIPHER_CTX_cipher(e)        ((e)->cipher)
 #define EVP_CIPHER_CTX_nid(e)           ((e)->cipher->nid)
@@ -514,8 +427,10 @@ typedef int (EVP_PBE_KEYGEN)(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
 #define EVP_ENCODE_LENGTH(l)    (((l+2)/3*4)+(l/48+1)*2+80)
 #define EVP_DECODE_LENGTH(l)    ((l+3)/4*3+80)
 
+#define EVP_SignInit_ex(a,b,c)          EVP_DigestInit_ex(a,b,c)
 #define EVP_SignInit(a,b)               EVP_DigestInit(a,b)
 #define EVP_SignUpdate(a,b,c)           EVP_DigestUpdate(a,b,c)
+#define EVP_VerifyInit_ex(a,b,c)        EVP_DigestInit_ex(a,b,c)
 #define EVP_VerifyInit(a,b)             EVP_DigestInit(a,b)
 #define EVP_VerifyUpdate(a,b,c)         EVP_DigestUpdate(a,b,c)
 #define EVP_OpenUpdate(a,b,c,d,e)       EVP_DecryptUpdate(a,b,c,d,e)
@@ -542,38 +457,61 @@ void BIO_set_md(BIO *,const EVP_MD *md);
 #define EVP_delete_digest_alias(alias) \
         OBJ_NAME_remove(alias,OBJ_NAME_TYPE_MD_METH|OBJ_NAME_ALIAS);
 
-
-int     EVP_MD_CTX_copy(EVP_MD_CTX *out,EVP_MD_CTX *in);  
-void    EVP_DigestInit(EVP_MD_CTX *ctx, const EVP_MD *type);
-void    EVP_DigestUpdate(EVP_MD_CTX *ctx,const void *d,
+void    EVP_MD_CTX_init(EVP_MD_CTX *ctx);
+int     EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx);
+EVP_MD_CTX *EVP_MD_CTX_create(void);
+void    EVP_MD_CTX_destroy(EVP_MD_CTX *ctx);
+int     EVP_MD_CTX_copy_ex(EVP_MD_CTX *out,const EVP_MD_CTX *in);  
+#define EVP_MD_CTX_set_flags(ctx,flgs) ((ctx)->flags|=(flgs))
+#define EVP_MD_CTX_clear_flags(ctx,flgs) ((ctx)->flags&=~(flgs))
+#define EVP_MD_CTX_test_flags(ctx,flgs) ((ctx)->flags&(flgs))
+int     EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl);
+int     EVP_DigestUpdate(EVP_MD_CTX *ctx,const void *d,
                          unsigned int cnt);
-void    EVP_DigestFinal(EVP_MD_CTX *ctx,unsigned char *md,unsigned int *s);
+int     EVP_DigestFinal_ex(EVP_MD_CTX *ctx,unsigned char *md,unsigned int *s);
+int     EVP_Digest(void *data, unsigned int count,
+                unsigned char *md, unsigned int *size, const EVP_MD *type, ENGINE *impl);
+
+int     EVP_MD_CTX_copy(EVP_MD_CTX *out,const EVP_MD_CTX *in);  
+int     EVP_DigestInit(EVP_MD_CTX *ctx, const EVP_MD *type);
+int     EVP_DigestFinal(EVP_MD_CTX *ctx,unsigned char *md,unsigned int *s);
 
 int     EVP_read_pw_string(char *buf,int length,const char *prompt,int verify);
 void    EVP_set_pw_prompt(char *prompt);
 char *  EVP_get_pw_prompt(void);
 
-int     EVP_BytesToKey(const EVP_CIPHER *type, EVP_MD *md,
-                const unsigned char *salt, const unsigned char *data, int datal,
-                int count, unsigned char *key, unsigned char *iv);
+int     EVP_BytesToKey(const EVP_CIPHER *type,const EVP_MD *md,
+                const unsigned char *salt, const unsigned char *data,
+                int datal, int count, unsigned char *key,unsigned char *iv);
 
-int     EVP_EncryptInit(EVP_CIPHER_CTX *ctx,const EVP_CIPHER *type,
-                unsigned char *key, unsigned char *iv);
+int     EVP_EncryptInit(EVP_CIPHER_CTX *ctx,const EVP_CIPHER *cipher,
+                const unsigned char *key, const unsigned char *iv);
+int     EVP_EncryptInit_ex(EVP_CIPHER_CTX *ctx,const EVP_CIPHER *cipher, ENGINE *impl,
+                const unsigned char *key, const unsigned char *iv);
 int     EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out,
-                int *outl, unsigned char *in, int inl);
+                int *outl, const unsigned char *in, int inl);
+int     EVP_EncryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl);
 int     EVP_EncryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl);
 
-int     EVP_DecryptInit(EVP_CIPHER_CTX *ctx,const EVP_CIPHER *type,
-                unsigned char *key, unsigned char *iv);
+int     EVP_DecryptInit(EVP_CIPHER_CTX *ctx,const EVP_CIPHER *cipher,
+                const unsigned char *key, const unsigned char *iv);
+int     EVP_DecryptInit_ex(EVP_CIPHER_CTX *ctx,const EVP_CIPHER *cipher, ENGINE *impl,
+                const unsigned char *key, const unsigned char *iv);
 int     EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out,
-                int *outl, unsigned char *in, int inl);
+                int *outl, const unsigned char *in, int inl);
 int     EVP_DecryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *outm, int *outl);
-
-int     EVP_CipherInit(EVP_CIPHER_CTX *ctx,const EVP_CIPHER *type,
-                       unsigned char *key,unsigned char *iv,int enc);
+int     EVP_DecryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *outm, int *outl);
+
+int     EVP_CipherInit(EVP_CIPHER_CTX *ctx,const EVP_CIPHER *cipher,
+                       const unsigned char *key,const unsigned char *iv,
+                       int enc);
+int     EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx,const EVP_CIPHER *cipher, ENGINE *impl,
+                       const unsigned char *key,const unsigned char *iv,
+                       int enc);
 int     EVP_CipherUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out,
-                int *outl, unsigned char *in, int inl);
+                int *outl, const unsigned char *in, int inl);
 int     EVP_CipherFinal(EVP_CIPHER_CTX *ctx, unsigned char *outm, int *outl);
+int     EVP_CipherFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *outm, int *outl);
 
 int     EVP_SignFinal(EVP_MD_CTX *ctx,unsigned char *md,unsigned int *s,
                 EVP_PKEY *pkey);
@@ -581,11 +519,11 @@ int	EVP_SignFinal(EVP_MD_CTX *ctx,unsigned char *md,unsigned int *s,
 int     EVP_VerifyFinal(EVP_MD_CTX *ctx,unsigned char *sigbuf,
                 unsigned int siglen,EVP_PKEY *pkey);
 
-int     EVP_OpenInit(EVP_CIPHER_CTX *ctx,EVP_CIPHER *type,unsigned char *ek,
+int     EVP_OpenInit(EVP_CIPHER_CTX *ctx,const EVP_CIPHER *type,unsigned char *ek,
                 int ekl,unsigned char *iv,EVP_PKEY *priv);
 int     EVP_OpenFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl);
 
-int     EVP_SealInit(EVP_CIPHER_CTX *ctx, EVP_CIPHER *type, unsigned char **ek,
+int     EVP_SealInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type, unsigned char **ek,
                 int *ekl, unsigned char *iv,EVP_PKEY **pubk, int npubk);
 void    EVP_SealFinal(EVP_CIPHER_CTX *ctx,unsigned char *out,int *outl);
 
@@ -602,14 +540,13 @@ int	EVP_DecodeFinal(EVP_ENCODE_CTX *ctx, unsigned
                 char *out, int *outl);
 int     EVP_DecodeBlock(unsigned char *t, const unsigned char *f, int n);
 
-void    ERR_load_EVP_strings(void );
-
 void EVP_CIPHER_CTX_init(EVP_CIPHER_CTX *a);
 int EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *a);
 int EVP_CIPHER_CTX_set_key_length(EVP_CIPHER_CTX *x, int keylen);
+int EVP_CIPHER_CTX_set_padding(EVP_CIPHER_CTX *c, int pad);
 int EVP_CIPHER_CTX_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr);
 
-#ifndef NO_BIO
+#ifndef OPENSSL_NO_BIO
 BIO_METHOD *BIO_f_md(void);
 BIO_METHOD *BIO_f_base64(void);
 BIO_METHOD *BIO_f_cipher(void);
@@ -618,89 +555,117 @@ void BIO_set_cipher(BIO *b,const EVP_CIPHER *c,unsigned char *k,
         unsigned char *i, int enc);
 #endif
 
-EVP_MD *EVP_md_null(void);
-#ifndef NO_MD2
-EVP_MD *EVP_md2(void);
-#endif
-#ifndef NO_MD4
-EVP_MD *EVP_md4(void);
-#endif
-#ifndef NO_MD5
-EVP_MD *EVP_md5(void);
-#endif
-#ifndef NO_SHA
-EVP_MD *EVP_sha(void);
-EVP_MD *EVP_sha1(void);
-EVP_MD *EVP_dss(void);
-EVP_MD *EVP_dss1(void);
-#endif
-#ifndef NO_MDC2
-EVP_MD *EVP_mdc2(void);
-#endif
-#ifndef NO_RIPEMD
-EVP_MD *EVP_ripemd160(void);
-#endif
-EVP_CIPHER *EVP_enc_null(void);         /* does nothing :-) */
-#ifndef NO_DES
-EVP_CIPHER *EVP_des_ecb(void);
-EVP_CIPHER *EVP_des_ede(void);
-EVP_CIPHER *EVP_des_ede3(void);
-EVP_CIPHER *EVP_des_cfb(void);
-EVP_CIPHER *EVP_des_ede_cfb(void);
-EVP_CIPHER *EVP_des_ede3_cfb(void);
-EVP_CIPHER *EVP_des_ofb(void);
-EVP_CIPHER *EVP_des_ede_ofb(void);
-EVP_CIPHER *EVP_des_ede3_ofb(void);
-EVP_CIPHER *EVP_des_cbc(void);
-EVP_CIPHER *EVP_des_ede_cbc(void);
-EVP_CIPHER *EVP_des_ede3_cbc(void);
-EVP_CIPHER *EVP_desx_cbc(void);
-#endif
-#ifndef NO_RC4
-EVP_CIPHER *EVP_rc4(void);
-EVP_CIPHER *EVP_rc4_40(void);
-#endif
-#ifndef NO_IDEA
-EVP_CIPHER *EVP_idea_ecb(void);
-EVP_CIPHER *EVP_idea_cfb(void);
-EVP_CIPHER *EVP_idea_ofb(void);
-EVP_CIPHER *EVP_idea_cbc(void);
-#endif
-#ifndef NO_RC2
-EVP_CIPHER *EVP_rc2_ecb(void);
-EVP_CIPHER *EVP_rc2_cbc(void);
-EVP_CIPHER *EVP_rc2_40_cbc(void);
-EVP_CIPHER *EVP_rc2_64_cbc(void);
-EVP_CIPHER *EVP_rc2_cfb(void);
-EVP_CIPHER *EVP_rc2_ofb(void);
-#endif
-#ifndef NO_BF
-EVP_CIPHER *EVP_bf_ecb(void);
-EVP_CIPHER *EVP_bf_cbc(void);
-EVP_CIPHER *EVP_bf_cfb(void);
-EVP_CIPHER *EVP_bf_ofb(void);
-#endif
-#ifndef NO_CAST
-EVP_CIPHER *EVP_cast5_ecb(void);
-EVP_CIPHER *EVP_cast5_cbc(void);
-EVP_CIPHER *EVP_cast5_cfb(void);
-EVP_CIPHER *EVP_cast5_ofb(void);
-#endif
-#ifndef NO_RC5
-EVP_CIPHER *EVP_rc5_32_12_16_cbc(void);
-EVP_CIPHER *EVP_rc5_32_12_16_ecb(void);
-EVP_CIPHER *EVP_rc5_32_12_16_cfb(void);
-EVP_CIPHER *EVP_rc5_32_12_16_ofb(void);
-#endif
-void OpenSSL_add_all_algorithms(void);
+const EVP_MD *EVP_md_null(void);
+#ifndef OPENSSL_NO_MD2
+const EVP_MD *EVP_md2(void);
+#endif
+#ifndef OPENSSL_NO_MD4
+const EVP_MD *EVP_md4(void);
+#endif
+#ifndef OPENSSL_NO_MD5
+const EVP_MD *EVP_md5(void);
+#endif
+#ifndef OPENSSL_NO_SHA
+const EVP_MD *EVP_sha(void);
+const EVP_MD *EVP_sha1(void);
+const EVP_MD *EVP_dss(void);
+const EVP_MD *EVP_dss1(void);
+#endif
+#ifndef OPENSSL_NO_MDC2
+const EVP_MD *EVP_mdc2(void);
+#endif
+#ifndef OPENSSL_NO_RIPEMD
+const EVP_MD *EVP_ripemd160(void);
+#endif
+const EVP_CIPHER *EVP_enc_null(void);           /* does nothing :-) */
+#ifndef OPENSSL_NO_DES
+const EVP_CIPHER *EVP_des_ecb(void);
+const EVP_CIPHER *EVP_des_ede(void);
+const EVP_CIPHER *EVP_des_ede3(void);
+const EVP_CIPHER *EVP_des_cfb(void);
+const EVP_CIPHER *EVP_des_ede_cfb(void);
+const EVP_CIPHER *EVP_des_ede3_cfb(void);
+const EVP_CIPHER *EVP_des_ofb(void);
+const EVP_CIPHER *EVP_des_ede_ofb(void);
+const EVP_CIPHER *EVP_des_ede3_ofb(void);
+const EVP_CIPHER *EVP_des_cbc(void);
+const EVP_CIPHER *EVP_des_ede_cbc(void);
+const EVP_CIPHER *EVP_des_ede3_cbc(void);
+const EVP_CIPHER *EVP_desx_cbc(void);
+/* This should now be supported through the dev_crypto ENGINE. But also, why are
+ * rc4 and md5 declarations made here inside a "NO_DES" precompiler branch? */
+#if 0
+# ifdef OPENSSL_OPENBSD_DEV_CRYPTO
+const EVP_CIPHER *EVP_dev_crypto_des_ede3_cbc(void);
+const EVP_CIPHER *EVP_dev_crypto_rc4(void);
+const EVP_MD *EVP_dev_crypto_md5(void);
+# endif
+#endif
+#endif
+#ifndef OPENSSL_NO_RC4
+const EVP_CIPHER *EVP_rc4(void);
+const EVP_CIPHER *EVP_rc4_40(void);
+#endif
+#ifndef OPENSSL_NO_IDEA
+const EVP_CIPHER *EVP_idea_ecb(void);
+const EVP_CIPHER *EVP_idea_cfb(void);
+const EVP_CIPHER *EVP_idea_ofb(void);
+const EVP_CIPHER *EVP_idea_cbc(void);
+#endif
+#ifndef OPENSSL_NO_RC2
+const EVP_CIPHER *EVP_rc2_ecb(void);
+const EVP_CIPHER *EVP_rc2_cbc(void);
+const EVP_CIPHER *EVP_rc2_40_cbc(void);
+const EVP_CIPHER *EVP_rc2_64_cbc(void);
+const EVP_CIPHER *EVP_rc2_cfb(void);
+const EVP_CIPHER *EVP_rc2_ofb(void);
+#endif
+#ifndef OPENSSL_NO_BF
+const EVP_CIPHER *EVP_bf_ecb(void);
+const EVP_CIPHER *EVP_bf_cbc(void);
+const EVP_CIPHER *EVP_bf_cfb(void);
+const EVP_CIPHER *EVP_bf_ofb(void);
+#endif
+#ifndef OPENSSL_NO_CAST
+const EVP_CIPHER *EVP_cast5_ecb(void);
+const EVP_CIPHER *EVP_cast5_cbc(void);
+const EVP_CIPHER *EVP_cast5_cfb(void);
+const EVP_CIPHER *EVP_cast5_ofb(void);
+#endif
+#ifndef OPENSSL_NO_RC5
+const EVP_CIPHER *EVP_rc5_32_12_16_cbc(void);
+const EVP_CIPHER *EVP_rc5_32_12_16_ecb(void);
+const EVP_CIPHER *EVP_rc5_32_12_16_cfb(void);
+const EVP_CIPHER *EVP_rc5_32_12_16_ofb(void);
+#endif
+#ifndef OPENSSL_NO_AES
+const EVP_CIPHER *EVP_aes_128_ecb(void);
+const EVP_CIPHER *EVP_aes_128_cbc(void);
+const EVP_CIPHER *EVP_aes_192_ecb(void);
+const EVP_CIPHER *EVP_aes_192_cbc(void);
+const EVP_CIPHER *EVP_aes_256_ecb(void);
+const EVP_CIPHER *EVP_aes_256_cbc(void);
+#endif
+
+void OPENSSL_add_all_algorithms_noconf(void);
+void OPENSSL_add_all_algorithms_conf(void);
+
+#ifdef OPENSSL_LOAD_CONF
+#define OpenSSL_add_all_algorithms() \
+                OPENSSL_add_all_algorithms_conf()
+#else
+#define OpenSSL_add_all_algorithms() \
+                OPENSSL_add_all_algorithms_noconf()
+#endif
+
 void OpenSSL_add_all_ciphers(void);
 void OpenSSL_add_all_digests(void);
 #define SSLeay_add_all_algorithms() OpenSSL_add_all_algorithms()
 #define SSLeay_add_all_ciphers() OpenSSL_add_all_ciphers()
 #define SSLeay_add_all_digests() OpenSSL_add_all_digests()
 
-int EVP_add_cipher(EVP_CIPHER *cipher);
-int EVP_add_digest(EVP_MD *digest);
+int EVP_add_cipher(const EVP_CIPHER *cipher);
+int EVP_add_digest(const EVP_MD *digest);
 
 const EVP_CIPHER *EVP_get_cipherbyname(const char *name);
 const EVP_MD *EVP_get_digestbyname(const char *name);
@@ -714,18 +679,24 @@ int		EVP_PKEY_type(int type);
 int             EVP_PKEY_bits(EVP_PKEY *pkey);
 int             EVP_PKEY_size(EVP_PKEY *pkey);
 int             EVP_PKEY_assign(EVP_PKEY *pkey,int type,char *key);
-#ifndef NO_RSA
-int             EVP_PKEY_set1_RSA(EVP_PKEY *pkey,RSA *key);
-RSA *           EVP_PKEY_get1_RSA(EVP_PKEY *pkey);
+
+#ifndef OPENSSL_NO_RSA
+struct rsa_st;
+int EVP_PKEY_set1_RSA(EVP_PKEY *pkey,struct rsa_st *key);
+struct rsa_st *EVP_PKEY_get1_RSA(EVP_PKEY *pkey);
 #endif
-#ifndef NO_DSA
-int             EVP_PKEY_set1_DSA(EVP_PKEY *pkey,DSA *key);
-DSA *           EVP_PKEY_get1_DSA(EVP_PKEY *pkey);
+#ifndef OPENSSL_NO_DSA
+struct dsa_st;
+int EVP_PKEY_set1_DSA(EVP_PKEY *pkey,struct dsa_st *key);
+struct dsa_st *EVP_PKEY_get1_DSA(EVP_PKEY *pkey);
 #endif
-#ifndef NO_DH
-int             EVP_PKEY_set1_DH(EVP_PKEY *pkey,DH *key);
-DH *            EVP_PKEY_get1_DH(EVP_PKEY *pkey);
+#ifndef OPENSSL_NO_DH
+struct dh_st;
+int EVP_PKEY_set1_DH(EVP_PKEY *pkey,struct dh_st *key);
+struct dh_st *EVP_PKEY_get1_DH(EVP_PKEY *pkey);
 #endif
+
+
 EVP_PKEY *      EVP_PKEY_new(void);
 void            EVP_PKEY_free(EVP_PKEY *pkey);
 EVP_PKEY *      d2i_PublicKey(int type,EVP_PKEY **a, unsigned char **pp,
@@ -755,20 +726,20 @@ int EVP_CIPHER_get_asn1_iv(EVP_CIPHER_CTX *c,ASN1_TYPE *type);
 
 /* PKCS5 password based encryption */
 int PKCS5_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
-                         ASN1_TYPE *param, EVP_CIPHER *cipher, EVP_MD *md,
+                         ASN1_TYPE *param, const EVP_CIPHER *cipher, const EVP_MD *md,
                          int en_de);
 int PKCS5_PBKDF2_HMAC_SHA1(const char *pass, int passlen,
                            unsigned char *salt, int saltlen, int iter,
                            int keylen, unsigned char *out);
 int PKCS5_v2_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
-                         ASN1_TYPE *param, EVP_CIPHER *cipher, EVP_MD *md,
+                         ASN1_TYPE *param, const EVP_CIPHER *cipher, const EVP_MD *md,
                          int en_de);
 
 void PKCS5_PBE_add(void);
 
 int EVP_PBE_CipherInit (ASN1_OBJECT *pbe_obj, const char *pass, int passlen,
              ASN1_TYPE *param, EVP_CIPHER_CTX *ctx, int en_de);
-int EVP_PBE_alg_add(int nid, EVP_CIPHER *cipher, EVP_MD *md,
+int EVP_PBE_alg_add(int nid, const EVP_CIPHER *cipher, const EVP_MD *md,
                     EVP_PBE_KEYGEN *keygen);
 void EVP_PBE_cleanup(void);
 
@@ -776,6 +747,7 @@ void EVP_PBE_cleanup(void);
 /* The following lines are auto generated by the script mkerr.pl. Any changes
  * made after this point may be overwritten when the script is next run.
  */
+void ERR_load_EVP_strings(void);
 
 /* Error codes for the EVP functions. */
 
@@ -785,6 +757,8 @@ void EVP_PBE_cleanup(void);
 #define EVP_F_EVP_CIPHER_CTX_CTRL                        124
 #define EVP_F_EVP_CIPHER_CTX_SET_KEY_LENGTH              122
 #define EVP_F_EVP_DECRYPTFINAL                           101
+#define EVP_F_EVP_DIGESTINIT                             128
+#define EVP_F_EVP_ENCRYPTFINAL                           127
 #define EVP_F_EVP_MD_CTX_COPY                            110
 #define EVP_F_EVP_OPENINIT                               102
 #define EVP_F_EVP_PBE_ALG_ADD                            115
@@ -799,6 +773,7 @@ void EVP_PBE_cleanup(void);
 #define EVP_F_EVP_PKEY_GET1_DSA                          120
 #define EVP_F_EVP_PKEY_GET1_RSA                          121
 #define EVP_F_EVP_PKEY_NEW                               106
+#define EVP_F_EVP_RIJNDAEL                               126
 #define EVP_F_EVP_SIGNFINAL                              107
 #define EVP_F_EVP_VERIFYFINAL                            108
 #define EVP_F_PKCS5_PBE_KEYIVGEN                         117
@@ -807,12 +782,15 @@ void EVP_PBE_cleanup(void);
 #define EVP_F_RC5_CTRL                                   125
 
 /* Reason codes. */
+#define EVP_R_BAD_BLOCK_LENGTH                           136
 #define EVP_R_BAD_DECRYPT                                100
+#define EVP_R_BAD_KEY_LENGTH                             137
 #define EVP_R_BN_DECODE_ERROR                            112
 #define EVP_R_BN_PUBKEY_ERROR                            113
 #define EVP_R_CIPHER_PARAMETER_ERROR                     122
 #define EVP_R_CTRL_NOT_IMPLEMENTED                       132
 #define EVP_R_CTRL_OPERATION_NOT_IMPLEMENTED             133
+#define EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH          138
 #define EVP_R_DECODE_ERROR                               114
 #define EVP_R_DIFFERENT_KEY_TYPES                        101
 #define EVP_R_ENCODE_ERROR                               115
@@ -827,6 +805,7 @@ void EVP_PBE_cleanup(void);
 #define EVP_R_KEYGEN_FAILURE                             120
 #define EVP_R_MISSING_PARAMETERS                         103
 #define EVP_R_NO_CIPHER_SET                              131
+#define EVP_R_NO_DIGEST_SET                              139
 #define EVP_R_NO_DSA_PARAMETERS                          116
 #define EVP_R_NO_SIGN_FUNCTION_CONFIGURED                104
 #define EVP_R_NO_VERIFY_FUNCTION_CONFIGURED              105
@@ -848,4 +827,3 @@ void EVP_PBE_cleanup(void);
 }
 #endif
 #endif
-
diff --git a/src/lib/libcrypto/evp/evp_acnf.c b/src/lib/libcrypto/evp/evp_acnf.c
new file mode 100644
index 0000000000..a68b979bdb
--- /dev/null
+++ b/src/lib/libcrypto/evp/evp_acnf.c
@@ -0,0 +1,74 @@
+/* evp_acnf.c */
+/* Written by Stephen Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 2001.
+ */
+/* ====================================================================
+ * Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include "cryptlib.h"
+#include <openssl/evp.h>
+#include <openssl/conf.h>
+#include <openssl/engine.h>
+
+
+/* Load all algorithms and configure OpenSSL.
+ * This function is called automatically when
+ * OPENSSL_LOAD_CONF is set.
+ */
+
+void OPENSSL_add_all_algorithms_conf(void)
+        {
+        OPENSSL_add_all_algorithms_noconf();
+        OPENSSL_config(NULL);
+        }
diff --git a/src/lib/libcrypto/evp/evp_enc.c b/src/lib/libcrypto/evp/evp_enc.c
index e2687f9879..d28a7d266e 100644
--- a/src/lib/libcrypto/evp/evp_enc.c
+++ b/src/lib/libcrypto/evp/evp_enc.c
@@ -60,8 +60,11 @@
 #include "cryptlib.h"
 #include <openssl/evp.h>
 #include <openssl/err.h>
+#include <openssl/engine.h>
 #include "evp_locl.h"
 
+#include <assert.h>
+
 const char *EVP_version="EVP" OPENSSL_VERSION_PTEXT;
 
 void EVP_CIPHER_CTX_init(EVP_CIPHER_CTX *ctx)
@@ -70,23 +73,97 @@ void EVP_CIPHER_CTX_init(EVP_CIPHER_CTX *ctx)
         /* ctx->cipher=NULL; */
         }
 
+
 int EVP_CipherInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
-             unsigned char *key, unsigned char *iv, int enc)
+             const unsigned char *key, const unsigned char *iv, int enc)
         {
-        if(enc && (enc != -1)) enc = 1;
-        if (cipher) {
+        if (cipher)
+                EVP_CIPHER_CTX_init(ctx);
+        return EVP_CipherInit_ex(ctx,cipher,NULL,key,iv,enc);
+        }
+
+int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *impl,
+             const unsigned char *key, const unsigned char *iv, int enc)
+        {
+        if (enc == -1)
+                enc = ctx->encrypt;
+        else
+                {
+                if (enc)
+                        enc = 1;
+                ctx->encrypt = enc;
+                }
+        /* Whether it's nice or not, "Inits" can be used on "Final"'d contexts
+         * so this context may already have an ENGINE! Try to avoid releasing
+         * the previous handle, re-querying for an ENGINE, and having a
+         * reinitialisation, when it may all be unecessary. */
+        if (ctx->engine && ctx->cipher && (!cipher ||
+                        (cipher && (cipher->nid == ctx->cipher->nid))))
+                goto skip_to_init;
+        if (cipher)
+                {
+                /* Ensure an ENGINE left lying around from last time is cleared
+                 * (the previous check attempted to avoid this if the same
+                 * ENGINE and EVP_CIPHER could be used). */
+                if(ctx->engine)
+                        ENGINE_finish(ctx->engine);
+                if(impl)
+                        {
+                        if (!ENGINE_init(impl))
+                                {
+                                EVPerr(EVP_F_EVP_CIPHERINIT, EVP_R_INITIALIZATION_ERROR);
+                                return 0;
+                                }
+                        }
+                else
+                        /* Ask if an ENGINE is reserved for this job */
+                        impl = ENGINE_get_cipher_engine(cipher->nid);
+                if(impl)
+                        {
+                        /* There's an ENGINE for this job ... (apparently) */
+                        const EVP_CIPHER *c = ENGINE_get_cipher(impl, cipher->nid);
+                        if(!c)
+                                {
+                                /* One positive side-effect of US's export
+                                 * control history, is that we should at least
+                                 * be able to avoid using US mispellings of
+                                 * "initialisation"? */
+                                EVPerr(EVP_F_EVP_CIPHERINIT, EVP_R_INITIALIZATION_ERROR);
+                                return 0;
+                                }
+                        /* We'll use the ENGINE's private cipher definition */
+                        cipher = c;
+                        /* Store the ENGINE functional reference so we know
+                         * 'cipher' came from an ENGINE and we need to release
+                         * it when done. */
+                        ctx->engine = impl;
+                        }
+                else
+                        ctx->engine = NULL;
                 ctx->cipher=cipher;
+                ctx->cipher_data=OPENSSL_malloc(ctx->cipher->ctx_size);
                 ctx->key_len = cipher->key_len;
-                if(ctx->cipher->flags & EVP_CIPH_CTRL_INIT) {
-                        if(!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_INIT, 0, NULL)) {
+                ctx->flags = 0;
+                if(ctx->cipher->flags & EVP_CIPH_CTRL_INIT)
+                        {
+                        if(!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_INIT, 0, NULL))
+                                {
                                 EVPerr(EVP_F_EVP_CIPHERINIT, EVP_R_INITIALIZATION_ERROR);
                                 return 0;
+                                }
                         }
                 }
-        } else if(!ctx->cipher) {
+        else if(!ctx->cipher)
+                {
                 EVPerr(EVP_F_EVP_CIPHERINIT, EVP_R_NO_CIPHER_SET);
                 return 0;
-        }
+                }
+skip_to_init:
+        /* we assume block size is a power of 2 in *cryptUpdate */
+        assert(ctx->cipher->block_size == 1
+               || ctx->cipher->block_size == 8
+               || ctx->cipher->block_size == 16);
+
         if(!(EVP_CIPHER_CTX_flags(ctx) & EVP_CIPH_CUSTOM_IV)) {
                 switch(EVP_CIPHER_CTX_mode(ctx)) {
 
@@ -114,68 +191,101 @@ int EVP_CipherInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
         if(key || (ctx->cipher->flags & EVP_CIPH_ALWAYS_CALL_INIT)) {
                 if(!ctx->cipher->init(ctx,key,iv,enc)) return 0;
         }
-        if(enc != -1) ctx->encrypt=enc;
         ctx->buf_len=0;
+        ctx->final_used=0;
+        ctx->block_mask=ctx->cipher->block_size-1;
         return 1;
         }
 
 int EVP_CipherUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
-             unsigned char *in, int inl)
+             const unsigned char *in, int inl)
         {
         if (ctx->encrypt)
                 return EVP_EncryptUpdate(ctx,out,outl,in,inl);
         else    return EVP_DecryptUpdate(ctx,out,outl,in,inl);
         }
 
+int EVP_CipherFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
+        {
+        if (ctx->encrypt)
+                return EVP_EncryptFinal_ex(ctx,out,outl);
+        else    return EVP_DecryptFinal_ex(ctx,out,outl);
+        }
+
 int EVP_CipherFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
         {
         if (ctx->encrypt)
                 return EVP_EncryptFinal(ctx,out,outl);
-        else    return(EVP_DecryptFinal(ctx,out,outl));
+        else    return EVP_DecryptFinal(ctx,out,outl);
         }
 
 int EVP_EncryptInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
-             unsigned char *key, unsigned char *iv)
+             const unsigned char *key, const unsigned char *iv)
         {
         return EVP_CipherInit(ctx, cipher, key, iv, 1);
         }
 
+int EVP_EncryptInit_ex(EVP_CIPHER_CTX *ctx,const EVP_CIPHER *cipher, ENGINE *impl,
+                const unsigned char *key, const unsigned char *iv)
+        {
+        return EVP_CipherInit_ex(ctx, cipher, impl, key, iv, 1);
+        }
+
 int EVP_DecryptInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
-             unsigned char *key, unsigned char *iv)
+             const unsigned char *key, const unsigned char *iv)
         {
-        return EVP_CipherInit(ctx, cipher, key, iv, 0);
+        return EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, 0);
         }
 
+int EVP_DecryptInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *impl,
+             const unsigned char *key, const unsigned char *iv)
+        {
+        return EVP_CipherInit_ex(ctx, cipher, impl, key, iv, 0);
+        }
 
 int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
-             unsigned char *in, int inl)
+             const unsigned char *in, int inl)
         {
         int i,j,bl;
 
+        if(ctx->buf_len == 0 && (inl&(ctx->block_mask)) == 0)
+                {
+                if(ctx->cipher->do_cipher(ctx,out,in,inl))
+                        {
+                        *outl=inl;
+                        return 1;
+                        }
+                else
+                        {
+                        *outl=0;
+                        return 0;
+                        }
+                }
         i=ctx->buf_len;
         bl=ctx->cipher->block_size;
-        *outl=0;
-        if ((inl == 0) && (i != bl)) return 1;
         if (i != 0)
                 {
                 if (i+inl < bl)
                         {
                         memcpy(&(ctx->buf[i]),in,inl);
                         ctx->buf_len+=inl;
+                        *outl=0;
                         return 1;
                         }
                 else
                         {
                         j=bl-i;
-                        if (j != 0) memcpy(&(ctx->buf[i]),in,j);
+                        memcpy(&(ctx->buf[i]),in,j);
                         if(!ctx->cipher->do_cipher(ctx,out,ctx->buf,bl)) return 0;
                         inl-=j;
                         in+=j;
                         out+=bl;
-                        *outl+=bl;
+                        *outl=bl;
                         }
                 }
-        i=inl%bl; /* how much is left */
+        else
+                *outl = 0;
+        i=inl&(bl-1);
         inl-=i;
         if (inl > 0)
                 {
@@ -191,107 +301,153 @@ int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
 
 int EVP_EncryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
         {
-        int i,n,b,bl;
+        int ret;
+        ret = EVP_EncryptFinal_ex(ctx, out, outl);
+        EVP_CIPHER_CTX_cleanup(ctx);
+        return ret;
+        }
+
+int EVP_EncryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
+        {
+        int i,n,b,bl,ret;
 
         b=ctx->cipher->block_size;
         if (b == 1)
                 {
+                EVP_CIPHER_CTX_cleanup(ctx);
                 *outl=0;
                 return 1;
                 }
         bl=ctx->buf_len;
+        if (ctx->flags & EVP_CIPH_NO_PADDING)
+                {
+                EVP_CIPHER_CTX_cleanup(ctx);
+                if(bl)
+                        {
+                        EVPerr(EVP_F_EVP_ENCRYPTFINAL,EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH);
+                        return 0;
+                        }
+                *outl = 0;
+                return 1;
+                }
+
         n=b-bl;
         for (i=bl; i<b; i++)
                 ctx->buf[i]=n;
-        if(!ctx->cipher->do_cipher(ctx,out,ctx->buf,b)) return 0;
-        *outl=b;
-        return 1;
+        ret=ctx->cipher->do_cipher(ctx,out,ctx->buf,b);
+
+        EVP_CIPHER_CTX_cleanup(ctx);
+
+        if(ret)
+                *outl=b;
+
+        return ret;
         }
 
 int EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
-             unsigned char *in, int inl)
+             const unsigned char *in, int inl)
         {
-        int b,bl,n;
-        int keep_last=0;
+        int b, fix_len;
 
-        *outl=0;
-        if (inl == 0) return 1;
+        if (inl == 0)
+                {
+                *outl=0;
+                return 1;
+                }
+
+        if (ctx->flags & EVP_CIPH_NO_PADDING)
+                return EVP_EncryptUpdate(ctx, out, outl, in, inl);
 
         b=ctx->cipher->block_size;
-        if (b > 1)
+
+        if(ctx->final_used)
                 {
-                /* Is the input a multiple of the block size? */
-                bl=ctx->buf_len;
-                n=inl+bl;
-                if (n%b == 0)
-                        {
-                        if (inl < b) /* must be 'just one' buff */
-                                {
-                                memcpy(&(ctx->buf[bl]),in,inl);
-                                ctx->buf_len=b;
-                                *outl=0;
-                                return 1;
-                                }
-                        keep_last=1;
-                        inl-=b; /* don't do the last block */
-                        }
+                memcpy(out,ctx->final,b);
+                out+=b;
+                fix_len = 1;
                 }
-        if(!EVP_EncryptUpdate(ctx,out,outl,in,inl)) return 0;
+        else
+                fix_len = 0;
+
+
+        if(!EVP_EncryptUpdate(ctx,out,outl,in,inl))
+                return 0;
 
         /* if we have 'decrypted' a multiple of block size, make sure
          * we have a copy of this last block */
-        if (keep_last)
+        if (b > 1 && !ctx->buf_len)
                 {
-                memcpy(&(ctx->buf[0]),&(in[inl]),b);
-#ifdef DEBUG
-                if (ctx->buf_len != 0)
-                        {
-                        abort();
-                        }
-#endif
-                ctx->buf_len=b;
+                *outl-=b;
+                ctx->final_used=1;
+                memcpy(ctx->final,&out[*outl],b);
                 }
+        else
+                ctx->final_used = 0;
+
+        if (fix_len)
+                *outl += b;
+                
         return 1;
         }
 
 int EVP_DecryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
         {
+        int ret;
+        ret = EVP_DecryptFinal_ex(ctx, out, outl);
+        EVP_CIPHER_CTX_cleanup(ctx);
+        return ret;
+        }
+
+int EVP_DecryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
+        {
         int i,b;
         int n;
 
         *outl=0;
         b=ctx->cipher->block_size;
+        if (ctx->flags & EVP_CIPH_NO_PADDING)
+                {
+                EVP_CIPHER_CTX_cleanup(ctx);
+                if(ctx->buf_len)
+                        {
+                        EVPerr(EVP_F_EVP_DECRYPTFINAL,EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH);
+                        return 0;
+                        }
+                *outl = 0;
+                return 1;
+                }
         if (b > 1)
                 {
-                if (ctx->buf_len != b)
+                if (ctx->buf_len || !ctx->final_used)
                         {
+                        EVP_CIPHER_CTX_cleanup(ctx);
                         EVPerr(EVP_F_EVP_DECRYPTFINAL,EVP_R_WRONG_FINAL_BLOCK_LENGTH);
                         return(0);
                         }
-                if(!EVP_EncryptUpdate(ctx,ctx->buf,&n,ctx->buf,0)) return 0;
-                if (n != b)
-                        return(0);
-                n=ctx->buf[b-1];
+                n=ctx->final[b-1];
                 if (n > b)
                         {
+                        EVP_CIPHER_CTX_cleanup(ctx);
                         EVPerr(EVP_F_EVP_DECRYPTFINAL,EVP_R_BAD_DECRYPT);
                         return(0);
                         }
                 for (i=0; i<n; i++)
                         {
-                        if (ctx->buf[--b] != n)
+                        if (ctx->final[--b] != n)
                                 {
+                                EVP_CIPHER_CTX_cleanup(ctx);
                                 EVPerr(EVP_F_EVP_DECRYPTFINAL,EVP_R_BAD_DECRYPT);
                                 return(0);
                                 }
                         }
                 n=ctx->cipher->block_size-n;
                 for (i=0; i<n; i++)
-                        out[i]=ctx->buf[i];
+                        out[i]=ctx->final[i];
                 *outl=n;
                 }
         else
                 *outl=0;
+        EVP_CIPHER_CTX_cleanup(ctx);
         return(1);
         }
 
@@ -301,6 +457,11 @@ int EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *c)
                 {
                 if(!c->cipher->cleanup(c)) return 0;
                 }
+        OPENSSL_free(c->cipher_data);
+        if (c->engine)
+                /* The EVP_CIPHER we used belongs to an ENGINE, release the
+                 * functional reference we held for this reason. */
+                ENGINE_finish(c->engine);
         memset(c,0,sizeof(EVP_CIPHER_CTX));
         return 1;
         }
@@ -319,6 +480,13 @@ int EVP_CIPHER_CTX_set_key_length(EVP_CIPHER_CTX *c, int keylen)
         return 0;
         }
 
+int EVP_CIPHER_CTX_set_padding(EVP_CIPHER_CTX *ctx, int pad)
+        {
+        if (pad) ctx->flags &= ~EVP_CIPH_NO_PADDING;
+        else ctx->flags |= EVP_CIPH_NO_PADDING;
+        return 1;
+        }
+
 int EVP_CIPHER_CTX_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr)
 {
         int ret;
diff --git a/src/lib/libcrypto/evp/evp_err.c b/src/lib/libcrypto/evp/evp_err.c
index a01412a07c..3a23d21c21 100644
--- a/src/lib/libcrypto/evp/evp_err.c
+++ b/src/lib/libcrypto/evp/evp_err.c
@@ -63,7 +63,7 @@
 #include <openssl/evp.h>
 
 /* BEGIN ERROR CODES */
-#ifndef NO_ERR
+#ifndef OPENSSL_NO_ERR
 static ERR_STRING_DATA EVP_str_functs[]=
         {
 {ERR_PACK(0,EVP_F_D2I_PKEY,0),  "D2I_PKEY"},
@@ -71,6 +71,8 @@ static ERR_STRING_DATA EVP_str_functs[]=
 {ERR_PACK(0,EVP_F_EVP_CIPHER_CTX_CTRL,0),       "EVP_CIPHER_CTX_ctrl"},
 {ERR_PACK(0,EVP_F_EVP_CIPHER_CTX_SET_KEY_LENGTH,0),     "EVP_CIPHER_CTX_set_key_length"},
 {ERR_PACK(0,EVP_F_EVP_DECRYPTFINAL,0),  "EVP_DecryptFinal"},
+{ERR_PACK(0,EVP_F_EVP_DIGESTINIT,0),    "EVP_DigestInit"},
+{ERR_PACK(0,EVP_F_EVP_ENCRYPTFINAL,0),  "EVP_EncryptFinal"},
 {ERR_PACK(0,EVP_F_EVP_MD_CTX_COPY,0),   "EVP_MD_CTX_copy"},
 {ERR_PACK(0,EVP_F_EVP_OPENINIT,0),      "EVP_OpenInit"},
 {ERR_PACK(0,EVP_F_EVP_PBE_ALG_ADD,0),   "EVP_PBE_alg_add"},
@@ -85,6 +87,7 @@ static ERR_STRING_DATA EVP_str_functs[]=
 {ERR_PACK(0,EVP_F_EVP_PKEY_GET1_DSA,0), "EVP_PKEY_get1_DSA"},
 {ERR_PACK(0,EVP_F_EVP_PKEY_GET1_RSA,0), "EVP_PKEY_get1_RSA"},
 {ERR_PACK(0,EVP_F_EVP_PKEY_NEW,0),      "EVP_PKEY_new"},
+{ERR_PACK(0,EVP_F_EVP_RIJNDAEL,0),      "EVP_RIJNDAEL"},
 {ERR_PACK(0,EVP_F_EVP_SIGNFINAL,0),     "EVP_SignFinal"},
 {ERR_PACK(0,EVP_F_EVP_VERIFYFINAL,0),   "EVP_VerifyFinal"},
 {ERR_PACK(0,EVP_F_PKCS5_PBE_KEYIVGEN,0),        "PKCS5_PBE_keyivgen"},
@@ -96,12 +99,15 @@ static ERR_STRING_DATA EVP_str_functs[]=
 
 static ERR_STRING_DATA EVP_str_reasons[]=
         {
+{EVP_R_BAD_BLOCK_LENGTH                  ,"bad block length"},
 {EVP_R_BAD_DECRYPT                       ,"bad decrypt"},
+{EVP_R_BAD_KEY_LENGTH                    ,"bad key length"},
 {EVP_R_BN_DECODE_ERROR                   ,"bn decode error"},
 {EVP_R_BN_PUBKEY_ERROR                   ,"bn pubkey error"},
 {EVP_R_CIPHER_PARAMETER_ERROR            ,"cipher parameter error"},
 {EVP_R_CTRL_NOT_IMPLEMENTED              ,"ctrl not implemented"},
 {EVP_R_CTRL_OPERATION_NOT_IMPLEMENTED    ,"ctrl operation not implemented"},
+{EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH ,"data not multiple of block length"},
 {EVP_R_DECODE_ERROR                      ,"decode error"},
 {EVP_R_DIFFERENT_KEY_TYPES               ,"different key types"},
 {EVP_R_ENCODE_ERROR                      ,"encode error"},
@@ -116,6 +122,7 @@ static ERR_STRING_DATA EVP_str_reasons[]=
 {EVP_R_KEYGEN_FAILURE                    ,"keygen failure"},
 {EVP_R_MISSING_PARAMETERS                ,"missing parameters"},
 {EVP_R_NO_CIPHER_SET                     ,"no cipher set"},
+{EVP_R_NO_DIGEST_SET                     ,"no digest set"},
 {EVP_R_NO_DSA_PARAMETERS                 ,"no dsa parameters"},
 {EVP_R_NO_SIGN_FUNCTION_CONFIGURED       ,"no sign function configured"},
 {EVP_R_NO_VERIFY_FUNCTION_CONFIGURED     ,"no verify function configured"},
@@ -144,7 +151,7 @@ void ERR_load_EVP_strings(void)
         if (init)
                 {
                 init=0;
-#ifndef NO_ERR
+#ifndef OPENSSL_NO_ERR
                 ERR_load_strings(ERR_LIB_EVP,EVP_str_functs);
                 ERR_load_strings(ERR_LIB_EVP,EVP_str_reasons);
 #endif
diff --git a/src/lib/libcrypto/evp/evp_key.c b/src/lib/libcrypto/evp/evp_key.c
index e7434ef9b2..4271393069 100644
--- a/src/lib/libcrypto/evp/evp_key.c
+++ b/src/lib/libcrypto/evp/evp_key.c
@@ -61,6 +61,7 @@
 #include <openssl/x509.h>
 #include <openssl/objects.h>
 #include <openssl/evp.h>
+#include <openssl/ui.h>
 
 /* should be init to zeros. */
 static char prompt_string[80];
@@ -70,7 +71,10 @@ void EVP_set_pw_prompt(char *prompt)
         if (prompt == NULL)
                 prompt_string[0]='\0';
         else
+                {
                 strncpy(prompt_string,prompt,79);
+                prompt_string[79]='\0';
+                }
         }
 
 char *EVP_get_pw_prompt(void)
@@ -86,18 +90,26 @@ char *EVP_get_pw_prompt(void)
  * this function will fail */
 int EVP_read_pw_string(char *buf, int len, const char *prompt, int verify)
         {
-#ifndef NO_DES
+        int ret;
+        char buff[BUFSIZ];
+        UI *ui;
+
         if ((prompt == NULL) && (prompt_string[0] != '\0'))
                 prompt=prompt_string;
-        return(des_read_pw_string(buf,len,prompt,verify));
-#else
-        return -1;
-#endif
+        ui = UI_new();
+        UI_add_input_string(ui,prompt,0,buf,0,(len>=BUFSIZ)?BUFSIZ-1:len);
+        if (verify)
+                UI_add_verify_string(ui,prompt,0,
+                        buff,0,(len>=BUFSIZ)?BUFSIZ-1:len,buf);
+        ret = UI_process(ui);
+        UI_free(ui);
+        memset(buff,0,BUFSIZ);
+        return ret;
         }
 
-int EVP_BytesToKey(const EVP_CIPHER *type, EVP_MD *md, 
-             const unsigned char *salt, const unsigned char *data, int datal, 
-             int count, unsigned char *key, unsigned char *iv)
+int EVP_BytesToKey(const EVP_CIPHER *type, const EVP_MD *md, 
+             const unsigned char *salt, const unsigned char *data, int datal,
+             int count, unsigned char *key, unsigned char *iv)
         {
         EVP_MD_CTX c;
         unsigned char md_buf[EVP_MAX_MD_SIZE];
@@ -109,21 +121,22 @@ int EVP_BytesToKey(const EVP_CIPHER *type, EVP_MD *md,
 
         if (data == NULL) return(nkey);
 
+        EVP_MD_CTX_init(&c);
         for (;;)
                 {
-                EVP_DigestInit(&c,md);
+                EVP_DigestInit_ex(&c,md, NULL);
                 if (addmd++)
                         EVP_DigestUpdate(&c,&(md_buf[0]),mds);
                 EVP_DigestUpdate(&c,data,datal);
                 if (salt != NULL)
                         EVP_DigestUpdate(&c,salt,PKCS5_SALT_LEN);
-                EVP_DigestFinal(&c,&(md_buf[0]),&mds);
+                EVP_DigestFinal_ex(&c,&(md_buf[0]),&mds);
 
                 for (i=1; i<(unsigned int)count; i++)
                         {
-                        EVP_DigestInit(&c,md);
+                        EVP_DigestInit_ex(&c,md, NULL);
                         EVP_DigestUpdate(&c,&(md_buf[0]),mds);
-                        EVP_DigestFinal(&c,&(md_buf[0]),&mds);
+                        EVP_DigestFinal_ex(&c,&(md_buf[0]),&mds);
                         }
                 i=0;
                 if (nkey)
@@ -152,7 +165,7 @@ int EVP_BytesToKey(const EVP_CIPHER *type, EVP_MD *md,
                         }
                 if ((nkey == 0) && (niv == 0)) break;
                 }
-        memset(&c,0,sizeof(c));
+        EVP_MD_CTX_cleanup(&c);
         memset(&(md_buf[0]),0,EVP_MAX_MD_SIZE);
         return(type->key_len);
         }
diff --git a/src/lib/libcrypto/evp/evp_locl.h b/src/lib/libcrypto/evp/evp_locl.h
index ce49d5b7d8..7b088b4848 100644
--- a/src/lib/libcrypto/evp/evp_locl.h
+++ b/src/lib/libcrypto/evp/evp_locl.h
@@ -61,50 +61,107 @@
 /* Wrapper functions for each cipher mode */
 
 #define BLOCK_CIPHER_ecb_loop() \
-        unsigned int i; \
-        if(inl < 8) return 1;\
-        inl -= 8; \
-        for(i=0; i <= inl; i+=8) \
+        unsigned int i, bl; \
+        bl = ctx->cipher->block_size;\
+        if(inl < bl) return 1;\
+        inl -= bl; \
+        for(i=0; i <= inl; i+=bl) \
 
-#define BLOCK_CIPHER_func_ecb(cname, cprefix, kname) \
+#define BLOCK_CIPHER_func_ecb(cname, cprefix, kstruct, ksched) \
 static int cname##_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, unsigned int inl) \
 {\
         BLOCK_CIPHER_ecb_loop() \
-                cprefix##_ecb_encrypt(in + i, out + i, &ctx->c.kname, ctx->encrypt);\
+                cprefix##_ecb_encrypt(in + i, out + i, &((kstruct *)ctx->cipher_data)->ksched, ctx->encrypt);\
         return 1;\
 }
 
-#define BLOCK_CIPHER_func_ofb(cname, cprefix, kname) \
+#define BLOCK_CIPHER_func_ofb(cname, cprefix, cbits, kstruct, ksched) \
 static int cname##_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, unsigned int inl) \
 {\
-        cprefix##_ofb64_encrypt(in, out, (long)inl, &ctx->c.kname, ctx->iv, &ctx->num);\
+        cprefix##_ofb##cbits##_encrypt(in, out, (long)inl, &((kstruct *)ctx->cipher_data)->ksched, ctx->iv, &ctx->num);\
         return 1;\
 }
 
-#define BLOCK_CIPHER_func_cbc(cname, cprefix, kname) \
+#define BLOCK_CIPHER_func_cbc(cname, cprefix, kstruct, ksched) \
 static int cname##_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, unsigned int inl) \
 {\
-        cprefix##_cbc_encrypt(in, out, (long)inl, &ctx->c.kname, ctx->iv, ctx->encrypt);\
+        cprefix##_cbc_encrypt(in, out, (long)inl, &((kstruct *)ctx->cipher_data)->ksched, ctx->iv, ctx->encrypt);\
         return 1;\
 }
 
-#define BLOCK_CIPHER_func_cfb(cname, cprefix, kname) \
+#define BLOCK_CIPHER_func_cfb(cname, cprefix, cbits, kstruct, ksched) \
 static int cname##_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, unsigned int inl) \
 {\
-        cprefix##_cfb64_encrypt(in, out, (long)inl, &ctx->c.kname, ctx->iv, &ctx->num, ctx->encrypt);\
+        cprefix##_cfb##cbits##_encrypt(in, out, (long)inl, &((kstruct *)ctx->cipher_data)->ksched, ctx->iv, &ctx->num, ctx->encrypt);\
         return 1;\
 }
 
-#define BLOCK_CIPHER_all_funcs(cname, cprefix, kname) \
-        BLOCK_CIPHER_func_cbc(cname, cprefix, kname) \
-        BLOCK_CIPHER_func_cfb(cname, cprefix, kname) \
-        BLOCK_CIPHER_func_ecb(cname, cprefix, kname) \
-        BLOCK_CIPHER_func_ofb(cname, cprefix, kname)
+#define BLOCK_CIPHER_all_funcs(cname, cprefix, cbits, kstruct, ksched) \
+        BLOCK_CIPHER_func_cbc(cname, cprefix, kstruct, ksched) \
+        BLOCK_CIPHER_func_cfb(cname, cprefix, cbits, kstruct, ksched) \
+        BLOCK_CIPHER_func_ecb(cname, cprefix, kstruct, ksched) \
+        BLOCK_CIPHER_func_ofb(cname, cprefix, cbits, kstruct, ksched)
 
+#define BLOCK_CIPHER_def1(cname, nmode, mode, MODE, kstruct, nid, block_size, \
+                          key_len, iv_len, flags, init_key, cleanup, \
+                          set_asn1, get_asn1, ctrl) \
+static const EVP_CIPHER cname##_##mode = { \
+        nid##_##nmode, block_size, key_len, iv_len, \
+        flags | EVP_CIPH_##MODE##_MODE, \
+        init_key, \
+        cname##_##mode##_cipher, \
+        cleanup, \
+        sizeof(kstruct), \
+        set_asn1, get_asn1,\
+        ctrl, \
+        NULL \
+}; \
+const EVP_CIPHER *EVP_##cname##_##mode(void) { return &cname##_##mode; }
+
+#define BLOCK_CIPHER_def_cbc(cname, kstruct, nid, block_size, key_len, \
+                             iv_len, flags, init_key, cleanup, set_asn1, \
+                             get_asn1, ctrl) \
+BLOCK_CIPHER_def1(cname, cbc, cbc, CBC, kstruct, nid, block_size, key_len, \
+                  iv_len, flags, init_key, cleanup, set_asn1, get_asn1, ctrl)
+
+#define BLOCK_CIPHER_def_cfb(cname, kstruct, nid, block_size, key_len, \
+                             iv_len, cbits, flags, init_key, cleanup, \
+                             set_asn1, get_asn1, ctrl) \
+BLOCK_CIPHER_def1(cname, cfb##cbits, cfb, CFB, kstruct, nid, block_size, \
+                  key_len, iv_len, flags, init_key, cleanup, set_asn1, \
+                  get_asn1, ctrl)
+
+#define BLOCK_CIPHER_def_ofb(cname, kstruct, nid, block_size, key_len, \
+                             iv_len, cbits, flags, init_key, cleanup, \
+                             set_asn1, get_asn1, ctrl) \
+BLOCK_CIPHER_def1(cname, ofb##cbits, ofb, OFB, kstruct, nid, block_size, \
+                  key_len, iv_len, flags, init_key, cleanup, set_asn1, \
+                  get_asn1, ctrl)
+
+#define BLOCK_CIPHER_def_ecb(cname, kstruct, nid, block_size, key_len, \
+                             iv_len, flags, init_key, cleanup, set_asn1, \
+                             get_asn1, ctrl) \
+BLOCK_CIPHER_def1(cname, ecb, ecb, ECB, kstruct, nid, block_size, key_len, \
+                  iv_len, flags, init_key, cleanup, set_asn1, get_asn1, ctrl)
+
+#define BLOCK_CIPHER_defs(cname, kstruct, \
+                          nid, block_size, key_len, iv_len, cbits, flags, \
+                          init_key, cleanup, set_asn1, get_asn1, ctrl) \
+BLOCK_CIPHER_def_cbc(cname, kstruct, nid, block_size, key_len, iv_len, flags, \
+                     init_key, cleanup, set_asn1, get_asn1, ctrl) \
+BLOCK_CIPHER_def_cfb(cname, kstruct, nid, block_size, key_len, iv_len, cbits, \
+                     flags, init_key, cleanup, set_asn1, get_asn1, ctrl) \
+BLOCK_CIPHER_def_ofb(cname, kstruct, nid, block_size, key_len, iv_len, cbits, \
+                     flags, init_key, cleanup, set_asn1, get_asn1, ctrl) \
+BLOCK_CIPHER_def_ecb(cname, kstruct, nid, block_size, key_len, iv_len, flags, \
+                     init_key, cleanup, set_asn1, get_asn1, ctrl)
+
+
+/*
 #define BLOCK_CIPHER_defs(cname, kstruct, \
                                 nid, block_size, key_len, iv_len, flags,\
                                  init_key, cleanup, set_asn1, get_asn1, ctrl)\
-static EVP_CIPHER cname##_cbc = {\
+static const EVP_CIPHER cname##_cbc = {\
         nid##_cbc, block_size, key_len, iv_len, \
         flags | EVP_CIPH_CBC_MODE,\
         init_key,\
@@ -116,8 +173,8 @@ static EVP_CIPHER cname##_cbc = {\
         ctrl, \
         NULL \
 };\
-EVP_CIPHER *EVP_##cname##_cbc(void) { return &cname##_cbc; }\
-static EVP_CIPHER cname##_cfb = {\
+const EVP_CIPHER *EVP_##cname##_cbc(void) { return &cname##_cbc; }\
+static const EVP_CIPHER cname##_cfb = {\
         nid##_cfb64, 1, key_len, iv_len, \
         flags | EVP_CIPH_CFB_MODE,\
         init_key,\
@@ -129,8 +186,8 @@ static EVP_CIPHER cname##_cfb = {\
         ctrl,\
         NULL \
 };\
-EVP_CIPHER *EVP_##cname##_cfb(void) { return &cname##_cfb; }\
-static EVP_CIPHER cname##_ofb = {\
+const EVP_CIPHER *EVP_##cname##_cfb(void) { return &cname##_cfb; }\
+static const EVP_CIPHER cname##_ofb = {\
         nid##_ofb64, 1, key_len, iv_len, \
         flags | EVP_CIPH_OFB_MODE,\
         init_key,\
@@ -142,8 +199,8 @@ static EVP_CIPHER cname##_ofb = {\
         ctrl,\
         NULL \
 };\
-EVP_CIPHER *EVP_##cname##_ofb(void) { return &cname##_ofb; }\
-static EVP_CIPHER cname##_ecb = {\
+const EVP_CIPHER *EVP_##cname##_ofb(void) { return &cname##_ofb; }\
+static const EVP_CIPHER cname##_ecb = {\
         nid##_ecb, block_size, key_len, iv_len, \
         flags | EVP_CIPH_ECB_MODE,\
         init_key,\
@@ -155,14 +212,16 @@ static EVP_CIPHER cname##_ecb = {\
         ctrl,\
         NULL \
 };\
-EVP_CIPHER *EVP_##cname##_ecb(void) { return &cname##_ecb; }
-
-
+const EVP_CIPHER *EVP_##cname##_ecb(void) { return &cname##_ecb; }
+*/
 
-#define IMPLEMENT_BLOCK_CIPHER(cname, kname, cprefix, kstruct, \
-                                nid, block_size, key_len, iv_len, flags, \
-                                 init_key, cleanup, set_asn1, get_asn1, ctrl) \
-        BLOCK_CIPHER_all_funcs(cname, cprefix, kname) \
-        BLOCK_CIPHER_defs(cname, kstruct, nid, block_size, key_len, iv_len, flags,\
-                 init_key, cleanup, set_asn1, get_asn1, ctrl) 
+#define IMPLEMENT_BLOCK_CIPHER(cname, ksched, cprefix, kstruct, nid, \
+                               block_size, key_len, iv_len, cbits, \
+                               flags, init_key, \
+                               cleanup, set_asn1, get_asn1, ctrl) \
+        BLOCK_CIPHER_all_funcs(cname, cprefix, cbits, kstruct, ksched) \
+        BLOCK_CIPHER_defs(cname, kstruct, nid, block_size, key_len, iv_len, \
+                          cbits, flags, init_key, cleanup, set_asn1, \
+                          get_asn1, ctrl)
 
+#define EVP_C_DATA(kstruct, ctx)        ((kstruct *)(ctx)->cipher_data)
diff --git a/src/lib/libcrypto/evp/evp_pbe.c b/src/lib/libcrypto/evp/evp_pbe.c
index 224a422b12..06afb9d152 100644
--- a/src/lib/libcrypto/evp/evp_pbe.c
+++ b/src/lib/libcrypto/evp/evp_pbe.c
@@ -69,8 +69,8 @@ static STACK *pbe_algs;
 
 typedef struct {
 int pbe_nid;
-EVP_CIPHER *cipher;
-EVP_MD *md;
+const EVP_CIPHER *cipher;
+const EVP_MD *md;
 EVP_PBE_KEYGEN *keygen;
 } EVP_PBE_CTL;
 
@@ -112,7 +112,7 @@ static int pbe_cmp(const char * const *a, const char * const *b)
 
 /* Add a PBE algorithm */
 
-int EVP_PBE_alg_add (int nid, EVP_CIPHER *cipher, EVP_MD *md,
+int EVP_PBE_alg_add(int nid, const EVP_CIPHER *cipher, const EVP_MD *md,
              EVP_PBE_KEYGEN *keygen)
 {
         EVP_PBE_CTL *pbe_tmp;
diff --git a/src/lib/libcrypto/evp/evp_pkey.c b/src/lib/libcrypto/evp/evp_pkey.c
index 8df2874f3c..34b5b1d21c 100644
--- a/src/lib/libcrypto/evp/evp_pkey.c
+++ b/src/lib/libcrypto/evp/evp_pkey.c
@@ -62,17 +62,19 @@
 #include <openssl/x509.h>
 #include <openssl/rand.h>
 
+#ifndef OPENSSL_NO_DSA
 static int dsa_pkey2pkcs8(PKCS8_PRIV_KEY_INFO *p8inf, EVP_PKEY *pkey);
+#endif
 
 /* Extract a private key from a PKCS8 structure */
 
 EVP_PKEY *EVP_PKCS82PKEY (PKCS8_PRIV_KEY_INFO *p8)
 {
         EVP_PKEY *pkey = NULL;
-#ifndef NO_RSA
+#ifndef OPENSSL_NO_RSA
         RSA *rsa = NULL;
 #endif
-#ifndef NO_DSA
+#ifndef OPENSSL_NO_DSA
         DSA *dsa = NULL;
         ASN1_INTEGER *privkey;
         ASN1_TYPE *t1, *t2, *param = NULL;
@@ -82,6 +84,7 @@ EVP_PKEY *EVP_PKCS82PKEY (PKCS8_PRIV_KEY_INFO *p8)
 #endif
         X509_ALGOR *a;
         unsigned char *p;
+        const unsigned char *cp;
         int pkeylen;
         char obj_tmp[80];
 
@@ -101,16 +104,17 @@ EVP_PKEY *EVP_PKCS82PKEY (PKCS8_PRIV_KEY_INFO *p8)
         a = p8->pkeyalg;
         switch (OBJ_obj2nid(a->algorithm))
         {
-#ifndef NO_RSA
+#ifndef OPENSSL_NO_RSA
                 case NID_rsaEncryption:
-                if (!(rsa = d2i_RSAPrivateKey (NULL, &p, pkeylen))) {
+                cp = p;
+                if (!(rsa = d2i_RSAPrivateKey (NULL,&cp, pkeylen))) {
                         EVPerr(EVP_F_EVP_PKCS82PKEY, EVP_R_DECODE_ERROR);
                         return NULL;
                 }
                 EVP_PKEY_assign_RSA (pkey, rsa);
                 break;
 #endif
-#ifndef NO_DSA
+#ifndef OPENSSL_NO_DSA
                 case NID_dsa:
                 /* PKCS#8 DSA is weird: you just get a private key integer
                  * and parameters in the AlgorithmIdentifier the pubkey must
@@ -163,9 +167,9 @@ EVP_PKEY *EVP_PKCS82PKEY (PKCS8_PRIV_KEY_INFO *p8)
                         EVPerr(EVP_F_EVP_PKCS82PKEY, EVP_R_DECODE_ERROR);
                         goto dsaerr;
                 }
-                p = param->value.sequence->data;
+                cp = p = param->value.sequence->data;
                 plen = param->value.sequence->length;
-                if (!(dsa = d2i_DSAparams (NULL, &p, plen))) {
+                if (!(dsa = d2i_DSAparams (NULL, &cp, plen))) {
                         EVPerr(EVP_F_EVP_PKCS82PKEY, EVP_R_DECODE_ERROR);
                         goto dsaerr;
                 }
@@ -239,7 +243,7 @@ PKCS8_PRIV_KEY_INFO *EVP_PKEY2PKCS8_broken(EVP_PKEY *pkey, int broken)
         }
         p8->pkey->type = V_ASN1_OCTET_STRING;
         switch (EVP_PKEY_type(pkey->type)) {
-#ifndef NO_RSA
+#ifndef OPENSSL_NO_RSA
                 case EVP_PKEY_RSA:
 
                 if(p8->broken == PKCS8_NO_OCTET) p8->pkey->type = V_ASN1_SEQUENCE;
@@ -254,7 +258,7 @@ PKCS8_PRIV_KEY_INFO *EVP_PKEY2PKCS8_broken(EVP_PKEY *pkey, int broken)
                 }
                 break;
 #endif
-#ifndef NO_DSA
+#ifndef OPENSSL_NO_DSA
                 case EVP_PKEY_DSA:
                 if(!dsa_pkey2pkcs8(p8, pkey)) {
                         PKCS8_PRIV_KEY_INFO_free (p8);
@@ -296,7 +300,7 @@ PKCS8_PRIV_KEY_INFO *PKCS8_set_broken(PKCS8_PRIV_KEY_INFO *p8, int broken)
         }
 }
 
-#ifndef NO_DSA
+#ifndef OPENSSL_NO_DSA
 static int dsa_pkey2pkcs8(PKCS8_PRIV_KEY_INFO *p8, EVP_PKEY *pkey)
 {
         ASN1_STRING *params;
diff --git a/src/lib/libcrypto/evp/evp_test.c b/src/lib/libcrypto/evp/evp_test.c
new file mode 100644
index 0000000000..3607fe7776
--- /dev/null
+++ b/src/lib/libcrypto/evp/evp_test.c
@@ -0,0 +1,365 @@
+/* Written by Ben Laurie, 2001 */
+/*
+ * Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <openssl/evp.h>
+#include <openssl/engine.h>
+#include <openssl/conf.h>
+
+static void hexdump(FILE *f,const char *title,const unsigned char *s,int l)
+    {
+    int n=0;
+
+    fprintf(f,"%s",title);
+    for( ; n < l ; ++n)
+        {
+        if((n%16) == 0)
+            fprintf(f,"\n%04x",n);
+        fprintf(f," %02x",s[n]);
+        }
+    fprintf(f,"\n");
+    }
+
+static int convert(unsigned char *s)
+    {
+    unsigned char *d;
+
+    for(d=s ; *s ; s+=2,++d)
+        {
+        unsigned int n;
+
+        if(!s[1])
+            {
+            fprintf(stderr,"Odd number of hex digits!");
+            exit(4);
+            }
+        sscanf((char *)s,"%2x",&n);
+        *d=(unsigned char)n;
+        }
+    return s-d;
+    }
+
+static char *sstrsep(char **string, const char *delim)
+    {
+    char isdelim[256];
+    char *token = *string;
+
+    if (**string == 0)
+        return NULL;
+
+    memset(isdelim, 0, 256);
+    isdelim[0] = 1;
+
+    while (*delim)
+        {
+        isdelim[(unsigned char)(*delim)] = 1;
+        delim++;
+        }
+
+    while (!isdelim[(unsigned char)(**string)])
+        {
+        (*string)++;
+        }
+
+    if (**string)
+        {
+        **string = 0;
+        (*string)++;
+        }
+
+    return token;
+    }
+
+static unsigned char *ustrsep(char **p,const char *sep)
+    { return (unsigned char *)sstrsep((char **)p,sep); }
+
+static void test1(const EVP_CIPHER *c,const unsigned char *key,int kn,
+                  const unsigned char *iv,int in,
+                  const unsigned char *plaintext,int pn,
+                  const unsigned char *ciphertext,int cn)
+    {
+    EVP_CIPHER_CTX ctx;
+    unsigned char out[4096];
+    int outl,outl2;
+
+    printf("Testing cipher %s\n",EVP_CIPHER_name(c));
+    hexdump(stdout,"Key",key,kn);
+    if(in)
+        hexdump(stdout,"IV",iv,in);
+    hexdump(stdout,"Plaintext",plaintext,pn);
+    hexdump(stdout,"Ciphertext",ciphertext,cn);
+    
+    if(kn != c->key_len)
+        {
+        fprintf(stderr,"Key length doesn't match, got %d expected %d\n",kn,
+                c->key_len);
+        exit(5);
+        }
+    EVP_CIPHER_CTX_init(&ctx);
+    if(!EVP_EncryptInit_ex(&ctx,c,NULL,key,iv))
+        {
+        fprintf(stderr,"EncryptInit failed\n");
+        exit(10);
+        }
+    EVP_CIPHER_CTX_set_padding(&ctx,0);
+
+    if(!EVP_EncryptUpdate(&ctx,out,&outl,plaintext,pn))
+        {
+        fprintf(stderr,"Encrypt failed\n");
+        exit(6);
+        }
+    if(!EVP_EncryptFinal_ex(&ctx,out+outl,&outl2))
+        {
+        fprintf(stderr,"EncryptFinal failed\n");
+        exit(7);
+        }
+
+    if(outl+outl2 != cn)
+        {
+        fprintf(stderr,"Ciphertext length mismatch got %d expected %d\n",
+                outl+outl2,cn);
+        exit(8);
+        }
+
+    if(memcmp(out,ciphertext,cn))
+        {
+        fprintf(stderr,"Ciphertext mismatch\n");
+        hexdump(stderr,"Got",out,cn);
+        hexdump(stderr,"Expected",ciphertext,cn);
+        exit(9);
+        }
+
+    if(!EVP_DecryptInit_ex(&ctx,c,NULL,key,iv))
+        {
+        fprintf(stderr,"DecryptInit failed\n");
+        exit(11);
+        }
+    EVP_CIPHER_CTX_set_padding(&ctx,0);
+
+    if(!EVP_DecryptUpdate(&ctx,out,&outl,ciphertext,pn))
+        {
+        fprintf(stderr,"Decrypt failed\n");
+        exit(6);
+        }
+    if(!EVP_DecryptFinal_ex(&ctx,out+outl,&outl2))
+        {
+        fprintf(stderr,"DecryptFinal failed\n");
+        exit(7);
+        }
+
+    if(outl+outl2 != cn)
+        {
+        fprintf(stderr,"Plaintext length mismatch got %d expected %d\n",
+                outl+outl2,cn);
+        exit(8);
+        }
+
+    if(memcmp(out,plaintext,cn))
+        {
+        fprintf(stderr,"Plaintext mismatch\n");
+        hexdump(stderr,"Got",out,cn);
+        hexdump(stderr,"Expected",plaintext,cn);
+        exit(9);
+        }
+
+    printf("\n");
+    }
+
+static int test_cipher(const char *cipher,const unsigned char *key,int kn,
+                       const unsigned char *iv,int in,
+                       const unsigned char *plaintext,int pn,
+                       const unsigned char *ciphertext,int cn)
+    {
+    const EVP_CIPHER *c;
+
+    c=EVP_get_cipherbyname(cipher);
+    if(!c)
+        return 0;
+
+    test1(c,key,kn,iv,in,plaintext,pn,ciphertext,cn);
+
+    return 1;
+    }
+
+static int test_digest(const char *digest,
+                       const unsigned char *plaintext,int pn,
+                       const unsigned char *ciphertext, unsigned int cn)
+    {
+    const EVP_MD *d;
+    EVP_MD_CTX ctx;
+    unsigned char md[EVP_MAX_MD_SIZE];
+    unsigned int mdn;
+
+    d=EVP_get_digestbyname(digest);
+    if(!d)
+        return 0;
+
+    printf("Testing digest %s\n",EVP_MD_name(d));
+    hexdump(stdout,"Plaintext",plaintext,pn);
+    hexdump(stdout,"Digest",ciphertext,cn);
+
+    EVP_MD_CTX_init(&ctx);
+    if(!EVP_DigestInit_ex(&ctx,d, NULL))
+        {
+        fprintf(stderr,"DigestInit failed\n");
+        exit(100);
+        }
+    if(!EVP_DigestUpdate(&ctx,plaintext,pn))
+        {
+        fprintf(stderr,"DigestUpdate failed\n");
+        exit(101);
+        }
+    if(!EVP_DigestFinal_ex(&ctx,md,&mdn))
+        {
+        fprintf(stderr,"DigestFinal failed\n");
+        exit(101);
+        }
+    EVP_MD_CTX_cleanup(&ctx);
+
+    if(mdn != cn)
+        {
+        fprintf(stderr,"Digest length mismatch, got %d expected %d\n",mdn,cn);
+        exit(102);
+        }
+
+    if(memcmp(md,ciphertext,cn))
+        {
+        fprintf(stderr,"Digest mismatch\n");
+        hexdump(stderr,"Got",md,cn);
+        hexdump(stderr,"Expected",ciphertext,cn);
+        exit(103);
+        }
+
+    printf("\n");
+
+    return 1;
+    }
+
+int main(int argc,char **argv)
+    {
+    const char *szTestFile;
+    FILE *f;
+
+    if(argc != 2)
+        {
+        fprintf(stderr,"%s <test file>\n",argv[0]);
+        exit(1);
+        }
+    CRYPTO_malloc_debug_init();
+    CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL);
+    CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
+
+    szTestFile=argv[1];
+
+    f=fopen(szTestFile,"r");
+    if(!f)
+        {
+        perror(szTestFile);
+        exit(2);
+        }
+
+    /* Load up the software EVP_CIPHER and EVP_MD definitions */
+    OpenSSL_add_all_ciphers();
+    OpenSSL_add_all_digests();
+    /* Load all compiled-in ENGINEs */
+    ENGINE_load_builtin_engines();
+#if 0
+    OPENSSL_config();
+#endif
+    /* Register all available ENGINE implementations of ciphers and digests.
+     * This could perhaps be changed to "ENGINE_register_all_complete()"? */
+    ENGINE_register_all_ciphers();
+    ENGINE_register_all_digests();
+    /* If we add command-line options, this statement should be switchable.
+     * It'll prevent ENGINEs being ENGINE_init()ialised for cipher/digest use if
+     * they weren't already initialised. */
+    /* ENGINE_set_cipher_flags(ENGINE_CIPHER_FLAG_NOINIT); */
+
+    for( ; ; )
+        {
+        char line[4096];
+        char *p;
+        char *cipher;
+        unsigned char *iv,*key,*plaintext,*ciphertext;
+        int kn,in,pn,cn;
+
+        if(!fgets((char *)line,sizeof line,f))
+            break;
+        if(line[0] == '#' || line[0] == '\n')
+            continue;
+        p=line;
+        cipher=sstrsep(&p,":"); 
+        key=ustrsep(&p,":");
+        iv=ustrsep(&p,":");
+        plaintext=ustrsep(&p,":");
+        ciphertext=ustrsep(&p,"\n");
+
+        kn=convert(key);
+        in=convert(iv);
+        pn=convert(plaintext);
+        cn=convert(ciphertext);
+
+        if(!test_cipher(cipher,key,kn,iv,in,plaintext,pn,ciphertext,cn)
+           && !test_digest(cipher,plaintext,pn,ciphertext,cn))
+            {
+            fprintf(stderr,"Can't find %s\n",cipher);
+            exit(3);
+            }
+        }
+
+    ENGINE_cleanup();
+    EVP_cleanup();
+    CRYPTO_cleanup_all_ex_data();
+    ERR_remove_state(0);
+    ERR_free_strings();
+    CRYPTO_mem_leaks_fp(stderr);
+
+    return 0;
+    }
diff --git a/src/lib/libcrypto/evp/evptests.txt b/src/lib/libcrypto/evp/evptests.txt
new file mode 100644
index 0000000000..6c1529db37
--- /dev/null
+++ b/src/lib/libcrypto/evp/evptests.txt
@@ -0,0 +1,82 @@
+#cipher:key:iv:input:output
+#digest:::input:output
+
+# SHA(1) tests (from shatest.c)
+SHA1:::616263:a9993e364706816aba3e25717850c26c9cd0d89d
+
+# MD5 tests (from md5test.c)
+MD5::::d41d8cd98f00b204e9800998ecf8427e
+MD5:::61:0cc175b9c0f1b6a831c399e269772661
+MD5:::616263:900150983cd24fb0d6963f7d28e17f72
+MD5:::6d65737361676520646967657374:f96b697d7cb7938d525a2f31aaf161d0
+MD5:::6162636465666768696a6b6c6d6e6f707172737475767778797a:c3fcd3d76192e4007dfb496cca67e13b
+MD5:::4142434445464748494a4b4c4d4e4f505152535455565758595a6162636465666768696a6b6c6d6e6f707172737475767778797a30313233343536373839:d174ab98d277d9f5a5611c2c9f419d9f
+MD5:::3132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930:57edf4a22be3c955ac49da2e2107b67a
+
+# AES 128 ECB tests (from FIPS-197 test vectors, encrypt)
+
+AES-128-ECB:000102030405060708090A0B0C0D0E0F::00112233445566778899AABBCCDDEEFF:69C4E0D86A7B0430D8CDB78070B4C55A
+
+# AES 192 ECB tests (from FIPS-197 test vectors, encrypt)
+
+AES-192-ECB:000102030405060708090A0B0C0D0E0F1011121314151617::00112233445566778899AABBCCDDEEFF:DDA97CA4864CDFE06EAF70A0EC0D7191
+
+# AES 256 ECB tests (from FIPS-197 test vectors, encrypt)
+
+AES-256-ECB:000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F::00112233445566778899AABBCCDDEEFF:8EA2B7CA516745BFEAFC49904B496089
+
+# AES 128 ECB tests (from NIST test vectors, encrypt)
+
+#AES-128-ECB:00000000000000000000000000000000::00000000000000000000000000000000:C34C052CC0DA8D73451AFE5F03BE297F
+
+# AES 128 ECB tests (from NIST test vectors, decrypt)
+
+#AES-128-ECB:00000000000000000000000000000000::44416AC2D1F53C583303917E6BE9EBE0:00000000000000000000000000000000
+
+# AES 192 ECB tests (from NIST test vectors, decrypt)
+
+#AES-192-ECB:000000000000000000000000000000000000000000000000::48E31E9E256718F29229319C19F15BA4:00000000000000000000000000000000
+
+# AES 256 ECB tests (from NIST test vectors, decrypt)
+
+#AES-256-ECB:0000000000000000000000000000000000000000000000000000000000000000::058CCFFDBBCB382D1F6F56585D8A4ADE:00000000000000000000000000000000
+
+# AES 128 CBC tests (from NIST test vectors, encrypt)
+
+#AES-128-CBC:00000000000000000000000000000000:00000000000000000000000000000000:00000000000000000000000000000000:8A05FC5E095AF4848A08D328D3688E3D
+
+# AES 192 CBC tests (from NIST test vectors, encrypt)
+
+#AES-192-CBC:000000000000000000000000000000000000000000000000:00000000000000000000000000000000:00000000000000000000000000000000:7BD966D53AD8C1BB85D2ADFAE87BB104
+
+# AES 256 CBC tests (from NIST test vectors, encrypt)
+
+#AES-256-CBC:0000000000000000000000000000000000000000000000000000000000000000:00000000000000000000000000000000:00000000000000000000000000000000:FE3C53653E2F45B56FCD88B2CC898FF0
+
+# AES 128 CBC tests (from NIST test vectors, decrypt)
+
+#AES-128-CBC:00000000000000000000000000000000:00000000000000000000000000000000:FACA37E0B0C85373DF706E73F7C9AF86:00000000000000000000000000000000
+
+# DES ECB tests (from destest)
+
+DES-ECB:0000000000000000::0000000000000000:8CA64DE9C1B123A7
+DES-ECB:FFFFFFFFFFFFFFFF::FFFFFFFFFFFFFFFF:7359B2163E4EDC58
+DES-ECB:3000000000000000::1000000000000001:958E6E627A05557B
+DES-ECB:1111111111111111::1111111111111111:F40379AB9E0EC533
+DES-ECB:0123456789ABCDEF::1111111111111111:17668DFC7292532D
+DES-ECB:1111111111111111::0123456789ABCDEF:8A5AE1F81AB8F2DD
+DES-ECB:FEDCBA9876543210::0123456789ABCDEF:ED39D950FA74BCC4
+
+# DESX-CBC tests (from destest)
+DESX-CBC:0123456789abcdeff1e0d3c2b5a49786fedcba9876543210:fedcba9876543210:37363534333231204E6F77206973207468652074696D6520666F722000000000:846B2914851E9A2954732F8AA0A611C115CDC2D7951B1053A63C5E03B21AA3C4
+
+# DES EDE3 CBC tests (from destest)
+DES-EDE3-CBC:0123456789abcdeff1e0d3c2b5a49786fedcba9876543210:fedcba9876543210:37363534333231204E6F77206973207468652074696D6520666F722000000000:3FE301C962AC01D02213763C1CBD4CDC799657C064ECF5D41C673812CFDE9675
+
+# RC4 tests (from rc4test)
+RC4:0123456789abcdef0123456789abcdef::0123456789abcdef:75b7878099e0c596
+RC4:0123456789abcdef0123456789abcdef::0000000000000000:7494c2e7104b0879
+RC4:00000000000000000000000000000000::0000000000000000:de188941a3375d3a
+RC4:ef012345ef012345ef012345ef012345::0000000000000000000000000000000000000000:d6a141a7ec3c38dfbd615a1162e1c7ba36b67858
+RC4:0123456789abcdef0123456789abcdef::123456789ABCDEF0123456789ABCDEF0123456789ABCDEF012345678:66a0949f8af7d6891f7f832ba833c00c892ebe30143ce28740011ecf
+RC4:ef012345ef012345ef012345ef012345::00000000000000000000:d6a141a7ec3c38dfbd61
diff --git a/src/lib/libcrypto/evp/m_dss.c b/src/lib/libcrypto/evp/m_dss.c
index 8ea826868e..beb8d7fc5c 100644
--- a/src/lib/libcrypto/evp/m_dss.c
+++ b/src/lib/libcrypto/evp/m_dss.c
@@ -62,21 +62,33 @@
 #include <openssl/objects.h>
 #include <openssl/x509.h>
 
-#ifndef NO_SHA
-static EVP_MD dsa_md=
+#ifndef OPENSSL_NO_SHA
+static int init(EVP_MD_CTX *ctx)
+        { return SHA1_Init(ctx->md_data); }
+
+static int update(EVP_MD_CTX *ctx,const void *data,unsigned long count)
+        { return SHA1_Update(ctx->md_data,data,count); }
+
+static int final(EVP_MD_CTX *ctx,unsigned char *md)
+        { return SHA1_Final(md,ctx->md_data); }
+
+static const EVP_MD dsa_md=
         {
         NID_dsaWithSHA,
         NID_dsaWithSHA,
         SHA_DIGEST_LENGTH,
-        SHA1_Init,
-        SHA1_Update,
-        SHA1_Final,
+        0,
+        init,
+        update,
+        final,
+        NULL,
+        NULL,
         EVP_PKEY_DSA_method,
         SHA_CBLOCK,
         sizeof(EVP_MD *)+sizeof(SHA_CTX),
         };
 
-EVP_MD *EVP_dss(void)
+const EVP_MD *EVP_dss(void)
         {
         return(&dsa_md);
         }
diff --git a/src/lib/libcrypto/evp/m_dss1.c b/src/lib/libcrypto/evp/m_dss1.c
index 9d8d1ce23e..f5668ebda0 100644
--- a/src/lib/libcrypto/evp/m_dss1.c
+++ b/src/lib/libcrypto/evp/m_dss1.c
@@ -56,27 +56,39 @@
  * [including the GNU Public Licence.]
  */
 
-#ifndef NO_SHA
+#ifndef OPENSSL_NO_SHA
 #include <stdio.h>
 #include "cryptlib.h"
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/x509.h>
 
-static EVP_MD dss1_md=
+static int init(EVP_MD_CTX *ctx)
+        { return SHA1_Init(ctx->md_data); }
+
+static int update(EVP_MD_CTX *ctx,const void *data,unsigned long count)
+        { return SHA1_Update(ctx->md_data,data,count); }
+
+static int final(EVP_MD_CTX *ctx,unsigned char *md)
+        { return SHA1_Final(md,ctx->md_data); }
+
+static const EVP_MD dss1_md=
         {
         NID_dsa,
         NID_dsaWithSHA1,
         SHA_DIGEST_LENGTH,
-        SHA1_Init,
-        SHA1_Update,
-        SHA1_Final,
+        0,
+        init,
+        update,
+        final,
+        NULL,
+        NULL,
         EVP_PKEY_DSA_method,
         SHA_CBLOCK,
         sizeof(EVP_MD *)+sizeof(SHA_CTX),
         };
 
-EVP_MD *EVP_dss1(void)
+const EVP_MD *EVP_dss1(void)
         {
         return(&dss1_md);
         }
diff --git a/src/lib/libcrypto/evp/m_md2.c b/src/lib/libcrypto/evp/m_md2.c
index 3281e91809..50914c83b3 100644
--- a/src/lib/libcrypto/evp/m_md2.c
+++ b/src/lib/libcrypto/evp/m_md2.c
@@ -56,27 +56,40 @@
  * [including the GNU Public Licence.]
  */
 
-#ifndef NO_MD2
+#ifndef OPENSSL_NO_MD2
 #include <stdio.h>
 #include "cryptlib.h"
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/x509.h>
+#include <openssl/md2.h>
 
-static EVP_MD md2_md=
+static int init(EVP_MD_CTX *ctx)
+        { return MD2_Init(ctx->md_data); }
+
+static int update(EVP_MD_CTX *ctx,const void *data,unsigned long count)
+        { return MD2_Update(ctx->md_data,data,count); }
+
+static int final(EVP_MD_CTX *ctx,unsigned char *md)
+        { return MD2_Final(md,ctx->md_data); }
+
+static const EVP_MD md2_md=
         {
         NID_md2,
         NID_md2WithRSAEncryption,
         MD2_DIGEST_LENGTH,
-        MD2_Init,
-        MD2_Update,
-        MD2_Final,
+        0,
+        init,
+        update,
+        final,
+        NULL,
+        NULL,
         EVP_PKEY_RSA_method,
         MD2_BLOCK,
         sizeof(EVP_MD *)+sizeof(MD2_CTX),
         };
 
-EVP_MD *EVP_md2(void)
+const EVP_MD *EVP_md2(void)
         {
         return(&md2_md);
         }
diff --git a/src/lib/libcrypto/evp/m_md4.c b/src/lib/libcrypto/evp/m_md4.c
index 6a24ceb86d..e19b663754 100644
--- a/src/lib/libcrypto/evp/m_md4.c
+++ b/src/lib/libcrypto/evp/m_md4.c
@@ -56,27 +56,40 @@
  * [including the GNU Public Licence.]
  */
 
-#ifndef NO_MD4
+#ifndef OPENSSL_NO_MD4
 #include <stdio.h>
 #include "cryptlib.h"
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/x509.h>
+#include <openssl/md4.h>
 
-static EVP_MD md4_md=
+static int init(EVP_MD_CTX *ctx)
+        { return MD4_Init(ctx->md_data); }
+
+static int update(EVP_MD_CTX *ctx,const void *data,unsigned long count)
+        { return MD4_Update(ctx->md_data,data,count); }
+
+static int final(EVP_MD_CTX *ctx,unsigned char *md)
+        { return MD4_Final(md,ctx->md_data); }
+
+static const EVP_MD md4_md=
         {
         NID_md4,
-        0,
+        NID_md4WithRSAEncryption,
         MD4_DIGEST_LENGTH,
-        MD4_Init,
-        MD4_Update,
-        MD4_Final,
+        0,
+        init,
+        update,
+        final,
+        NULL,
+        NULL,
         EVP_PKEY_RSA_method,
         MD4_CBLOCK,
         sizeof(EVP_MD *)+sizeof(MD4_CTX),
         };
 
-EVP_MD *EVP_md4(void)
+const EVP_MD *EVP_md4(void)
         {
         return(&md4_md);
         }
diff --git a/src/lib/libcrypto/evp/m_md5.c b/src/lib/libcrypto/evp/m_md5.c
index 9fc9530127..b00a03e048 100644
--- a/src/lib/libcrypto/evp/m_md5.c
+++ b/src/lib/libcrypto/evp/m_md5.c
@@ -56,27 +56,40 @@
  * [including the GNU Public Licence.]
  */
 
-#ifndef NO_MD5
+#ifndef OPENSSL_NO_MD5
 #include <stdio.h>
 #include "cryptlib.h"
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/x509.h>
+#include <openssl/md5.h>
 
-static EVP_MD md5_md=
+static int init(EVP_MD_CTX *ctx)
+        { return MD5_Init(ctx->md_data); }
+
+static int update(EVP_MD_CTX *ctx,const void *data,unsigned long count)
+        { return MD5_Update(ctx->md_data,data,count); }
+
+static int final(EVP_MD_CTX *ctx,unsigned char *md)
+        { return MD5_Final(md,ctx->md_data); }
+
+static const EVP_MD md5_md=
         {
         NID_md5,
         NID_md5WithRSAEncryption,
         MD5_DIGEST_LENGTH,
-        MD5_Init,
-        MD5_Update,
-        MD5_Final,
+        0,
+        init,
+        update,
+        final,
+        NULL,
+        NULL,
         EVP_PKEY_RSA_method,
         MD5_CBLOCK,
         sizeof(EVP_MD *)+sizeof(MD5_CTX),
         };
 
-EVP_MD *EVP_md5(void)
+const EVP_MD *EVP_md5(void)
         {
         return(&md5_md);
         }
diff --git a/src/lib/libcrypto/evp/m_mdc2.c b/src/lib/libcrypto/evp/m_mdc2.c
index 2c7f1ae515..9f6467c931 100644
--- a/src/lib/libcrypto/evp/m_mdc2.c
+++ b/src/lib/libcrypto/evp/m_mdc2.c
@@ -56,27 +56,40 @@
  * [including the GNU Public Licence.]
  */
 
-#ifndef NO_MDC2
+#ifndef OPENSSL_NO_MDC2
 #include <stdio.h>
 #include "cryptlib.h"
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/x509.h>
+#include <openssl/mdc2.h>
 
-static EVP_MD mdc2_md=
+static int init(EVP_MD_CTX *ctx)
+        { return MDC2_Init(ctx->md_data); }
+
+static int update(EVP_MD_CTX *ctx,const void *data,unsigned long count)
+        { return MDC2_Update(ctx->md_data,data,count); }
+
+static int final(EVP_MD_CTX *ctx,unsigned char *md)
+        { return MDC2_Final(md,ctx->md_data); }
+
+static const EVP_MD mdc2_md=
         {
         NID_mdc2,
         NID_mdc2WithRSA,
         MDC2_DIGEST_LENGTH,
-        MDC2_Init,
-        MDC2_Update,
-        MDC2_Final,
+        0,
+        init,
+        update,
+        final,
+        NULL,
+        NULL,
         EVP_PKEY_RSA_ASN1_OCTET_STRING_method,
         MDC2_BLOCK,
         sizeof(EVP_MD *)+sizeof(MDC2_CTX),
         };
 
-EVP_MD *EVP_mdc2(void)
+const EVP_MD *EVP_mdc2(void)
         {
         return(&mdc2_md);
         }
diff --git a/src/lib/libcrypto/evp/m_null.c b/src/lib/libcrypto/evp/m_null.c
index e2dadf3dab..f6f0a1d2c0 100644
--- a/src/lib/libcrypto/evp/m_null.c
+++ b/src/lib/libcrypto/evp/m_null.c
@@ -62,25 +62,32 @@
 #include <openssl/objects.h>
 #include <openssl/x509.h>
 
-static void function(void)
-        {
-        }
+static int init(EVP_MD_CTX *ctx)
+        { return 1; }
+
+static int update(EVP_MD_CTX *ctx,const void *data,unsigned long count)
+        { return 1; }
 
-static EVP_MD null_md=
+static int final(EVP_MD_CTX *ctx,unsigned char *md)
+        { return 1; }
+
+static const EVP_MD null_md=
         {
         NID_undef,
         NID_undef,
         0,
-        function,
-        function,
-        function,
-        
+        0,
+        init,
+        update,
+        final,
+        NULL,
+        NULL,
         EVP_PKEY_NULL_method,
         0,
         sizeof(EVP_MD *),
         };
 
-EVP_MD *EVP_md_null(void)
+const EVP_MD *EVP_md_null(void)
         {
         return(&null_md);
         }
diff --git a/src/lib/libcrypto/evp/m_ripemd.c b/src/lib/libcrypto/evp/m_ripemd.c
index 3d781a4e8d..64725528dc 100644
--- a/src/lib/libcrypto/evp/m_ripemd.c
+++ b/src/lib/libcrypto/evp/m_ripemd.c
@@ -56,7 +56,7 @@
  * [including the GNU Public Licence.]
  */
 
-#ifndef NO_RIPEMD
+#ifndef OPENSSL_NO_RIPEMD
 #include <stdio.h>
 #include "cryptlib.h"
 #include <openssl/ripemd.h>
@@ -64,20 +64,32 @@
 #include <openssl/objects.h>
 #include <openssl/x509.h>
 
-static EVP_MD ripemd160_md=
+static int init(EVP_MD_CTX *ctx)
+        { return RIPEMD160_Init(ctx->md_data); }
+
+static int update(EVP_MD_CTX *ctx,const void *data,unsigned long count)
+        { return RIPEMD160_Update(ctx->md_data,data,count); }
+
+static int final(EVP_MD_CTX *ctx,unsigned char *md)
+        { return RIPEMD160_Final(md,ctx->md_data); }
+
+static const EVP_MD ripemd160_md=
         {
         NID_ripemd160,
         NID_ripemd160WithRSA,
         RIPEMD160_DIGEST_LENGTH,
-        RIPEMD160_Init,
-        RIPEMD160_Update,
-        RIPEMD160_Final,
+        0,
+        init,
+        update,
+        final,
+        NULL,
+        NULL,
         EVP_PKEY_RSA_method,
         RIPEMD160_CBLOCK,
         sizeof(EVP_MD *)+sizeof(RIPEMD160_CTX),
         };
 
-EVP_MD *EVP_ripemd160(void)
+const EVP_MD *EVP_ripemd160(void)
         {
         return(&ripemd160_md);
         }
diff --git a/src/lib/libcrypto/evp/m_sha.c b/src/lib/libcrypto/evp/m_sha.c
index 6d35b71b85..10697c7ed3 100644
--- a/src/lib/libcrypto/evp/m_sha.c
+++ b/src/lib/libcrypto/evp/m_sha.c
@@ -56,27 +56,39 @@
  * [including the GNU Public Licence.]
  */
 
-#ifndef NO_SHA
+#ifndef OPENSSL_NO_SHA
 #include <stdio.h>
 #include "cryptlib.h"
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/x509.h>
 
-static EVP_MD sha_md=
+static int init(EVP_MD_CTX *ctx)
+        { return SHA_Init(ctx->md_data); }
+
+static int update(EVP_MD_CTX *ctx,const void *data,unsigned long count)
+        { return SHA_Update(ctx->md_data,data,count); }
+
+static int final(EVP_MD_CTX *ctx,unsigned char *md)
+        { return SHA_Final(md,ctx->md_data); }
+
+static const EVP_MD sha_md=
         {
         NID_sha,
         NID_shaWithRSAEncryption,
         SHA_DIGEST_LENGTH,
-        SHA_Init,
-        SHA_Update,
-        SHA_Final,
+        0,
+        init,
+        update,
+        final,
+        NULL,
+        NULL,
         EVP_PKEY_RSA_method,
         SHA_CBLOCK,
         sizeof(EVP_MD *)+sizeof(SHA_CTX),
         };
 
-EVP_MD *EVP_sha(void)
+const EVP_MD *EVP_sha(void)
         {
         return(&sha_md);
         }
diff --git a/src/lib/libcrypto/evp/m_sha1.c b/src/lib/libcrypto/evp/m_sha1.c
index 57a1ab0cce..d6be3502f0 100644
--- a/src/lib/libcrypto/evp/m_sha1.c
+++ b/src/lib/libcrypto/evp/m_sha1.c
@@ -56,27 +56,39 @@
  * [including the GNU Public Licence.]
  */
 
-#ifndef NO_SHA
+#ifndef OPENSSL_NO_SHA
 #include <stdio.h>
 #include "cryptlib.h"
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/x509.h>
 
-static EVP_MD sha1_md=
+static int init(EVP_MD_CTX *ctx)
+        { return SHA1_Init(ctx->md_data); }
+
+static int update(EVP_MD_CTX *ctx,const void *data,unsigned long count)
+        { return SHA1_Update(ctx->md_data,data,count); }
+
+static int final(EVP_MD_CTX *ctx,unsigned char *md)
+        { return SHA1_Final(md,ctx->md_data); }
+
+static const EVP_MD sha1_md=
         {
         NID_sha1,
         NID_sha1WithRSAEncryption,
         SHA_DIGEST_LENGTH,
-        SHA1_Init,
-        SHA1_Update,
-        SHA1_Final,
+        0,
+        init,
+        update,
+        final,
+        NULL,
+        NULL,
         EVP_PKEY_RSA_method,
         SHA_CBLOCK,
         sizeof(EVP_MD *)+sizeof(SHA_CTX),
         };
 
-EVP_MD *EVP_sha1(void)
+const EVP_MD *EVP_sha1(void)
         {
         return(&sha1_md);
         }
diff --git a/src/lib/libcrypto/evp/names.c b/src/lib/libcrypto/evp/names.c
index 620f43feaa..eb9f4329cd 100644
--- a/src/lib/libcrypto/evp/names.c
+++ b/src/lib/libcrypto/evp/names.c
@@ -62,7 +62,7 @@
 #include <openssl/objects.h>
 #include <openssl/x509.h>
 
-int EVP_add_cipher(EVP_CIPHER *c)
+int EVP_add_cipher(const EVP_CIPHER *c)
         {
         int r;
 
@@ -72,7 +72,7 @@ int EVP_add_cipher(EVP_CIPHER *c)
         return(r);
         }
 
-int EVP_add_digest(EVP_MD *md)
+int EVP_add_digest(const EVP_MD *md)
         {
         int r;
         const char *name;
diff --git a/src/lib/libcrypto/evp/openbsd_hw.c b/src/lib/libcrypto/evp/openbsd_hw.c
new file mode 100644
index 0000000000..3831a5731e
--- /dev/null
+++ b/src/lib/libcrypto/evp/openbsd_hw.c
@@ -0,0 +1,446 @@
+/* Written by Ben Laurie, 2001 */
+/*
+ * Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+#include <openssl/rsa.h>
+#include "evp_locl.h"
+
+/* This stuff should now all be supported through
+ * crypto/engine/hw_openbsd_dev_crypto.c unless I botched it up */
+static void *dummy=&dummy;
+
+#if 0
+
+/* check flag after OpenSSL headers to ensure make depend works */
+#ifdef OPENSSL_OPENBSD_DEV_CRYPTO
+
+#include <fcntl.h>
+#include <stdio.h>
+#include <errno.h>
+#include <sys/ioctl.h>
+#include <crypto/cryptodev.h>
+#include <unistd.h>
+#include <assert.h>
+
+/* longest key supported in hardware */
+#define MAX_HW_KEY      24
+#define MAX_HW_IV       8
+
+#define MD5_DIGEST_LENGTH       16
+#define MD5_CBLOCK              64
+
+static int fd;
+static int dev_failed;
+
+typedef struct session_op session_op;
+
+#define CDATA(ctx) EVP_C_DATA(session_op,ctx)
+
+static void err(const char *str)
+    {
+    fprintf(stderr,"%s: errno %d\n",str,errno);
+    }
+
+static int dev_crypto_init(session_op *ses)
+    {
+    if(dev_failed)
+        return 0;
+    if(!fd)
+        {
+        int cryptodev_fd;
+
+        if ((cryptodev_fd=open("/dev/crypto",O_RDWR,0)) < 0)
+            {
+            err("/dev/crypto");
+            dev_failed=1;
+            return 0;
+            }
+        if (ioctl(cryptodev_fd,CRIOGET,&fd) == -1)
+            {
+            err("CRIOGET failed");
+            close(cryptodev_fd);
+            dev_failed=1;
+            return 0;
+            }
+        close(cryptodev_fd);
+        }
+    assert(ses);
+    memset(ses,'\0',sizeof *ses);
+
+    return 1;
+    }
+
+static int dev_crypto_cleanup(EVP_CIPHER_CTX *ctx)
+    {
+    if(ioctl(fd,CIOCFSESSION,&CDATA(ctx)->ses) == -1)
+        err("CIOCFSESSION failed");
+
+    OPENSSL_free(CDATA(ctx)->key);
+
+    return 1;
+    }
+
+static int dev_crypto_init_key(EVP_CIPHER_CTX *ctx,int cipher,
+                               const unsigned char *key,int klen)
+    {
+    if(!dev_crypto_init(CDATA(ctx)))
+        return 0;
+
+    CDATA(ctx)->key=OPENSSL_malloc(MAX_HW_KEY);
+
+    assert(ctx->cipher->iv_len <= MAX_HW_IV);
+
+    memcpy(CDATA(ctx)->key,key,klen);
+    
+    CDATA(ctx)->cipher=cipher;
+    CDATA(ctx)->keylen=klen;
+
+    if (ioctl(fd,CIOCGSESSION,CDATA(ctx)) == -1)
+        {
+        err("CIOCGSESSION failed");
+        return 0;
+        }
+    return 1;
+    }
+
+static int dev_crypto_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out,
+                             const unsigned char *in,unsigned int inl)
+    {
+    struct crypt_op cryp;
+    unsigned char lb[MAX_HW_IV];
+
+    if(!inl)
+        return 1;
+
+    assert(CDATA(ctx));
+    assert(!dev_failed);
+
+    memset(&cryp,'\0',sizeof cryp);
+    cryp.ses=CDATA(ctx)->ses;
+    cryp.op=ctx->encrypt ? COP_ENCRYPT : COP_DECRYPT;
+    cryp.flags=0;
+    cryp.len=inl;
+    assert((inl&(ctx->cipher->block_size-1)) == 0);
+    cryp.src=(caddr_t)in;
+    cryp.dst=(caddr_t)out;
+    cryp.mac=0;
+    if(ctx->cipher->iv_len)
+        cryp.iv=(caddr_t)ctx->iv;
+
+    if(!ctx->encrypt)
+        memcpy(lb,&in[cryp.len-ctx->cipher->iv_len],ctx->cipher->iv_len);
+
+    if(ioctl(fd, CIOCCRYPT, &cryp) == -1)
+        {
+        if(errno == EINVAL) /* buffers are misaligned */
+            {
+            unsigned int cinl=0;
+            char *cin=NULL;
+            char *cout=NULL;
+
+            /* NB: this can only make cinl != inl with stream ciphers */
+            cinl=(inl+3)/4*4;
+
+            if(((unsigned long)in&3) || cinl != inl)
+                {
+                cin=OPENSSL_malloc(cinl);
+                memcpy(cin,in,inl);
+                cryp.src=cin;
+                }
+
+            if(((unsigned long)out&3) || cinl != inl)
+                {
+                cout=OPENSSL_malloc(cinl);
+                cryp.dst=cout;
+                }
+
+            cryp.len=cinl;
+
+            if(ioctl(fd, CIOCCRYPT, &cryp) == -1)
+                {
+                err("CIOCCRYPT(2) failed");
+                printf("src=%p dst=%p\n",cryp.src,cryp.dst);
+                abort();
+                return 0;
+                }
+                
+            if(cout)
+                {
+                memcpy(out,cout,inl);
+                OPENSSL_free(cout);
+                }
+            if(cin)
+                OPENSSL_free(cin);
+            }
+        else 
+            {       
+            err("CIOCCRYPT failed");
+            abort();
+            return 0;
+            }
+        }
+
+    if(ctx->encrypt)
+        memcpy(ctx->iv,&out[cryp.len-ctx->cipher->iv_len],ctx->cipher->iv_len);
+    else
+        memcpy(ctx->iv,lb,ctx->cipher->iv_len);
+
+    return 1;
+    }
+
+static int dev_crypto_des_ede3_init_key(EVP_CIPHER_CTX *ctx,
+                                        const unsigned char *key,
+                                        const unsigned char *iv, int enc)
+    { return dev_crypto_init_key(ctx,CRYPTO_3DES_CBC,key,24); }
+
+#define dev_crypto_des_ede3_cbc_cipher dev_crypto_cipher
+
+BLOCK_CIPHER_def_cbc(dev_crypto_des_ede3, session_op, NID_des_ede3, 8, 24, 8,
+                     0, dev_crypto_des_ede3_init_key,
+                     dev_crypto_cleanup, 
+                     EVP_CIPHER_set_asn1_iv,
+                     EVP_CIPHER_get_asn1_iv,
+                     NULL)
+
+static int dev_crypto_rc4_init_key(EVP_CIPHER_CTX *ctx,
+                                        const unsigned char *key,
+                                        const unsigned char *iv, int enc)
+    { return dev_crypto_init_key(ctx,CRYPTO_ARC4,key,16); }
+
+static const EVP_CIPHER r4_cipher=
+    {
+    NID_rc4,
+    1,16,0,     /* FIXME: key should be up to 256 bytes */
+    EVP_CIPH_VARIABLE_LENGTH,
+    dev_crypto_rc4_init_key,
+    dev_crypto_cipher,
+    dev_crypto_cleanup,
+    sizeof(session_op),
+    NULL,
+    NULL,
+    NULL
+    };
+
+const EVP_CIPHER *EVP_dev_crypto_rc4(void)
+    { return &r4_cipher; }
+
+typedef struct
+    {
+    session_op sess;
+    char *data;
+    int len;
+    unsigned char md[EVP_MAX_MD_SIZE];
+    } MD_DATA;
+
+static int dev_crypto_init_digest(MD_DATA *md_data,int mac)
+    {
+    if(!dev_crypto_init(&md_data->sess))
+        return 0;
+
+    md_data->len=0;
+    md_data->data=NULL;
+
+    md_data->sess.mac=mac;
+
+    if (ioctl(fd,CIOCGSESSION,&md_data->sess) == -1)
+        {
+        err("CIOCGSESSION failed");
+        return 0;
+        }
+    return 1;
+    }
+
+static int dev_crypto_cleanup_digest(MD_DATA *md_data)
+    {
+    if (ioctl(fd,CIOCFSESSION,&md_data->sess.ses) == -1)
+        {
+        err("CIOCFSESSION failed");
+        return 0;
+        }
+
+    return 1;
+    }
+
+/* FIXME: if device can do chained MACs, then don't accumulate */
+/* FIXME: move accumulation to the framework */
+static int dev_crypto_md5_init(EVP_MD_CTX *ctx)
+    { return dev_crypto_init_digest(ctx->md_data,CRYPTO_MD5); }
+
+static int do_digest(int ses,unsigned char *md,const void *data,int len)
+    {
+    struct crypt_op cryp;
+    static unsigned char md5zero[16]=
+        {
+        0xd4,0x1d,0x8c,0xd9,0x8f,0x00,0xb2,0x04,
+        0xe9,0x80,0x09,0x98,0xec,0xf8,0x42,0x7e
+        };
+
+    /* some cards can't do zero length */
+    if(!len)
+        {
+        memcpy(md,md5zero,16);
+        return 1;
+        }
+
+    memset(&cryp,'\0',sizeof cryp);
+    cryp.ses=ses;
+    cryp.op=COP_ENCRYPT;/* required to do the MAC rather than check it */
+    cryp.len=len;
+    cryp.src=(caddr_t)data;
+    cryp.dst=(caddr_t)data; // FIXME!!!
+    cryp.mac=(caddr_t)md;
+
+    if(ioctl(fd, CIOCCRYPT, &cryp) == -1)
+        {
+        if(errno == EINVAL) /* buffer is misaligned */
+            {
+            char *dcopy;
+
+            dcopy=OPENSSL_malloc(len);
+            memcpy(dcopy,data,len);
+            cryp.src=dcopy;
+            cryp.dst=cryp.src; // FIXME!!!
+
+            if(ioctl(fd, CIOCCRYPT, &cryp) == -1)
+                {
+                err("CIOCCRYPT(MAC2) failed");
+                abort();
+                return 0;
+                }
+            OPENSSL_free(dcopy);
+            }
+        else
+            {
+            err("CIOCCRYPT(MAC) failed");
+            abort();
+            return 0;
+            }
+        }
+    //    printf("done\n");
+
+    return 1;
+    }
+
+static int dev_crypto_md5_update(EVP_MD_CTX *ctx,const void *data,
+                                 unsigned long len)
+    {
+    MD_DATA *md_data=ctx->md_data;
+
+    if(ctx->flags&EVP_MD_CTX_FLAG_ONESHOT)
+        return do_digest(md_data->sess.ses,md_data->md,data,len);
+
+    md_data->data=OPENSSL_realloc(md_data->data,md_data->len+len);
+    memcpy(md_data->data+md_data->len,data,len);
+    md_data->len+=len;
+
+    return 1;
+    }   
+
+static int dev_crypto_md5_final(EVP_MD_CTX *ctx,unsigned char *md)
+    {
+    int ret;
+    MD_DATA *md_data=ctx->md_data;
+
+    if(ctx->flags&EVP_MD_CTX_FLAG_ONESHOT)
+        {
+        memcpy(md,md_data->md,MD5_DIGEST_LENGTH);
+        ret=1;
+        }
+    else
+        {
+        ret=do_digest(md_data->sess.ses,md,md_data->data,md_data->len);
+        OPENSSL_free(md_data->data);
+        md_data->data=NULL;
+        md_data->len=0;
+        }
+
+    return ret;
+    }
+
+static int dev_crypto_md5_copy(EVP_MD_CTX *to,const EVP_MD_CTX *from)
+    {
+    const MD_DATA *from_md=from->md_data;
+    MD_DATA *to_md=to->md_data;
+
+    // How do we copy sessions?
+    assert(from->digest->flags&EVP_MD_FLAG_ONESHOT);
+
+    to_md->data=OPENSSL_malloc(from_md->len);
+    memcpy(to_md->data,from_md->data,from_md->len);
+
+    return 1;
+    }
+
+static int dev_crypto_md5_cleanup(EVP_MD_CTX *ctx)
+    {
+    return dev_crypto_cleanup_digest(ctx->md_data);
+    }
+
+static const EVP_MD md5_md=
+    {
+    NID_md5,
+    NID_md5WithRSAEncryption,
+    MD5_DIGEST_LENGTH,
+    EVP_MD_FLAG_ONESHOT,        // XXX: set according to device info...
+    dev_crypto_md5_init,
+    dev_crypto_md5_update,
+    dev_crypto_md5_final,
+    dev_crypto_md5_copy,
+    dev_crypto_md5_cleanup,
+    EVP_PKEY_RSA_method,
+    MD5_CBLOCK,
+    sizeof(MD_DATA),
+    };
+
+const EVP_MD *EVP_dev_crypto_md5(void)
+    { return &md5_md; }
+
+#endif
+#endif
diff --git a/src/lib/libcrypto/evp/p5_crpt.c b/src/lib/libcrypto/evp/p5_crpt.c
index 6bfa2c5acb..113c60fedb 100644
--- a/src/lib/libcrypto/evp/p5_crpt.c
+++ b/src/lib/libcrypto/evp/p5_crpt.c
@@ -67,41 +67,41 @@
 
 void PKCS5_PBE_add(void)
 {
-#ifndef NO_DES
-#  ifndef NO_MD5
+#ifndef OPENSSL_NO_DES
+#  ifndef OPENSSL_NO_MD5
 EVP_PBE_alg_add(NID_pbeWithMD5AndDES_CBC, EVP_des_cbc(), EVP_md5(),
                                                          PKCS5_PBE_keyivgen);
 #  endif
-#  ifndef NO_MD2
+#  ifndef OPENSSL_NO_MD2
 EVP_PBE_alg_add(NID_pbeWithMD2AndDES_CBC, EVP_des_cbc(), EVP_md2(),
                                                          PKCS5_PBE_keyivgen);
 #  endif
-#  ifndef NO_SHA
+#  ifndef OPENSSL_NO_SHA
 EVP_PBE_alg_add(NID_pbeWithSHA1AndDES_CBC, EVP_des_cbc(), EVP_sha1(),
                                                          PKCS5_PBE_keyivgen);
 #  endif
 #endif
-#ifndef NO_RC2
-#  ifndef NO_MD5
+#ifndef OPENSSL_NO_RC2
+#  ifndef OPENSSL_NO_MD5
 EVP_PBE_alg_add(NID_pbeWithMD5AndRC2_CBC, EVP_rc2_64_cbc(), EVP_md5(),
                                                          PKCS5_PBE_keyivgen);
 #  endif
-#  ifndef NO_MD2
+#  ifndef OPENSSL_NO_MD2
 EVP_PBE_alg_add(NID_pbeWithMD2AndRC2_CBC, EVP_rc2_64_cbc(), EVP_md2(),
                                                          PKCS5_PBE_keyivgen);
 #  endif
-#  ifndef NO_SHA
+#  ifndef OPENSSL_NO_SHA
 EVP_PBE_alg_add(NID_pbeWithSHA1AndRC2_CBC, EVP_rc2_64_cbc(), EVP_sha1(),
                                                          PKCS5_PBE_keyivgen);
 #  endif
 #endif
-#ifndef NO_HMAC
+#ifndef OPENSSL_NO_HMAC
 EVP_PBE_alg_add(NID_pbes2, NULL, NULL, PKCS5_v2_PBE_keyivgen);
 #endif
 }
 
 int PKCS5_PBE_keyivgen(EVP_CIPHER_CTX *cctx, const char *pass, int passlen,
-                         ASN1_TYPE *param, EVP_CIPHER *cipher, EVP_MD *md,
+                         ASN1_TYPE *param, const EVP_CIPHER *cipher, const EVP_MD *md,
                          int en_de)
 {
         EVP_MD_CTX ctx;
@@ -128,20 +128,22 @@ int PKCS5_PBE_keyivgen(EVP_CIPHER_CTX *cctx, const char *pass, int passlen,
         if(!pass) passlen = 0;
         else if(passlen == -1) passlen = strlen(pass);
 
-        EVP_DigestInit (&ctx, md);
-        EVP_DigestUpdate (&ctx, pass, passlen);
-        EVP_DigestUpdate (&ctx, salt, saltlen);
+        EVP_MD_CTX_init(&ctx);
+        EVP_DigestInit_ex(&ctx, md, NULL);
+        EVP_DigestUpdate(&ctx, pass, passlen);
+        EVP_DigestUpdate(&ctx, salt, saltlen);
         PBEPARAM_free(pbe);
-        EVP_DigestFinal (&ctx, md_tmp, NULL);
+        EVP_DigestFinal_ex(&ctx, md_tmp, NULL);
         for (i = 1; i < iter; i++) {
-                EVP_DigestInit(&ctx, md);
+                EVP_DigestInit_ex(&ctx, md, NULL);
                 EVP_DigestUpdate(&ctx, md_tmp, EVP_MD_size(md));
-                EVP_DigestFinal (&ctx, md_tmp, NULL);
+                EVP_DigestFinal_ex (&ctx, md_tmp, NULL);
         }
-        memcpy (key, md_tmp, EVP_CIPHER_key_length(cipher));
-        memcpy (iv, md_tmp + (16 - EVP_CIPHER_iv_length(cipher)),
+        EVP_MD_CTX_cleanup(&ctx);
+        memcpy(key, md_tmp, EVP_CIPHER_key_length(cipher));
+        memcpy(iv, md_tmp + (16 - EVP_CIPHER_iv_length(cipher)),
                                                  EVP_CIPHER_iv_length(cipher));
-        EVP_CipherInit(cctx, cipher, key, iv, en_de);
+        EVP_CipherInit_ex(cctx, cipher, NULL, key, iv, en_de);
         memset(md_tmp, 0, EVP_MAX_MD_SIZE);
         memset(key, 0, EVP_MAX_KEY_LENGTH);
         memset(iv, 0, EVP_MAX_IV_LENGTH);
diff --git a/src/lib/libcrypto/evp/p5_crpt2.c b/src/lib/libcrypto/evp/p5_crpt2.c
index 717fad68ca..7881860b53 100644
--- a/src/lib/libcrypto/evp/p5_crpt2.c
+++ b/src/lib/libcrypto/evp/p5_crpt2.c
@@ -55,7 +55,7 @@
  * Hudson (tjh@cryptsoft.com).
  *
  */
-#if !defined(NO_HMAC) && !defined(NO_SHA)
+#if !defined(OPENSSL_NO_HMAC) && !defined(OPENSSL_NO_SHA)
 #include <stdio.h>
 #include <stdlib.h>
 #include <openssl/x509.h>
@@ -84,6 +84,8 @@ int PKCS5_PBKDF2_HMAC_SHA1(const char *pass, int passlen,
         int cplen, j, k, tkeylen;
         unsigned long i = 1;
         HMAC_CTX hctx;
+
+        HMAC_CTX_init(&hctx);
         p = out;
         tkeylen = keylen;
         if(!pass) passlen = 0;
@@ -98,7 +100,7 @@ int PKCS5_PBKDF2_HMAC_SHA1(const char *pass, int passlen,
                 itmp[1] = (unsigned char)((i >> 16) & 0xff);
                 itmp[2] = (unsigned char)((i >> 8) & 0xff);
                 itmp[3] = (unsigned char)(i & 0xff);
-                HMAC_Init(&hctx, pass, passlen, EVP_sha1());
+                HMAC_Init_ex(&hctx, pass, passlen, EVP_sha1(), NULL);
                 HMAC_Update(&hctx, salt, saltlen);
                 HMAC_Update(&hctx, itmp, 4);
                 HMAC_Final(&hctx, digtmp, NULL);
@@ -112,7 +114,7 @@ int PKCS5_PBKDF2_HMAC_SHA1(const char *pass, int passlen,
                 i++;
                 p+= cplen;
         }
-        HMAC_cleanup(&hctx);
+        HMAC_CTX_cleanup(&hctx);
 #ifdef DEBUG_PKCS5V2
         fprintf(stderr, "Password:\n");
         h__dump (pass, passlen);
@@ -143,7 +145,7 @@ main()
  */
 
 int PKCS5_v2_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
-                         ASN1_TYPE *param, EVP_CIPHER *c, EVP_MD *md,
+                         ASN1_TYPE *param, const EVP_CIPHER *c, const EVP_MD *md,
                          int en_de)
 {
         unsigned char *pbuf, *salt, key[EVP_MAX_KEY_LENGTH];
@@ -181,7 +183,7 @@ int PKCS5_v2_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
         }
 
         /* Fixup cipher based on AlgorithmIdentifier */
-        EVP_CipherInit(ctx, cipher, NULL, NULL, en_de);
+        EVP_CipherInit_ex(ctx, cipher, NULL, NULL, NULL, en_de);
         if(EVP_CIPHER_asn1_to_param(ctx, pbe2->encryption->parameter) < 0) {
                 EVPerr(EVP_F_PKCS5_V2_PBE_KEYIVGEN,
                                         EVP_R_CIPHER_PARAMETER_ERROR);
@@ -227,7 +229,7 @@ int PKCS5_v2_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
         saltlen = kdf->salt->value.octet_string->length;
         iter = ASN1_INTEGER_get(kdf->iter);
         PKCS5_PBKDF2_HMAC_SHA1(pass, passlen, salt, saltlen, iter, keylen, key);
-        EVP_CipherInit(ctx, NULL, key, NULL, en_de);
+        EVP_CipherInit_ex(ctx, NULL, NULL, key, NULL, en_de);
         memset(key, 0, keylen);
         PBKDF2PARAM_free(kdf);
         return 1;
diff --git a/src/lib/libcrypto/evp/p_dec.c b/src/lib/libcrypto/evp/p_dec.c
index 57b5daa453..8af620400e 100644
--- a/src/lib/libcrypto/evp/p_dec.c
+++ b/src/lib/libcrypto/evp/p_dec.c
@@ -59,7 +59,7 @@
 #include <stdio.h>
 #include "cryptlib.h"
 #include <openssl/rand.h>
-#ifndef NO_RSA
+#ifndef OPENSSL_NO_RSA
 #include <openssl/rsa.h>
 #endif
 #include <openssl/evp.h>
@@ -71,12 +71,12 @@ int EVP_PKEY_decrypt(unsigned char *key, unsigned char *ek, int ekl,
         {
         int ret= -1;
         
-#ifndef NO_RSA
+#ifndef OPENSSL_NO_RSA
         if (priv->type != EVP_PKEY_RSA)
                 {
 #endif
                 EVPerr(EVP_F_EVP_PKEY_DECRYPT,EVP_R_PUBLIC_KEY_NOT_RSA);
-#ifndef NO_RSA
+#ifndef OPENSSL_NO_RSA
                 goto err;
                 }
 
diff --git a/src/lib/libcrypto/evp/p_enc.c b/src/lib/libcrypto/evp/p_enc.c
index 4cf6acaf5d..656883b996 100644
--- a/src/lib/libcrypto/evp/p_enc.c
+++ b/src/lib/libcrypto/evp/p_enc.c
@@ -59,7 +59,7 @@
 #include <stdio.h>
 #include "cryptlib.h"
 #include <openssl/rand.h>
-#ifndef NO_RSA
+#ifndef OPENSSL_NO_RSA
 #include <openssl/rsa.h>
 #endif
 #include <openssl/evp.h>
@@ -71,12 +71,12 @@ int EVP_PKEY_encrypt(unsigned char *ek, unsigned char *key, int key_len,
         {
         int ret=0;
         
-#ifndef NO_RSA
+#ifndef OPENSSL_NO_RSA
         if (pubk->type != EVP_PKEY_RSA)
                 {
 #endif
                 EVPerr(EVP_F_EVP_PKEY_ENCRYPT,EVP_R_PUBLIC_KEY_NOT_RSA);
-#ifndef NO_RSA
+#ifndef OPENSSL_NO_RSA
                 goto err;
                 }
         ret=RSA_public_encrypt(key_len,key,ek,pubk->pkey.rsa,RSA_PKCS1_PADDING);
diff --git a/src/lib/libcrypto/evp/p_lib.c b/src/lib/libcrypto/evp/p_lib.c
index 62398ed74d..215b94292a 100644
--- a/src/lib/libcrypto/evp/p_lib.c
+++ b/src/lib/libcrypto/evp/p_lib.c
@@ -64,14 +64,15 @@
 #include <openssl/x509.h>
 
 static void EVP_PKEY_free_it(EVP_PKEY *x);
+
 int EVP_PKEY_bits(EVP_PKEY *pkey)
         {
-#ifndef NO_RSA
+#ifndef OPENSSL_NO_RSA
         if (pkey->type == EVP_PKEY_RSA)
                 return(BN_num_bits(pkey->pkey.rsa->n));
         else
 #endif
-#ifndef NO_DSA
+#ifndef OPENSSL_NO_DSA
                 if (pkey->type == EVP_PKEY_DSA)
                 return(BN_num_bits(pkey->pkey.dsa->p));
 #endif
@@ -82,12 +83,12 @@ int EVP_PKEY_size(EVP_PKEY *pkey)
         {
         if (pkey == NULL)
                 return(0);
-#ifndef NO_RSA
+#ifndef OPENSSL_NO_RSA
         if (pkey->type == EVP_PKEY_RSA)
                 return(RSA_size(pkey->pkey.rsa));
         else
 #endif
-#ifndef NO_DSA
+#ifndef OPENSSL_NO_DSA
                 if (pkey->type == EVP_PKEY_DSA)
                 return(DSA_size(pkey->pkey.dsa));
 #endif
@@ -96,10 +97,10 @@ int EVP_PKEY_size(EVP_PKEY *pkey)
 
 int EVP_PKEY_save_parameters(EVP_PKEY *pkey, int mode)
         {
-#ifndef NO_DSA
+#ifndef OPENSSL_NO_DSA
         if (pkey->type == EVP_PKEY_DSA)
                 {
-                int ret=pkey->save_parameters=mode;
+                int ret=pkey->save_parameters;
 
                 if (mode >= 0)
                         pkey->save_parameters=mode;
@@ -122,7 +123,7 @@ int EVP_PKEY_copy_parameters(EVP_PKEY *to, EVP_PKEY *from)
                 EVPerr(EVP_F_EVP_PKEY_COPY_PARAMETERS,EVP_R_MISSING_PARAMETERS);
                 goto err;
                 }
-#ifndef NO_DSA
+#ifndef OPENSSL_NO_DSA
         if (to->type == EVP_PKEY_DSA)
                 {
                 BIGNUM *a;
@@ -147,7 +148,7 @@ err:
 
 int EVP_PKEY_missing_parameters(EVP_PKEY *pkey)
         {
-#ifndef NO_DSA
+#ifndef OPENSSL_NO_DSA
         if (pkey->type == EVP_PKEY_DSA)
                 {
                 DSA *dsa;
@@ -162,7 +163,7 @@ int EVP_PKEY_missing_parameters(EVP_PKEY *pkey)
 
 int EVP_PKEY_cmp_parameters(EVP_PKEY *a, EVP_PKEY *b)
         {
-#ifndef NO_DSA
+#ifndef OPENSSL_NO_DSA
         if ((a->type == EVP_PKEY_DSA) && (b->type == EVP_PKEY_DSA))
                 {
                 if (    BN_cmp(a->pkey.dsa->p,b->pkey.dsa->p) ||
@@ -205,11 +206,12 @@ int EVP_PKEY_assign(EVP_PKEY *pkey, int type, char *key)
         return(key != NULL);
         }
 
-#ifndef NO_RSA
+#ifndef OPENSSL_NO_RSA
 int EVP_PKEY_set1_RSA(EVP_PKEY *pkey, RSA *key)
 {
         int ret = EVP_PKEY_assign_RSA(pkey, key);
-        if(ret) CRYPTO_add(&key->references, 1, CRYPTO_LOCK_RSA);
+        if(ret)
+                RSA_up_ref(key);
         return ret;
 }
 
@@ -219,16 +221,17 @@ RSA *EVP_PKEY_get1_RSA(EVP_PKEY *pkey)
                 EVPerr(EVP_F_EVP_PKEY_GET1_RSA, EVP_R_EXPECTING_AN_RSA_KEY);
                 return NULL;
         }
-        CRYPTO_add(&pkey->pkey.rsa->references, 1, CRYPTO_LOCK_RSA);
+        RSA_up_ref(pkey->pkey.rsa);
         return pkey->pkey.rsa;
 }
 #endif
 
-#ifndef NO_DSA
+#ifndef OPENSSL_NO_DSA
 int EVP_PKEY_set1_DSA(EVP_PKEY *pkey, DSA *key)
 {
         int ret = EVP_PKEY_assign_DSA(pkey, key);
-        if(ret) CRYPTO_add(&key->references, 1, CRYPTO_LOCK_DSA);
+        if(ret)
+                DSA_up_ref(key);
         return ret;
 }
 
@@ -238,17 +241,18 @@ DSA *EVP_PKEY_get1_DSA(EVP_PKEY *pkey)
                 EVPerr(EVP_F_EVP_PKEY_GET1_DSA, EVP_R_EXPECTING_A_DSA_KEY);
                 return NULL;
         }
-        CRYPTO_add(&pkey->pkey.dsa->references, 1, CRYPTO_LOCK_DSA);
+        DSA_up_ref(pkey->pkey.dsa);
         return pkey->pkey.dsa;
 }
 #endif
 
-#ifndef NO_DH
+#ifndef OPENSSL_NO_DH
 
 int EVP_PKEY_set1_DH(EVP_PKEY *pkey, DH *key)
 {
         int ret = EVP_PKEY_assign_DH(pkey, key);
-        if(ret) CRYPTO_add(&key->references, 1, CRYPTO_LOCK_DH);
+        if(ret)
+                DH_up_ref(key);
         return ret;
 }
 
@@ -258,7 +262,7 @@ DH *EVP_PKEY_get1_DH(EVP_PKEY *pkey)
                 EVPerr(EVP_F_EVP_PKEY_GET1_DH, EVP_R_EXPECTING_A_DH_KEY);
                 return NULL;
         }
-        CRYPTO_add(&pkey->pkey.dh->references, 1, CRYPTO_LOCK_DH);
+        DH_up_ref(pkey->pkey.dh);
         return pkey->pkey.dh;
 }
 #endif
@@ -309,13 +313,13 @@ static void EVP_PKEY_free_it(EVP_PKEY *x)
         {
         switch (x->type)
                 {
-#ifndef NO_RSA
+#ifndef OPENSSL_NO_RSA
         case EVP_PKEY_RSA:
         case EVP_PKEY_RSA2:
                 RSA_free(x->pkey.rsa);
                 break;
 #endif
-#ifndef NO_DSA
+#ifndef OPENSSL_NO_DSA
         case EVP_PKEY_DSA:
         case EVP_PKEY_DSA2:
         case EVP_PKEY_DSA3:
@@ -323,7 +327,7 @@ static void EVP_PKEY_free_it(EVP_PKEY *x)
                 DSA_free(x->pkey.dsa);
                 break;
 #endif
-#ifndef NO_DH
+#ifndef OPENSSL_NO_DH
         case EVP_PKEY_DH:
                 DH_free(x->pkey.dh);
                 break;
diff --git a/src/lib/libcrypto/evp/p_open.c b/src/lib/libcrypto/evp/p_open.c
index 2760c00fec..6976f2a867 100644
--- a/src/lib/libcrypto/evp/p_open.c
+++ b/src/lib/libcrypto/evp/p_open.c
@@ -56,14 +56,14 @@
  * [including the GNU Public Licence.]
  */
 
-#ifndef NO_RSA
+#ifndef OPENSSL_NO_RSA
 #include <stdio.h>
 #include "cryptlib.h"
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/x509.h>
 
-int EVP_OpenInit(EVP_CIPHER_CTX *ctx, EVP_CIPHER *type, unsigned char *ek,
+int EVP_OpenInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type, unsigned char *ek,
              int ekl, unsigned char *iv, EVP_PKEY *priv)
         {
         unsigned char *key=NULL;
@@ -71,7 +71,7 @@ int EVP_OpenInit(EVP_CIPHER_CTX *ctx, EVP_CIPHER *type, unsigned char *ek,
 
         if(type) {      
                 EVP_CIPHER_CTX_init(ctx);
-                if(!EVP_DecryptInit(ctx,type,NULL,NULL)) return 0;
+                if(!EVP_DecryptInit_ex(ctx,type,NULL, NULL,NULL)) return 0;
         }
 
         if(!priv) return 1;
@@ -97,7 +97,7 @@ int EVP_OpenInit(EVP_CIPHER_CTX *ctx, EVP_CIPHER *type, unsigned char *ek,
                 /* ERROR */
                 goto err;
                 }
-        if(!EVP_DecryptInit(ctx,NULL,key,iv)) goto err;
+        if(!EVP_DecryptInit_ex(ctx,NULL,NULL,key,iv)) goto err;
 
         ret=1;
 err:
@@ -110,11 +110,11 @@ int EVP_OpenFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
         {
         int i;
 
-        i=EVP_DecryptFinal(ctx,out,outl);
-        EVP_DecryptInit(ctx,NULL,NULL,NULL);
+        i=EVP_DecryptFinal_ex(ctx,out,outl);
+        EVP_DecryptInit_ex(ctx,NULL,NULL,NULL,NULL);
         return(i);
         }
-#else /* !NO_RSA */
+#else /* !OPENSSL_NO_RSA */
 
 # ifdef PEDANTIC
 static void *dummy=&dummy;
diff --git a/src/lib/libcrypto/evp/p_seal.c b/src/lib/libcrypto/evp/p_seal.c
index 2fd1d7e0c2..5570ca3745 100644
--- a/src/lib/libcrypto/evp/p_seal.c
+++ b/src/lib/libcrypto/evp/p_seal.c
@@ -59,14 +59,14 @@
 #include <stdio.h>
 #include "cryptlib.h"
 #include <openssl/rand.h>
-#ifndef NO_RSA
+#ifndef OPENSSL_NO_RSA
 #include <openssl/rsa.h>
 #endif
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/x509.h>
 
-int EVP_SealInit(EVP_CIPHER_CTX *ctx, EVP_CIPHER *type, unsigned char **ek,
+int EVP_SealInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type, unsigned char **ek,
              int *ekl, unsigned char *iv, EVP_PKEY **pubk, int npubk)
         {
         unsigned char key[EVP_MAX_KEY_LENGTH];
@@ -74,15 +74,16 @@ int EVP_SealInit(EVP_CIPHER_CTX *ctx, EVP_CIPHER *type, unsigned char **ek,
         
         if(type) {
                 EVP_CIPHER_CTX_init(ctx);
-                if(!EVP_EncryptInit(ctx,type,NULL,NULL)) return 0;
+                if(!EVP_EncryptInit_ex(ctx,type,NULL,NULL,NULL)) return 0;
         }
-        if (npubk <= 0) return(0);
+        if ((npubk <= 0) || !pubk)
+                return 1;
         if (RAND_bytes(key,EVP_MAX_KEY_LENGTH) <= 0)
-                return(0);
+                return 0;
         if (EVP_CIPHER_CTX_iv_length(ctx))
                 RAND_pseudo_bytes(iv,EVP_CIPHER_CTX_iv_length(ctx));
 
-        if(!EVP_EncryptInit(ctx,NULL,key,iv)) return 0;
+        if(!EVP_EncryptInit_ex(ctx,NULL,NULL,key,iv)) return 0;
 
         for (i=0; i<npubk; i++)
                 {
@@ -107,6 +108,6 @@ int inl;
 
 void EVP_SealFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
         {
-        EVP_EncryptFinal(ctx,out,outl);
-        EVP_EncryptInit(ctx,NULL,NULL,NULL);
+        EVP_EncryptFinal_ex(ctx,out,outl);
+        EVP_EncryptInit_ex(ctx,NULL,NULL,NULL,NULL);
         }
diff --git a/src/lib/libcrypto/evp/p_sign.c b/src/lib/libcrypto/evp/p_sign.c
index 1fa32ac17e..e4ae5906f5 100644
--- a/src/lib/libcrypto/evp/p_sign.c
+++ b/src/lib/libcrypto/evp/p_sign.c
@@ -65,7 +65,7 @@
 #ifdef undef
 void EVP_SignInit(EVP_MD_CTX *ctx, EVP_MD *type)
         {
-        EVP_DigestInit(ctx,type);
+        EVP_DigestInit_ex(ctx,type);
         }
 
 void EVP_SignUpdate(EVP_MD_CTX *ctx, unsigned char *data,
@@ -84,8 +84,10 @@ int EVP_SignFinal(EVP_MD_CTX *ctx, unsigned char *sigret, unsigned int *siglen,
         MS_STATIC EVP_MD_CTX tmp_ctx;
 
         *siglen=0;
-        EVP_MD_CTX_copy(&tmp_ctx,ctx);   
-        EVP_DigestFinal(&tmp_ctx,&(m[0]),&m_len);
+        EVP_MD_CTX_init(&tmp_ctx);
+        EVP_MD_CTX_copy_ex(&tmp_ctx,ctx);   
+        EVP_DigestFinal_ex(&tmp_ctx,&(m[0]),&m_len);
+        EVP_MD_CTX_cleanup(&tmp_ctx);
         for (i=0; i<4; i++)
                 {
                 v=ctx->digest->required_pkey_type[i];
diff --git a/src/lib/libcrypto/evp/p_verify.c b/src/lib/libcrypto/evp/p_verify.c
index dcb54f3abb..d854d743a5 100644
--- a/src/lib/libcrypto/evp/p_verify.c
+++ b/src/lib/libcrypto/evp/p_verify.c
@@ -85,8 +85,10 @@ int EVP_VerifyFinal(EVP_MD_CTX *ctx, unsigned char *sigbuf,
                 EVPerr(EVP_F_EVP_VERIFYFINAL,EVP_R_WRONG_PUBLIC_KEY_TYPE);
                 return(-1);
                 }
-        EVP_MD_CTX_copy(&tmp_ctx,ctx);     
-        EVP_DigestFinal(&tmp_ctx,&(m[0]),&m_len);
+        EVP_MD_CTX_init(&tmp_ctx);
+        EVP_MD_CTX_copy_ex(&tmp_ctx,ctx);     
+        EVP_DigestFinal_ex(&tmp_ctx,&(m[0]),&m_len);
+        EVP_MD_CTX_cleanup(&tmp_ctx);
         if (ctx->digest->verify == NULL)
                 {
                 EVPerr(EVP_F_EVP_VERIFYFINAL,EVP_R_NO_VERIFY_FUNCTION_CONFIGURED);
diff --git a/src/lib/libcrypto/ex_data.c b/src/lib/libcrypto/ex_data.c
index 739e543d78..5b2e345c27 100644
--- a/src/lib/libcrypto/ex_data.c
+++ b/src/lib/libcrypto/ex_data.c
@@ -1,4 +1,33 @@
 /* crypto/ex_data.c */
+
+/*
+ * Overhaul notes;
+ *
+ * This code is now *mostly* thread-safe. It is now easier to understand in what
+ * ways it is safe and in what ways it is not, which is an improvement. Firstly,
+ * all per-class stacks and index-counters for ex_data are stored in the same
+ * global LHASH table (keyed by class). This hash table uses locking for all
+ * access with the exception of CRYPTO_cleanup_all_ex_data(), which must only be
+ * called when no other threads can possibly race against it (even if it was
+ * locked, the race would mean it's possible the hash table might have been
+ * recreated after the cleanup). As classes can only be added to the hash table,
+ * and within each class, the stack of methods can only be incremented, the
+ * locking mechanics are simpler than they would otherwise be. For example, the
+ * new/dup/free ex_data functions will lock the hash table, copy the method
+ * pointers it needs from the relevant class, then unlock the hash table before
+ * actually applying those method pointers to the task of the new/dup/free
+ * operations. As they can't be removed from the method-stack, only
+ * supplemented, there's no race conditions associated with using them outside
+ * the lock. The get/set_ex_data functions are not locked because they do not
+ * involve this global state at all - they operate directly with a previously
+ * obtained per-class method index and a particular "ex_data" variable. These
+ * variables are usually instantiated per-context (eg. each RSA structure has
+ * one) so locking on read/write access to that variable can be locked locally
+ * if required (eg. using the "RSA" lock to synchronise access to a
+ * per-RSA-structure ex_data variable if required).
+ * [Geoff]
+ */
+
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -55,6 +84,59 @@
  * copied and put under another distribution licence
  * [including the GNU Public Licence.]
  */
+/* ====================================================================
+ * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
 
 #include <stdio.h>
 #include <stdlib.h>
@@ -63,47 +145,455 @@
 #include <openssl/lhash.h>
 #include "cryptlib.h"
 
-int CRYPTO_get_ex_new_index(int idx, STACK_OF(CRYPTO_EX_DATA_FUNCS) **skp, long argl, void *argp,
-             CRYPTO_EX_new *new_func, CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func)
+/* What an "implementation of ex_data functionality" looks like */
+struct st_CRYPTO_EX_DATA_IMPL
+        {
+        /*********************/
+        /* GLOBAL OPERATIONS */
+        /* Return a new class index */
+        int (*cb_new_class)(void);
+        /* Cleanup all state used by the implementation */
+        void (*cb_cleanup)(void);
+        /************************/
+        /* PER-CLASS OPERATIONS */
+        /* Get a new method index within a class */
+        int (*cb_get_new_index)(int class_index, long argl, void *argp,
+                        CRYPTO_EX_new *new_func, CRYPTO_EX_dup *dup_func,
+                        CRYPTO_EX_free *free_func);
+        /* Initialise a new CRYPTO_EX_DATA of a given class */
+        int (*cb_new_ex_data)(int class_index, void *obj,
+                        CRYPTO_EX_DATA *ad);
+        /* Duplicate a CRYPTO_EX_DATA of a given class onto a copy */
+        int (*cb_dup_ex_data)(int class_index, CRYPTO_EX_DATA *to,
+                        CRYPTO_EX_DATA *from);
+        /* Cleanup a CRYPTO_EX_DATA of a given class */
+        void (*cb_free_ex_data)(int class_index, void *obj,
+                        CRYPTO_EX_DATA *ad);
+        };
+
+/* The implementation we use at run-time */
+static const CRYPTO_EX_DATA_IMPL *impl = NULL;
+
+/* To call "impl" functions, use this macro rather than referring to 'impl' directly, eg.
+ * EX_IMPL(get_new_index)(...); */
+#define EX_IMPL(a) impl->cb_##a
+
+/* Predeclare the "default" ex_data implementation */
+static int int_new_class(void);
+static void int_cleanup(void);
+static int int_get_new_index(int class_index, long argl, void *argp,
+                CRYPTO_EX_new *new_func, CRYPTO_EX_dup *dup_func,
+                CRYPTO_EX_free *free_func);
+static int int_new_ex_data(int class_index, void *obj,
+                CRYPTO_EX_DATA *ad);
+static int int_dup_ex_data(int class_index, CRYPTO_EX_DATA *to,
+                CRYPTO_EX_DATA *from);
+static void int_free_ex_data(int class_index, void *obj,
+                CRYPTO_EX_DATA *ad);
+static CRYPTO_EX_DATA_IMPL impl_default =
+        {
+        int_new_class,
+        int_cleanup,
+        int_get_new_index,
+        int_new_ex_data,
+        int_dup_ex_data,
+        int_free_ex_data
+        };
+
+/* Internal function that checks whether "impl" is set and if not, sets it to
+ * the default. */
+static void impl_check(void)
         {
-        int ret= -1;
-        CRYPTO_EX_DATA_FUNCS *a;
+        CRYPTO_w_lock(CRYPTO_LOCK_EX_DATA);
+        if(!impl)
+                impl = &impl_default;
+        CRYPTO_w_unlock(CRYPTO_LOCK_EX_DATA);
+        }
+/* A macro wrapper for impl_check that first uses a non-locked test before
+ * invoking the function (which checks again inside a lock). */
+#define IMPL_CHECK if(!impl) impl_check();
 
-        MemCheck_off();
-        if (*skp == NULL)
-                *skp=sk_CRYPTO_EX_DATA_FUNCS_new_null();
-        if (*skp == NULL)
+/* API functions to get/set the "ex_data" implementation */
+const CRYPTO_EX_DATA_IMPL *CRYPTO_get_ex_data_implementation(void)
+        {
+        IMPL_CHECK
+        return impl;
+        }
+int CRYPTO_set_ex_data_implementation(const CRYPTO_EX_DATA_IMPL *i)
+        {
+        int toret = 0;
+        CRYPTO_w_lock(CRYPTO_LOCK_EX_DATA);
+        if(!impl)
                 {
-                CRYPTOerr(CRYPTO_F_CRYPTO_GET_EX_NEW_INDEX,ERR_R_MALLOC_FAILURE);
-                goto err;
+                impl = i;
+                toret = 1;
                 }
-        a=(CRYPTO_EX_DATA_FUNCS *)OPENSSL_malloc(sizeof(CRYPTO_EX_DATA_FUNCS));
-        if (a == NULL)
+        CRYPTO_w_unlock(CRYPTO_LOCK_EX_DATA);
+        return toret;
+        }
+
+/****************************************************************************/
+/* Interal (default) implementation of "ex_data" support. API functions are
+ * further down. */
+
+/* The type that represents what each "class" used to implement locally. A STACK
+ * of CRYPTO_EX_DATA_FUNCS plus a index-counter. The 'class_index' is the global
+ * value representing the class that is used to distinguish these items. */
+typedef struct st_ex_class_item {
+        int class_index;
+        STACK_OF(CRYPTO_EX_DATA_FUNCS) *meth;
+        int meth_num;
+} EX_CLASS_ITEM;
+
+/* When assigning new class indexes, this is our counter */
+static int ex_class = CRYPTO_EX_INDEX_USER;
+
+/* The global hash table of EX_CLASS_ITEM items */
+static LHASH *ex_data = NULL;
+
+/* The callbacks required in the "ex_data" hash table */
+static unsigned long ex_hash_cb(const void *a_void)
+        {
+        return ((const EX_CLASS_ITEM *)a_void)->class_index;
+        }
+static int ex_cmp_cb(const void *a_void, const void *b_void)
+        {
+        return (((const EX_CLASS_ITEM *)a_void)->class_index -
+                ((const EX_CLASS_ITEM *)b_void)->class_index);
+        }
+
+/* Internal functions used by the "impl_default" implementation to access the
+ * state */
+
+static int ex_data_check(void)
+        {
+        int toret = 1;
+        CRYPTO_w_lock(CRYPTO_LOCK_EX_DATA);
+        if(!ex_data && ((ex_data = lh_new(ex_hash_cb, ex_cmp_cb)) == NULL))
+                toret = 0;
+        CRYPTO_w_unlock(CRYPTO_LOCK_EX_DATA);
+        return toret;
+        }
+/* This macros helps reduce the locking from repeated checks because the
+ * ex_data_check() function checks ex_data again inside a lock. */
+#define EX_DATA_CHECK(iffail) if(!ex_data && !ex_data_check()) {iffail}
+
+/* This "inner" callback is used by the callback function that follows it */
+static void def_cleanup_util_cb(CRYPTO_EX_DATA_FUNCS *funcs)
+        {
+        OPENSSL_free(funcs);
+        }
+
+/* This callback is used in lh_doall to destroy all EX_CLASS_ITEM values from
+ * "ex_data" prior to the ex_data hash table being itself destroyed. Doesn't do
+ * any locking. */
+static void def_cleanup_cb(const void *a_void)
+        {
+        EX_CLASS_ITEM *item = (EX_CLASS_ITEM *)a_void;
+        sk_CRYPTO_EX_DATA_FUNCS_pop_free(item->meth, def_cleanup_util_cb);
+        OPENSSL_free(item);
+        }
+
+/* Return the EX_CLASS_ITEM from the "ex_data" hash table that corresponds to a
+ * given class. Handles locking. */
+static EX_CLASS_ITEM *def_get_class(int class_index)
+        {
+        EX_CLASS_ITEM d, *p, *gen;
+        EX_DATA_CHECK(return NULL;)
+        d.class_index = class_index;
+        CRYPTO_w_lock(CRYPTO_LOCK_EX_DATA);
+        p = lh_retrieve(ex_data, &d);
+        if(!p)
                 {
-                CRYPTOerr(CRYPTO_F_CRYPTO_GET_EX_NEW_INDEX,ERR_R_MALLOC_FAILURE);
-                goto err;
+                gen = OPENSSL_malloc(sizeof(EX_CLASS_ITEM));
+                if(gen)
+                        {
+                        gen->class_index = class_index;
+                        gen->meth_num = 0;
+                        gen->meth = sk_CRYPTO_EX_DATA_FUNCS_new_null();
+                        if(!gen->meth)
+                                OPENSSL_free(gen);
+                        else
+                                {
+                                /* Because we're inside the ex_data lock, the
+                                 * return value from the insert will be NULL */
+                                lh_insert(ex_data, gen);
+                                p = gen;
+                                }
+                        }
+                }
+        CRYPTO_w_unlock(CRYPTO_LOCK_EX_DATA);
+        if(!p)
+                CRYPTOerr(CRYPTO_F_DEF_GET_CLASS,ERR_R_MALLOC_FAILURE);
+        return p;
+        }
+
+/* Add a new method to the given EX_CLASS_ITEM and return the corresponding
+ * index (or -1 for error). Handles locking. */
+static int def_add_index(EX_CLASS_ITEM *item, long argl, void *argp,
+                CRYPTO_EX_new *new_func, CRYPTO_EX_dup *dup_func,
+                CRYPTO_EX_free *free_func)
+        {
+        int toret = -1;
+        CRYPTO_EX_DATA_FUNCS *a = (CRYPTO_EX_DATA_FUNCS *)OPENSSL_malloc(
+                                        sizeof(CRYPTO_EX_DATA_FUNCS));
+        if(!a)
+                {
+                CRYPTOerr(CRYPTO_F_DEF_ADD_INDEX,ERR_R_MALLOC_FAILURE);
+                return -1;
                 }
         a->argl=argl;
         a->argp=argp;
         a->new_func=new_func;
         a->dup_func=dup_func;
         a->free_func=free_func;
-        while (sk_CRYPTO_EX_DATA_FUNCS_num(*skp) <= idx)
+        CRYPTO_w_lock(CRYPTO_LOCK_EX_DATA);
+        while (sk_CRYPTO_EX_DATA_FUNCS_num(item->meth) <= item->meth_num)
                 {
-                if (!sk_CRYPTO_EX_DATA_FUNCS_push(*skp,NULL))
+                if (!sk_CRYPTO_EX_DATA_FUNCS_push(item->meth, NULL))
                         {
-                        CRYPTOerr(CRYPTO_F_CRYPTO_GET_EX_NEW_INDEX,ERR_R_MALLOC_FAILURE);
+                        CRYPTOerr(CRYPTO_F_DEF_ADD_INDEX,ERR_R_MALLOC_FAILURE);
                         OPENSSL_free(a);
                         goto err;
                         }
                 }
-        sk_CRYPTO_EX_DATA_FUNCS_set(*skp,idx, a);
-        ret=idx;
+        toret = item->meth_num++;
+        sk_CRYPTO_EX_DATA_FUNCS_set(item->meth, toret, a);
 err:
-        MemCheck_on();
-        return(ret);
+        CRYPTO_w_unlock(CRYPTO_LOCK_EX_DATA);
+        return toret;
         }
 
+/**************************************************************/
+/* The functions in the default CRYPTO_EX_DATA_IMPL structure */
+
+static int int_new_class(void)
+        {
+        int toret;
+        CRYPTO_w_lock(CRYPTO_LOCK_EX_DATA);
+        toret = ex_class++;
+        CRYPTO_w_unlock(CRYPTO_LOCK_EX_DATA);
+        return toret;
+        }
+
+static void int_cleanup(void)
+        {
+        EX_DATA_CHECK(return;)
+        lh_doall(ex_data, def_cleanup_cb);
+        lh_free(ex_data);
+        ex_data = NULL;
+        impl = NULL;
+        }
+
+static int int_get_new_index(int class_index, long argl, void *argp,
+                CRYPTO_EX_new *new_func, CRYPTO_EX_dup *dup_func,
+                CRYPTO_EX_free *free_func)
+        {
+        EX_CLASS_ITEM *item = def_get_class(class_index);
+        if(!item)
+                return -1;
+        return def_add_index(item, argl, argp, new_func, dup_func, free_func);
+        }
+
+/* Thread-safe by copying a class's array of "CRYPTO_EX_DATA_FUNCS" entries in
+ * the lock, then using them outside the lock. NB: Thread-safety only applies to
+ * the global "ex_data" state (ie. class definitions), not thread-safe on 'ad'
+ * itself. */
+static int int_new_ex_data(int class_index, void *obj,
+                CRYPTO_EX_DATA *ad)
+        {
+        int mx,i;
+        void *ptr;
+        CRYPTO_EX_DATA_FUNCS **storage = NULL;
+        EX_CLASS_ITEM *item = def_get_class(class_index);
+        if(!item)
+                /* error is already set */
+                return 0;
+        ad->sk = NULL;
+        CRYPTO_r_lock(CRYPTO_LOCK_EX_DATA);
+        mx = sk_CRYPTO_EX_DATA_FUNCS_num(item->meth);
+        if(mx > 0)
+                {
+                storage = OPENSSL_malloc(mx * sizeof(CRYPTO_EX_DATA_FUNCS*));
+                if(!storage)
+                        goto skip;
+                for(i = 0; i < mx; i++)
+                        storage[i] = sk_CRYPTO_EX_DATA_FUNCS_value(item->meth,i);
+                }
+skip:
+        CRYPTO_r_unlock(CRYPTO_LOCK_EX_DATA);
+        if((mx > 0) && !storage)
+                {
+                CRYPTOerr(CRYPTO_F_INT_NEW_EX_DATA,ERR_R_MALLOC_FAILURE);
+                return 0;
+                }
+        for(i = 0; i < mx; i++)
+                {
+                if(storage[i] && storage[i]->new_func)
+                        {
+                        ptr = CRYPTO_get_ex_data(ad, i);
+                        storage[i]->new_func(obj,ptr,ad,i,
+                                storage[i]->argl,storage[i]->argp);
+                        }
+                }
+        if(storage)
+                OPENSSL_free(storage);
+        return 1;
+        }
+
+/* Same thread-safety notes as for "int_new_ex_data" */
+static int int_dup_ex_data(int class_index, CRYPTO_EX_DATA *to,
+                CRYPTO_EX_DATA *from)
+        {
+        int mx, j, i;
+        char *ptr;
+        CRYPTO_EX_DATA_FUNCS **storage = NULL;
+        EX_CLASS_ITEM *item;
+        if(!from->sk)
+                /* 'to' should be "blank" which *is* just like 'from' */
+                return 1;
+        if((item = def_get_class(class_index)) == NULL)
+                return 0;
+        CRYPTO_r_lock(CRYPTO_LOCK_EX_DATA);
+        mx = sk_CRYPTO_EX_DATA_FUNCS_num(item->meth);
+        j = sk_num(from->sk);
+        if(j < mx)
+                mx = j;
+        if(mx > 0)
+                {
+                storage = OPENSSL_malloc(mx * sizeof(CRYPTO_EX_DATA_FUNCS*));
+                if(!storage)
+                        goto skip;
+                for(i = 0; i < mx; i++)
+                        storage[i] = sk_CRYPTO_EX_DATA_FUNCS_value(item->meth,i);
+                }
+skip:
+        CRYPTO_r_unlock(CRYPTO_LOCK_EX_DATA);
+        if((mx > 0) && !storage)
+                {
+                CRYPTOerr(CRYPTO_F_INT_DUP_EX_DATA,ERR_R_MALLOC_FAILURE);
+                return 0;
+                }
+        for(i = 0; i < mx; i++)
+                {
+                ptr = CRYPTO_get_ex_data(from, i);
+                if(storage[i] && storage[i]->dup_func)
+                        storage[i]->dup_func(to,from,&ptr,i,
+                                storage[i]->argl,storage[i]->argp);
+                CRYPTO_set_ex_data(to,i,ptr);
+                }
+        if(storage)
+                OPENSSL_free(storage);
+        return 1;
+        }
+
+/* Same thread-safety notes as for "int_new_ex_data" */
+static void int_free_ex_data(int class_index, void *obj,
+                CRYPTO_EX_DATA *ad)
+        {
+        int mx,i;
+        EX_CLASS_ITEM *item;
+        void *ptr;
+        CRYPTO_EX_DATA_FUNCS **storage = NULL;
+        if((item = def_get_class(class_index)) == NULL)
+                return;
+        CRYPTO_r_lock(CRYPTO_LOCK_EX_DATA);
+        mx = sk_CRYPTO_EX_DATA_FUNCS_num(item->meth);
+        if(mx > 0)
+                {
+                storage = OPENSSL_malloc(mx * sizeof(CRYPTO_EX_DATA_FUNCS*));
+                if(!storage)
+                        goto skip;
+                for(i = 0; i < mx; i++)
+                        storage[i] = sk_CRYPTO_EX_DATA_FUNCS_value(item->meth,i);
+                }
+skip:
+        CRYPTO_r_unlock(CRYPTO_LOCK_EX_DATA);
+        if((mx > 0) && !storage)
+                {
+                CRYPTOerr(CRYPTO_F_INT_FREE_EX_DATA,ERR_R_MALLOC_FAILURE);
+                return;
+                }
+        for(i = 0; i < mx; i++)
+                {
+                if(storage[i] && storage[i]->free_func)
+                        {
+                        ptr = CRYPTO_get_ex_data(ad,i);
+                        storage[i]->free_func(obj,ptr,ad,i,
+                                storage[i]->argl,storage[i]->argp);
+                        }
+                }
+        if(storage)
+                OPENSSL_free(storage);
+        if(ad->sk)
+                {
+                sk_free(ad->sk);
+                ad->sk=NULL;
+                }
+        }
+
+/********************************************************************/
+/* API functions that defer all "state" operations to the "ex_data"
+ * implementation we have set. */
+
+/* Obtain an index for a new class (not the same as getting a new index within
+ * an existing class - this is actually getting a new *class*) */
+int CRYPTO_ex_data_new_class(void)
+        {
+        IMPL_CHECK
+        return EX_IMPL(new_class)();
+        }
+
+/* Release all "ex_data" state to prevent memory leaks. This can't be made
+ * thread-safe without overhauling a lot of stuff, and shouldn't really be
+ * called under potential race-conditions anyway (it's for program shutdown
+ * after all). */
+void CRYPTO_cleanup_all_ex_data(void)
+        {
+        IMPL_CHECK
+        EX_IMPL(cleanup)();
+        }
+
+/* Inside an existing class, get/register a new index. */
+int CRYPTO_get_ex_new_index(int class_index, long argl, void *argp,
+                CRYPTO_EX_new *new_func, CRYPTO_EX_dup *dup_func,
+                CRYPTO_EX_free *free_func)
+        {
+        int ret = -1;
+
+        IMPL_CHECK
+        ret = EX_IMPL(get_new_index)(class_index,
+                        argl, argp, new_func, dup_func, free_func);
+        return ret;
+        }
+
+/* Initialise a new CRYPTO_EX_DATA for use in a particular class - including
+ * calling new() callbacks for each index in the class used by this variable */
+int CRYPTO_new_ex_data(int class_index, void *obj, CRYPTO_EX_DATA *ad)
+        {
+        IMPL_CHECK
+        return EX_IMPL(new_ex_data)(class_index, obj, ad);
+        }
+
+/* Duplicate a CRYPTO_EX_DATA variable - including calling dup() callbacks for
+ * each index in the class used by this variable */
+int CRYPTO_dup_ex_data(int class_index, CRYPTO_EX_DATA *to,
+             CRYPTO_EX_DATA *from)
+        {
+        IMPL_CHECK
+        return EX_IMPL(dup_ex_data)(class_index, to, from);
+        }
+
+/* Cleanup a CRYPTO_EX_DATA variable - including calling free() callbacks for
+ * each index in the class used by this variable */
+void CRYPTO_free_ex_data(int class_index, void *obj, CRYPTO_EX_DATA *ad)
+        {
+        IMPL_CHECK
+        EX_IMPL(free_ex_data)(class_index, obj, ad);
+        }
+
+/* For a given CRYPTO_EX_DATA variable, set the value corresponding to a
+ * particular index in the class used by this variable */
 int CRYPTO_set_ex_data(CRYPTO_EX_DATA *ad, int idx, void *val)
         {
         int i;
@@ -131,7 +621,9 @@ int CRYPTO_set_ex_data(CRYPTO_EX_DATA *ad, int idx, void *val)
         return(1);
         }
 
-void *CRYPTO_get_ex_data(CRYPTO_EX_DATA *ad, int idx)
+/* For a given CRYPTO_EX_DATA_ variable, get the value corresponding to a
+ * particular index in the class used by this variable */
+void *CRYPTO_get_ex_data(const CRYPTO_EX_DATA *ad, int idx)
         {
         if (ad->sk == NULL)
                 return(0);
@@ -141,83 +633,4 @@ void *CRYPTO_get_ex_data(CRYPTO_EX_DATA *ad, int idx)
                 return(sk_value(ad->sk,idx));
         }
 
-/* The callback is called with the 'object', which is the original data object
- * being duplicated, a pointer to the
- * 'new' object to be inserted, the index, and the argi/argp
- */
-int CRYPTO_dup_ex_data(STACK_OF(CRYPTO_EX_DATA_FUNCS) *meth, CRYPTO_EX_DATA *to,
-             CRYPTO_EX_DATA *from)
-        {
-        int i,j,m,r;
-        CRYPTO_EX_DATA_FUNCS *mm;
-        char *from_d;
-
-        if (meth == NULL) return(1);
-        if (from->sk == NULL) return(1);
-        m=sk_CRYPTO_EX_DATA_FUNCS_num(meth);
-        j=sk_num(from->sk);
-        for (i=0; i<j; i++)
-                {
-                from_d=CRYPTO_get_ex_data(from,i);
-                if (i < m)
-                        {
-                        mm=sk_CRYPTO_EX_DATA_FUNCS_value(meth,i);
-                        if (mm->dup_func != NULL)
-                                r=mm->dup_func(to,from,(char **)&from_d,i,
-                                        mm->argl,mm->argp);
-                        }
-                CRYPTO_set_ex_data(to,i,from_d);
-                }
-        return(1);
-        }
-
-/* Call each free callback */
-void CRYPTO_free_ex_data(STACK_OF(CRYPTO_EX_DATA_FUNCS) *meth, void *obj, CRYPTO_EX_DATA *ad)
-        {
-        CRYPTO_EX_DATA_FUNCS *m;
-        void *ptr;
-        int i,max;
-
-        if (meth != NULL)
-                {
-                max=sk_CRYPTO_EX_DATA_FUNCS_num(meth);
-                for (i=0; i<max; i++)
-                        {
-                        m=sk_CRYPTO_EX_DATA_FUNCS_value(meth,i);
-                        if ((m != NULL) && (m->free_func != NULL))
-                                {
-                                ptr=CRYPTO_get_ex_data(ad,i);
-                                m->free_func(obj,ptr,ad,i,m->argl,m->argp);
-                                }
-                        }
-                }
-        if (ad->sk != NULL)
-                {
-                sk_free(ad->sk);
-                ad->sk=NULL;
-                }
-        }
-
-void CRYPTO_new_ex_data(STACK_OF(CRYPTO_EX_DATA_FUNCS) *meth, void *obj, CRYPTO_EX_DATA *ad)
-        {
-        CRYPTO_EX_DATA_FUNCS *m;
-        void *ptr;
-        int i,max;
-
-        ad->sk=NULL;
-        if (meth != NULL)
-                {
-                max=sk_CRYPTO_EX_DATA_FUNCS_num(meth);
-                for (i=0; i<max; i++)
-                        {
-                        m=sk_CRYPTO_EX_DATA_FUNCS_value(meth,i);
-                        if ((m != NULL) && (m->new_func != NULL))
-                                {
-                                ptr=CRYPTO_get_ex_data(ad,i);
-                                m->new_func(obj,ptr,ad,i,m->argl,m->argp);
-                                }
-                        }
-                }
-        }
-
 IMPLEMENT_STACK_OF(CRYPTO_EX_DATA_FUNCS)
diff --git a/src/lib/libcrypto/hmac/Makefile.ssl b/src/lib/libcrypto/hmac/Makefile.ssl
index 326339a90d..899d67c43b 100644
--- a/src/lib/libcrypto/hmac/Makefile.ssl
+++ b/src/lib/libcrypto/hmac/Makefile.ssl
@@ -11,7 +11,8 @@ INSTALL_PREFIX=
 OPENSSLDIR=     /usr/local/ssl
 INSTALLTOP=/usr/local/ssl
 MAKE=           make -f Makefile.ssl
-MAKEDEPEND=     $(TOP)/util/domd $(TOP)
+MAKEDEPPROG=    makedepend
+MAKEDEPEND=     $(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)
 MAKEFILE=       Makefile.ssl
 AR=             ar r
 
@@ -39,8 +40,7 @@ all:	lib
 
 lib:    $(LIBOBJ)
         $(AR) $(LIB) $(LIBOBJ)
-        @echo You may get an error following this line.  Please ignore.
-        - $(RANLIB) $(LIB)
+        $(RANLIB) $(LIB) || echo Never mind.
         @touch lib
 
 files:
@@ -80,17 +80,10 @@ clean:
 # DO NOT DELETE THIS LINE -- make depend depends on it.
 
 hmac.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-hmac.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-hmac.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
-hmac.o: ../../include/openssl/des.h ../../include/openssl/dh.h
-hmac.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-hmac.o: ../../include/openssl/evp.h ../../include/openssl/hmac.h
-hmac.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
-hmac.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-hmac.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+hmac.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h
+hmac.o: ../../include/openssl/e_os2.h ../../include/openssl/evp.h
+hmac.o: ../../include/openssl/hmac.h ../../include/openssl/obj_mac.h
 hmac.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-hmac.o: ../../include/openssl/opensslv.h ../../include/openssl/rc2.h
-hmac.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-hmac.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-hmac.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-hmac.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+hmac.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+hmac.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+hmac.o: ../../include/openssl/symhacks.h hmac.c
diff --git a/src/lib/libcrypto/hmac/hmac.c b/src/lib/libcrypto/hmac/hmac.c
index e1ec79e093..026dbe8f66 100644
--- a/src/lib/libcrypto/hmac/hmac.c
+++ b/src/lib/libcrypto/hmac/hmac.c
@@ -60,8 +60,8 @@
 #include <string.h>
 #include <openssl/hmac.h>
 
-void HMAC_Init(HMAC_CTX *ctx, const void *key, int len,
-               const EVP_MD *md)
+void HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len,
+                  const EVP_MD *md, ENGINE *impl)
         {
         int i,j,reset=0;
         unsigned char pad[HMAC_MAX_MD_CBLOCK];
@@ -70,8 +70,9 @@ void HMAC_Init(HMAC_CTX *ctx, const void *key, int len,
                 {
                 reset=1;
                 ctx->md=md;
+                EVP_MD_CTX_init(&ctx->md_ctx);
                 }
-        else
+        else 
                 md=ctx->md;
 
         if (key != NULL)
@@ -80,9 +81,9 @@ void HMAC_Init(HMAC_CTX *ctx, const void *key, int len,
                 j=EVP_MD_block_size(md);
                 if (j < len)
                         {
-                        EVP_DigestInit(&ctx->md_ctx,md);
+                        EVP_DigestInit_ex(&ctx->md_ctx,md, impl);
                         EVP_DigestUpdate(&ctx->md_ctx,key,len);
-                        EVP_DigestFinal(&(ctx->md_ctx),ctx->key,
+                        EVP_DigestFinal_ex(&(ctx->md_ctx),ctx->key,
                                 &ctx->key_length);
                         }
                 else
@@ -99,21 +100,28 @@ void HMAC_Init(HMAC_CTX *ctx, const void *key, int len,
                 {
                 for (i=0; i<HMAC_MAX_MD_CBLOCK; i++)
                         pad[i]=0x36^ctx->key[i];
-                EVP_DigestInit(&ctx->i_ctx,md);
+                EVP_DigestInit_ex(&ctx->i_ctx,md, impl);
                 EVP_DigestUpdate(&ctx->i_ctx,pad,EVP_MD_block_size(md));
 
                 for (i=0; i<HMAC_MAX_MD_CBLOCK; i++)
                         pad[i]=0x5c^ctx->key[i];
-                EVP_DigestInit(&ctx->o_ctx,md);
+                EVP_DigestInit_ex(&ctx->o_ctx,md, impl);
                 EVP_DigestUpdate(&ctx->o_ctx,pad,EVP_MD_block_size(md));
                 }
+        EVP_MD_CTX_copy_ex(&ctx->md_ctx,&ctx->i_ctx);
+        }
 
-        memcpy(&ctx->md_ctx,&ctx->i_ctx,sizeof(ctx->i_ctx));
+void HMAC_Init(HMAC_CTX *ctx, const void *key, int len,
+               const EVP_MD *md)
+        {
+        if(key && md)
+            HMAC_CTX_init(ctx);
+        HMAC_Init_ex(ctx,key,len,md, NULL);
         }
 
 void HMAC_Update(HMAC_CTX *ctx, const unsigned char *data, int len)
         {
-        EVP_DigestUpdate(&(ctx->md_ctx),data,len);
+        EVP_DigestUpdate(&ctx->md_ctx,data,len);
         }
 
 void HMAC_Final(HMAC_CTX *ctx, unsigned char *md, unsigned int *len)
@@ -124,15 +132,25 @@ void HMAC_Final(HMAC_CTX *ctx, unsigned char *md, unsigned int *len)
 
         j=EVP_MD_block_size(ctx->md);
 
-        EVP_DigestFinal(&(ctx->md_ctx),buf,&i);
-        memcpy(&(ctx->md_ctx),&(ctx->o_ctx),sizeof(ctx->o_ctx));
-        EVP_DigestUpdate(&(ctx->md_ctx),buf,i);
-        EVP_DigestFinal(&(ctx->md_ctx),md,len);
+        EVP_DigestFinal_ex(&ctx->md_ctx,buf,&i);
+        EVP_MD_CTX_copy_ex(&ctx->md_ctx,&ctx->o_ctx);
+        EVP_DigestUpdate(&ctx->md_ctx,buf,i);
+        EVP_DigestFinal_ex(&ctx->md_ctx,md,len);
+        }
+
+void HMAC_CTX_init(HMAC_CTX *ctx)
+        {
+        EVP_MD_CTX_init(&ctx->i_ctx);
+        EVP_MD_CTX_init(&ctx->o_ctx);
+        EVP_MD_CTX_init(&ctx->md_ctx);
         }
 
-void HMAC_cleanup(HMAC_CTX *ctx)
+void HMAC_CTX_cleanup(HMAC_CTX *ctx)
         {
-        memset(ctx,0,sizeof(HMAC_CTX));
+        EVP_MD_CTX_cleanup(&ctx->i_ctx);
+        EVP_MD_CTX_cleanup(&ctx->o_ctx);
+        EVP_MD_CTX_cleanup(&ctx->md_ctx);
+        memset(ctx,0,sizeof *ctx);
         }
 
 unsigned char *HMAC(const EVP_MD *evp_md, const void *key, int key_len,
@@ -143,10 +161,11 @@ unsigned char *HMAC(const EVP_MD *evp_md, const void *key, int key_len,
         static unsigned char m[EVP_MAX_MD_SIZE];
 
         if (md == NULL) md=m;
+        HMAC_CTX_init(&c);
         HMAC_Init(&c,key,key_len,evp_md);
         HMAC_Update(&c,d,n);
         HMAC_Final(&c,md,md_len);
-        HMAC_cleanup(&c);
+        HMAC_CTX_cleanup(&c);
         return(md);
         }
 
diff --git a/src/lib/libcrypto/hmac/hmac.h b/src/lib/libcrypto/hmac/hmac.h
index 328bad2608..0364a1fcbd 100644
--- a/src/lib/libcrypto/hmac/hmac.h
+++ b/src/lib/libcrypto/hmac/hmac.h
@@ -58,7 +58,7 @@
 #ifndef HEADER_HMAC_H
 #define HEADER_HMAC_H
 
-#ifdef NO_HMAC
+#ifdef OPENSSL_NO_HMAC
 #error HMAC is disabled.
 #endif
 
@@ -83,11 +83,17 @@ typedef struct hmac_ctx_st
 #define HMAC_size(e)    (EVP_MD_size((e)->md))
 
 
+void HMAC_CTX_init(HMAC_CTX *ctx);
+void HMAC_CTX_cleanup(HMAC_CTX *ctx);
+
+#define HMAC_cleanup(ctx) HMAC_CTX_cleanup(ctx) /* deprecated */
+
 void HMAC_Init(HMAC_CTX *ctx, const void *key, int len,
-               const EVP_MD *md);
+               const EVP_MD *md); /* deprecated */
+void HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len,
+                  const EVP_MD *md, ENGINE *impl);
 void HMAC_Update(HMAC_CTX *ctx, const unsigned char *data, int len);
 void HMAC_Final(HMAC_CTX *ctx, unsigned char *md, unsigned int *len);
-void HMAC_cleanup(HMAC_CTX *ctx);
 unsigned char *HMAC(const EVP_MD *evp_md, const void *key, int key_len,
                     const unsigned char *d, int n, unsigned char *md,
                     unsigned int *md_len);
diff --git a/src/lib/libcrypto/hmac/hmactest.c b/src/lib/libcrypto/hmac/hmactest.c
index 4b56b8ee13..96d3beb8e6 100644
--- a/src/lib/libcrypto/hmac/hmactest.c
+++ b/src/lib/libcrypto/hmac/hmactest.c
@@ -60,7 +60,7 @@
 #include <string.h>
 #include <stdlib.h>
 
-#ifdef NO_HMAC
+#ifdef OPENSSL_NO_HMAC
 int main(int argc, char *argv[])
 {
     printf("No HMAC support\n");
@@ -68,6 +68,7 @@ int main(int argc, char *argv[])
 }
 #else
 #include <openssl/hmac.h>
+#include <openssl/md5.h>
 
 #ifdef CHARSET_EBCDIC
 #include <openssl/ebcdic.h>
diff --git a/src/lib/libcrypto/idea/Makefile.ssl b/src/lib/libcrypto/idea/Makefile.ssl
index 30302e0b9f..217e6e0136 100644
--- a/src/lib/libcrypto/idea/Makefile.ssl
+++ b/src/lib/libcrypto/idea/Makefile.ssl
@@ -11,7 +11,8 @@ INSTALL_PREFIX=
 OPENSSLDIR=     /usr/local/ssl
 INSTALLTOP=/usr/local/ssl
 MAKE=           make -f Makefile.ssl
-MAKEDEPEND=     $(TOP)/util/domd $(TOP)
+MAKEDEPPROG=    makedepend
+MAKEDEPEND=     $(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)
 MAKEFILE=       Makefile.ssl
 AR=             ar r
 
@@ -39,8 +40,7 @@ all:	lib
 
 lib:    $(LIBOBJ)
         $(AR) $(LIB) $(LIBOBJ)
-        @echo You may get an error following this line.  Please ignore.
-        - $(RANLIB) $(LIB)
+        $(RANLIB) $(LIB) || echo Never mind.
         @touch lib
 
 files:
@@ -80,12 +80,12 @@ clean:
 # DO NOT DELETE THIS LINE -- make depend depends on it.
 
 i_cbc.o: ../../include/openssl/idea.h ../../include/openssl/opensslconf.h
-i_cbc.o: idea_lcl.h
+i_cbc.o: i_cbc.c idea_lcl.h
 i_cfb64.o: ../../include/openssl/idea.h ../../include/openssl/opensslconf.h
-i_cfb64.o: idea_lcl.h
+i_cfb64.o: i_cfb64.c idea_lcl.h
 i_ecb.o: ../../include/openssl/idea.h ../../include/openssl/opensslconf.h
-i_ecb.o: ../../include/openssl/opensslv.h idea_lcl.h
+i_ecb.o: ../../include/openssl/opensslv.h i_ecb.c idea_lcl.h
 i_ofb64.o: ../../include/openssl/idea.h ../../include/openssl/opensslconf.h
-i_ofb64.o: idea_lcl.h
+i_ofb64.o: i_ofb64.c idea_lcl.h
 i_skey.o: ../../include/openssl/idea.h ../../include/openssl/opensslconf.h
-i_skey.o: idea_lcl.h
+i_skey.o: i_skey.c idea_lcl.h
diff --git a/src/lib/libcrypto/idea/idea.h b/src/lib/libcrypto/idea/idea.h
index f14adf8398..67132414ee 100644
--- a/src/lib/libcrypto/idea/idea.h
+++ b/src/lib/libcrypto/idea/idea.h
@@ -59,7 +59,7 @@
 #ifndef HEADER_IDEA_H
 #define HEADER_IDEA_H
 
-#ifdef NO_IDEA
+#ifdef OPENSSL_NO_IDEA
 #error IDEA is disabled.
 #endif
 
diff --git a/src/lib/libcrypto/install.com b/src/lib/libcrypto/install.com
index ea97665471..b3d155e964 100644
--- a/src/lib/libcrypto/install.com
+++ b/src/lib/libcrypto/install.com
@@ -34,10 +34,12 @@ $	IF F$PARSE("WRK_SSLINCLUDE:") .EQS. "" THEN -
 $
 $       SDIRS := ,MD2,MD4,MD5,SHA,MDC2,HMAC,RIPEMD,-
                  DES,RC2,RC4,RC5,IDEA,BF,CAST,-
-                 BN,RSA,DSA,DH,DSO,ENGINE,-
+                 BN,EC,RSA,DSA,DH,DSO,ENGINE,AES,-
                  BUFFER,BIO,STACK,LHASH,RAND,ERR,OBJECTS,-
-                 EVP,ASN1,PEM,X509,X509V3,CONF,TXT_DB,PKCS7,PKCS12,COMP
-$       EXHEADER_ := crypto.h,tmdiff.h,opensslv.h,opensslconf.h,ebcdic.h,symhacks.h
+                 EVP,ASN1,PEM,X509,X509V3,CONF,TXT_DB,PKCS7,PKCS12,COMP,OCSP,-
+                 UI,KRB5
+$       EXHEADER_ := crypto.h,tmdiff.h,opensslv.h,opensslconf.h,ebcdic.h,-
+                symhacks.h,ossl_typ.h
 $       EXHEADER_MD2 := md2.h
 $       EXHEADER_MD4 := md4.h
 $       EXHEADER_MD5 := md5.h
@@ -45,7 +47,7 @@ $	EXHEADER_SHA := sha.h
 $       EXHEADER_MDC2 := mdc2.h
 $       EXHEADER_HMAC := hmac.h
 $       EXHEADER_RIPEMD := ripemd.h
-$       EXHEADER_DES := des.h
+$       EXHEADER_DES := des.h,des_old.h
 $       EXHEADER_RC2 := rc2.h
 $       EXHEADER_RC4 := rc4.h
 $       EXHEADER_RC5 := rc5.h
@@ -53,11 +55,13 @@ $	EXHEADER_IDEA := idea.h
 $       EXHEADER_BF := blowfish.h
 $       EXHEADER_CAST := cast.h
 $       EXHEADER_BN := bn.h
+$       EXHEADER_EC := ec.h
 $       EXHEADER_RSA := rsa.h
 $       EXHEADER_DSA := dsa.h
 $       EXHEADER_DH := dh.h
 $       EXHEADER_DSO := dso.h
 $       EXHEADER_ENGINE := engine.h
+$       EXHEADER_AES := aes.h
 $       EXHEADER_BUFFER := buffer.h
 $       EXHEADER_BIO := bio.h
 $       EXHEADER_STACK := stack.h,safestack.h
@@ -66,7 +70,7 @@ $	EXHEADER_RAND := rand.h
 $       EXHEADER_ERR := err.h
 $       EXHEADER_OBJECTS := objects.h,obj_mac.h
 $       EXHEADER_EVP := evp.h
-$       EXHEADER_ASN1 := asn1.h,asn1_mac.h
+$       EXHEADER_ASN1 := asn1.h,asn1_mac.h,asn1t.h
 $       EXHEADER_PEM := pem.h,pem2.h
 $       EXHEADER_X509 := x509.h,x509_vfy.h
 $       EXHEADER_X509V3 := x509v3.h
@@ -75,6 +79,9 @@ $	EXHEADER_TXT_DB := txt_db.h
 $       EXHEADER_PKCS7 := pkcs7.h
 $       EXHEADER_PKCS12 := pkcs12.h
 $       EXHEADER_COMP := comp.h
+$       EXHEADER_OCSP := ocsp.h
+$       EXHEADER_UI := ui.h,ui_compat.h
+$       EXHEADER_KRB5 := krb5_asn.h
 $       LIBS := LIBCRYPTO
 $
 $       VEXE_DIR := [-.VAX.EXE.CRYPTO]
diff --git a/src/lib/libcrypto/krb5/Makefile.ssl b/src/lib/libcrypto/krb5/Makefile.ssl
new file mode 100644
index 0000000000..6dd4449e1e
--- /dev/null
+++ b/src/lib/libcrypto/krb5/Makefile.ssl
@@ -0,0 +1,90 @@
+#
+# OpenSSL/krb5/Makefile.ssl
+#
+
+DIR=    krb5
+TOP=    ../..
+CC=     cc
+INCLUDES= -I.. -I$(TOP) -I../../include
+CFLAG=-g
+INSTALL_PREFIX=
+OPENSSLDIR=     /usr/local/ssl
+INSTALLTOP=/usr/local/ssl
+MAKE=           make -f Makefile.ssl
+MAKEDEPPROG=    makedepend
+MAKEDEPEND=     $(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)
+MAKEFILE=       Makefile.ssl
+AR=             ar r
+
+CFLAGS= $(INCLUDES) $(CFLAG)
+
+GENERAL=Makefile README
+TEST=
+APPS=
+
+LIB=$(TOP)/libcrypto.a
+LIBSRC= krb5_asn.c
+
+LIBOBJ= krb5_asn.o
+
+SRC= $(LIBSRC)
+
+EXHEADER= krb5_asn.h
+HEADER= $(EXHEADER)
+
+ALL=    $(GENERAL) $(SRC) $(HEADER)
+
+top:
+        (cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
+
+all:    lib
+
+lib:    $(LIBOBJ)
+        $(AR) $(LIB) $(LIBOBJ)
+        $(RANLIB) $(LIB)
+        @touch lib
+
+files:
+        perl $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO
+
+links:
+        $(TOP)/util/point.sh Makefile.ssl Makefile ;
+        $(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
+        $(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
+        $(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
+
+install:
+        @for i in $(EXHEADER) ; \
+        do  \
+        (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
+        chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
+        done;
+
+tags:
+        ctags $(SRC)
+
+tests:
+
+lint:
+        lint -DLINT $(INCLUDES) $(SRC)>fluff
+
+depend:
+        $(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(LIBSRC)
+
+dclean:
+        $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
+        mv -f Makefile.new $(MAKEFILE)
+
+clean:
+        rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
+
+# DO NOT DELETE THIS LINE -- make depend depends on it.
+
+krb5_asn.o: ../../include/openssl/asn1.h ../../include/openssl/asn1t.h
+krb5_asn.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+krb5_asn.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+krb5_asn.o: ../../include/openssl/krb5_asn.h
+krb5_asn.o: ../../include/openssl/opensslconf.h
+krb5_asn.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+krb5_asn.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+krb5_asn.o: ../../include/openssl/symhacks.h krb5_asn.c
diff --git a/src/lib/libcrypto/krb5/krb5_asn.c b/src/lib/libcrypto/krb5/krb5_asn.c
new file mode 100644
index 0000000000..1fb741d2a0
--- /dev/null
+++ b/src/lib/libcrypto/krb5/krb5_asn.c
@@ -0,0 +1,167 @@
+/* krb5_asn.c */
+/* Written by Vern Staats <staatsvr@asc.hpc.mil> for the OpenSSL project,
+** using ocsp/{*.h,*asn*.c} as a starting point
+*/
+/* ====================================================================
+ * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+#include <openssl/asn1.h>
+#include <openssl/asn1t.h>
+#include <openssl/krb5_asn.h>
+
+
+ASN1_SEQUENCE(KRB5_ENCDATA) = {
+        ASN1_EXP(KRB5_ENCDATA, etype,           ASN1_INTEGER,     0),
+        ASN1_EXP_OPT(KRB5_ENCDATA, kvno,        ASN1_INTEGER,     1),
+        ASN1_EXP(KRB5_ENCDATA, cipher,          ASN1_OCTET_STRING,2)
+} ASN1_SEQUENCE_END(KRB5_ENCDATA)
+
+IMPLEMENT_ASN1_FUNCTIONS(KRB5_ENCDATA)
+
+
+ASN1_SEQUENCE(KRB5_PRINCNAME) = {
+        ASN1_EXP(KRB5_PRINCNAME, nametype,      ASN1_INTEGER,     0),
+        ASN1_EXP_SEQUENCE_OF(KRB5_PRINCNAME, namestring, ASN1_GENERALSTRING, 1)
+} ASN1_SEQUENCE_END(KRB5_PRINCNAME)
+
+IMPLEMENT_ASN1_FUNCTIONS(KRB5_PRINCNAME)
+
+
+/* [APPLICATION 1] = 0x61 */
+ASN1_SEQUENCE(KRB5_TKTBODY) = {
+        ASN1_EXP(KRB5_TKTBODY, tktvno,          ASN1_INTEGER,     0),
+        ASN1_EXP(KRB5_TKTBODY, realm,           ASN1_GENERALSTRING, 1),
+        ASN1_EXP(KRB5_TKTBODY, sname,           KRB5_PRINCNAME,   2),
+        ASN1_EXP(KRB5_TKTBODY, encdata,         KRB5_ENCDATA,     3)
+} ASN1_SEQUENCE_END(KRB5_TKTBODY)
+
+IMPLEMENT_ASN1_FUNCTIONS(KRB5_TKTBODY)
+
+
+ASN1_ITEM_TEMPLATE(KRB5_TICKET) = 
+        ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_EXPTAG|ASN1_TFLG_APPLICATION, 1,
+                        KRB5_TICKET, KRB5_TKTBODY)
+ASN1_ITEM_TEMPLATE_END(KRB5_TICKET)
+
+IMPLEMENT_ASN1_FUNCTIONS(KRB5_TICKET)
+
+
+/* [APPLICATION 14] = 0x6e */
+ASN1_SEQUENCE(KRB5_APREQBODY) = {
+        ASN1_EXP(KRB5_APREQBODY, pvno,          ASN1_INTEGER,     0),
+        ASN1_EXP(KRB5_APREQBODY, msgtype,       ASN1_INTEGER,     1),
+        ASN1_EXP(KRB5_APREQBODY, apoptions,     ASN1_BIT_STRING,  2),
+        ASN1_EXP(KRB5_APREQBODY, ticket,        KRB5_TICKET,      3),
+        ASN1_EXP(KRB5_APREQBODY, authenticator, KRB5_ENCDATA,     4),
+} ASN1_SEQUENCE_END(KRB5_APREQBODY)
+
+IMPLEMENT_ASN1_FUNCTIONS(KRB5_APREQBODY)
+
+ASN1_ITEM_TEMPLATE(KRB5_APREQ) = 
+        ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_EXPTAG|ASN1_TFLG_APPLICATION, 14,
+                        KRB5_APREQ, KRB5_APREQBODY)
+ASN1_ITEM_TEMPLATE_END(KRB5_APREQ)
+
+IMPLEMENT_ASN1_FUNCTIONS(KRB5_APREQ)
+
+
+/*  Authenticator stuff         */
+
+ASN1_SEQUENCE(KRB5_CHECKSUM) = {
+        ASN1_EXP(KRB5_CHECKSUM, ctype,          ASN1_INTEGER,     0),
+        ASN1_EXP(KRB5_CHECKSUM, checksum,       ASN1_OCTET_STRING,1)
+} ASN1_SEQUENCE_END(KRB5_CHECKSUM)
+
+IMPLEMENT_ASN1_FUNCTIONS(KRB5_CHECKSUM)
+
+
+ASN1_SEQUENCE(KRB5_ENCKEY) = {
+        ASN1_EXP(KRB5_ENCKEY,   ktype,          ASN1_INTEGER,     0),
+        ASN1_EXP(KRB5_ENCKEY,   keyvalue,       ASN1_OCTET_STRING,1)
+} ASN1_SEQUENCE_END(KRB5_ENCKEY)
+
+IMPLEMENT_ASN1_FUNCTIONS(KRB5_ENCKEY)
+
+
+/* SEQ OF SEQ; see ASN1_EXP_SEQUENCE_OF_OPT() below */
+ASN1_SEQUENCE(KRB5_AUTHDATA) = {
+        ASN1_EXP(KRB5_AUTHDATA, adtype,         ASN1_INTEGER,     0),
+        ASN1_EXP(KRB5_AUTHDATA, addata,         ASN1_OCTET_STRING,1)
+} ASN1_SEQUENCE_END(KRB5_AUTHDATA)
+
+IMPLEMENT_ASN1_FUNCTIONS(KRB5_AUTHDATA)
+
+
+/* [APPLICATION 2] = 0x62 */
+ASN1_SEQUENCE(KRB5_AUTHENTBODY) = {
+        ASN1_EXP(KRB5_AUTHENTBODY,      avno,   ASN1_INTEGER,     0),
+        ASN1_EXP(KRB5_AUTHENTBODY,      crealm, ASN1_GENERALSTRING, 1),
+        ASN1_EXP(KRB5_AUTHENTBODY,      cname,  KRB5_PRINCNAME,   2),
+        ASN1_EXP_OPT(KRB5_AUTHENTBODY,  cksum,  KRB5_CHECKSUM,    3),
+        ASN1_EXP(KRB5_AUTHENTBODY,      cusec,  ASN1_INTEGER,     4),
+        ASN1_EXP(KRB5_AUTHENTBODY,      ctime,  ASN1_GENERALIZEDTIME, 5),
+        ASN1_EXP_OPT(KRB5_AUTHENTBODY,  subkey, KRB5_ENCKEY,      6),
+        ASN1_EXP_OPT(KRB5_AUTHENTBODY,  seqnum, ASN1_INTEGER,     7),
+        ASN1_EXP_SEQUENCE_OF_OPT
+                    (KRB5_AUTHENTBODY,  authorization,  KRB5_AUTHDATA, 8),
+} ASN1_SEQUENCE_END(KRB5_AUTHENTBODY)
+
+IMPLEMENT_ASN1_FUNCTIONS(KRB5_AUTHENTBODY)
+
+ASN1_ITEM_TEMPLATE(KRB5_AUTHENT) = 
+        ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_EXPTAG|ASN1_TFLG_APPLICATION, 2,
+                        KRB5_AUTHENT, KRB5_AUTHENTBODY)
+ASN1_ITEM_TEMPLATE_END(KRB5_AUTHENT)
+
+IMPLEMENT_ASN1_FUNCTIONS(KRB5_AUTHENT)
+
diff --git a/src/lib/libcrypto/krb5/krb5_asn.h b/src/lib/libcrypto/krb5/krb5_asn.h
new file mode 100644
index 0000000000..3329477b07
--- /dev/null
+++ b/src/lib/libcrypto/krb5/krb5_asn.h
@@ -0,0 +1,256 @@
+/* krb5_asn.h */
+/* Written by Vern Staats <staatsvr@asc.hpc.mil> for the OpenSSL project,
+** using ocsp/{*.h,*asn*.c} as a starting point
+*/
+
+/* ====================================================================
+ * Copyright (c) 1998-2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#ifndef HEADER_KRB5_ASN_H
+#define HEADER_KRB5_ASN_H
+
+/*
+#include <krb5.h>
+*/
+#include <openssl/safestack.h>
+
+#ifdef  __cplusplus
+extern "C" {
+#endif
+
+
+/*      ASN.1 from Kerberos RFC 1510
+*/
+
+/*      EncryptedData ::=   SEQUENCE {
+**              etype[0]                      INTEGER, -- EncryptionType
+**              kvno[1]                       INTEGER OPTIONAL,
+**              cipher[2]                     OCTET STRING -- ciphertext
+**      }
+*/
+typedef struct  krb5_encdata_st
+        {
+        ASN1_INTEGER                    *etype;
+        ASN1_INTEGER                    *kvno;
+        ASN1_OCTET_STRING               *cipher;
+        }       KRB5_ENCDATA;
+
+DECLARE_STACK_OF(KRB5_ENCDATA)
+
+/*      PrincipalName ::=   SEQUENCE {
+**              name-type[0]                  INTEGER,
+**              name-string[1]                SEQUENCE OF GeneralString
+**      }
+*/
+typedef struct  krb5_princname_st
+        {
+        ASN1_INTEGER                    *nametype;
+        STACK_OF(ASN1_GENERALSTRING)    *namestring;
+        }       KRB5_PRINCNAME;
+
+DECLARE_STACK_OF(KRB5_PRINCNAME)
+
+
+/*      Ticket ::=      [APPLICATION 1] SEQUENCE {
+**              tkt-vno[0]                    INTEGER,
+**              realm[1]                      Realm,
+**              sname[2]                      PrincipalName,
+**              enc-part[3]                   EncryptedData
+**      }
+*/
+typedef struct  krb5_tktbody_st
+        {
+        ASN1_INTEGER                    *tktvno;
+        ASN1_GENERALSTRING              *realm;
+        KRB5_PRINCNAME                  *sname;
+        KRB5_ENCDATA                    *encdata;
+        }       KRB5_TKTBODY;
+
+typedef STACK_OF(KRB5_TKTBODY) KRB5_TICKET;
+DECLARE_STACK_OF(KRB5_TKTBODY)
+
+
+/*      AP-REQ ::=      [APPLICATION 14] SEQUENCE {
+**              pvno[0]                       INTEGER,
+**              msg-type[1]                   INTEGER,
+**              ap-options[2]                 APOptions,
+**              ticket[3]                     Ticket,
+**              authenticator[4]              EncryptedData
+**      }
+**
+**      APOptions ::=   BIT STRING {
+**              reserved(0), use-session-key(1), mutual-required(2) }
+*/
+typedef struct  krb5_ap_req_st
+        {
+        ASN1_INTEGER                    *pvno;
+        ASN1_INTEGER                    *msgtype;
+        ASN1_BIT_STRING                 *apoptions;
+        KRB5_TICKET                     *ticket;
+        KRB5_ENCDATA                    *authenticator;
+        }       KRB5_APREQBODY;
+
+typedef STACK_OF(KRB5_APREQBODY) KRB5_APREQ;
+DECLARE_STACK_OF(KRB5_APREQBODY)
+
+
+/*      Authenticator Stuff     */
+
+
+/*      Checksum ::=   SEQUENCE {
+**              cksumtype[0]                  INTEGER,
+**              checksum[1]                   OCTET STRING
+**      }
+*/
+typedef struct  krb5_checksum_st
+        {
+        ASN1_INTEGER                    *ctype;
+        ASN1_OCTET_STRING               *checksum;
+        }       KRB5_CHECKSUM;
+
+DECLARE_STACK_OF(KRB5_CHECKSUM)
+
+
+/*      EncryptionKey ::=   SEQUENCE {
+**              keytype[0]                    INTEGER,
+**              keyvalue[1]                   OCTET STRING
+**      }
+*/
+typedef struct  krb5_encryptionkey_st
+        {
+        ASN1_INTEGER                    *ktype;
+        ASN1_OCTET_STRING               *keyvalue;
+        }       KRB5_ENCKEY;
+
+DECLARE_STACK_OF(KRB5_ENCKEY)
+
+
+/*      AuthorizationData ::=   SEQUENCE OF SEQUENCE {
+**              ad-type[0]                    INTEGER,
+**              ad-data[1]                    OCTET STRING
+**      }
+*/
+typedef struct  krb5_authorization_st
+        {
+        ASN1_INTEGER                    *adtype;
+        ASN1_OCTET_STRING               *addata;
+        }       KRB5_AUTHDATA;
+
+DECLARE_STACK_OF(KRB5_AUTHDATA)
+
+                        
+/*      -- Unencrypted authenticator
+**      Authenticator ::=    [APPLICATION 2] SEQUENCE    {
+**              authenticator-vno[0]          INTEGER,
+**              crealm[1]                     Realm,
+**              cname[2]                      PrincipalName,
+**              cksum[3]                      Checksum OPTIONAL,
+**              cusec[4]                      INTEGER,
+**              ctime[5]                      KerberosTime,
+**              subkey[6]                     EncryptionKey OPTIONAL,
+**              seq-number[7]                 INTEGER OPTIONAL,
+**              authorization-data[8]         AuthorizationData OPTIONAL
+**      }
+*/
+typedef struct  krb5_authenticator_st
+        {
+        ASN1_INTEGER                    *avno;
+        ASN1_GENERALSTRING              *crealm;
+        KRB5_PRINCNAME                  *cname;
+        KRB5_CHECKSUM                   *cksum;
+        ASN1_INTEGER                    *cusec;
+        ASN1_GENERALIZEDTIME            *ctime;
+        KRB5_ENCKEY                     *subkey;
+        ASN1_INTEGER                    *seqnum;
+        KRB5_AUTHDATA                   *authorization;
+        }       KRB5_AUTHENTBODY;
+
+typedef STACK_OF(KRB5_AUTHENTBODY) KRB5_AUTHENT;
+DECLARE_STACK_OF(KRB5_AUTHENTBODY)
+
+
+/*  DECLARE_ASN1_FUNCTIONS(type) = DECLARE_ASN1_FUNCTIONS_name(type, type) =
+**      type *name##_new(void);
+**      void name##_free(type *a);
+**      DECLARE_ASN1_ENCODE_FUNCTIONS(type, name, name) =
+**       DECLARE_ASN1_ENCODE_FUNCTIONS(type, itname, name) =
+**        type *d2i_##name(type **a, unsigned char **in, long len);
+**        int i2d_##name(type *a, unsigned char **out);
+**        DECLARE_ASN1_ITEM(itname) = OPENSSL_EXTERN const ASN1_ITEM itname##_it
+*/
+
+DECLARE_ASN1_FUNCTIONS(KRB5_ENCDATA)
+DECLARE_ASN1_FUNCTIONS(KRB5_PRINCNAME)
+DECLARE_ASN1_FUNCTIONS(KRB5_TKTBODY)
+DECLARE_ASN1_FUNCTIONS(KRB5_APREQBODY)
+DECLARE_ASN1_FUNCTIONS(KRB5_TICKET)
+DECLARE_ASN1_FUNCTIONS(KRB5_APREQ)
+
+DECLARE_ASN1_FUNCTIONS(KRB5_CHECKSUM)
+DECLARE_ASN1_FUNCTIONS(KRB5_ENCKEY)
+DECLARE_ASN1_FUNCTIONS(KRB5_AUTHDATA)
+DECLARE_ASN1_FUNCTIONS(KRB5_AUTHENTBODY)
+DECLARE_ASN1_FUNCTIONS(KRB5_AUTHENT)
+
+
+/* BEGIN ERROR CODES */
+/* The following lines are auto generated by the script mkerr.pl. Any changes
+ * made after this point may be overwritten when the script is next run.
+ */
+
+#ifdef  __cplusplus
+}
+#endif
+#endif
+
diff --git a/src/lib/libcrypto/lhash/Makefile.ssl b/src/lib/libcrypto/lhash/Makefile.ssl
index 79849d7d6e..1eef09f3fa 100644
--- a/src/lib/libcrypto/lhash/Makefile.ssl
+++ b/src/lib/libcrypto/lhash/Makefile.ssl
@@ -11,7 +11,8 @@ INSTALL_PREFIX=
 OPENSSLDIR=     /usr/local/ssl
 INSTALLTOP=/usr/local/ssl
 MAKE=           make -f Makefile.ssl
-MAKEDEPEND=     $(TOP)/util/domd $(TOP)
+MAKEDEPPROG=    makedepend
+MAKEDEPEND=     $(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)
 MAKEFILE=       Makefile.ssl
 AR=             ar r
 
@@ -39,8 +40,7 @@ all:	lib
 
 lib:    $(LIBOBJ)
         $(AR) $(LIB) $(LIBOBJ)
-        @echo You may get an error following this line.  Please ignore.
-        - $(RANLIB) $(LIB)
+        $(RANLIB) $(LIB) || echo Never mind.
         @touch lib
 
 files:
@@ -79,14 +79,15 @@ clean:
 
 # DO NOT DELETE THIS LINE -- make depend depends on it.
 
-lh_stats.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
-lh_stats.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+lh_stats.o: ../../e_os.h ../../include/openssl/bio.h
+lh_stats.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 lh_stats.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 lh_stats.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
 lh_stats.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
 lh_stats.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-lh_stats.o: ../cryptlib.h
+lh_stats.o: ../cryptlib.h lh_stats.c
 lhash.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
-lhash.o: ../../include/openssl/lhash.h ../../include/openssl/opensslv.h
+lhash.o: ../../include/openssl/e_os2.h ../../include/openssl/lhash.h
+lhash.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
 lhash.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-lhash.o: ../../include/openssl/symhacks.h
+lhash.o: ../../include/openssl/symhacks.h lhash.c
diff --git a/src/lib/libcrypto/lhash/lh_stats.c b/src/lib/libcrypto/lhash/lh_stats.c
index ee0600060e..39ea2885f4 100644
--- a/src/lib/libcrypto/lhash/lh_stats.c
+++ b/src/lib/libcrypto/lhash/lh_stats.c
@@ -63,12 +63,12 @@
  * and things should work as expected */
 #include "cryptlib.h"
 
-#ifndef NO_BIO
+#ifndef OPENSSL_NO_BIO
 #include <openssl/bio.h>
 #endif
 #include <openssl/lhash.h>
 
-#ifdef NO_BIO
+#ifdef OPENSSL_NO_BIO
 
 void lh_stats(LHASH *lh, FILE *out)
         {
@@ -88,7 +88,7 @@ void lh_stats(LHASH *lh, FILE *out)
         fprintf(out,"num_retrieve          = %lu\n",lh->num_retrieve);
         fprintf(out,"num_retrieve_miss     = %lu\n",lh->num_retrieve_miss);
         fprintf(out,"num_hash_comps        = %lu\n",lh->num_hash_comps);
-#ifdef DEBUG
+#if 0
         fprintf(out,"p                     = %u\n",lh->p);
         fprintf(out,"pmax                  = %u\n",lh->pmax);
         fprintf(out,"up_load               = %lu\n",lh->up_load);
@@ -138,8 +138,8 @@ void lh_node_usage_stats(LHASH *lh, FILE *out)
 
 #else
 
-#ifndef NO_FP_API
-void lh_stats(LHASH *lh, FILE *fp)
+#ifndef OPENSSL_NO_FP_API
+void lh_stats(const LHASH *lh, FILE *fp)
         {
         BIO *bp;
 
@@ -151,7 +151,7 @@ void lh_stats(LHASH *lh, FILE *fp)
 end:;
         }
 
-void lh_node_stats(LHASH *lh, FILE *fp)
+void lh_node_stats(const LHASH *lh, FILE *fp)
         {
         BIO *bp;
 
@@ -163,7 +163,7 @@ void lh_node_stats(LHASH *lh, FILE *fp)
 end:;
         }
 
-void lh_node_usage_stats(LHASH *lh, FILE *fp)
+void lh_node_usage_stats(const LHASH *lh, FILE *fp)
         {
         BIO *bp;
 
@@ -177,7 +177,7 @@ end:;
 
 #endif
 
-void lh_stats_bio(LHASH *lh, BIO *out)
+void lh_stats_bio(const LHASH *lh, BIO *out)
         {
         char buf[128];
 
@@ -213,7 +213,7 @@ void lh_stats_bio(LHASH *lh, BIO *out)
         BIO_puts(out,buf);
         sprintf(buf,"num_hash_comps        = %lu\n",lh->num_hash_comps);
         BIO_puts(out,buf);
-#ifdef DEBUG
+#if 0
         sprintf(buf,"p                     = %u\n",lh->p);
         BIO_puts(out,buf);
         sprintf(buf,"pmax                  = %u\n",lh->pmax);
@@ -225,7 +225,7 @@ void lh_stats_bio(LHASH *lh, BIO *out)
 #endif
         }
 
-void lh_node_stats_bio(LHASH *lh, BIO *out)
+void lh_node_stats_bio(const LHASH *lh, BIO *out)
         {
         LHASH_NODE *n;
         unsigned int i,num;
@@ -240,7 +240,7 @@ void lh_node_stats_bio(LHASH *lh, BIO *out)
                 }
         }
 
-void lh_node_usage_stats_bio(LHASH *lh, BIO *out)
+void lh_node_usage_stats_bio(const LHASH *lh, BIO *out)
         {
         LHASH_NODE *n;
         unsigned long num;
diff --git a/src/lib/libcrypto/lhash/lh_test.c b/src/lib/libcrypto/lhash/lh_test.c
index 6008781e57..85700c859b 100644
--- a/src/lib/libcrypto/lhash/lh_test.c
+++ b/src/lib/libcrypto/lhash/lh_test.c
@@ -75,7 +75,6 @@ main()
                 buf[0]='\0';
                 fgets(buf,256,stdin);
                 if (buf[0] == '\0') break;
-                buf[256]='\0';
                 i=strlen(buf);
                 p=OPENSSL_malloc(i+1);
                 memcpy(p,buf,i+1);
diff --git a/src/lib/libcrypto/lhash/lhash.c b/src/lib/libcrypto/lhash/lhash.c
index 7da14620a4..0a16fcf27d 100644
--- a/src/lib/libcrypto/lhash/lhash.c
+++ b/src/lib/libcrypto/lhash/lhash.c
@@ -109,9 +109,9 @@ const char *lh_version="lhash" OPENSSL_VERSION_PTEXT;
 
 static void expand(LHASH *lh);
 static void contract(LHASH *lh);
-static LHASH_NODE **getrn(LHASH *lh, void *data, unsigned long *rhash);
+static LHASH_NODE **getrn(LHASH *lh, const void *data, unsigned long *rhash);
 
-LHASH *lh_new(unsigned long (*h)(), int (*c)())
+LHASH *lh_new(LHASH_HASH_FN_TYPE h, LHASH_COMP_FN_TYPE c)
         {
         LHASH *ret;
         int i;
@@ -122,8 +122,8 @@ LHASH *lh_new(unsigned long (*h)(), int (*c)())
                 goto err1;
         for (i=0; i<MIN_NODES; i++)
                 ret->b[i]=NULL;
-        ret->comp=((c == NULL)?(int (*)())strcmp:c);
-        ret->hash=((h == NULL)?(unsigned long (*)())lh_strhash:h);
+        ret->comp=((c == NULL)?(LHASH_COMP_FN_TYPE)strcmp:c);
+        ret->hash=((h == NULL)?(LHASH_HASH_FN_TYPE)lh_strhash:h);
         ret->num_nodes=MIN_NODES/2;
         ret->num_alloc_nodes=MIN_NODES;
         ret->p=0;
@@ -176,11 +176,11 @@ void lh_free(LHASH *lh)
         OPENSSL_free(lh);
         }
 
-void *lh_insert(LHASH *lh, void *data)
+void *lh_insert(LHASH *lh, const void *data)
         {
         unsigned long hash;
         LHASH_NODE *nn,**rn;
-        void *ret;
+        const void *ret;
 
         lh->error=0;
         if (lh->up_load <= (lh->num_items*LH_LOAD_MULT/lh->num_nodes))
@@ -197,7 +197,7 @@ void *lh_insert(LHASH *lh, void *data)
                         }
                 nn->data=data;
                 nn->next=NULL;
-#ifndef NO_HASH_COMP
+#ifndef OPENSSL_NO_HASH_COMP
                 nn->hash=hash;
 #endif
                 *rn=nn;
@@ -211,14 +211,14 @@ void *lh_insert(LHASH *lh, void *data)
                 (*rn)->data=data;
                 lh->num_replace++;
                 }
-        return(ret);
+        return((void *)ret);
         }
 
-void *lh_delete(LHASH *lh, void *data)
+void *lh_delete(LHASH *lh, const void *data)
         {
         unsigned long hash;
         LHASH_NODE *nn,**rn;
-        void *ret;
+        const void *ret;
 
         lh->error=0;
         rn=getrn(lh,data,&hash);
@@ -242,14 +242,14 @@ void *lh_delete(LHASH *lh, void *data)
                 (lh->down_load >= (lh->num_items*LH_LOAD_MULT/lh->num_nodes)))
                 contract(lh);
 
-        return(ret);
+        return((void *)ret);
         }
 
-void *lh_retrieve(LHASH *lh, void *data)
+void *lh_retrieve(LHASH *lh, const void *data)
         {
         unsigned long hash;
         LHASH_NODE **rn;
-        void *ret;
+        const void *ret;
 
         lh->error=0;
         rn=getrn(lh,data,&hash);
@@ -264,15 +264,11 @@ void *lh_retrieve(LHASH *lh, void *data)
                 ret= (*rn)->data;
                 lh->num_retrieve++;
                 }
-        return(ret);
-        }
-
-void lh_doall(LHASH *lh, void (*func)())
-        {
-        lh_doall_arg(lh,func,NULL);
+        return((void *)ret);
         }
 
-void lh_doall_arg(LHASH *lh, void (*func)(), void *arg)
+static void doall_util_fn(LHASH *lh, int use_arg, LHASH_DOALL_FN_TYPE func,
+                          LHASH_DOALL_ARG_FN_TYPE func_arg, void *arg)
         {
         int i;
         LHASH_NODE *a,*n;
@@ -287,12 +283,25 @@ void lh_doall_arg(LHASH *lh, void (*func)(), void *arg)
                         /* 28/05/91 - eay - n added so items can be deleted
                          * via lh_doall */
                         n=a->next;
-                        func(a->data,arg);
+                        if(use_arg)
+                                func_arg(a->data,arg);
+                        else
+                                func(a->data);
                         a=n;
                         }
                 }
         }
 
+void lh_doall(LHASH *lh, LHASH_DOALL_FN_TYPE func)
+        {
+        doall_util_fn(lh, 0, func, (LHASH_DOALL_ARG_FN_TYPE)0, NULL);
+        }
+
+void lh_doall_arg(LHASH *lh, LHASH_DOALL_ARG_FN_TYPE func, void *arg)
+        {
+        doall_util_fn(lh, 1, (LHASH_DOALL_FN_TYPE)0, func, arg);
+        }
+
 static void expand(LHASH *lh)
         {
         LHASH_NODE **n,**n1,**n2,*np;
@@ -309,10 +318,10 @@ static void expand(LHASH *lh)
         
         for (np= *n1; np != NULL; )
                 {
-#ifndef NO_HASH_COMP
+#ifndef OPENSSL_NO_HASH_COMP
                 hash=np->hash;
 #else
-                hash=(*(lh->hash))(np->data);
+                hash=lh->hash(np->data);
                 lh->num_hash_calls++;
 #endif
                 if ((hash%nni) != p)
@@ -388,7 +397,7 @@ static void contract(LHASH *lh)
                 }
         }
 
-static LHASH_NODE **getrn(LHASH *lh, void *data, unsigned long *rhash)
+static LHASH_NODE **getrn(LHASH *lh, const void *data, unsigned long *rhash)
         {
         LHASH_NODE **ret,*n1;
         unsigned long hash,nn;
@@ -406,7 +415,7 @@ static LHASH_NODE **getrn(LHASH *lh, void *data, unsigned long *rhash)
         ret= &(lh->b[(int)nn]);
         for (n1= *ret; n1 != NULL; n1=n1->next)
                 {
-#ifndef NO_HASH_COMP
+#ifndef OPENSSL_NO_HASH_COMP
                 lh->num_hash_comps++;
                 if (n1->hash != hash)
                         {
@@ -415,7 +424,7 @@ static LHASH_NODE **getrn(LHASH *lh, void *data, unsigned long *rhash)
                         }
 #endif
                 lh->num_comp_calls++;
-                if ((*cf)(n1->data,data) == 0)
+                if(cf(n1->data,data) == 0)
                         break;
                 ret= &(n1->next);
                 }
@@ -455,7 +464,7 @@ unsigned long lh_strhash(const char *c)
         return((ret>>16)^ret);
         }
 
-unsigned long lh_num_items(LHASH *lh)
+unsigned long lh_num_items(const LHASH *lh)
         {
         return lh ? lh->num_items : 0;
         }
diff --git a/src/lib/libcrypto/lhash/lhash.h b/src/lib/libcrypto/lhash/lhash.h
index b8ff021906..dee8207333 100644
--- a/src/lib/libcrypto/lhash/lhash.h
+++ b/src/lib/libcrypto/lhash/lhash.h
@@ -63,11 +63,11 @@
 #ifndef HEADER_LHASH_H
 #define HEADER_LHASH_H
 
-#ifndef NO_FP_API
+#ifndef OPENSSL_NO_FP_API
 #include <stdio.h>
 #endif
 
-#ifndef NO_BIO
+#ifndef OPENSSL_NO_BIO
 #include <openssl/bio.h>
 #endif
 
@@ -77,18 +77,68 @@ extern "C" {
 
 typedef struct lhash_node_st
         {
-        void *data;
+        const void *data;
         struct lhash_node_st *next;
-#ifndef NO_HASH_COMP
+#ifndef OPENSSL_NO_HASH_COMP
         unsigned long hash;
 #endif
         } LHASH_NODE;
 
+typedef int (*LHASH_COMP_FN_TYPE)(const void *, const void *);
+typedef unsigned long (*LHASH_HASH_FN_TYPE)(const void *);
+typedef void (*LHASH_DOALL_FN_TYPE)(const void *);
+typedef void (*LHASH_DOALL_ARG_FN_TYPE)(const void *, void *);
+
+/* Macros for declaring and implementing type-safe wrappers for LHASH callbacks.
+ * This way, callbacks can be provided to LHASH structures without function
+ * pointer casting and the macro-defined callbacks provide per-variable casting
+ * before deferring to the underlying type-specific callbacks. NB: It is
+ * possible to place a "static" in front of both the DECLARE and IMPLEMENT
+ * macros if the functions are strictly internal. */
+
+/* First: "hash" functions */
+#define DECLARE_LHASH_HASH_FN(f_name,o_type) \
+        unsigned long f_name##_LHASH_HASH(const void *);
+#define IMPLEMENT_LHASH_HASH_FN(f_name,o_type) \
+        unsigned long f_name##_LHASH_HASH(const void *arg) { \
+                o_type a = (o_type)arg; \
+                return f_name(a); }
+#define LHASH_HASH_FN(f_name) f_name##_LHASH_HASH
+
+/* Second: "compare" functions */
+#define DECLARE_LHASH_COMP_FN(f_name,o_type) \
+        int f_name##_LHASH_COMP(const void *, const void *);
+#define IMPLEMENT_LHASH_COMP_FN(f_name,o_type) \
+        int f_name##_LHASH_COMP(const void *arg1, const void *arg2) { \
+                o_type a = (o_type)arg1; \
+                o_type b = (o_type)arg2; \
+                return f_name(a,b); }
+#define LHASH_COMP_FN(f_name) f_name##_LHASH_COMP
+
+/* Third: "doall" functions */
+#define DECLARE_LHASH_DOALL_FN(f_name,o_type) \
+        void f_name##_LHASH_DOALL(const void *);
+#define IMPLEMENT_LHASH_DOALL_FN(f_name,o_type) \
+        void f_name##_LHASH_DOALL(const void *arg) { \
+                o_type a = (o_type)arg; \
+                f_name(a); }
+#define LHASH_DOALL_FN(f_name) f_name##_LHASH_DOALL
+
+/* Fourth: "doall_arg" functions */
+#define DECLARE_LHASH_DOALL_ARG_FN(f_name,o_type,a_type) \
+        void f_name##_LHASH_DOALL_ARG(const void *, void *);
+#define IMPLEMENT_LHASH_DOALL_ARG_FN(f_name,o_type,a_type) \
+        void f_name##_LHASH_DOALL_ARG(const void *arg1, void *arg2) { \
+                o_type a = (o_type)arg1; \
+                a_type b = (a_type)arg2; \
+                f_name(a,b); }
+#define LHASH_DOALL_ARG_FN(f_name) f_name##_LHASH_DOALL_ARG
+
 typedef struct lhash_st
         {
         LHASH_NODE **b;
-        int (*comp)();
-        unsigned long (*hash)();
+        LHASH_COMP_FN_TYPE comp;
+        LHASH_HASH_FN_TYPE hash;
         unsigned int num_nodes;
         unsigned int num_alloc_nodes;
         unsigned int p;
@@ -120,26 +170,26 @@ typedef struct lhash_st
  * in lh_insert(). */
 #define lh_error(lh)    ((lh)->error)
 
-LHASH *lh_new(unsigned long (*h)(/* void *a */), int (*c)(/* void *a,void *b */));
+LHASH *lh_new(LHASH_HASH_FN_TYPE h, LHASH_COMP_FN_TYPE c);
 void lh_free(LHASH *lh);
-void *lh_insert(LHASH *lh, void *data);
-void *lh_delete(LHASH *lh, void *data);
-void *lh_retrieve(LHASH *lh, void *data);
-    void lh_doall(LHASH *lh, void (*func)(/*void *b*/));
-void lh_doall_arg(LHASH *lh, void (*func)(/*void *a,void *b*/),void *arg);
+void *lh_insert(LHASH *lh, const void *data);
+void *lh_delete(LHASH *lh, const void *data);
+void *lh_retrieve(LHASH *lh, const void *data);
+void lh_doall(LHASH *lh, LHASH_DOALL_FN_TYPE func);
+void lh_doall_arg(LHASH *lh, LHASH_DOALL_ARG_FN_TYPE func, void *arg);
 unsigned long lh_strhash(const char *c);
-unsigned long lh_num_items(LHASH *lh);
+unsigned long lh_num_items(const LHASH *lh);
 
-#ifndef NO_FP_API
-void lh_stats(LHASH *lh, FILE *out);
-void lh_node_stats(LHASH *lh, FILE *out);
-void lh_node_usage_stats(LHASH *lh, FILE *out);
+#ifndef OPENSSL_NO_FP_API
+void lh_stats(const LHASH *lh, FILE *out);
+void lh_node_stats(const LHASH *lh, FILE *out);
+void lh_node_usage_stats(const LHASH *lh, FILE *out);
 #endif
 
-#ifndef NO_BIO
-void lh_stats_bio(LHASH *lh, BIO *out);
-void lh_node_stats_bio(LHASH *lh, BIO *out);
-void lh_node_usage_stats_bio(LHASH *lh, BIO *out);
+#ifndef OPENSSL_NO_BIO
+void lh_stats_bio(const LHASH *lh, BIO *out);
+void lh_node_stats_bio(const LHASH *lh, BIO *out);
+void lh_node_usage_stats_bio(const LHASH *lh, BIO *out);
 #endif
 #ifdef  __cplusplus
 }
diff --git a/src/lib/libcrypto/md2/Makefile.ssl b/src/lib/libcrypto/md2/Makefile.ssl
index 269628d739..05a77ae4a5 100644
--- a/src/lib/libcrypto/md2/Makefile.ssl
+++ b/src/lib/libcrypto/md2/Makefile.ssl
@@ -2,7 +2,7 @@
 # SSLeay/crypto/md/Makefile
 #
 
-DIR=    md
+DIR=    md2
 TOP=    ../..
 CC=     cc
 INCLUDES=
@@ -11,7 +11,8 @@ INSTALL_PREFIX=
 OPENSSLDIR=     /usr/local/ssl
 INSTALLTOP=/usr/local/ssl
 MAKE=           make -f Makefile.ssl
-MAKEDEPEND=     $(TOP)/util/domd $(TOP)
+MAKEDEPPROG=    makedepend
+MAKEDEPEND=     $(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)
 MAKEFILE=       Makefile.ssl
 AR=             ar r
 
@@ -39,8 +40,7 @@ all:	lib
 
 lib:    $(LIBOBJ)
         $(AR) $(LIB) $(LIBOBJ)
-        @echo You may get an error following this line.  Please ignore.
-        - $(RANLIB) $(LIB)
+        $(RANLIB) $(LIB) || echo Never mind.
         @touch lib
 
 files:
@@ -80,11 +80,11 @@ clean:
 # DO NOT DELETE THIS LINE -- make depend depends on it.
 
 md2_dgst.o: ../../include/openssl/md2.h ../../include/openssl/opensslconf.h
-md2_dgst.o: ../../include/openssl/opensslv.h
-md2_one.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
-md2_one.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+md2_dgst.o: ../../include/openssl/opensslv.h md2_dgst.c
+md2_one.o: ../../e_os.h ../../include/openssl/bio.h
+md2_one.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 md2_one.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 md2_one.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
 md2_one.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
 md2_one.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-md2_one.o: ../../include/openssl/symhacks.h ../cryptlib.h
+md2_one.o: ../../include/openssl/symhacks.h ../cryptlib.h md2_one.c
diff --git a/src/lib/libcrypto/md2/md2.h b/src/lib/libcrypto/md2/md2.h
index a00bd162b3..ad9241455c 100644
--- a/src/lib/libcrypto/md2/md2.h
+++ b/src/lib/libcrypto/md2/md2.h
@@ -59,7 +59,7 @@
 #ifndef HEADER_MD2_H
 #define HEADER_MD2_H
 
-#ifdef NO_MD2
+#ifdef OPENSSL_NO_MD2
 #error MD2 is disabled.
 #endif
 
@@ -80,9 +80,9 @@ typedef struct MD2state_st
         } MD2_CTX;
 
 const char *MD2_options(void);
-void MD2_Init(MD2_CTX *c);
-void MD2_Update(MD2_CTX *c, const unsigned char *data, unsigned long len);
-void MD2_Final(unsigned char *md, MD2_CTX *c);
+int MD2_Init(MD2_CTX *c);
+int MD2_Update(MD2_CTX *c, const unsigned char *data, unsigned long len);
+int MD2_Final(unsigned char *md, MD2_CTX *c);
 unsigned char *MD2(const unsigned char *d, unsigned long n,unsigned char *md);
 #ifdef  __cplusplus
 }
diff --git a/src/lib/libcrypto/md2/md2_dgst.c b/src/lib/libcrypto/md2/md2_dgst.c
index 608baefa8f..e25dd00e02 100644
--- a/src/lib/libcrypto/md2/md2_dgst.c
+++ b/src/lib/libcrypto/md2/md2_dgst.c
@@ -115,19 +115,20 @@ const char *MD2_options(void)
                 return("md2(int)");
         }
 
-void MD2_Init(MD2_CTX *c)
+int MD2_Init(MD2_CTX *c)
         {
         c->num=0;
         memset(c->state,0,MD2_BLOCK*sizeof(MD2_INT));
         memset(c->cksm,0,MD2_BLOCK*sizeof(MD2_INT));
         memset(c->data,0,MD2_BLOCK);
+        return 1;
         }
 
-void MD2_Update(MD2_CTX *c, const unsigned char *data, unsigned long len)
+int MD2_Update(MD2_CTX *c, const unsigned char *data, unsigned long len)
         {
         register UCHAR *p;
 
-        if (len == 0) return;
+        if (len == 0) return 1;
 
         p=c->data;
         if (c->num != 0)
@@ -146,7 +147,7 @@ void MD2_Update(MD2_CTX *c, const unsigned char *data, unsigned long len)
                         memcpy(&(p[c->num]),data,(int)len);
                         /* data+=len; */
                         c->num+=(int)len;
-                        return;
+                        return 1;
                         }
                 }
         /* we now can process the input data in blocks of MD2_BLOCK
@@ -159,6 +160,7 @@ void MD2_Update(MD2_CTX *c, const unsigned char *data, unsigned long len)
                 }
         memcpy(p,data,(int)len);
         c->num=(int)len;
+        return 1;
         }
 
 static void md2_block(MD2_CTX *c, const unsigned char *d)
@@ -197,7 +199,7 @@ static void md2_block(MD2_CTX *c, const unsigned char *d)
         memset(state,0,48*sizeof(MD2_INT));
         }
 
-void MD2_Final(unsigned char *md, MD2_CTX *c)
+int MD2_Final(unsigned char *md, MD2_CTX *c)
         {
         int i,v;
         register UCHAR *cp;
@@ -219,5 +221,6 @@ void MD2_Final(unsigned char *md, MD2_CTX *c)
         for (i=0; i<16; i++)
                 md[i]=(UCHAR)(p1[i]&0xff);
         memset((char *)&c,0,sizeof(c));
+        return 1;
         }
 
diff --git a/src/lib/libcrypto/md2/md2test.c b/src/lib/libcrypto/md2/md2test.c
index e3f4fb4c34..7d3664faf5 100644
--- a/src/lib/libcrypto/md2/md2test.c
+++ b/src/lib/libcrypto/md2/md2test.c
@@ -59,15 +59,16 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
+#include <openssl/md2.h>
 
-#ifdef NO_MD2
+#ifdef OPENSSL_NO_MD2
 int main(int argc, char *argv[])
 {
     printf("No MD2 support\n");
     return(0);
 }
 #else
-#include <openssl/md2.h>
+#include <openssl/evp.h>
 
 #ifdef CHARSET_EBCDIC
 #include <openssl/ebcdic.h>
@@ -100,13 +101,15 @@ int main(int argc, char *argv[])
         int i,err=0;
         char **P,**R;
         char *p;
+        unsigned char md[MD2_DIGEST_LENGTH];
 
         P=test;
         R=ret;
         i=1;
         while (*P != NULL)
                 {
-                p=pt(MD2((unsigned char *)*P,(unsigned long)strlen(*P),NULL));
+                EVP_Digest((unsigned char *)*P,(unsigned long)strlen(*P),md,NULL,EVP_md2(), NULL);
+                p=pt(md);
                 if (strcmp(p,*R) != 0)
                         {
                         printf("error calculating MD2 on '%s'\n",*P);
diff --git a/src/lib/libcrypto/md32_common.h b/src/lib/libcrypto/md32_common.h
index 1a404a458d..353d2b96ad 100644
--- a/src/lib/libcrypto/md32_common.h
+++ b/src/lib/libcrypto/md32_common.h
@@ -179,7 +179,7 @@
  */
 #undef ROTATE
 #ifndef PEDANTIC
-# if defined(_MSC_VER)
+# if 0 /* defined(_MSC_VER) */
 #  define ROTATE(a,n)   _lrotl(a,n)
 # elif defined(__MWERKS__)
 #  if defined(__POWERPC__)
@@ -190,7 +190,7 @@
 #  else
 #   define ROTATE(a,n)  __rol(a,n)
 #  endif
-# elif defined(__GNUC__) && __GNUC__>=2 && !defined(NO_ASM) && !defined(NO_INLINE_ASM)
+# elif defined(__GNUC__) && __GNUC__>=2 && !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM)
   /*
    * Some GNU C inline assembler templates. Note that these are
    * rotates by *constant* number of bits! But that's exactly
@@ -198,7 +198,7 @@
    *
    *                                    <appro@fy.chalmers.se>
    */
-#  if defined(__i386)
+#  if defined(__i386) || defined(__i386__)
 #   define ROTATE(a,n)  ({ register unsigned int ret;   \
                                 asm (                   \
                                 "roll %1,%0"            \
@@ -222,9 +222,9 @@
  * Engage compiler specific "fetch in reverse byte order"
  * intrinsic function if available.
  */
-# if defined(__GNUC__) && __GNUC__>=2 && !defined(NO_ASM) && !defined(NO_INLINE_ASM)
+# if defined(__GNUC__) && __GNUC__>=2 && !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM)
   /* some GNU C inline assembler templates by <appro@fy.chalmers.se> */
-#  if defined(__i386) && !defined(I386_ONLY)
+#  if (defined(__i386) || defined(__i386__)) && !defined(I386_ONLY)
 #   define BE_FETCH32(a)        ({ register unsigned int l=(a);\
                                 asm (                   \
                                 "bswapl %0"             \
@@ -240,7 +240,7 @@
                            l;                           \
                         })
 
-#  elif defined(__sparc) && defined(ULTRASPARC)
+#  elif defined(__sparc) && defined(OPENSSL_SYS_ULTRASPARC)
 #  define LE_FETCH32(a) ({ register unsigned int l;             \
                                 asm (                           \
                                 "lda [%1]#ASI_PRIMARY_LITTLE,%0"\
@@ -410,14 +410,14 @@
  * Time for some action:-)
  */
 
-void HASH_UPDATE (HASH_CTX *c, const void *data_, unsigned long len)
+int HASH_UPDATE (HASH_CTX *c, const void *data_, unsigned long len)
         {
         const unsigned char *data=data_;
         register HASH_LONG * p;
         register unsigned long l;
         int sw,sc,ew,ec;
 
-        if (len==0) return;
+        if (len==0) return 1;
 
         l=(c->Nl+(len<<3))&0xffffffffL;
         /* 95-05-24 eay Fixed a bug with the overflow handling, thanks to
@@ -466,7 +466,7 @@ void HASH_UPDATE (HASH_CTX *c, const void *data_, unsigned long len)
                                         HOST_c2l_p(data,l,ec); p[sw]=l;
                                         }
                                 }
-                        return;
+                        return 1;
                         }
                 }
 
@@ -520,6 +520,7 @@ void HASH_UPDATE (HASH_CTX *c, const void *data_, unsigned long len)
                 HOST_c2l_p(data,l,ec);
                 *p=l;
                 }
+        return 1;
         }
 
 
@@ -543,7 +544,7 @@ void HASH_TRANSFORM (HASH_CTX *c, const unsigned char *data)
         }
 
 
-void HASH_FINAL (unsigned char *md, HASH_CTX *c)
+int HASH_FINAL (unsigned char *md, HASH_CTX *c)
         {
         register HASH_LONG *p;
         register unsigned long l;
@@ -604,4 +605,5 @@ void HASH_FINAL (unsigned char *md, HASH_CTX *c)
          * but I'm not worried :-)
         memset((void *)c,0,sizeof(HASH_CTX));
          */
+        return 1;
         }
diff --git a/src/lib/libcrypto/md4/Makefile.ssl b/src/lib/libcrypto/md4/Makefile.ssl
index 646607274e..58c2b20a78 100644
--- a/src/lib/libcrypto/md4/Makefile.ssl
+++ b/src/lib/libcrypto/md4/Makefile.ssl
@@ -12,7 +12,8 @@ INSTALL_PREFIX=
 OPENSSLDIR=     /usr/local/ssl
 INSTALLTOP=/usr/local/ssl
 MAKE=           make -f Makefile.ssl
-MAKEDEPEND=     $(TOP)/util/domd $(TOP)
+MAKEDEPPROG=    makedepend
+MAKEDEPEND=     $(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)
 MAKEFILE=       Makefile.ssl
 AR=             ar r
 
@@ -40,8 +41,7 @@ all:    lib
 
 lib:    $(LIBOBJ)
         $(AR) $(LIB) $(LIBOBJ)
-        @echo You may get an error following this line.  Please ignore.
-        - $(RANLIB) $(LIB)
+        $(RANLIB) $(LIB) || echo Never mind.
         @touch lib
 
 files:
@@ -80,6 +80,9 @@ clean:
 
 # DO NOT DELETE THIS LINE -- make depend depends on it.
 
-md4_dgst.o: ../../include/openssl/md4.h ../../include/openssl/opensslconf.h
-md4_dgst.o: ../../include/openssl/opensslv.h ../md32_common.h md4_locl.h
-md4_one.o: ../../include/openssl/md4.h
+md4_dgst.o: ../../include/openssl/e_os2.h ../../include/openssl/md4.h
+md4_dgst.o: ../../include/openssl/opensslconf.h
+md4_dgst.o: ../../include/openssl/opensslv.h ../md32_common.h md4_dgst.c
+md4_dgst.o: md4_locl.h
+md4_one.o: ../../include/openssl/e_os2.h ../../include/openssl/md4.h
+md4_one.o: ../../include/openssl/opensslconf.h md4_one.c
diff --git a/src/lib/libcrypto/md4/md4.h b/src/lib/libcrypto/md4/md4.h
index c794e186db..7a7b23682f 100644
--- a/src/lib/libcrypto/md4/md4.h
+++ b/src/lib/libcrypto/md4/md4.h
@@ -59,11 +59,13 @@
 #ifndef HEADER_MD4_H
 #define HEADER_MD4_H
 
+#include <openssl/e_os2.h>
+
 #ifdef  __cplusplus
 extern "C" {
 #endif
 
-#ifdef NO_MD4
+#ifdef OPENSSL_NO_MD4
 #error MD4 is disabled.
 #endif
 
@@ -74,9 +76,9 @@ extern "C" {
  * !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
  */
 
-#if defined(WIN16) || defined(__LP32__)
+#if defined(OPENSSL_SYS_WIN16) || defined(__LP32__)
 #define MD4_LONG unsigned long
-#elif defined(_CRAY) || defined(__ILP64__)
+#elif defined(OPENSSL_SYS_CRAY) || defined(__ILP64__)
 #define MD4_LONG unsigned long
 #define MD4_LONG_LOG2 3
 /*
@@ -102,9 +104,9 @@ typedef struct MD4state_st
         int num;
         } MD4_CTX;
 
-void MD4_Init(MD4_CTX *c);
-void MD4_Update(MD4_CTX *c, const void *data, unsigned long len);
-void MD4_Final(unsigned char *md, MD4_CTX *c);
+int MD4_Init(MD4_CTX *c);
+int MD4_Update(MD4_CTX *c, const void *data, unsigned long len);
+int MD4_Final(unsigned char *md, MD4_CTX *c);
 unsigned char *MD4(const unsigned char *d, unsigned long n, unsigned char *md);
 void MD4_Transform(MD4_CTX *c, const unsigned char *b);
 #ifdef  __cplusplus
diff --git a/src/lib/libcrypto/md4/md4_dgst.c b/src/lib/libcrypto/md4/md4_dgst.c
index 81488ae2e2..6446f5f5e7 100644
--- a/src/lib/libcrypto/md4/md4_dgst.c
+++ b/src/lib/libcrypto/md4/md4_dgst.c
@@ -70,7 +70,7 @@ const char *MD4_version="MD4" OPENSSL_VERSION_PTEXT;
 #define INIT_DATA_C (unsigned long)0x98badcfeL
 #define INIT_DATA_D (unsigned long)0x10325476L
 
-void MD4_Init(MD4_CTX *c)
+int MD4_Init(MD4_CTX *c)
         {
         c->A=INIT_DATA_A;
         c->B=INIT_DATA_B;
@@ -79,6 +79,7 @@ void MD4_Init(MD4_CTX *c)
         c->Nl=0;
         c->Nh=0;
         c->num=0;
+        return 1;
         }
 
 #ifndef md4_block_host_order
diff --git a/src/lib/libcrypto/md4/md4_locl.h b/src/lib/libcrypto/md4/md4_locl.h
index 0a2b39018d..a8d31d7a73 100644
--- a/src/lib/libcrypto/md4/md4_locl.h
+++ b/src/lib/libcrypto/md4/md4_locl.h
@@ -68,7 +68,7 @@
 void md4_block_host_order (MD4_CTX *c, const void *p,int num);
 void md4_block_data_order (MD4_CTX *c, const void *p,int num);
 
-#if defined(__i386) || defined(_M_IX86) || defined(__INTEL__)
+#if defined(__i386) || defined(__i386__) || defined(_M_IX86) || defined(__INTEL__)
 /*
  * *_block_host_order is expected to handle aligned data while
  * *_block_data_order - unaligned. As algorithm and host (x86)
diff --git a/src/lib/libcrypto/md4/md4test.c b/src/lib/libcrypto/md4/md4test.c
index 97e6e21efd..e0fdc42282 100644
--- a/src/lib/libcrypto/md4/md4test.c
+++ b/src/lib/libcrypto/md4/md4test.c
@@ -60,13 +60,14 @@
 #include <string.h>
 #include <stdlib.h>
 
-#ifdef NO_MD4
+#ifdef OPENSSL_NO_MD4
 int main(int argc, char *argv[])
 {
     printf("No MD4 support\n");
     return(0);
 }
 #else
+#include <openssl/evp.h>
 #include <openssl/md4.h>
 
 static char *test[]={
@@ -96,13 +97,15 @@ int main(int argc, char *argv[])
         int i,err=0;
         unsigned char **P,**R;
         char *p;
+        unsigned char md[MD4_DIGEST_LENGTH];
 
         P=(unsigned char **)test;
         R=(unsigned char **)ret;
         i=1;
         while (*P != NULL)
                 {
-                p=pt(MD4(&(P[0][0]),(unsigned long)strlen((char *)*P),NULL));
+                EVP_Digest(&(P[0][0]),(unsigned long)strlen((char *)*P),md,NULL,EVP_md4(), NULL);
+                p=pt(md);
                 if (strcmp(p,(char *)*R) != 0)
                         {
                         printf("error calculating MD4 on '%s'\n",*P);
diff --git a/src/lib/libcrypto/md5/Makefile.ssl b/src/lib/libcrypto/md5/Makefile.ssl
index 784215579b..f9a1190efb 100644
--- a/src/lib/libcrypto/md5/Makefile.ssl
+++ b/src/lib/libcrypto/md5/Makefile.ssl
@@ -12,7 +12,8 @@ INSTALL_PREFIX=
 OPENSSLDIR=     /usr/local/ssl
 INSTALLTOP=/usr/local/ssl
 MAKE=           make -f Makefile.ssl
-MAKEDEPEND=     $(TOP)/util/domd $(TOP)
+MAKEDEPPROG=    makedepend
+MAKEDEPEND=     $(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)
 MAKEFILE=       Makefile.ssl
 AR=             ar r
 
@@ -50,8 +51,7 @@ all:    lib
 
 lib:    $(LIBOBJ)
         $(AR) $(LIB) $(LIBOBJ)
-        @echo You may get an error following this line.  Please ignore.
-        - $(RANLIB) $(LIB)
+        $(RANLIB) $(LIB) || echo Never mind.
         @touch lib
 
 # elf
@@ -130,5 +130,6 @@ clean:
 # DO NOT DELETE THIS LINE -- make depend depends on it.
 
 md5_dgst.o: ../../include/openssl/md5.h ../../include/openssl/opensslconf.h
-md5_dgst.o: ../../include/openssl/opensslv.h ../md32_common.h md5_locl.h
-md5_one.o: ../../include/openssl/md5.h
+md5_dgst.o: ../../include/openssl/opensslv.h ../md32_common.h md5_dgst.c
+md5_dgst.o: md5_locl.h
+md5_one.o: ../../include/openssl/md5.h md5_one.c
diff --git a/src/lib/libcrypto/md5/asm/md5-sparcv9.S b/src/lib/libcrypto/md5/asm/md5-sparcv9.S
index ca4257f134..a599ed5660 100644
--- a/src/lib/libcrypto/md5/asm/md5-sparcv9.S
+++ b/src/lib/libcrypto/md5/asm/md5-sparcv9.S
@@ -24,12 +24,12 @@
  *
  * To compile with SC4.x/SC5.x:
  *
- *      cc -xarch=v[9|8plus] -DULTRASPARC -DMD5_BLOCK_DATA_ORDER \
+ *      cc -xarch=v[9|8plus] -DOPENSSL_SYSNAME_ULTRASPARC -DMD5_BLOCK_DATA_ORDER \
  *              -c md5-sparcv9.S
  *
  * and with gcc:
  *
- *      gcc -mcpu=ultrasparc -DULTRASPARC -DMD5_BLOCK_DATA_ORDER \
+ *      gcc -mcpu=ultrasparc -DOPENSSL_SYSNAME_ULTRASPARC -DMD5_BLOCK_DATA_ORDER \
  *              -c md5-sparcv9.S
  *
  * or if above fails (it does if you have gas):
@@ -72,7 +72,7 @@
 #define Dval    R8
 
 #if defined(MD5_BLOCK_DATA_ORDER)
-# if defined(ULTRASPARC)
+# if defined(OPENSSL_SYSNAME_ULTRASPARC)
 #  define       LOAD                    lda
 #  define       X(i)                    [%i1+i*4]%asi
 #  define       md5_block               md5_block_asm_data_order_aligned
@@ -1012,7 +1012,7 @@ md5_block:
         st      B,[Bptr]
         nop                             !=
 
-#ifdef  ULTRASPARC
+#ifdef  OPENSSL_SYSNAME_ULTRASPARC
         bg,a,pt %icc,.Lmd5_block_loop
 #else
         bg,a    .Lmd5_block_loop
diff --git a/src/lib/libcrypto/md5/md5.h b/src/lib/libcrypto/md5/md5.h
index d10bc8397f..52cb753e6a 100644
--- a/src/lib/libcrypto/md5/md5.h
+++ b/src/lib/libcrypto/md5/md5.h
@@ -63,7 +63,7 @@
 extern "C" {
 #endif
 
-#ifdef NO_MD5
+#ifdef OPENSSL_NO_MD5
 #error MD5 is disabled.
 #endif
 
@@ -74,9 +74,9 @@ extern "C" {
  * !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
  */
 
-#if defined(WIN16) || defined(__LP32__)
+#if defined(OPENSSL_SYS_WIN16) || defined(__LP32__)
 #define MD5_LONG unsigned long
-#elif defined(_CRAY) || defined(__ILP64__)
+#elif defined(OENSSL_SYS_CRAY) || defined(__ILP64__)
 #define MD5_LONG unsigned long
 #define MD5_LONG_LOG2 3
 /*
@@ -102,9 +102,9 @@ typedef struct MD5state_st
         int num;
         } MD5_CTX;
 
-void MD5_Init(MD5_CTX *c);
-void MD5_Update(MD5_CTX *c, const void *data, unsigned long len);
-void MD5_Final(unsigned char *md, MD5_CTX *c);
+int MD5_Init(MD5_CTX *c);
+int MD5_Update(MD5_CTX *c, const void *data, unsigned long len);
+int MD5_Final(unsigned char *md, MD5_CTX *c);
 unsigned char *MD5(const unsigned char *d, unsigned long n, unsigned char *md);
 void MD5_Transform(MD5_CTX *c, const unsigned char *b);
 #ifdef  __cplusplus
diff --git a/src/lib/libcrypto/md5/md5_dgst.c b/src/lib/libcrypto/md5/md5_dgst.c
index 23d196b8d4..c38a3f021e 100644
--- a/src/lib/libcrypto/md5/md5_dgst.c
+++ b/src/lib/libcrypto/md5/md5_dgst.c
@@ -70,7 +70,7 @@ const char *MD5_version="MD5" OPENSSL_VERSION_PTEXT;
 #define INIT_DATA_C (unsigned long)0x98badcfeL
 #define INIT_DATA_D (unsigned long)0x10325476L
 
-void MD5_Init(MD5_CTX *c)
+int MD5_Init(MD5_CTX *c)
         {
         c->A=INIT_DATA_A;
         c->B=INIT_DATA_B;
@@ -79,6 +79,7 @@ void MD5_Init(MD5_CTX *c)
         c->Nl=0;
         c->Nh=0;
         c->num=0;
+        return 1;
         }
 
 #ifndef md5_block_host_order
diff --git a/src/lib/libcrypto/md5/md5_locl.h b/src/lib/libcrypto/md5/md5_locl.h
index c912484122..34c5257306 100644
--- a/src/lib/libcrypto/md5/md5_locl.h
+++ b/src/lib/libcrypto/md5/md5_locl.h
@@ -66,9 +66,9 @@
 #endif
 
 #ifdef MD5_ASM
-# if defined(__i386) || defined(_M_IX86) || defined(__INTEL__)
+# if defined(__i386) || defined(__i386__) || defined(_M_IX86) || defined(__INTEL__)
 #  define md5_block_host_order md5_block_asm_host_order
-# elif defined(__sparc) && defined(ULTRASPARC)
+# elif defined(__sparc) && defined(OPENSSL_SYS_ULTRASPARC)
    void md5_block_asm_data_order_aligned (MD5_CTX *c, const MD5_LONG *p,int num);
 #  define HASH_BLOCK_DATA_ORDER_ALIGNED md5_block_asm_data_order_aligned
 # endif
@@ -77,7 +77,7 @@
 void md5_block_host_order (MD5_CTX *c, const void *p,int num);
 void md5_block_data_order (MD5_CTX *c, const void *p,int num);
 
-#if defined(__i386) || defined(_M_IX86) || defined(__INTEL__)
+#if defined(__i386) || defined(__i386__) || defined(_M_IX86) || defined(__INTEL__)
 /*
  * *_block_host_order is expected to handle aligned data while
  * *_block_data_order - unaligned. As algorithm and host (x86)
diff --git a/src/lib/libcrypto/md5/md5test.c b/src/lib/libcrypto/md5/md5test.c
index 6bd8656302..862b89658a 100644
--- a/src/lib/libcrypto/md5/md5test.c
+++ b/src/lib/libcrypto/md5/md5test.c
@@ -60,13 +60,14 @@
 #include <string.h>
 #include <stdlib.h>
 
-#ifdef NO_MD5
+#ifdef OPENSSL_NO_MD5
 int main(int argc, char *argv[])
 {
     printf("No MD5 support\n");
     return(0);
 }
 #else
+#include <openssl/evp.h>
 #include <openssl/md5.h>
 
 static char *test[]={
@@ -96,13 +97,15 @@ int main(int argc, char *argv[])
         int i,err=0;
         unsigned char **P,**R;
         char *p;
+        unsigned char md[MD5_DIGEST_LENGTH];
 
         P=(unsigned char **)test;
         R=(unsigned char **)ret;
         i=1;
         while (*P != NULL)
                 {
-                p=pt(MD5(&(P[0][0]),(unsigned long)strlen((char *)*P),NULL));
+                EVP_Digest(&(P[0][0]),(unsigned long)strlen((char *)*P),md,NULL,EVP_md5(), NULL);
+                p=pt(md);
                 if (strcmp(p,(char *)*R) != 0)
                         {
                         printf("error calculating MD5 on '%s'\n",*P);
diff --git a/src/lib/libcrypto/mdc2/Makefile.ssl b/src/lib/libcrypto/mdc2/Makefile.ssl
index a9b06b02bd..941d96c9e9 100644
--- a/src/lib/libcrypto/mdc2/Makefile.ssl
+++ b/src/lib/libcrypto/mdc2/Makefile.ssl
@@ -11,7 +11,8 @@ INSTALL_PREFIX=
 OPENSSLDIR=     /usr/local/ssl
 INSTALLTOP=/usr/local/ssl
 MAKE=           make -f Makefile.ssl
-MAKEDEPEND=     $(TOP)/util/domd $(TOP)
+MAKEDEPPROG=    makedepend
+MAKEDEPEND=     $(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)
 MAKEFILE=       Makefile.ssl
 AR=             ar r
 
@@ -39,8 +40,7 @@ all:	lib
 
 lib:    $(LIBOBJ)
         $(AR) $(LIB) $(LIBOBJ)
-        @echo You may get an error following this line.  Please ignore.
-        - $(RANLIB) $(LIB)
+        $(RANLIB) $(LIB) || echo Never mind.
         @touch lib
 
 files:
@@ -79,13 +79,20 @@ clean:
 
 # DO NOT DELETE THIS LINE -- make depend depends on it.
 
-mdc2_one.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
-mdc2_one.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-mdc2_one.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-mdc2_one.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
-mdc2_one.o: ../../include/openssl/mdc2.h ../../include/openssl/opensslconf.h
+mdc2_one.o: ../../e_os.h ../../include/openssl/bio.h
+mdc2_one.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+mdc2_one.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
+mdc2_one.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+mdc2_one.o: ../../include/openssl/lhash.h ../../include/openssl/mdc2.h
+mdc2_one.o: ../../include/openssl/opensslconf.h
 mdc2_one.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
 mdc2_one.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-mdc2_one.o: ../cryptlib.h
-mdc2dgst.o: ../../include/openssl/des.h ../../include/openssl/e_os2.h
+mdc2_one.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
+mdc2_one.o: ../cryptlib.h mdc2_one.c
+mdc2dgst.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+mdc2dgst.o: ../../include/openssl/des_old.h ../../include/openssl/e_os2.h
 mdc2dgst.o: ../../include/openssl/mdc2.h ../../include/openssl/opensslconf.h
+mdc2dgst.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+mdc2dgst.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+mdc2dgst.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
+mdc2dgst.o: mdc2dgst.c
diff --git a/src/lib/libcrypto/mdc2/mdc2.h b/src/lib/libcrypto/mdc2/mdc2.h
index 5da8da72f5..793a8a0f13 100644
--- a/src/lib/libcrypto/mdc2/mdc2.h
+++ b/src/lib/libcrypto/mdc2/mdc2.h
@@ -65,7 +65,7 @@
 extern "C" {
 #endif
 
-#ifdef NO_MDC2
+#ifdef OPENSSL_NO_MDC2
 #error MDC2 is disabled.
 #endif
 
@@ -76,14 +76,14 @@ typedef struct mdc2_ctx_st
         {
         int num;
         unsigned char data[MDC2_BLOCK];
-        des_cblock h,hh;
+        DES_cblock h,hh;
         int pad_type; /* either 1 or 2, default 1 */
         } MDC2_CTX;
 
 
-void MDC2_Init(MDC2_CTX *c);
-void MDC2_Update(MDC2_CTX *c, const unsigned char *data, unsigned long len);
-void MDC2_Final(unsigned char *md, MDC2_CTX *c);
+int MDC2_Init(MDC2_CTX *c);
+int MDC2_Update(MDC2_CTX *c, const unsigned char *data, unsigned long len);
+int MDC2_Final(unsigned char *md, MDC2_CTX *c);
 unsigned char *MDC2(const unsigned char *d, unsigned long n,
         unsigned char *md);
 
diff --git a/src/lib/libcrypto/mem.c b/src/lib/libcrypto/mem.c
index 3b5b2bbc68..effec714e8 100644
--- a/src/lib/libcrypto/mem.c
+++ b/src/lib/libcrypto/mem.c
@@ -70,14 +70,36 @@ static int allow_customize_debug = 1;/* exchanging memory-related functions at
                                       * problems when malloc/free pairs
                                       * don't match etc. */
 
-/* may be changed as long as `allow_customize' is set */
-static void *(*malloc_locked_func)(size_t)  = malloc;
-static void (*free_locked_func)(void *)     = free;
+
+
+/* the following pointers may be changed as long as 'allow_customize' is set */
+
 static void *(*malloc_func)(size_t)         = malloc;
+static void *default_malloc_ex(size_t num, const char *file, int line)
+        { return malloc_func(num); }
+static void *(*malloc_ex_func)(size_t, const char *file, int line)
+        = default_malloc_ex;
+
 static void *(*realloc_func)(void *, size_t)= realloc;
+static void *default_realloc_ex(void *str, size_t num,
+        const char *file, int line)
+        { return realloc_func(str,num); }
+static void *(*realloc_ex_func)(void *, size_t, const char *file, int line)
+        = default_realloc_ex;
+
 static void (*free_func)(void *)            = free;
 
-/* may be changed as long as `allow_customize_debug' is set */
+static void *(*malloc_locked_func)(size_t)  = malloc;
+static void *default_malloc_locked_ex(size_t num, const char *file, int line)
+        { return malloc_locked_func(num); }
+static void *(*malloc_locked_ex_func)(size_t, const char *file, int line)
+        = default_malloc_locked_ex;
+
+static void (*free_locked_func)(void *)     = free;
+
+
+
+/* may be changed as long as 'allow_customize_debug' is set */
 /* XXX use correct function pointer types */
 #ifdef CRYPTO_MDEBUG
 /* use default functions from mem_dbg.c */
@@ -105,12 +127,29 @@ int CRYPTO_set_mem_functions(void *(*m)(size_t), void *(*r)(void *, size_t),
         {
         if (!allow_customize)
                 return 0;
-        if ((m == NULL) || (r == NULL) || (f == NULL))
+        if ((m == 0) || (r == 0) || (f == 0))
+                return 0;
+        malloc_func=m; malloc_ex_func=default_malloc_ex;
+        realloc_func=r; realloc_ex_func=default_realloc_ex;
+        free_func=f;
+        malloc_locked_func=m; malloc_locked_ex_func=default_malloc_locked_ex;
+        free_locked_func=f;
+        return 1;
+        }
+
+int CRYPTO_set_mem_ex_functions(
+        void *(*m)(size_t,const char *,int),
+        void *(*r)(void *, size_t,const char *,int),
+        void (*f)(void *))
+        {
+        if (!allow_customize)
+                return 0;
+        if ((m == 0) || (r == 0) || (f == 0))
                 return 0;
-        malloc_func=m;
-        realloc_func=r;
+        malloc_func=0; malloc_ex_func=m;
+        realloc_func=0; realloc_ex_func=r;
         free_func=f;
-        malloc_locked_func=m;
+        malloc_locked_func=0; malloc_locked_ex_func=m;
         free_locked_func=f;
         return 1;
         }
@@ -121,11 +160,24 @@ int CRYPTO_set_locked_mem_functions(void *(*m)(size_t), void (*f)(void *))
                 return 0;
         if ((m == NULL) || (f == NULL))
                 return 0;
-        malloc_locked_func=m;
+        malloc_locked_func=m; malloc_locked_ex_func=default_malloc_locked_ex;
         free_locked_func=f;
         return 1;
         }
 
+int CRYPTO_set_locked_mem_ex_functions(
+        void *(*m)(size_t,const char *,int),
+        void (*f)(void *))
+        {
+        if (!allow_customize)
+                return 0;
+        if ((m == NULL) || (f == NULL))
+                return 0;
+        malloc_locked_func=0; malloc_locked_ex_func=m;
+        free_func=f;
+        return 1;
+        }
+
 int CRYPTO_set_mem_debug_functions(void (*m)(void *,int,const char *,int,int),
                                    void (*r)(void *,void *,int,const char *,int,int),
                                    void (*f)(void *,int),
@@ -142,17 +194,42 @@ int CRYPTO_set_mem_debug_functions(void (*m)(void *,int,const char *,int,int),
         return 1;
         }
 
+
 void CRYPTO_get_mem_functions(void *(**m)(size_t), void *(**r)(void *, size_t),
         void (**f)(void *))
         {
-        if (m != NULL) *m=malloc_func;
-        if (r != NULL) *r=realloc_func;
+        if (m != NULL) *m = (malloc_ex_func == default_malloc_ex) ? 
+                             malloc_func : 0;
+        if (r != NULL) *r = (realloc_ex_func == default_realloc_ex) ? 
+                             realloc_func : 0;
+        if (f != NULL) *f=free_func;
+        }
+
+void CRYPTO_get_mem_ex_functions(
+        void *(**m)(size_t,const char *,int),
+        void *(**r)(void *, size_t,const char *,int),
+        void (**f)(void *))
+        {
+        if (m != NULL) *m = (malloc_ex_func != default_malloc_ex) ?
+                            malloc_ex_func : 0;
+        if (r != NULL) *r = (realloc_ex_func != default_realloc_ex) ?
+                            realloc_ex_func : 0;
         if (f != NULL) *f=free_func;
         }
 
 void CRYPTO_get_locked_mem_functions(void *(**m)(size_t), void (**f)(void *))
         {
-        if (m != NULL) *m=malloc_locked_func;
+        if (m != NULL) *m = (malloc_locked_ex_func == default_malloc_locked_ex) ? 
+                             malloc_locked_func : 0;
+        if (f != NULL) *f=free_locked_func;
+        }
+
+void CRYPTO_get_locked_mem_ex_functions(
+        void *(**m)(size_t,const char *,int),
+        void (**f)(void *))
+        {
+        if (m != NULL) *m = (malloc_locked_ex_func != default_malloc_locked_ex) ?
+                            malloc_locked_ex_func : 0;
         if (f != NULL) *f=free_locked_func;
         }
 
@@ -180,9 +257,9 @@ void *CRYPTO_malloc_locked(int num, const char *file, int line)
                 allow_customize_debug = 0;
                 malloc_debug_func(NULL, num, file, line, 0);
                 }
-        ret = malloc_locked_func(num);
-#ifdef LEVITTE_DEBUG
-        fprintf(stderr, "LEVITTE_DEBUG:         > 0x%p (%d)\n", ret, num);
+        ret = malloc_locked_ex_func(num,file,line);
+#ifdef LEVITTE_DEBUG_MEM
+        fprintf(stderr, "LEVITTE_DEBUG_MEM:         > 0x%p (%d)\n", ret, num);
 #endif
         if (malloc_debug_func != NULL)
                 malloc_debug_func(ret, num, file, line, 1);
@@ -194,8 +271,8 @@ void CRYPTO_free_locked(void *str)
         {
         if (free_debug_func != NULL)
                 free_debug_func(str, 0);
-#ifdef LEVITTE_DEBUG
-        fprintf(stderr, "LEVITTE_DEBUG:         < 0x%p\n", str);
+#ifdef LEVITTE_DEBUG_MEM
+        fprintf(stderr, "LEVITTE_DEBUG_MEM:         < 0x%p\n", str);
 #endif
         free_locked_func(str);
         if (free_debug_func != NULL)
@@ -212,9 +289,9 @@ void *CRYPTO_malloc(int num, const char *file, int line)
                 allow_customize_debug = 0;
                 malloc_debug_func(NULL, num, file, line, 0);
                 }
-        ret = malloc_func(num);
-#ifdef LEVITTE_DEBUG
-        fprintf(stderr, "LEVITTE_DEBUG:         > 0x%p (%d)\n", ret, num);
+        ret = malloc_ex_func(num,file,line);
+#ifdef LEVITTE_DEBUG_MEM
+        fprintf(stderr, "LEVITTE_DEBUG_MEM:         > 0x%p (%d)\n", ret, num);
 #endif
         if (malloc_debug_func != NULL)
                 malloc_debug_func(ret, num, file, line, 1);
@@ -228,9 +305,9 @@ void *CRYPTO_realloc(void *str, int num, const char *file, int line)
 
         if (realloc_debug_func != NULL)
                 realloc_debug_func(str, NULL, num, file, line, 0);
-        ret = realloc_func(str,num);
-#ifdef LEVITTE_DEBUG
-        fprintf(stderr, "LEVITTE_DEBUG:         | 0x%p -> 0x%p (%d)\n", str, ret, num);
+        ret = realloc_ex_func(str,num,file,line);
+#ifdef LEVITTE_DEBUG_MEM
+        fprintf(stderr, "LEVITTE_DEBUG_MEM:         | 0x%p -> 0x%p (%d)\n", str, ret, num);
 #endif
         if (realloc_debug_func != NULL)
                 realloc_debug_func(str, ret, num, file, line, 1);
@@ -242,8 +319,8 @@ void CRYPTO_free(void *str)
         {
         if (free_debug_func != NULL)
                 free_debug_func(str, 0);
-#ifdef LEVITTE_DEBUG
-        fprintf(stderr, "LEVITTE_DEBUG:         < 0x%p\n", str);
+#ifdef LEVITTE_DEBUG_MEM
+        fprintf(stderr, "LEVITTE_DEBUG_MEM:         < 0x%p\n", str);
 #endif
         free_func(str);
         if (free_debug_func != NULL)
diff --git a/src/lib/libcrypto/mem_dbg.c b/src/lib/libcrypto/mem_dbg.c
index ef19d8f844..1c4e04f51f 100644
--- a/src/lib/libcrypto/mem_dbg.c
+++ b/src/lib/libcrypto/mem_dbg.c
@@ -235,37 +235,43 @@ long CRYPTO_dbg_get_options(void)
         return options;
         }
 
-static int mem_cmp(MEM *a, MEM *b)
+/* static int mem_cmp(MEM *a, MEM *b) */
+static int mem_cmp(const void *a_void, const void *b_void)
         {
-        return((char *)a->addr - (char *)b->addr);
+        return((const char *)((const MEM *)a_void)->addr
+                - (const char *)((const MEM *)b_void)->addr);
         }
 
-static unsigned long mem_hash(MEM *a)
+/* static unsigned long mem_hash(MEM *a) */
+static unsigned long mem_hash(const void *a_void)
         {
         unsigned long ret;
 
-        ret=(unsigned long)a->addr;
+        ret=(unsigned long)((const MEM *)a_void)->addr;
 
         ret=ret*17851+(ret>>14)*7+(ret>>4)*251;
         return(ret);
         }
 
-static int app_info_cmp(APP_INFO *a, APP_INFO *b)
+/* static int app_info_cmp(APP_INFO *a, APP_INFO *b) */
+static int app_info_cmp(const void *a_void, const void *b_void)
         {
-        return(a->thread != b->thread);
+        return(((const APP_INFO *)a_void)->thread
+                != ((const APP_INFO *)b_void)->thread);
         }
 
-static unsigned long app_info_hash(APP_INFO *a)
+/* static unsigned long app_info_hash(APP_INFO *a) */
+static unsigned long app_info_hash(const void *a_void)
         {
         unsigned long ret;
 
-        ret=(unsigned long)a->thread;
+        ret=(unsigned long)((const APP_INFO *)a_void)->thread;
 
         ret=ret*17851+(ret>>14)*7+(ret>>4)*251;
         return(ret);
         }
 
-static APP_INFO *pop_info()
+static APP_INFO *pop_info(void)
         {
         APP_INFO tmp;
         APP_INFO *ret = NULL;
@@ -282,7 +288,7 @@ static APP_INFO *pop_info()
                                 next->references++;
                                 lh_insert(amih,(char *)next);
                                 }
-#ifdef LEVITTE_DEBUG
+#ifdef LEVITTE_DEBUG_MEM
                         if (ret->thread != tmp.thread)
                                 {
                                 fprintf(stderr, "pop_info(): deleted info has other thread ID (%lu) than the current thread (%lu)!!!!\n",
@@ -318,7 +324,7 @@ int CRYPTO_push_info_(const char *info, const char *file, int line)
                         }
                 if (amih == NULL)
                         {
-                        if ((amih=lh_new(app_info_hash,app_info_cmp)) == NULL)
+                        if ((amih=lh_new(app_info_hash, app_info_cmp)) == NULL)
                                 {
                                 OPENSSL_free(ami);
                                 ret=0;
@@ -335,7 +341,7 @@ int CRYPTO_push_info_(const char *info, const char *file, int line)
 
                 if ((amim=(APP_INFO *)lh_insert(amih,(char *)ami)) != NULL)
                         {
-#ifdef LEVITTE_DEBUG
+#ifdef LEVITTE_DEBUG_MEM
                         if (ami->thread != amim->thread)
                                 {
                                 fprintf(stderr, "CRYPTO_push_info(): previous info has other thread ID (%lu) than the current thread (%lu)!!!!\n",
@@ -411,7 +417,7 @@ void CRYPTO_dbg_malloc(void *addr, int num, const char *file, int line,
                                 }
                         if (mh == NULL)
                                 {
-                                if ((mh=lh_new(mem_hash,mem_cmp)) == NULL)
+                                if ((mh=lh_new(mem_hash, mem_cmp)) == NULL)
                                         {
                                         OPENSSL_free(addr);
                                         OPENSSL_free(m);
@@ -435,8 +441,8 @@ void CRYPTO_dbg_malloc(void *addr, int num, const char *file, int line,
                                 m->order=order;
                                 }
                         m->order=order++;
-#ifdef LEVITTE_DEBUG
-                        fprintf(stderr, "LEVITTE_DEBUG: [%5d] %c 0x%p (%d)\n",
+#ifdef LEVITTE_DEBUG_MEM
+                        fprintf(stderr, "LEVITTE_DEBUG_MEM: [%5d] %c 0x%p (%d)\n",
                                 m->order,
                                 (before_p & 128) ? '*' : '+',
                                 m->addr, m->num);
@@ -491,8 +497,8 @@ void CRYPTO_dbg_free(void *addr, int before_p)
                         mp=(MEM *)lh_delete(mh,(char *)&m);
                         if (mp != NULL)
                                 {
-#ifdef LEVITTE_DEBUG
-                        fprintf(stderr, "LEVITTE_DEBUG: [%5d] - 0x%p (%d)\n",
+#ifdef LEVITTE_DEBUG_MEM
+                        fprintf(stderr, "LEVITTE_DEBUG_MEM: [%5d] - 0x%p (%d)\n",
                                 mp->order, mp->addr, mp->num);
 #endif
                                 if (mp->app_info != NULL)
@@ -516,8 +522,8 @@ void CRYPTO_dbg_realloc(void *addr1, void *addr2, int num,
         {
         MEM m,*mp;
 
-#ifdef LEVITTE_DEBUG
-        fprintf(stderr, "LEVITTE_DEBUG: --> CRYPTO_dbg_malloc(addr1 = %p, addr2 = %p, num = %d, file = \"%s\", line = %d, before_p = %d)\n",
+#ifdef LEVITTE_DEBUG_MEM
+        fprintf(stderr, "LEVITTE_DEBUG_MEM: --> CRYPTO_dbg_malloc(addr1 = %p, addr2 = %p, num = %d, file = \"%s\", line = %d, before_p = %d)\n",
                 addr1, addr2, num, file, line, before_p);
 #endif
 
@@ -543,8 +549,8 @@ void CRYPTO_dbg_realloc(void *addr1, void *addr2, int num,
                         mp=(MEM *)lh_delete(mh,(char *)&m);
                         if (mp != NULL)
                                 {
-#ifdef LEVITTE_DEBUG
-                                fprintf(stderr, "LEVITTE_DEBUG: [%5d] * 0x%p (%d) -> 0x%p (%d)\n",
+#ifdef LEVITTE_DEBUG_MEM
+                                fprintf(stderr, "LEVITTE_DEBUG_MEM: [%5d] * 0x%p (%d) -> 0x%p (%d)\n",
                                         mp->order,
                                         mp->addr, mp->num,
                                         addr2, num);
@@ -570,7 +576,7 @@ typedef struct mem_leak_st
         long bytes;
         } MEM_LEAK;
 
-static void print_leak(MEM *m, MEM_LEAK *l)
+static void print_leak(const MEM *m, MEM_LEAK *l)
         {
         char buf[1024];
         char *bufp = buf;
@@ -646,7 +652,7 @@ static void print_leak(MEM *m, MEM_LEAK *l)
                 }
         while(amip && amip->thread == ti);
                 
-#ifdef LEVITTE_DEBUG
+#ifdef LEVITTE_DEBUG_MEM
         if (amip)
                 {
                 fprintf(stderr, "Thread switch detected in backtrace!!!!\n");
@@ -655,6 +661,8 @@ static void print_leak(MEM *m, MEM_LEAK *l)
 #endif
         }
 
+static IMPLEMENT_LHASH_DOALL_ARG_FN(print_leak, const MEM *, MEM_LEAK *)
+
 void CRYPTO_mem_leaks(BIO *b)
         {
         MEM_LEAK ml;
@@ -669,7 +677,8 @@ void CRYPTO_mem_leaks(BIO *b)
         ml.bytes=0;
         ml.chunks=0;
         if (mh != NULL)
-                lh_doall_arg(mh,(void (*)())print_leak,(char *)&ml);
+                lh_doall_arg(mh, LHASH_DOALL_ARG_FN(print_leak),
+                                (char *)&ml);
         if (ml.chunks != 0)
                 {
                 sprintf(buf,"%ld bytes leaked in %d chunks\n",
@@ -722,14 +731,19 @@ void CRYPTO_mem_leaks(BIO *b)
         MemCheck_on(); /* release MALLOC2 lock */
         }
 
-#ifndef NO_FP_API
+#ifndef OPENSSL_NO_FP_API
 void CRYPTO_mem_leaks_fp(FILE *fp)
         {
         BIO *b;
 
         if (mh == NULL) return;
-        if ((b=BIO_new(BIO_s_file())) == NULL)
-                return;
+        /* Need to turn off memory checking when allocated BIOs ... especially
+         * as we're creating them at a time when we're trying to check we've not
+         * left anything un-free()'d!! */
+        MemCheck_off();
+        b = BIO_new(BIO_s_file());
+        MemCheck_on();
+        if(!b) return;
         BIO_set_fp(b,fp,BIO_NOCLOSE);
         CRYPTO_mem_leaks(b);
         BIO_free(b);
@@ -741,16 +755,20 @@ void CRYPTO_mem_leaks_fp(FILE *fp)
 /* FIXME: We really don't allow much to the callback.  For example, it has
    no chance of reaching the info stack for the item it processes.  Should
    it really be this way?  -- Richard Levitte */
-static void cb_leak(MEM *m,
-                    void (**cb)(unsigned long, const char *, int, int, void *))
+/* NB: The prototypes have been typedef'd to CRYPTO_MEM_LEAK_CB inside crypto.h
+ * If this code is restructured, remove the callback type if it is no longer
+ * needed. -- Geoff Thorpe */
+static void cb_leak(const MEM *m, CRYPTO_MEM_LEAK_CB **cb)
         {
         (**cb)(m->order,m->file,m->line,m->num,m->addr);
         }
 
-void CRYPTO_mem_leaks_cb(void (*cb)(unsigned long, const char *, int, int, void *))
+static IMPLEMENT_LHASH_DOALL_ARG_FN(cb_leak, const MEM *, CRYPTO_MEM_LEAK_CB **)
+
+void CRYPTO_mem_leaks_cb(CRYPTO_MEM_LEAK_CB *cb)
         {
         if (mh == NULL) return;
         CRYPTO_w_lock(CRYPTO_LOCK_MALLOC2);
-        lh_doall_arg(mh,(void (*)())cb_leak,(void *)&cb);
+        lh_doall_arg(mh, LHASH_DOALL_ARG_FN(cb_leak), &cb);
         CRYPTO_w_unlock(CRYPTO_LOCK_MALLOC2);
         }
diff --git a/src/lib/libcrypto/o_time.c b/src/lib/libcrypto/o_time.c
new file mode 100644
index 0000000000..1bc0297b36
--- /dev/null
+++ b/src/lib/libcrypto/o_time.c
@@ -0,0 +1,203 @@
+/* crypto/o_time.c -*- mode:C; c-file-style: "eay" -*- */
+/* Written by Richard Levitte (richard@levitte.org) for the OpenSSL
+ * project 2001.
+ */
+/* ====================================================================
+ * Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <openssl/e_os2.h>
+#include <string.h>
+#include "o_time.h"
+
+#ifdef OPENSSL_SYS_VMS
+# include <libdtdef.h>
+# include <lib$routines.h>
+# include <lnmdef.h>
+# include <starlet.h>
+# include <descrip.h>
+# include <stdlib.h>
+#endif
+
+struct tm *OPENSSL_gmtime(const time_t *timer, struct tm *result)
+        {
+        struct tm *ts = NULL;
+
+#if defined(OPENSSL_THREADS) && !defined(OPENSSL_SYS_WIN32) && !defined(OPENSSL_SYS_OS2) && !defined(__CYGWIN32__) && (!defined(OPENSSL_SYS_VMS) || defined(gmtime_r)) && !defined(OPENSSL_SYS_MACOSX)
+        /* should return &data, but doesn't on some systems,
+           so we don't even look at the return value */
+        gmtime_r(timer,result);
+        ts = result;
+#elif !defined(OPENSSL_SYS_VMS)
+        ts = gmtime(timer);
+        memcpy(result, ts, sizeof(struct tm));
+        ts = result;
+#endif
+#ifdef OPENSSL_SYS_VMS
+        if (ts == NULL)
+                {
+                static $DESCRIPTOR(tabnam,"LNM$DCL_LOGICAL");
+                static $DESCRIPTOR(lognam,"SYS$TIMEZONE_DIFFERENTIAL");
+                char logvalue[256];
+                unsigned int reslen = 0;
+                struct {
+                        short buflen;
+                        short code;
+                        void *bufaddr;
+                        unsigned int *reslen;
+                } itemlist[] = {
+                        { 0, LNM$_STRING, 0, 0 },
+                        { 0, 0, 0, 0 },
+                };
+                int status;
+                time_t t;
+
+                /* Get the value for SYS$TIMEZONE_DIFFERENTIAL */
+                itemlist[0].buflen = sizeof(logvalue);
+                itemlist[0].bufaddr = logvalue;
+                itemlist[0].reslen = &reslen;
+                status = sys$trnlnm(0, &tabnam, &lognam, 0, itemlist);
+                if (!(status & 1))
+                        return NULL;
+                logvalue[reslen] = '\0';
+
+                /* Get the numerical value of the equivalence string */
+                status = atoi(logvalue);
+
+                /* and use it to move time to GMT */
+                t = *timer - status;
+
+                /* then convert the result to the time structure */
+#ifndef OPENSSL_THREADS
+                ts=(struct tm *)localtime(&t);
+#else
+                /* Since there was no gmtime_r() to do this stuff for us,
+                   we have to do it the hard way. */
+                {
+                /* The VMS epoch is the astronomical Smithsonian date,
+                   if I remember correctly, which is November 17, 1858.
+                   Furthermore, time is measure in thenths of microseconds
+                   and stored in quadwords (64 bit integers).  unix_epoch
+                   below is January 1st 1970 expressed as a VMS time.  The
+                   following code was used to get this number:
+
+                   #include <stdio.h>
+                   #include <stdlib.h>
+                   #include <lib$routines.h>
+                   #include <starlet.h>
+
+                   main()
+                   {
+                     unsigned long systime[2];
+                     unsigned short epoch_values[7] =
+                       { 1970, 1, 1, 0, 0, 0, 0 };
+
+                     lib$cvt_vectim(epoch_values, systime);
+
+                     printf("%u %u", systime[0], systime[1]);
+                   }
+                */
+                unsigned long unix_epoch[2] = { 1273708544, 8164711 };
+                unsigned long deltatime[2];
+                unsigned long systime[2];
+                struct vms_vectime
+                        {
+                        short year, month, day, hour, minute, second,
+                                centi_second;
+                        } time_values;
+                long operation;
+
+                /* Turn the number of seconds since January 1st 1970 to
+                   an internal delta time.
+                   Note that lib$cvt_to_internal_time() will assume
+                   that t is signed, and will therefore break on 32-bit
+                   systems some time in 2038.
+                */
+                operation = LIB$K_DELTA_SECONDS;
+                status = lib$cvt_to_internal_time(&operation,
+                        &t, deltatime);
+
+                /* Add the delta time with the Unix epoch and we have
+                   the current UTC time in internal format */
+                status = lib$add_times(unix_epoch, deltatime, systime);
+
+                /* Turn the internal time into a time vector */
+                status = sys$numtim(&time_values, systime);
+
+                /* Fill in the struct tm with the result */
+                result->tm_sec = time_values.second;
+                result->tm_min = time_values.minute;
+                result->tm_hour = time_values.hour;
+                result->tm_mday = time_values.day;
+                result->tm_mon = time_values.month - 1;
+                result->tm_year = time_values.year - 1900;
+
+                operation = LIB$K_DAY_OF_WEEK;
+                status = lib$cvt_from_internal_time(&operation,
+                        &result->tm_wday, systime);
+                result->tm_wday %= 7;
+
+                operation = LIB$K_DAY_OF_YEAR;
+                status = lib$cvt_from_internal_time(&operation,
+                        &result->tm_yday, systime);
+                result->tm_yday--;
+
+                result->tm_isdst = 0; /* There's no way to know... */
+
+                ts = result;
+#endif
+                }
+                }
+#endif
+        return ts;
+        }       
diff --git a/src/lib/libcrypto/o_time.h b/src/lib/libcrypto/o_time.h
new file mode 100644
index 0000000000..e66044626d
--- /dev/null
+++ b/src/lib/libcrypto/o_time.h
@@ -0,0 +1,66 @@
+/* crypto/o_time.h -*- mode:C; c-file-style: "eay" -*- */
+/* Written by Richard Levitte (richard@levitte.org) for the OpenSSL
+ * project 2001.
+ */
+/* ====================================================================
+ * Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#ifndef HEADER_O_TIME_H
+#define HEADER_O_TIME_H
+
+#include <time.h>
+
+struct tm *OPENSSL_gmtime(const time_t *timer, struct tm *result);
+
+#endif
diff --git a/src/lib/libcrypto/objects/Makefile.ssl b/src/lib/libcrypto/objects/Makefile.ssl
index 6746ad21e7..7962a089db 100644
--- a/src/lib/libcrypto/objects/Makefile.ssl
+++ b/src/lib/libcrypto/objects/Makefile.ssl
@@ -5,15 +5,17 @@
 DIR=    objects
 TOP=    ../..
 CC=     cc
-INCLUDES= -I.. -I../../include
+INCLUDES= -I.. -I$(TOP) -I../../include
 CFLAG=-g
 INSTALL_PREFIX=
 OPENSSLDIR=     /usr/local/ssl
 INSTALLTOP=/usr/local/ssl
 MAKE=           make -f Makefile.ssl
-MAKEDEPEND=     $(TOP)/util/domd $(TOP)
+MAKEDEPPROG=    makedepend
+MAKEDEPEND=     $(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)
 MAKEFILE=       Makefile.ssl
 AR=             ar r
+PERL=           perl
 
 CFLAGS= $(INCLUDES) $(CFLAG)
 
@@ -39,10 +41,16 @@ all:	obj_dat.h lib
 
 lib:    $(LIBOBJ)
         $(AR) $(LIB) $(LIBOBJ)
-        @echo You may get an error following this line.  Please ignore.
-        - $(RANLIB) $(LIB)
+        $(RANLIB) $(LIB) || echo Never mind.
         @touch lib
 
+obj_dat.h: obj_dat.pl obj_mac.h
+        $(PERL) obj_dat.pl obj_mac.h obj_dat.h
+
+# objects.pl both reads and writes obj_mac.num
+obj_mac.h: objects.pl objects.txt obj_mac.num
+        $(PERL) objects.pl objects.txt obj_mac.num obj_mac.h
+
 files:
         $(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO
 
@@ -81,32 +89,35 @@ clean:
 
 o_names.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
 o_names.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h
-o_names.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
-o_names.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-o_names.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+o_names.o: ../../include/openssl/e_os2.h ../../include/openssl/lhash.h
+o_names.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+o_names.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+o_names.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
 o_names.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-obj_dat.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-obj_dat.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-obj_dat.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+o_names.o: o_names.c
+obj_dat.o: ../../e_os.h ../../include/openssl/asn1.h
+obj_dat.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+obj_dat.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 obj_dat.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 obj_dat.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
 obj_dat.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-obj_dat.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-obj_dat.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-obj_dat.o: ../cryptlib.h obj_dat.h
+obj_dat.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+obj_dat.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+obj_dat.o: ../../include/openssl/symhacks.h ../cryptlib.h obj_dat.c obj_dat.h
 obj_err.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
 obj_err.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h
-obj_err.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
-obj_err.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-obj_err.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+obj_err.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+obj_err.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+obj_err.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+obj_err.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 obj_err.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-obj_err.o: ../../include/openssl/symhacks.h
-obj_lib.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-obj_lib.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-obj_lib.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+obj_err.o: ../../include/openssl/symhacks.h obj_err.c
+obj_lib.o: ../../e_os.h ../../include/openssl/asn1.h
+obj_lib.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+obj_lib.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 obj_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 obj_lib.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
 obj_lib.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-obj_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-obj_lib.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-obj_lib.o: ../cryptlib.h
+obj_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+obj_lib.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+obj_lib.o: ../../include/openssl/symhacks.h ../cryptlib.h obj_lib.c
diff --git a/src/lib/libcrypto/objects/o_names.c b/src/lib/libcrypto/objects/o_names.c
index dca988230e..2b80243256 100644
--- a/src/lib/libcrypto/objects/o_names.c
+++ b/src/lib/libcrypto/objects/o_names.c
@@ -5,6 +5,18 @@
 #include <openssl/lhash.h>
 #include <openssl/objects.h>
 #include <openssl/safestack.h>
+#include <openssl/e_os2.h>
+
+/* Later versions of DEC C has started to add lnkage information to certain
+ * functions, which makes it tricky to use them as values to regular function
+ * pointers.  One way is to define a macro that takes care of casting them
+ * correctly.
+ */
+#ifdef OPENSSL_SYS_VMS_DECC
+# define OPENSSL_strcmp (int (*)(const char *,const char *))strcmp
+#else
+# define OPENSSL_strcmp strcmp
+#endif
 
 /* I use the ex_data stuff to manage the identifiers for the obj_name_types
  * that applications may define.  I only really use the free function field.
@@ -14,9 +26,9 @@ static int names_type_num=OBJ_NAME_TYPE_NUM;
 
 typedef struct name_funcs_st
         {
-        unsigned long (*hash_func)();
-        int (*cmp_func)();
-        void (*free_func)();
+        unsigned long (*hash_func)(const char *name);
+        int (*cmp_func)(const char *a,const char *b);
+        void (*free_func)(const char *, int, const char *);
         } NAME_FUNCS;
 
 DECLARE_STACK_OF(NAME_FUNCS)
@@ -24,20 +36,26 @@ IMPLEMENT_STACK_OF(NAME_FUNCS)
 
 static STACK_OF(NAME_FUNCS) *name_funcs_stack;
 
-static unsigned long obj_name_hash(OBJ_NAME *a);
-static int obj_name_cmp(OBJ_NAME *a,OBJ_NAME *b);
+/* The LHASH callbacks now use the raw "void *" prototypes and do per-variable
+ * casting in the functions. This prevents function pointer casting without the
+ * need for macro-generated wrapper functions. */
+
+/* static unsigned long obj_name_hash(OBJ_NAME *a); */
+static unsigned long obj_name_hash(const void *a_void);
+/* static int obj_name_cmp(OBJ_NAME *a,OBJ_NAME *b); */
+static int obj_name_cmp(const void *a_void,const void *b_void);
 
 int OBJ_NAME_init(void)
         {
         if (names_lh != NULL) return(1);
         MemCheck_off();
-        names_lh=lh_new(obj_name_hash,obj_name_cmp);
+        names_lh=lh_new(obj_name_hash, obj_name_cmp);
         MemCheck_on();
         return(names_lh != NULL);
         }
 
 int OBJ_NAME_new_index(unsigned long (*hash_func)(const char *),
-        int (*cmp_func)(const void *, const void *),
+        int (*cmp_func)(const char *, const char *),
         void (*free_func)(const char *, int, const char *))
         {
         int ret;
@@ -62,12 +80,12 @@ int OBJ_NAME_new_index(unsigned long (*hash_func)(const char *),
                 MemCheck_off();
                 name_funcs = OPENSSL_malloc(sizeof(NAME_FUNCS));
                 name_funcs->hash_func = lh_strhash;
-                name_funcs->cmp_func = (int (*)())strcmp;
+                name_funcs->cmp_func = OPENSSL_strcmp;
                 name_funcs->free_func = 0; /* NULL is often declared to
-                                            * ((void *)0), which according
-                                            * to Compaq C is not really
-                                            * compatible with a function
-                                            * pointer.  -- Richard Levitte*/
+                                                * ((void *)0), which according
+                                                * to Compaq C is not really
+                                                * compatible with a function
+                                                * pointer.      -- Richard Levitte*/
                 sk_NAME_FUNCS_push(name_funcs_stack,name_funcs);
                 MemCheck_on();
                 }
@@ -81,9 +99,12 @@ int OBJ_NAME_new_index(unsigned long (*hash_func)(const char *),
         return(ret);
         }
 
-static int obj_name_cmp(OBJ_NAME *a, OBJ_NAME *b)
+/* static int obj_name_cmp(OBJ_NAME *a, OBJ_NAME *b) */
+static int obj_name_cmp(const void *a_void, const void *b_void)
         {
         int ret;
+        OBJ_NAME *a = (OBJ_NAME *)a_void;
+        OBJ_NAME *b = (OBJ_NAME *)b_void;
 
         ret=a->type-b->type;
         if (ret == 0)
@@ -91,8 +112,8 @@ static int obj_name_cmp(OBJ_NAME *a, OBJ_NAME *b)
                 if ((name_funcs_stack != NULL)
                         && (sk_NAME_FUNCS_num(name_funcs_stack) > a->type))
                         {
-                        ret=sk_NAME_FUNCS_value(name_funcs_stack,a->type)
-                                ->cmp_func(a->name,b->name);
+                        ret=sk_NAME_FUNCS_value(name_funcs_stack,
+                                a->type)->cmp_func(a->name,b->name);
                         }
                 else
                         ret=strcmp(a->name,b->name);
@@ -100,14 +121,16 @@ static int obj_name_cmp(OBJ_NAME *a, OBJ_NAME *b)
         return(ret);
         }
 
-static unsigned long obj_name_hash(OBJ_NAME *a)
+/* static unsigned long obj_name_hash(OBJ_NAME *a) */
+static unsigned long obj_name_hash(const void *a_void)
         {
         unsigned long ret;
+        OBJ_NAME *a = (OBJ_NAME *)a_void;
 
         if ((name_funcs_stack != NULL) && (sk_NAME_FUNCS_num(name_funcs_stack) > a->type))
                 {
-                ret=sk_NAME_FUNCS_value(name_funcs_stack,a->type)
-                        ->hash_func(a->name);
+                ret=sk_NAME_FUNCS_value(name_funcs_stack,
+                        a->type)->hash_func(a->name);
                 }
         else
                 {
@@ -132,7 +155,7 @@ const char *OBJ_NAME_get(const char *name, int type)
         on.type=type;
 
         for (;;)
-                {
+        {
                 ret=(OBJ_NAME *)lh_retrieve(names_lh,&on);
                 if (ret == NULL) return(NULL);
                 if ((ret->alias) && !alias)
@@ -179,8 +202,8 @@ int OBJ_NAME_add(const char *name, int type, const char *data)
                          * function should get three arguments...
                          * -- Richard Levitte
                          */
-                        sk_NAME_FUNCS_value(name_funcs_stack,ret->type)
-                                ->free_func(ret->name,ret->type,ret->data);
+                        sk_NAME_FUNCS_value(name_funcs_stack,
+                                ret->type)->free_func(ret->name,ret->type,ret->data);
                         }
                 OPENSSL_free(ret);
                 }
@@ -214,8 +237,8 @@ int OBJ_NAME_remove(const char *name, int type)
                          * function should get three arguments...
                          * -- Richard Levitte
                          */
-                        sk_NAME_FUNCS_value(name_funcs_stack,ret->type)
-                                ->free_func(ret->name,ret->type,ret->data);
+                        sk_NAME_FUNCS_value(name_funcs_stack,
+                                ret->type)->free_func(ret->name,ret->type,ret->data);
                         }
                 OPENSSL_free(ret);
                 return(1);
@@ -224,12 +247,82 @@ int OBJ_NAME_remove(const char *name, int type)
                 return(0);
         }
 
+struct doall
+        {
+        int type;
+        void (*fn)(const OBJ_NAME *,void *arg);
+        void *arg;
+        };
+
+static void do_all_fn(const OBJ_NAME *name,struct doall *d)
+        {
+        if(name->type == d->type)
+                d->fn(name,d->arg);
+        }
+
+static IMPLEMENT_LHASH_DOALL_ARG_FN(do_all_fn, const OBJ_NAME *, struct doall *)
+
+void OBJ_NAME_do_all(int type,void (*fn)(const OBJ_NAME *,void *arg),void *arg)
+        {
+        struct doall d;
+
+        d.type=type;
+        d.fn=fn;
+        d.arg=arg;
+
+        lh_doall_arg(names_lh,LHASH_DOALL_ARG_FN(do_all_fn),&d);
+        }
+
+struct doall_sorted
+        {
+        int type;
+        int n;
+        const OBJ_NAME **names;
+        };
+
+static void do_all_sorted_fn(const OBJ_NAME *name,void *d_)
+        {
+        struct doall_sorted *d=d_;
+
+        if(name->type != d->type)
+                return;
+
+        d->names[d->n++]=name;
+        }
+
+static int do_all_sorted_cmp(const void *n1_,const void *n2_)
+        {
+        const OBJ_NAME * const *n1=n1_;
+        const OBJ_NAME * const *n2=n2_;
+
+        return strcmp((*n1)->name,(*n2)->name);
+        }
+
+void OBJ_NAME_do_all_sorted(int type,void (*fn)(const OBJ_NAME *,void *arg),
+                                void *arg)
+        {
+        struct doall_sorted d;
+        int n;
+
+        d.type=type;
+        d.names=OPENSSL_malloc(lh_num_items(names_lh)*sizeof *d.names);
+        d.n=0;
+        OBJ_NAME_do_all(type,do_all_sorted_fn,&d);
+
+        qsort((void *)d.names,d.n,sizeof *d.names,do_all_sorted_cmp);
+
+        for(n=0 ; n < d.n ; ++n)
+                fn(d.names[n],arg);
+
+        OPENSSL_free((void *)d.names);
+        }
+
 static int free_type;
 
-static void names_lh_free(OBJ_NAME *onp, int type)
+static void names_lh_free(OBJ_NAME *onp)
 {
         if(onp == NULL)
-            return;
+                return;
 
         if ((free_type < 0) || (free_type == onp->type))
                 {
@@ -237,6 +330,8 @@ static void names_lh_free(OBJ_NAME *onp, int type)
                 }
         }
 
+static IMPLEMENT_LHASH_DOALL_FN(names_lh_free, OBJ_NAME *)
+
 static void name_funcs_free(NAME_FUNCS *ptr)
         {
         OPENSSL_free(ptr);
@@ -252,7 +347,7 @@ void OBJ_NAME_cleanup(int type)
         down_load=names_lh->down_load;
         names_lh->down_load=0;
 
-        lh_doall(names_lh,names_lh_free);
+        lh_doall(names_lh,LHASH_DOALL_FN(names_lh_free));
         if (type < 0)
                 {
                 lh_free(names_lh);
diff --git a/src/lib/libcrypto/objects/obj_dat.c b/src/lib/libcrypto/objects/obj_dat.c
index 4b1bb9583a..8779ba7d1d 100644
--- a/src/lib/libcrypto/objects/obj_dat.c
+++ b/src/lib/libcrypto/objects/obj_dat.c
@@ -64,7 +64,7 @@
 #include <openssl/objects.h>
 
 /* obj_dat.h is generated from objects.h by obj_dat.pl */
-#ifndef NO_OBJECT
+#ifndef OPENSSL_NO_OBJECT
 #include "obj_dat.h"
 #else
 /* You will have to load all the objects needed manually in the application */
@@ -108,12 +108,14 @@ static int ln_cmp(const void *a, const void *b)
         return(strcmp((*ap)->ln,(*bp)->ln));
         }
 
-static unsigned long add_hash(ADDED_OBJ *ca)
+/* static unsigned long add_hash(ADDED_OBJ *ca) */
+static unsigned long add_hash(const void *ca_void)
         {
-        ASN1_OBJECT *a;
+        const ASN1_OBJECT *a;
         int i;
         unsigned long ret=0;
         unsigned char *p;
+        ADDED_OBJ *ca = (ADDED_OBJ *)ca_void;
 
         a=ca->obj;
         switch (ca->type)
@@ -142,10 +144,13 @@ static unsigned long add_hash(ADDED_OBJ *ca)
         return(ret);
         }
 
-static int add_cmp(ADDED_OBJ *ca, ADDED_OBJ *cb)
+/* static int add_cmp(ADDED_OBJ *ca, ADDED_OBJ *cb) */
+static int add_cmp(const void *ca_void, const void *cb_void)
         {
         ASN1_OBJECT *a,*b;
         int i;
+        ADDED_OBJ *ca = (ADDED_OBJ *)ca_void;
+        ADDED_OBJ *cb = (ADDED_OBJ *)cb_void;
 
         i=ca->type-cb->type;
         if (i) return(i);
@@ -171,7 +176,6 @@ static int add_cmp(ADDED_OBJ *ca, ADDED_OBJ *cb)
                 /* abort(); */
                 return 0;
                 }
-        return(1); /* should not get here */
         }
 
 static int init_added(void)
@@ -199,13 +203,17 @@ static void cleanup3(ADDED_OBJ *a)
         OPENSSL_free(a);
         }
 
+static IMPLEMENT_LHASH_DOALL_FN(cleanup1, ADDED_OBJ *)
+static IMPLEMENT_LHASH_DOALL_FN(cleanup2, ADDED_OBJ *)
+static IMPLEMENT_LHASH_DOALL_FN(cleanup3, ADDED_OBJ *)
+
 void OBJ_cleanup(void)
         {
         if (added == NULL) return;
         added->down_load=0;
-        lh_doall(added,cleanup1); /* zero counters */
-        lh_doall(added,cleanup2); /* set counters */
-        lh_doall(added,cleanup3); /* free objects */
+        lh_doall(added,LHASH_DOALL_FN(cleanup1)); /* zero counters */
+        lh_doall(added,LHASH_DOALL_FN(cleanup2)); /* set counters */
+        lh_doall(added,LHASH_DOALL_FN(cleanup3)); /* free objects */
         lh_free(added);
         added=NULL;
         }
@@ -219,7 +227,7 @@ int OBJ_new_nid(int num)
         return(i);
         }
 
-int OBJ_add_object(ASN1_OBJECT *obj)
+int OBJ_add_object(const ASN1_OBJECT *obj)
         {
         ASN1_OBJECT *o;
         ADDED_OBJ *ao[4]={NULL,NULL,NULL,NULL},*aop;
@@ -355,7 +363,7 @@ const char *OBJ_nid2ln(int n)
                 }
         }
 
-int OBJ_obj2nid(ASN1_OBJECT *a)
+int OBJ_obj2nid(const ASN1_OBJECT *a)
         {
         ASN1_OBJECT **op;
         ADDED_OBJ ad,*adp;
@@ -368,7 +376,7 @@ int OBJ_obj2nid(ASN1_OBJECT *a)
         if (added != NULL)
                 {
                 ad.type=ADDED_DATA;
-                ad.obj=a;
+                ad.obj=(ASN1_OBJECT *)a; /* XXX: ugly but harmless */
                 adp=(ADDED_OBJ *)lh_retrieve(added,&ad);
                 if (adp != NULL) return (adp->obj->nid);
                 }
@@ -422,7 +430,7 @@ ASN1_OBJECT *OBJ_txt2obj(const char *s, int no_name)
         return op;
         }
 
-int OBJ_obj2txt(char *buf, int buf_len, ASN1_OBJECT *a, int no_name)
+int OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name)
 {
         int i,idx=0,n=0,len,nid;
         unsigned long l;
@@ -437,8 +445,7 @@ int OBJ_obj2txt(char *buf, int buf_len, ASN1_OBJECT *a, int no_name)
                 return(0);
         }
 
-        nid=OBJ_obj2nid(a);
-        if ((nid == NID_undef) || no_name) {
+        if (no_name || (nid=OBJ_obj2nid(a)) == NID_undef) {
                 len=a->length;
                 p=a->data;
 
@@ -488,7 +495,7 @@ int OBJ_obj2txt(char *buf, int buf_len, ASN1_OBJECT *a, int no_name)
         return(n);
 }
 
-int OBJ_txt2nid(char *s)
+int OBJ_txt2nid(const char *s)
 {
         ASN1_OBJECT *obj;
         int nid;
@@ -547,10 +554,11 @@ static int obj_cmp(const void *ap, const void *bp)
         return(memcmp(a->data,b->data,a->length));
         }
 
-char *OBJ_bsearch(char *key, char *base, int num, int size, int (*cmp)(const void *, const void *))
+const char *OBJ_bsearch(const char *key, const char *base, int num, int size,
+        int (*cmp)(const void *, const void *))
         {
         int l,h,i,c;
-        char *p;
+        const char *p;
 
         if (num == 0) return(NULL);
         l=0;
@@ -629,7 +637,7 @@ int OBJ_create_objects(BIO *in)
         /* return(num); */
         }
 
-int OBJ_create(char *oid, char *sn, char *ln)
+int OBJ_create(const char *oid, const char *sn, const char *ln)
         {
         int ok=0;
         ASN1_OBJECT *op=NULL;
@@ -645,6 +653,8 @@ int OBJ_create(char *oid, char *sn, char *ln)
                 return(0);
                 }
         i=a2d_ASN1_OBJECT(buf,i,oid,-1);
+        if (i == 0)
+                goto err;
         op=(ASN1_OBJECT *)ASN1_OBJECT_create(OBJ_new_nid(1),buf,i,sn,ln);
         if (op == NULL) 
                 goto err;
diff --git a/src/lib/libcrypto/objects/obj_dat.h b/src/lib/libcrypto/objects/obj_dat.h
new file mode 100644
index 0000000000..39cfcda783
--- /dev/null
+++ b/src/lib/libcrypto/objects/obj_dat.h
@@ -0,0 +1,2842 @@
+/* crypto/objects/obj_dat.h */
+
+/* THIS FILE IS GENERATED FROM objects.h by obj_dat.pl via the
+ * following command:
+ * perl obj_dat.pl obj_mac.h obj_dat.h
+ */
+
+/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#define NUM_NID 510
+#define NUM_SN 507
+#define NUM_LN 507
+#define NUM_OBJ 481
+
+static unsigned char lvalues[3881]={
+0x00,                                        /* [  0] OBJ_undef */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,               /* [  1] OBJ_rsadsi */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,          /* [  7] OBJ_pkcs */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x02,     /* [ 14] OBJ_md2 */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x05,     /* [ 22] OBJ_md5 */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x03,0x04,     /* [ 30] OBJ_rc4 */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x01,/* [ 38] OBJ_rsaEncryption */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x02,/* [ 47] OBJ_md2WithRSAEncryption */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x04,/* [ 56] OBJ_md5WithRSAEncryption */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x05,0x01,/* [ 65] OBJ_pbeWithMD2AndDES_CBC */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x05,0x03,/* [ 74] OBJ_pbeWithMD5AndDES_CBC */
+0x55,                                        /* [ 83] OBJ_X500 */
+0x55,0x04,                                   /* [ 84] OBJ_X509 */
+0x55,0x04,0x03,                              /* [ 86] OBJ_commonName */
+0x55,0x04,0x06,                              /* [ 89] OBJ_countryName */
+0x55,0x04,0x07,                              /* [ 92] OBJ_localityName */
+0x55,0x04,0x08,                              /* [ 95] OBJ_stateOrProvinceName */
+0x55,0x04,0x0A,                              /* [ 98] OBJ_organizationName */
+0x55,0x04,0x0B,                              /* [101] OBJ_organizationalUnitName */
+0x55,0x08,0x01,0x01,                         /* [104] OBJ_rsa */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x07,     /* [108] OBJ_pkcs7 */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x07,0x01,/* [116] OBJ_pkcs7_data */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x07,0x02,/* [125] OBJ_pkcs7_signed */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x07,0x03,/* [134] OBJ_pkcs7_enveloped */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x07,0x04,/* [143] OBJ_pkcs7_signedAndEnveloped */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x07,0x05,/* [152] OBJ_pkcs7_digest */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x07,0x06,/* [161] OBJ_pkcs7_encrypted */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x03,     /* [170] OBJ_pkcs3 */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x03,0x01,/* [178] OBJ_dhKeyAgreement */
+0x2B,0x0E,0x03,0x02,0x06,                    /* [187] OBJ_des_ecb */
+0x2B,0x0E,0x03,0x02,0x09,                    /* [192] OBJ_des_cfb64 */
+0x2B,0x0E,0x03,0x02,0x07,                    /* [197] OBJ_des_cbc */
+0x2B,0x0E,0x03,0x02,0x11,                    /* [202] OBJ_des_ede_ecb */
+0x2B,0x06,0x01,0x04,0x01,0x81,0x3C,0x07,0x01,0x01,0x02,/* [207] OBJ_idea_cbc */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x03,0x02,     /* [218] OBJ_rc2_cbc */
+0x2B,0x0E,0x03,0x02,0x12,                    /* [226] OBJ_sha */
+0x2B,0x0E,0x03,0x02,0x0F,                    /* [231] OBJ_shaWithRSAEncryption */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x03,0x07,     /* [236] OBJ_des_ede3_cbc */
+0x2B,0x0E,0x03,0x02,0x08,                    /* [244] OBJ_des_ofb64 */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,     /* [249] OBJ_pkcs9 */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x01,/* [257] OBJ_pkcs9_emailAddress */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x02,/* [266] OBJ_pkcs9_unstructuredName */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x03,/* [275] OBJ_pkcs9_contentType */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x04,/* [284] OBJ_pkcs9_messageDigest */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x05,/* [293] OBJ_pkcs9_signingTime */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x06,/* [302] OBJ_pkcs9_countersignature */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x07,/* [311] OBJ_pkcs9_challengePassword */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x08,/* [320] OBJ_pkcs9_unstructuredAddress */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x09,/* [329] OBJ_pkcs9_extCertAttributes */
+0x60,0x86,0x48,0x01,0x86,0xF8,0x42,          /* [338] OBJ_netscape */
+0x60,0x86,0x48,0x01,0x86,0xF8,0x42,0x01,     /* [345] OBJ_netscape_cert_extension */
+0x60,0x86,0x48,0x01,0x86,0xF8,0x42,0x02,     /* [353] OBJ_netscape_data_type */
+0x2B,0x0E,0x03,0x02,0x1A,                    /* [361] OBJ_sha1 */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x05,/* [366] OBJ_sha1WithRSAEncryption */
+0x2B,0x0E,0x03,0x02,0x0D,                    /* [375] OBJ_dsaWithSHA */
+0x2B,0x0E,0x03,0x02,0x0C,                    /* [380] OBJ_dsa_2 */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x05,0x0B,/* [385] OBJ_pbeWithSHA1AndRC2_CBC */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x05,0x0C,/* [394] OBJ_id_pbkdf2 */
+0x2B,0x0E,0x03,0x02,0x1B,                    /* [403] OBJ_dsaWithSHA1_2 */
+0x60,0x86,0x48,0x01,0x86,0xF8,0x42,0x01,0x01,/* [408] OBJ_netscape_cert_type */
+0x60,0x86,0x48,0x01,0x86,0xF8,0x42,0x01,0x02,/* [417] OBJ_netscape_base_url */
+0x60,0x86,0x48,0x01,0x86,0xF8,0x42,0x01,0x03,/* [426] OBJ_netscape_revocation_url */
+0x60,0x86,0x48,0x01,0x86,0xF8,0x42,0x01,0x04,/* [435] OBJ_netscape_ca_revocation_url */
+0x60,0x86,0x48,0x01,0x86,0xF8,0x42,0x01,0x07,/* [444] OBJ_netscape_renewal_url */
+0x60,0x86,0x48,0x01,0x86,0xF8,0x42,0x01,0x08,/* [453] OBJ_netscape_ca_policy_url */
+0x60,0x86,0x48,0x01,0x86,0xF8,0x42,0x01,0x0C,/* [462] OBJ_netscape_ssl_server_name */
+0x60,0x86,0x48,0x01,0x86,0xF8,0x42,0x01,0x0D,/* [471] OBJ_netscape_comment */
+0x60,0x86,0x48,0x01,0x86,0xF8,0x42,0x02,0x05,/* [480] OBJ_netscape_cert_sequence */
+0x55,0x1D,                                   /* [489] OBJ_id_ce */
+0x55,0x1D,0x0E,                              /* [491] OBJ_subject_key_identifier */
+0x55,0x1D,0x0F,                              /* [494] OBJ_key_usage */
+0x55,0x1D,0x10,                              /* [497] OBJ_private_key_usage_period */
+0x55,0x1D,0x11,                              /* [500] OBJ_subject_alt_name */
+0x55,0x1D,0x12,                              /* [503] OBJ_issuer_alt_name */
+0x55,0x1D,0x13,                              /* [506] OBJ_basic_constraints */
+0x55,0x1D,0x14,                              /* [509] OBJ_crl_number */
+0x55,0x1D,0x20,                              /* [512] OBJ_certificate_policies */
+0x55,0x1D,0x23,                              /* [515] OBJ_authority_key_identifier */
+0x2B,0x06,0x01,0x04,0x01,0x97,0x55,0x01,0x02,/* [518] OBJ_bf_cbc */
+0x55,0x08,0x03,0x65,                         /* [527] OBJ_mdc2 */
+0x55,0x08,0x03,0x64,                         /* [531] OBJ_mdc2WithRSA */
+0x55,0x04,0x2A,                              /* [535] OBJ_givenName */
+0x55,0x04,0x04,                              /* [538] OBJ_surname */
+0x55,0x04,0x2B,                              /* [541] OBJ_initials */
+0x55,0x1D,0x1F,                              /* [544] OBJ_crl_distribution_points */
+0x2B,0x0E,0x03,0x02,0x03,                    /* [547] OBJ_md5WithRSA */
+0x55,0x04,0x05,                              /* [552] OBJ_serialNumber */
+0x55,0x04,0x0C,                              /* [555] OBJ_title */
+0x55,0x04,0x0D,                              /* [558] OBJ_description */
+0x2A,0x86,0x48,0x86,0xF6,0x7D,0x07,0x42,0x0A,/* [561] OBJ_cast5_cbc */
+0x2A,0x86,0x48,0x86,0xF6,0x7D,0x07,0x42,0x0C,/* [570] OBJ_pbeWithMD5AndCast5_CBC */
+0x2A,0x86,0x48,0xCE,0x38,0x04,0x03,          /* [579] OBJ_dsaWithSHA1 */
+0x2B,0x0E,0x03,0x02,0x1D,                    /* [586] OBJ_sha1WithRSA */
+0x2A,0x86,0x48,0xCE,0x38,0x04,0x01,          /* [591] OBJ_dsa */
+0x2B,0x24,0x03,0x02,0x01,                    /* [598] OBJ_ripemd160 */
+0x2B,0x24,0x03,0x03,0x01,0x02,               /* [603] OBJ_ripemd160WithRSA */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x03,0x08,     /* [609] OBJ_rc5_cbc */
+0x29,0x01,0x01,0x85,0x1A,0x01,               /* [617] OBJ_rle_compression */
+0x29,0x01,0x01,0x85,0x1A,0x02,               /* [623] OBJ_zlib_compression */
+0x55,0x1D,0x25,                              /* [629] OBJ_ext_key_usage */
+0x2B,0x06,0x01,0x05,0x05,0x07,               /* [632] OBJ_id_pkix */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x03,          /* [638] OBJ_id_kp */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x01,     /* [645] OBJ_server_auth */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x02,     /* [653] OBJ_client_auth */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x03,     /* [661] OBJ_code_sign */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x04,     /* [669] OBJ_email_protect */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x08,     /* [677] OBJ_time_stamp */
+0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x02,0x01,0x15,/* [685] OBJ_ms_code_ind */
+0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x02,0x01,0x16,/* [695] OBJ_ms_code_com */
+0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x0A,0x03,0x01,/* [705] OBJ_ms_ctl_sign */
+0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x0A,0x03,0x03,/* [715] OBJ_ms_sgc */
+0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x0A,0x03,0x04,/* [725] OBJ_ms_efs */
+0x60,0x86,0x48,0x01,0x86,0xF8,0x42,0x04,0x01,/* [735] OBJ_ns_sgc */
+0x55,0x1D,0x1B,                              /* [744] OBJ_delta_crl */
+0x55,0x1D,0x15,                              /* [747] OBJ_crl_reason */
+0x55,0x1D,0x18,                              /* [750] OBJ_invalidity_date */
+0x2B,0x65,0x01,0x04,0x01,                    /* [753] OBJ_sxnet */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x0C,0x01,0x01,/* [758] OBJ_pbe_WithSHA1And128BitRC4 */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x0C,0x01,0x02,/* [768] OBJ_pbe_WithSHA1And40BitRC4 */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x0C,0x01,0x03,/* [778] OBJ_pbe_WithSHA1And3_Key_TripleDES_CBC */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x0C,0x01,0x04,/* [788] OBJ_pbe_WithSHA1And2_Key_TripleDES_CBC */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x0C,0x01,0x05,/* [798] OBJ_pbe_WithSHA1And128BitRC2_CBC */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x0C,0x01,0x06,/* [808] OBJ_pbe_WithSHA1And40BitRC2_CBC */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x0C,0x0A,0x01,0x01,/* [818] OBJ_keyBag */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x0C,0x0A,0x01,0x02,/* [829] OBJ_pkcs8ShroudedKeyBag */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x0C,0x0A,0x01,0x03,/* [840] OBJ_certBag */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x0C,0x0A,0x01,0x04,/* [851] OBJ_crlBag */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x0C,0x0A,0x01,0x05,/* [862] OBJ_secretBag */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x0C,0x0A,0x01,0x06,/* [873] OBJ_safeContentsBag */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x14,/* [884] OBJ_friendlyName */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x15,/* [893] OBJ_localKeyID */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x16,0x01,/* [902] OBJ_x509Certificate */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x16,0x02,/* [912] OBJ_sdsiCertificate */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x17,0x01,/* [922] OBJ_x509Crl */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x05,0x0D,/* [932] OBJ_pbes2 */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x05,0x0E,/* [941] OBJ_pbmac1 */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x07,     /* [950] OBJ_hmacWithSHA1 */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x02,0x01,     /* [958] OBJ_id_qt_cps */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x02,0x02,     /* [966] OBJ_id_qt_unotice */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x0F,/* [974] OBJ_SMIMECapabilities */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x05,0x04,/* [983] OBJ_pbeWithMD2AndRC2_CBC */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x05,0x06,/* [992] OBJ_pbeWithMD5AndRC2_CBC */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x05,0x0A,/* [1001] OBJ_pbeWithSHA1AndDES_CBC */
+0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x02,0x01,0x0E,/* [1010] OBJ_ms_ext_req */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x0E,/* [1020] OBJ_ext_req */
+0x55,0x04,0x29,                              /* [1029] OBJ_name */
+0x55,0x04,0x2E,                              /* [1032] OBJ_dnQualifier */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x01,          /* [1035] OBJ_id_pe */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x30,          /* [1042] OBJ_id_ad */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x01,     /* [1049] OBJ_info_access */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,     /* [1057] OBJ_ad_OCSP */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x02,     /* [1065] OBJ_ad_ca_issuers */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x09,     /* [1073] OBJ_OCSP_sign */
+0x28,                                        /* [1081] OBJ_iso */
+0x2A,                                        /* [1082] OBJ_member_body */
+0x2A,0x86,0x48,                              /* [1083] OBJ_ISO_US */
+0x2A,0x86,0x48,0xCE,0x38,                    /* [1086] OBJ_X9_57 */
+0x2A,0x86,0x48,0xCE,0x38,0x04,               /* [1091] OBJ_X9cm */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,     /* [1097] OBJ_pkcs1 */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x05,     /* [1105] OBJ_pkcs5 */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,/* [1113] OBJ_SMIME */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x00,/* [1122] OBJ_id_smime_mod */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x01,/* [1132] OBJ_id_smime_ct */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,/* [1142] OBJ_id_smime_aa */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x03,/* [1152] OBJ_id_smime_alg */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x04,/* [1162] OBJ_id_smime_cd */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x05,/* [1172] OBJ_id_smime_spq */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x06,/* [1182] OBJ_id_smime_cti */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x00,0x01,/* [1192] OBJ_id_smime_mod_cms */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x00,0x02,/* [1203] OBJ_id_smime_mod_ess */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x00,0x03,/* [1214] OBJ_id_smime_mod_oid */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x00,0x04,/* [1225] OBJ_id_smime_mod_msg_v3 */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x00,0x05,/* [1236] OBJ_id_smime_mod_ets_eSignature_88 */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x00,0x06,/* [1247] OBJ_id_smime_mod_ets_eSignature_97 */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x00,0x07,/* [1258] OBJ_id_smime_mod_ets_eSigPolicy_88 */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x00,0x08,/* [1269] OBJ_id_smime_mod_ets_eSigPolicy_97 */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x01,0x01,/* [1280] OBJ_id_smime_ct_receipt */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x01,0x02,/* [1291] OBJ_id_smime_ct_authData */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x01,0x03,/* [1302] OBJ_id_smime_ct_publishCert */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x01,0x04,/* [1313] OBJ_id_smime_ct_TSTInfo */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x01,0x05,/* [1324] OBJ_id_smime_ct_TDTInfo */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x01,0x06,/* [1335] OBJ_id_smime_ct_contentInfo */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x01,0x07,/* [1346] OBJ_id_smime_ct_DVCSRequestData */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x01,0x08,/* [1357] OBJ_id_smime_ct_DVCSResponseData */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x01,/* [1368] OBJ_id_smime_aa_receiptRequest */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x02,/* [1379] OBJ_id_smime_aa_securityLabel */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x03,/* [1390] OBJ_id_smime_aa_mlExpandHistory */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x04,/* [1401] OBJ_id_smime_aa_contentHint */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x05,/* [1412] OBJ_id_smime_aa_msgSigDigest */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x06,/* [1423] OBJ_id_smime_aa_encapContentType */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x07,/* [1434] OBJ_id_smime_aa_contentIdentifier */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x08,/* [1445] OBJ_id_smime_aa_macValue */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x09,/* [1456] OBJ_id_smime_aa_equivalentLabels */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x0A,/* [1467] OBJ_id_smime_aa_contentReference */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x0B,/* [1478] OBJ_id_smime_aa_encrypKeyPref */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x0C,/* [1489] OBJ_id_smime_aa_signingCertificate */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x0D,/* [1500] OBJ_id_smime_aa_smimeEncryptCerts */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x0E,/* [1511] OBJ_id_smime_aa_timeStampToken */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x0F,/* [1522] OBJ_id_smime_aa_ets_sigPolicyId */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x10,/* [1533] OBJ_id_smime_aa_ets_commitmentType */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x11,/* [1544] OBJ_id_smime_aa_ets_signerLocation */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x12,/* [1555] OBJ_id_smime_aa_ets_signerAttr */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x13,/* [1566] OBJ_id_smime_aa_ets_otherSigCert */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x14,/* [1577] OBJ_id_smime_aa_ets_contentTimestamp */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x15,/* [1588] OBJ_id_smime_aa_ets_CertificateRefs */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x16,/* [1599] OBJ_id_smime_aa_ets_RevocationRefs */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x17,/* [1610] OBJ_id_smime_aa_ets_certValues */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x18,/* [1621] OBJ_id_smime_aa_ets_revocationValues */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x19,/* [1632] OBJ_id_smime_aa_ets_escTimeStamp */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x1A,/* [1643] OBJ_id_smime_aa_ets_certCRLTimestamp */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x1B,/* [1654] OBJ_id_smime_aa_ets_archiveTimeStamp */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x1C,/* [1665] OBJ_id_smime_aa_signatureType */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x1D,/* [1676] OBJ_id_smime_aa_dvcs_dvc */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x03,0x01,/* [1687] OBJ_id_smime_alg_ESDHwith3DES */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x03,0x02,/* [1698] OBJ_id_smime_alg_ESDHwithRC2 */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x03,0x03,/* [1709] OBJ_id_smime_alg_3DESwrap */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x03,0x04,/* [1720] OBJ_id_smime_alg_RC2wrap */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x03,0x05,/* [1731] OBJ_id_smime_alg_ESDH */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x03,0x06,/* [1742] OBJ_id_smime_alg_CMS3DESwrap */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x03,0x07,/* [1753] OBJ_id_smime_alg_CMSRC2wrap */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x04,0x01,/* [1764] OBJ_id_smime_cd_ldap */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x05,0x01,/* [1775] OBJ_id_smime_spq_ets_sqt_uri */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x05,0x02,/* [1786] OBJ_id_smime_spq_ets_sqt_unotice */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x06,0x01,/* [1797] OBJ_id_smime_cti_ets_proofOfOrigin */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x06,0x02,/* [1808] OBJ_id_smime_cti_ets_proofOfReceipt */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x06,0x03,/* [1819] OBJ_id_smime_cti_ets_proofOfDelivery */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x06,0x04,/* [1830] OBJ_id_smime_cti_ets_proofOfSender */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x06,0x05,/* [1841] OBJ_id_smime_cti_ets_proofOfApproval */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x06,0x06,/* [1852] OBJ_id_smime_cti_ets_proofOfCreation */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x04,     /* [1863] OBJ_md4 */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x00,          /* [1871] OBJ_id_pkix_mod */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x02,          /* [1878] OBJ_id_qt */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x04,          /* [1885] OBJ_id_it */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x05,          /* [1892] OBJ_id_pkip */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x06,          /* [1899] OBJ_id_alg */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x07,          /* [1906] OBJ_id_cmc */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x08,          /* [1913] OBJ_id_on */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x09,          /* [1920] OBJ_id_pda */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x0A,          /* [1927] OBJ_id_aca */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x0B,          /* [1934] OBJ_id_qcs */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x0C,          /* [1941] OBJ_id_cct */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x00,0x01,     /* [1948] OBJ_id_pkix1_explicit_88 */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x00,0x02,     /* [1956] OBJ_id_pkix1_implicit_88 */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x00,0x03,     /* [1964] OBJ_id_pkix1_explicit_93 */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x00,0x04,     /* [1972] OBJ_id_pkix1_implicit_93 */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x00,0x05,     /* [1980] OBJ_id_mod_crmf */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x00,0x06,     /* [1988] OBJ_id_mod_cmc */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x00,0x07,     /* [1996] OBJ_id_mod_kea_profile_88 */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x00,0x08,     /* [2004] OBJ_id_mod_kea_profile_93 */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x00,0x09,     /* [2012] OBJ_id_mod_cmp */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x00,0x0A,     /* [2020] OBJ_id_mod_qualified_cert_88 */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x00,0x0B,     /* [2028] OBJ_id_mod_qualified_cert_93 */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x00,0x0C,     /* [2036] OBJ_id_mod_attribute_cert */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x00,0x0D,     /* [2044] OBJ_id_mod_timestamp_protocol */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x00,0x0E,     /* [2052] OBJ_id_mod_ocsp */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x00,0x0F,     /* [2060] OBJ_id_mod_dvcs */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x00,0x10,     /* [2068] OBJ_id_mod_cmp2000 */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x02,     /* [2076] OBJ_biometricInfo */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x03,     /* [2084] OBJ_qcStatements */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x04,     /* [2092] OBJ_ac_auditEntity */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x05,     /* [2100] OBJ_ac_targeting */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x06,     /* [2108] OBJ_aaControls */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x07,     /* [2116] OBJ_sbqp_ipAddrBlock */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x08,     /* [2124] OBJ_sbqp_autonomousSysNum */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x09,     /* [2132] OBJ_sbqp_routerIdentifier */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x02,0x03,     /* [2140] OBJ_textNotice */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x05,     /* [2148] OBJ_ipsecEndSystem */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x06,     /* [2156] OBJ_ipsecTunnel */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x07,     /* [2164] OBJ_ipsecUser */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x0A,     /* [2172] OBJ_dvcs */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x04,0x01,     /* [2180] OBJ_id_it_caProtEncCert */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x04,0x02,     /* [2188] OBJ_id_it_signKeyPairTypes */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x04,0x03,     /* [2196] OBJ_id_it_encKeyPairTypes */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x04,0x04,     /* [2204] OBJ_id_it_preferredSymmAlg */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x04,0x05,     /* [2212] OBJ_id_it_caKeyUpdateInfo */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x04,0x06,     /* [2220] OBJ_id_it_currentCRL */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x04,0x07,     /* [2228] OBJ_id_it_unsupportedOIDs */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x04,0x08,     /* [2236] OBJ_id_it_subscriptionRequest */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x04,0x09,     /* [2244] OBJ_id_it_subscriptionResponse */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x04,0x0A,     /* [2252] OBJ_id_it_keyPairParamReq */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x04,0x0B,     /* [2260] OBJ_id_it_keyPairParamRep */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x04,0x0C,     /* [2268] OBJ_id_it_revPassphrase */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x04,0x0D,     /* [2276] OBJ_id_it_implicitConfirm */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x04,0x0E,     /* [2284] OBJ_id_it_confirmWaitTime */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x04,0x0F,     /* [2292] OBJ_id_it_origPKIMessage */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x05,0x01,     /* [2300] OBJ_id_regCtrl */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x05,0x02,     /* [2308] OBJ_id_regInfo */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x05,0x01,0x01,/* [2316] OBJ_id_regCtrl_regToken */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x05,0x01,0x02,/* [2325] OBJ_id_regCtrl_authenticator */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x05,0x01,0x03,/* [2334] OBJ_id_regCtrl_pkiPublicationInfo */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x05,0x01,0x04,/* [2343] OBJ_id_regCtrl_pkiArchiveOptions */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x05,0x01,0x05,/* [2352] OBJ_id_regCtrl_oldCertID */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x05,0x01,0x06,/* [2361] OBJ_id_regCtrl_protocolEncrKey */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x05,0x02,0x01,/* [2370] OBJ_id_regInfo_utf8Pairs */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x05,0x02,0x02,/* [2379] OBJ_id_regInfo_certReq */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x06,0x01,     /* [2388] OBJ_id_alg_des40 */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x06,0x02,     /* [2396] OBJ_id_alg_noSignature */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x06,0x03,     /* [2404] OBJ_id_alg_dh_sig_hmac_sha1 */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x06,0x04,     /* [2412] OBJ_id_alg_dh_pop */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x07,0x01,     /* [2420] OBJ_id_cmc_statusInfo */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x07,0x02,     /* [2428] OBJ_id_cmc_identification */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x07,0x03,     /* [2436] OBJ_id_cmc_identityProof */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x07,0x04,     /* [2444] OBJ_id_cmc_dataReturn */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x07,0x05,     /* [2452] OBJ_id_cmc_transactionId */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x07,0x06,     /* [2460] OBJ_id_cmc_senderNonce */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x07,0x07,     /* [2468] OBJ_id_cmc_recipientNonce */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x07,0x08,     /* [2476] OBJ_id_cmc_addExtensions */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x07,0x09,     /* [2484] OBJ_id_cmc_encryptedPOP */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x07,0x0A,     /* [2492] OBJ_id_cmc_decryptedPOP */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x07,0x0B,     /* [2500] OBJ_id_cmc_lraPOPWitness */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x07,0x0F,     /* [2508] OBJ_id_cmc_getCert */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x07,0x10,     /* [2516] OBJ_id_cmc_getCRL */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x07,0x11,     /* [2524] OBJ_id_cmc_revokeRequest */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x07,0x12,     /* [2532] OBJ_id_cmc_regInfo */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x07,0x13,     /* [2540] OBJ_id_cmc_responseInfo */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x07,0x15,     /* [2548] OBJ_id_cmc_queryPending */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x07,0x16,     /* [2556] OBJ_id_cmc_popLinkRandom */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x07,0x17,     /* [2564] OBJ_id_cmc_popLinkWitness */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x07,0x18,     /* [2572] OBJ_id_cmc_confirmCertAcceptance */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x08,0x01,     /* [2580] OBJ_id_on_personalData */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x09,0x01,     /* [2588] OBJ_id_pda_dateOfBirth */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x09,0x02,     /* [2596] OBJ_id_pda_placeOfBirth */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x09,0x03,     /* [2604] OBJ_id_pda_gender */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x09,0x04,     /* [2612] OBJ_id_pda_countryOfCitizenship */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x09,0x05,     /* [2620] OBJ_id_pda_countryOfResidence */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x0A,0x01,     /* [2628] OBJ_id_aca_authenticationInfo */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x0A,0x02,     /* [2636] OBJ_id_aca_accessIdentity */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x0A,0x03,     /* [2644] OBJ_id_aca_chargingIdentity */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x0A,0x04,     /* [2652] OBJ_id_aca_group */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x0A,0x05,     /* [2660] OBJ_id_aca_role */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x0B,0x01,     /* [2668] OBJ_id_qcs_pkixQCSyntax_v1 */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x0C,0x01,     /* [2676] OBJ_id_cct_crs */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x0C,0x02,     /* [2684] OBJ_id_cct_PKIData */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x0C,0x03,     /* [2692] OBJ_id_cct_PKIResponse */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x03,     /* [2700] OBJ_ad_timeStamping */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x04,     /* [2708] OBJ_ad_dvcs */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x01,/* [2716] OBJ_id_pkix_OCSP_basic */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x02,/* [2725] OBJ_id_pkix_OCSP_Nonce */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x03,/* [2734] OBJ_id_pkix_OCSP_CrlID */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x04,/* [2743] OBJ_id_pkix_OCSP_acceptableResponses */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x05,/* [2752] OBJ_id_pkix_OCSP_noCheck */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x06,/* [2761] OBJ_id_pkix_OCSP_archiveCutoff */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x07,/* [2770] OBJ_id_pkix_OCSP_serviceLocator */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x08,/* [2779] OBJ_id_pkix_OCSP_extendedStatus */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x09,/* [2788] OBJ_id_pkix_OCSP_valid */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x0A,/* [2797] OBJ_id_pkix_OCSP_path */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x0B,/* [2806] OBJ_id_pkix_OCSP_trustRoot */
+0x2B,0x0E,0x03,0x02,                         /* [2815] OBJ_algorithm */
+0x2B,0x0E,0x03,0x02,0x0B,                    /* [2819] OBJ_rsaSignature */
+0x55,0x08,                                   /* [2824] OBJ_X500algorithms */
+0x2B,                                        /* [2826] OBJ_org */
+0x2B,0x06,                                   /* [2827] OBJ_dod */
+0x2B,0x06,0x01,                              /* [2829] OBJ_iana */
+0x2B,0x06,0x01,0x01,                         /* [2832] OBJ_Directory */
+0x2B,0x06,0x01,0x02,                         /* [2836] OBJ_Management */
+0x2B,0x06,0x01,0x03,                         /* [2840] OBJ_Experimental */
+0x2B,0x06,0x01,0x04,                         /* [2844] OBJ_Private */
+0x2B,0x06,0x01,0x05,                         /* [2848] OBJ_Security */
+0x2B,0x06,0x01,0x06,                         /* [2852] OBJ_SNMPv2 */
+0x2B,0x06,0x01,0x07,                         /* [2856] OBJ_Mail */
+0x2B,0x06,0x01,0x04,0x01,                    /* [2860] OBJ_Enterprises */
+0x2B,0x06,0x01,0x04,0x01,0x8B,0x3A,0x82,0x58,/* [2865] OBJ_dcObject */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x19,/* [2874] OBJ_domainComponent */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x04,0x0D,/* [2884] OBJ_Domain */
+0x50,                                        /* [2894] OBJ_joint_iso_ccitt */
+0x55,0x01,0x05,                              /* [2895] OBJ_selected_attribute_types */
+0x55,0x01,0x05,0x37,                         /* [2898] OBJ_clearance */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x03,/* [2902] OBJ_md4WithRSAEncryption */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x0A,     /* [2911] OBJ_ac_proxying */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x0B,     /* [2919] OBJ_sinfo_access */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x0A,0x06,     /* [2927] OBJ_id_aca_encAttrs */
+0x55,0x04,0x48,                              /* [2935] OBJ_role */
+0x55,0x1D,0x24,                              /* [2938] OBJ_policy_constraints */
+0x55,0x1D,0x37,                              /* [2941] OBJ_target_information */
+0x55,0x1D,0x38,                              /* [2944] OBJ_no_rev_avail */
+0x00,                                        /* [2947] OBJ_ccitt */
+0x2A,0x86,0x48,0xCE,0x3D,                    /* [2948] OBJ_ansi_X9_62 */
+0x2A,0x86,0x48,0xCE,0x3D,0x01,0x01,          /* [2953] OBJ_X9_62_prime_field */
+0x2A,0x86,0x48,0xCE,0x3D,0x01,0x02,          /* [2960] OBJ_X9_62_characteristic_two_field */
+0x2A,0x86,0x48,0xCE,0x3D,0x02,0x01,          /* [2967] OBJ_X9_62_id_ecPublicKey */
+0x2A,0x86,0x48,0xCE,0x3D,0x03,0x01,0x01,     /* [2974] OBJ_X9_62_prime192v1 */
+0x2A,0x86,0x48,0xCE,0x3D,0x03,0x01,0x02,     /* [2982] OBJ_X9_62_prime192v2 */
+0x2A,0x86,0x48,0xCE,0x3D,0x03,0x01,0x03,     /* [2990] OBJ_X9_62_prime192v3 */
+0x2A,0x86,0x48,0xCE,0x3D,0x03,0x01,0x04,     /* [2998] OBJ_X9_62_prime239v1 */
+0x2A,0x86,0x48,0xCE,0x3D,0x03,0x01,0x05,     /* [3006] OBJ_X9_62_prime239v2 */
+0x2A,0x86,0x48,0xCE,0x3D,0x03,0x01,0x06,     /* [3014] OBJ_X9_62_prime239v3 */
+0x2A,0x86,0x48,0xCE,0x3D,0x03,0x01,0x07,     /* [3022] OBJ_X9_62_prime256v1 */
+0x2A,0x86,0x48,0xCE,0x3D,0x04,0x01,          /* [3030] OBJ_ecdsa_with_SHA1 */
+0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x11,0x01,/* [3037] OBJ_ms_csp_name */
+0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x01,/* [3046] OBJ_aes_128_ecb */
+0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x02,/* [3055] OBJ_aes_128_cbc */
+0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x03,/* [3064] OBJ_aes_128_ofb128 */
+0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x04,/* [3073] OBJ_aes_128_cfb128 */
+0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x15,/* [3082] OBJ_aes_192_ecb */
+0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x16,/* [3091] OBJ_aes_192_cbc */
+0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x17,/* [3100] OBJ_aes_192_ofb128 */
+0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x18,/* [3109] OBJ_aes_192_cfb128 */
+0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x29,/* [3118] OBJ_aes_256_ecb */
+0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x2A,/* [3127] OBJ_aes_256_cbc */
+0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x2B,/* [3136] OBJ_aes_256_ofb128 */
+0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x2C,/* [3145] OBJ_aes_256_cfb128 */
+0x55,0x1D,0x17,                              /* [3154] OBJ_hold_instruction_code */
+0x2A,0x86,0x48,0xCE,0x38,0x02,0x01,          /* [3157] OBJ_hold_instruction_none */
+0x2A,0x86,0x48,0xCE,0x38,0x02,0x02,          /* [3164] OBJ_hold_instruction_call_issuer */
+0x2A,0x86,0x48,0xCE,0x38,0x02,0x03,          /* [3171] OBJ_hold_instruction_reject */
+0x09,                                        /* [3178] OBJ_data */
+0x09,0x92,0x26,                              /* [3179] OBJ_pss */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,          /* [3182] OBJ_ucl */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,     /* [3189] OBJ_pilot */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,/* [3197] OBJ_pilotAttributeType */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x03,/* [3206] OBJ_pilotAttributeSyntax */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x04,/* [3215] OBJ_pilotObjectClass */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x0A,/* [3224] OBJ_pilotGroups */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x03,0x04,/* [3233] OBJ_iA5StringSyntax */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x03,0x05,/* [3243] OBJ_caseIgnoreIA5StringSyntax */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x04,0x03,/* [3253] OBJ_pilotObject */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x04,0x04,/* [3263] OBJ_pilotPerson */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x04,0x05,/* [3273] OBJ_account */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x04,0x06,/* [3283] OBJ_document */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x04,0x07,/* [3293] OBJ_room */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x04,0x09,/* [3303] OBJ_documentSeries */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x04,0x0E,/* [3313] OBJ_rFC822localPart */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x04,0x0F,/* [3323] OBJ_dNSDomain */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x04,0x11,/* [3333] OBJ_domainRelatedObject */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x04,0x12,/* [3343] OBJ_friendlyCountry */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x04,0x13,/* [3353] OBJ_simpleSecurityObject */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x04,0x14,/* [3363] OBJ_pilotOrganization */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x04,0x15,/* [3373] OBJ_pilotDSA */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x04,0x16,/* [3383] OBJ_qualityLabelledData */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x01,/* [3393] OBJ_userId */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x02,/* [3403] OBJ_textEncodedORAddress */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x03,/* [3413] OBJ_rfc822Mailbox */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x04,/* [3423] OBJ_info */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x05,/* [3433] OBJ_favouriteDrink */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x06,/* [3443] OBJ_roomNumber */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x07,/* [3453] OBJ_photo */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x08,/* [3463] OBJ_userClass */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x09,/* [3473] OBJ_host */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x0A,/* [3483] OBJ_manager */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x0B,/* [3493] OBJ_documentIdentifier */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x0C,/* [3503] OBJ_documentTitle */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x0D,/* [3513] OBJ_documentVersion */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x0E,/* [3523] OBJ_documentAuthor */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x0F,/* [3533] OBJ_documentLocation */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x14,/* [3543] OBJ_homeTelephoneNumber */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x15,/* [3553] OBJ_secretary */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x16,/* [3563] OBJ_otherMailbox */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x17,/* [3573] OBJ_lastModifiedTime */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x18,/* [3583] OBJ_lastModifiedBy */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x1A,/* [3593] OBJ_aRecord */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x1B,/* [3603] OBJ_pilotAttributeType27 */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x1C,/* [3613] OBJ_mXRecord */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x1D,/* [3623] OBJ_nSRecord */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x1E,/* [3633] OBJ_sOARecord */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x1F,/* [3643] OBJ_cNAMERecord */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x25,/* [3653] OBJ_associatedDomain */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x26,/* [3663] OBJ_associatedName */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x27,/* [3673] OBJ_homePostalAddress */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x28,/* [3683] OBJ_personalTitle */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x29,/* [3693] OBJ_mobileTelephoneNumber */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x2A,/* [3703] OBJ_pagerTelephoneNumber */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x2B,/* [3713] OBJ_friendlyCountryName */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x2D,/* [3723] OBJ_organizationalStatus */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x2E,/* [3733] OBJ_janetMailbox */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x2F,/* [3743] OBJ_mailPreferenceOption */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x30,/* [3753] OBJ_buildingName */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x31,/* [3763] OBJ_dSAQuality */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x32,/* [3773] OBJ_singleLevelQuality */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x33,/* [3783] OBJ_subtreeMinimumQuality */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x34,/* [3793] OBJ_subtreeMaximumQuality */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x35,/* [3803] OBJ_personalSignature */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x36,/* [3813] OBJ_dITRedirect */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x37,/* [3823] OBJ_audio */
+0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x38,/* [3833] OBJ_documentPublisher */
+0x55,0x04,0x2D,                              /* [3843] OBJ_x500UniqueIdentifier */
+0x2B,0x06,0x01,0x07,0x01,                    /* [3846] OBJ_mime_mhs */
+0x2B,0x06,0x01,0x07,0x01,0x01,               /* [3851] OBJ_mime_mhs_headings */
+0x2B,0x06,0x01,0x07,0x01,0x02,               /* [3857] OBJ_mime_mhs_bodies */
+0x2B,0x06,0x01,0x07,0x01,0x01,0x01,          /* [3863] OBJ_id_hex_partial_message */
+0x2B,0x06,0x01,0x07,0x01,0x01,0x02,          /* [3870] OBJ_id_hex_multipart_message */
+0x55,0x04,0x2C,                              /* [3877] OBJ_generationQualifier */
+};
+
+static ASN1_OBJECT nid_objs[NUM_NID]={
+{"UNDEF","undefined",NID_undef,1,&(lvalues[0]),0},
+{"rsadsi","RSA Data Security, Inc.",NID_rsadsi,6,&(lvalues[1]),0},
+{"pkcs","RSA Data Security, Inc. PKCS",NID_pkcs,7,&(lvalues[7]),0},
+{"MD2","md2",NID_md2,8,&(lvalues[14]),0},
+{"MD5","md5",NID_md5,8,&(lvalues[22]),0},
+{"RC4","rc4",NID_rc4,8,&(lvalues[30]),0},
+{"rsaEncryption","rsaEncryption",NID_rsaEncryption,9,&(lvalues[38]),0},
+{"RSA-MD2","md2WithRSAEncryption",NID_md2WithRSAEncryption,9,
+        &(lvalues[47]),0},
+{"RSA-MD5","md5WithRSAEncryption",NID_md5WithRSAEncryption,9,
+        &(lvalues[56]),0},
+{"PBE-MD2-DES","pbeWithMD2AndDES-CBC",NID_pbeWithMD2AndDES_CBC,9,
+        &(lvalues[65]),0},
+{"PBE-MD5-DES","pbeWithMD5AndDES-CBC",NID_pbeWithMD5AndDES_CBC,9,
+        &(lvalues[74]),0},
+{"X500","directory services (X.500)",NID_X500,1,&(lvalues[83]),0},
+{"X509","X509",NID_X509,2,&(lvalues[84]),0},
+{"CN","commonName",NID_commonName,3,&(lvalues[86]),0},
+{"C","countryName",NID_countryName,3,&(lvalues[89]),0},
+{"L","localityName",NID_localityName,3,&(lvalues[92]),0},
+{"ST","stateOrProvinceName",NID_stateOrProvinceName,3,&(lvalues[95]),0},
+{"O","organizationName",NID_organizationName,3,&(lvalues[98]),0},
+{"OU","organizationalUnitName",NID_organizationalUnitName,3,
+        &(lvalues[101]),0},
+{"RSA","rsa",NID_rsa,4,&(lvalues[104]),0},
+{"pkcs7","pkcs7",NID_pkcs7,8,&(lvalues[108]),0},
+{"pkcs7-data","pkcs7-data",NID_pkcs7_data,9,&(lvalues[116]),0},
+{"pkcs7-signedData","pkcs7-signedData",NID_pkcs7_signed,9,
+        &(lvalues[125]),0},
+{"pkcs7-envelopedData","pkcs7-envelopedData",NID_pkcs7_enveloped,9,
+        &(lvalues[134]),0},
+{"pkcs7-signedAndEnvelopedData","pkcs7-signedAndEnvelopedData",
+        NID_pkcs7_signedAndEnveloped,9,&(lvalues[143]),0},
+{"pkcs7-digestData","pkcs7-digestData",NID_pkcs7_digest,9,
+        &(lvalues[152]),0},
+{"pkcs7-encryptedData","pkcs7-encryptedData",NID_pkcs7_encrypted,9,
+        &(lvalues[161]),0},
+{"pkcs3","pkcs3",NID_pkcs3,8,&(lvalues[170]),0},
+{"dhKeyAgreement","dhKeyAgreement",NID_dhKeyAgreement,9,
+        &(lvalues[178]),0},
+{"DES-ECB","des-ecb",NID_des_ecb,5,&(lvalues[187]),0},
+{"DES-CFB","des-cfb",NID_des_cfb64,5,&(lvalues[192]),0},
+{"DES-CBC","des-cbc",NID_des_cbc,5,&(lvalues[197]),0},
+{"DES-EDE","des-ede",NID_des_ede_ecb,5,&(lvalues[202]),0},
+{"DES-EDE3","des-ede3",NID_des_ede3_ecb,0,NULL},
+{"IDEA-CBC","idea-cbc",NID_idea_cbc,11,&(lvalues[207]),0},
+{"IDEA-CFB","idea-cfb",NID_idea_cfb64,0,NULL},
+{"IDEA-ECB","idea-ecb",NID_idea_ecb,0,NULL},
+{"RC2-CBC","rc2-cbc",NID_rc2_cbc,8,&(lvalues[218]),0},
+{"RC2-ECB","rc2-ecb",NID_rc2_ecb,0,NULL},
+{"RC2-CFB","rc2-cfb",NID_rc2_cfb64,0,NULL},
+{"RC2-OFB","rc2-ofb",NID_rc2_ofb64,0,NULL},
+{"SHA","sha",NID_sha,5,&(lvalues[226]),0},
+{"RSA-SHA","shaWithRSAEncryption",NID_shaWithRSAEncryption,5,
+        &(lvalues[231]),0},
+{"DES-EDE-CBC","des-ede-cbc",NID_des_ede_cbc,0,NULL},
+{"DES-EDE3-CBC","des-ede3-cbc",NID_des_ede3_cbc,8,&(lvalues[236]),0},
+{"DES-OFB","des-ofb",NID_des_ofb64,5,&(lvalues[244]),0},
+{"IDEA-OFB","idea-ofb",NID_idea_ofb64,0,NULL},
+{"pkcs9","pkcs9",NID_pkcs9,8,&(lvalues[249]),0},
+{"emailAddress","emailAddress",NID_pkcs9_emailAddress,9,
+        &(lvalues[257]),0},
+{"unstructuredName","unstructuredName",NID_pkcs9_unstructuredName,9,
+        &(lvalues[266]),0},
+{"contentType","contentType",NID_pkcs9_contentType,9,&(lvalues[275]),0},
+{"messageDigest","messageDigest",NID_pkcs9_messageDigest,9,
+        &(lvalues[284]),0},
+{"signingTime","signingTime",NID_pkcs9_signingTime,9,&(lvalues[293]),0},
+{"countersignature","countersignature",NID_pkcs9_countersignature,9,
+        &(lvalues[302]),0},
+{"challengePassword","challengePassword",NID_pkcs9_challengePassword,
+        9,&(lvalues[311]),0},
+{"unstructuredAddress","unstructuredAddress",
+        NID_pkcs9_unstructuredAddress,9,&(lvalues[320]),0},
+{"extendedCertificateAttributes","extendedCertificateAttributes",
+        NID_pkcs9_extCertAttributes,9,&(lvalues[329]),0},
+{"Netscape","Netscape Communications Corp.",NID_netscape,7,
+        &(lvalues[338]),0},
+{"nsCertExt","Netscape Certificate Extension",
+        NID_netscape_cert_extension,8,&(lvalues[345]),0},
+{"nsDataType","Netscape Data Type",NID_netscape_data_type,8,
+        &(lvalues[353]),0},
+{"DES-EDE-CFB","des-ede-cfb",NID_des_ede_cfb64,0,NULL},
+{"DES-EDE3-CFB","des-ede3-cfb",NID_des_ede3_cfb64,0,NULL},
+{"DES-EDE-OFB","des-ede-ofb",NID_des_ede_ofb64,0,NULL},
+{"DES-EDE3-OFB","des-ede3-ofb",NID_des_ede3_ofb64,0,NULL},
+{"SHA1","sha1",NID_sha1,5,&(lvalues[361]),0},
+{"RSA-SHA1","sha1WithRSAEncryption",NID_sha1WithRSAEncryption,9,
+        &(lvalues[366]),0},
+{"DSA-SHA","dsaWithSHA",NID_dsaWithSHA,5,&(lvalues[375]),0},
+{"DSA-old","dsaEncryption-old",NID_dsa_2,5,&(lvalues[380]),0},
+{"PBE-SHA1-RC2-64","pbeWithSHA1AndRC2-CBC",NID_pbeWithSHA1AndRC2_CBC,
+        9,&(lvalues[385]),0},
+{"PBKDF2","PBKDF2",NID_id_pbkdf2,9,&(lvalues[394]),0},
+{"DSA-SHA1-old","dsaWithSHA1-old",NID_dsaWithSHA1_2,5,&(lvalues[403]),0},
+{"nsCertType","Netscape Cert Type",NID_netscape_cert_type,9,
+        &(lvalues[408]),0},
+{"nsBaseUrl","Netscape Base Url",NID_netscape_base_url,9,
+        &(lvalues[417]),0},
+{"nsRevocationUrl","Netscape Revocation Url",
+        NID_netscape_revocation_url,9,&(lvalues[426]),0},
+{"nsCaRevocationUrl","Netscape CA Revocation Url",
+        NID_netscape_ca_revocation_url,9,&(lvalues[435]),0},
+{"nsRenewalUrl","Netscape Renewal Url",NID_netscape_renewal_url,9,
+        &(lvalues[444]),0},
+{"nsCaPolicyUrl","Netscape CA Policy Url",NID_netscape_ca_policy_url,
+        9,&(lvalues[453]),0},
+{"nsSslServerName","Netscape SSL Server Name",
+        NID_netscape_ssl_server_name,9,&(lvalues[462]),0},
+{"nsComment","Netscape Comment",NID_netscape_comment,9,&(lvalues[471]),0},
+{"nsCertSequence","Netscape Certificate Sequence",
+        NID_netscape_cert_sequence,9,&(lvalues[480]),0},
+{"DESX-CBC","desx-cbc",NID_desx_cbc,0,NULL},
+{"id-ce","id-ce",NID_id_ce,2,&(lvalues[489]),0},
+{"subjectKeyIdentifier","X509v3 Subject Key Identifier",
+        NID_subject_key_identifier,3,&(lvalues[491]),0},
+{"keyUsage","X509v3 Key Usage",NID_key_usage,3,&(lvalues[494]),0},
+{"privateKeyUsagePeriod","X509v3 Private Key Usage Period",
+        NID_private_key_usage_period,3,&(lvalues[497]),0},
+{"subjectAltName","X509v3 Subject Alternative Name",
+        NID_subject_alt_name,3,&(lvalues[500]),0},
+{"issuerAltName","X509v3 Issuer Alternative Name",NID_issuer_alt_name,
+        3,&(lvalues[503]),0},
+{"basicConstraints","X509v3 Basic Constraints",NID_basic_constraints,
+        3,&(lvalues[506]),0},
+{"crlNumber","X509v3 CRL Number",NID_crl_number,3,&(lvalues[509]),0},
+{"certificatePolicies","X509v3 Certificate Policies",
+        NID_certificate_policies,3,&(lvalues[512]),0},
+{"authorityKeyIdentifier","X509v3 Authority Key Identifier",
+        NID_authority_key_identifier,3,&(lvalues[515]),0},
+{"BF-CBC","bf-cbc",NID_bf_cbc,9,&(lvalues[518]),0},
+{"BF-ECB","bf-ecb",NID_bf_ecb,0,NULL},
+{"BF-CFB","bf-cfb",NID_bf_cfb64,0,NULL},
+{"BF-OFB","bf-ofb",NID_bf_ofb64,0,NULL},
+{"MDC2","mdc2",NID_mdc2,4,&(lvalues[527]),0},
+{"RSA-MDC2","mdc2WithRSA",NID_mdc2WithRSA,4,&(lvalues[531]),0},
+{"RC4-40","rc4-40",NID_rc4_40,0,NULL},
+{"RC2-40-CBC","rc2-40-cbc",NID_rc2_40_cbc,0,NULL},
+{"gn","givenName",NID_givenName,3,&(lvalues[535]),0},
+{"SN","surname",NID_surname,3,&(lvalues[538]),0},
+{"initials","initials",NID_initials,3,&(lvalues[541]),0},
+{NULL,NULL,NID_undef,0,NULL},
+{"crlDistributionPoints","X509v3 CRL Distribution Points",
+        NID_crl_distribution_points,3,&(lvalues[544]),0},
+{"RSA-NP-MD5","md5WithRSA",NID_md5WithRSA,5,&(lvalues[547]),0},
+{"serialNumber","serialNumber",NID_serialNumber,3,&(lvalues[552]),0},
+{"title","title",NID_title,3,&(lvalues[555]),0},
+{"description","description",NID_description,3,&(lvalues[558]),0},
+{"CAST5-CBC","cast5-cbc",NID_cast5_cbc,9,&(lvalues[561]),0},
+{"CAST5-ECB","cast5-ecb",NID_cast5_ecb,0,NULL},
+{"CAST5-CFB","cast5-cfb",NID_cast5_cfb64,0,NULL},
+{"CAST5-OFB","cast5-ofb",NID_cast5_ofb64,0,NULL},
+{"pbeWithMD5AndCast5CBC","pbeWithMD5AndCast5CBC",
+        NID_pbeWithMD5AndCast5_CBC,9,&(lvalues[570]),0},
+{"DSA-SHA1","dsaWithSHA1",NID_dsaWithSHA1,7,&(lvalues[579]),0},
+{"MD5-SHA1","md5-sha1",NID_md5_sha1,0,NULL},
+{"RSA-SHA1-2","sha1WithRSA",NID_sha1WithRSA,5,&(lvalues[586]),0},
+{"DSA","dsaEncryption",NID_dsa,7,&(lvalues[591]),0},
+{"RIPEMD160","ripemd160",NID_ripemd160,5,&(lvalues[598]),0},
+{NULL,NULL,NID_undef,0,NULL},
+{"RSA-RIPEMD160","ripemd160WithRSA",NID_ripemd160WithRSA,6,
+        &(lvalues[603]),0},
+{"RC5-CBC","rc5-cbc",NID_rc5_cbc,8,&(lvalues[609]),0},
+{"RC5-ECB","rc5-ecb",NID_rc5_ecb,0,NULL},
+{"RC5-CFB","rc5-cfb",NID_rc5_cfb64,0,NULL},
+{"RC5-OFB","rc5-ofb",NID_rc5_ofb64,0,NULL},
+{"RLE","run length compression",NID_rle_compression,6,&(lvalues[617]),0},
+{"ZLIB","zlib compression",NID_zlib_compression,6,&(lvalues[623]),0},
+{"extendedKeyUsage","X509v3 Extended Key Usage",NID_ext_key_usage,3,
+        &(lvalues[629]),0},
+{"PKIX","PKIX",NID_id_pkix,6,&(lvalues[632]),0},
+{"id-kp","id-kp",NID_id_kp,7,&(lvalues[638]),0},
+{"serverAuth","TLS Web Server Authentication",NID_server_auth,8,
+        &(lvalues[645]),0},
+{"clientAuth","TLS Web Client Authentication",NID_client_auth,8,
+        &(lvalues[653]),0},
+{"codeSigning","Code Signing",NID_code_sign,8,&(lvalues[661]),0},
+{"emailProtection","E-mail Protection",NID_email_protect,8,
+        &(lvalues[669]),0},
+{"timeStamping","Time Stamping",NID_time_stamp,8,&(lvalues[677]),0},
+{"msCodeInd","Microsoft Individual Code Signing",NID_ms_code_ind,10,
+        &(lvalues[685]),0},
+{"msCodeCom","Microsoft Commercial Code Signing",NID_ms_code_com,10,
+        &(lvalues[695]),0},
+{"msCTLSign","Microsoft Trust List Signing",NID_ms_ctl_sign,10,
+        &(lvalues[705]),0},
+{"msSGC","Microsoft Server Gated Crypto",NID_ms_sgc,10,&(lvalues[715]),0},
+{"msEFS","Microsoft Encrypted File System",NID_ms_efs,10,
+        &(lvalues[725]),0},
+{"nsSGC","Netscape Server Gated Crypto",NID_ns_sgc,9,&(lvalues[735]),0},
+{"deltaCRL","X509v3 Delta CRL Indicator",NID_delta_crl,3,
+        &(lvalues[744]),0},
+{"CRLReason","X509v3 CRL Reason Code",NID_crl_reason,3,&(lvalues[747]),0},
+{"invalidityDate","Invalidity Date",NID_invalidity_date,3,
+        &(lvalues[750]),0},
+{"SXNetID","Strong Extranet ID",NID_sxnet,5,&(lvalues[753]),0},
+{"PBE-SHA1-RC4-128","pbeWithSHA1And128BitRC4",
+        NID_pbe_WithSHA1And128BitRC4,10,&(lvalues[758]),0},
+{"PBE-SHA1-RC4-40","pbeWithSHA1And40BitRC4",
+        NID_pbe_WithSHA1And40BitRC4,10,&(lvalues[768]),0},
+{"PBE-SHA1-3DES","pbeWithSHA1And3-KeyTripleDES-CBC",
+        NID_pbe_WithSHA1And3_Key_TripleDES_CBC,10,&(lvalues[778]),0},
+{"PBE-SHA1-2DES","pbeWithSHA1And2-KeyTripleDES-CBC",
+        NID_pbe_WithSHA1And2_Key_TripleDES_CBC,10,&(lvalues[788]),0},
+{"PBE-SHA1-RC2-128","pbeWithSHA1And128BitRC2-CBC",
+        NID_pbe_WithSHA1And128BitRC2_CBC,10,&(lvalues[798]),0},
+{"PBE-SHA1-RC2-40","pbeWithSHA1And40BitRC2-CBC",
+        NID_pbe_WithSHA1And40BitRC2_CBC,10,&(lvalues[808]),0},
+{"keyBag","keyBag",NID_keyBag,11,&(lvalues[818]),0},
+{"pkcs8ShroudedKeyBag","pkcs8ShroudedKeyBag",NID_pkcs8ShroudedKeyBag,
+        11,&(lvalues[829]),0},
+{"certBag","certBag",NID_certBag,11,&(lvalues[840]),0},
+{"crlBag","crlBag",NID_crlBag,11,&(lvalues[851]),0},
+{"secretBag","secretBag",NID_secretBag,11,&(lvalues[862]),0},
+{"safeContentsBag","safeContentsBag",NID_safeContentsBag,11,
+        &(lvalues[873]),0},
+{"friendlyName","friendlyName",NID_friendlyName,9,&(lvalues[884]),0},
+{"localKeyID","localKeyID",NID_localKeyID,9,&(lvalues[893]),0},
+{"x509Certificate","x509Certificate",NID_x509Certificate,10,
+        &(lvalues[902]),0},
+{"sdsiCertificate","sdsiCertificate",NID_sdsiCertificate,10,
+        &(lvalues[912]),0},
+{"x509Crl","x509Crl",NID_x509Crl,10,&(lvalues[922]),0},
+{"PBES2","PBES2",NID_pbes2,9,&(lvalues[932]),0},
+{"PBMAC1","PBMAC1",NID_pbmac1,9,&(lvalues[941]),0},
+{"hmacWithSHA1","hmacWithSHA1",NID_hmacWithSHA1,8,&(lvalues[950]),0},
+{"id-qt-cps","Policy Qualifier CPS",NID_id_qt_cps,8,&(lvalues[958]),0},
+{"id-qt-unotice","Policy Qualifier User Notice",NID_id_qt_unotice,8,
+        &(lvalues[966]),0},
+{"RC2-64-CBC","rc2-64-cbc",NID_rc2_64_cbc,0,NULL},
+{"SMIME-CAPS","S/MIME Capabilities",NID_SMIMECapabilities,9,
+        &(lvalues[974]),0},
+{"PBE-MD2-RC2-64","pbeWithMD2AndRC2-CBC",NID_pbeWithMD2AndRC2_CBC,9,
+        &(lvalues[983]),0},
+{"PBE-MD5-RC2-64","pbeWithMD5AndRC2-CBC",NID_pbeWithMD5AndRC2_CBC,9,
+        &(lvalues[992]),0},
+{"PBE-SHA1-DES","pbeWithSHA1AndDES-CBC",NID_pbeWithSHA1AndDES_CBC,9,
+        &(lvalues[1001]),0},
+{"msExtReq","Microsoft Extension Request",NID_ms_ext_req,10,
+        &(lvalues[1010]),0},
+{"extReq","Extension Request",NID_ext_req,9,&(lvalues[1020]),0},
+{"name","name",NID_name,3,&(lvalues[1029]),0},
+{"dnQualifier","dnQualifier",NID_dnQualifier,3,&(lvalues[1032]),0},
+{"id-pe","id-pe",NID_id_pe,7,&(lvalues[1035]),0},
+{"id-ad","id-ad",NID_id_ad,7,&(lvalues[1042]),0},
+{"authorityInfoAccess","Authority Information Access",NID_info_access,
+        8,&(lvalues[1049]),0},
+{"OCSP","OCSP",NID_ad_OCSP,8,&(lvalues[1057]),0},
+{"caIssuers","CA Issuers",NID_ad_ca_issuers,8,&(lvalues[1065]),0},
+{"OCSPSigning","OCSP Signing",NID_OCSP_sign,8,&(lvalues[1073]),0},
+{"ISO","iso",NID_iso,1,&(lvalues[1081]),0},
+{"member-body","ISO Member Body",NID_member_body,1,&(lvalues[1082]),0},
+{"ISO-US","ISO US Member Body",NID_ISO_US,3,&(lvalues[1083]),0},
+{"X9-57","X9.57",NID_X9_57,5,&(lvalues[1086]),0},
+{"X9cm","X9.57 CM ?",NID_X9cm,6,&(lvalues[1091]),0},
+{"pkcs1","pkcs1",NID_pkcs1,8,&(lvalues[1097]),0},
+{"pkcs5","pkcs5",NID_pkcs5,8,&(lvalues[1105]),0},
+{"SMIME","S/MIME",NID_SMIME,9,&(lvalues[1113]),0},
+{"id-smime-mod","id-smime-mod",NID_id_smime_mod,10,&(lvalues[1122]),0},
+{"id-smime-ct","id-smime-ct",NID_id_smime_ct,10,&(lvalues[1132]),0},
+{"id-smime-aa","id-smime-aa",NID_id_smime_aa,10,&(lvalues[1142]),0},
+{"id-smime-alg","id-smime-alg",NID_id_smime_alg,10,&(lvalues[1152]),0},
+{"id-smime-cd","id-smime-cd",NID_id_smime_cd,10,&(lvalues[1162]),0},
+{"id-smime-spq","id-smime-spq",NID_id_smime_spq,10,&(lvalues[1172]),0},
+{"id-smime-cti","id-smime-cti",NID_id_smime_cti,10,&(lvalues[1182]),0},
+{"id-smime-mod-cms","id-smime-mod-cms",NID_id_smime_mod_cms,11,
+        &(lvalues[1192]),0},
+{"id-smime-mod-ess","id-smime-mod-ess",NID_id_smime_mod_ess,11,
+        &(lvalues[1203]),0},
+{"id-smime-mod-oid","id-smime-mod-oid",NID_id_smime_mod_oid,11,
+        &(lvalues[1214]),0},
+{"id-smime-mod-msg-v3","id-smime-mod-msg-v3",NID_id_smime_mod_msg_v3,
+        11,&(lvalues[1225]),0},
+{"id-smime-mod-ets-eSignature-88","id-smime-mod-ets-eSignature-88",
+        NID_id_smime_mod_ets_eSignature_88,11,&(lvalues[1236]),0},
+{"id-smime-mod-ets-eSignature-97","id-smime-mod-ets-eSignature-97",
+        NID_id_smime_mod_ets_eSignature_97,11,&(lvalues[1247]),0},
+{"id-smime-mod-ets-eSigPolicy-88","id-smime-mod-ets-eSigPolicy-88",
+        NID_id_smime_mod_ets_eSigPolicy_88,11,&(lvalues[1258]),0},
+{"id-smime-mod-ets-eSigPolicy-97","id-smime-mod-ets-eSigPolicy-97",
+        NID_id_smime_mod_ets_eSigPolicy_97,11,&(lvalues[1269]),0},
+{"id-smime-ct-receipt","id-smime-ct-receipt",NID_id_smime_ct_receipt,
+        11,&(lvalues[1280]),0},
+{"id-smime-ct-authData","id-smime-ct-authData",
+        NID_id_smime_ct_authData,11,&(lvalues[1291]),0},
+{"id-smime-ct-publishCert","id-smime-ct-publishCert",
+        NID_id_smime_ct_publishCert,11,&(lvalues[1302]),0},
+{"id-smime-ct-TSTInfo","id-smime-ct-TSTInfo",NID_id_smime_ct_TSTInfo,
+        11,&(lvalues[1313]),0},
+{"id-smime-ct-TDTInfo","id-smime-ct-TDTInfo",NID_id_smime_ct_TDTInfo,
+        11,&(lvalues[1324]),0},
+{"id-smime-ct-contentInfo","id-smime-ct-contentInfo",
+        NID_id_smime_ct_contentInfo,11,&(lvalues[1335]),0},
+{"id-smime-ct-DVCSRequestData","id-smime-ct-DVCSRequestData",
+        NID_id_smime_ct_DVCSRequestData,11,&(lvalues[1346]),0},
+{"id-smime-ct-DVCSResponseData","id-smime-ct-DVCSResponseData",
+        NID_id_smime_ct_DVCSResponseData,11,&(lvalues[1357]),0},
+{"id-smime-aa-receiptRequest","id-smime-aa-receiptRequest",
+        NID_id_smime_aa_receiptRequest,11,&(lvalues[1368]),0},
+{"id-smime-aa-securityLabel","id-smime-aa-securityLabel",
+        NID_id_smime_aa_securityLabel,11,&(lvalues[1379]),0},
+{"id-smime-aa-mlExpandHistory","id-smime-aa-mlExpandHistory",
+        NID_id_smime_aa_mlExpandHistory,11,&(lvalues[1390]),0},
+{"id-smime-aa-contentHint","id-smime-aa-contentHint",
+        NID_id_smime_aa_contentHint,11,&(lvalues[1401]),0},
+{"id-smime-aa-msgSigDigest","id-smime-aa-msgSigDigest",
+        NID_id_smime_aa_msgSigDigest,11,&(lvalues[1412]),0},
+{"id-smime-aa-encapContentType","id-smime-aa-encapContentType",
+        NID_id_smime_aa_encapContentType,11,&(lvalues[1423]),0},
+{"id-smime-aa-contentIdentifier","id-smime-aa-contentIdentifier",
+        NID_id_smime_aa_contentIdentifier,11,&(lvalues[1434]),0},
+{"id-smime-aa-macValue","id-smime-aa-macValue",
+        NID_id_smime_aa_macValue,11,&(lvalues[1445]),0},
+{"id-smime-aa-equivalentLabels","id-smime-aa-equivalentLabels",
+        NID_id_smime_aa_equivalentLabels,11,&(lvalues[1456]),0},
+{"id-smime-aa-contentReference","id-smime-aa-contentReference",
+        NID_id_smime_aa_contentReference,11,&(lvalues[1467]),0},
+{"id-smime-aa-encrypKeyPref","id-smime-aa-encrypKeyPref",
+        NID_id_smime_aa_encrypKeyPref,11,&(lvalues[1478]),0},
+{"id-smime-aa-signingCertificate","id-smime-aa-signingCertificate",
+        NID_id_smime_aa_signingCertificate,11,&(lvalues[1489]),0},
+{"id-smime-aa-smimeEncryptCerts","id-smime-aa-smimeEncryptCerts",
+        NID_id_smime_aa_smimeEncryptCerts,11,&(lvalues[1500]),0},
+{"id-smime-aa-timeStampToken","id-smime-aa-timeStampToken",
+        NID_id_smime_aa_timeStampToken,11,&(lvalues[1511]),0},
+{"id-smime-aa-ets-sigPolicyId","id-smime-aa-ets-sigPolicyId",
+        NID_id_smime_aa_ets_sigPolicyId,11,&(lvalues[1522]),0},
+{"id-smime-aa-ets-commitmentType","id-smime-aa-ets-commitmentType",
+        NID_id_smime_aa_ets_commitmentType,11,&(lvalues[1533]),0},
+{"id-smime-aa-ets-signerLocation","id-smime-aa-ets-signerLocation",
+        NID_id_smime_aa_ets_signerLocation,11,&(lvalues[1544]),0},
+{"id-smime-aa-ets-signerAttr","id-smime-aa-ets-signerAttr",
+        NID_id_smime_aa_ets_signerAttr,11,&(lvalues[1555]),0},
+{"id-smime-aa-ets-otherSigCert","id-smime-aa-ets-otherSigCert",
+        NID_id_smime_aa_ets_otherSigCert,11,&(lvalues[1566]),0},
+{"id-smime-aa-ets-contentTimestamp",
+        "id-smime-aa-ets-contentTimestamp",
+        NID_id_smime_aa_ets_contentTimestamp,11,&(lvalues[1577]),0},
+{"id-smime-aa-ets-CertificateRefs","id-smime-aa-ets-CertificateRefs",
+        NID_id_smime_aa_ets_CertificateRefs,11,&(lvalues[1588]),0},
+{"id-smime-aa-ets-RevocationRefs","id-smime-aa-ets-RevocationRefs",
+        NID_id_smime_aa_ets_RevocationRefs,11,&(lvalues[1599]),0},
+{"id-smime-aa-ets-certValues","id-smime-aa-ets-certValues",
+        NID_id_smime_aa_ets_certValues,11,&(lvalues[1610]),0},
+{"id-smime-aa-ets-revocationValues",
+        "id-smime-aa-ets-revocationValues",
+        NID_id_smime_aa_ets_revocationValues,11,&(lvalues[1621]),0},
+{"id-smime-aa-ets-escTimeStamp","id-smime-aa-ets-escTimeStamp",
+        NID_id_smime_aa_ets_escTimeStamp,11,&(lvalues[1632]),0},
+{"id-smime-aa-ets-certCRLTimestamp",
+        "id-smime-aa-ets-certCRLTimestamp",
+        NID_id_smime_aa_ets_certCRLTimestamp,11,&(lvalues[1643]),0},
+{"id-smime-aa-ets-archiveTimeStamp",
+        "id-smime-aa-ets-archiveTimeStamp",
+        NID_id_smime_aa_ets_archiveTimeStamp,11,&(lvalues[1654]),0},
+{"id-smime-aa-signatureType","id-smime-aa-signatureType",
+        NID_id_smime_aa_signatureType,11,&(lvalues[1665]),0},
+{"id-smime-aa-dvcs-dvc","id-smime-aa-dvcs-dvc",
+        NID_id_smime_aa_dvcs_dvc,11,&(lvalues[1676]),0},
+{"id-smime-alg-ESDHwith3DES","id-smime-alg-ESDHwith3DES",
+        NID_id_smime_alg_ESDHwith3DES,11,&(lvalues[1687]),0},
+{"id-smime-alg-ESDHwithRC2","id-smime-alg-ESDHwithRC2",
+        NID_id_smime_alg_ESDHwithRC2,11,&(lvalues[1698]),0},
+{"id-smime-alg-3DESwrap","id-smime-alg-3DESwrap",
+        NID_id_smime_alg_3DESwrap,11,&(lvalues[1709]),0},
+{"id-smime-alg-RC2wrap","id-smime-alg-RC2wrap",
+        NID_id_smime_alg_RC2wrap,11,&(lvalues[1720]),0},
+{"id-smime-alg-ESDH","id-smime-alg-ESDH",NID_id_smime_alg_ESDH,11,
+        &(lvalues[1731]),0},
+{"id-smime-alg-CMS3DESwrap","id-smime-alg-CMS3DESwrap",
+        NID_id_smime_alg_CMS3DESwrap,11,&(lvalues[1742]),0},
+{"id-smime-alg-CMSRC2wrap","id-smime-alg-CMSRC2wrap",
+        NID_id_smime_alg_CMSRC2wrap,11,&(lvalues[1753]),0},
+{"id-smime-cd-ldap","id-smime-cd-ldap",NID_id_smime_cd_ldap,11,
+        &(lvalues[1764]),0},
+{"id-smime-spq-ets-sqt-uri","id-smime-spq-ets-sqt-uri",
+        NID_id_smime_spq_ets_sqt_uri,11,&(lvalues[1775]),0},
+{"id-smime-spq-ets-sqt-unotice","id-smime-spq-ets-sqt-unotice",
+        NID_id_smime_spq_ets_sqt_unotice,11,&(lvalues[1786]),0},
+{"id-smime-cti-ets-proofOfOrigin","id-smime-cti-ets-proofOfOrigin",
+        NID_id_smime_cti_ets_proofOfOrigin,11,&(lvalues[1797]),0},
+{"id-smime-cti-ets-proofOfReceipt","id-smime-cti-ets-proofOfReceipt",
+        NID_id_smime_cti_ets_proofOfReceipt,11,&(lvalues[1808]),0},
+{"id-smime-cti-ets-proofOfDelivery",
+        "id-smime-cti-ets-proofOfDelivery",
+        NID_id_smime_cti_ets_proofOfDelivery,11,&(lvalues[1819]),0},
+{"id-smime-cti-ets-proofOfSender","id-smime-cti-ets-proofOfSender",
+        NID_id_smime_cti_ets_proofOfSender,11,&(lvalues[1830]),0},
+{"id-smime-cti-ets-proofOfApproval",
+        "id-smime-cti-ets-proofOfApproval",
+        NID_id_smime_cti_ets_proofOfApproval,11,&(lvalues[1841]),0},
+{"id-smime-cti-ets-proofOfCreation",
+        "id-smime-cti-ets-proofOfCreation",
+        NID_id_smime_cti_ets_proofOfCreation,11,&(lvalues[1852]),0},
+{"MD4","md4",NID_md4,8,&(lvalues[1863]),0},
+{"id-pkix-mod","id-pkix-mod",NID_id_pkix_mod,7,&(lvalues[1871]),0},
+{"id-qt","id-qt",NID_id_qt,7,&(lvalues[1878]),0},
+{"id-it","id-it",NID_id_it,7,&(lvalues[1885]),0},
+{"id-pkip","id-pkip",NID_id_pkip,7,&(lvalues[1892]),0},
+{"id-alg","id-alg",NID_id_alg,7,&(lvalues[1899]),0},
+{"id-cmc","id-cmc",NID_id_cmc,7,&(lvalues[1906]),0},
+{"id-on","id-on",NID_id_on,7,&(lvalues[1913]),0},
+{"id-pda","id-pda",NID_id_pda,7,&(lvalues[1920]),0},
+{"id-aca","id-aca",NID_id_aca,7,&(lvalues[1927]),0},
+{"id-qcs","id-qcs",NID_id_qcs,7,&(lvalues[1934]),0},
+{"id-cct","id-cct",NID_id_cct,7,&(lvalues[1941]),0},
+{"id-pkix1-explicit-88","id-pkix1-explicit-88",
+        NID_id_pkix1_explicit_88,8,&(lvalues[1948]),0},
+{"id-pkix1-implicit-88","id-pkix1-implicit-88",
+        NID_id_pkix1_implicit_88,8,&(lvalues[1956]),0},
+{"id-pkix1-explicit-93","id-pkix1-explicit-93",
+        NID_id_pkix1_explicit_93,8,&(lvalues[1964]),0},
+{"id-pkix1-implicit-93","id-pkix1-implicit-93",
+        NID_id_pkix1_implicit_93,8,&(lvalues[1972]),0},
+{"id-mod-crmf","id-mod-crmf",NID_id_mod_crmf,8,&(lvalues[1980]),0},
+{"id-mod-cmc","id-mod-cmc",NID_id_mod_cmc,8,&(lvalues[1988]),0},
+{"id-mod-kea-profile-88","id-mod-kea-profile-88",
+        NID_id_mod_kea_profile_88,8,&(lvalues[1996]),0},
+{"id-mod-kea-profile-93","id-mod-kea-profile-93",
+        NID_id_mod_kea_profile_93,8,&(lvalues[2004]),0},
+{"id-mod-cmp","id-mod-cmp",NID_id_mod_cmp,8,&(lvalues[2012]),0},
+{"id-mod-qualified-cert-88","id-mod-qualified-cert-88",
+        NID_id_mod_qualified_cert_88,8,&(lvalues[2020]),0},
+{"id-mod-qualified-cert-93","id-mod-qualified-cert-93",
+        NID_id_mod_qualified_cert_93,8,&(lvalues[2028]),0},
+{"id-mod-attribute-cert","id-mod-attribute-cert",
+        NID_id_mod_attribute_cert,8,&(lvalues[2036]),0},
+{"id-mod-timestamp-protocol","id-mod-timestamp-protocol",
+        NID_id_mod_timestamp_protocol,8,&(lvalues[2044]),0},
+{"id-mod-ocsp","id-mod-ocsp",NID_id_mod_ocsp,8,&(lvalues[2052]),0},
+{"id-mod-dvcs","id-mod-dvcs",NID_id_mod_dvcs,8,&(lvalues[2060]),0},
+{"id-mod-cmp2000","id-mod-cmp2000",NID_id_mod_cmp2000,8,
+        &(lvalues[2068]),0},
+{"biometricInfo","Biometric Info",NID_biometricInfo,8,&(lvalues[2076]),0},
+{"qcStatements","qcStatements",NID_qcStatements,8,&(lvalues[2084]),0},
+{"ac-auditEntity","ac-auditEntity",NID_ac_auditEntity,8,
+        &(lvalues[2092]),0},
+{"ac-targeting","ac-targeting",NID_ac_targeting,8,&(lvalues[2100]),0},
+{"aaControls","aaControls",NID_aaControls,8,&(lvalues[2108]),0},
+{"sbqp-ipAddrBlock","sbqp-ipAddrBlock",NID_sbqp_ipAddrBlock,8,
+        &(lvalues[2116]),0},
+{"sbqp-autonomousSysNum","sbqp-autonomousSysNum",
+        NID_sbqp_autonomousSysNum,8,&(lvalues[2124]),0},
+{"sbqp-routerIdentifier","sbqp-routerIdentifier",
+        NID_sbqp_routerIdentifier,8,&(lvalues[2132]),0},
+{"textNotice","textNotice",NID_textNotice,8,&(lvalues[2140]),0},
+{"ipsecEndSystem","IPSec End System",NID_ipsecEndSystem,8,
+        &(lvalues[2148]),0},
+{"ipsecTunnel","IPSec Tunnel",NID_ipsecTunnel,8,&(lvalues[2156]),0},
+{"ipsecUser","IPSec User",NID_ipsecUser,8,&(lvalues[2164]),0},
+{"DVCS","dvcs",NID_dvcs,8,&(lvalues[2172]),0},
+{"id-it-caProtEncCert","id-it-caProtEncCert",NID_id_it_caProtEncCert,
+        8,&(lvalues[2180]),0},
+{"id-it-signKeyPairTypes","id-it-signKeyPairTypes",
+        NID_id_it_signKeyPairTypes,8,&(lvalues[2188]),0},
+{"id-it-encKeyPairTypes","id-it-encKeyPairTypes",
+        NID_id_it_encKeyPairTypes,8,&(lvalues[2196]),0},
+{"id-it-preferredSymmAlg","id-it-preferredSymmAlg",
+        NID_id_it_preferredSymmAlg,8,&(lvalues[2204]),0},
+{"id-it-caKeyUpdateInfo","id-it-caKeyUpdateInfo",
+        NID_id_it_caKeyUpdateInfo,8,&(lvalues[2212]),0},
+{"id-it-currentCRL","id-it-currentCRL",NID_id_it_currentCRL,8,
+        &(lvalues[2220]),0},
+{"id-it-unsupportedOIDs","id-it-unsupportedOIDs",
+        NID_id_it_unsupportedOIDs,8,&(lvalues[2228]),0},
+{"id-it-subscriptionRequest","id-it-subscriptionRequest",
+        NID_id_it_subscriptionRequest,8,&(lvalues[2236]),0},
+{"id-it-subscriptionResponse","id-it-subscriptionResponse",
+        NID_id_it_subscriptionResponse,8,&(lvalues[2244]),0},
+{"id-it-keyPairParamReq","id-it-keyPairParamReq",
+        NID_id_it_keyPairParamReq,8,&(lvalues[2252]),0},
+{"id-it-keyPairParamRep","id-it-keyPairParamRep",
+        NID_id_it_keyPairParamRep,8,&(lvalues[2260]),0},
+{"id-it-revPassphrase","id-it-revPassphrase",NID_id_it_revPassphrase,
+        8,&(lvalues[2268]),0},
+{"id-it-implicitConfirm","id-it-implicitConfirm",
+        NID_id_it_implicitConfirm,8,&(lvalues[2276]),0},
+{"id-it-confirmWaitTime","id-it-confirmWaitTime",
+        NID_id_it_confirmWaitTime,8,&(lvalues[2284]),0},
+{"id-it-origPKIMessage","id-it-origPKIMessage",
+        NID_id_it_origPKIMessage,8,&(lvalues[2292]),0},
+{"id-regCtrl","id-regCtrl",NID_id_regCtrl,8,&(lvalues[2300]),0},
+{"id-regInfo","id-regInfo",NID_id_regInfo,8,&(lvalues[2308]),0},
+{"id-regCtrl-regToken","id-regCtrl-regToken",NID_id_regCtrl_regToken,
+        9,&(lvalues[2316]),0},
+{"id-regCtrl-authenticator","id-regCtrl-authenticator",
+        NID_id_regCtrl_authenticator,9,&(lvalues[2325]),0},
+{"id-regCtrl-pkiPublicationInfo","id-regCtrl-pkiPublicationInfo",
+        NID_id_regCtrl_pkiPublicationInfo,9,&(lvalues[2334]),0},
+{"id-regCtrl-pkiArchiveOptions","id-regCtrl-pkiArchiveOptions",
+        NID_id_regCtrl_pkiArchiveOptions,9,&(lvalues[2343]),0},
+{"id-regCtrl-oldCertID","id-regCtrl-oldCertID",
+        NID_id_regCtrl_oldCertID,9,&(lvalues[2352]),0},
+{"id-regCtrl-protocolEncrKey","id-regCtrl-protocolEncrKey",
+        NID_id_regCtrl_protocolEncrKey,9,&(lvalues[2361]),0},
+{"id-regInfo-utf8Pairs","id-regInfo-utf8Pairs",
+        NID_id_regInfo_utf8Pairs,9,&(lvalues[2370]),0},
+{"id-regInfo-certReq","id-regInfo-certReq",NID_id_regInfo_certReq,9,
+        &(lvalues[2379]),0},
+{"id-alg-des40","id-alg-des40",NID_id_alg_des40,8,&(lvalues[2388]),0},
+{"id-alg-noSignature","id-alg-noSignature",NID_id_alg_noSignature,8,
+        &(lvalues[2396]),0},
+{"id-alg-dh-sig-hmac-sha1","id-alg-dh-sig-hmac-sha1",
+        NID_id_alg_dh_sig_hmac_sha1,8,&(lvalues[2404]),0},
+{"id-alg-dh-pop","id-alg-dh-pop",NID_id_alg_dh_pop,8,&(lvalues[2412]),0},
+{"id-cmc-statusInfo","id-cmc-statusInfo",NID_id_cmc_statusInfo,8,
+        &(lvalues[2420]),0},
+{"id-cmc-identification","id-cmc-identification",
+        NID_id_cmc_identification,8,&(lvalues[2428]),0},
+{"id-cmc-identityProof","id-cmc-identityProof",
+        NID_id_cmc_identityProof,8,&(lvalues[2436]),0},
+{"id-cmc-dataReturn","id-cmc-dataReturn",NID_id_cmc_dataReturn,8,
+        &(lvalues[2444]),0},
+{"id-cmc-transactionId","id-cmc-transactionId",
+        NID_id_cmc_transactionId,8,&(lvalues[2452]),0},
+{"id-cmc-senderNonce","id-cmc-senderNonce",NID_id_cmc_senderNonce,8,
+        &(lvalues[2460]),0},
+{"id-cmc-recipientNonce","id-cmc-recipientNonce",
+        NID_id_cmc_recipientNonce,8,&(lvalues[2468]),0},
+{"id-cmc-addExtensions","id-cmc-addExtensions",
+        NID_id_cmc_addExtensions,8,&(lvalues[2476]),0},
+{"id-cmc-encryptedPOP","id-cmc-encryptedPOP",NID_id_cmc_encryptedPOP,
+        8,&(lvalues[2484]),0},
+{"id-cmc-decryptedPOP","id-cmc-decryptedPOP",NID_id_cmc_decryptedPOP,
+        8,&(lvalues[2492]),0},
+{"id-cmc-lraPOPWitness","id-cmc-lraPOPWitness",
+        NID_id_cmc_lraPOPWitness,8,&(lvalues[2500]),0},
+{"id-cmc-getCert","id-cmc-getCert",NID_id_cmc_getCert,8,
+        &(lvalues[2508]),0},
+{"id-cmc-getCRL","id-cmc-getCRL",NID_id_cmc_getCRL,8,&(lvalues[2516]),0},
+{"id-cmc-revokeRequest","id-cmc-revokeRequest",
+        NID_id_cmc_revokeRequest,8,&(lvalues[2524]),0},
+{"id-cmc-regInfo","id-cmc-regInfo",NID_id_cmc_regInfo,8,
+        &(lvalues[2532]),0},
+{"id-cmc-responseInfo","id-cmc-responseInfo",NID_id_cmc_responseInfo,
+        8,&(lvalues[2540]),0},
+{"id-cmc-queryPending","id-cmc-queryPending",NID_id_cmc_queryPending,
+        8,&(lvalues[2548]),0},
+{"id-cmc-popLinkRandom","id-cmc-popLinkRandom",
+        NID_id_cmc_popLinkRandom,8,&(lvalues[2556]),0},
+{"id-cmc-popLinkWitness","id-cmc-popLinkWitness",
+        NID_id_cmc_popLinkWitness,8,&(lvalues[2564]),0},
+{"id-cmc-confirmCertAcceptance","id-cmc-confirmCertAcceptance",
+        NID_id_cmc_confirmCertAcceptance,8,&(lvalues[2572]),0},
+{"id-on-personalData","id-on-personalData",NID_id_on_personalData,8,
+        &(lvalues[2580]),0},
+{"id-pda-dateOfBirth","id-pda-dateOfBirth",NID_id_pda_dateOfBirth,8,
+        &(lvalues[2588]),0},
+{"id-pda-placeOfBirth","id-pda-placeOfBirth",NID_id_pda_placeOfBirth,
+        8,&(lvalues[2596]),0},
+{NULL,NULL,NID_undef,0,NULL},
+{"id-pda-gender","id-pda-gender",NID_id_pda_gender,8,&(lvalues[2604]),0},
+{"id-pda-countryOfCitizenship","id-pda-countryOfCitizenship",
+        NID_id_pda_countryOfCitizenship,8,&(lvalues[2612]),0},
+{"id-pda-countryOfResidence","id-pda-countryOfResidence",
+        NID_id_pda_countryOfResidence,8,&(lvalues[2620]),0},
+{"id-aca-authenticationInfo","id-aca-authenticationInfo",
+        NID_id_aca_authenticationInfo,8,&(lvalues[2628]),0},
+{"id-aca-accessIdentity","id-aca-accessIdentity",
+        NID_id_aca_accessIdentity,8,&(lvalues[2636]),0},
+{"id-aca-chargingIdentity","id-aca-chargingIdentity",
+        NID_id_aca_chargingIdentity,8,&(lvalues[2644]),0},
+{"id-aca-group","id-aca-group",NID_id_aca_group,8,&(lvalues[2652]),0},
+{"id-aca-role","id-aca-role",NID_id_aca_role,8,&(lvalues[2660]),0},
+{"id-qcs-pkixQCSyntax-v1","id-qcs-pkixQCSyntax-v1",
+        NID_id_qcs_pkixQCSyntax_v1,8,&(lvalues[2668]),0},
+{"id-cct-crs","id-cct-crs",NID_id_cct_crs,8,&(lvalues[2676]),0},
+{"id-cct-PKIData","id-cct-PKIData",NID_id_cct_PKIData,8,
+        &(lvalues[2684]),0},
+{"id-cct-PKIResponse","id-cct-PKIResponse",NID_id_cct_PKIResponse,8,
+        &(lvalues[2692]),0},
+{"ad_timestamping","AD Time Stamping",NID_ad_timeStamping,8,
+        &(lvalues[2700]),0},
+{"AD_DVCS","ad dvcs",NID_ad_dvcs,8,&(lvalues[2708]),0},
+{"basicOCSPResponse","Basic OCSP Response",NID_id_pkix_OCSP_basic,9,
+        &(lvalues[2716]),0},
+{"Nonce","OCSP Nonce",NID_id_pkix_OCSP_Nonce,9,&(lvalues[2725]),0},
+{"CrlID","OCSP CRL ID",NID_id_pkix_OCSP_CrlID,9,&(lvalues[2734]),0},
+{"acceptableResponses","Acceptable OCSP Responses",
+        NID_id_pkix_OCSP_acceptableResponses,9,&(lvalues[2743]),0},
+{"noCheck","OCSP No Check",NID_id_pkix_OCSP_noCheck,9,&(lvalues[2752]),0},
+{"archiveCutoff","OCSP Archive Cutoff",NID_id_pkix_OCSP_archiveCutoff,
+        9,&(lvalues[2761]),0},
+{"serviceLocator","OCSP Service Locator",
+        NID_id_pkix_OCSP_serviceLocator,9,&(lvalues[2770]),0},
+{"extendedStatus","Extended OCSP Status",
+        NID_id_pkix_OCSP_extendedStatus,9,&(lvalues[2779]),0},
+{"valid","valid",NID_id_pkix_OCSP_valid,9,&(lvalues[2788]),0},
+{"path","path",NID_id_pkix_OCSP_path,9,&(lvalues[2797]),0},
+{"trustRoot","Trust Root",NID_id_pkix_OCSP_trustRoot,9,
+        &(lvalues[2806]),0},
+{"algorithm","algorithm",NID_algorithm,4,&(lvalues[2815]),0},
+{"rsaSignature","rsaSignature",NID_rsaSignature,5,&(lvalues[2819]),0},
+{"X500algorithms","directory services - algorithms",
+        NID_X500algorithms,2,&(lvalues[2824]),0},
+{"ORG","org",NID_org,1,&(lvalues[2826]),0},
+{"DOD","dod",NID_dod,2,&(lvalues[2827]),0},
+{"IANA","iana",NID_iana,3,&(lvalues[2829]),0},
+{"directory","Directory",NID_Directory,4,&(lvalues[2832]),0},
+{"mgmt","Management",NID_Management,4,&(lvalues[2836]),0},
+{"experimental","Experimental",NID_Experimental,4,&(lvalues[2840]),0},
+{"private","Private",NID_Private,4,&(lvalues[2844]),0},
+{"security","Security",NID_Security,4,&(lvalues[2848]),0},
+{"snmpv2","SNMPv2",NID_SNMPv2,4,&(lvalues[2852]),0},
+{"Mail","Mail",NID_Mail,4,&(lvalues[2856]),0},
+{"enterprises","Enterprises",NID_Enterprises,5,&(lvalues[2860]),0},
+{"dcobject","dcObject",NID_dcObject,9,&(lvalues[2865]),0},
+{"DC","domainComponent",NID_domainComponent,10,&(lvalues[2874]),0},
+{"domain","Domain",NID_Domain,10,&(lvalues[2884]),0},
+{"JOINT-ISO-CCITT","joint-iso-ccitt",NID_joint_iso_ccitt,1,
+        &(lvalues[2894]),0},
+{"selected-attribute-types","Selected Attribute Types",
+        NID_selected_attribute_types,3,&(lvalues[2895]),0},
+{"clearance","clearance",NID_clearance,4,&(lvalues[2898]),0},
+{"RSA-MD4","md4WithRSAEncryption",NID_md4WithRSAEncryption,9,
+        &(lvalues[2902]),0},
+{"ac-proxying","ac-proxying",NID_ac_proxying,8,&(lvalues[2911]),0},
+{"subjectInfoAccess","Subject Information Access",NID_sinfo_access,8,
+        &(lvalues[2919]),0},
+{"id-aca-encAttrs","id-aca-encAttrs",NID_id_aca_encAttrs,8,
+        &(lvalues[2927]),0},
+{"role","role",NID_role,3,&(lvalues[2935]),0},
+{"policyConstraints","X509v3 Policy Constraints",
+        NID_policy_constraints,3,&(lvalues[2938]),0},
+{"targetInformation","X509v3 AC Targeting",NID_target_information,3,
+        &(lvalues[2941]),0},
+{"noRevAvail","X509v3 No Revocation Available",NID_no_rev_avail,3,
+        &(lvalues[2944]),0},
+{"CCITT","ccitt",NID_ccitt,1,&(lvalues[2947]),0},
+{"ansi-X9-62","ANSI X9.62",NID_ansi_X9_62,5,&(lvalues[2948]),0},
+{"prime-field","prime-field",NID_X9_62_prime_field,7,&(lvalues[2953]),0},
+{"characteristic-two-field","characteristic-two-field",
+        NID_X9_62_characteristic_two_field,7,&(lvalues[2960]),0},
+{"id-ecPublicKey","id-ecPublicKey",NID_X9_62_id_ecPublicKey,7,
+        &(lvalues[2967]),0},
+{"prime192v1","prime192v1",NID_X9_62_prime192v1,8,&(lvalues[2974]),0},
+{"prime192v2","prime192v2",NID_X9_62_prime192v2,8,&(lvalues[2982]),0},
+{"prime192v3","prime192v3",NID_X9_62_prime192v3,8,&(lvalues[2990]),0},
+{"prime239v1","prime239v1",NID_X9_62_prime239v1,8,&(lvalues[2998]),0},
+{"prime239v2","prime239v2",NID_X9_62_prime239v2,8,&(lvalues[3006]),0},
+{"prime239v3","prime239v3",NID_X9_62_prime239v3,8,&(lvalues[3014]),0},
+{"prime256v1","prime256v1",NID_X9_62_prime256v1,8,&(lvalues[3022]),0},
+{"ecdsa-with-SHA1","ecdsa-with-SHA1",NID_ecdsa_with_SHA1,7,
+        &(lvalues[3030]),0},
+{"CSPName","Microsoft CSP Name",NID_ms_csp_name,9,&(lvalues[3037]),0},
+{"AES-128-ECB","aes-128-ecb",NID_aes_128_ecb,9,&(lvalues[3046]),0},
+{"AES-128-CBC","aes-128-cbc",NID_aes_128_cbc,9,&(lvalues[3055]),0},
+{"AES-128-OFB","aes-128-ofb",NID_aes_128_ofb128,9,&(lvalues[3064]),0},
+{"AES-128-CFB","aes-128-cfb",NID_aes_128_cfb128,9,&(lvalues[3073]),0},
+{"AES-192-ECB","aes-192-ecb",NID_aes_192_ecb,9,&(lvalues[3082]),0},
+{"AES-192-CBC","aes-192-cbc",NID_aes_192_cbc,9,&(lvalues[3091]),0},
+{"AES-192-OFB","aes-192-ofb",NID_aes_192_ofb128,9,&(lvalues[3100]),0},
+{"AES-192-CFB","aes-192-cfb",NID_aes_192_cfb128,9,&(lvalues[3109]),0},
+{"AES-256-ECB","aes-256-ecb",NID_aes_256_ecb,9,&(lvalues[3118]),0},
+{"AES-256-CBC","aes-256-cbc",NID_aes_256_cbc,9,&(lvalues[3127]),0},
+{"AES-256-OFB","aes-256-ofb",NID_aes_256_ofb128,9,&(lvalues[3136]),0},
+{"AES-256-CFB","aes-256-cfb",NID_aes_256_cfb128,9,&(lvalues[3145]),0},
+{"holdInstructionCode","Hold Instruction Code",
+        NID_hold_instruction_code,3,&(lvalues[3154]),0},
+{"holdInstructionNone","Hold Instruction None",
+        NID_hold_instruction_none,7,&(lvalues[3157]),0},
+{"holdInstructionCallIssuer","Hold Instruction Call Issuer",
+        NID_hold_instruction_call_issuer,7,&(lvalues[3164]),0},
+{"holdInstructionReject","Hold Instruction Reject",
+        NID_hold_instruction_reject,7,&(lvalues[3171]),0},
+{"data","data",NID_data,1,&(lvalues[3178]),0},
+{"pss","pss",NID_pss,3,&(lvalues[3179]),0},
+{"ucl","ucl",NID_ucl,7,&(lvalues[3182]),0},
+{"pilot","pilot",NID_pilot,8,&(lvalues[3189]),0},
+{"pilotAttributeType","pilotAttributeType",NID_pilotAttributeType,9,
+        &(lvalues[3197]),0},
+{"pilotAttributeSyntax","pilotAttributeSyntax",
+        NID_pilotAttributeSyntax,9,&(lvalues[3206]),0},
+{"pilotObjectClass","pilotObjectClass",NID_pilotObjectClass,9,
+        &(lvalues[3215]),0},
+{"pilotGroups","pilotGroups",NID_pilotGroups,9,&(lvalues[3224]),0},
+{"iA5StringSyntax","iA5StringSyntax",NID_iA5StringSyntax,10,
+        &(lvalues[3233]),0},
+{"caseIgnoreIA5StringSyntax","caseIgnoreIA5StringSyntax",
+        NID_caseIgnoreIA5StringSyntax,10,&(lvalues[3243]),0},
+{"pilotObject","pilotObject",NID_pilotObject,10,&(lvalues[3253]),0},
+{"pilotPerson","pilotPerson",NID_pilotPerson,10,&(lvalues[3263]),0},
+{"account","account",NID_account,10,&(lvalues[3273]),0},
+{"document","document",NID_document,10,&(lvalues[3283]),0},
+{"room","room",NID_room,10,&(lvalues[3293]),0},
+{"documentSeries","documentSeries",NID_documentSeries,10,
+        &(lvalues[3303]),0},
+{"rFC822localPart","rFC822localPart",NID_rFC822localPart,10,
+        &(lvalues[3313]),0},
+{"dNSDomain","dNSDomain",NID_dNSDomain,10,&(lvalues[3323]),0},
+{"domainRelatedObject","domainRelatedObject",NID_domainRelatedObject,
+        10,&(lvalues[3333]),0},
+{"friendlyCountry","friendlyCountry",NID_friendlyCountry,10,
+        &(lvalues[3343]),0},
+{"simpleSecurityObject","simpleSecurityObject",
+        NID_simpleSecurityObject,10,&(lvalues[3353]),0},
+{"pilotOrganization","pilotOrganization",NID_pilotOrganization,10,
+        &(lvalues[3363]),0},
+{"pilotDSA","pilotDSA",NID_pilotDSA,10,&(lvalues[3373]),0},
+{"qualityLabelledData","qualityLabelledData",NID_qualityLabelledData,
+        10,&(lvalues[3383]),0},
+{"UID","userId",NID_userId,10,&(lvalues[3393]),0},
+{"textEncodedORAddress","textEncodedORAddress",
+        NID_textEncodedORAddress,10,&(lvalues[3403]),0},
+{"mail","rfc822Mailbox",NID_rfc822Mailbox,10,&(lvalues[3413]),0},
+{"info","info",NID_info,10,&(lvalues[3423]),0},
+{"favouriteDrink","favouriteDrink",NID_favouriteDrink,10,
+        &(lvalues[3433]),0},
+{"roomNumber","roomNumber",NID_roomNumber,10,&(lvalues[3443]),0},
+{"photo","photo",NID_photo,10,&(lvalues[3453]),0},
+{"userClass","userClass",NID_userClass,10,&(lvalues[3463]),0},
+{"host","host",NID_host,10,&(lvalues[3473]),0},
+{"manager","manager",NID_manager,10,&(lvalues[3483]),0},
+{"documentIdentifier","documentIdentifier",NID_documentIdentifier,10,
+        &(lvalues[3493]),0},
+{"documentTitle","documentTitle",NID_documentTitle,10,&(lvalues[3503]),0},
+{"documentVersion","documentVersion",NID_documentVersion,10,
+        &(lvalues[3513]),0},
+{"documentAuthor","documentAuthor",NID_documentAuthor,10,
+        &(lvalues[3523]),0},
+{"documentLocation","documentLocation",NID_documentLocation,10,
+        &(lvalues[3533]),0},
+{"homeTelephoneNumber","homeTelephoneNumber",NID_homeTelephoneNumber,
+        10,&(lvalues[3543]),0},
+{"secretary","secretary",NID_secretary,10,&(lvalues[3553]),0},
+{"otherMailbox","otherMailbox",NID_otherMailbox,10,&(lvalues[3563]),0},
+{"lastModifiedTime","lastModifiedTime",NID_lastModifiedTime,10,
+        &(lvalues[3573]),0},
+{"lastModifiedBy","lastModifiedBy",NID_lastModifiedBy,10,
+        &(lvalues[3583]),0},
+{"aRecord","aRecord",NID_aRecord,10,&(lvalues[3593]),0},
+{"pilotAttributeType27","pilotAttributeType27",
+        NID_pilotAttributeType27,10,&(lvalues[3603]),0},
+{"mXRecord","mXRecord",NID_mXRecord,10,&(lvalues[3613]),0},
+{"nSRecord","nSRecord",NID_nSRecord,10,&(lvalues[3623]),0},
+{"sOARecord","sOARecord",NID_sOARecord,10,&(lvalues[3633]),0},
+{"cNAMERecord","cNAMERecord",NID_cNAMERecord,10,&(lvalues[3643]),0},
+{"associatedDomain","associatedDomain",NID_associatedDomain,10,
+        &(lvalues[3653]),0},
+{"associatedName","associatedName",NID_associatedName,10,
+        &(lvalues[3663]),0},
+{"homePostalAddress","homePostalAddress",NID_homePostalAddress,10,
+        &(lvalues[3673]),0},
+{"personalTitle","personalTitle",NID_personalTitle,10,&(lvalues[3683]),0},
+{"mobileTelephoneNumber","mobileTelephoneNumber",
+        NID_mobileTelephoneNumber,10,&(lvalues[3693]),0},
+{"pagerTelephoneNumber","pagerTelephoneNumber",
+        NID_pagerTelephoneNumber,10,&(lvalues[3703]),0},
+{"friendlyCountryName","friendlyCountryName",NID_friendlyCountryName,
+        10,&(lvalues[3713]),0},
+{"organizationalStatus","organizationalStatus",
+        NID_organizationalStatus,10,&(lvalues[3723]),0},
+{"janetMailbox","janetMailbox",NID_janetMailbox,10,&(lvalues[3733]),0},
+{"mailPreferenceOption","mailPreferenceOption",
+        NID_mailPreferenceOption,10,&(lvalues[3743]),0},
+{"buildingName","buildingName",NID_buildingName,10,&(lvalues[3753]),0},
+{"dSAQuality","dSAQuality",NID_dSAQuality,10,&(lvalues[3763]),0},
+{"singleLevelQuality","singleLevelQuality",NID_singleLevelQuality,10,
+        &(lvalues[3773]),0},
+{"subtreeMinimumQuality","subtreeMinimumQuality",
+        NID_subtreeMinimumQuality,10,&(lvalues[3783]),0},
+{"subtreeMaximumQuality","subtreeMaximumQuality",
+        NID_subtreeMaximumQuality,10,&(lvalues[3793]),0},
+{"personalSignature","personalSignature",NID_personalSignature,10,
+        &(lvalues[3803]),0},
+{"dITRedirect","dITRedirect",NID_dITRedirect,10,&(lvalues[3813]),0},
+{"audio","audio",NID_audio,10,&(lvalues[3823]),0},
+{"documentPublisher","documentPublisher",NID_documentPublisher,10,
+        &(lvalues[3833]),0},
+{"x500UniqueIdentifier","x500UniqueIdentifier",
+        NID_x500UniqueIdentifier,3,&(lvalues[3843]),0},
+{"mime-mhs","MIME MHS",NID_mime_mhs,5,&(lvalues[3846]),0},
+{"mime-mhs-headings","mime-mhs-headings",NID_mime_mhs_headings,6,
+        &(lvalues[3851]),0},
+{"mime-mhs-bodies","mime-mhs-bodies",NID_mime_mhs_bodies,6,
+        &(lvalues[3857]),0},
+{"id-hex-partial-message","id-hex-partial-message",
+        NID_id_hex_partial_message,7,&(lvalues[3863]),0},
+{"id-hex-multipart-message","id-hex-multipart-message",
+        NID_id_hex_multipart_message,7,&(lvalues[3870]),0},
+{"generationQualifier","generationQualifier",NID_generationQualifier,
+        3,&(lvalues[3877]),0},
+};
+
+static ASN1_OBJECT *sn_objs[NUM_SN]={
+&(nid_objs[364]),/* "AD_DVCS" */
+&(nid_objs[419]),/* "AES-128-CBC" */
+&(nid_objs[421]),/* "AES-128-CFB" */
+&(nid_objs[418]),/* "AES-128-ECB" */
+&(nid_objs[420]),/* "AES-128-OFB" */
+&(nid_objs[423]),/* "AES-192-CBC" */
+&(nid_objs[425]),/* "AES-192-CFB" */
+&(nid_objs[422]),/* "AES-192-ECB" */
+&(nid_objs[424]),/* "AES-192-OFB" */
+&(nid_objs[427]),/* "AES-256-CBC" */
+&(nid_objs[429]),/* "AES-256-CFB" */
+&(nid_objs[426]),/* "AES-256-ECB" */
+&(nid_objs[428]),/* "AES-256-OFB" */
+&(nid_objs[91]),/* "BF-CBC" */
+&(nid_objs[93]),/* "BF-CFB" */
+&(nid_objs[92]),/* "BF-ECB" */
+&(nid_objs[94]),/* "BF-OFB" */
+&(nid_objs[14]),/* "C" */
+&(nid_objs[108]),/* "CAST5-CBC" */
+&(nid_objs[110]),/* "CAST5-CFB" */
+&(nid_objs[109]),/* "CAST5-ECB" */
+&(nid_objs[111]),/* "CAST5-OFB" */
+&(nid_objs[404]),/* "CCITT" */
+&(nid_objs[13]),/* "CN" */
+&(nid_objs[141]),/* "CRLReason" */
+&(nid_objs[417]),/* "CSPName" */
+&(nid_objs[367]),/* "CrlID" */
+&(nid_objs[391]),/* "DC" */
+&(nid_objs[31]),/* "DES-CBC" */
+&(nid_objs[30]),/* "DES-CFB" */
+&(nid_objs[29]),/* "DES-ECB" */
+&(nid_objs[32]),/* "DES-EDE" */
+&(nid_objs[43]),/* "DES-EDE-CBC" */
+&(nid_objs[60]),/* "DES-EDE-CFB" */
+&(nid_objs[62]),/* "DES-EDE-OFB" */
+&(nid_objs[33]),/* "DES-EDE3" */
+&(nid_objs[44]),/* "DES-EDE3-CBC" */
+&(nid_objs[61]),/* "DES-EDE3-CFB" */
+&(nid_objs[63]),/* "DES-EDE3-OFB" */
+&(nid_objs[45]),/* "DES-OFB" */
+&(nid_objs[80]),/* "DESX-CBC" */
+&(nid_objs[380]),/* "DOD" */
+&(nid_objs[116]),/* "DSA" */
+&(nid_objs[66]),/* "DSA-SHA" */
+&(nid_objs[113]),/* "DSA-SHA1" */
+&(nid_objs[70]),/* "DSA-SHA1-old" */
+&(nid_objs[67]),/* "DSA-old" */
+&(nid_objs[297]),/* "DVCS" */
+&(nid_objs[381]),/* "IANA" */
+&(nid_objs[34]),/* "IDEA-CBC" */
+&(nid_objs[35]),/* "IDEA-CFB" */
+&(nid_objs[36]),/* "IDEA-ECB" */
+&(nid_objs[46]),/* "IDEA-OFB" */
+&(nid_objs[181]),/* "ISO" */
+&(nid_objs[183]),/* "ISO-US" */
+&(nid_objs[393]),/* "JOINT-ISO-CCITT" */
+&(nid_objs[15]),/* "L" */
+&(nid_objs[ 3]),/* "MD2" */
+&(nid_objs[257]),/* "MD4" */
+&(nid_objs[ 4]),/* "MD5" */
+&(nid_objs[114]),/* "MD5-SHA1" */
+&(nid_objs[95]),/* "MDC2" */
+&(nid_objs[388]),/* "Mail" */
+&(nid_objs[57]),/* "Netscape" */
+&(nid_objs[366]),/* "Nonce" */
+&(nid_objs[17]),/* "O" */
+&(nid_objs[178]),/* "OCSP" */
+&(nid_objs[180]),/* "OCSPSigning" */
+&(nid_objs[379]),/* "ORG" */
+&(nid_objs[18]),/* "OU" */
+&(nid_objs[ 9]),/* "PBE-MD2-DES" */
+&(nid_objs[168]),/* "PBE-MD2-RC2-64" */
+&(nid_objs[10]),/* "PBE-MD5-DES" */
+&(nid_objs[169]),/* "PBE-MD5-RC2-64" */
+&(nid_objs[147]),/* "PBE-SHA1-2DES" */
+&(nid_objs[146]),/* "PBE-SHA1-3DES" */
+&(nid_objs[170]),/* "PBE-SHA1-DES" */
+&(nid_objs[148]),/* "PBE-SHA1-RC2-128" */
+&(nid_objs[149]),/* "PBE-SHA1-RC2-40" */
+&(nid_objs[68]),/* "PBE-SHA1-RC2-64" */
+&(nid_objs[144]),/* "PBE-SHA1-RC4-128" */
+&(nid_objs[145]),/* "PBE-SHA1-RC4-40" */
+&(nid_objs[161]),/* "PBES2" */
+&(nid_objs[69]),/* "PBKDF2" */
+&(nid_objs[162]),/* "PBMAC1" */
+&(nid_objs[127]),/* "PKIX" */
+&(nid_objs[98]),/* "RC2-40-CBC" */
+&(nid_objs[166]),/* "RC2-64-CBC" */
+&(nid_objs[37]),/* "RC2-CBC" */
+&(nid_objs[39]),/* "RC2-CFB" */
+&(nid_objs[38]),/* "RC2-ECB" */
+&(nid_objs[40]),/* "RC2-OFB" */
+&(nid_objs[ 5]),/* "RC4" */
+&(nid_objs[97]),/* "RC4-40" */
+&(nid_objs[120]),/* "RC5-CBC" */
+&(nid_objs[122]),/* "RC5-CFB" */
+&(nid_objs[121]),/* "RC5-ECB" */
+&(nid_objs[123]),/* "RC5-OFB" */
+&(nid_objs[117]),/* "RIPEMD160" */
+&(nid_objs[124]),/* "RLE" */
+&(nid_objs[19]),/* "RSA" */
+&(nid_objs[ 7]),/* "RSA-MD2" */
+&(nid_objs[396]),/* "RSA-MD4" */
+&(nid_objs[ 8]),/* "RSA-MD5" */
+&(nid_objs[96]),/* "RSA-MDC2" */
+&(nid_objs[104]),/* "RSA-NP-MD5" */
+&(nid_objs[119]),/* "RSA-RIPEMD160" */
+&(nid_objs[42]),/* "RSA-SHA" */
+&(nid_objs[65]),/* "RSA-SHA1" */
+&(nid_objs[115]),/* "RSA-SHA1-2" */
+&(nid_objs[41]),/* "SHA" */
+&(nid_objs[64]),/* "SHA1" */
+&(nid_objs[188]),/* "SMIME" */
+&(nid_objs[167]),/* "SMIME-CAPS" */
+&(nid_objs[100]),/* "SN" */
+&(nid_objs[16]),/* "ST" */
+&(nid_objs[143]),/* "SXNetID" */
+&(nid_objs[458]),/* "UID" */
+&(nid_objs[ 0]),/* "UNDEF" */
+&(nid_objs[11]),/* "X500" */
+&(nid_objs[378]),/* "X500algorithms" */
+&(nid_objs[12]),/* "X509" */
+&(nid_objs[184]),/* "X9-57" */
+&(nid_objs[185]),/* "X9cm" */
+&(nid_objs[125]),/* "ZLIB" */
+&(nid_objs[478]),/* "aRecord" */
+&(nid_objs[289]),/* "aaControls" */
+&(nid_objs[287]),/* "ac-auditEntity" */
+&(nid_objs[397]),/* "ac-proxying" */
+&(nid_objs[288]),/* "ac-targeting" */
+&(nid_objs[368]),/* "acceptableResponses" */
+&(nid_objs[446]),/* "account" */
+&(nid_objs[363]),/* "ad_timestamping" */
+&(nid_objs[376]),/* "algorithm" */
+&(nid_objs[405]),/* "ansi-X9-62" */
+&(nid_objs[370]),/* "archiveCutoff" */
+&(nid_objs[484]),/* "associatedDomain" */
+&(nid_objs[485]),/* "associatedName" */
+&(nid_objs[501]),/* "audio" */
+&(nid_objs[177]),/* "authorityInfoAccess" */
+&(nid_objs[90]),/* "authorityKeyIdentifier" */
+&(nid_objs[87]),/* "basicConstraints" */
+&(nid_objs[365]),/* "basicOCSPResponse" */
+&(nid_objs[285]),/* "biometricInfo" */
+&(nid_objs[494]),/* "buildingName" */
+&(nid_objs[483]),/* "cNAMERecord" */
+&(nid_objs[179]),/* "caIssuers" */
+&(nid_objs[443]),/* "caseIgnoreIA5StringSyntax" */
+&(nid_objs[152]),/* "certBag" */
+&(nid_objs[89]),/* "certificatePolicies" */
+&(nid_objs[54]),/* "challengePassword" */
+&(nid_objs[407]),/* "characteristic-two-field" */
+&(nid_objs[395]),/* "clearance" */
+&(nid_objs[130]),/* "clientAuth" */
+&(nid_objs[131]),/* "codeSigning" */
+&(nid_objs[50]),/* "contentType" */
+&(nid_objs[53]),/* "countersignature" */
+&(nid_objs[153]),/* "crlBag" */
+&(nid_objs[103]),/* "crlDistributionPoints" */
+&(nid_objs[88]),/* "crlNumber" */
+&(nid_objs[500]),/* "dITRedirect" */
+&(nid_objs[451]),/* "dNSDomain" */
+&(nid_objs[495]),/* "dSAQuality" */
+&(nid_objs[434]),/* "data" */
+&(nid_objs[390]),/* "dcobject" */
+&(nid_objs[140]),/* "deltaCRL" */
+&(nid_objs[107]),/* "description" */
+&(nid_objs[28]),/* "dhKeyAgreement" */
+&(nid_objs[382]),/* "directory" */
+&(nid_objs[174]),/* "dnQualifier" */
+&(nid_objs[447]),/* "document" */
+&(nid_objs[471]),/* "documentAuthor" */
+&(nid_objs[468]),/* "documentIdentifier" */
+&(nid_objs[472]),/* "documentLocation" */
+&(nid_objs[502]),/* "documentPublisher" */
+&(nid_objs[449]),/* "documentSeries" */
+&(nid_objs[469]),/* "documentTitle" */
+&(nid_objs[470]),/* "documentVersion" */
+&(nid_objs[392]),/* "domain" */
+&(nid_objs[452]),/* "domainRelatedObject" */
+&(nid_objs[416]),/* "ecdsa-with-SHA1" */
+&(nid_objs[48]),/* "emailAddress" */
+&(nid_objs[132]),/* "emailProtection" */
+&(nid_objs[389]),/* "enterprises" */
+&(nid_objs[384]),/* "experimental" */
+&(nid_objs[172]),/* "extReq" */
+&(nid_objs[56]),/* "extendedCertificateAttributes" */
+&(nid_objs[126]),/* "extendedKeyUsage" */
+&(nid_objs[372]),/* "extendedStatus" */
+&(nid_objs[462]),/* "favouriteDrink" */
+&(nid_objs[453]),/* "friendlyCountry" */
+&(nid_objs[490]),/* "friendlyCountryName" */
+&(nid_objs[156]),/* "friendlyName" */
+&(nid_objs[509]),/* "generationQualifier" */
+&(nid_objs[99]),/* "gn" */
+&(nid_objs[163]),/* "hmacWithSHA1" */
+&(nid_objs[432]),/* "holdInstructionCallIssuer" */
+&(nid_objs[430]),/* "holdInstructionCode" */
+&(nid_objs[431]),/* "holdInstructionNone" */
+&(nid_objs[433]),/* "holdInstructionReject" */
+&(nid_objs[486]),/* "homePostalAddress" */
+&(nid_objs[473]),/* "homeTelephoneNumber" */
+&(nid_objs[466]),/* "host" */
+&(nid_objs[442]),/* "iA5StringSyntax" */
+&(nid_objs[266]),/* "id-aca" */
+&(nid_objs[355]),/* "id-aca-accessIdentity" */
+&(nid_objs[354]),/* "id-aca-authenticationInfo" */
+&(nid_objs[356]),/* "id-aca-chargingIdentity" */
+&(nid_objs[399]),/* "id-aca-encAttrs" */
+&(nid_objs[357]),/* "id-aca-group" */
+&(nid_objs[358]),/* "id-aca-role" */
+&(nid_objs[176]),/* "id-ad" */
+&(nid_objs[262]),/* "id-alg" */
+&(nid_objs[323]),/* "id-alg-des40" */
+&(nid_objs[326]),/* "id-alg-dh-pop" */
+&(nid_objs[325]),/* "id-alg-dh-sig-hmac-sha1" */
+&(nid_objs[324]),/* "id-alg-noSignature" */
+&(nid_objs[268]),/* "id-cct" */
+&(nid_objs[361]),/* "id-cct-PKIData" */
+&(nid_objs[362]),/* "id-cct-PKIResponse" */
+&(nid_objs[360]),/* "id-cct-crs" */
+&(nid_objs[81]),/* "id-ce" */
+&(nid_objs[263]),/* "id-cmc" */
+&(nid_objs[334]),/* "id-cmc-addExtensions" */
+&(nid_objs[346]),/* "id-cmc-confirmCertAcceptance" */
+&(nid_objs[330]),/* "id-cmc-dataReturn" */
+&(nid_objs[336]),/* "id-cmc-decryptedPOP" */
+&(nid_objs[335]),/* "id-cmc-encryptedPOP" */
+&(nid_objs[339]),/* "id-cmc-getCRL" */
+&(nid_objs[338]),/* "id-cmc-getCert" */
+&(nid_objs[328]),/* "id-cmc-identification" */
+&(nid_objs[329]),/* "id-cmc-identityProof" */
+&(nid_objs[337]),/* "id-cmc-lraPOPWitness" */
+&(nid_objs[344]),/* "id-cmc-popLinkRandom" */
+&(nid_objs[345]),/* "id-cmc-popLinkWitness" */
+&(nid_objs[343]),/* "id-cmc-queryPending" */
+&(nid_objs[333]),/* "id-cmc-recipientNonce" */
+&(nid_objs[341]),/* "id-cmc-regInfo" */
+&(nid_objs[342]),/* "id-cmc-responseInfo" */
+&(nid_objs[340]),/* "id-cmc-revokeRequest" */
+&(nid_objs[332]),/* "id-cmc-senderNonce" */
+&(nid_objs[327]),/* "id-cmc-statusInfo" */
+&(nid_objs[331]),/* "id-cmc-transactionId" */
+&(nid_objs[408]),/* "id-ecPublicKey" */
+&(nid_objs[508]),/* "id-hex-multipart-message" */
+&(nid_objs[507]),/* "id-hex-partial-message" */
+&(nid_objs[260]),/* "id-it" */
+&(nid_objs[302]),/* "id-it-caKeyUpdateInfo" */
+&(nid_objs[298]),/* "id-it-caProtEncCert" */
+&(nid_objs[311]),/* "id-it-confirmWaitTime" */
+&(nid_objs[303]),/* "id-it-currentCRL" */
+&(nid_objs[300]),/* "id-it-encKeyPairTypes" */
+&(nid_objs[310]),/* "id-it-implicitConfirm" */
+&(nid_objs[308]),/* "id-it-keyPairParamRep" */
+&(nid_objs[307]),/* "id-it-keyPairParamReq" */
+&(nid_objs[312]),/* "id-it-origPKIMessage" */
+&(nid_objs[301]),/* "id-it-preferredSymmAlg" */
+&(nid_objs[309]),/* "id-it-revPassphrase" */
+&(nid_objs[299]),/* "id-it-signKeyPairTypes" */
+&(nid_objs[305]),/* "id-it-subscriptionRequest" */
+&(nid_objs[306]),/* "id-it-subscriptionResponse" */
+&(nid_objs[304]),/* "id-it-unsupportedOIDs" */
+&(nid_objs[128]),/* "id-kp" */
+&(nid_objs[280]),/* "id-mod-attribute-cert" */
+&(nid_objs[274]),/* "id-mod-cmc" */
+&(nid_objs[277]),/* "id-mod-cmp" */
+&(nid_objs[284]),/* "id-mod-cmp2000" */
+&(nid_objs[273]),/* "id-mod-crmf" */
+&(nid_objs[283]),/* "id-mod-dvcs" */
+&(nid_objs[275]),/* "id-mod-kea-profile-88" */
+&(nid_objs[276]),/* "id-mod-kea-profile-93" */
+&(nid_objs[282]),/* "id-mod-ocsp" */
+&(nid_objs[278]),/* "id-mod-qualified-cert-88" */
+&(nid_objs[279]),/* "id-mod-qualified-cert-93" */
+&(nid_objs[281]),/* "id-mod-timestamp-protocol" */
+&(nid_objs[264]),/* "id-on" */
+&(nid_objs[347]),/* "id-on-personalData" */
+&(nid_objs[265]),/* "id-pda" */
+&(nid_objs[352]),/* "id-pda-countryOfCitizenship" */
+&(nid_objs[353]),/* "id-pda-countryOfResidence" */
+&(nid_objs[348]),/* "id-pda-dateOfBirth" */
+&(nid_objs[351]),/* "id-pda-gender" */
+&(nid_objs[349]),/* "id-pda-placeOfBirth" */
+&(nid_objs[175]),/* "id-pe" */
+&(nid_objs[261]),/* "id-pkip" */
+&(nid_objs[258]),/* "id-pkix-mod" */
+&(nid_objs[269]),/* "id-pkix1-explicit-88" */
+&(nid_objs[271]),/* "id-pkix1-explicit-93" */
+&(nid_objs[270]),/* "id-pkix1-implicit-88" */
+&(nid_objs[272]),/* "id-pkix1-implicit-93" */
+&(nid_objs[267]),/* "id-qcs" */
+&(nid_objs[359]),/* "id-qcs-pkixQCSyntax-v1" */
+&(nid_objs[259]),/* "id-qt" */
+&(nid_objs[164]),/* "id-qt-cps" */
+&(nid_objs[165]),/* "id-qt-unotice" */
+&(nid_objs[313]),/* "id-regCtrl" */
+&(nid_objs[316]),/* "id-regCtrl-authenticator" */
+&(nid_objs[319]),/* "id-regCtrl-oldCertID" */
+&(nid_objs[318]),/* "id-regCtrl-pkiArchiveOptions" */
+&(nid_objs[317]),/* "id-regCtrl-pkiPublicationInfo" */
+&(nid_objs[320]),/* "id-regCtrl-protocolEncrKey" */
+&(nid_objs[315]),/* "id-regCtrl-regToken" */
+&(nid_objs[314]),/* "id-regInfo" */
+&(nid_objs[322]),/* "id-regInfo-certReq" */
+&(nid_objs[321]),/* "id-regInfo-utf8Pairs" */
+&(nid_objs[191]),/* "id-smime-aa" */
+&(nid_objs[215]),/* "id-smime-aa-contentHint" */
+&(nid_objs[218]),/* "id-smime-aa-contentIdentifier" */
+&(nid_objs[221]),/* "id-smime-aa-contentReference" */
+&(nid_objs[240]),/* "id-smime-aa-dvcs-dvc" */
+&(nid_objs[217]),/* "id-smime-aa-encapContentType" */
+&(nid_objs[222]),/* "id-smime-aa-encrypKeyPref" */
+&(nid_objs[220]),/* "id-smime-aa-equivalentLabels" */
+&(nid_objs[232]),/* "id-smime-aa-ets-CertificateRefs" */
+&(nid_objs[233]),/* "id-smime-aa-ets-RevocationRefs" */
+&(nid_objs[238]),/* "id-smime-aa-ets-archiveTimeStamp" */
+&(nid_objs[237]),/* "id-smime-aa-ets-certCRLTimestamp" */
+&(nid_objs[234]),/* "id-smime-aa-ets-certValues" */
+&(nid_objs[227]),/* "id-smime-aa-ets-commitmentType" */
+&(nid_objs[231]),/* "id-smime-aa-ets-contentTimestamp" */
+&(nid_objs[236]),/* "id-smime-aa-ets-escTimeStamp" */
+&(nid_objs[230]),/* "id-smime-aa-ets-otherSigCert" */
+&(nid_objs[235]),/* "id-smime-aa-ets-revocationValues" */
+&(nid_objs[226]),/* "id-smime-aa-ets-sigPolicyId" */
+&(nid_objs[229]),/* "id-smime-aa-ets-signerAttr" */
+&(nid_objs[228]),/* "id-smime-aa-ets-signerLocation" */
+&(nid_objs[219]),/* "id-smime-aa-macValue" */
+&(nid_objs[214]),/* "id-smime-aa-mlExpandHistory" */
+&(nid_objs[216]),/* "id-smime-aa-msgSigDigest" */
+&(nid_objs[212]),/* "id-smime-aa-receiptRequest" */
+&(nid_objs[213]),/* "id-smime-aa-securityLabel" */
+&(nid_objs[239]),/* "id-smime-aa-signatureType" */
+&(nid_objs[223]),/* "id-smime-aa-signingCertificate" */
+&(nid_objs[224]),/* "id-smime-aa-smimeEncryptCerts" */
+&(nid_objs[225]),/* "id-smime-aa-timeStampToken" */
+&(nid_objs[192]),/* "id-smime-alg" */
+&(nid_objs[243]),/* "id-smime-alg-3DESwrap" */
+&(nid_objs[246]),/* "id-smime-alg-CMS3DESwrap" */
+&(nid_objs[247]),/* "id-smime-alg-CMSRC2wrap" */
+&(nid_objs[245]),/* "id-smime-alg-ESDH" */
+&(nid_objs[241]),/* "id-smime-alg-ESDHwith3DES" */
+&(nid_objs[242]),/* "id-smime-alg-ESDHwithRC2" */
+&(nid_objs[244]),/* "id-smime-alg-RC2wrap" */
+&(nid_objs[193]),/* "id-smime-cd" */
+&(nid_objs[248]),/* "id-smime-cd-ldap" */
+&(nid_objs[190]),/* "id-smime-ct" */
+&(nid_objs[210]),/* "id-smime-ct-DVCSRequestData" */
+&(nid_objs[211]),/* "id-smime-ct-DVCSResponseData" */
+&(nid_objs[208]),/* "id-smime-ct-TDTInfo" */
+&(nid_objs[207]),/* "id-smime-ct-TSTInfo" */
+&(nid_objs[205]),/* "id-smime-ct-authData" */
+&(nid_objs[209]),/* "id-smime-ct-contentInfo" */
+&(nid_objs[206]),/* "id-smime-ct-publishCert" */
+&(nid_objs[204]),/* "id-smime-ct-receipt" */
+&(nid_objs[195]),/* "id-smime-cti" */
+&(nid_objs[255]),/* "id-smime-cti-ets-proofOfApproval" */
+&(nid_objs[256]),/* "id-smime-cti-ets-proofOfCreation" */
+&(nid_objs[253]),/* "id-smime-cti-ets-proofOfDelivery" */
+&(nid_objs[251]),/* "id-smime-cti-ets-proofOfOrigin" */
+&(nid_objs[252]),/* "id-smime-cti-ets-proofOfReceipt" */
+&(nid_objs[254]),/* "id-smime-cti-ets-proofOfSender" */
+&(nid_objs[189]),/* "id-smime-mod" */
+&(nid_objs[196]),/* "id-smime-mod-cms" */
+&(nid_objs[197]),/* "id-smime-mod-ess" */
+&(nid_objs[202]),/* "id-smime-mod-ets-eSigPolicy-88" */
+&(nid_objs[203]),/* "id-smime-mod-ets-eSigPolicy-97" */
+&(nid_objs[200]),/* "id-smime-mod-ets-eSignature-88" */
+&(nid_objs[201]),/* "id-smime-mod-ets-eSignature-97" */
+&(nid_objs[199]),/* "id-smime-mod-msg-v3" */
+&(nid_objs[198]),/* "id-smime-mod-oid" */
+&(nid_objs[194]),/* "id-smime-spq" */
+&(nid_objs[250]),/* "id-smime-spq-ets-sqt-unotice" */
+&(nid_objs[249]),/* "id-smime-spq-ets-sqt-uri" */
+&(nid_objs[461]),/* "info" */
+&(nid_objs[101]),/* "initials" */
+&(nid_objs[142]),/* "invalidityDate" */
+&(nid_objs[294]),/* "ipsecEndSystem" */
+&(nid_objs[295]),/* "ipsecTunnel" */
+&(nid_objs[296]),/* "ipsecUser" */
+&(nid_objs[86]),/* "issuerAltName" */
+&(nid_objs[492]),/* "janetMailbox" */
+&(nid_objs[150]),/* "keyBag" */
+&(nid_objs[83]),/* "keyUsage" */
+&(nid_objs[477]),/* "lastModifiedBy" */
+&(nid_objs[476]),/* "lastModifiedTime" */
+&(nid_objs[157]),/* "localKeyID" */
+&(nid_objs[480]),/* "mXRecord" */
+&(nid_objs[460]),/* "mail" */
+&(nid_objs[493]),/* "mailPreferenceOption" */
+&(nid_objs[467]),/* "manager" */
+&(nid_objs[182]),/* "member-body" */
+&(nid_objs[51]),/* "messageDigest" */
+&(nid_objs[383]),/* "mgmt" */
+&(nid_objs[504]),/* "mime-mhs" */
+&(nid_objs[506]),/* "mime-mhs-bodies" */
+&(nid_objs[505]),/* "mime-mhs-headings" */
+&(nid_objs[488]),/* "mobileTelephoneNumber" */
+&(nid_objs[136]),/* "msCTLSign" */
+&(nid_objs[135]),/* "msCodeCom" */
+&(nid_objs[134]),/* "msCodeInd" */
+&(nid_objs[138]),/* "msEFS" */
+&(nid_objs[171]),/* "msExtReq" */
+&(nid_objs[137]),/* "msSGC" */
+&(nid_objs[481]),/* "nSRecord" */
+&(nid_objs[173]),/* "name" */
+&(nid_objs[369]),/* "noCheck" */
+&(nid_objs[403]),/* "noRevAvail" */
+&(nid_objs[72]),/* "nsBaseUrl" */
+&(nid_objs[76]),/* "nsCaPolicyUrl" */
+&(nid_objs[74]),/* "nsCaRevocationUrl" */
+&(nid_objs[58]),/* "nsCertExt" */
+&(nid_objs[79]),/* "nsCertSequence" */
+&(nid_objs[71]),/* "nsCertType" */
+&(nid_objs[78]),/* "nsComment" */
+&(nid_objs[59]),/* "nsDataType" */
+&(nid_objs[75]),/* "nsRenewalUrl" */
+&(nid_objs[73]),/* "nsRevocationUrl" */
+&(nid_objs[139]),/* "nsSGC" */
+&(nid_objs[77]),/* "nsSslServerName" */
+&(nid_objs[491]),/* "organizationalStatus" */
+&(nid_objs[475]),/* "otherMailbox" */
+&(nid_objs[489]),/* "pagerTelephoneNumber" */
+&(nid_objs[374]),/* "path" */
+&(nid_objs[112]),/* "pbeWithMD5AndCast5CBC" */
+&(nid_objs[499]),/* "personalSignature" */
+&(nid_objs[487]),/* "personalTitle" */
+&(nid_objs[464]),/* "photo" */
+&(nid_objs[437]),/* "pilot" */
+&(nid_objs[439]),/* "pilotAttributeSyntax" */
+&(nid_objs[438]),/* "pilotAttributeType" */
+&(nid_objs[479]),/* "pilotAttributeType27" */
+&(nid_objs[456]),/* "pilotDSA" */
+&(nid_objs[441]),/* "pilotGroups" */
+&(nid_objs[444]),/* "pilotObject" */
+&(nid_objs[440]),/* "pilotObjectClass" */
+&(nid_objs[455]),/* "pilotOrganization" */
+&(nid_objs[445]),/* "pilotPerson" */
+&(nid_objs[ 2]),/* "pkcs" */
+&(nid_objs[186]),/* "pkcs1" */
+&(nid_objs[27]),/* "pkcs3" */
+&(nid_objs[187]),/* "pkcs5" */
+&(nid_objs[20]),/* "pkcs7" */
+&(nid_objs[21]),/* "pkcs7-data" */
+&(nid_objs[25]),/* "pkcs7-digestData" */
+&(nid_objs[26]),/* "pkcs7-encryptedData" */
+&(nid_objs[23]),/* "pkcs7-envelopedData" */
+&(nid_objs[24]),/* "pkcs7-signedAndEnvelopedData" */
+&(nid_objs[22]),/* "pkcs7-signedData" */
+&(nid_objs[151]),/* "pkcs8ShroudedKeyBag" */
+&(nid_objs[47]),/* "pkcs9" */
+&(nid_objs[401]),/* "policyConstraints" */
+&(nid_objs[406]),/* "prime-field" */
+&(nid_objs[409]),/* "prime192v1" */
+&(nid_objs[410]),/* "prime192v2" */
+&(nid_objs[411]),/* "prime192v3" */
+&(nid_objs[412]),/* "prime239v1" */
+&(nid_objs[413]),/* "prime239v2" */
+&(nid_objs[414]),/* "prime239v3" */
+&(nid_objs[415]),/* "prime256v1" */
+&(nid_objs[385]),/* "private" */
+&(nid_objs[84]),/* "privateKeyUsagePeriod" */
+&(nid_objs[435]),/* "pss" */
+&(nid_objs[286]),/* "qcStatements" */
+&(nid_objs[457]),/* "qualityLabelledData" */
+&(nid_objs[450]),/* "rFC822localPart" */
+&(nid_objs[400]),/* "role" */
+&(nid_objs[448]),/* "room" */
+&(nid_objs[463]),/* "roomNumber" */
+&(nid_objs[ 6]),/* "rsaEncryption" */
+&(nid_objs[377]),/* "rsaSignature" */
+&(nid_objs[ 1]),/* "rsadsi" */
+&(nid_objs[482]),/* "sOARecord" */
+&(nid_objs[155]),/* "safeContentsBag" */
+&(nid_objs[291]),/* "sbqp-autonomousSysNum" */
+&(nid_objs[290]),/* "sbqp-ipAddrBlock" */
+&(nid_objs[292]),/* "sbqp-routerIdentifier" */
+&(nid_objs[159]),/* "sdsiCertificate" */
+&(nid_objs[154]),/* "secretBag" */
+&(nid_objs[474]),/* "secretary" */
+&(nid_objs[386]),/* "security" */
+&(nid_objs[394]),/* "selected-attribute-types" */
+&(nid_objs[105]),/* "serialNumber" */
+&(nid_objs[129]),/* "serverAuth" */
+&(nid_objs[371]),/* "serviceLocator" */
+&(nid_objs[52]),/* "signingTime" */
+&(nid_objs[454]),/* "simpleSecurityObject" */
+&(nid_objs[496]),/* "singleLevelQuality" */
+&(nid_objs[387]),/* "snmpv2" */
+&(nid_objs[85]),/* "subjectAltName" */
+&(nid_objs[398]),/* "subjectInfoAccess" */
+&(nid_objs[82]),/* "subjectKeyIdentifier" */
+&(nid_objs[498]),/* "subtreeMaximumQuality" */
+&(nid_objs[497]),/* "subtreeMinimumQuality" */
+&(nid_objs[402]),/* "targetInformation" */
+&(nid_objs[459]),/* "textEncodedORAddress" */
+&(nid_objs[293]),/* "textNotice" */
+&(nid_objs[133]),/* "timeStamping" */
+&(nid_objs[106]),/* "title" */
+&(nid_objs[375]),/* "trustRoot" */
+&(nid_objs[436]),/* "ucl" */
+&(nid_objs[55]),/* "unstructuredAddress" */
+&(nid_objs[49]),/* "unstructuredName" */
+&(nid_objs[465]),/* "userClass" */
+&(nid_objs[373]),/* "valid" */
+&(nid_objs[503]),/* "x500UniqueIdentifier" */
+&(nid_objs[158]),/* "x509Certificate" */
+&(nid_objs[160]),/* "x509Crl" */
+};
+
+static ASN1_OBJECT *ln_objs[NUM_LN]={
+&(nid_objs[363]),/* "AD Time Stamping" */
+&(nid_objs[405]),/* "ANSI X9.62" */
+&(nid_objs[368]),/* "Acceptable OCSP Responses" */
+&(nid_objs[177]),/* "Authority Information Access" */
+&(nid_objs[365]),/* "Basic OCSP Response" */
+&(nid_objs[285]),/* "Biometric Info" */
+&(nid_objs[179]),/* "CA Issuers" */
+&(nid_objs[131]),/* "Code Signing" */
+&(nid_objs[382]),/* "Directory" */
+&(nid_objs[392]),/* "Domain" */
+&(nid_objs[132]),/* "E-mail Protection" */
+&(nid_objs[389]),/* "Enterprises" */
+&(nid_objs[384]),/* "Experimental" */
+&(nid_objs[372]),/* "Extended OCSP Status" */
+&(nid_objs[172]),/* "Extension Request" */
+&(nid_objs[432]),/* "Hold Instruction Call Issuer" */
+&(nid_objs[430]),/* "Hold Instruction Code" */
+&(nid_objs[431]),/* "Hold Instruction None" */
+&(nid_objs[433]),/* "Hold Instruction Reject" */
+&(nid_objs[294]),/* "IPSec End System" */
+&(nid_objs[295]),/* "IPSec Tunnel" */
+&(nid_objs[296]),/* "IPSec User" */
+&(nid_objs[182]),/* "ISO Member Body" */
+&(nid_objs[183]),/* "ISO US Member Body" */
+&(nid_objs[142]),/* "Invalidity Date" */
+&(nid_objs[504]),/* "MIME MHS" */
+&(nid_objs[388]),/* "Mail" */
+&(nid_objs[383]),/* "Management" */
+&(nid_objs[417]),/* "Microsoft CSP Name" */
+&(nid_objs[135]),/* "Microsoft Commercial Code Signing" */
+&(nid_objs[138]),/* "Microsoft Encrypted File System" */
+&(nid_objs[171]),/* "Microsoft Extension Request" */
+&(nid_objs[134]),/* "Microsoft Individual Code Signing" */
+&(nid_objs[137]),/* "Microsoft Server Gated Crypto" */
+&(nid_objs[136]),/* "Microsoft Trust List Signing" */
+&(nid_objs[72]),/* "Netscape Base Url" */
+&(nid_objs[76]),/* "Netscape CA Policy Url" */
+&(nid_objs[74]),/* "Netscape CA Revocation Url" */
+&(nid_objs[71]),/* "Netscape Cert Type" */
+&(nid_objs[58]),/* "Netscape Certificate Extension" */
+&(nid_objs[79]),/* "Netscape Certificate Sequence" */
+&(nid_objs[78]),/* "Netscape Comment" */
+&(nid_objs[57]),/* "Netscape Communications Corp." */
+&(nid_objs[59]),/* "Netscape Data Type" */
+&(nid_objs[75]),/* "Netscape Renewal Url" */
+&(nid_objs[73]),/* "Netscape Revocation Url" */
+&(nid_objs[77]),/* "Netscape SSL Server Name" */
+&(nid_objs[139]),/* "Netscape Server Gated Crypto" */
+&(nid_objs[178]),/* "OCSP" */
+&(nid_objs[370]),/* "OCSP Archive Cutoff" */
+&(nid_objs[367]),/* "OCSP CRL ID" */
+&(nid_objs[369]),/* "OCSP No Check" */
+&(nid_objs[366]),/* "OCSP Nonce" */
+&(nid_objs[371]),/* "OCSP Service Locator" */
+&(nid_objs[180]),/* "OCSP Signing" */
+&(nid_objs[161]),/* "PBES2" */
+&(nid_objs[69]),/* "PBKDF2" */
+&(nid_objs[162]),/* "PBMAC1" */
+&(nid_objs[127]),/* "PKIX" */
+&(nid_objs[164]),/* "Policy Qualifier CPS" */
+&(nid_objs[165]),/* "Policy Qualifier User Notice" */
+&(nid_objs[385]),/* "Private" */
+&(nid_objs[ 1]),/* "RSA Data Security, Inc." */
+&(nid_objs[ 2]),/* "RSA Data Security, Inc. PKCS" */
+&(nid_objs[188]),/* "S/MIME" */
+&(nid_objs[167]),/* "S/MIME Capabilities" */
+&(nid_objs[387]),/* "SNMPv2" */
+&(nid_objs[386]),/* "Security" */
+&(nid_objs[394]),/* "Selected Attribute Types" */
+&(nid_objs[143]),/* "Strong Extranet ID" */
+&(nid_objs[398]),/* "Subject Information Access" */
+&(nid_objs[130]),/* "TLS Web Client Authentication" */
+&(nid_objs[129]),/* "TLS Web Server Authentication" */
+&(nid_objs[133]),/* "Time Stamping" */
+&(nid_objs[375]),/* "Trust Root" */
+&(nid_objs[12]),/* "X509" */
+&(nid_objs[402]),/* "X509v3 AC Targeting" */
+&(nid_objs[90]),/* "X509v3 Authority Key Identifier" */
+&(nid_objs[87]),/* "X509v3 Basic Constraints" */
+&(nid_objs[103]),/* "X509v3 CRL Distribution Points" */
+&(nid_objs[88]),/* "X509v3 CRL Number" */
+&(nid_objs[141]),/* "X509v3 CRL Reason Code" */
+&(nid_objs[89]),/* "X509v3 Certificate Policies" */
+&(nid_objs[140]),/* "X509v3 Delta CRL Indicator" */
+&(nid_objs[126]),/* "X509v3 Extended Key Usage" */
+&(nid_objs[86]),/* "X509v3 Issuer Alternative Name" */
+&(nid_objs[83]),/* "X509v3 Key Usage" */
+&(nid_objs[403]),/* "X509v3 No Revocation Available" */
+&(nid_objs[401]),/* "X509v3 Policy Constraints" */
+&(nid_objs[84]),/* "X509v3 Private Key Usage Period" */
+&(nid_objs[85]),/* "X509v3 Subject Alternative Name" */
+&(nid_objs[82]),/* "X509v3 Subject Key Identifier" */
+&(nid_objs[184]),/* "X9.57" */
+&(nid_objs[185]),/* "X9.57 CM ?" */
+&(nid_objs[478]),/* "aRecord" */
+&(nid_objs[289]),/* "aaControls" */
+&(nid_objs[287]),/* "ac-auditEntity" */
+&(nid_objs[397]),/* "ac-proxying" */
+&(nid_objs[288]),/* "ac-targeting" */
+&(nid_objs[446]),/* "account" */
+&(nid_objs[364]),/* "ad dvcs" */
+&(nid_objs[419]),/* "aes-128-cbc" */
+&(nid_objs[421]),/* "aes-128-cfb" */
+&(nid_objs[418]),/* "aes-128-ecb" */
+&(nid_objs[420]),/* "aes-128-ofb" */
+&(nid_objs[423]),/* "aes-192-cbc" */
+&(nid_objs[425]),/* "aes-192-cfb" */
+&(nid_objs[422]),/* "aes-192-ecb" */
+&(nid_objs[424]),/* "aes-192-ofb" */
+&(nid_objs[427]),/* "aes-256-cbc" */
+&(nid_objs[429]),/* "aes-256-cfb" */
+&(nid_objs[426]),/* "aes-256-ecb" */
+&(nid_objs[428]),/* "aes-256-ofb" */
+&(nid_objs[376]),/* "algorithm" */
+&(nid_objs[484]),/* "associatedDomain" */
+&(nid_objs[485]),/* "associatedName" */
+&(nid_objs[501]),/* "audio" */
+&(nid_objs[91]),/* "bf-cbc" */
+&(nid_objs[93]),/* "bf-cfb" */
+&(nid_objs[92]),/* "bf-ecb" */
+&(nid_objs[94]),/* "bf-ofb" */
+&(nid_objs[494]),/* "buildingName" */
+&(nid_objs[483]),/* "cNAMERecord" */
+&(nid_objs[443]),/* "caseIgnoreIA5StringSyntax" */
+&(nid_objs[108]),/* "cast5-cbc" */
+&(nid_objs[110]),/* "cast5-cfb" */
+&(nid_objs[109]),/* "cast5-ecb" */
+&(nid_objs[111]),/* "cast5-ofb" */
+&(nid_objs[404]),/* "ccitt" */
+&(nid_objs[152]),/* "certBag" */
+&(nid_objs[54]),/* "challengePassword" */
+&(nid_objs[407]),/* "characteristic-two-field" */
+&(nid_objs[395]),/* "clearance" */
+&(nid_objs[13]),/* "commonName" */
+&(nid_objs[50]),/* "contentType" */
+&(nid_objs[53]),/* "countersignature" */
+&(nid_objs[14]),/* "countryName" */
+&(nid_objs[153]),/* "crlBag" */
+&(nid_objs[500]),/* "dITRedirect" */
+&(nid_objs[451]),/* "dNSDomain" */
+&(nid_objs[495]),/* "dSAQuality" */
+&(nid_objs[434]),/* "data" */
+&(nid_objs[390]),/* "dcObject" */
+&(nid_objs[31]),/* "des-cbc" */
+&(nid_objs[30]),/* "des-cfb" */
+&(nid_objs[29]),/* "des-ecb" */
+&(nid_objs[32]),/* "des-ede" */
+&(nid_objs[43]),/* "des-ede-cbc" */
+&(nid_objs[60]),/* "des-ede-cfb" */
+&(nid_objs[62]),/* "des-ede-ofb" */
+&(nid_objs[33]),/* "des-ede3" */
+&(nid_objs[44]),/* "des-ede3-cbc" */
+&(nid_objs[61]),/* "des-ede3-cfb" */
+&(nid_objs[63]),/* "des-ede3-ofb" */
+&(nid_objs[45]),/* "des-ofb" */
+&(nid_objs[107]),/* "description" */
+&(nid_objs[80]),/* "desx-cbc" */
+&(nid_objs[28]),/* "dhKeyAgreement" */
+&(nid_objs[11]),/* "directory services (X.500)" */
+&(nid_objs[378]),/* "directory services - algorithms" */
+&(nid_objs[174]),/* "dnQualifier" */
+&(nid_objs[447]),/* "document" */
+&(nid_objs[471]),/* "documentAuthor" */
+&(nid_objs[468]),/* "documentIdentifier" */
+&(nid_objs[472]),/* "documentLocation" */
+&(nid_objs[502]),/* "documentPublisher" */
+&(nid_objs[449]),/* "documentSeries" */
+&(nid_objs[469]),/* "documentTitle" */
+&(nid_objs[470]),/* "documentVersion" */
+&(nid_objs[380]),/* "dod" */
+&(nid_objs[391]),/* "domainComponent" */
+&(nid_objs[452]),/* "domainRelatedObject" */
+&(nid_objs[116]),/* "dsaEncryption" */
+&(nid_objs[67]),/* "dsaEncryption-old" */
+&(nid_objs[66]),/* "dsaWithSHA" */
+&(nid_objs[113]),/* "dsaWithSHA1" */
+&(nid_objs[70]),/* "dsaWithSHA1-old" */
+&(nid_objs[297]),/* "dvcs" */
+&(nid_objs[416]),/* "ecdsa-with-SHA1" */
+&(nid_objs[48]),/* "emailAddress" */
+&(nid_objs[56]),/* "extendedCertificateAttributes" */
+&(nid_objs[462]),/* "favouriteDrink" */
+&(nid_objs[453]),/* "friendlyCountry" */
+&(nid_objs[490]),/* "friendlyCountryName" */
+&(nid_objs[156]),/* "friendlyName" */
+&(nid_objs[509]),/* "generationQualifier" */
+&(nid_objs[99]),/* "givenName" */
+&(nid_objs[163]),/* "hmacWithSHA1" */
+&(nid_objs[486]),/* "homePostalAddress" */
+&(nid_objs[473]),/* "homeTelephoneNumber" */
+&(nid_objs[466]),/* "host" */
+&(nid_objs[442]),/* "iA5StringSyntax" */
+&(nid_objs[381]),/* "iana" */
+&(nid_objs[266]),/* "id-aca" */
+&(nid_objs[355]),/* "id-aca-accessIdentity" */
+&(nid_objs[354]),/* "id-aca-authenticationInfo" */
+&(nid_objs[356]),/* "id-aca-chargingIdentity" */
+&(nid_objs[399]),/* "id-aca-encAttrs" */
+&(nid_objs[357]),/* "id-aca-group" */
+&(nid_objs[358]),/* "id-aca-role" */
+&(nid_objs[176]),/* "id-ad" */
+&(nid_objs[262]),/* "id-alg" */
+&(nid_objs[323]),/* "id-alg-des40" */
+&(nid_objs[326]),/* "id-alg-dh-pop" */
+&(nid_objs[325]),/* "id-alg-dh-sig-hmac-sha1" */
+&(nid_objs[324]),/* "id-alg-noSignature" */
+&(nid_objs[268]),/* "id-cct" */
+&(nid_objs[361]),/* "id-cct-PKIData" */
+&(nid_objs[362]),/* "id-cct-PKIResponse" */
+&(nid_objs[360]),/* "id-cct-crs" */
+&(nid_objs[81]),/* "id-ce" */
+&(nid_objs[263]),/* "id-cmc" */
+&(nid_objs[334]),/* "id-cmc-addExtensions" */
+&(nid_objs[346]),/* "id-cmc-confirmCertAcceptance" */
+&(nid_objs[330]),/* "id-cmc-dataReturn" */
+&(nid_objs[336]),/* "id-cmc-decryptedPOP" */
+&(nid_objs[335]),/* "id-cmc-encryptedPOP" */
+&(nid_objs[339]),/* "id-cmc-getCRL" */
+&(nid_objs[338]),/* "id-cmc-getCert" */
+&(nid_objs[328]),/* "id-cmc-identification" */
+&(nid_objs[329]),/* "id-cmc-identityProof" */
+&(nid_objs[337]),/* "id-cmc-lraPOPWitness" */
+&(nid_objs[344]),/* "id-cmc-popLinkRandom" */
+&(nid_objs[345]),/* "id-cmc-popLinkWitness" */
+&(nid_objs[343]),/* "id-cmc-queryPending" */
+&(nid_objs[333]),/* "id-cmc-recipientNonce" */
+&(nid_objs[341]),/* "id-cmc-regInfo" */
+&(nid_objs[342]),/* "id-cmc-responseInfo" */
+&(nid_objs[340]),/* "id-cmc-revokeRequest" */
+&(nid_objs[332]),/* "id-cmc-senderNonce" */
+&(nid_objs[327]),/* "id-cmc-statusInfo" */
+&(nid_objs[331]),/* "id-cmc-transactionId" */
+&(nid_objs[408]),/* "id-ecPublicKey" */
+&(nid_objs[508]),/* "id-hex-multipart-message" */
+&(nid_objs[507]),/* "id-hex-partial-message" */
+&(nid_objs[260]),/* "id-it" */
+&(nid_objs[302]),/* "id-it-caKeyUpdateInfo" */
+&(nid_objs[298]),/* "id-it-caProtEncCert" */
+&(nid_objs[311]),/* "id-it-confirmWaitTime" */
+&(nid_objs[303]),/* "id-it-currentCRL" */
+&(nid_objs[300]),/* "id-it-encKeyPairTypes" */
+&(nid_objs[310]),/* "id-it-implicitConfirm" */
+&(nid_objs[308]),/* "id-it-keyPairParamRep" */
+&(nid_objs[307]),/* "id-it-keyPairParamReq" */
+&(nid_objs[312]),/* "id-it-origPKIMessage" */
+&(nid_objs[301]),/* "id-it-preferredSymmAlg" */
+&(nid_objs[309]),/* "id-it-revPassphrase" */
+&(nid_objs[299]),/* "id-it-signKeyPairTypes" */
+&(nid_objs[305]),/* "id-it-subscriptionRequest" */
+&(nid_objs[306]),/* "id-it-subscriptionResponse" */
+&(nid_objs[304]),/* "id-it-unsupportedOIDs" */
+&(nid_objs[128]),/* "id-kp" */
+&(nid_objs[280]),/* "id-mod-attribute-cert" */
+&(nid_objs[274]),/* "id-mod-cmc" */
+&(nid_objs[277]),/* "id-mod-cmp" */
+&(nid_objs[284]),/* "id-mod-cmp2000" */
+&(nid_objs[273]),/* "id-mod-crmf" */
+&(nid_objs[283]),/* "id-mod-dvcs" */
+&(nid_objs[275]),/* "id-mod-kea-profile-88" */
+&(nid_objs[276]),/* "id-mod-kea-profile-93" */
+&(nid_objs[282]),/* "id-mod-ocsp" */
+&(nid_objs[278]),/* "id-mod-qualified-cert-88" */
+&(nid_objs[279]),/* "id-mod-qualified-cert-93" */
+&(nid_objs[281]),/* "id-mod-timestamp-protocol" */
+&(nid_objs[264]),/* "id-on" */
+&(nid_objs[347]),/* "id-on-personalData" */
+&(nid_objs[265]),/* "id-pda" */
+&(nid_objs[352]),/* "id-pda-countryOfCitizenship" */
+&(nid_objs[353]),/* "id-pda-countryOfResidence" */
+&(nid_objs[348]),/* "id-pda-dateOfBirth" */
+&(nid_objs[351]),/* "id-pda-gender" */
+&(nid_objs[349]),/* "id-pda-placeOfBirth" */
+&(nid_objs[175]),/* "id-pe" */
+&(nid_objs[261]),/* "id-pkip" */
+&(nid_objs[258]),/* "id-pkix-mod" */
+&(nid_objs[269]),/* "id-pkix1-explicit-88" */
+&(nid_objs[271]),/* "id-pkix1-explicit-93" */
+&(nid_objs[270]),/* "id-pkix1-implicit-88" */
+&(nid_objs[272]),/* "id-pkix1-implicit-93" */
+&(nid_objs[267]),/* "id-qcs" */
+&(nid_objs[359]),/* "id-qcs-pkixQCSyntax-v1" */
+&(nid_objs[259]),/* "id-qt" */
+&(nid_objs[313]),/* "id-regCtrl" */
+&(nid_objs[316]),/* "id-regCtrl-authenticator" */
+&(nid_objs[319]),/* "id-regCtrl-oldCertID" */
+&(nid_objs[318]),/* "id-regCtrl-pkiArchiveOptions" */
+&(nid_objs[317]),/* "id-regCtrl-pkiPublicationInfo" */
+&(nid_objs[320]),/* "id-regCtrl-protocolEncrKey" */
+&(nid_objs[315]),/* "id-regCtrl-regToken" */
+&(nid_objs[314]),/* "id-regInfo" */
+&(nid_objs[322]),/* "id-regInfo-certReq" */
+&(nid_objs[321]),/* "id-regInfo-utf8Pairs" */
+&(nid_objs[191]),/* "id-smime-aa" */
+&(nid_objs[215]),/* "id-smime-aa-contentHint" */
+&(nid_objs[218]),/* "id-smime-aa-contentIdentifier" */
+&(nid_objs[221]),/* "id-smime-aa-contentReference" */
+&(nid_objs[240]),/* "id-smime-aa-dvcs-dvc" */
+&(nid_objs[217]),/* "id-smime-aa-encapContentType" */
+&(nid_objs[222]),/* "id-smime-aa-encrypKeyPref" */
+&(nid_objs[220]),/* "id-smime-aa-equivalentLabels" */
+&(nid_objs[232]),/* "id-smime-aa-ets-CertificateRefs" */
+&(nid_objs[233]),/* "id-smime-aa-ets-RevocationRefs" */
+&(nid_objs[238]),/* "id-smime-aa-ets-archiveTimeStamp" */
+&(nid_objs[237]),/* "id-smime-aa-ets-certCRLTimestamp" */
+&(nid_objs[234]),/* "id-smime-aa-ets-certValues" */
+&(nid_objs[227]),/* "id-smime-aa-ets-commitmentType" */
+&(nid_objs[231]),/* "id-smime-aa-ets-contentTimestamp" */
+&(nid_objs[236]),/* "id-smime-aa-ets-escTimeStamp" */
+&(nid_objs[230]),/* "id-smime-aa-ets-otherSigCert" */
+&(nid_objs[235]),/* "id-smime-aa-ets-revocationValues" */
+&(nid_objs[226]),/* "id-smime-aa-ets-sigPolicyId" */
+&(nid_objs[229]),/* "id-smime-aa-ets-signerAttr" */
+&(nid_objs[228]),/* "id-smime-aa-ets-signerLocation" */
+&(nid_objs[219]),/* "id-smime-aa-macValue" */
+&(nid_objs[214]),/* "id-smime-aa-mlExpandHistory" */
+&(nid_objs[216]),/* "id-smime-aa-msgSigDigest" */
+&(nid_objs[212]),/* "id-smime-aa-receiptRequest" */
+&(nid_objs[213]),/* "id-smime-aa-securityLabel" */
+&(nid_objs[239]),/* "id-smime-aa-signatureType" */
+&(nid_objs[223]),/* "id-smime-aa-signingCertificate" */
+&(nid_objs[224]),/* "id-smime-aa-smimeEncryptCerts" */
+&(nid_objs[225]),/* "id-smime-aa-timeStampToken" */
+&(nid_objs[192]),/* "id-smime-alg" */
+&(nid_objs[243]),/* "id-smime-alg-3DESwrap" */
+&(nid_objs[246]),/* "id-smime-alg-CMS3DESwrap" */
+&(nid_objs[247]),/* "id-smime-alg-CMSRC2wrap" */
+&(nid_objs[245]),/* "id-smime-alg-ESDH" */
+&(nid_objs[241]),/* "id-smime-alg-ESDHwith3DES" */
+&(nid_objs[242]),/* "id-smime-alg-ESDHwithRC2" */
+&(nid_objs[244]),/* "id-smime-alg-RC2wrap" */
+&(nid_objs[193]),/* "id-smime-cd" */
+&(nid_objs[248]),/* "id-smime-cd-ldap" */
+&(nid_objs[190]),/* "id-smime-ct" */
+&(nid_objs[210]),/* "id-smime-ct-DVCSRequestData" */
+&(nid_objs[211]),/* "id-smime-ct-DVCSResponseData" */
+&(nid_objs[208]),/* "id-smime-ct-TDTInfo" */
+&(nid_objs[207]),/* "id-smime-ct-TSTInfo" */
+&(nid_objs[205]),/* "id-smime-ct-authData" */
+&(nid_objs[209]),/* "id-smime-ct-contentInfo" */
+&(nid_objs[206]),/* "id-smime-ct-publishCert" */
+&(nid_objs[204]),/* "id-smime-ct-receipt" */
+&(nid_objs[195]),/* "id-smime-cti" */
+&(nid_objs[255]),/* "id-smime-cti-ets-proofOfApproval" */
+&(nid_objs[256]),/* "id-smime-cti-ets-proofOfCreation" */
+&(nid_objs[253]),/* "id-smime-cti-ets-proofOfDelivery" */
+&(nid_objs[251]),/* "id-smime-cti-ets-proofOfOrigin" */
+&(nid_objs[252]),/* "id-smime-cti-ets-proofOfReceipt" */
+&(nid_objs[254]),/* "id-smime-cti-ets-proofOfSender" */
+&(nid_objs[189]),/* "id-smime-mod" */
+&(nid_objs[196]),/* "id-smime-mod-cms" */
+&(nid_objs[197]),/* "id-smime-mod-ess" */
+&(nid_objs[202]),/* "id-smime-mod-ets-eSigPolicy-88" */
+&(nid_objs[203]),/* "id-smime-mod-ets-eSigPolicy-97" */
+&(nid_objs[200]),/* "id-smime-mod-ets-eSignature-88" */
+&(nid_objs[201]),/* "id-smime-mod-ets-eSignature-97" */
+&(nid_objs[199]),/* "id-smime-mod-msg-v3" */
+&(nid_objs[198]),/* "id-smime-mod-oid" */
+&(nid_objs[194]),/* "id-smime-spq" */
+&(nid_objs[250]),/* "id-smime-spq-ets-sqt-unotice" */
+&(nid_objs[249]),/* "id-smime-spq-ets-sqt-uri" */
+&(nid_objs[34]),/* "idea-cbc" */
+&(nid_objs[35]),/* "idea-cfb" */
+&(nid_objs[36]),/* "idea-ecb" */
+&(nid_objs[46]),/* "idea-ofb" */
+&(nid_objs[461]),/* "info" */
+&(nid_objs[101]),/* "initials" */
+&(nid_objs[181]),/* "iso" */
+&(nid_objs[492]),/* "janetMailbox" */
+&(nid_objs[393]),/* "joint-iso-ccitt" */
+&(nid_objs[150]),/* "keyBag" */
+&(nid_objs[477]),/* "lastModifiedBy" */
+&(nid_objs[476]),/* "lastModifiedTime" */
+&(nid_objs[157]),/* "localKeyID" */
+&(nid_objs[15]),/* "localityName" */
+&(nid_objs[480]),/* "mXRecord" */
+&(nid_objs[493]),/* "mailPreferenceOption" */
+&(nid_objs[467]),/* "manager" */
+&(nid_objs[ 3]),/* "md2" */
+&(nid_objs[ 7]),/* "md2WithRSAEncryption" */
+&(nid_objs[257]),/* "md4" */
+&(nid_objs[396]),/* "md4WithRSAEncryption" */
+&(nid_objs[ 4]),/* "md5" */
+&(nid_objs[114]),/* "md5-sha1" */
+&(nid_objs[104]),/* "md5WithRSA" */
+&(nid_objs[ 8]),/* "md5WithRSAEncryption" */
+&(nid_objs[95]),/* "mdc2" */
+&(nid_objs[96]),/* "mdc2WithRSA" */
+&(nid_objs[51]),/* "messageDigest" */
+&(nid_objs[506]),/* "mime-mhs-bodies" */
+&(nid_objs[505]),/* "mime-mhs-headings" */
+&(nid_objs[488]),/* "mobileTelephoneNumber" */
+&(nid_objs[481]),/* "nSRecord" */
+&(nid_objs[173]),/* "name" */
+&(nid_objs[379]),/* "org" */
+&(nid_objs[17]),/* "organizationName" */
+&(nid_objs[491]),/* "organizationalStatus" */
+&(nid_objs[18]),/* "organizationalUnitName" */
+&(nid_objs[475]),/* "otherMailbox" */
+&(nid_objs[489]),/* "pagerTelephoneNumber" */
+&(nid_objs[374]),/* "path" */
+&(nid_objs[ 9]),/* "pbeWithMD2AndDES-CBC" */
+&(nid_objs[168]),/* "pbeWithMD2AndRC2-CBC" */
+&(nid_objs[112]),/* "pbeWithMD5AndCast5CBC" */
+&(nid_objs[10]),/* "pbeWithMD5AndDES-CBC" */
+&(nid_objs[169]),/* "pbeWithMD5AndRC2-CBC" */
+&(nid_objs[148]),/* "pbeWithSHA1And128BitRC2-CBC" */
+&(nid_objs[144]),/* "pbeWithSHA1And128BitRC4" */
+&(nid_objs[147]),/* "pbeWithSHA1And2-KeyTripleDES-CBC" */
+&(nid_objs[146]),/* "pbeWithSHA1And3-KeyTripleDES-CBC" */
+&(nid_objs[149]),/* "pbeWithSHA1And40BitRC2-CBC" */
+&(nid_objs[145]),/* "pbeWithSHA1And40BitRC4" */
+&(nid_objs[170]),/* "pbeWithSHA1AndDES-CBC" */
+&(nid_objs[68]),/* "pbeWithSHA1AndRC2-CBC" */
+&(nid_objs[499]),/* "personalSignature" */
+&(nid_objs[487]),/* "personalTitle" */
+&(nid_objs[464]),/* "photo" */
+&(nid_objs[437]),/* "pilot" */
+&(nid_objs[439]),/* "pilotAttributeSyntax" */
+&(nid_objs[438]),/* "pilotAttributeType" */
+&(nid_objs[479]),/* "pilotAttributeType27" */
+&(nid_objs[456]),/* "pilotDSA" */
+&(nid_objs[441]),/* "pilotGroups" */
+&(nid_objs[444]),/* "pilotObject" */
+&(nid_objs[440]),/* "pilotObjectClass" */
+&(nid_objs[455]),/* "pilotOrganization" */
+&(nid_objs[445]),/* "pilotPerson" */
+&(nid_objs[186]),/* "pkcs1" */
+&(nid_objs[27]),/* "pkcs3" */
+&(nid_objs[187]),/* "pkcs5" */
+&(nid_objs[20]),/* "pkcs7" */
+&(nid_objs[21]),/* "pkcs7-data" */
+&(nid_objs[25]),/* "pkcs7-digestData" */
+&(nid_objs[26]),/* "pkcs7-encryptedData" */
+&(nid_objs[23]),/* "pkcs7-envelopedData" */
+&(nid_objs[24]),/* "pkcs7-signedAndEnvelopedData" */
+&(nid_objs[22]),/* "pkcs7-signedData" */
+&(nid_objs[151]),/* "pkcs8ShroudedKeyBag" */
+&(nid_objs[47]),/* "pkcs9" */
+&(nid_objs[406]),/* "prime-field" */
+&(nid_objs[409]),/* "prime192v1" */
+&(nid_objs[410]),/* "prime192v2" */
+&(nid_objs[411]),/* "prime192v3" */
+&(nid_objs[412]),/* "prime239v1" */
+&(nid_objs[413]),/* "prime239v2" */
+&(nid_objs[414]),/* "prime239v3" */
+&(nid_objs[415]),/* "prime256v1" */
+&(nid_objs[435]),/* "pss" */
+&(nid_objs[286]),/* "qcStatements" */
+&(nid_objs[457]),/* "qualityLabelledData" */
+&(nid_objs[450]),/* "rFC822localPart" */
+&(nid_objs[98]),/* "rc2-40-cbc" */
+&(nid_objs[166]),/* "rc2-64-cbc" */
+&(nid_objs[37]),/* "rc2-cbc" */
+&(nid_objs[39]),/* "rc2-cfb" */
+&(nid_objs[38]),/* "rc2-ecb" */
+&(nid_objs[40]),/* "rc2-ofb" */
+&(nid_objs[ 5]),/* "rc4" */
+&(nid_objs[97]),/* "rc4-40" */
+&(nid_objs[120]),/* "rc5-cbc" */
+&(nid_objs[122]),/* "rc5-cfb" */
+&(nid_objs[121]),/* "rc5-ecb" */
+&(nid_objs[123]),/* "rc5-ofb" */
+&(nid_objs[460]),/* "rfc822Mailbox" */
+&(nid_objs[117]),/* "ripemd160" */
+&(nid_objs[119]),/* "ripemd160WithRSA" */
+&(nid_objs[400]),/* "role" */
+&(nid_objs[448]),/* "room" */
+&(nid_objs[463]),/* "roomNumber" */
+&(nid_objs[19]),/* "rsa" */
+&(nid_objs[ 6]),/* "rsaEncryption" */
+&(nid_objs[377]),/* "rsaSignature" */
+&(nid_objs[124]),/* "run length compression" */
+&(nid_objs[482]),/* "sOARecord" */
+&(nid_objs[155]),/* "safeContentsBag" */
+&(nid_objs[291]),/* "sbqp-autonomousSysNum" */
+&(nid_objs[290]),/* "sbqp-ipAddrBlock" */
+&(nid_objs[292]),/* "sbqp-routerIdentifier" */
+&(nid_objs[159]),/* "sdsiCertificate" */
+&(nid_objs[154]),/* "secretBag" */
+&(nid_objs[474]),/* "secretary" */
+&(nid_objs[105]),/* "serialNumber" */
+&(nid_objs[41]),/* "sha" */
+&(nid_objs[64]),/* "sha1" */
+&(nid_objs[115]),/* "sha1WithRSA" */
+&(nid_objs[65]),/* "sha1WithRSAEncryption" */
+&(nid_objs[42]),/* "shaWithRSAEncryption" */
+&(nid_objs[52]),/* "signingTime" */
+&(nid_objs[454]),/* "simpleSecurityObject" */
+&(nid_objs[496]),/* "singleLevelQuality" */
+&(nid_objs[16]),/* "stateOrProvinceName" */
+&(nid_objs[498]),/* "subtreeMaximumQuality" */
+&(nid_objs[497]),/* "subtreeMinimumQuality" */
+&(nid_objs[100]),/* "surname" */
+&(nid_objs[459]),/* "textEncodedORAddress" */
+&(nid_objs[293]),/* "textNotice" */
+&(nid_objs[106]),/* "title" */
+&(nid_objs[436]),/* "ucl" */
+&(nid_objs[ 0]),/* "undefined" */
+&(nid_objs[55]),/* "unstructuredAddress" */
+&(nid_objs[49]),/* "unstructuredName" */
+&(nid_objs[465]),/* "userClass" */
+&(nid_objs[458]),/* "userId" */
+&(nid_objs[373]),/* "valid" */
+&(nid_objs[503]),/* "x500UniqueIdentifier" */
+&(nid_objs[158]),/* "x509Certificate" */
+&(nid_objs[160]),/* "x509Crl" */
+&(nid_objs[125]),/* "zlib compression" */
+};
+
+static ASN1_OBJECT *obj_objs[NUM_OBJ]={
+&(nid_objs[ 0]),/* OBJ_undef                        0 */
+&(nid_objs[404]),/* OBJ_ccitt                        0 */
+&(nid_objs[434]),/* OBJ_data                         0 9 */
+&(nid_objs[181]),/* OBJ_iso                          1 */
+&(nid_objs[182]),/* OBJ_member_body                  1 2 */
+&(nid_objs[379]),/* OBJ_org                          1 3 */
+&(nid_objs[393]),/* OBJ_joint_iso_ccitt              2 */
+&(nid_objs[11]),/* OBJ_X500                         2 5 */
+&(nid_objs[380]),/* OBJ_dod                          1 3 6 */
+&(nid_objs[12]),/* OBJ_X509                         2 5 4 */
+&(nid_objs[378]),/* OBJ_X500algorithms               2 5 8 */
+&(nid_objs[81]),/* OBJ_id_ce                        2 5 29 */
+&(nid_objs[435]),/* OBJ_pss                          0 9 2342 */
+&(nid_objs[183]),/* OBJ_ISO_US                       1 2 840 */
+&(nid_objs[381]),/* OBJ_iana                         1 3 6 1 */
+&(nid_objs[394]),/* OBJ_selected_attribute_types     2 5 1 5 */
+&(nid_objs[13]),/* OBJ_commonName                   2 5 4 3 */
+&(nid_objs[100]),/* OBJ_surname                      2 5 4 4 */
+&(nid_objs[105]),/* OBJ_serialNumber                 2 5 4 5 */
+&(nid_objs[14]),/* OBJ_countryName                  2 5 4 6 */
+&(nid_objs[15]),/* OBJ_localityName                 2 5 4 7 */
+&(nid_objs[16]),/* OBJ_stateOrProvinceName          2 5 4 8 */
+&(nid_objs[17]),/* OBJ_organizationName             2 5 4 10 */
+&(nid_objs[18]),/* OBJ_organizationalUnitName       2 5 4 11 */
+&(nid_objs[106]),/* OBJ_title                        2 5 4 12 */
+&(nid_objs[107]),/* OBJ_description                  2 5 4 13 */
+&(nid_objs[173]),/* OBJ_name                         2 5 4 41 */
+&(nid_objs[99]),/* OBJ_givenName                    2 5 4 42 */
+&(nid_objs[101]),/* OBJ_initials                     2 5 4 43 */
+&(nid_objs[509]),/* OBJ_generationQualifier          2 5 4 44 */
+&(nid_objs[503]),/* OBJ_x500UniqueIdentifier         2 5 4 45 */
+&(nid_objs[174]),/* OBJ_dnQualifier                  2 5 4 46 */
+&(nid_objs[400]),/* OBJ_role                         2 5 4 72 */
+&(nid_objs[82]),/* OBJ_subject_key_identifier       2 5 29 14 */
+&(nid_objs[83]),/* OBJ_key_usage                    2 5 29 15 */
+&(nid_objs[84]),/* OBJ_private_key_usage_period     2 5 29 16 */
+&(nid_objs[85]),/* OBJ_subject_alt_name             2 5 29 17 */
+&(nid_objs[86]),/* OBJ_issuer_alt_name              2 5 29 18 */
+&(nid_objs[87]),/* OBJ_basic_constraints            2 5 29 19 */
+&(nid_objs[88]),/* OBJ_crl_number                   2 5 29 20 */
+&(nid_objs[141]),/* OBJ_crl_reason                   2 5 29 21 */
+&(nid_objs[430]),/* OBJ_hold_instruction_code        2 5 29 23 */
+&(nid_objs[142]),/* OBJ_invalidity_date              2 5 29 24 */
+&(nid_objs[140]),/* OBJ_delta_crl                    2 5 29 27 */
+&(nid_objs[103]),/* OBJ_crl_distribution_points      2 5 29 31 */
+&(nid_objs[89]),/* OBJ_certificate_policies         2 5 29 32 */
+&(nid_objs[90]),/* OBJ_authority_key_identifier     2 5 29 35 */
+&(nid_objs[401]),/* OBJ_policy_constraints           2 5 29 36 */
+&(nid_objs[126]),/* OBJ_ext_key_usage                2 5 29 37 */
+&(nid_objs[402]),/* OBJ_target_information           2 5 29 55 */
+&(nid_objs[403]),/* OBJ_no_rev_avail                 2 5 29 56 */
+&(nid_objs[382]),/* OBJ_Directory                    1 3 6 1 1 */
+&(nid_objs[383]),/* OBJ_Management                   1 3 6 1 2 */
+&(nid_objs[384]),/* OBJ_Experimental                 1 3 6 1 3 */
+&(nid_objs[385]),/* OBJ_Private                      1 3 6 1 4 */
+&(nid_objs[386]),/* OBJ_Security                     1 3 6 1 5 */
+&(nid_objs[387]),/* OBJ_SNMPv2                       1 3 6 1 6 */
+&(nid_objs[388]),/* OBJ_Mail                         1 3 6 1 7 */
+&(nid_objs[376]),/* OBJ_algorithm                    1 3 14 3 2 */
+&(nid_objs[395]),/* OBJ_clearance                    2 5 1 5 55 */
+&(nid_objs[19]),/* OBJ_rsa                          2 5 8 1 1 */
+&(nid_objs[96]),/* OBJ_mdc2WithRSA                  2 5 8 3 100 */
+&(nid_objs[95]),/* OBJ_mdc2                         2 5 8 3 101 */
+&(nid_objs[184]),/* OBJ_X9_57                        1 2 840 10040 */
+&(nid_objs[405]),/* OBJ_ansi_X9_62                   1 2 840 10045 */
+&(nid_objs[389]),/* OBJ_Enterprises                  1 3 6 1 4 1 */
+&(nid_objs[504]),/* OBJ_mime_mhs                     1 3 6 1 7 1 */
+&(nid_objs[104]),/* OBJ_md5WithRSA                   1 3 14 3 2 3 */
+&(nid_objs[29]),/* OBJ_des_ecb                      1 3 14 3 2 6 */
+&(nid_objs[31]),/* OBJ_des_cbc                      1 3 14 3 2 7 */
+&(nid_objs[45]),/* OBJ_des_ofb64                    1 3 14 3 2 8 */
+&(nid_objs[30]),/* OBJ_des_cfb64                    1 3 14 3 2 9 */
+&(nid_objs[377]),/* OBJ_rsaSignature                 1 3 14 3 2 11 */
+&(nid_objs[67]),/* OBJ_dsa_2                        1 3 14 3 2 12 */
+&(nid_objs[66]),/* OBJ_dsaWithSHA                   1 3 14 3 2 13 */
+&(nid_objs[42]),/* OBJ_shaWithRSAEncryption         1 3 14 3 2 15 */
+&(nid_objs[32]),/* OBJ_des_ede_ecb                  1 3 14 3 2 17 */
+&(nid_objs[41]),/* OBJ_sha                          1 3 14 3 2 18 */
+&(nid_objs[64]),/* OBJ_sha1                         1 3 14 3 2 26 */
+&(nid_objs[70]),/* OBJ_dsaWithSHA1_2                1 3 14 3 2 27 */
+&(nid_objs[115]),/* OBJ_sha1WithRSA                  1 3 14 3 2 29 */
+&(nid_objs[117]),/* OBJ_ripemd160                    1 3 36 3 2 1 */
+&(nid_objs[143]),/* OBJ_sxnet                        1 3 101 1 4 1 */
+&(nid_objs[124]),/* OBJ_rle_compression              1 1 1 1 666 1 */
+&(nid_objs[125]),/* OBJ_zlib_compression             1 1 1 1 666 2 */
+&(nid_objs[ 1]),/* OBJ_rsadsi                       1 2 840 113549 */
+&(nid_objs[185]),/* OBJ_X9cm                         1 2 840 10040 4 */
+&(nid_objs[127]),/* OBJ_id_pkix                      1 3 6 1 5 5 7 */
+&(nid_objs[505]),/* OBJ_mime_mhs_headings            1 3 6 1 7 1 1 */
+&(nid_objs[506]),/* OBJ_mime_mhs_bodies              1 3 6 1 7 1 2 */
+&(nid_objs[119]),/* OBJ_ripemd160WithRSA             1 3 36 3 3 1 2 */
+&(nid_objs[436]),/* OBJ_ucl                          0 9 2342 19200300 */
+&(nid_objs[ 2]),/* OBJ_pkcs                         1 2 840 113549 1 */
+&(nid_objs[431]),/* OBJ_hold_instruction_none        1 2 840 10040 2 1 */
+&(nid_objs[432]),/* OBJ_hold_instruction_call_issuer 1 2 840 10040 2 2 */
+&(nid_objs[433]),/* OBJ_hold_instruction_reject      1 2 840 10040 2 3 */
+&(nid_objs[116]),/* OBJ_dsa                          1 2 840 10040 4 1 */
+&(nid_objs[113]),/* OBJ_dsaWithSHA1                  1 2 840 10040 4 3 */
+&(nid_objs[406]),/* OBJ_X9_62_prime_field            1 2 840 10045 1 1 */
+&(nid_objs[407]),/* OBJ_X9_62_characteristic_two_field 1 2 840 10045 1 2 */
+&(nid_objs[408]),/* OBJ_X9_62_id_ecPublicKey         1 2 840 10045 2 1 */
+&(nid_objs[416]),/* OBJ_ecdsa_with_SHA1              1 2 840 10045 4 1 */
+&(nid_objs[258]),/* OBJ_id_pkix_mod                  1 3 6 1 5 5 7 0 */
+&(nid_objs[175]),/* OBJ_id_pe                        1 3 6 1 5 5 7 1 */
+&(nid_objs[259]),/* OBJ_id_qt                        1 3 6 1 5 5 7 2 */
+&(nid_objs[128]),/* OBJ_id_kp                        1 3 6 1 5 5 7 3 */
+&(nid_objs[260]),/* OBJ_id_it                        1 3 6 1 5 5 7 4 */
+&(nid_objs[261]),/* OBJ_id_pkip                      1 3 6 1 5 5 7 5 */
+&(nid_objs[262]),/* OBJ_id_alg                       1 3 6 1 5 5 7 6 */
+&(nid_objs[263]),/* OBJ_id_cmc                       1 3 6 1 5 5 7 7 */
+&(nid_objs[264]),/* OBJ_id_on                        1 3 6 1 5 5 7 8 */
+&(nid_objs[265]),/* OBJ_id_pda                       1 3 6 1 5 5 7 9 */
+&(nid_objs[266]),/* OBJ_id_aca                       1 3 6 1 5 5 7 10 */
+&(nid_objs[267]),/* OBJ_id_qcs                       1 3 6 1 5 5 7 11 */
+&(nid_objs[268]),/* OBJ_id_cct                       1 3 6 1 5 5 7 12 */
+&(nid_objs[176]),/* OBJ_id_ad                        1 3 6 1 5 5 7 48 */
+&(nid_objs[507]),/* OBJ_id_hex_partial_message       1 3 6 1 7 1 1 1 */
+&(nid_objs[508]),/* OBJ_id_hex_multipart_message     1 3 6 1 7 1 1 2 */
+&(nid_objs[57]),/* OBJ_netscape                     2 16 840 1 113730 */
+&(nid_objs[437]),/* OBJ_pilot                        0 9 2342 19200300 100 */
+&(nid_objs[186]),/* OBJ_pkcs1                        1 2 840 113549 1 1 */
+&(nid_objs[27]),/* OBJ_pkcs3                        1 2 840 113549 1 3 */
+&(nid_objs[187]),/* OBJ_pkcs5                        1 2 840 113549 1 5 */
+&(nid_objs[20]),/* OBJ_pkcs7                        1 2 840 113549 1 7 */
+&(nid_objs[47]),/* OBJ_pkcs9                        1 2 840 113549 1 9 */
+&(nid_objs[ 3]),/* OBJ_md2                          1 2 840 113549 2 2 */
+&(nid_objs[257]),/* OBJ_md4                          1 2 840 113549 2 4 */
+&(nid_objs[ 4]),/* OBJ_md5                          1 2 840 113549 2 5 */
+&(nid_objs[163]),/* OBJ_hmacWithSHA1                 1 2 840 113549 2 7 */
+&(nid_objs[37]),/* OBJ_rc2_cbc                      1 2 840 113549 3 2 */
+&(nid_objs[ 5]),/* OBJ_rc4                          1 2 840 113549 3 4 */
+&(nid_objs[44]),/* OBJ_des_ede3_cbc                 1 2 840 113549 3 7 */
+&(nid_objs[120]),/* OBJ_rc5_cbc                      1 2 840 113549 3 8 */
+&(nid_objs[409]),/* OBJ_X9_62_prime192v1             1 2 840 10045 3 1 1 */
+&(nid_objs[410]),/* OBJ_X9_62_prime192v2             1 2 840 10045 3 1 2 */
+&(nid_objs[411]),/* OBJ_X9_62_prime192v3             1 2 840 10045 3 1 3 */
+&(nid_objs[412]),/* OBJ_X9_62_prime239v1             1 2 840 10045 3 1 4 */
+&(nid_objs[413]),/* OBJ_X9_62_prime239v2             1 2 840 10045 3 1 5 */
+&(nid_objs[414]),/* OBJ_X9_62_prime239v3             1 2 840 10045 3 1 6 */
+&(nid_objs[415]),/* OBJ_X9_62_prime256v1             1 2 840 10045 3 1 7 */
+&(nid_objs[269]),/* OBJ_id_pkix1_explicit_88         1 3 6 1 5 5 7 0 1 */
+&(nid_objs[270]),/* OBJ_id_pkix1_implicit_88         1 3 6 1 5 5 7 0 2 */
+&(nid_objs[271]),/* OBJ_id_pkix1_explicit_93         1 3 6 1 5 5 7 0 3 */
+&(nid_objs[272]),/* OBJ_id_pkix1_implicit_93         1 3 6 1 5 5 7 0 4 */
+&(nid_objs[273]),/* OBJ_id_mod_crmf                  1 3 6 1 5 5 7 0 5 */
+&(nid_objs[274]),/* OBJ_id_mod_cmc                   1 3 6 1 5 5 7 0 6 */
+&(nid_objs[275]),/* OBJ_id_mod_kea_profile_88        1 3 6 1 5 5 7 0 7 */
+&(nid_objs[276]),/* OBJ_id_mod_kea_profile_93        1 3 6 1 5 5 7 0 8 */
+&(nid_objs[277]),/* OBJ_id_mod_cmp                   1 3 6 1 5 5 7 0 9 */
+&(nid_objs[278]),/* OBJ_id_mod_qualified_cert_88     1 3 6 1 5 5 7 0 10 */
+&(nid_objs[279]),/* OBJ_id_mod_qualified_cert_93     1 3 6 1 5 5 7 0 11 */
+&(nid_objs[280]),/* OBJ_id_mod_attribute_cert        1 3 6 1 5 5 7 0 12 */
+&(nid_objs[281]),/* OBJ_id_mod_timestamp_protocol    1 3 6 1 5 5 7 0 13 */
+&(nid_objs[282]),/* OBJ_id_mod_ocsp                  1 3 6 1 5 5 7 0 14 */
+&(nid_objs[283]),/* OBJ_id_mod_dvcs                  1 3 6 1 5 5 7 0 15 */
+&(nid_objs[284]),/* OBJ_id_mod_cmp2000               1 3 6 1 5 5 7 0 16 */
+&(nid_objs[177]),/* OBJ_info_access                  1 3 6 1 5 5 7 1 1 */
+&(nid_objs[285]),/* OBJ_biometricInfo                1 3 6 1 5 5 7 1 2 */
+&(nid_objs[286]),/* OBJ_qcStatements                 1 3 6 1 5 5 7 1 3 */
+&(nid_objs[287]),/* OBJ_ac_auditEntity               1 3 6 1 5 5 7 1 4 */
+&(nid_objs[288]),/* OBJ_ac_targeting                 1 3 6 1 5 5 7 1 5 */
+&(nid_objs[289]),/* OBJ_aaControls                   1 3 6 1 5 5 7 1 6 */
+&(nid_objs[290]),/* OBJ_sbqp_ipAddrBlock             1 3 6 1 5 5 7 1 7 */
+&(nid_objs[291]),/* OBJ_sbqp_autonomousSysNum        1 3 6 1 5 5 7 1 8 */
+&(nid_objs[292]),/* OBJ_sbqp_routerIdentifier        1 3 6 1 5 5 7 1 9 */
+&(nid_objs[397]),/* OBJ_ac_proxying                  1 3 6 1 5 5 7 1 10 */
+&(nid_objs[398]),/* OBJ_sinfo_access                 1 3 6 1 5 5 7 1 11 */
+&(nid_objs[164]),/* OBJ_id_qt_cps                    1 3 6 1 5 5 7 2 1 */
+&(nid_objs[165]),/* OBJ_id_qt_unotice                1 3 6 1 5 5 7 2 2 */
+&(nid_objs[293]),/* OBJ_textNotice                   1 3 6 1 5 5 7 2 3 */
+&(nid_objs[129]),/* OBJ_server_auth                  1 3 6 1 5 5 7 3 1 */
+&(nid_objs[130]),/* OBJ_client_auth                  1 3 6 1 5 5 7 3 2 */
+&(nid_objs[131]),/* OBJ_code_sign                    1 3 6 1 5 5 7 3 3 */
+&(nid_objs[132]),/* OBJ_email_protect                1 3 6 1 5 5 7 3 4 */
+&(nid_objs[294]),/* OBJ_ipsecEndSystem               1 3 6 1 5 5 7 3 5 */
+&(nid_objs[295]),/* OBJ_ipsecTunnel                  1 3 6 1 5 5 7 3 6 */
+&(nid_objs[296]),/* OBJ_ipsecUser                    1 3 6 1 5 5 7 3 7 */
+&(nid_objs[133]),/* OBJ_time_stamp                   1 3 6 1 5 5 7 3 8 */
+&(nid_objs[180]),/* OBJ_OCSP_sign                    1 3 6 1 5 5 7 3 9 */
+&(nid_objs[297]),/* OBJ_dvcs                         1 3 6 1 5 5 7 3 10 */
+&(nid_objs[298]),/* OBJ_id_it_caProtEncCert          1 3 6 1 5 5 7 4 1 */
+&(nid_objs[299]),/* OBJ_id_it_signKeyPairTypes       1 3 6 1 5 5 7 4 2 */
+&(nid_objs[300]),/* OBJ_id_it_encKeyPairTypes        1 3 6 1 5 5 7 4 3 */
+&(nid_objs[301]),/* OBJ_id_it_preferredSymmAlg       1 3 6 1 5 5 7 4 4 */
+&(nid_objs[302]),/* OBJ_id_it_caKeyUpdateInfo        1 3 6 1 5 5 7 4 5 */
+&(nid_objs[303]),/* OBJ_id_it_currentCRL             1 3 6 1 5 5 7 4 6 */
+&(nid_objs[304]),/* OBJ_id_it_unsupportedOIDs        1 3 6 1 5 5 7 4 7 */
+&(nid_objs[305]),/* OBJ_id_it_subscriptionRequest    1 3 6 1 5 5 7 4 8 */
+&(nid_objs[306]),/* OBJ_id_it_subscriptionResponse   1 3 6 1 5 5 7 4 9 */
+&(nid_objs[307]),/* OBJ_id_it_keyPairParamReq        1 3 6 1 5 5 7 4 10 */
+&(nid_objs[308]),/* OBJ_id_it_keyPairParamRep        1 3 6 1 5 5 7 4 11 */
+&(nid_objs[309]),/* OBJ_id_it_revPassphrase          1 3 6 1 5 5 7 4 12 */
+&(nid_objs[310]),/* OBJ_id_it_implicitConfirm        1 3 6 1 5 5 7 4 13 */
+&(nid_objs[311]),/* OBJ_id_it_confirmWaitTime        1 3 6 1 5 5 7 4 14 */
+&(nid_objs[312]),/* OBJ_id_it_origPKIMessage         1 3 6 1 5 5 7 4 15 */
+&(nid_objs[313]),/* OBJ_id_regCtrl                   1 3 6 1 5 5 7 5 1 */
+&(nid_objs[314]),/* OBJ_id_regInfo                   1 3 6 1 5 5 7 5 2 */
+&(nid_objs[323]),/* OBJ_id_alg_des40                 1 3 6 1 5 5 7 6 1 */
+&(nid_objs[324]),/* OBJ_id_alg_noSignature           1 3 6 1 5 5 7 6 2 */
+&(nid_objs[325]),/* OBJ_id_alg_dh_sig_hmac_sha1      1 3 6 1 5 5 7 6 3 */
+&(nid_objs[326]),/* OBJ_id_alg_dh_pop                1 3 6 1 5 5 7 6 4 */
+&(nid_objs[327]),/* OBJ_id_cmc_statusInfo            1 3 6 1 5 5 7 7 1 */
+&(nid_objs[328]),/* OBJ_id_cmc_identification        1 3 6 1 5 5 7 7 2 */
+&(nid_objs[329]),/* OBJ_id_cmc_identityProof         1 3 6 1 5 5 7 7 3 */
+&(nid_objs[330]),/* OBJ_id_cmc_dataReturn            1 3 6 1 5 5 7 7 4 */
+&(nid_objs[331]),/* OBJ_id_cmc_transactionId         1 3 6 1 5 5 7 7 5 */
+&(nid_objs[332]),/* OBJ_id_cmc_senderNonce           1 3 6 1 5 5 7 7 6 */
+&(nid_objs[333]),/* OBJ_id_cmc_recipientNonce        1 3 6 1 5 5 7 7 7 */
+&(nid_objs[334]),/* OBJ_id_cmc_addExtensions         1 3 6 1 5 5 7 7 8 */
+&(nid_objs[335]),/* OBJ_id_cmc_encryptedPOP          1 3 6 1 5 5 7 7 9 */
+&(nid_objs[336]),/* OBJ_id_cmc_decryptedPOP          1 3 6 1 5 5 7 7 10 */
+&(nid_objs[337]),/* OBJ_id_cmc_lraPOPWitness         1 3 6 1 5 5 7 7 11 */
+&(nid_objs[338]),/* OBJ_id_cmc_getCert               1 3 6 1 5 5 7 7 15 */
+&(nid_objs[339]),/* OBJ_id_cmc_getCRL                1 3 6 1 5 5 7 7 16 */
+&(nid_objs[340]),/* OBJ_id_cmc_revokeRequest         1 3 6 1 5 5 7 7 17 */
+&(nid_objs[341]),/* OBJ_id_cmc_regInfo               1 3 6 1 5 5 7 7 18 */
+&(nid_objs[342]),/* OBJ_id_cmc_responseInfo          1 3 6 1 5 5 7 7 19 */
+&(nid_objs[343]),/* OBJ_id_cmc_queryPending          1 3 6 1 5 5 7 7 21 */
+&(nid_objs[344]),/* OBJ_id_cmc_popLinkRandom         1 3 6 1 5 5 7 7 22 */
+&(nid_objs[345]),/* OBJ_id_cmc_popLinkWitness        1 3 6 1 5 5 7 7 23 */
+&(nid_objs[346]),/* OBJ_id_cmc_confirmCertAcceptance 1 3 6 1 5 5 7 7 24 */
+&(nid_objs[347]),/* OBJ_id_on_personalData           1 3 6 1 5 5 7 8 1 */
+&(nid_objs[348]),/* OBJ_id_pda_dateOfBirth           1 3 6 1 5 5 7 9 1 */
+&(nid_objs[349]),/* OBJ_id_pda_placeOfBirth          1 3 6 1 5 5 7 9 2 */
+&(nid_objs[351]),/* OBJ_id_pda_gender                1 3 6 1 5 5 7 9 3 */
+&(nid_objs[352]),/* OBJ_id_pda_countryOfCitizenship  1 3 6 1 5 5 7 9 4 */
+&(nid_objs[353]),/* OBJ_id_pda_countryOfResidence    1 3 6 1 5 5 7 9 5 */
+&(nid_objs[354]),/* OBJ_id_aca_authenticationInfo    1 3 6 1 5 5 7 10 1 */
+&(nid_objs[355]),/* OBJ_id_aca_accessIdentity        1 3 6 1 5 5 7 10 2 */
+&(nid_objs[356]),/* OBJ_id_aca_chargingIdentity      1 3 6 1 5 5 7 10 3 */
+&(nid_objs[357]),/* OBJ_id_aca_group                 1 3 6 1 5 5 7 10 4 */
+&(nid_objs[358]),/* OBJ_id_aca_role                  1 3 6 1 5 5 7 10 5 */
+&(nid_objs[399]),/* OBJ_id_aca_encAttrs              1 3 6 1 5 5 7 10 6 */
+&(nid_objs[359]),/* OBJ_id_qcs_pkixQCSyntax_v1       1 3 6 1 5 5 7 11 1 */
+&(nid_objs[360]),/* OBJ_id_cct_crs                   1 3 6 1 5 5 7 12 1 */
+&(nid_objs[361]),/* OBJ_id_cct_PKIData               1 3 6 1 5 5 7 12 2 */
+&(nid_objs[362]),/* OBJ_id_cct_PKIResponse           1 3 6 1 5 5 7 12 3 */
+&(nid_objs[178]),/* OBJ_ad_OCSP                      1 3 6 1 5 5 7 48 1 */
+&(nid_objs[179]),/* OBJ_ad_ca_issuers                1 3 6 1 5 5 7 48 2 */
+&(nid_objs[363]),/* OBJ_ad_timeStamping              1 3 6 1 5 5 7 48 3 */
+&(nid_objs[364]),/* OBJ_ad_dvcs                      1 3 6 1 5 5 7 48 4 */
+&(nid_objs[58]),/* OBJ_netscape_cert_extension      2 16 840 1 113730 1 */
+&(nid_objs[59]),/* OBJ_netscape_data_type           2 16 840 1 113730 2 */
+&(nid_objs[438]),/* OBJ_pilotAttributeType           0 9 2342 19200300 100 1 */
+&(nid_objs[439]),/* OBJ_pilotAttributeSyntax         0 9 2342 19200300 100 3 */
+&(nid_objs[440]),/* OBJ_pilotObjectClass             0 9 2342 19200300 100 4 */
+&(nid_objs[441]),/* OBJ_pilotGroups                  0 9 2342 19200300 100 10 */
+&(nid_objs[108]),/* OBJ_cast5_cbc                    1 2 840 113533 7 66 10 */
+&(nid_objs[112]),/* OBJ_pbeWithMD5AndCast5_CBC       1 2 840 113533 7 66 12 */
+&(nid_objs[ 6]),/* OBJ_rsaEncryption                1 2 840 113549 1 1 1 */
+&(nid_objs[ 7]),/* OBJ_md2WithRSAEncryption         1 2 840 113549 1 1 2 */
+&(nid_objs[396]),/* OBJ_md4WithRSAEncryption         1 2 840 113549 1 1 3 */
+&(nid_objs[ 8]),/* OBJ_md5WithRSAEncryption         1 2 840 113549 1 1 4 */
+&(nid_objs[65]),/* OBJ_sha1WithRSAEncryption        1 2 840 113549 1 1 5 */
+&(nid_objs[28]),/* OBJ_dhKeyAgreement               1 2 840 113549 1 3 1 */
+&(nid_objs[ 9]),/* OBJ_pbeWithMD2AndDES_CBC         1 2 840 113549 1 5 1 */
+&(nid_objs[10]),/* OBJ_pbeWithMD5AndDES_CBC         1 2 840 113549 1 5 3 */
+&(nid_objs[168]),/* OBJ_pbeWithMD2AndRC2_CBC         1 2 840 113549 1 5 4 */
+&(nid_objs[169]),/* OBJ_pbeWithMD5AndRC2_CBC         1 2 840 113549 1 5 6 */
+&(nid_objs[170]),/* OBJ_pbeWithSHA1AndDES_CBC        1 2 840 113549 1 5 10 */
+&(nid_objs[68]),/* OBJ_pbeWithSHA1AndRC2_CBC        1 2 840 113549 1 5 11 */
+&(nid_objs[69]),/* OBJ_id_pbkdf2                    1 2 840 113549 1 5 12 */
+&(nid_objs[161]),/* OBJ_pbes2                        1 2 840 113549 1 5 13 */
+&(nid_objs[162]),/* OBJ_pbmac1                       1 2 840 113549 1 5 14 */
+&(nid_objs[21]),/* OBJ_pkcs7_data                   1 2 840 113549 1 7 1 */
+&(nid_objs[22]),/* OBJ_pkcs7_signed                 1 2 840 113549 1 7 2 */
+&(nid_objs[23]),/* OBJ_pkcs7_enveloped              1 2 840 113549 1 7 3 */
+&(nid_objs[24]),/* OBJ_pkcs7_signedAndEnveloped     1 2 840 113549 1 7 4 */
+&(nid_objs[25]),/* OBJ_pkcs7_digest                 1 2 840 113549 1 7 5 */
+&(nid_objs[26]),/* OBJ_pkcs7_encrypted              1 2 840 113549 1 7 6 */
+&(nid_objs[48]),/* OBJ_pkcs9_emailAddress           1 2 840 113549 1 9 1 */
+&(nid_objs[49]),/* OBJ_pkcs9_unstructuredName       1 2 840 113549 1 9 2 */
+&(nid_objs[50]),/* OBJ_pkcs9_contentType            1 2 840 113549 1 9 3 */
+&(nid_objs[51]),/* OBJ_pkcs9_messageDigest          1 2 840 113549 1 9 4 */
+&(nid_objs[52]),/* OBJ_pkcs9_signingTime            1 2 840 113549 1 9 5 */
+&(nid_objs[53]),/* OBJ_pkcs9_countersignature       1 2 840 113549 1 9 6 */
+&(nid_objs[54]),/* OBJ_pkcs9_challengePassword      1 2 840 113549 1 9 7 */
+&(nid_objs[55]),/* OBJ_pkcs9_unstructuredAddress    1 2 840 113549 1 9 8 */
+&(nid_objs[56]),/* OBJ_pkcs9_extCertAttributes      1 2 840 113549 1 9 9 */
+&(nid_objs[172]),/* OBJ_ext_req                      1 2 840 113549 1 9 14 */
+&(nid_objs[167]),/* OBJ_SMIMECapabilities            1 2 840 113549 1 9 15 */
+&(nid_objs[188]),/* OBJ_SMIME                        1 2 840 113549 1 9 16 */
+&(nid_objs[156]),/* OBJ_friendlyName                 1 2 840 113549 1 9 20 */
+&(nid_objs[157]),/* OBJ_localKeyID                   1 2 840 113549 1 9 21 */
+&(nid_objs[417]),/* OBJ_ms_csp_name                  1 3 6 1 4 1 311 17 1 */
+&(nid_objs[390]),/* OBJ_dcObject                     1 3 6 1 4 1 1466 344 */
+&(nid_objs[91]),/* OBJ_bf_cbc                       1 3 6 1 4 1 3029 1 2 */
+&(nid_objs[315]),/* OBJ_id_regCtrl_regToken          1 3 6 1 5 5 7 5 1 1 */
+&(nid_objs[316]),/* OBJ_id_regCtrl_authenticator     1 3 6 1 5 5 7 5 1 2 */
+&(nid_objs[317]),/* OBJ_id_regCtrl_pkiPublicationInfo 1 3 6 1 5 5 7 5 1 3 */
+&(nid_objs[318]),/* OBJ_id_regCtrl_pkiArchiveOptions 1 3 6 1 5 5 7 5 1 4 */
+&(nid_objs[319]),/* OBJ_id_regCtrl_oldCertID         1 3 6 1 5 5 7 5 1 5 */
+&(nid_objs[320]),/* OBJ_id_regCtrl_protocolEncrKey   1 3 6 1 5 5 7 5 1 6 */
+&(nid_objs[321]),/* OBJ_id_regInfo_utf8Pairs         1 3 6 1 5 5 7 5 2 1 */
+&(nid_objs[322]),/* OBJ_id_regInfo_certReq           1 3 6 1 5 5 7 5 2 2 */
+&(nid_objs[365]),/* OBJ_id_pkix_OCSP_basic           1 3 6 1 5 5 7 48 1 1 */
+&(nid_objs[366]),/* OBJ_id_pkix_OCSP_Nonce           1 3 6 1 5 5 7 48 1 2 */
+&(nid_objs[367]),/* OBJ_id_pkix_OCSP_CrlID           1 3 6 1 5 5 7 48 1 3 */
+&(nid_objs[368]),/* OBJ_id_pkix_OCSP_acceptableResponses 1 3 6 1 5 5 7 48 1 4 */
+&(nid_objs[369]),/* OBJ_id_pkix_OCSP_noCheck         1 3 6 1 5 5 7 48 1 5 */
+&(nid_objs[370]),/* OBJ_id_pkix_OCSP_archiveCutoff   1 3 6 1 5 5 7 48 1 6 */
+&(nid_objs[371]),/* OBJ_id_pkix_OCSP_serviceLocator  1 3 6 1 5 5 7 48 1 7 */
+&(nid_objs[372]),/* OBJ_id_pkix_OCSP_extendedStatus  1 3 6 1 5 5 7 48 1 8 */
+&(nid_objs[373]),/* OBJ_id_pkix_OCSP_valid           1 3 6 1 5 5 7 48 1 9 */
+&(nid_objs[374]),/* OBJ_id_pkix_OCSP_path            1 3 6 1 5 5 7 48 1 10 */
+&(nid_objs[375]),/* OBJ_id_pkix_OCSP_trustRoot       1 3 6 1 5 5 7 48 1 11 */
+&(nid_objs[418]),/* OBJ_aes_128_ecb                  2 16 840 1 101 3 4 1 1 */
+&(nid_objs[419]),/* OBJ_aes_128_cbc                  2 16 840 1 101 3 4 1 2 */
+&(nid_objs[420]),/* OBJ_aes_128_ofb128               2 16 840 1 101 3 4 1 3 */
+&(nid_objs[421]),/* OBJ_aes_128_cfb128               2 16 840 1 101 3 4 1 4 */
+&(nid_objs[422]),/* OBJ_aes_192_ecb                  2 16 840 1 101 3 4 1 21 */
+&(nid_objs[423]),/* OBJ_aes_192_cbc                  2 16 840 1 101 3 4 1 22 */
+&(nid_objs[424]),/* OBJ_aes_192_ofb128               2 16 840 1 101 3 4 1 23 */
+&(nid_objs[425]),/* OBJ_aes_192_cfb128               2 16 840 1 101 3 4 1 24 */
+&(nid_objs[426]),/* OBJ_aes_256_ecb                  2 16 840 1 101 3 4 1 41 */
+&(nid_objs[427]),/* OBJ_aes_256_cbc                  2 16 840 1 101 3 4 1 42 */
+&(nid_objs[428]),/* OBJ_aes_256_ofb128               2 16 840 1 101 3 4 1 43 */
+&(nid_objs[429]),/* OBJ_aes_256_cfb128               2 16 840 1 101 3 4 1 44 */
+&(nid_objs[71]),/* OBJ_netscape_cert_type           2 16 840 1 113730 1 1 */
+&(nid_objs[72]),/* OBJ_netscape_base_url            2 16 840 1 113730 1 2 */
+&(nid_objs[73]),/* OBJ_netscape_revocation_url      2 16 840 1 113730 1 3 */
+&(nid_objs[74]),/* OBJ_netscape_ca_revocation_url   2 16 840 1 113730 1 4 */
+&(nid_objs[75]),/* OBJ_netscape_renewal_url         2 16 840 1 113730 1 7 */
+&(nid_objs[76]),/* OBJ_netscape_ca_policy_url       2 16 840 1 113730 1 8 */
+&(nid_objs[77]),/* OBJ_netscape_ssl_server_name     2 16 840 1 113730 1 12 */
+&(nid_objs[78]),/* OBJ_netscape_comment             2 16 840 1 113730 1 13 */
+&(nid_objs[79]),/* OBJ_netscape_cert_sequence       2 16 840 1 113730 2 5 */
+&(nid_objs[139]),/* OBJ_ns_sgc                       2 16 840 1 113730 4 1 */
+&(nid_objs[458]),/* OBJ_userId                       0 9 2342 19200300 100 1 1 */
+&(nid_objs[459]),/* OBJ_textEncodedORAddress         0 9 2342 19200300 100 1 2 */
+&(nid_objs[460]),/* OBJ_rfc822Mailbox                0 9 2342 19200300 100 1 3 */
+&(nid_objs[461]),/* OBJ_info                         0 9 2342 19200300 100 1 4 */
+&(nid_objs[462]),/* OBJ_favouriteDrink               0 9 2342 19200300 100 1 5 */
+&(nid_objs[463]),/* OBJ_roomNumber                   0 9 2342 19200300 100 1 6 */
+&(nid_objs[464]),/* OBJ_photo                        0 9 2342 19200300 100 1 7 */
+&(nid_objs[465]),/* OBJ_userClass                    0 9 2342 19200300 100 1 8 */
+&(nid_objs[466]),/* OBJ_host                         0 9 2342 19200300 100 1 9 */
+&(nid_objs[467]),/* OBJ_manager                      0 9 2342 19200300 100 1 10 */
+&(nid_objs[468]),/* OBJ_documentIdentifier           0 9 2342 19200300 100 1 11 */
+&(nid_objs[469]),/* OBJ_documentTitle                0 9 2342 19200300 100 1 12 */
+&(nid_objs[470]),/* OBJ_documentVersion              0 9 2342 19200300 100 1 13 */
+&(nid_objs[471]),/* OBJ_documentAuthor               0 9 2342 19200300 100 1 14 */
+&(nid_objs[472]),/* OBJ_documentLocation             0 9 2342 19200300 100 1 15 */
+&(nid_objs[473]),/* OBJ_homeTelephoneNumber          0 9 2342 19200300 100 1 20 */
+&(nid_objs[474]),/* OBJ_secretary                    0 9 2342 19200300 100 1 21 */
+&(nid_objs[475]),/* OBJ_otherMailbox                 0 9 2342 19200300 100 1 22 */
+&(nid_objs[476]),/* OBJ_lastModifiedTime             0 9 2342 19200300 100 1 23 */
+&(nid_objs[477]),/* OBJ_lastModifiedBy               0 9 2342 19200300 100 1 24 */
+&(nid_objs[391]),/* OBJ_domainComponent              0 9 2342 19200300 100 1 25 */
+&(nid_objs[478]),/* OBJ_aRecord                      0 9 2342 19200300 100 1 26 */
+&(nid_objs[479]),/* OBJ_pilotAttributeType27         0 9 2342 19200300 100 1 27 */
+&(nid_objs[480]),/* OBJ_mXRecord                     0 9 2342 19200300 100 1 28 */
+&(nid_objs[481]),/* OBJ_nSRecord                     0 9 2342 19200300 100 1 29 */
+&(nid_objs[482]),/* OBJ_sOARecord                    0 9 2342 19200300 100 1 30 */
+&(nid_objs[483]),/* OBJ_cNAMERecord                  0 9 2342 19200300 100 1 31 */
+&(nid_objs[484]),/* OBJ_associatedDomain             0 9 2342 19200300 100 1 37 */
+&(nid_objs[485]),/* OBJ_associatedName               0 9 2342 19200300 100 1 38 */
+&(nid_objs[486]),/* OBJ_homePostalAddress            0 9 2342 19200300 100 1 39 */
+&(nid_objs[487]),/* OBJ_personalTitle                0 9 2342 19200300 100 1 40 */
+&(nid_objs[488]),/* OBJ_mobileTelephoneNumber        0 9 2342 19200300 100 1 41 */
+&(nid_objs[489]),/* OBJ_pagerTelephoneNumber         0 9 2342 19200300 100 1 42 */
+&(nid_objs[490]),/* OBJ_friendlyCountryName          0 9 2342 19200300 100 1 43 */
+&(nid_objs[491]),/* OBJ_organizationalStatus         0 9 2342 19200300 100 1 45 */
+&(nid_objs[492]),/* OBJ_janetMailbox                 0 9 2342 19200300 100 1 46 */
+&(nid_objs[493]),/* OBJ_mailPreferenceOption         0 9 2342 19200300 100 1 47 */
+&(nid_objs[494]),/* OBJ_buildingName                 0 9 2342 19200300 100 1 48 */
+&(nid_objs[495]),/* OBJ_dSAQuality                   0 9 2342 19200300 100 1 49 */
+&(nid_objs[496]),/* OBJ_singleLevelQuality           0 9 2342 19200300 100 1 50 */
+&(nid_objs[497]),/* OBJ_subtreeMinimumQuality        0 9 2342 19200300 100 1 51 */
+&(nid_objs[498]),/* OBJ_subtreeMaximumQuality        0 9 2342 19200300 100 1 52 */
+&(nid_objs[499]),/* OBJ_personalSignature            0 9 2342 19200300 100 1 53 */
+&(nid_objs[500]),/* OBJ_dITRedirect                  0 9 2342 19200300 100 1 54 */
+&(nid_objs[501]),/* OBJ_audio                        0 9 2342 19200300 100 1 55 */
+&(nid_objs[502]),/* OBJ_documentPublisher            0 9 2342 19200300 100 1 56 */
+&(nid_objs[442]),/* OBJ_iA5StringSyntax              0 9 2342 19200300 100 3 4 */
+&(nid_objs[443]),/* OBJ_caseIgnoreIA5StringSyntax    0 9 2342 19200300 100 3 5 */
+&(nid_objs[444]),/* OBJ_pilotObject                  0 9 2342 19200300 100 4 3 */
+&(nid_objs[445]),/* OBJ_pilotPerson                  0 9 2342 19200300 100 4 4 */
+&(nid_objs[446]),/* OBJ_account                      0 9 2342 19200300 100 4 5 */
+&(nid_objs[447]),/* OBJ_document                     0 9 2342 19200300 100 4 6 */
+&(nid_objs[448]),/* OBJ_room                         0 9 2342 19200300 100 4 7 */
+&(nid_objs[449]),/* OBJ_documentSeries               0 9 2342 19200300 100 4 9 */
+&(nid_objs[392]),/* OBJ_Domain                       0 9 2342 19200300 100 4 13 */
+&(nid_objs[450]),/* OBJ_rFC822localPart              0 9 2342 19200300 100 4 14 */
+&(nid_objs[451]),/* OBJ_dNSDomain                    0 9 2342 19200300 100 4 15 */
+&(nid_objs[452]),/* OBJ_domainRelatedObject          0 9 2342 19200300 100 4 17 */
+&(nid_objs[453]),/* OBJ_friendlyCountry              0 9 2342 19200300 100 4 18 */
+&(nid_objs[454]),/* OBJ_simpleSecurityObject         0 9 2342 19200300 100 4 19 */
+&(nid_objs[455]),/* OBJ_pilotOrganization            0 9 2342 19200300 100 4 20 */
+&(nid_objs[456]),/* OBJ_pilotDSA                     0 9 2342 19200300 100 4 21 */
+&(nid_objs[457]),/* OBJ_qualityLabelledData          0 9 2342 19200300 100 4 22 */
+&(nid_objs[189]),/* OBJ_id_smime_mod                 1 2 840 113549 1 9 16 0 */
+&(nid_objs[190]),/* OBJ_id_smime_ct                  1 2 840 113549 1 9 16 1 */
+&(nid_objs[191]),/* OBJ_id_smime_aa                  1 2 840 113549 1 9 16 2 */
+&(nid_objs[192]),/* OBJ_id_smime_alg                 1 2 840 113549 1 9 16 3 */
+&(nid_objs[193]),/* OBJ_id_smime_cd                  1 2 840 113549 1 9 16 4 */
+&(nid_objs[194]),/* OBJ_id_smime_spq                 1 2 840 113549 1 9 16 5 */
+&(nid_objs[195]),/* OBJ_id_smime_cti                 1 2 840 113549 1 9 16 6 */
+&(nid_objs[158]),/* OBJ_x509Certificate              1 2 840 113549 1 9 22 1 */
+&(nid_objs[159]),/* OBJ_sdsiCertificate              1 2 840 113549 1 9 22 2 */
+&(nid_objs[160]),/* OBJ_x509Crl                      1 2 840 113549 1 9 23 1 */
+&(nid_objs[144]),/* OBJ_pbe_WithSHA1And128BitRC4     1 2 840 113549 1 12 1 1 */
+&(nid_objs[145]),/* OBJ_pbe_WithSHA1And40BitRC4      1 2 840 113549 1 12 1 2 */
+&(nid_objs[146]),/* OBJ_pbe_WithSHA1And3_Key_TripleDES_CBC 1 2 840 113549 1 12 1 3 */
+&(nid_objs[147]),/* OBJ_pbe_WithSHA1And2_Key_TripleDES_CBC 1 2 840 113549 1 12 1 4 */
+&(nid_objs[148]),/* OBJ_pbe_WithSHA1And128BitRC2_CBC 1 2 840 113549 1 12 1 5 */
+&(nid_objs[149]),/* OBJ_pbe_WithSHA1And40BitRC2_CBC  1 2 840 113549 1 12 1 6 */
+&(nid_objs[171]),/* OBJ_ms_ext_req                   1 3 6 1 4 1 311 2 1 14 */
+&(nid_objs[134]),/* OBJ_ms_code_ind                  1 3 6 1 4 1 311 2 1 21 */
+&(nid_objs[135]),/* OBJ_ms_code_com                  1 3 6 1 4 1 311 2 1 22 */
+&(nid_objs[136]),/* OBJ_ms_ctl_sign                  1 3 6 1 4 1 311 10 3 1 */
+&(nid_objs[137]),/* OBJ_ms_sgc                       1 3 6 1 4 1 311 10 3 3 */
+&(nid_objs[138]),/* OBJ_ms_efs                       1 3 6 1 4 1 311 10 3 4 */
+&(nid_objs[196]),/* OBJ_id_smime_mod_cms             1 2 840 113549 1 9 16 0 1 */
+&(nid_objs[197]),/* OBJ_id_smime_mod_ess             1 2 840 113549 1 9 16 0 2 */
+&(nid_objs[198]),/* OBJ_id_smime_mod_oid             1 2 840 113549 1 9 16 0 3 */
+&(nid_objs[199]),/* OBJ_id_smime_mod_msg_v3          1 2 840 113549 1 9 16 0 4 */
+&(nid_objs[200]),/* OBJ_id_smime_mod_ets_eSignature_88 1 2 840 113549 1 9 16 0 5 */
+&(nid_objs[201]),/* OBJ_id_smime_mod_ets_eSignature_97 1 2 840 113549 1 9 16 0 6 */
+&(nid_objs[202]),/* OBJ_id_smime_mod_ets_eSigPolicy_88 1 2 840 113549 1 9 16 0 7 */
+&(nid_objs[203]),/* OBJ_id_smime_mod_ets_eSigPolicy_97 1 2 840 113549 1 9 16 0 8 */
+&(nid_objs[204]),/* OBJ_id_smime_ct_receipt          1 2 840 113549 1 9 16 1 1 */
+&(nid_objs[205]),/* OBJ_id_smime_ct_authData         1 2 840 113549 1 9 16 1 2 */
+&(nid_objs[206]),/* OBJ_id_smime_ct_publishCert      1 2 840 113549 1 9 16 1 3 */
+&(nid_objs[207]),/* OBJ_id_smime_ct_TSTInfo          1 2 840 113549 1 9 16 1 4 */
+&(nid_objs[208]),/* OBJ_id_smime_ct_TDTInfo          1 2 840 113549 1 9 16 1 5 */
+&(nid_objs[209]),/* OBJ_id_smime_ct_contentInfo      1 2 840 113549 1 9 16 1 6 */
+&(nid_objs[210]),/* OBJ_id_smime_ct_DVCSRequestData  1 2 840 113549 1 9 16 1 7 */
+&(nid_objs[211]),/* OBJ_id_smime_ct_DVCSResponseData 1 2 840 113549 1 9 16 1 8 */
+&(nid_objs[212]),/* OBJ_id_smime_aa_receiptRequest   1 2 840 113549 1 9 16 2 1 */
+&(nid_objs[213]),/* OBJ_id_smime_aa_securityLabel    1 2 840 113549 1 9 16 2 2 */
+&(nid_objs[214]),/* OBJ_id_smime_aa_mlExpandHistory  1 2 840 113549 1 9 16 2 3 */
+&(nid_objs[215]),/* OBJ_id_smime_aa_contentHint      1 2 840 113549 1 9 16 2 4 */
+&(nid_objs[216]),/* OBJ_id_smime_aa_msgSigDigest     1 2 840 113549 1 9 16 2 5 */
+&(nid_objs[217]),/* OBJ_id_smime_aa_encapContentType 1 2 840 113549 1 9 16 2 6 */
+&(nid_objs[218]),/* OBJ_id_smime_aa_contentIdentifier 1 2 840 113549 1 9 16 2 7 */
+&(nid_objs[219]),/* OBJ_id_smime_aa_macValue         1 2 840 113549 1 9 16 2 8 */
+&(nid_objs[220]),/* OBJ_id_smime_aa_equivalentLabels 1 2 840 113549 1 9 16 2 9 */
+&(nid_objs[221]),/* OBJ_id_smime_aa_contentReference 1 2 840 113549 1 9 16 2 10 */
+&(nid_objs[222]),/* OBJ_id_smime_aa_encrypKeyPref    1 2 840 113549 1 9 16 2 11 */
+&(nid_objs[223]),/* OBJ_id_smime_aa_signingCertificate 1 2 840 113549 1 9 16 2 12 */
+&(nid_objs[224]),/* OBJ_id_smime_aa_smimeEncryptCerts 1 2 840 113549 1 9 16 2 13 */
+&(nid_objs[225]),/* OBJ_id_smime_aa_timeStampToken   1 2 840 113549 1 9 16 2 14 */
+&(nid_objs[226]),/* OBJ_id_smime_aa_ets_sigPolicyId  1 2 840 113549 1 9 16 2 15 */
+&(nid_objs[227]),/* OBJ_id_smime_aa_ets_commitmentType 1 2 840 113549 1 9 16 2 16 */
+&(nid_objs[228]),/* OBJ_id_smime_aa_ets_signerLocation 1 2 840 113549 1 9 16 2 17 */
+&(nid_objs[229]),/* OBJ_id_smime_aa_ets_signerAttr   1 2 840 113549 1 9 16 2 18 */
+&(nid_objs[230]),/* OBJ_id_smime_aa_ets_otherSigCert 1 2 840 113549 1 9 16 2 19 */
+&(nid_objs[231]),/* OBJ_id_smime_aa_ets_contentTimestamp 1 2 840 113549 1 9 16 2 20 */
+&(nid_objs[232]),/* OBJ_id_smime_aa_ets_CertificateRefs 1 2 840 113549 1 9 16 2 21 */
+&(nid_objs[233]),/* OBJ_id_smime_aa_ets_RevocationRefs 1 2 840 113549 1 9 16 2 22 */
+&(nid_objs[234]),/* OBJ_id_smime_aa_ets_certValues   1 2 840 113549 1 9 16 2 23 */
+&(nid_objs[235]),/* OBJ_id_smime_aa_ets_revocationValues 1 2 840 113549 1 9 16 2 24 */
+&(nid_objs[236]),/* OBJ_id_smime_aa_ets_escTimeStamp 1 2 840 113549 1 9 16 2 25 */
+&(nid_objs[237]),/* OBJ_id_smime_aa_ets_certCRLTimestamp 1 2 840 113549 1 9 16 2 26 */
+&(nid_objs[238]),/* OBJ_id_smime_aa_ets_archiveTimeStamp 1 2 840 113549 1 9 16 2 27 */
+&(nid_objs[239]),/* OBJ_id_smime_aa_signatureType    1 2 840 113549 1 9 16 2 28 */
+&(nid_objs[240]),/* OBJ_id_smime_aa_dvcs_dvc         1 2 840 113549 1 9 16 2 29 */
+&(nid_objs[241]),/* OBJ_id_smime_alg_ESDHwith3DES    1 2 840 113549 1 9 16 3 1 */
+&(nid_objs[242]),/* OBJ_id_smime_alg_ESDHwithRC2     1 2 840 113549 1 9 16 3 2 */
+&(nid_objs[243]),/* OBJ_id_smime_alg_3DESwrap        1 2 840 113549 1 9 16 3 3 */
+&(nid_objs[244]),/* OBJ_id_smime_alg_RC2wrap         1 2 840 113549 1 9 16 3 4 */
+&(nid_objs[245]),/* OBJ_id_smime_alg_ESDH            1 2 840 113549 1 9 16 3 5 */
+&(nid_objs[246]),/* OBJ_id_smime_alg_CMS3DESwrap     1 2 840 113549 1 9 16 3 6 */
+&(nid_objs[247]),/* OBJ_id_smime_alg_CMSRC2wrap      1 2 840 113549 1 9 16 3 7 */
+&(nid_objs[248]),/* OBJ_id_smime_cd_ldap             1 2 840 113549 1 9 16 4 1 */
+&(nid_objs[249]),/* OBJ_id_smime_spq_ets_sqt_uri     1 2 840 113549 1 9 16 5 1 */
+&(nid_objs[250]),/* OBJ_id_smime_spq_ets_sqt_unotice 1 2 840 113549 1 9 16 5 2 */
+&(nid_objs[251]),/* OBJ_id_smime_cti_ets_proofOfOrigin 1 2 840 113549 1 9 16 6 1 */
+&(nid_objs[252]),/* OBJ_id_smime_cti_ets_proofOfReceipt 1 2 840 113549 1 9 16 6 2 */
+&(nid_objs[253]),/* OBJ_id_smime_cti_ets_proofOfDelivery 1 2 840 113549 1 9 16 6 3 */
+&(nid_objs[254]),/* OBJ_id_smime_cti_ets_proofOfSender 1 2 840 113549 1 9 16 6 4 */
+&(nid_objs[255]),/* OBJ_id_smime_cti_ets_proofOfApproval 1 2 840 113549 1 9 16 6 5 */
+&(nid_objs[256]),/* OBJ_id_smime_cti_ets_proofOfCreation 1 2 840 113549 1 9 16 6 6 */
+&(nid_objs[150]),/* OBJ_keyBag                       1 2 840 113549 1 12 10 1 1 */
+&(nid_objs[151]),/* OBJ_pkcs8ShroudedKeyBag          1 2 840 113549 1 12 10 1 2 */
+&(nid_objs[152]),/* OBJ_certBag                      1 2 840 113549 1 12 10 1 3 */
+&(nid_objs[153]),/* OBJ_crlBag                       1 2 840 113549 1 12 10 1 4 */
+&(nid_objs[154]),/* OBJ_secretBag                    1 2 840 113549 1 12 10 1 5 */
+&(nid_objs[155]),/* OBJ_safeContentsBag              1 2 840 113549 1 12 10 1 6 */
+&(nid_objs[34]),/* OBJ_idea_cbc                     1 3 6 1 4 1 188 7 1 1 2 */
+};
+
diff --git a/src/lib/libcrypto/objects/obj_dat.pl b/src/lib/libcrypto/objects/obj_dat.pl
index 11066df680..5dfb84ea00 100644
--- a/src/lib/libcrypto/objects/obj_dat.pl
+++ b/src/lib/libcrypto/objects/obj_dat.pl
@@ -164,7 +164,13 @@ foreach (sort obj_cmp @a)
         }
 
 print OUT <<'EOF';
-/* lib/obj/obj_dat.h */
+/* crypto/objects/obj_dat.h */
+
+/* THIS FILE IS GENERATED FROM objects.h by obj_dat.pl via the
+ * following command:
+ * perl obj_dat.pl obj_mac.h obj_dat.h
+ */
+
 /* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -222,11 +228,6 @@ print OUT <<'EOF';
  * [including the GNU Public Licence.]
  */
 
-/* THIS FILE IS GENERATED FROM Objects.h by obj_dat.pl via the
- * following command:
- * perl obj_dat.pl objects.h obj_dat.h
- */
-
 EOF
 
 printf OUT "#define NUM_NID %d\n",$n;
diff --git a/src/lib/libcrypto/objects/obj_err.c b/src/lib/libcrypto/objects/obj_err.c
index 7aec0ed47a..80ab6855af 100644
--- a/src/lib/libcrypto/objects/obj_err.c
+++ b/src/lib/libcrypto/objects/obj_err.c
@@ -63,7 +63,7 @@
 #include <openssl/objects.h>
 
 /* BEGIN ERROR CODES */
-#ifndef NO_ERR
+#ifndef OPENSSL_NO_ERR
 static ERR_STRING_DATA OBJ_str_functs[]=
         {
 {ERR_PACK(0,OBJ_F_OBJ_CREATE,0),        "OBJ_create"},
@@ -90,7 +90,7 @@ void ERR_load_OBJ_strings(void)
         if (init)
                 {
                 init=0;
-#ifndef NO_ERR
+#ifndef OPENSSL_NO_ERR
                 ERR_load_strings(ERR_LIB_OBJ,OBJ_str_functs);
                 ERR_load_strings(ERR_LIB_OBJ,OBJ_str_reasons);
 #endif
diff --git a/src/lib/libcrypto/objects/obj_lib.c b/src/lib/libcrypto/objects/obj_lib.c
index 0c71639eba..b0b0f2ff24 100644
--- a/src/lib/libcrypto/objects/obj_lib.c
+++ b/src/lib/libcrypto/objects/obj_lib.c
@@ -62,7 +62,7 @@
 #include <openssl/objects.h>
 #include <openssl/buffer.h>
 
-ASN1_OBJECT *OBJ_dup(ASN1_OBJECT *o)
+ASN1_OBJECT *OBJ_dup(const ASN1_OBJECT *o)
         {
         ASN1_OBJECT *r;
         int i;
@@ -70,7 +70,8 @@ ASN1_OBJECT *OBJ_dup(ASN1_OBJECT *o)
 
         if (o == NULL) return(NULL);
         if (!(o->flags & ASN1_OBJECT_FLAG_DYNAMIC))
-                return(o);
+                return((ASN1_OBJECT *)o); /* XXX: ugh! Why? What kind of
+                                             duplication is this??? */
 
         r=ASN1_OBJECT_new();
         if (r == NULL)
@@ -116,7 +117,7 @@ err:
         return(NULL);
         }
 
-int OBJ_cmp(ASN1_OBJECT *a, ASN1_OBJECT *b)
+int OBJ_cmp(const ASN1_OBJECT *a, const ASN1_OBJECT *b)
         {
         int ret;
 
diff --git a/src/lib/libcrypto/objects/obj_mac.h b/src/lib/libcrypto/objects/obj_mac.h
index 401b1e5a1b..6d77fcba3f 100644
--- a/src/lib/libcrypto/objects/obj_mac.h
+++ b/src/lib/libcrypto/objects/obj_mac.h
@@ -1,4 +1,10 @@
-/* lib/obj/obj_mac.h */
+/* crypto/objects/obj_mac.h */
+
+/* THIS FILE IS GENERATED FROM objects.txt by objects.pl via the
+ * following command:
+ * perl objects.pl objects.txt obj_mac.num obj_mac.h
+ */
+
 /* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -56,26 +62,40 @@
  * [including the GNU Public Licence.]
  */
 
-/* THIS FILE IS GENERATED FROM objects.txt by objects.pl via the
- * following command:
- * perl objects.pl objects.txt obj_mac.num obj_mac.h
- */
-
 #define SN_undef                        "UNDEF"
 #define LN_undef                        "undefined"
 #define NID_undef                       0
 #define OBJ_undef                       0L
 
+#define SN_ccitt                "CCITT"
+#define LN_ccitt                "ccitt"
+#define NID_ccitt               404
+#define OBJ_ccitt               0L
+
 #define SN_iso          "ISO"
 #define LN_iso          "iso"
 #define NID_iso         181
 #define OBJ_iso         1L
 
+#define SN_joint_iso_ccitt              "JOINT-ISO-CCITT"
+#define LN_joint_iso_ccitt              "joint-iso-ccitt"
+#define NID_joint_iso_ccitt             393
+#define OBJ_joint_iso_ccitt             2L
+
 #define SN_member_body          "member-body"
 #define LN_member_body          "ISO Member Body"
 #define NID_member_body         182
 #define OBJ_member_body         OBJ_iso,2L
 
+#define SN_selected_attribute_types             "selected-attribute-types"
+#define LN_selected_attribute_types             "Selected Attribute Types"
+#define NID_selected_attribute_types            394
+#define OBJ_selected_attribute_types            OBJ_joint_iso_ccitt,5L,1L,5L
+
+#define SN_clearance            "clearance"
+#define NID_clearance           395
+#define OBJ_clearance           OBJ_selected_attribute_types,55L
+
 #define SN_ISO_US               "ISO-US"
 #define LN_ISO_US               "ISO US Member Body"
 #define NID_ISO_US              183
@@ -101,6 +121,67 @@
 #define NID_dsaWithSHA1         113
 #define OBJ_dsaWithSHA1         OBJ_X9cm,3L
 
+#define SN_ansi_X9_62           "ansi-X9-62"
+#define LN_ansi_X9_62           "ANSI X9.62"
+#define NID_ansi_X9_62          405
+#define OBJ_ansi_X9_62          OBJ_ISO_US,10045L
+
+#define OBJ_X9_62_id_fieldType          OBJ_ansi_X9_62,1L
+
+#define SN_X9_62_prime_field            "prime-field"
+#define NID_X9_62_prime_field           406
+#define OBJ_X9_62_prime_field           OBJ_X9_62_id_fieldType,1L
+
+#define SN_X9_62_characteristic_two_field               "characteristic-two-field"
+#define NID_X9_62_characteristic_two_field              407
+#define OBJ_X9_62_characteristic_two_field              OBJ_X9_62_id_fieldType,2L
+
+#define OBJ_X9_62_id_publicKeyType              OBJ_ansi_X9_62,2L
+
+#define SN_X9_62_id_ecPublicKey         "id-ecPublicKey"
+#define NID_X9_62_id_ecPublicKey                408
+#define OBJ_X9_62_id_ecPublicKey                OBJ_X9_62_id_publicKeyType,1L
+
+#define OBJ_X9_62_ellipticCurve         OBJ_ansi_X9_62,3L
+
+#define OBJ_X9_62_c_TwoCurve            OBJ_X9_62_ellipticCurve,0L
+
+#define OBJ_X9_62_primeCurve            OBJ_X9_62_ellipticCurve,1L
+
+#define SN_X9_62_prime192v1             "prime192v1"
+#define NID_X9_62_prime192v1            409
+#define OBJ_X9_62_prime192v1            OBJ_X9_62_primeCurve,1L
+
+#define SN_X9_62_prime192v2             "prime192v2"
+#define NID_X9_62_prime192v2            410
+#define OBJ_X9_62_prime192v2            OBJ_X9_62_primeCurve,2L
+
+#define SN_X9_62_prime192v3             "prime192v3"
+#define NID_X9_62_prime192v3            411
+#define OBJ_X9_62_prime192v3            OBJ_X9_62_primeCurve,3L
+
+#define SN_X9_62_prime239v1             "prime239v1"
+#define NID_X9_62_prime239v1            412
+#define OBJ_X9_62_prime239v1            OBJ_X9_62_primeCurve,4L
+
+#define SN_X9_62_prime239v2             "prime239v2"
+#define NID_X9_62_prime239v2            413
+#define OBJ_X9_62_prime239v2            OBJ_X9_62_primeCurve,5L
+
+#define SN_X9_62_prime239v3             "prime239v3"
+#define NID_X9_62_prime239v3            414
+#define OBJ_X9_62_prime239v3            OBJ_X9_62_primeCurve,6L
+
+#define SN_X9_62_prime256v1             "prime256v1"
+#define NID_X9_62_prime256v1            415
+#define OBJ_X9_62_prime256v1            OBJ_X9_62_primeCurve,7L
+
+#define OBJ_X9_62_id_ecSigType          OBJ_ansi_X9_62,4L
+
+#define SN_ecdsa_with_SHA1              "ecdsa-with-SHA1"
+#define NID_ecdsa_with_SHA1             416
+#define OBJ_ecdsa_with_SHA1             OBJ_X9_62_id_ecSigType,1L
+
 #define SN_cast5_cbc            "CAST5-CBC"
 #define LN_cast5_cbc            "cast5-cbc"
 #define NID_cast5_cbc           108
@@ -145,6 +226,11 @@
 #define NID_md2WithRSAEncryption                7
 #define OBJ_md2WithRSAEncryption                OBJ_pkcs1,2L
 
+#define SN_md4WithRSAEncryption         "RSA-MD4"
+#define LN_md4WithRSAEncryption         "md4WithRSAEncryption"
+#define NID_md4WithRSAEncryption                396
+#define OBJ_md4WithRSAEncryption                OBJ_pkcs1,3L
+
 #define SN_md5WithRSAEncryption         "RSA-MD5"
 #define LN_md5WithRSAEncryption         "md5WithRSAEncryption"
 #define NID_md5WithRSAEncryption                8
@@ -241,7 +327,6 @@
 #define NID_pkcs9               47
 #define OBJ_pkcs9               OBJ_pkcs,9L
 
-#define SN_pkcs9_emailAddress           "Email"
 #define LN_pkcs9_emailAddress           "emailAddress"
 #define NID_pkcs9_emailAddress          48
 #define OBJ_pkcs9_emailAddress          OBJ_pkcs9,1L
@@ -573,6 +658,11 @@
 #define NID_localKeyID          157
 #define OBJ_localKeyID          OBJ_pkcs9,21L
 
+#define SN_ms_csp_name          "CSPName"
+#define LN_ms_csp_name          "Microsoft CSP Name"
+#define NID_ms_csp_name         417
+#define OBJ_ms_csp_name         1L,3L,6L,1L,4L,1L,311L,17L,1L
+
 #define OBJ_certTypes           OBJ_pkcs9,22L
 
 #define LN_x509Certificate              "x509Certificate"
@@ -956,6 +1046,15 @@
 #define NID_sbqp_routerIdentifier               292
 #define OBJ_sbqp_routerIdentifier               OBJ_id_pe,9L
 
+#define SN_ac_proxying          "ac-proxying"
+#define NID_ac_proxying         397
+#define OBJ_ac_proxying         OBJ_id_pe,10L
+
+#define SN_sinfo_access         "subjectInfoAccess"
+#define LN_sinfo_access         "Subject Information Access"
+#define NID_sinfo_access                398
+#define OBJ_sinfo_access                OBJ_id_pe,11L
+
 #define SN_id_qt_cps            "id-qt-cps"
 #define LN_id_qt_cps            "Policy Qualifier CPS"
 #define NID_id_qt_cps           164
@@ -1228,21 +1327,17 @@
 #define NID_id_pda_placeOfBirth         349
 #define OBJ_id_pda_placeOfBirth         OBJ_id_pda,2L
 
-#define SN_id_pda_pseudonym             "id-pda-pseudonym"
-#define NID_id_pda_pseudonym            350
-#define OBJ_id_pda_pseudonym            OBJ_id_pda,3L
-
 #define SN_id_pda_gender                "id-pda-gender"
 #define NID_id_pda_gender               351
-#define OBJ_id_pda_gender               OBJ_id_pda,4L
+#define OBJ_id_pda_gender               OBJ_id_pda,3L
 
 #define SN_id_pda_countryOfCitizenship          "id-pda-countryOfCitizenship"
 #define NID_id_pda_countryOfCitizenship         352
-#define OBJ_id_pda_countryOfCitizenship         OBJ_id_pda,5L
+#define OBJ_id_pda_countryOfCitizenship         OBJ_id_pda,4L
 
 #define SN_id_pda_countryOfResidence            "id-pda-countryOfResidence"
 #define NID_id_pda_countryOfResidence           353
-#define OBJ_id_pda_countryOfResidence           OBJ_id_pda,6L
+#define OBJ_id_pda_countryOfResidence           OBJ_id_pda,5L
 
 #define SN_id_aca_authenticationInfo            "id-aca-authenticationInfo"
 #define NID_id_aca_authenticationInfo           354
@@ -1264,6 +1359,10 @@
 #define NID_id_aca_role         358
 #define OBJ_id_aca_role         OBJ_id_aca,5L
 
+#define SN_id_aca_encAttrs              "id-aca-encAttrs"
+#define NID_id_aca_encAttrs             399
+#define OBJ_id_aca_encAttrs             OBJ_id_aca,6L
+
 #define SN_id_qcs_pkixQCSyntax_v1               "id-qcs-pkixQCSyntax-v1"
 #define NID_id_qcs_pkixQCSyntax_v1              359
 #define OBJ_id_qcs_pkixQCSyntax_v1              OBJ_id_qcs,1L
@@ -1323,6 +1422,7 @@
 #define OBJ_id_pkix_OCSP_acceptableResponses            OBJ_id_pkix_OCSP,4L
 
 #define SN_id_pkix_OCSP_noCheck         "noCheck"
+#define LN_id_pkix_OCSP_noCheck         "OCSP No Check"
 #define NID_id_pkix_OCSP_noCheck                369
 #define OBJ_id_pkix_OCSP_noCheck                OBJ_id_pkix_OCSP,5L
 
@@ -1403,14 +1503,14 @@
 #define NID_shaWithRSAEncryption                42
 #define OBJ_shaWithRSAEncryption                OBJ_algorithm,15L
 
-#define SN_des_ede              "DES-EDE"
-#define LN_des_ede              "des-ede"
-#define NID_des_ede             32
-#define OBJ_des_ede             OBJ_algorithm,17L
+#define SN_des_ede_ecb          "DES-EDE"
+#define LN_des_ede_ecb          "des-ede"
+#define NID_des_ede_ecb         32
+#define OBJ_des_ede_ecb         OBJ_algorithm,17L
 
-#define SN_des_ede3             "DES-EDE3"
-#define LN_des_ede3             "des-ede3"
-#define NID_des_ede3            33
+#define SN_des_ede3_ecb         "DES-EDE3"
+#define LN_des_ede3_ecb         "des-ede3"
+#define NID_des_ede3_ecb                33
 
 #define SN_des_ede_cbc          "DES-EDE-CBC"
 #define LN_des_ede_cbc          "des-ede-cbc"
@@ -1485,12 +1585,11 @@
 #define NID_commonName          13
 #define OBJ_commonName          OBJ_X509,3L
 
-#define SN_surname              "S"
+#define SN_surname              "SN"
 #define LN_surname              "surname"
 #define NID_surname             100
 #define OBJ_surname             OBJ_X509,4L
 
-#define SN_serialNumber         "SN"
 #define LN_serialNumber         "serialNumber"
 #define NID_serialNumber                105
 #define OBJ_serialNumber                OBJ_X509,5L
@@ -1520,12 +1619,10 @@
 #define NID_organizationalUnitName              18
 #define OBJ_organizationalUnitName              OBJ_X509,11L
 
-#define SN_title                "T"
 #define LN_title                "title"
 #define NID_title               106
 #define OBJ_title               OBJ_X509,12L
 
-#define SN_description          "D"
 #define LN_description          "description"
 #define NID_description         107
 #define OBJ_description         OBJ_X509,13L
@@ -1535,26 +1632,33 @@
 #define NID_name                173
 #define OBJ_name                OBJ_X509,41L
 
-#define SN_givenName            "G"
+#define SN_givenName            "gn"
 #define LN_givenName            "givenName"
 #define NID_givenName           99
 #define OBJ_givenName           OBJ_X509,42L
 
-#define SN_initials             "I"
 #define LN_initials             "initials"
 #define NID_initials            101
 #define OBJ_initials            OBJ_X509,43L
 
-#define SN_uniqueIdentifier             "UID"
-#define LN_uniqueIdentifier             "uniqueIdentifier"
-#define NID_uniqueIdentifier            102
-#define OBJ_uniqueIdentifier            OBJ_X509,45L
+#define LN_generationQualifier          "generationQualifier"
+#define NID_generationQualifier         509
+#define OBJ_generationQualifier         OBJ_X509,44L
+
+#define LN_x500UniqueIdentifier         "x500UniqueIdentifier"
+#define NID_x500UniqueIdentifier                503
+#define OBJ_x500UniqueIdentifier                OBJ_X509,45L
 
 #define SN_dnQualifier          "dnQualifier"
 #define LN_dnQualifier          "dnQualifier"
 #define NID_dnQualifier         174
 #define OBJ_dnQualifier         OBJ_X509,46L
 
+#define SN_role         "role"
+#define LN_role         "role"
+#define NID_role                400
+#define OBJ_role                OBJ_X509,72L
+
 #define SN_X500algorithms               "X500algorithms"
 #define LN_X500algorithms               "directory services - algorithms"
 #define NID_X500algorithms              378
@@ -1644,11 +1748,26 @@
 #define NID_authority_key_identifier            90
 #define OBJ_authority_key_identifier            OBJ_id_ce,35L
 
+#define SN_policy_constraints           "policyConstraints"
+#define LN_policy_constraints           "X509v3 Policy Constraints"
+#define NID_policy_constraints          401
+#define OBJ_policy_constraints          OBJ_id_ce,36L
+
 #define SN_ext_key_usage                "extendedKeyUsage"
 #define LN_ext_key_usage                "X509v3 Extended Key Usage"
 #define NID_ext_key_usage               126
 #define OBJ_ext_key_usage               OBJ_id_ce,37L
 
+#define SN_target_information           "targetInformation"
+#define LN_target_information           "X509v3 AC Targeting"
+#define NID_target_information          402
+#define OBJ_target_information          OBJ_id_ce,55L
+
+#define SN_no_rev_avail         "noRevAvail"
+#define LN_no_rev_avail         "X509v3 No Revocation Available"
+#define NID_no_rev_avail                403
+#define OBJ_no_rev_avail                OBJ_id_ce,56L
+
 #define SN_netscape             "Netscape"
 #define LN_netscape             "Netscape Communications Corp."
 #define NID_netscape            57
@@ -1761,7 +1880,6 @@
 #define NID_SNMPv2              387
 #define OBJ_SNMPv2              OBJ_internet,6L
 
-#define SN_Mail         "mail"
 #define LN_Mail         "Mail"
 #define NID_Mail                388
 #define OBJ_Mail                OBJ_internet,7L
@@ -1769,22 +1887,37 @@
 #define SN_Enterprises          "enterprises"
 #define LN_Enterprises          "Enterprises"
 #define NID_Enterprises         389
-#define OBJ_Enterprises         OBJ_private,1L
+#define OBJ_Enterprises         OBJ_Private,1L
 
 #define SN_dcObject             "dcobject"
 #define LN_dcObject             "dcObject"
 #define NID_dcObject            390
-#define OBJ_dcObject            OBJ_enterprises,1466L,344L
+#define OBJ_dcObject            OBJ_Enterprises,1466L,344L
 
-#define SN_domainComponent              "DC"
-#define LN_domainComponent              "domainComponent"
-#define NID_domainComponent             391
-#define OBJ_domainComponent             0L,9L,2342L,19200300L,100L,1L,25L
+#define SN_mime_mhs             "mime-mhs"
+#define LN_mime_mhs             "MIME MHS"
+#define NID_mime_mhs            504
+#define OBJ_mime_mhs            OBJ_Mail,1L
 
-#define SN_Domain               "domain"
-#define LN_Domain               "Domain"
-#define NID_Domain              392
-#define OBJ_Domain              0L,9L,2342L,19200300L,100L,4L,13L
+#define SN_mime_mhs_headings            "mime-mhs-headings"
+#define LN_mime_mhs_headings            "mime-mhs-headings"
+#define NID_mime_mhs_headings           505
+#define OBJ_mime_mhs_headings           OBJ_mime_mhs,1L
+
+#define SN_mime_mhs_bodies              "mime-mhs-bodies"
+#define LN_mime_mhs_bodies              "mime-mhs-bodies"
+#define NID_mime_mhs_bodies             506
+#define OBJ_mime_mhs_bodies             OBJ_mime_mhs,2L
+
+#define SN_id_hex_partial_message               "id-hex-partial-message"
+#define LN_id_hex_partial_message               "id-hex-partial-message"
+#define NID_id_hex_partial_message              507
+#define OBJ_id_hex_partial_message              OBJ_mime_mhs_headings,1L
+
+#define SN_id_hex_multipart_message             "id-hex-multipart-message"
+#define LN_id_hex_multipart_message             "id-hex-multipart-message"
+#define NID_id_hex_multipart_message            508
+#define OBJ_id_hex_multipart_message            OBJ_mime_mhs_headings,2L
 
 #define SN_rle_compression              "RLE"
 #define LN_rle_compression              "run length compression"
@@ -1796,3 +1929,379 @@
 #define NID_zlib_compression            125
 #define OBJ_zlib_compression            1L,1L,1L,1L,666L,2L
 
+#define OBJ_csor                2L,16L,840L,1L,101L,3L
+
+#define OBJ_nistAlgorithms              OBJ_csor,4L
+
+#define OBJ_aes         OBJ_nistAlgorithms,1L
+
+#define SN_aes_128_ecb          "AES-128-ECB"
+#define LN_aes_128_ecb          "aes-128-ecb"
+#define NID_aes_128_ecb         418
+#define OBJ_aes_128_ecb         OBJ_aes,1L
+
+#define SN_aes_128_cbc          "AES-128-CBC"
+#define LN_aes_128_cbc          "aes-128-cbc"
+#define NID_aes_128_cbc         419
+#define OBJ_aes_128_cbc         OBJ_aes,2L
+
+#define SN_aes_128_ofb128               "AES-128-OFB"
+#define LN_aes_128_ofb128               "aes-128-ofb"
+#define NID_aes_128_ofb128              420
+#define OBJ_aes_128_ofb128              OBJ_aes,3L
+
+#define SN_aes_128_cfb128               "AES-128-CFB"
+#define LN_aes_128_cfb128               "aes-128-cfb"
+#define NID_aes_128_cfb128              421
+#define OBJ_aes_128_cfb128              OBJ_aes,4L
+
+#define SN_aes_192_ecb          "AES-192-ECB"
+#define LN_aes_192_ecb          "aes-192-ecb"
+#define NID_aes_192_ecb         422
+#define OBJ_aes_192_ecb         OBJ_aes,21L
+
+#define SN_aes_192_cbc          "AES-192-CBC"
+#define LN_aes_192_cbc          "aes-192-cbc"
+#define NID_aes_192_cbc         423
+#define OBJ_aes_192_cbc         OBJ_aes,22L
+
+#define SN_aes_192_ofb128               "AES-192-OFB"
+#define LN_aes_192_ofb128               "aes-192-ofb"
+#define NID_aes_192_ofb128              424
+#define OBJ_aes_192_ofb128              OBJ_aes,23L
+
+#define SN_aes_192_cfb128               "AES-192-CFB"
+#define LN_aes_192_cfb128               "aes-192-cfb"
+#define NID_aes_192_cfb128              425
+#define OBJ_aes_192_cfb128              OBJ_aes,24L
+
+#define SN_aes_256_ecb          "AES-256-ECB"
+#define LN_aes_256_ecb          "aes-256-ecb"
+#define NID_aes_256_ecb         426
+#define OBJ_aes_256_ecb         OBJ_aes,41L
+
+#define SN_aes_256_cbc          "AES-256-CBC"
+#define LN_aes_256_cbc          "aes-256-cbc"
+#define NID_aes_256_cbc         427
+#define OBJ_aes_256_cbc         OBJ_aes,42L
+
+#define SN_aes_256_ofb128               "AES-256-OFB"
+#define LN_aes_256_ofb128               "aes-256-ofb"
+#define NID_aes_256_ofb128              428
+#define OBJ_aes_256_ofb128              OBJ_aes,43L
+
+#define SN_aes_256_cfb128               "AES-256-CFB"
+#define LN_aes_256_cfb128               "aes-256-cfb"
+#define NID_aes_256_cfb128              429
+#define OBJ_aes_256_cfb128              OBJ_aes,44L
+
+#define SN_hold_instruction_code                "holdInstructionCode"
+#define LN_hold_instruction_code                "Hold Instruction Code"
+#define NID_hold_instruction_code               430
+#define OBJ_hold_instruction_code               OBJ_id_ce,23L
+
+#define OBJ_holdInstruction             OBJ_X9_57,2L
+
+#define SN_hold_instruction_none                "holdInstructionNone"
+#define LN_hold_instruction_none                "Hold Instruction None"
+#define NID_hold_instruction_none               431
+#define OBJ_hold_instruction_none               OBJ_holdInstruction,1L
+
+#define SN_hold_instruction_call_issuer         "holdInstructionCallIssuer"
+#define LN_hold_instruction_call_issuer         "Hold Instruction Call Issuer"
+#define NID_hold_instruction_call_issuer                432
+#define OBJ_hold_instruction_call_issuer                OBJ_holdInstruction,2L
+
+#define SN_hold_instruction_reject              "holdInstructionReject"
+#define LN_hold_instruction_reject              "Hold Instruction Reject"
+#define NID_hold_instruction_reject             433
+#define OBJ_hold_instruction_reject             OBJ_holdInstruction,3L
+
+#define SN_data         "data"
+#define NID_data                434
+#define OBJ_data                OBJ_ccitt,9L
+
+#define SN_pss          "pss"
+#define NID_pss         435
+#define OBJ_pss         OBJ_data,2342L
+
+#define SN_ucl          "ucl"
+#define NID_ucl         436
+#define OBJ_ucl         OBJ_pss,19200300L
+
+#define SN_pilot                "pilot"
+#define NID_pilot               437
+#define OBJ_pilot               OBJ_ucl,100L
+
+#define LN_pilotAttributeType           "pilotAttributeType"
+#define NID_pilotAttributeType          438
+#define OBJ_pilotAttributeType          OBJ_pilot,1L
+
+#define LN_pilotAttributeSyntax         "pilotAttributeSyntax"
+#define NID_pilotAttributeSyntax                439
+#define OBJ_pilotAttributeSyntax                OBJ_pilot,3L
+
+#define LN_pilotObjectClass             "pilotObjectClass"
+#define NID_pilotObjectClass            440
+#define OBJ_pilotObjectClass            OBJ_pilot,4L
+
+#define LN_pilotGroups          "pilotGroups"
+#define NID_pilotGroups         441
+#define OBJ_pilotGroups         OBJ_pilot,10L
+
+#define LN_iA5StringSyntax              "iA5StringSyntax"
+#define NID_iA5StringSyntax             442
+#define OBJ_iA5StringSyntax             OBJ_pilotAttributeSyntax,4L
+
+#define LN_caseIgnoreIA5StringSyntax            "caseIgnoreIA5StringSyntax"
+#define NID_caseIgnoreIA5StringSyntax           443
+#define OBJ_caseIgnoreIA5StringSyntax           OBJ_pilotAttributeSyntax,5L
+
+#define LN_pilotObject          "pilotObject"
+#define NID_pilotObject         444
+#define OBJ_pilotObject         OBJ_pilotObjectClass,3L
+
+#define LN_pilotPerson          "pilotPerson"
+#define NID_pilotPerson         445
+#define OBJ_pilotPerson         OBJ_pilotObjectClass,4L
+
+#define SN_account              "account"
+#define NID_account             446
+#define OBJ_account             OBJ_pilotObjectClass,5L
+
+#define SN_document             "document"
+#define NID_document            447
+#define OBJ_document            OBJ_pilotObjectClass,6L
+
+#define SN_room         "room"
+#define NID_room                448
+#define OBJ_room                OBJ_pilotObjectClass,7L
+
+#define LN_documentSeries               "documentSeries"
+#define NID_documentSeries              449
+#define OBJ_documentSeries              OBJ_pilotObjectClass,9L
+
+#define SN_Domain               "domain"
+#define LN_Domain               "Domain"
+#define NID_Domain              392
+#define OBJ_Domain              OBJ_pilotObjectClass,13L
+
+#define LN_rFC822localPart              "rFC822localPart"
+#define NID_rFC822localPart             450
+#define OBJ_rFC822localPart             OBJ_pilotObjectClass,14L
+
+#define LN_dNSDomain            "dNSDomain"
+#define NID_dNSDomain           451
+#define OBJ_dNSDomain           OBJ_pilotObjectClass,15L
+
+#define LN_domainRelatedObject          "domainRelatedObject"
+#define NID_domainRelatedObject         452
+#define OBJ_domainRelatedObject         OBJ_pilotObjectClass,17L
+
+#define LN_friendlyCountry              "friendlyCountry"
+#define NID_friendlyCountry             453
+#define OBJ_friendlyCountry             OBJ_pilotObjectClass,18L
+
+#define LN_simpleSecurityObject         "simpleSecurityObject"
+#define NID_simpleSecurityObject                454
+#define OBJ_simpleSecurityObject                OBJ_pilotObjectClass,19L
+
+#define LN_pilotOrganization            "pilotOrganization"
+#define NID_pilotOrganization           455
+#define OBJ_pilotOrganization           OBJ_pilotObjectClass,20L
+
+#define LN_pilotDSA             "pilotDSA"
+#define NID_pilotDSA            456
+#define OBJ_pilotDSA            OBJ_pilotObjectClass,21L
+
+#define LN_qualityLabelledData          "qualityLabelledData"
+#define NID_qualityLabelledData         457
+#define OBJ_qualityLabelledData         OBJ_pilotObjectClass,22L
+
+#define SN_userId               "UID"
+#define LN_userId               "userId"
+#define NID_userId              458
+#define OBJ_userId              OBJ_pilotAttributeType,1L
+
+#define LN_textEncodedORAddress         "textEncodedORAddress"
+#define NID_textEncodedORAddress                459
+#define OBJ_textEncodedORAddress                OBJ_pilotAttributeType,2L
+
+#define SN_rfc822Mailbox                "mail"
+#define LN_rfc822Mailbox                "rfc822Mailbox"
+#define NID_rfc822Mailbox               460
+#define OBJ_rfc822Mailbox               OBJ_pilotAttributeType,3L
+
+#define SN_info         "info"
+#define NID_info                461
+#define OBJ_info                OBJ_pilotAttributeType,4L
+
+#define LN_favouriteDrink               "favouriteDrink"
+#define NID_favouriteDrink              462
+#define OBJ_favouriteDrink              OBJ_pilotAttributeType,5L
+
+#define LN_roomNumber           "roomNumber"
+#define NID_roomNumber          463
+#define OBJ_roomNumber          OBJ_pilotAttributeType,6L
+
+#define SN_photo                "photo"
+#define NID_photo               464
+#define OBJ_photo               OBJ_pilotAttributeType,7L
+
+#define LN_userClass            "userClass"
+#define NID_userClass           465
+#define OBJ_userClass           OBJ_pilotAttributeType,8L
+
+#define SN_host         "host"
+#define NID_host                466
+#define OBJ_host                OBJ_pilotAttributeType,9L
+
+#define SN_manager              "manager"
+#define NID_manager             467
+#define OBJ_manager             OBJ_pilotAttributeType,10L
+
+#define LN_documentIdentifier           "documentIdentifier"
+#define NID_documentIdentifier          468
+#define OBJ_documentIdentifier          OBJ_pilotAttributeType,11L
+
+#define LN_documentTitle                "documentTitle"
+#define NID_documentTitle               469
+#define OBJ_documentTitle               OBJ_pilotAttributeType,12L
+
+#define LN_documentVersion              "documentVersion"
+#define NID_documentVersion             470
+#define OBJ_documentVersion             OBJ_pilotAttributeType,13L
+
+#define LN_documentAuthor               "documentAuthor"
+#define NID_documentAuthor              471
+#define OBJ_documentAuthor              OBJ_pilotAttributeType,14L
+
+#define LN_documentLocation             "documentLocation"
+#define NID_documentLocation            472
+#define OBJ_documentLocation            OBJ_pilotAttributeType,15L
+
+#define LN_homeTelephoneNumber          "homeTelephoneNumber"
+#define NID_homeTelephoneNumber         473
+#define OBJ_homeTelephoneNumber         OBJ_pilotAttributeType,20L
+
+#define SN_secretary            "secretary"
+#define NID_secretary           474
+#define OBJ_secretary           OBJ_pilotAttributeType,21L
+
+#define LN_otherMailbox         "otherMailbox"
+#define NID_otherMailbox                475
+#define OBJ_otherMailbox                OBJ_pilotAttributeType,22L
+
+#define LN_lastModifiedTime             "lastModifiedTime"
+#define NID_lastModifiedTime            476
+#define OBJ_lastModifiedTime            OBJ_pilotAttributeType,23L
+
+#define LN_lastModifiedBy               "lastModifiedBy"
+#define NID_lastModifiedBy              477
+#define OBJ_lastModifiedBy              OBJ_pilotAttributeType,24L
+
+#define SN_domainComponent              "DC"
+#define LN_domainComponent              "domainComponent"
+#define NID_domainComponent             391
+#define OBJ_domainComponent             OBJ_pilotAttributeType,25L
+
+#define LN_aRecord              "aRecord"
+#define NID_aRecord             478
+#define OBJ_aRecord             OBJ_pilotAttributeType,26L
+
+#define LN_pilotAttributeType27         "pilotAttributeType27"
+#define NID_pilotAttributeType27                479
+#define OBJ_pilotAttributeType27                OBJ_pilotAttributeType,27L
+
+#define LN_mXRecord             "mXRecord"
+#define NID_mXRecord            480
+#define OBJ_mXRecord            OBJ_pilotAttributeType,28L
+
+#define LN_nSRecord             "nSRecord"
+#define NID_nSRecord            481
+#define OBJ_nSRecord            OBJ_pilotAttributeType,29L
+
+#define LN_sOARecord            "sOARecord"
+#define NID_sOARecord           482
+#define OBJ_sOARecord           OBJ_pilotAttributeType,30L
+
+#define LN_cNAMERecord          "cNAMERecord"
+#define NID_cNAMERecord         483
+#define OBJ_cNAMERecord         OBJ_pilotAttributeType,31L
+
+#define LN_associatedDomain             "associatedDomain"
+#define NID_associatedDomain            484
+#define OBJ_associatedDomain            OBJ_pilotAttributeType,37L
+
+#define LN_associatedName               "associatedName"
+#define NID_associatedName              485
+#define OBJ_associatedName              OBJ_pilotAttributeType,38L
+
+#define LN_homePostalAddress            "homePostalAddress"
+#define NID_homePostalAddress           486
+#define OBJ_homePostalAddress           OBJ_pilotAttributeType,39L
+
+#define LN_personalTitle                "personalTitle"
+#define NID_personalTitle               487
+#define OBJ_personalTitle               OBJ_pilotAttributeType,40L
+
+#define LN_mobileTelephoneNumber                "mobileTelephoneNumber"
+#define NID_mobileTelephoneNumber               488
+#define OBJ_mobileTelephoneNumber               OBJ_pilotAttributeType,41L
+
+#define LN_pagerTelephoneNumber         "pagerTelephoneNumber"
+#define NID_pagerTelephoneNumber                489
+#define OBJ_pagerTelephoneNumber                OBJ_pilotAttributeType,42L
+
+#define LN_friendlyCountryName          "friendlyCountryName"
+#define NID_friendlyCountryName         490
+#define OBJ_friendlyCountryName         OBJ_pilotAttributeType,43L
+
+#define LN_organizationalStatus         "organizationalStatus"
+#define NID_organizationalStatus                491
+#define OBJ_organizationalStatus                OBJ_pilotAttributeType,45L
+
+#define LN_janetMailbox         "janetMailbox"
+#define NID_janetMailbox                492
+#define OBJ_janetMailbox                OBJ_pilotAttributeType,46L
+
+#define LN_mailPreferenceOption         "mailPreferenceOption"
+#define NID_mailPreferenceOption                493
+#define OBJ_mailPreferenceOption                OBJ_pilotAttributeType,47L
+
+#define LN_buildingName         "buildingName"
+#define NID_buildingName                494
+#define OBJ_buildingName                OBJ_pilotAttributeType,48L
+
+#define LN_dSAQuality           "dSAQuality"
+#define NID_dSAQuality          495
+#define OBJ_dSAQuality          OBJ_pilotAttributeType,49L
+
+#define LN_singleLevelQuality           "singleLevelQuality"
+#define NID_singleLevelQuality          496
+#define OBJ_singleLevelQuality          OBJ_pilotAttributeType,50L
+
+#define LN_subtreeMinimumQuality                "subtreeMinimumQuality"
+#define NID_subtreeMinimumQuality               497
+#define OBJ_subtreeMinimumQuality               OBJ_pilotAttributeType,51L
+
+#define LN_subtreeMaximumQuality                "subtreeMaximumQuality"
+#define NID_subtreeMaximumQuality               498
+#define OBJ_subtreeMaximumQuality               OBJ_pilotAttributeType,52L
+
+#define LN_personalSignature            "personalSignature"
+#define NID_personalSignature           499
+#define OBJ_personalSignature           OBJ_pilotAttributeType,53L
+
+#define LN_dITRedirect          "dITRedirect"
+#define NID_dITRedirect         500
+#define OBJ_dITRedirect         OBJ_pilotAttributeType,54L
+
+#define SN_audio                "audio"
+#define NID_audio               501
+#define OBJ_audio               OBJ_pilotAttributeType,55L
+
+#define LN_documentPublisher            "documentPublisher"
+#define NID_documentPublisher           502
+#define OBJ_documentPublisher           OBJ_pilotAttributeType,56L
+
diff --git a/src/lib/libcrypto/objects/obj_mac.num b/src/lib/libcrypto/objects/obj_mac.num
index d73a51370f..02b39062fe 100644
--- a/src/lib/libcrypto/objects/obj_mac.num
+++ b/src/lib/libcrypto/objects/obj_mac.num
@@ -30,8 +30,8 @@ dhKeyAgreement		28
 des_ecb         29
 des_cfb64               30
 des_cbc         31
-des_ede         32
-des_ede3                33
+des_ede_ecb             32
+des_ede3_ecb            33
 idea_cbc                34
 idea_cfb64              35
 idea_ecb                36
@@ -390,3 +390,120 @@ Enterprises		389
 dcObject                390
 domainComponent         391
 Domain          392
+joint_iso_ccitt         393
+selected_attribute_types                394
+clearance               395
+md4WithRSAEncryption            396
+ac_proxying             397
+sinfo_access            398
+id_aca_encAttrs         399
+role            400
+policy_constraints              401
+target_information              402
+no_rev_avail            403
+ccitt           404
+ansi_X9_62              405
+X9_62_prime_field               406
+X9_62_characteristic_two_field          407
+X9_62_id_ecPublicKey            408
+X9_62_prime192v1                409
+X9_62_prime192v2                410
+X9_62_prime192v3                411
+X9_62_prime239v1                412
+X9_62_prime239v2                413
+X9_62_prime239v3                414
+X9_62_prime256v1                415
+ecdsa_with_SHA1         416
+ms_csp_name             417
+aes_128_ecb             418
+aes_128_cbc             419
+aes_128_ofb128          420
+aes_128_cfb128          421
+aes_192_ecb             422
+aes_192_cbc             423
+aes_192_ofb128          424
+aes_192_cfb128          425
+aes_256_ecb             426
+aes_256_cbc             427
+aes_256_ofb128          428
+aes_256_cfb128          429
+hold_instruction_code           430
+hold_instruction_none           431
+hold_instruction_call_issuer            432
+hold_instruction_reject         433
+data            434
+pss             435
+ucl             436
+pilot           437
+pilotAttributeType              438
+pilotAttributeSyntax            439
+pilotObjectClass                440
+pilotGroups             441
+iA5StringSyntax         442
+caseIgnoreIA5StringSyntax               443
+pilotObject             444
+pilotPerson             445
+account         446
+document                447
+room            448
+documentSeries          449
+rFC822localPart         450
+dNSDomain               451
+domainRelatedObject             452
+friendlyCountry         453
+simpleSecurityObject            454
+pilotOrganization               455
+pilotDSA                456
+qualityLabelledData             457
+userId          458
+textEncodedORAddress            459
+rfc822Mailbox           460
+info            461
+favouriteDrink          462
+roomNumber              463
+photo           464
+userClass               465
+host            466
+manager         467
+documentIdentifier              468
+documentTitle           469
+documentVersion         470
+documentAuthor          471
+documentLocation                472
+homeTelephoneNumber             473
+secretary               474
+otherMailbox            475
+lastModifiedTime                476
+lastModifiedBy          477
+aRecord         478
+pilotAttributeType27            479
+mXRecord                480
+nSRecord                481
+sOARecord               482
+cNAMERecord             483
+associatedDomain                484
+associatedName          485
+homePostalAddress               486
+personalTitle           487
+mobileTelephoneNumber           488
+pagerTelephoneNumber            489
+friendlyCountryName             490
+organizationalStatus            491
+janetMailbox            492
+mailPreferenceOption            493
+buildingName            494
+dSAQuality              495
+singleLevelQuality              496
+subtreeMinimumQuality           497
+subtreeMaximumQuality           498
+personalSignature               499
+dITRedirect             500
+audio           501
+documentPublisher               502
+x500UniqueIdentifier            503
+mime_mhs                504
+mime_mhs_headings               505
+mime_mhs_bodies         506
+id_hex_partial_message          507
+id_hex_multipart_message                508
+generationQualifier             509
diff --git a/src/lib/libcrypto/objects/objects.h b/src/lib/libcrypto/objects/objects.h
index c099e2e84e..de10532813 100644
--- a/src/lib/libcrypto/objects/objects.h
+++ b/src/lib/libcrypto/objects/objects.h
@@ -452,54 +452,54 @@
 #define LN_desx_cbc                     "desx-cbc"
 #define NID_desx_cbc                    80
 
-#define SN_ld_ce                        "ld-ce"
-#define NID_ld_ce                       81
-#define OBJ_ld_ce                       2L,5L,29L
+#define SN_id_ce                        "id-ce"
+#define NID_id_ce                       81
+#define OBJ_id_ce                       2L,5L,29L
 
 #define SN_subject_key_identifier       "subjectKeyIdentifier"
 #define LN_subject_key_identifier       "X509v3 Subject Key Identifier"
 #define NID_subject_key_identifier      82
-#define OBJ_subject_key_identifier      OBJ_ld_ce,14L
+#define OBJ_subject_key_identifier      OBJ_id_ce,14L
 
 #define SN_key_usage                    "keyUsage"
 #define LN_key_usage                    "X509v3 Key Usage"
 #define NID_key_usage                   83
-#define OBJ_key_usage                   OBJ_ld_ce,15L
+#define OBJ_key_usage                   OBJ_id_ce,15L
 
 #define SN_private_key_usage_period     "privateKeyUsagePeriod"
 #define LN_private_key_usage_period     "X509v3 Private Key Usage Period"
 #define NID_private_key_usage_period    84
-#define OBJ_private_key_usage_period    OBJ_ld_ce,16L
+#define OBJ_private_key_usage_period    OBJ_id_ce,16L
 
 #define SN_subject_alt_name             "subjectAltName"
 #define LN_subject_alt_name             "X509v3 Subject Alternative Name"
 #define NID_subject_alt_name            85
-#define OBJ_subject_alt_name            OBJ_ld_ce,17L
+#define OBJ_subject_alt_name            OBJ_id_ce,17L
 
 #define SN_issuer_alt_name              "issuerAltName"
 #define LN_issuer_alt_name              "X509v3 Issuer Alternative Name"
 #define NID_issuer_alt_name             86
-#define OBJ_issuer_alt_name             OBJ_ld_ce,18L
+#define OBJ_issuer_alt_name             OBJ_id_ce,18L
 
 #define SN_basic_constraints            "basicConstraints"
 #define LN_basic_constraints            "X509v3 Basic Constraints"
 #define NID_basic_constraints           87
-#define OBJ_basic_constraints           OBJ_ld_ce,19L
+#define OBJ_basic_constraints           OBJ_id_ce,19L
 
 #define SN_crl_number                   "crlNumber"
 #define LN_crl_number                   "X509v3 CRL Number"
 #define NID_crl_number                  88
-#define OBJ_crl_number                  OBJ_ld_ce,20L
+#define OBJ_crl_number                  OBJ_id_ce,20L
 
 #define SN_certificate_policies         "certificatePolicies"
 #define LN_certificate_policies         "X509v3 Certificate Policies"
 #define NID_certificate_policies        89
-#define OBJ_certificate_policies        OBJ_ld_ce,32L
+#define OBJ_certificate_policies        OBJ_id_ce,32L
 
 #define SN_authority_key_identifier     "authorityKeyIdentifier"
 #define LN_authority_key_identifier     "X509v3 Authority Key Identifier"
 #define NID_authority_key_identifier    90
-#define OBJ_authority_key_identifier    OBJ_ld_ce,35L
+#define OBJ_authority_key_identifier    OBJ_id_ce,35L
 
 #define SN_bf_cbc                       "BF-CBC"
 #define LN_bf_cbc                       "bf-cbc"
@@ -560,7 +560,7 @@
 #define SN_crl_distribution_points      "crlDistributionPoints"
 #define LN_crl_distribution_points      "X509v3 CRL Distribution Points"
 #define NID_crl_distribution_points     103
-#define OBJ_crl_distribution_points     OBJ_ld_ce,31L
+#define OBJ_crl_distribution_points     OBJ_id_ce,31L
 
 #define SN_md5WithRSA                   "RSA-NP-MD5"
 #define LN_md5WithRSA                   "md5WithRSA"
@@ -677,7 +677,7 @@
 #define SN_ext_key_usage                "extendedKeyUsage"
 #define LN_ext_key_usage                "X509v3 Extended Key Usage"
 #define NID_ext_key_usage               126
-#define OBJ_ext_key_usage               OBJ_ld_ce,37
+#define OBJ_ext_key_usage               OBJ_id_ce,37
 
 #define SN_id_pkix                      "PKIX"
 #define NID_id_pkix                     127
@@ -751,17 +751,17 @@
 #define SN_delta_crl                    "deltaCRL"
 #define LN_delta_crl                    "X509v3 Delta CRL Indicator"
 #define NID_delta_crl                   140
-#define OBJ_delta_crl                   OBJ_ld_ce,27L
+#define OBJ_delta_crl                   OBJ_id_ce,27L
 
 #define SN_crl_reason                   "CRLReason"
 #define LN_crl_reason                   "CRL Reason Code"
 #define NID_crl_reason                  141
-#define OBJ_crl_reason                  OBJ_ld_ce,21L
+#define OBJ_crl_reason                  OBJ_id_ce,21L
 
 #define SN_invalidity_date              "invalidityDate"
 #define LN_invalidity_date              "Invalidity Date"
 #define NID_invalidity_date             142
-#define OBJ_invalidity_date             OBJ_ld_ce,24L
+#define OBJ_invalidity_date             OBJ_id_ce,24L
 
 #define SN_sxnet                        "SXNetID"
 #define LN_sxnet                        "Strong Extranet ID"
@@ -985,31 +985,35 @@ typedef struct obj_name_st
 
 
 int OBJ_NAME_init(void);
-int OBJ_NAME_new_index(unsigned long (*hash_func)(const char *),int (*cmp_func)(const void *, const void *),
-        void (*free_func)(const char *, int, const char *));
+int OBJ_NAME_new_index(unsigned long (*hash_func)(const char *),
+                       int (*cmp_func)(const char *, const char *),
+                       void (*free_func)(const char *, int, const char *));
 const char *OBJ_NAME_get(const char *name,int type);
 int OBJ_NAME_add(const char *name,int type,const char *data);
 int OBJ_NAME_remove(const char *name,int type);
 void OBJ_NAME_cleanup(int type); /* -1 for everything */
+void OBJ_NAME_do_all(int type,void (*fn)(const OBJ_NAME *,void *arg),
+                     void *arg);
+void OBJ_NAME_do_all_sorted(int type,void (*fn)(const OBJ_NAME *,void *arg),
+                            void *arg);
 
-ASN1_OBJECT *   OBJ_dup(ASN1_OBJECT *o);
+ASN1_OBJECT *   OBJ_dup(const ASN1_OBJECT *o);
 ASN1_OBJECT *   OBJ_nid2obj(int n);
 const char *    OBJ_nid2ln(int n);
 const char *    OBJ_nid2sn(int n);
-int             OBJ_obj2nid(ASN1_OBJECT *o);
+int             OBJ_obj2nid(const ASN1_OBJECT *o);
 ASN1_OBJECT *   OBJ_txt2obj(const char *s, int no_name);
-int     OBJ_obj2txt(char *buf, int buf_len, ASN1_OBJECT *a, int no_name);
-int             OBJ_txt2nid(char *s);
+int     OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name);
+int             OBJ_txt2nid(const char *s);
 int             OBJ_ln2nid(const char *s);
 int             OBJ_sn2nid(const char *s);
-int             OBJ_cmp(ASN1_OBJECT *a,ASN1_OBJECT *b);
-char *          OBJ_bsearch(char *key,char *base,int num,int size,int (*cmp)(const void *, const void *));
-
-void            ERR_load_OBJ_strings(void );
+int             OBJ_cmp(const ASN1_OBJECT *a,const ASN1_OBJECT *b);
+const char *    OBJ_bsearch(const char *key,const char *base,int num,int size,
+        int (*cmp)(const void *, const void *));
 
 int             OBJ_new_nid(int num);
-int             OBJ_add_object(ASN1_OBJECT *obj);
-int             OBJ_create(char *oid,char *sn,char *ln);
+int             OBJ_add_object(const ASN1_OBJECT *obj);
+int             OBJ_create(const char *oid,const char *sn,const char *ln);
 void            OBJ_cleanup(void );
 int             OBJ_create_objects(BIO *in);
 
@@ -1017,6 +1021,7 @@ int		OBJ_create_objects(BIO *in);
 /* The following lines are auto generated by the script mkerr.pl. Any changes
  * made after this point may be overwritten when the script is next run.
  */
+void ERR_load_OBJ_strings(void);
 
 /* Error codes for the OBJ functions. */
 
@@ -1035,4 +1040,3 @@ int		OBJ_create_objects(BIO *in);
 }
 #endif
 #endif
-
diff --git a/src/lib/libcrypto/objects/objects.pl b/src/lib/libcrypto/objects/objects.pl
index c956bbb841..76c06cc8f9 100644
--- a/src/lib/libcrypto/objects/objects.pl
+++ b/src/lib/libcrypto/objects/objects.pl
@@ -9,7 +9,9 @@ while(<NUMIN>)
         $o++;
         s/#.*$//;
         next if /^\s*$/;
+        $_ = 'X'.$_;
         ($Cname,$mynum) = split;
+        $Cname =~ s/^X//;
         if (defined($nidn{$mynum}))
                 { die "$ARGV[1]:$o:There's already an object with NID ",$mynum," on line ",$order{$mynum},"\n"; }
         $nid{$Cname} = $mynum;
@@ -114,7 +116,13 @@ close NUMOUT;
 
 open (OUT,">$ARGV[2]") || die "Can't open output file $ARGV[2]";
 print OUT <<'EOF';
-/* lib/obj/obj_mac.h */
+/* crypto/objects/obj_mac.h */
+
+/* THIS FILE IS GENERATED FROM objects.txt by objects.pl via the
+ * following command:
+ * perl objects.pl objects.txt obj_mac.num obj_mac.h
+ */
+
 /* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -172,11 +180,6 @@ print OUT <<'EOF';
  * [including the GNU Public Licence.]
  */
 
-/* THIS FILE IS GENERATED FROM objects.txt by objects.pl via the
- * following command:
- * perl objects.pl objects.txt obj_mac.num obj_mac.h
- */
-
 #define SN_undef                        "UNDEF"
 #define LN_undef                        "undefined"
 #define NID_undef                       0
@@ -207,6 +210,8 @@ sub process_oid
         if (!($a[0] =~ /^[0-9]+$/))
                 {
                 $a[0] =~ s/-/_/g;
+                if (!defined($obj{$a[0]}))
+                        { die "$ARGV[0]:$o:Undefined identifier ",$a[0],"\n"; }
                 $pref_oid = "OBJ_" . $a[0];
                 $pref_sep = ",";
                 shift @a;
diff --git a/src/lib/libcrypto/objects/objects.txt b/src/lib/libcrypto/objects/objects.txt
index 3d443cf884..65d0b15629 100644
--- a/src/lib/libcrypto/objects/objects.txt
+++ b/src/lib/libcrypto/objects/objects.txt
@@ -1,7 +1,15 @@
+0                       : CCITT                 : ccitt
+
 1                       : ISO                   : iso
 
+2                       : JOINT-ISO-CCITT       : joint-iso-ccitt
+
 iso 2                   : member-body           : ISO Member Body
 
+joint-iso-ccitt 5 1 5   : selected-attribute-types      : Selected Attribute Types
+
+selected-attribute-types 55     : clearance
+
 member-body 840         : ISO-US                : ISO US Member Body
 ISO-US 10040            : X9-57                 : X9.57
 X9-57 4                 : X9cm                  : X9.57 CM ?
@@ -10,6 +18,32 @@ X9-57 4			: X9cm			: X9.57 CM ?
 X9cm 1                  : DSA                   : dsaEncryption
 X9cm 3                  : DSA-SHA1              : dsaWithSHA1
 
+
+ISO-US 10045            : ansi-X9-62            : ANSI X9.62
+!module X9-62
+!Alias id-fieldType ansi-X9-62 1
+X9-62_id-fieldType 1            : prime-field
+X9-62_id-fieldType 2            : characteristic-two-field
+# ... characteristic-two-field OID subtree
+!Alias id-publicKeyType ansi-X9-62 2
+X9-62_id-publicKeyType 1        : id-ecPublicKey
+!Alias ellipticCurve ansi-X9-62 3
+!Alias c-TwoCurve X9-62_ellipticCurve 0
+# ... characteristic 2 curve OIDs
+!Alias primeCurve X9-62_ellipticCurve 1
+X9-62_primeCurve 1              : prime192v1
+X9-62_primeCurve 2              : prime192v2
+X9-62_primeCurve 3              : prime192v3
+X9-62_primeCurve 4              : prime239v1
+X9-62_primeCurve 5              : prime239v2
+X9-62_primeCurve 6              : prime239v3
+X9-62_primeCurve 7              : prime256v1
+!Alias id-ecSigType ansi-X9-62 4
+!global
+X9-62_id-ecSigType 1            : ecdsa-with-SHA1
+
+
+
 ISO-US 113533 7 66 10   : CAST5-CBC             : cast5-cbc
                         : CAST5-ECB             : cast5-ecb
 !Cname cast5-cfb64
@@ -26,6 +60,7 @@ rsadsi 1		: pkcs			: RSA Data Security, Inc. PKCS
 pkcs 1                  : pkcs1
 pkcs1 1                 :                       : rsaEncryption
 pkcs1 2                 : RSA-MD2               : md2WithRSAEncryption
+pkcs1 3                 : RSA-MD4               : md4WithRSAEncryption
 pkcs1 4                 : RSA-MD5               : md5WithRSAEncryption
 pkcs1 5                 : RSA-SHA1              : sha1WithRSAEncryption
 
@@ -61,7 +96,7 @@ pkcs7 6			:			: pkcs7-encryptedData
 
 pkcs 9                  : pkcs9
 !module pkcs9
-pkcs9 1                 : Email                 : emailAddress
+pkcs9 1                 :                       : emailAddress
 pkcs9 2                 :                       : unstructuredName
 pkcs9 3                 :                       : contentType
 pkcs9 4                 :                       : messageDigest
@@ -173,6 +208,8 @@ id-smime-cti 6		: id-smime-cti-ets-proofOfCreation
 
 pkcs9 20                :                       : friendlyName
 pkcs9 21                :                       : localKeyID
+!Cname ms-csp-name
+1 3 6 1 4 1 311 17 1    : CSPName               : Microsoft CSP Name
 !Alias certTypes pkcs9 22
 certTypes 1             :                       : x509Certificate
 certTypes 2             :                       : sdsiCertificate
@@ -302,6 +339,9 @@ id-pe 6			: aaControls
 id-pe 7                 : sbqp-ipAddrBlock
 id-pe 8                 : sbqp-autonomousSysNum
 id-pe 9                 : sbqp-routerIdentifier
+id-pe 10                : ac-proxying
+!Cname sinfo-access
+id-pe 11                : subjectInfoAccess     : Subject Information Access
 
 # PKIX policyQualifiers for Internet policy qualifiers
 id-qt 1                 : id-qt-cps             : Policy Qualifier CPS
@@ -396,17 +436,18 @@ id-on 1			: id-on-personalData
 # personal data attributes
 id-pda 1                : id-pda-dateOfBirth
 id-pda 2                : id-pda-placeOfBirth
-id-pda 3                : id-pda-pseudonym
-id-pda 4                : id-pda-gender
-id-pda 5                : id-pda-countryOfCitizenship
-id-pda 6                : id-pda-countryOfResidence
+id-pda 3                : id-pda-gender
+id-pda 4                : id-pda-countryOfCitizenship
+id-pda 5                : id-pda-countryOfResidence
 
 # attribute certificate attributes
 id-aca 1                : id-aca-authenticationInfo
 id-aca 2                : id-aca-accessIdentity
 id-aca 3                : id-aca-chargingIdentity
 id-aca 4                : id-aca-group
+# attention : the following seems to be obsolete, replace by 'role'
 id-aca 5                : id-aca-role
+id-aca 6                : id-aca-encAttrs
 
 # qualified certificate statements
 id-qcs 1                : id-qcs-pkixQCSyntax-v1
@@ -434,7 +475,7 @@ id-pkix-OCSP 1		: basicOCSPResponse	: Basic OCSP Response
 id-pkix-OCSP 2          : Nonce                 : OCSP Nonce
 id-pkix-OCSP 3          : CrlID                 : OCSP CRL ID
 id-pkix-OCSP 4          : acceptableResponses   : Acceptable OCSP Responses
-id-pkix-OCSP 5          : noCheck
+id-pkix-OCSP 5          : noCheck               : OCSP No Check
 id-pkix-OCSP 6          : archiveCutoff         : OCSP Archive Cutoff
 id-pkix-OCSP 7          : serviceLocator        : OCSP Service Locator
 id-pkix-OCSP 8          : extendedStatus        : Extended OCSP Status
@@ -456,7 +497,9 @@ algorithm 11		: rsaSignature
 algorithm 12            : DSA-old               : dsaEncryption-old
 algorithm 13            : DSA-SHA               : dsaWithSHA
 algorithm 15            : RSA-SHA               : shaWithRSAEncryption
+!Cname des-ede-ecb
 algorithm 17            : DES-EDE               : des-ede
+!Cname des-ede3-ecb
                         : DES-EDE3              : des-ede3
                         : DES-EDE-CBC           : des-ede-cbc
 !Cname des-ede-cfb64
@@ -484,20 +527,22 @@ algorithm 29		: RSA-SHA1-2		: sha1WithRSA
 
 X500 4                  : X509
 X509 3                  : CN                    : commonName
-X509 4                  : S                     : surname
-X509 5                  : SN                    : serialNumber
+X509 4                  : SN                    : surname
+X509 5                  :                       : serialNumber
 X509 6                  : C                     : countryName
 X509 7                  : L                     : localityName
 X509 8                  : ST                    : stateOrProvinceName
 X509 10                 : O                     : organizationName
 X509 11                 : OU                    : organizationalUnitName
-X509 12                 : T                     : title
-X509 13                 : D                     : description
+X509 12                 :                       : title
+X509 13                 :                       : description
 X509 41                 : name                  : name
-X509 42                 : G                     : givenName
-X509 43                 : I                     : initials
-X509 45                 : UID                   : uniqueIdentifier
+X509 42                 : gn                    : givenName
+X509 43                 :                       : initials
+X509 44                 :                       : generationQualifier
+X509 45                 :                       : x500UniqueIdentifier
 X509 46                 : dnQualifier           : dnQualifier
+X509 72                 : role                  : role
 
 X500 8                  : X500algorithms        : directory services - algorithms
 X500algorithms 1 1      : RSA                   : rsa
@@ -531,8 +576,14 @@ id-ce 31		: crlDistributionPoints	: X509v3 CRL Distribution Points
 id-ce 32                : certificatePolicies   : X509v3 Certificate Policies
 !Cname authority-key-identifier
 id-ce 35                : authorityKeyIdentifier : X509v3 Authority Key Identifier
+!Cname policy-constraints
+id-ce 36                : policyConstraints     : X509v3 Policy Constraints
 !Cname ext-key-usage
 id-ce 37                : extendedKeyUsage      : X509v3 Extended Key Usage
+!Cname target-information
+id-ce 55                : targetInformation     : X509v3 AC Targeting
+!Cname no-rev-avail
+id-ce 56                : noRevAvail            : X509v3 No Revocation Available
 
 !Cname netscape
 2 16 840 1 113730       : Netscape              : Netscape Communications Corp.
@@ -573,17 +624,24 @@ internet 3		: experimental		: Experimental
 internet 4              : private               : Private
 internet 5              : security              : Security
 internet 6              : snmpv2                : SNMPv2
-internet 7              : mail                  : Mail
+# Documents refer to "internet 7" as "mail". This however leads to ambiguities
+# with RFC2798, Section 9.1.3, where "mail" is defined as the short name for
+# rfc822Mailbox. The short name is therefore here left out for a reason.
+# Subclasses of "mail", e.g. "MIME MHS" don't consitute a problem, as
+# references are realized via long name "Mail" (with capital M).
+internet 7              :                       : Mail
 
-private 1               : enterprises           : Enterprises
+Private 1               : enterprises           : Enterprises
 
 # RFC 2247
-enterprises 1466 344    : dcobject              : dcObject
+Enterprises 1466 344    : dcobject              : dcObject
 
-# Stray OIDs we don't know the full name of each step for
-# RFC 2247
-0 9 2342 19200300 100 1 25 : DC                 : domainComponent
-0 9 2342 19200300 100 4 13 : domain             : Domain
+# RFC 1495
+Mail 1                  : mime-mhs              : MIME MHS
+mime-mhs 1              : mime-mhs-headings     : mime-mhs-headings
+mime-mhs 2              : mime-mhs-bodies       : mime-mhs-bodies
+mime-mhs-headings 1     : id-hex-partial-message : id-hex-partial-message
+mime-mhs-headings 2     : id-hex-multipart-message : id-hex-multipart-message
 
 # What the hell are these OIDs, really?
 !Cname rle-compression
@@ -591,3 +649,116 @@ enterprises 1466 344	: dcobject		: dcObject
 !Cname zlib-compression
 1 1 1 1 666 2           : ZLIB                  : zlib compression
 
+# AES aka Rijndael
+
+!Alias csor 2 16 840 1 101 3
+!Alias nistAlgorithms csor 4
+!Alias aes nistAlgorithms 1
+
+aes 1                   : AES-128-ECB           : aes-128-ecb
+aes 2                   : AES-128-CBC           : aes-128-cbc
+!Cname aes-128-ofb128
+aes 3                   : AES-128-OFB           : aes-128-ofb
+!Cname aes-128-cfb128
+aes 4                   : AES-128-CFB           : aes-128-cfb
+
+aes 21                  : AES-192-ECB           : aes-192-ecb
+aes 22                  : AES-192-CBC           : aes-192-cbc
+!Cname aes-192-ofb128
+aes 23                  : AES-192-OFB           : aes-192-ofb
+!Cname aes-192-cfb128
+aes 24                  : AES-192-CFB           : aes-192-cfb
+
+aes 41                  : AES-256-ECB           : aes-256-ecb
+aes 42                  : AES-256-CBC           : aes-256-cbc
+!Cname aes-256-ofb128
+aes 43                  : AES-256-OFB           : aes-256-ofb
+!Cname aes-256-cfb128
+aes 44                  : AES-256-CFB           : aes-256-cfb
+
+# Hold instruction CRL entry extension
+!Cname hold-instruction-code
+id-ce 23                : holdInstructionCode   : Hold Instruction Code
+!Alias holdInstruction  X9-57 2
+!Cname hold-instruction-none
+holdInstruction 1       : holdInstructionNone   : Hold Instruction None
+!Cname hold-instruction-call-issuer
+holdInstruction 2       : holdInstructionCallIssuer : Hold Instruction Call Issuer
+!Cname hold-instruction-reject
+holdInstruction 3       : holdInstructionReject : Hold Instruction Reject
+
+# OID's from CCITT.  Most of this is defined in RFC 1274.  A couple of
+# them are also mentioned in RFC 2247
+ccitt 9                 : data
+data 2342               : pss
+pss 19200300            : ucl
+ucl 100                 : pilot
+pilot 1                 :                       : pilotAttributeType
+pilot 3                 :                       : pilotAttributeSyntax
+pilot 4                 :                       : pilotObjectClass
+pilot 10                :                       : pilotGroups
+pilotAttributeSyntax 4  :                       : iA5StringSyntax
+pilotAttributeSyntax 5  :                       : caseIgnoreIA5StringSyntax
+pilotObjectClass 3      :                       : pilotObject
+pilotObjectClass 4      :                       : pilotPerson
+pilotObjectClass 5      : account
+pilotObjectClass 6      : document
+pilotObjectClass 7      : room
+pilotObjectClass 9      :                       : documentSeries
+pilotObjectClass 13     : domain                : Domain
+pilotObjectClass 14     :                       : rFC822localPart
+pilotObjectClass 15     :                       : dNSDomain
+pilotObjectClass 17     :                       : domainRelatedObject
+pilotObjectClass 18     :                       : friendlyCountry
+pilotObjectClass 19     :                       : simpleSecurityObject
+pilotObjectClass 20     :                       : pilotOrganization
+pilotObjectClass 21     :                       : pilotDSA
+pilotObjectClass 22     :                       : qualityLabelledData
+pilotAttributeType 1    : UID                   : userId
+pilotAttributeType 2    :                       : textEncodedORAddress
+pilotAttributeType 3    : mail                  : rfc822Mailbox
+pilotAttributeType 4    : info
+pilotAttributeType 5    :                       : favouriteDrink
+pilotAttributeType 6    :                       : roomNumber
+pilotAttributeType 7    : photo
+pilotAttributeType 8    :                       : userClass
+pilotAttributeType 9    : host
+pilotAttributeType 10   : manager
+pilotAttributeType 11   :                       : documentIdentifier
+pilotAttributeType 12   :                       : documentTitle
+pilotAttributeType 13   :                       : documentVersion
+pilotAttributeType 14   :                       : documentAuthor
+pilotAttributeType 15   :                       : documentLocation
+pilotAttributeType 20   :                       : homeTelephoneNumber
+pilotAttributeType 21   : secretary
+pilotAttributeType 22   :                       : otherMailbox
+pilotAttributeType 23   :                       : lastModifiedTime
+pilotAttributeType 24   :                       : lastModifiedBy
+pilotAttributeType 25   : DC                    : domainComponent
+pilotAttributeType 26   :                       : aRecord
+pilotAttributeType 27   :                       : pilotAttributeType27
+pilotAttributeType 28   :                       : mXRecord
+pilotAttributeType 29   :                       : nSRecord
+pilotAttributeType 30   :                       : sOARecord
+pilotAttributeType 31   :                       : cNAMERecord
+pilotAttributeType 37   :                       : associatedDomain
+pilotAttributeType 38   :                       : associatedName
+pilotAttributeType 39   :                       : homePostalAddress
+pilotAttributeType 40   :                       : personalTitle
+pilotAttributeType 41   :                       : mobileTelephoneNumber
+pilotAttributeType 42   :                       : pagerTelephoneNumber
+pilotAttributeType 43   :                       : friendlyCountryName
+# The following clashes with 2.5.4.45, so commented away
+#pilotAttributeType 44  : uid                   : uniqueIdentifier
+pilotAttributeType 45   :                       : organizationalStatus
+pilotAttributeType 46   :                       : janetMailbox
+pilotAttributeType 47   :                       : mailPreferenceOption
+pilotAttributeType 48   :                       : buildingName
+pilotAttributeType 49   :                       : dSAQuality
+pilotAttributeType 50   :                       : singleLevelQuality
+pilotAttributeType 51   :                       : subtreeMinimumQuality
+pilotAttributeType 52   :                       : subtreeMaximumQuality
+pilotAttributeType 53   :                       : personalSignature
+pilotAttributeType 54   :                       : dITRedirect
+pilotAttributeType 55   : audio
+pilotAttributeType 56   :                       : documentPublisher
diff --git a/src/lib/libcrypto/ocsp/Makefile.ssl b/src/lib/libcrypto/ocsp/Makefile.ssl
new file mode 100644
index 0000000000..b69abdc1c7
--- /dev/null
+++ b/src/lib/libcrypto/ocsp/Makefile.ssl
@@ -0,0 +1,221 @@
+#
+# OpenSSL/ocsp/Makefile.ssl
+#
+
+DIR=    ocsp
+TOP=    ../..
+CC=     cc
+INCLUDES= -I.. -I$(TOP) -I../../include
+CFLAG=-g
+INSTALL_PREFIX=
+OPENSSLDIR=     /usr/local/ssl
+INSTALLTOP=/usr/local/ssl
+MAKE=           make -f Makefile.ssl
+MAKEDEPPROG=    makedepend
+MAKEDEPEND=     $(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)
+MAKEFILE=       Makefile.ssl
+AR=             ar r
+
+CFLAGS= $(INCLUDES) $(CFLAG)
+
+GENERAL=Makefile README
+TEST=
+APPS=
+
+LIB=$(TOP)/libcrypto.a
+LIBSRC= ocsp_asn.c ocsp_ext.c ocsp_ht.c ocsp_lib.c ocsp_cl.c \
+        ocsp_srv.c ocsp_prn.c ocsp_vfy.c ocsp_err.c
+
+LIBOBJ= ocsp_asn.o ocsp_ext.o ocsp_ht.o ocsp_lib.o ocsp_cl.o \
+        ocsp_srv.o ocsp_prn.o ocsp_vfy.o ocsp_err.o
+
+SRC= $(LIBSRC)
+
+EXHEADER= ocsp.h
+HEADER= $(EXHEADER)
+
+ALL=    $(GENERAL) $(SRC) $(HEADER)
+
+top:
+        (cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
+
+all:    lib
+
+lib:    $(LIBOBJ)
+        $(AR) $(LIB) $(LIBOBJ)
+        $(RANLIB) $(LIB)
+        @touch lib
+
+files:
+        perl $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO
+
+links:
+        $(TOP)/util/point.sh Makefile.ssl Makefile ;
+        $(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
+        $(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
+        $(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
+
+install:
+        @for i in $(EXHEADER) ; \
+        do  \
+        (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
+        chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
+        done;
+
+tags:
+        ctags $(SRC)
+
+tests:
+
+lint:
+        lint -DLINT $(INCLUDES) $(SRC)>fluff
+
+depend:
+        $(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(LIBSRC)
+
+dclean:
+        $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
+        mv -f Makefile.new $(MAKEFILE)
+
+clean:
+        rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
+
+# DO NOT DELETE THIS LINE -- make depend depends on it.
+
+ocsp_asn.o: ../../include/openssl/asn1.h ../../include/openssl/asn1t.h
+ocsp_asn.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+ocsp_asn.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
+ocsp_asn.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
+ocsp_asn.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+ocsp_asn.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+ocsp_asn.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+ocsp_asn.o: ../../include/openssl/ocsp.h ../../include/openssl/opensslconf.h
+ocsp_asn.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+ocsp_asn.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
+ocsp_asn.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+ocsp_asn.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+ocsp_asn.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+ocsp_asn.o: ../../include/openssl/x509v3.h ocsp_asn.c
+ocsp_cl.o: ../../e_os.h ../../include/openssl/asn1.h
+ocsp_cl.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+ocsp_cl.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
+ocsp_cl.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
+ocsp_cl.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+ocsp_cl.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+ocsp_cl.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+ocsp_cl.o: ../../include/openssl/objects.h ../../include/openssl/ocsp.h
+ocsp_cl.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+ocsp_cl.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pem.h
+ocsp_cl.o: ../../include/openssl/pem2.h ../../include/openssl/pkcs7.h
+ocsp_cl.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h
+ocsp_cl.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+ocsp_cl.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+ocsp_cl.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+ocsp_cl.o: ../../include/openssl/x509v3.h ../cryptlib.h ocsp_cl.c
+ocsp_err.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+ocsp_err.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+ocsp_err.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
+ocsp_err.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+ocsp_err.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+ocsp_err.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+ocsp_err.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+ocsp_err.o: ../../include/openssl/ocsp.h ../../include/openssl/opensslconf.h
+ocsp_err.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+ocsp_err.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
+ocsp_err.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+ocsp_err.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+ocsp_err.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+ocsp_err.o: ../../include/openssl/x509v3.h ocsp_err.c
+ocsp_ext.o: ../../e_os.h ../../include/openssl/asn1.h
+ocsp_ext.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+ocsp_ext.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
+ocsp_ext.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
+ocsp_ext.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+ocsp_ext.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+ocsp_ext.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+ocsp_ext.o: ../../include/openssl/objects.h ../../include/openssl/ocsp.h
+ocsp_ext.o: ../../include/openssl/opensslconf.h
+ocsp_ext.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+ocsp_ext.o: ../../include/openssl/pkcs7.h ../../include/openssl/rand.h
+ocsp_ext.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+ocsp_ext.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+ocsp_ext.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+ocsp_ext.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
+ocsp_ext.o: ../cryptlib.h ocsp_ext.c
+ocsp_ht.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+ocsp_ht.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+ocsp_ht.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
+ocsp_ht.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+ocsp_ht.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+ocsp_ht.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+ocsp_ht.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+ocsp_ht.o: ../../include/openssl/ocsp.h ../../include/openssl/opensslconf.h
+ocsp_ht.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+ocsp_ht.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
+ocsp_ht.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+ocsp_ht.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+ocsp_ht.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+ocsp_ht.o: ../../include/openssl/x509v3.h ocsp_ht.c
+ocsp_lib.o: ../../e_os.h ../../include/openssl/asn1.h
+ocsp_lib.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+ocsp_lib.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
+ocsp_lib.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
+ocsp_lib.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+ocsp_lib.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+ocsp_lib.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+ocsp_lib.o: ../../include/openssl/objects.h ../../include/openssl/ocsp.h
+ocsp_lib.o: ../../include/openssl/opensslconf.h
+ocsp_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+ocsp_lib.o: ../../include/openssl/pem.h ../../include/openssl/pem2.h
+ocsp_lib.o: ../../include/openssl/pkcs7.h ../../include/openssl/rand.h
+ocsp_lib.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+ocsp_lib.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+ocsp_lib.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+ocsp_lib.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
+ocsp_lib.o: ../cryptlib.h ocsp_lib.c
+ocsp_prn.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+ocsp_prn.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+ocsp_prn.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
+ocsp_prn.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+ocsp_prn.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+ocsp_prn.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+ocsp_prn.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+ocsp_prn.o: ../../include/openssl/ocsp.h ../../include/openssl/opensslconf.h
+ocsp_prn.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+ocsp_prn.o: ../../include/openssl/pem.h ../../include/openssl/pem2.h
+ocsp_prn.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
+ocsp_prn.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+ocsp_prn.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+ocsp_prn.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+ocsp_prn.o: ../../include/openssl/x509v3.h ocsp_prn.c
+ocsp_srv.o: ../../e_os.h ../../include/openssl/asn1.h
+ocsp_srv.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+ocsp_srv.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
+ocsp_srv.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
+ocsp_srv.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+ocsp_srv.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+ocsp_srv.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+ocsp_srv.o: ../../include/openssl/objects.h ../../include/openssl/ocsp.h
+ocsp_srv.o: ../../include/openssl/opensslconf.h
+ocsp_srv.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+ocsp_srv.o: ../../include/openssl/pem.h ../../include/openssl/pem2.h
+ocsp_srv.o: ../../include/openssl/pkcs7.h ../../include/openssl/rand.h
+ocsp_srv.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+ocsp_srv.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+ocsp_srv.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+ocsp_srv.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
+ocsp_srv.o: ../cryptlib.h ocsp_srv.c
+ocsp_vfy.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+ocsp_vfy.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+ocsp_vfy.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
+ocsp_vfy.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+ocsp_vfy.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+ocsp_vfy.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+ocsp_vfy.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+ocsp_vfy.o: ../../include/openssl/ocsp.h ../../include/openssl/opensslconf.h
+ocsp_vfy.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+ocsp_vfy.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
+ocsp_vfy.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+ocsp_vfy.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+ocsp_vfy.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+ocsp_vfy.o: ../../include/openssl/x509v3.h ocsp_vfy.c
diff --git a/src/lib/libcrypto/ocsp/ocsp.h b/src/lib/libcrypto/ocsp/ocsp.h
new file mode 100644
index 0000000000..fab3c03182
--- /dev/null
+++ b/src/lib/libcrypto/ocsp/ocsp.h
@@ -0,0 +1,619 @@
+/* ocsp.h */
+/* Written by Tom Titchener <Tom_Titchener@groove.net> for the OpenSSL
+ * project. */
+
+/* History:
+   This file was transfered to Richard Levitte from CertCo by Kathy
+   Weinhold in mid-spring 2000 to be included in OpenSSL or released
+   as a patch kit. */
+
+/* ====================================================================
+ * Copyright (c) 1998-2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#ifndef HEADER_OCSP_H
+#define HEADER_OCSP_H
+
+#include <openssl/x509.h>
+#include <openssl/x509v3.h>
+#include <openssl/safestack.h>
+
+#ifdef  __cplusplus
+extern "C" {
+#endif
+
+/* Various flags and values */
+
+#define OCSP_DEFAULT_NONCE_LENGTH       16
+
+#define OCSP_NOCERTS                    0x1
+#define OCSP_NOINTERN                   0x2
+#define OCSP_NOSIGS                     0x4
+#define OCSP_NOCHAIN                    0x8
+#define OCSP_NOVERIFY                   0x10
+#define OCSP_NOEXPLICIT                 0x20
+#define OCSP_NOCASIGN                   0x40
+#define OCSP_NODELEGATED                0x80
+#define OCSP_NOCHECKS                   0x100
+#define OCSP_TRUSTOTHER                 0x200
+#define OCSP_RESPID_KEY                 0x400
+#define OCSP_NOTIME                     0x800
+
+/*   CertID ::= SEQUENCE {
+ *       hashAlgorithm            AlgorithmIdentifier,
+ *       issuerNameHash     OCTET STRING, -- Hash of Issuer's DN
+ *       issuerKeyHash      OCTET STRING, -- Hash of Issuers public key (excluding the tag & length fields)
+ *       serialNumber       CertificateSerialNumber }
+ */
+typedef struct ocsp_cert_id_st
+        {
+        X509_ALGOR *hashAlgorithm;
+        ASN1_OCTET_STRING *issuerNameHash;
+        ASN1_OCTET_STRING *issuerKeyHash;
+        ASN1_INTEGER *serialNumber;
+        } OCSP_CERTID;
+
+DECLARE_STACK_OF(OCSP_CERTID)
+
+/*   Request ::=     SEQUENCE {
+ *       reqCert                    CertID,
+ *       singleRequestExtensions    [0] EXPLICIT Extensions OPTIONAL }
+ */
+typedef struct ocsp_one_request_st
+        {
+        OCSP_CERTID *reqCert;
+        STACK_OF(X509_EXTENSION) *singleRequestExtensions;
+        } OCSP_ONEREQ;
+
+DECLARE_STACK_OF(OCSP_ONEREQ)
+DECLARE_ASN1_SET_OF(OCSP_ONEREQ)
+
+
+/*   TBSRequest      ::=     SEQUENCE {
+ *       version             [0] EXPLICIT Version DEFAULT v1,
+ *       requestorName       [1] EXPLICIT GeneralName OPTIONAL,
+ *       requestList             SEQUENCE OF Request,
+ *       requestExtensions   [2] EXPLICIT Extensions OPTIONAL }
+ */
+typedef struct ocsp_req_info_st
+        {
+        ASN1_INTEGER *version;
+        GENERAL_NAME *requestorName;
+        STACK_OF(OCSP_ONEREQ) *requestList;
+        STACK_OF(X509_EXTENSION) *requestExtensions;
+        } OCSP_REQINFO;
+
+/*   Signature       ::=     SEQUENCE {
+ *       signatureAlgorithm   AlgorithmIdentifier,
+ *       signature            BIT STRING,
+ *       certs                [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
+ */
+typedef struct ocsp_signature_st
+        {
+        X509_ALGOR *signatureAlgorithm;
+        ASN1_BIT_STRING *signature;
+        STACK_OF(X509) *certs;
+        } OCSP_SIGNATURE;
+
+/*   OCSPRequest     ::=     SEQUENCE {
+ *       tbsRequest                  TBSRequest,
+ *       optionalSignature   [0]     EXPLICIT Signature OPTIONAL }
+ */
+typedef struct ocsp_request_st
+        {
+        OCSP_REQINFO *tbsRequest;
+        OCSP_SIGNATURE *optionalSignature; /* OPTIONAL */
+        } OCSP_REQUEST;
+
+/*   OCSPResponseStatus ::= ENUMERATED {
+ *       successful            (0),      --Response has valid confirmations
+ *       malformedRequest      (1),      --Illegal confirmation request
+ *       internalError         (2),      --Internal error in issuer
+ *       tryLater              (3),      --Try again later
+ *                                       --(4) is not used
+ *       sigRequired           (5),      --Must sign the request
+ *       unauthorized          (6)       --Request unauthorized
+ *   }
+ */
+#define OCSP_RESPONSE_STATUS_SUCCESSFUL          0
+#define OCSP_RESPONSE_STATUS_MALFORMEDREQUEST     1
+#define OCSP_RESPONSE_STATUS_INTERNALERROR        2
+#define OCSP_RESPONSE_STATUS_TRYLATER             3
+#define OCSP_RESPONSE_STATUS_SIGREQUIRED          5
+#define OCSP_RESPONSE_STATUS_UNAUTHORIZED         6
+
+/*   ResponseBytes ::=       SEQUENCE {
+ *       responseType   OBJECT IDENTIFIER,
+ *       response       OCTET STRING }
+ */
+typedef struct ocsp_resp_bytes_st
+        {
+        ASN1_OBJECT *responseType;
+        ASN1_OCTET_STRING *response;
+        } OCSP_RESPBYTES;
+
+/*   OCSPResponse ::= SEQUENCE {
+ *      responseStatus         OCSPResponseStatus,
+ *      responseBytes          [0] EXPLICIT ResponseBytes OPTIONAL }
+ */
+typedef struct ocsp_response_st
+        {
+        ASN1_ENUMERATED *responseStatus;
+        OCSP_RESPBYTES  *responseBytes;
+        } OCSP_RESPONSE;
+
+/*   ResponderID ::= CHOICE {
+ *      byName   [1] Name,
+ *      byKey    [2] KeyHash }
+ */
+#define V_OCSP_RESPID_NAME 0
+#define V_OCSP_RESPID_KEY  1
+typedef struct ocsp_responder_id_st
+        {
+        int type;
+        union   {
+                X509_NAME* byName;
+                ASN1_OCTET_STRING *byKey;
+                } value;
+        } OCSP_RESPID;
+/*   KeyHash ::= OCTET STRING --SHA-1 hash of responder's public key
+ *                            --(excluding the tag and length fields)
+ */
+
+/*   RevokedInfo ::= SEQUENCE {
+ *       revocationTime              GeneralizedTime,
+ *       revocationReason    [0]     EXPLICIT CRLReason OPTIONAL }
+ */
+typedef struct ocsp_revoked_info_st
+        {
+        ASN1_GENERALIZEDTIME *revocationTime;
+        ASN1_ENUMERATED *revocationReason;
+        } OCSP_REVOKEDINFO;
+
+/*   CertStatus ::= CHOICE {
+ *       good                [0]     IMPLICIT NULL,
+ *       revoked             [1]     IMPLICIT RevokedInfo,
+ *       unknown             [2]     IMPLICIT UnknownInfo }
+ */
+#define V_OCSP_CERTSTATUS_GOOD    0
+#define V_OCSP_CERTSTATUS_REVOKED 1
+#define V_OCSP_CERTSTATUS_UNKNOWN 2
+typedef struct ocsp_cert_status_st
+        {
+        int type;
+        union   {
+                ASN1_NULL *good;
+                OCSP_REVOKEDINFO *revoked;
+                ASN1_NULL *unknown;
+                } value;
+        } OCSP_CERTSTATUS;
+
+/*   SingleResponse ::= SEQUENCE {
+ *      certID                       CertID,
+ *      certStatus                   CertStatus,
+ *      thisUpdate                   GeneralizedTime,
+ *      nextUpdate           [0]     EXPLICIT GeneralizedTime OPTIONAL,
+ *      singleExtensions     [1]     EXPLICIT Extensions OPTIONAL }
+ */
+typedef struct ocsp_single_response_st
+        {
+        OCSP_CERTID *certId;
+        OCSP_CERTSTATUS *certStatus;
+        ASN1_GENERALIZEDTIME *thisUpdate;
+        ASN1_GENERALIZEDTIME *nextUpdate;
+        STACK_OF(X509_EXTENSION) *singleExtensions;
+        } OCSP_SINGLERESP;
+
+DECLARE_STACK_OF(OCSP_SINGLERESP)
+DECLARE_ASN1_SET_OF(OCSP_SINGLERESP)
+
+/*   ResponseData ::= SEQUENCE {
+ *      version              [0] EXPLICIT Version DEFAULT v1,
+ *      responderID              ResponderID,
+ *      producedAt               GeneralizedTime,
+ *      responses                SEQUENCE OF SingleResponse,
+ *      responseExtensions   [1] EXPLICIT Extensions OPTIONAL }
+ */
+typedef struct ocsp_response_data_st
+        {
+        ASN1_INTEGER *version;
+        OCSP_RESPID  *responderId;
+        ASN1_GENERALIZEDTIME *producedAt;
+        STACK_OF(OCSP_SINGLERESP) *responses;
+        STACK_OF(X509_EXTENSION) *responseExtensions;
+        } OCSP_RESPDATA;
+
+/*   BasicOCSPResponse       ::= SEQUENCE {
+ *      tbsResponseData      ResponseData,
+ *      signatureAlgorithm   AlgorithmIdentifier,
+ *      signature            BIT STRING,
+ *      certs                [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
+ */
+  /* Note 1:
+     The value for "signature" is specified in the OCSP rfc2560 as follows:
+     "The value for the signature SHALL be computed on the hash of the DER
+     encoding ResponseData."  This means that you must hash the DER-encoded
+     tbsResponseData, and then run it through a crypto-signing function, which
+     will (at least w/RSA) do a hash-'n'-private-encrypt operation.  This seems
+     a bit odd, but that's the spec.  Also note that the data structures do not
+     leave anywhere to independently specify the algorithm used for the initial
+     hash. So, we look at the signature-specification algorithm, and try to do
+     something intelligent.     -- Kathy Weinhold, CertCo */
+  /* Note 2:
+     It seems that the mentioned passage from RFC 2560 (section 4.2.1) is open
+     for interpretation.  I've done tests against another responder, and found
+     that it doesn't do the double hashing that the RFC seems to say one
+     should.  Therefore, all relevant functions take a flag saying which
+     variant should be used.    -- Richard Levitte, OpenSSL team and CeloCom */
+typedef struct ocsp_basic_response_st
+        {
+        OCSP_RESPDATA *tbsResponseData;
+        X509_ALGOR *signatureAlgorithm;
+        ASN1_BIT_STRING *signature;
+        STACK_OF(X509) *certs;
+        } OCSP_BASICRESP;
+
+/*
+ *   CRLReason ::= ENUMERATED {
+ *        unspecified             (0),
+ *        keyCompromise           (1),
+ *        cACompromise            (2),
+ *        affiliationChanged      (3),
+ *        superseded              (4),
+ *        cessationOfOperation    (5),
+ *        certificateHold         (6),
+ *        removeFromCRL           (8) }
+ */
+#define OCSP_REVOKED_STATUS_NOSTATUS               -1
+#define OCSP_REVOKED_STATUS_UNSPECIFIED             0
+#define OCSP_REVOKED_STATUS_KEYCOMPROMISE           1
+#define OCSP_REVOKED_STATUS_CACOMPROMISE            2
+#define OCSP_REVOKED_STATUS_AFFILIATIONCHANGED      3
+#define OCSP_REVOKED_STATUS_SUPERSEDED              4
+#define OCSP_REVOKED_STATUS_CESSATIONOFOPERATION    5
+#define OCSP_REVOKED_STATUS_CERTIFICATEHOLD         6
+#define OCSP_REVOKED_STATUS_REMOVEFROMCRL           8
+
+/* CrlID ::= SEQUENCE {
+ *     crlUrl               [0]     EXPLICIT IA5String OPTIONAL,
+ *     crlNum               [1]     EXPLICIT INTEGER OPTIONAL,
+ *     crlTime              [2]     EXPLICIT GeneralizedTime OPTIONAL }
+ */
+typedef struct ocsp_crl_id_st
+        {
+        ASN1_IA5STRING *crlUrl;
+        ASN1_INTEGER *crlNum;
+        ASN1_GENERALIZEDTIME *crlTime;
+        } OCSP_CRLID;
+
+/* ServiceLocator ::= SEQUENCE {
+ *      issuer    Name,
+ *      locator   AuthorityInfoAccessSyntax OPTIONAL }
+ */
+typedef struct ocsp_service_locator_st
+        {
+        X509_NAME* issuer;
+        STACK_OF(ACCESS_DESCRIPTION) *locator;
+        } OCSP_SERVICELOC;
+ 
+#define PEM_STRING_OCSP_REQUEST "OCSP REQUEST"
+#define PEM_STRING_OCSP_RESPONSE "OCSP RESPONSE"
+
+#define d2i_OCSP_REQUEST_bio(bp,p) (OCSP_REQUEST*)ASN1_d2i_bio((char*(*)()) \
+                OCSP_REQUEST_new,(char *(*)())d2i_OCSP_REQUEST, (bp),\
+                (unsigned char **)(p))
+
+#define d2i_OCSP_RESPONSE_bio(bp,p) (OCSP_RESPONSE*)ASN1_d2i_bio((char*(*)())\
+                OCSP_REQUEST_new,(char *(*)())d2i_OCSP_RESPONSE, (bp),\
+                (unsigned char **)(p))
+
+#define PEM_read_bio_OCSP_REQUEST(bp,x,cb) (OCSP_REQUEST *)PEM_ASN1_read_bio( \
+     (char *(*)())d2i_OCSP_REQUEST,PEM_STRING_OCSP_REQUEST,bp,(char **)x,cb,NULL)
+
+#define PEM_read_bio_OCSP_RESPONSE(bp,x,cb)(OCSP_RESPONSE *)PEM_ASN1_read_bio(\
+     (char *(*)())d2i_OCSP_RESPONSE,PEM_STRING_OCSP_RESPONSE,bp,(char **)x,cb,NULL)
+
+#define PEM_write_bio_OCSP_REQUEST(bp,o) \
+    PEM_ASN1_write_bio((int (*)())i2d_OCSP_REQUEST,PEM_STRING_OCSP_REQUEST,\
+                        bp,(char *)o, NULL,NULL,0,NULL,NULL)
+
+#define PEM_write_bio_OCSP_RESPONSE(bp,o) \
+    PEM_ASN1_write_bio((int (*)())i2d_OCSP_RESPONSE,PEM_STRING_OCSP_RESPONSE,\
+                        bp,(char *)o, NULL,NULL,0,NULL,NULL)
+
+#define i2d_OCSP_RESPONSE_bio(bp,o) ASN1_i2d_bio(i2d_OCSP_RESPONSE,bp,\
+                (unsigned char *)o)
+
+#define i2d_OCSP_REQUEST_bio(bp,o) ASN1_i2d_bio(i2d_OCSP_REQUEST,bp,\
+                (unsigned char *)o)
+
+#define OCSP_REQUEST_sign(o,pkey,md) \
+        ASN1_item_sign(ASN1_ITEM_rptr(OCSP_REQINFO),\
+                o->optionalSignature->signatureAlgorithm,NULL,\
+                o->optionalSignature->signature,o->tbsRequest,pkey,md)
+
+#define OCSP_BASICRESP_sign(o,pkey,md,d) \
+        ASN1_item_sign(ASN1_ITEM_rptr(OCSP_RESPDATA),o->signatureAlgorithm,NULL,\
+                o->signature,o->tbsResponseData,pkey,md)
+
+#define OCSP_REQUEST_verify(a,r) ASN1_item_verify(ASN1_ITEM_rptr(OCSP_REQINFO),\
+        a->optionalSignature->signatureAlgorithm,\
+        a->optionalSignature->signature,a->tbsRequest,r)
+
+#define OCSP_BASICRESP_verify(a,r,d) ASN1_item_verify(ASN1_ITEM_rptr(OCSP_RESPDATA),\
+        a->signatureAlgorithm,a->signature,a->tbsResponseData,r)
+
+#define ASN1_BIT_STRING_digest(data,type,md,len) \
+        ASN1_item_digest(ASN1_ITEM_rptr(ASN1_BIT_STRING),type,data,md,len)
+
+#define OCSP_CERTID_dup(cid) (OCSP_CERTID*)ASN1_dup((int(*)())i2d_OCSP_CERTID,\
+                (char *(*)())d2i_OCSP_CERTID,(char *)(cid))
+
+#define OCSP_CERTSTATUS_dup(cs)\
+                (OCSP_CERTSTATUS*)ASN1_dup((int(*)())i2d_OCSP_CERTSTATUS,\
+                (char *(*)())d2i_OCSP_CERTSTATUS,(char *)(cs))
+
+OCSP_RESPONSE *OCSP_sendreq_bio(BIO *b, char *path, OCSP_REQUEST *req);
+
+OCSP_CERTID *OCSP_cert_to_id(const EVP_MD *dgst, X509 *subject, X509 *issuer);
+
+OCSP_CERTID *OCSP_cert_id_new(const EVP_MD *dgst, 
+                              X509_NAME *issuerName, 
+                              ASN1_BIT_STRING* issuerKey, 
+                              ASN1_INTEGER *serialNumber);
+
+OCSP_ONEREQ *OCSP_request_add0_id(OCSP_REQUEST *req, OCSP_CERTID *cid);
+
+int OCSP_request_add1_nonce(OCSP_REQUEST *req, unsigned char *val, int len);
+int OCSP_basic_add1_nonce(OCSP_BASICRESP *resp, unsigned char *val, int len);
+int OCSP_check_nonce(OCSP_REQUEST *req, OCSP_BASICRESP *bs);
+int OCSP_copy_nonce(OCSP_BASICRESP *resp, OCSP_REQUEST *req);
+
+int OCSP_request_set1_name(OCSP_REQUEST *req, X509_NAME *nm);
+int OCSP_request_add1_cert(OCSP_REQUEST *req, X509 *cert);
+
+int OCSP_request_sign(OCSP_REQUEST   *req,
+                      X509           *signer,
+                      EVP_PKEY       *key,
+                      const EVP_MD   *dgst,
+                      STACK_OF(X509) *certs,
+                      unsigned long flags);
+
+int OCSP_response_status(OCSP_RESPONSE *resp);
+OCSP_BASICRESP *OCSP_response_get1_basic(OCSP_RESPONSE *resp);
+
+int OCSP_resp_count(OCSP_BASICRESP *bs);
+OCSP_SINGLERESP *OCSP_resp_get0(OCSP_BASICRESP *bs, int idx);
+int OCSP_resp_find(OCSP_BASICRESP *bs, OCSP_CERTID *id, int last);
+int OCSP_single_get0_status(OCSP_SINGLERESP *single, int *reason,
+                                ASN1_GENERALIZEDTIME **revtime,
+                                ASN1_GENERALIZEDTIME **thisupd,
+                                ASN1_GENERALIZEDTIME **nextupd);
+int OCSP_resp_find_status(OCSP_BASICRESP *bs, OCSP_CERTID *id, int *status,
+                                int *reason,
+                                ASN1_GENERALIZEDTIME **revtime,
+                                ASN1_GENERALIZEDTIME **thisupd,
+                                ASN1_GENERALIZEDTIME **nextupd);
+int OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd,
+                        ASN1_GENERALIZEDTIME *nextupd,
+                        long sec, long maxsec);
+
+int OCSP_request_verify(OCSP_REQUEST *req, STACK_OF(X509) *certs, X509_STORE *store, unsigned long flags);
+
+int OCSP_parse_url(char *url, char **phost, char **pport, char **ppath, int *pssl);
+
+int OCSP_id_issuer_cmp(OCSP_CERTID *a, OCSP_CERTID *b);
+int OCSP_id_cmp(OCSP_CERTID *a, OCSP_CERTID *b);
+
+int OCSP_request_onereq_count(OCSP_REQUEST *req);
+OCSP_ONEREQ *OCSP_request_onereq_get0(OCSP_REQUEST *req, int i);
+OCSP_CERTID *OCSP_onereq_get0_id(OCSP_ONEREQ *one);
+int OCSP_id_get0_info(ASN1_OCTET_STRING **piNameHash, ASN1_OBJECT **pmd,
+                        ASN1_OCTET_STRING **pikeyHash,
+                        ASN1_INTEGER **pserial, OCSP_CERTID *cid);
+int OCSP_request_is_signed(OCSP_REQUEST *req);
+OCSP_RESPONSE *OCSP_response_create(int status, OCSP_BASICRESP *bs);
+OCSP_SINGLERESP *OCSP_basic_add1_status(OCSP_BASICRESP *rsp,
+                                                OCSP_CERTID *cid,
+                                                int status, int reason,
+                                                ASN1_TIME *revtime,
+                                        ASN1_TIME *thisupd, ASN1_TIME *nextupd);
+int OCSP_basic_add1_cert(OCSP_BASICRESP *resp, X509 *cert);
+int OCSP_basic_sign(OCSP_BASICRESP *brsp, 
+                        X509 *signer, EVP_PKEY *key, const EVP_MD *dgst,
+                        STACK_OF(X509) *certs, unsigned long flags);
+
+ASN1_STRING *ASN1_STRING_encode(ASN1_STRING *s, int (*i2d)(), 
+                                char *data, STACK_OF(ASN1_OBJECT) *sk);
+
+X509_EXTENSION *OCSP_crlID_new(char *url, long *n, char *tim);
+
+X509_EXTENSION *OCSP_accept_responses_new(char **oids);
+
+X509_EXTENSION *OCSP_archive_cutoff_new(char* tim);
+
+X509_EXTENSION *OCSP_url_svcloc_new(X509_NAME* issuer, char **urls);
+
+int OCSP_REQUEST_get_ext_count(OCSP_REQUEST *x);
+int OCSP_REQUEST_get_ext_by_NID(OCSP_REQUEST *x, int nid, int lastpos);
+int OCSP_REQUEST_get_ext_by_OBJ(OCSP_REQUEST *x, ASN1_OBJECT *obj, int lastpos);
+int OCSP_REQUEST_get_ext_by_critical(OCSP_REQUEST *x, int crit, int lastpos);
+X509_EXTENSION *OCSP_REQUEST_get_ext(OCSP_REQUEST *x, int loc);
+X509_EXTENSION *OCSP_REQUEST_delete_ext(OCSP_REQUEST *x, int loc);
+void *OCSP_REQUEST_get1_ext_d2i(OCSP_REQUEST *x, int nid, int *crit, int *idx);
+int OCSP_REQUEST_add1_ext_i2d(OCSP_REQUEST *x, int nid, void *value, int crit,
+                                                        unsigned long flags);
+int OCSP_REQUEST_add_ext(OCSP_REQUEST *x, X509_EXTENSION *ex, int loc);
+
+int OCSP_ONEREQ_get_ext_count(OCSP_ONEREQ *x);
+int OCSP_ONEREQ_get_ext_by_NID(OCSP_ONEREQ *x, int nid, int lastpos);
+int OCSP_ONEREQ_get_ext_by_OBJ(OCSP_ONEREQ *x, ASN1_OBJECT *obj, int lastpos);
+int OCSP_ONEREQ_get_ext_by_critical(OCSP_ONEREQ *x, int crit, int lastpos);
+X509_EXTENSION *OCSP_ONEREQ_get_ext(OCSP_ONEREQ *x, int loc);
+X509_EXTENSION *OCSP_ONEREQ_delete_ext(OCSP_ONEREQ *x, int loc);
+void *OCSP_ONEREQ_get1_ext_d2i(OCSP_ONEREQ *x, int nid, int *crit, int *idx);
+int OCSP_ONEREQ_add1_ext_i2d(OCSP_ONEREQ *x, int nid, void *value, int crit,
+                                                        unsigned long flags);
+int OCSP_ONEREQ_add_ext(OCSP_ONEREQ *x, X509_EXTENSION *ex, int loc);
+
+int OCSP_BASICRESP_get_ext_count(OCSP_BASICRESP *x);
+int OCSP_BASICRESP_get_ext_by_NID(OCSP_BASICRESP *x, int nid, int lastpos);
+int OCSP_BASICRESP_get_ext_by_OBJ(OCSP_BASICRESP *x, ASN1_OBJECT *obj, int lastpos);
+int OCSP_BASICRESP_get_ext_by_critical(OCSP_BASICRESP *x, int crit, int lastpos);
+X509_EXTENSION *OCSP_BASICRESP_get_ext(OCSP_BASICRESP *x, int loc);
+X509_EXTENSION *OCSP_BASICRESP_delete_ext(OCSP_BASICRESP *x, int loc);
+void *OCSP_BASICRESP_get1_ext_d2i(OCSP_BASICRESP *x, int nid, int *crit, int *idx);
+int OCSP_BASICRESP_add1_ext_i2d(OCSP_BASICRESP *x, int nid, void *value, int crit,
+                                                        unsigned long flags);
+int OCSP_BASICRESP_add_ext(OCSP_BASICRESP *x, X509_EXTENSION *ex, int loc);
+
+int OCSP_SINGLERESP_get_ext_count(OCSP_SINGLERESP *x);
+int OCSP_SINGLERESP_get_ext_by_NID(OCSP_SINGLERESP *x, int nid, int lastpos);
+int OCSP_SINGLERESP_get_ext_by_OBJ(OCSP_SINGLERESP *x, ASN1_OBJECT *obj, int lastpos);
+int OCSP_SINGLERESP_get_ext_by_critical(OCSP_SINGLERESP *x, int crit, int lastpos);
+X509_EXTENSION *OCSP_SINGLERESP_get_ext(OCSP_SINGLERESP *x, int loc);
+X509_EXTENSION *OCSP_SINGLERESP_delete_ext(OCSP_SINGLERESP *x, int loc);
+void *OCSP_SINGLERESP_get1_ext_d2i(OCSP_SINGLERESP *x, int nid, int *crit, int *idx);
+int OCSP_SINGLERESP_add1_ext_i2d(OCSP_SINGLERESP *x, int nid, void *value, int crit,
+                                                        unsigned long flags);
+int OCSP_SINGLERESP_add_ext(OCSP_SINGLERESP *x, X509_EXTENSION *ex, int loc);
+
+DECLARE_ASN1_FUNCTIONS(OCSP_SINGLERESP)
+DECLARE_ASN1_FUNCTIONS(OCSP_CERTSTATUS)
+DECLARE_ASN1_FUNCTIONS(OCSP_REVOKEDINFO)
+DECLARE_ASN1_FUNCTIONS(OCSP_BASICRESP)
+DECLARE_ASN1_FUNCTIONS(OCSP_RESPDATA)
+DECLARE_ASN1_FUNCTIONS(OCSP_RESPID)
+DECLARE_ASN1_FUNCTIONS(OCSP_RESPONSE)
+DECLARE_ASN1_FUNCTIONS(OCSP_RESPBYTES)
+DECLARE_ASN1_FUNCTIONS(OCSP_ONEREQ)
+DECLARE_ASN1_FUNCTIONS(OCSP_CERTID)
+DECLARE_ASN1_FUNCTIONS(OCSP_REQUEST)
+DECLARE_ASN1_FUNCTIONS(OCSP_SIGNATURE)
+DECLARE_ASN1_FUNCTIONS(OCSP_REQINFO)
+DECLARE_ASN1_FUNCTIONS(OCSP_CRLID)
+DECLARE_ASN1_FUNCTIONS(OCSP_SERVICELOC)
+
+char *OCSP_response_status_str(long s);
+char *OCSP_cert_status_str(long s);
+char *OCSP_crl_reason_str(long s);
+
+int OCSP_REQUEST_print(BIO *bp, OCSP_REQUEST* a, unsigned long flags);
+int OCSP_RESPONSE_print(BIO *bp, OCSP_RESPONSE* o, unsigned long flags);
+
+int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
+                                X509_STORE *st, unsigned long flags);
+
+/* BEGIN ERROR CODES */
+/* The following lines are auto generated by the script mkerr.pl. Any changes
+ * made after this point may be overwritten when the script is next run.
+ */
+void ERR_load_OCSP_strings(void);
+
+/* Error codes for the OCSP functions. */
+
+/* Function codes. */
+#define OCSP_F_ASN1_STRING_ENCODE                        100
+#define OCSP_F_CERT_ID_NEW                               101
+#define OCSP_F_D2I_OCSP_NONCE                            102
+#define OCSP_F_OCSP_BASIC_ADD1_STATUS                    103
+#define OCSP_F_OCSP_BASIC_SIGN                           104
+#define OCSP_F_OCSP_BASIC_VERIFY                         105
+#define OCSP_F_OCSP_CHECK_DELEGATED                      106
+#define OCSP_F_OCSP_CHECK_IDS                            107
+#define OCSP_F_OCSP_CHECK_ISSUER                         108
+#define OCSP_F_OCSP_CHECK_VALIDITY                       115
+#define OCSP_F_OCSP_MATCH_ISSUERID                       109
+#define OCSP_F_OCSP_PARSE_URL                            114
+#define OCSP_F_OCSP_REQUEST_SIGN                         110
+#define OCSP_F_OCSP_REQUEST_VERIFY                       116
+#define OCSP_F_OCSP_RESPONSE_GET1_BASIC                  111
+#define OCSP_F_OCSP_SENDREQ_BIO                          112
+#define OCSP_F_REQUEST_VERIFY                            113
+
+/* Reason codes. */
+#define OCSP_R_BAD_DATA                                  100
+#define OCSP_R_CERTIFICATE_VERIFY_ERROR                  101
+#define OCSP_R_DIGEST_ERR                                102
+#define OCSP_R_ERROR_IN_NEXTUPDATE_FIELD                 122
+#define OCSP_R_ERROR_IN_THISUPDATE_FIELD                 123
+#define OCSP_R_ERROR_PARSING_URL                         121
+#define OCSP_R_MISSING_OCSPSIGNING_USAGE                 103
+#define OCSP_R_NEXTUPDATE_BEFORE_THISUPDATE              124
+#define OCSP_R_NOT_BASIC_RESPONSE                        104
+#define OCSP_R_NO_CERTIFICATES_IN_CHAIN                  105
+#define OCSP_R_NO_CONTENT                                106
+#define OCSP_R_NO_PUBLIC_KEY                             107
+#define OCSP_R_NO_RESPONSE_DATA                          108
+#define OCSP_R_NO_REVOKED_TIME                           109
+#define OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE    110
+#define OCSP_R_REQUEST_NOT_SIGNED                        128
+#define OCSP_R_RESPONSE_CONTAINS_NO_REVOCATION_DATA      111
+#define OCSP_R_ROOT_CA_NOT_TRUSTED                       112
+#define OCSP_R_SERVER_READ_ERROR                         113
+#define OCSP_R_SERVER_RESPONSE_ERROR                     114
+#define OCSP_R_SERVER_RESPONSE_PARSE_ERROR               115
+#define OCSP_R_SERVER_WRITE_ERROR                        116
+#define OCSP_R_SIGNATURE_FAILURE                         117
+#define OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND              118
+#define OCSP_R_STATUS_EXPIRED                            125
+#define OCSP_R_STATUS_NOT_YET_VALID                      126
+#define OCSP_R_STATUS_TOO_OLD                            127
+#define OCSP_R_UNKNOWN_MESSAGE_DIGEST                    119
+#define OCSP_R_UNKNOWN_NID                               120
+#define OCSP_R_UNSUPPORTED_REQUESTORNAME_TYPE            129
+
+#ifdef  __cplusplus
+}
+#endif
+#endif
diff --git a/src/lib/libcrypto/ocsp/ocsp_asn.c b/src/lib/libcrypto/ocsp/ocsp_asn.c
new file mode 100644
index 0000000000..8c148cda6a
--- /dev/null
+++ b/src/lib/libcrypto/ocsp/ocsp_asn.c
@@ -0,0 +1,182 @@
+/* ocsp_asn.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+#include <openssl/asn1.h>
+#include <openssl/asn1t.h>
+#include <openssl/ocsp.h>
+
+ASN1_SEQUENCE(OCSP_SIGNATURE) = {
+        ASN1_SIMPLE(OCSP_SIGNATURE, signatureAlgorithm, X509_ALGOR),
+        ASN1_SIMPLE(OCSP_SIGNATURE, signature, ASN1_BIT_STRING),
+        ASN1_EXP_SEQUENCE_OF(OCSP_SIGNATURE, certs, X509, 0)
+} ASN1_SEQUENCE_END(OCSP_SIGNATURE)
+
+IMPLEMENT_ASN1_FUNCTIONS(OCSP_SIGNATURE)
+
+ASN1_SEQUENCE(OCSP_CERTID) = {
+        ASN1_SIMPLE(OCSP_CERTID, hashAlgorithm, X509_ALGOR),
+        ASN1_SIMPLE(OCSP_CERTID, issuerNameHash, ASN1_OCTET_STRING),
+        ASN1_SIMPLE(OCSP_CERTID, issuerKeyHash, ASN1_OCTET_STRING),
+        ASN1_SIMPLE(OCSP_CERTID, serialNumber, ASN1_INTEGER)
+} ASN1_SEQUENCE_END(OCSP_CERTID)
+
+IMPLEMENT_ASN1_FUNCTIONS(OCSP_CERTID)
+
+ASN1_SEQUENCE(OCSP_ONEREQ) = {
+        ASN1_SIMPLE(OCSP_ONEREQ, reqCert, OCSP_CERTID),
+        ASN1_EXP_SEQUENCE_OF_OPT(OCSP_ONEREQ, singleRequestExtensions, X509_EXTENSION, 0)
+} ASN1_SEQUENCE_END(OCSP_ONEREQ)
+
+IMPLEMENT_ASN1_FUNCTIONS(OCSP_ONEREQ)
+
+ASN1_SEQUENCE(OCSP_REQINFO) = {
+        ASN1_EXP_OPT(OCSP_REQINFO, version, ASN1_INTEGER, 0),
+        ASN1_EXP_OPT(OCSP_REQINFO, requestorName, GENERAL_NAME, 1),
+        ASN1_SEQUENCE_OF(OCSP_REQINFO, requestList, OCSP_ONEREQ),
+        ASN1_EXP_SEQUENCE_OF_OPT(OCSP_REQINFO, requestExtensions, X509_EXTENSION, 2)
+} ASN1_SEQUENCE_END(OCSP_REQINFO)
+
+IMPLEMENT_ASN1_FUNCTIONS(OCSP_REQINFO)
+
+ASN1_SEQUENCE(OCSP_REQUEST) = {
+        ASN1_SIMPLE(OCSP_REQUEST, tbsRequest, OCSP_REQINFO),
+        ASN1_EXP_OPT(OCSP_REQUEST, optionalSignature, OCSP_SIGNATURE, 0)
+} ASN1_SEQUENCE_END(OCSP_REQUEST)
+
+IMPLEMENT_ASN1_FUNCTIONS(OCSP_REQUEST)
+
+/* OCSP_RESPONSE templates */
+
+ASN1_SEQUENCE(OCSP_RESPBYTES) = {
+            ASN1_SIMPLE(OCSP_RESPBYTES, responseType, ASN1_OBJECT),
+            ASN1_SIMPLE(OCSP_RESPBYTES, response, ASN1_OCTET_STRING)
+} ASN1_SEQUENCE_END(OCSP_RESPBYTES)
+
+IMPLEMENT_ASN1_FUNCTIONS(OCSP_RESPBYTES)
+
+ASN1_SEQUENCE(OCSP_RESPONSE) = {
+        ASN1_SIMPLE(OCSP_RESPONSE, responseStatus, ASN1_ENUMERATED),
+        ASN1_EXP_OPT(OCSP_RESPONSE, responseBytes, OCSP_RESPBYTES, 0)
+} ASN1_SEQUENCE_END(OCSP_RESPONSE)
+
+IMPLEMENT_ASN1_FUNCTIONS(OCSP_RESPONSE)
+
+ASN1_CHOICE(OCSP_RESPID) = {
+           ASN1_EXP(OCSP_RESPID, value.byName, X509_NAME, 1),
+           ASN1_IMP(OCSP_RESPID, value.byKey, ASN1_OCTET_STRING, 2)
+} ASN1_CHOICE_END(OCSP_RESPID)
+
+IMPLEMENT_ASN1_FUNCTIONS(OCSP_RESPID)
+
+ASN1_SEQUENCE(OCSP_REVOKEDINFO) = {
+        ASN1_SIMPLE(OCSP_REVOKEDINFO, revocationTime, ASN1_GENERALIZEDTIME),
+        ASN1_EXP_OPT(OCSP_REVOKEDINFO, revocationReason, ASN1_ENUMERATED, 0)
+} ASN1_SEQUENCE_END(OCSP_REVOKEDINFO)
+
+IMPLEMENT_ASN1_FUNCTIONS(OCSP_REVOKEDINFO)
+
+ASN1_CHOICE(OCSP_CERTSTATUS) = {
+        ASN1_IMP(OCSP_CERTSTATUS, value.good, ASN1_NULL, 0),
+        ASN1_IMP(OCSP_CERTSTATUS, value.revoked, OCSP_REVOKEDINFO, 1),
+        ASN1_IMP(OCSP_CERTSTATUS, value.unknown, ASN1_NULL, 2)
+} ASN1_CHOICE_END(OCSP_CERTSTATUS)
+
+IMPLEMENT_ASN1_FUNCTIONS(OCSP_CERTSTATUS)
+
+ASN1_SEQUENCE(OCSP_SINGLERESP) = {
+           ASN1_SIMPLE(OCSP_SINGLERESP, certId, OCSP_CERTID),
+           ASN1_SIMPLE(OCSP_SINGLERESP, certStatus, OCSP_CERTSTATUS),
+           ASN1_SIMPLE(OCSP_SINGLERESP, thisUpdate, ASN1_GENERALIZEDTIME),
+           ASN1_EXP_OPT(OCSP_SINGLERESP, nextUpdate, ASN1_GENERALIZEDTIME, 0),
+           ASN1_EXP_SEQUENCE_OF_OPT(OCSP_SINGLERESP, singleExtensions, X509_EXTENSION, 1)
+} ASN1_SEQUENCE_END(OCSP_SINGLERESP)
+
+IMPLEMENT_ASN1_FUNCTIONS(OCSP_SINGLERESP)
+
+ASN1_SEQUENCE(OCSP_RESPDATA) = {
+           ASN1_EXP_OPT(OCSP_RESPDATA, version, ASN1_INTEGER, 0),
+           ASN1_SIMPLE(OCSP_RESPDATA, responderId, OCSP_RESPID),
+           ASN1_SIMPLE(OCSP_RESPDATA, producedAt, ASN1_GENERALIZEDTIME),
+           ASN1_SEQUENCE_OF(OCSP_RESPDATA, responses, OCSP_SINGLERESP),
+           ASN1_EXP_SEQUENCE_OF_OPT(OCSP_RESPDATA, responseExtensions, X509_EXTENSION, 1)
+} ASN1_SEQUENCE_END(OCSP_RESPDATA)
+
+IMPLEMENT_ASN1_FUNCTIONS(OCSP_RESPDATA)
+
+ASN1_SEQUENCE(OCSP_BASICRESP) = {
+           ASN1_SIMPLE(OCSP_BASICRESP, tbsResponseData, OCSP_RESPDATA),
+           ASN1_SIMPLE(OCSP_BASICRESP, signatureAlgorithm, X509_ALGOR),
+           ASN1_SIMPLE(OCSP_BASICRESP, signature, ASN1_BIT_STRING),
+           ASN1_EXP_SEQUENCE_OF_OPT(OCSP_BASICRESP, certs, X509, 0)
+} ASN1_SEQUENCE_END(OCSP_BASICRESP)
+
+IMPLEMENT_ASN1_FUNCTIONS(OCSP_BASICRESP)
+
+ASN1_SEQUENCE(OCSP_CRLID) = {
+           ASN1_EXP_OPT(OCSP_CRLID, crlUrl, ASN1_IA5STRING, 0),
+           ASN1_EXP_OPT(OCSP_CRLID, crlNum, ASN1_INTEGER, 1),
+           ASN1_EXP_OPT(OCSP_CRLID, crlTime, ASN1_GENERALIZEDTIME, 2)
+} ASN1_SEQUENCE_END(OCSP_CRLID)
+
+IMPLEMENT_ASN1_FUNCTIONS(OCSP_CRLID)
+
+ASN1_SEQUENCE(OCSP_SERVICELOC) = {
+        ASN1_SIMPLE(OCSP_SERVICELOC, issuer, X509_NAME),
+        ASN1_SEQUENCE_OF_OPT(OCSP_SERVICELOC, locator, ACCESS_DESCRIPTION)
+} ASN1_SEQUENCE_END(OCSP_SERVICELOC)
+
+IMPLEMENT_ASN1_FUNCTIONS(OCSP_SERVICELOC)
diff --git a/src/lib/libcrypto/ocsp/ocsp_cl.c b/src/lib/libcrypto/ocsp/ocsp_cl.c
new file mode 100644
index 0000000000..9b3e6dd8ca
--- /dev/null
+++ b/src/lib/libcrypto/ocsp/ocsp_cl.c
@@ -0,0 +1,370 @@
+/* ocsp_cl.c */
+/* Written by Tom Titchener <Tom_Titchener@groove.net> for the OpenSSL
+ * project. */
+
+/* History:
+   This file was transfered to Richard Levitte from CertCo by Kathy
+   Weinhold in mid-spring 2000 to be included in OpenSSL or released
+   as a patch kit. */
+
+/* ====================================================================
+ * Copyright (c) 1998-2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <time.h>
+#include <cryptlib.h>
+#include <openssl/objects.h>
+#include <openssl/rand.h>
+#include <openssl/x509.h>
+#include <openssl/pem.h>
+#include <openssl/x509v3.h>
+#include <openssl/ocsp.h>
+
+/* Utility functions related to sending OCSP requests and extracting
+ * relevant information from the response.
+ */
+
+/* Add an OCSP_CERTID to an OCSP request. Return new OCSP_ONEREQ 
+ * pointer: useful if we want to add extensions.
+ */
+
+OCSP_ONEREQ *OCSP_request_add0_id(OCSP_REQUEST *req, OCSP_CERTID *cid)
+        {
+        OCSP_ONEREQ *one = NULL;
+
+        if (!(one = OCSP_ONEREQ_new())) goto err;
+        if (one->reqCert) OCSP_CERTID_free(one->reqCert);
+        one->reqCert = cid;
+        if (req &&
+                !sk_OCSP_ONEREQ_push(req->tbsRequest->requestList, one))
+                                goto err;
+        return one;
+err:
+        OCSP_ONEREQ_free(one);
+        return NULL;
+        }
+
+/* Set requestorName from an X509_NAME structure */
+
+int OCSP_request_set1_name(OCSP_REQUEST *req, X509_NAME *nm)
+        {
+        GENERAL_NAME *gen;
+        gen = GENERAL_NAME_new();
+        if (!X509_NAME_set(&gen->d.directoryName, nm))
+                {
+                GENERAL_NAME_free(gen);
+                return 0;
+                }
+        gen->type = GEN_DIRNAME;
+        if (req->tbsRequest->requestorName)
+                GENERAL_NAME_free(req->tbsRequest->requestorName);
+        req->tbsRequest->requestorName = gen;
+        return 1;
+        }
+        
+
+/* Add a certificate to an OCSP request */
+
+int OCSP_request_add1_cert(OCSP_REQUEST *req, X509 *cert)
+        {
+        OCSP_SIGNATURE *sig;
+        if (!req->optionalSignature)
+                req->optionalSignature = OCSP_SIGNATURE_new();
+        sig = req->optionalSignature;
+        if (!sig) return 0;
+        if (!cert) return 1;
+        if (!sig->certs && !(sig->certs = sk_X509_new_null()))
+                return 0;
+
+        if(!sk_X509_push(sig->certs, cert)) return 0;
+        CRYPTO_add(&cert->references, 1, CRYPTO_LOCK_X509);
+        return 1;
+        }
+
+/* Sign an OCSP request set the requestorName to the subjec
+ * name of an optional signers certificate and include one
+ * or more optional certificates in the request. Behaves
+ * like PKCS7_sign().
+ */
+
+int OCSP_request_sign(OCSP_REQUEST   *req,
+                      X509           *signer,
+                      EVP_PKEY       *key,
+                      const EVP_MD   *dgst,
+                      STACK_OF(X509) *certs,
+                      unsigned long flags)
+        {
+        int i;
+        OCSP_SIGNATURE *sig;
+        X509 *x;
+
+        if (!OCSP_request_set1_name(req, X509_get_subject_name(signer)))
+                        goto err;
+
+        if (!(req->optionalSignature = sig = OCSP_SIGNATURE_new())) goto err;
+        if (!dgst) dgst = EVP_sha1();
+        if (key)
+                {
+                if (!X509_check_private_key(signer, key))
+                        {
+                        OCSPerr(OCSP_F_OCSP_REQUEST_SIGN, OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE);
+                        goto err;
+                        }
+                if (!OCSP_REQUEST_sign(req, key, dgst)) goto err;
+                }
+
+        if (!(flags & OCSP_NOCERTS))
+                {
+                if(!OCSP_request_add1_cert(req, signer)) goto err;
+                for (i = 0; i < sk_X509_num(certs); i++)
+                        {
+                        x = sk_X509_value(certs, i);
+                        if (!OCSP_request_add1_cert(req, x)) goto err;
+                        }
+                }
+
+        return 1;
+err:
+        OCSP_SIGNATURE_free(req->optionalSignature);
+        req->optionalSignature = NULL;
+        return 0;
+        }
+
+/* Get response status */
+
+int OCSP_response_status(OCSP_RESPONSE *resp)
+        {
+        return ASN1_ENUMERATED_get(resp->responseStatus);
+        }
+
+/* Extract basic response from OCSP_RESPONSE or NULL if
+ * no basic response present.
+ */
+ 
+
+OCSP_BASICRESP *OCSP_response_get1_basic(OCSP_RESPONSE *resp)
+        {
+        OCSP_RESPBYTES *rb;
+        rb = resp->responseBytes;
+        if (!rb)
+                {
+                OCSPerr(OCSP_F_OCSP_RESPONSE_GET1_BASIC, OCSP_R_NO_RESPONSE_DATA);
+                return NULL;
+                }
+        if (OBJ_obj2nid(rb->responseType) != NID_id_pkix_OCSP_basic)
+                {
+                OCSPerr(OCSP_F_OCSP_RESPONSE_GET1_BASIC, OCSP_R_NOT_BASIC_RESPONSE);
+                return NULL;
+                }
+
+        return ASN1_item_unpack(rb->response, ASN1_ITEM_rptr(OCSP_BASICRESP));
+        }
+
+/* Return number of OCSP_SINGLERESP reponses present in
+ * a basic response.
+ */
+
+int OCSP_resp_count(OCSP_BASICRESP *bs)
+        {
+        if (!bs) return -1;
+        return sk_OCSP_SINGLERESP_num(bs->tbsResponseData->responses);
+        }
+
+/* Extract an OCSP_SINGLERESP response with a given index */
+
+OCSP_SINGLERESP *OCSP_resp_get0(OCSP_BASICRESP *bs, int idx)
+        {
+        if (!bs) return NULL;
+        return sk_OCSP_SINGLERESP_value(bs->tbsResponseData->responses, idx);
+        }
+
+/* Look single response matching a given certificate ID */
+
+int OCSP_resp_find(OCSP_BASICRESP *bs, OCSP_CERTID *id, int last)
+        {
+        int i;
+        STACK_OF(OCSP_SINGLERESP) *sresp;
+        OCSP_SINGLERESP *single;
+        if (!bs) return -1;
+        if (last < 0) last = 0;
+        else last++;
+        sresp = bs->tbsResponseData->responses;
+        for (i = last; i < sk_OCSP_SINGLERESP_num(sresp); i++)
+                {
+                single = sk_OCSP_SINGLERESP_value(sresp, i);
+                if (!OCSP_id_cmp(id, single->certId)) return i;
+                }
+        return -1;
+        }
+
+/* Extract status information from an OCSP_SINGLERESP structure.
+ * Note: the revtime and reason values are only set if the 
+ * certificate status is revoked. Returns numerical value of
+ * status.
+ */
+
+int OCSP_single_get0_status(OCSP_SINGLERESP *single, int *reason,
+                                ASN1_GENERALIZEDTIME **revtime,
+                                ASN1_GENERALIZEDTIME **thisupd,
+                                ASN1_GENERALIZEDTIME **nextupd)
+        {
+        int ret;
+        OCSP_CERTSTATUS *cst;
+        if(!single) return -1;
+        cst = single->certStatus;
+        ret = cst->type;
+        if (ret == V_OCSP_CERTSTATUS_REVOKED)
+                {
+                OCSP_REVOKEDINFO *rev = cst->value.revoked;
+                if (revtime) *revtime = rev->revocationTime;
+                if (reason) 
+                        {
+                        if(rev->revocationReason)
+                                *reason = ASN1_ENUMERATED_get(rev->revocationReason);
+                        else *reason = -1;
+                        }
+                }
+        if(thisupd) *thisupd = single->thisUpdate;
+        if(nextupd) *nextupd = single->nextUpdate;
+        return ret;
+        }
+
+/* This function combines the previous ones: look up a certificate ID and
+ * if found extract status information. Return 0 is successful.
+ */
+
+int OCSP_resp_find_status(OCSP_BASICRESP *bs, OCSP_CERTID *id, int *status,
+                                int *reason,
+                                ASN1_GENERALIZEDTIME **revtime,
+                                ASN1_GENERALIZEDTIME **thisupd,
+                                ASN1_GENERALIZEDTIME **nextupd)
+        {
+        int i;
+        OCSP_SINGLERESP *single;
+        i = OCSP_resp_find(bs, id, -1);
+        /* Maybe check for multiple responses and give an error? */
+        if(i < 0) return 0;
+        single = OCSP_resp_get0(bs, i);
+        i = OCSP_single_get0_status(single, reason, revtime, thisupd, nextupd);
+        if(status) *status = i;
+        return 1;
+        }
+
+/* Check validity of thisUpdate and nextUpdate fields. It is possible that the request will
+ * take a few seconds to process and/or the time wont be totally accurate. Therefore to avoid
+ * rejecting otherwise valid time we allow the times to be within 'nsec' of the current time.
+ * Also to avoid accepting very old responses without a nextUpdate field an optional maxage
+ * parameter specifies the maximum age the thisUpdate field can be.
+ */
+
+int OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd, ASN1_GENERALIZEDTIME *nextupd, long nsec, long maxsec)
+        {
+        int ret = 1;
+        time_t t_now, t_tmp;
+        time(&t_now);
+        /* Check thisUpdate is valid and not more than nsec in the future */
+        if (!ASN1_GENERALIZEDTIME_check(thisupd))
+                {
+                OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, OCSP_R_ERROR_IN_THISUPDATE_FIELD);
+                ret = 0;
+                }
+        else 
+                {
+                        t_tmp = t_now + nsec;
+                        if (X509_cmp_time(thisupd, &t_tmp) > 0)
+                        {
+                        OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, OCSP_R_STATUS_NOT_YET_VALID);
+                        ret = 0;
+                        }
+
+                /* If maxsec specified check thisUpdate is not more than maxsec in the past */
+                if (maxsec >= 0)
+                        {
+                        t_tmp = t_now - maxsec;
+                        if (X509_cmp_time(thisupd, &t_tmp) < 0)
+                                {
+                                OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, OCSP_R_STATUS_TOO_OLD);
+                                ret = 0;
+                                }
+                        }
+                }
+                
+
+        if (!nextupd) return ret;
+
+        /* Check nextUpdate is valid and not more than nsec in the past */
+        if (!ASN1_GENERALIZEDTIME_check(nextupd))
+                {
+                OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, OCSP_R_ERROR_IN_NEXTUPDATE_FIELD);
+                ret = 0;
+                }
+        else 
+                {
+                t_tmp = t_now - nsec;
+                if (X509_cmp_time(nextupd, &t_tmp) < 0)
+                        {
+                        OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, OCSP_R_STATUS_EXPIRED);
+                        ret = 0;
+                        }
+                }
+
+        /* Also don't allow nextUpdate to precede thisUpdate */
+        if (ASN1_STRING_cmp(nextupd, thisupd) < 0)
+                {
+                OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, OCSP_R_NEXTUPDATE_BEFORE_THISUPDATE);
+                ret = 0;
+                }
+
+        return ret;
+        }
diff --git a/src/lib/libcrypto/ocsp/ocsp_err.c b/src/lib/libcrypto/ocsp/ocsp_err.c
new file mode 100644
index 0000000000..4c4d8306f8
--- /dev/null
+++ b/src/lib/libcrypto/ocsp/ocsp_err.c
@@ -0,0 +1,139 @@
+/* crypto/ocsp/ocsp_err.c */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/* NOTE: this file was auto generated by the mkerr.pl script: any changes
+ * made to it will be overwritten when the script next updates this file,
+ * only reason strings will be preserved.
+ */
+
+#include <stdio.h>
+#include <openssl/err.h>
+#include <openssl/ocsp.h>
+
+/* BEGIN ERROR CODES */
+#ifndef OPENSSL_NO_ERR
+static ERR_STRING_DATA OCSP_str_functs[]=
+        {
+{ERR_PACK(0,OCSP_F_ASN1_STRING_ENCODE,0),       "ASN1_STRING_encode"},
+{ERR_PACK(0,OCSP_F_CERT_ID_NEW,0),      "CERT_ID_NEW"},
+{ERR_PACK(0,OCSP_F_D2I_OCSP_NONCE,0),   "D2I_OCSP_NONCE"},
+{ERR_PACK(0,OCSP_F_OCSP_BASIC_ADD1_STATUS,0),   "OCSP_basic_add1_status"},
+{ERR_PACK(0,OCSP_F_OCSP_BASIC_SIGN,0),  "OCSP_basic_sign"},
+{ERR_PACK(0,OCSP_F_OCSP_BASIC_VERIFY,0),        "OCSP_basic_verify"},
+{ERR_PACK(0,OCSP_F_OCSP_CHECK_DELEGATED,0),     "OCSP_CHECK_DELEGATED"},
+{ERR_PACK(0,OCSP_F_OCSP_CHECK_IDS,0),   "OCSP_CHECK_IDS"},
+{ERR_PACK(0,OCSP_F_OCSP_CHECK_ISSUER,0),        "OCSP_CHECK_ISSUER"},
+{ERR_PACK(0,OCSP_F_OCSP_CHECK_VALIDITY,0),      "OCSP_check_validity"},
+{ERR_PACK(0,OCSP_F_OCSP_MATCH_ISSUERID,0),      "OCSP_MATCH_ISSUERID"},
+{ERR_PACK(0,OCSP_F_OCSP_PARSE_URL,0),   "OCSP_parse_url"},
+{ERR_PACK(0,OCSP_F_OCSP_REQUEST_SIGN,0),        "OCSP_request_sign"},
+{ERR_PACK(0,OCSP_F_OCSP_REQUEST_VERIFY,0),      "OCSP_request_verify"},
+{ERR_PACK(0,OCSP_F_OCSP_RESPONSE_GET1_BASIC,0), "OCSP_response_get1_basic"},
+{ERR_PACK(0,OCSP_F_OCSP_SENDREQ_BIO,0), "OCSP_sendreq_bio"},
+{ERR_PACK(0,OCSP_F_REQUEST_VERIFY,0),   "REQUEST_VERIFY"},
+{0,NULL}
+        };
+
+static ERR_STRING_DATA OCSP_str_reasons[]=
+        {
+{OCSP_R_BAD_DATA                         ,"bad data"},
+{OCSP_R_CERTIFICATE_VERIFY_ERROR         ,"certificate verify error"},
+{OCSP_R_DIGEST_ERR                       ,"digest err"},
+{OCSP_R_ERROR_IN_NEXTUPDATE_FIELD        ,"error in nextupdate field"},
+{OCSP_R_ERROR_IN_THISUPDATE_FIELD        ,"error in thisupdate field"},
+{OCSP_R_ERROR_PARSING_URL                ,"error parsing url"},
+{OCSP_R_MISSING_OCSPSIGNING_USAGE        ,"missing ocspsigning usage"},
+{OCSP_R_NEXTUPDATE_BEFORE_THISUPDATE     ,"nextupdate before thisupdate"},
+{OCSP_R_NOT_BASIC_RESPONSE               ,"not basic response"},
+{OCSP_R_NO_CERTIFICATES_IN_CHAIN         ,"no certificates in chain"},
+{OCSP_R_NO_CONTENT                       ,"no content"},
+{OCSP_R_NO_PUBLIC_KEY                    ,"no public key"},
+{OCSP_R_NO_RESPONSE_DATA                 ,"no response data"},
+{OCSP_R_NO_REVOKED_TIME                  ,"no revoked time"},
+{OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE,"private key does not match certificate"},
+{OCSP_R_REQUEST_NOT_SIGNED               ,"request not signed"},
+{OCSP_R_RESPONSE_CONTAINS_NO_REVOCATION_DATA,"response contains no revocation data"},
+{OCSP_R_ROOT_CA_NOT_TRUSTED              ,"root ca not trusted"},
+{OCSP_R_SERVER_READ_ERROR                ,"server read error"},
+{OCSP_R_SERVER_RESPONSE_ERROR            ,"server response error"},
+{OCSP_R_SERVER_RESPONSE_PARSE_ERROR      ,"server response parse error"},
+{OCSP_R_SERVER_WRITE_ERROR               ,"server write error"},
+{OCSP_R_SIGNATURE_FAILURE                ,"signature failure"},
+{OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND     ,"signer certificate not found"},
+{OCSP_R_STATUS_EXPIRED                   ,"status expired"},
+{OCSP_R_STATUS_NOT_YET_VALID             ,"status not yet valid"},
+{OCSP_R_STATUS_TOO_OLD                   ,"status too old"},
+{OCSP_R_UNKNOWN_MESSAGE_DIGEST           ,"unknown message digest"},
+{OCSP_R_UNKNOWN_NID                      ,"unknown nid"},
+{OCSP_R_UNSUPPORTED_REQUESTORNAME_TYPE   ,"unsupported requestorname type"},
+{0,NULL}
+        };
+
+#endif
+
+void ERR_load_OCSP_strings(void)
+        {
+        static int init=1;
+
+        if (init)
+                {
+                init=0;
+#ifndef OPENSSL_NO_ERR
+                ERR_load_strings(ERR_LIB_OCSP,OCSP_str_functs);
+                ERR_load_strings(ERR_LIB_OCSP,OCSP_str_reasons);
+#endif
+
+                }
+        }
diff --git a/src/lib/libcrypto/ocsp/ocsp_ext.c b/src/lib/libcrypto/ocsp/ocsp_ext.c
new file mode 100644
index 0000000000..d6c8899f58
--- /dev/null
+++ b/src/lib/libcrypto/ocsp/ocsp_ext.c
@@ -0,0 +1,528 @@
+/* ocsp_ext.c */
+/* Written by Tom Titchener <Tom_Titchener@groove.net> for the OpenSSL
+ * project. */
+
+/* History:
+   This file was transfered to Richard Levitte from CertCo by Kathy
+   Weinhold in mid-spring 2000 to be included in OpenSSL or released
+   as a patch kit. */
+
+/* ====================================================================
+ * Copyright (c) 1998-2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <cryptlib.h>
+#include <openssl/objects.h>
+#include <openssl/x509.h>
+#include <openssl/ocsp.h>
+#include <openssl/rand.h>
+#include <openssl/x509v3.h>
+
+/* Standard wrapper functions for extensions */
+
+/* OCSP request extensions */
+
+int OCSP_REQUEST_get_ext_count(OCSP_REQUEST *x)
+        {
+        return(X509v3_get_ext_count(x->tbsRequest->requestExtensions));
+        }
+
+int OCSP_REQUEST_get_ext_by_NID(OCSP_REQUEST *x, int nid, int lastpos)
+        {
+        return(X509v3_get_ext_by_NID(x->tbsRequest->requestExtensions,nid,lastpos));
+        }
+
+int OCSP_REQUEST_get_ext_by_OBJ(OCSP_REQUEST *x, ASN1_OBJECT *obj, int lastpos)
+        {
+        return(X509v3_get_ext_by_OBJ(x->tbsRequest->requestExtensions,obj,lastpos));
+        }
+
+int OCSP_REQUEST_get_ext_by_critical(OCSP_REQUEST *x, int crit, int lastpos)
+        {
+        return(X509v3_get_ext_by_critical(x->tbsRequest->requestExtensions,crit,lastpos));
+        }
+
+X509_EXTENSION *OCSP_REQUEST_get_ext(OCSP_REQUEST *x, int loc)
+        {
+        return(X509v3_get_ext(x->tbsRequest->requestExtensions,loc));
+        }
+
+X509_EXTENSION *OCSP_REQUEST_delete_ext(OCSP_REQUEST *x, int loc)
+        {
+        return(X509v3_delete_ext(x->tbsRequest->requestExtensions,loc));
+        }
+
+void *OCSP_REQUEST_get1_ext_d2i(OCSP_REQUEST *x, int nid, int *crit, int *idx)
+        {
+        return X509V3_get_d2i(x->tbsRequest->requestExtensions, nid, crit, idx);
+        }
+
+int OCSP_REQUEST_add1_ext_i2d(OCSP_REQUEST *x, int nid, void *value, int crit,
+                                                        unsigned long flags)
+        {
+        return X509V3_add1_i2d(&x->tbsRequest->requestExtensions, nid, value, crit, flags);
+        }
+
+int OCSP_REQUEST_add_ext(OCSP_REQUEST *x, X509_EXTENSION *ex, int loc)
+        {
+        return(X509v3_add_ext(&(x->tbsRequest->requestExtensions),ex,loc) != NULL);
+        }
+
+/* Single extensions */
+
+int OCSP_ONEREQ_get_ext_count(OCSP_ONEREQ *x)
+        {
+        return(X509v3_get_ext_count(x->singleRequestExtensions));
+        }
+
+int OCSP_ONEREQ_get_ext_by_NID(OCSP_ONEREQ *x, int nid, int lastpos)
+        {
+        return(X509v3_get_ext_by_NID(x->singleRequestExtensions,nid,lastpos));
+        }
+
+int OCSP_ONEREQ_get_ext_by_OBJ(OCSP_ONEREQ *x, ASN1_OBJECT *obj, int lastpos)
+        {
+        return(X509v3_get_ext_by_OBJ(x->singleRequestExtensions,obj,lastpos));
+        }
+
+int OCSP_ONEREQ_get_ext_by_critical(OCSP_ONEREQ *x, int crit, int lastpos)
+        {
+        return(X509v3_get_ext_by_critical(x->singleRequestExtensions,crit,lastpos));
+        }
+
+X509_EXTENSION *OCSP_ONEREQ_get_ext(OCSP_ONEREQ *x, int loc)
+        {
+        return(X509v3_get_ext(x->singleRequestExtensions,loc));
+        }
+
+X509_EXTENSION *OCSP_ONEREQ_delete_ext(OCSP_ONEREQ *x, int loc)
+        {
+        return(X509v3_delete_ext(x->singleRequestExtensions,loc));
+        }
+
+void *OCSP_ONEREQ_get1_ext_d2i(OCSP_ONEREQ *x, int nid, int *crit, int *idx)
+        {
+        return X509V3_get_d2i(x->singleRequestExtensions, nid, crit, idx);
+        }
+
+int OCSP_ONEREQ_add1_ext_i2d(OCSP_ONEREQ *x, int nid, void *value, int crit,
+                                                        unsigned long flags)
+        {
+        return X509V3_add1_i2d(&x->singleRequestExtensions, nid, value, crit, flags);
+        }
+
+int OCSP_ONEREQ_add_ext(OCSP_ONEREQ *x, X509_EXTENSION *ex, int loc)
+        {
+        return(X509v3_add_ext(&(x->singleRequestExtensions),ex,loc) != NULL);
+        }
+
+/* OCSP Basic response */
+
+int OCSP_BASICRESP_get_ext_count(OCSP_BASICRESP *x)
+        {
+        return(X509v3_get_ext_count(x->tbsResponseData->responseExtensions));
+        }
+
+int OCSP_BASICRESP_get_ext_by_NID(OCSP_BASICRESP *x, int nid, int lastpos)
+        {
+        return(X509v3_get_ext_by_NID(x->tbsResponseData->responseExtensions,nid,lastpos));
+        }
+
+int OCSP_BASICRESP_get_ext_by_OBJ(OCSP_BASICRESP *x, ASN1_OBJECT *obj, int lastpos)
+        {
+        return(X509v3_get_ext_by_OBJ(x->tbsResponseData->responseExtensions,obj,lastpos));
+        }
+
+int OCSP_BASICRESP_get_ext_by_critical(OCSP_BASICRESP *x, int crit, int lastpos)
+        {
+        return(X509v3_get_ext_by_critical(x->tbsResponseData->responseExtensions,crit,lastpos));
+        }
+
+X509_EXTENSION *OCSP_BASICRESP_get_ext(OCSP_BASICRESP *x, int loc)
+        {
+        return(X509v3_get_ext(x->tbsResponseData->responseExtensions,loc));
+        }
+
+X509_EXTENSION *OCSP_BASICRESP_delete_ext(OCSP_BASICRESP *x, int loc)
+        {
+        return(X509v3_delete_ext(x->tbsResponseData->responseExtensions,loc));
+        }
+
+void *OCSP_BASICRESP_get1_ext_d2i(OCSP_BASICRESP *x, int nid, int *crit, int *idx)
+        {
+        return X509V3_get_d2i(x->tbsResponseData->responseExtensions, nid, crit, idx);
+        }
+
+int OCSP_BASICRESP_add1_ext_i2d(OCSP_BASICRESP *x, int nid, void *value, int crit,
+                                                        unsigned long flags)
+        {
+        return X509V3_add1_i2d(&x->tbsResponseData->responseExtensions, nid, value, crit, flags);
+        }
+
+int OCSP_BASICRESP_add_ext(OCSP_BASICRESP *x, X509_EXTENSION *ex, int loc)
+        {
+        return(X509v3_add_ext(&(x->tbsResponseData->responseExtensions),ex,loc) != NULL);
+        }
+
+/* OCSP single response extensions */
+
+int OCSP_SINGLERESP_get_ext_count(OCSP_SINGLERESP *x)
+        {
+        return(X509v3_get_ext_count(x->singleExtensions));
+        }
+
+int OCSP_SINGLERESP_get_ext_by_NID(OCSP_SINGLERESP *x, int nid, int lastpos)
+        {
+        return(X509v3_get_ext_by_NID(x->singleExtensions,nid,lastpos));
+        }
+
+int OCSP_SINGLERESP_get_ext_by_OBJ(OCSP_SINGLERESP *x, ASN1_OBJECT *obj, int lastpos)
+        {
+        return(X509v3_get_ext_by_OBJ(x->singleExtensions,obj,lastpos));
+        }
+
+int OCSP_SINGLERESP_get_ext_by_critical(OCSP_SINGLERESP *x, int crit, int lastpos)
+        {
+        return(X509v3_get_ext_by_critical(x->singleExtensions,crit,lastpos));
+        }
+
+X509_EXTENSION *OCSP_SINGLERESP_get_ext(OCSP_SINGLERESP *x, int loc)
+        {
+        return(X509v3_get_ext(x->singleExtensions,loc));
+        }
+
+X509_EXTENSION *OCSP_SINGLERESP_delete_ext(OCSP_SINGLERESP *x, int loc)
+        {
+        return(X509v3_delete_ext(x->singleExtensions,loc));
+        }
+
+void *OCSP_SINGLERESP_get1_ext_d2i(OCSP_SINGLERESP *x, int nid, int *crit, int *idx)
+        {
+        return X509V3_get_d2i(x->singleExtensions, nid, crit, idx);
+        }
+
+int OCSP_SINGLERESP_add1_ext_i2d(OCSP_SINGLERESP *x, int nid, void *value, int crit,
+                                                        unsigned long flags)
+        {
+        return X509V3_add1_i2d(&x->singleExtensions, nid, value, crit, flags);
+        }
+
+int OCSP_SINGLERESP_add_ext(OCSP_SINGLERESP *x, X509_EXTENSION *ex, int loc)
+        {
+        return(X509v3_add_ext(&(x->singleExtensions),ex,loc) != NULL);
+        }
+
+/* also CRL Entry Extensions */
+
+ASN1_STRING *ASN1_STRING_encode(ASN1_STRING *s, int (*i2d)(), 
+                                char *data, STACK_OF(ASN1_OBJECT) *sk)
+        {
+        int i;
+        unsigned char *p, *b = NULL;
+
+        if (data)
+                {
+                if ((i=i2d(data,NULL)) <= 0) goto err;
+                if (!(b=p=(unsigned char*)OPENSSL_malloc((unsigned int)i)))
+                        goto err;
+                if (i2d(data, &p) <= 0) goto err;
+                }
+        else if (sk)
+                {
+                if ((i=i2d_ASN1_SET_OF_ASN1_OBJECT(sk,NULL,i2d,V_ASN1_SEQUENCE,
+                                   V_ASN1_UNIVERSAL,IS_SEQUENCE))<=0) goto err;
+                if (!(b=p=(unsigned char*)OPENSSL_malloc((unsigned int)i)))
+                        goto err;
+                if (i2d_ASN1_SET_OF_ASN1_OBJECT(sk,&p,i2d,V_ASN1_SEQUENCE,
+                                 V_ASN1_UNIVERSAL,IS_SEQUENCE)<=0) goto err;
+                }
+        else
+                {
+                OCSPerr(OCSP_F_ASN1_STRING_ENCODE,OCSP_R_BAD_DATA);
+                goto err;
+                }
+        if (!s && !(s = ASN1_STRING_new())) goto err;
+        if (!(ASN1_STRING_set(s, b, i))) goto err;
+        OPENSSL_free(b);
+        return s;
+err:
+        if (b) OPENSSL_free(b);
+        return NULL;
+        }
+
+/* Nonce handling functions */
+
+/* Add a nonce to an extension stack. A nonce can be specificed or if NULL
+ * a random nonce will be generated.
+ */
+
+static int ocsp_add1_nonce(STACK_OF(X509_EXTENSION) **exts, unsigned char *val, int len)
+        {
+        unsigned char *tmpval;
+        ASN1_OCTET_STRING os;
+        int ret = 0;
+        if (len <= 0) len = OCSP_DEFAULT_NONCE_LENGTH;
+        if (val) tmpval = val;
+        else
+                {
+                if (!(tmpval = OPENSSL_malloc(len))) goto err;
+                RAND_pseudo_bytes(tmpval, len);
+                }
+        os.data = tmpval;
+        os.length = len;
+        if(!X509V3_add1_i2d(exts, NID_id_pkix_OCSP_Nonce,
+                        &os, 0, X509V3_ADD_REPLACE))
+                                goto err;
+        ret = 1;
+        err:
+        if(!val) OPENSSL_free(tmpval);
+        return ret;
+        }
+
+
+/* Add nonce to an OCSP request */
+
+int OCSP_request_add1_nonce(OCSP_REQUEST *req, unsigned char *val, int len)
+        {
+        return ocsp_add1_nonce(&req->tbsRequest->requestExtensions, val, len);
+        }
+
+/* Same as above but for a response */
+
+int OCSP_basic_add1_nonce(OCSP_BASICRESP *resp, unsigned char *val, int len)
+        {
+        return ocsp_add1_nonce(&resp->tbsResponseData->responseExtensions, val, len);
+        }
+
+/* Check nonce validity in a request and response.
+ * Return value reflects result:
+ *  1: nonces present and equal.
+ *  2: nonces both absent.
+ *  3: nonce present in response only.
+ *  0: nonces both present and not equal.
+ * -1: nonce in request only.
+ *
+ *  For most responders clients can check return > 0.
+ *  If responder doesn't handle nonces return != 0 may be
+ *  necessary. return == 0 is always an error.
+ */
+
+int OCSP_check_nonce(OCSP_REQUEST *req, OCSP_BASICRESP *bs)
+        {
+        /*
+         * Since we are only interested in the presence or absence of
+         * the nonce and comparing its value there is no need to use
+         * the X509V3 routines: this way we can avoid them allocating an
+         * ASN1_OCTET_STRING structure for the value which would be
+         * freed immediately anyway.
+         */
+
+        int req_idx, resp_idx;
+        X509_EXTENSION *req_ext, *resp_ext;
+        req_idx = OCSP_REQUEST_get_ext_by_NID(req, NID_id_pkix_OCSP_Nonce, -1);
+        resp_idx = OCSP_BASICRESP_get_ext_by_NID(bs, NID_id_pkix_OCSP_Nonce, -1);
+        /* Check both absent */
+        if((req_idx < 0) && (resp_idx < 0))
+                return 2;
+        /* Check in request only */
+        if((req_idx >= 0) && (resp_idx < 0))
+                return -1;
+        /* Check in response but not request */
+        if((req_idx < 0) && (resp_idx >= 0))
+                return 3;
+        /* Otherwise nonce in request and response so retrieve the extensions */
+        req_ext = OCSP_REQUEST_get_ext(req, req_idx);
+        resp_ext = OCSP_BASICRESP_get_ext(bs, resp_idx);
+        if(ASN1_OCTET_STRING_cmp(req_ext->value, resp_ext->value))
+                return 0;
+        return 1;
+        }
+
+/* Copy the nonce value (if any) from an OCSP request to 
+ * a response.
+ */
+
+int OCSP_copy_nonce(OCSP_BASICRESP *resp, OCSP_REQUEST *req)
+        {
+        X509_EXTENSION *req_ext;
+        int req_idx;
+        /* Check for nonce in request */
+        req_idx = OCSP_REQUEST_get_ext_by_NID(req, NID_id_pkix_OCSP_Nonce, -1);
+        /* If no nonce that's OK */
+        if (req_idx < 0) return 2;
+        req_ext = OCSP_REQUEST_get_ext(req, req_idx);
+        return OCSP_BASICRESP_add_ext(resp, req_ext, -1);
+        }
+
+X509_EXTENSION *OCSP_crlID_new(char *url, long *n, char *tim)
+        {
+        X509_EXTENSION *x = NULL;
+        OCSP_CRLID *cid = NULL;
+        
+        if (!(cid = OCSP_CRLID_new())) goto err;
+        if (url)
+                {
+                if (!(cid->crlUrl = ASN1_IA5STRING_new())) goto err;
+                if (!(ASN1_STRING_set(cid->crlUrl, url, -1))) goto err;
+                }
+        if (n)
+                {
+                if (!(cid->crlNum = ASN1_INTEGER_new())) goto err;
+                if (!(ASN1_INTEGER_set(cid->crlNum, *n))) goto err;
+                }
+        if (tim)
+                {
+                if (!(cid->crlTime = ASN1_GENERALIZEDTIME_new())) goto err;
+                if (!(ASN1_GENERALIZEDTIME_set_string(cid->crlTime, tim))) 
+                        goto err;
+                }
+        if (!(x = X509_EXTENSION_new())) goto err;
+        if (!(x->object = OBJ_nid2obj(NID_id_pkix_OCSP_CrlID))) goto err;
+        if (!(ASN1_STRING_encode(x->value,i2d_OCSP_CRLID,(char*)cid,NULL)))
+                goto err;
+        OCSP_CRLID_free(cid);
+        return x;
+err:
+        if (x) X509_EXTENSION_free(x);
+        if (cid) OCSP_CRLID_free(cid);
+        return NULL;
+        }
+
+/*   AcceptableResponses ::= SEQUENCE OF OBJECT IDENTIFIER */
+X509_EXTENSION *OCSP_accept_responses_new(char **oids)
+        {
+        int nid;
+        STACK_OF(ASN1_OBJECT) *sk = NULL;
+        ASN1_OBJECT *o = NULL;
+        X509_EXTENSION *x = NULL;
+
+        if (!(sk = sk_ASN1_OBJECT_new_null())) goto err;
+        while (oids && *oids)
+                {
+                if ((nid=OBJ_txt2nid(*oids))!=NID_undef&&(o=OBJ_nid2obj(nid))) 
+                        sk_ASN1_OBJECT_push(sk, o);
+                oids++;
+                }
+        if (!(x = X509_EXTENSION_new())) goto err;
+        if (!(x->object = OBJ_nid2obj(NID_id_pkix_OCSP_acceptableResponses)))
+                goto err;
+        if (!(ASN1_STRING_encode(x->value,i2d_ASN1_OBJECT,NULL,sk)))
+                goto err;
+        sk_ASN1_OBJECT_pop_free(sk, ASN1_OBJECT_free);
+        return x;
+err:
+        if (x) X509_EXTENSION_free(x);
+        if (sk) sk_ASN1_OBJECT_pop_free(sk, ASN1_OBJECT_free);
+        return NULL;
+        }
+
+/*  ArchiveCutoff ::= GeneralizedTime */
+X509_EXTENSION *OCSP_archive_cutoff_new(char* tim)
+        {
+        X509_EXTENSION *x=NULL;
+        ASN1_GENERALIZEDTIME *gt = NULL;
+
+        if (!(gt = ASN1_GENERALIZEDTIME_new())) goto err;
+        if (!(ASN1_GENERALIZEDTIME_set_string(gt, tim))) goto err;
+        if (!(x = X509_EXTENSION_new())) goto err;
+        if (!(x->object=OBJ_nid2obj(NID_id_pkix_OCSP_archiveCutoff)))goto err;
+        if (!(ASN1_STRING_encode(x->value,i2d_ASN1_GENERALIZEDTIME,
+                                 (char*)gt,NULL))) goto err;
+        ASN1_GENERALIZEDTIME_free(gt);
+        return x;
+err:
+        if (gt) ASN1_GENERALIZEDTIME_free(gt);
+        if (x) X509_EXTENSION_free(x);
+        return NULL;
+        }
+
+/* per ACCESS_DESCRIPTION parameter are oids, of which there are currently
+ * two--NID_ad_ocsp, NID_id_ad_caIssuers--and GeneralName value.  This
+ * method forces NID_ad_ocsp and uniformResourceLocator [6] IA5String.
+ */
+X509_EXTENSION *OCSP_url_svcloc_new(X509_NAME* issuer, char **urls)
+        {
+        X509_EXTENSION *x = NULL;
+        ASN1_IA5STRING *ia5 = NULL;
+        OCSP_SERVICELOC *sloc = NULL;
+        ACCESS_DESCRIPTION *ad = NULL;
+        
+        if (!(sloc = OCSP_SERVICELOC_new())) goto err;
+        if (!(sloc->issuer = X509_NAME_dup(issuer))) goto err;
+        if (urls && *urls && !(sloc->locator = sk_ACCESS_DESCRIPTION_new_null())) goto err;
+        while (urls && *urls)
+                {
+                if (!(ad = ACCESS_DESCRIPTION_new())) goto err;
+                if (!(ad->method=OBJ_nid2obj(NID_ad_OCSP))) goto err;
+                if (!(ad->location = GENERAL_NAME_new())) goto err;
+                if (!(ia5 = ASN1_IA5STRING_new())) goto err;
+                if (!ASN1_STRING_set((ASN1_STRING*)ia5, *urls, -1)) goto err;
+                ad->location->type = GEN_URI;
+                ad->location->d.ia5 = ia5;
+                if (!sk_ACCESS_DESCRIPTION_push(sloc->locator, ad)) goto err;
+                urls++;
+                }
+        if (!(x = X509_EXTENSION_new())) goto err;
+        if (!(x->object = OBJ_nid2obj(NID_id_pkix_OCSP_serviceLocator))) 
+                goto err;
+        if (!(ASN1_STRING_encode(x->value, i2d_OCSP_SERVICELOC,
+                                 (char*)sloc, NULL))) goto err;
+        OCSP_SERVICELOC_free(sloc);
+        return x;
+err:
+        if (x) X509_EXTENSION_free(x);
+        if (sloc) OCSP_SERVICELOC_free(sloc);
+        return NULL;
+        }
+
diff --git a/src/lib/libcrypto/ocsp/ocsp_ht.c b/src/lib/libcrypto/ocsp/ocsp_ht.c
new file mode 100644
index 0000000000..b78cd37092
--- /dev/null
+++ b/src/lib/libcrypto/ocsp/ocsp_ht.c
@@ -0,0 +1,164 @@
+/* ocsp_ht.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <openssl/asn1.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <ctype.h>
+#include <string.h>
+#include <openssl/ocsp.h>
+#include <openssl/err.h>
+#include <openssl/buffer.h>
+
+/* Quick and dirty HTTP OCSP request handler.
+ * Could make this a bit cleverer by adding
+ * support for non blocking BIOs and a few
+ * other refinements.
+ */
+
+OCSP_RESPONSE *OCSP_sendreq_bio(BIO *b, char *path, OCSP_REQUEST *req)
+{
+        BIO *mem = NULL;
+        char tmpbuf[1024];
+        OCSP_RESPONSE *resp = NULL;
+        char *p, *q, *r;
+        int len, retcode;
+        static char req_txt[] =
+"POST %s HTTP/1.0\r\n\
+Content-Type: application/ocsp-request\r\n\
+Content-Length: %d\r\n\r\n";
+
+        len = i2d_OCSP_REQUEST(req, NULL);
+        if(BIO_printf(b, req_txt, path, len) < 0) {
+                OCSPerr(OCSP_F_OCSP_SENDREQ_BIO,OCSP_R_SERVER_WRITE_ERROR);
+                goto err;
+        }
+        if(i2d_OCSP_REQUEST_bio(b, req) <= 0) {
+                OCSPerr(OCSP_F_OCSP_SENDREQ_BIO,OCSP_R_SERVER_WRITE_ERROR);
+                goto err;
+        }
+        if(!(mem = BIO_new(BIO_s_mem()))) goto err;
+        /* Copy response to a memory BIO: socket bios can't do gets! */
+        while ((len = BIO_read(b, tmpbuf, 1024))) {
+                if(len < 0) {
+                        OCSPerr(OCSP_F_OCSP_SENDREQ_BIO,OCSP_R_SERVER_READ_ERROR);
+                        goto err;
+                }
+                BIO_write(mem, tmpbuf, len);
+        }
+        if(BIO_gets(mem, tmpbuf, 512) <= 0) {
+                OCSPerr(OCSP_F_OCSP_SENDREQ_BIO,OCSP_R_SERVER_RESPONSE_PARSE_ERROR);
+                goto err;
+        }
+        /* Parse the HTTP response. This will look like this:
+         * "HTTP/1.0 200 OK". We need to obtain the numeric code and
+         * informational message.
+         */
+
+        /* Skip to first white space (passed protocol info) */
+        for(p = tmpbuf; *p && !isspace((unsigned char)*p); p++) continue;
+        if(!*p) {
+                OCSPerr(OCSP_F_OCSP_SENDREQ_BIO,OCSP_R_SERVER_RESPONSE_PARSE_ERROR);
+                goto err;
+        }
+        /* Skip past white space to start of response code */
+        while(*p && isspace((unsigned char)*p)) p++;
+        if(!*p) {
+                OCSPerr(OCSP_F_OCSP_SENDREQ_BIO,OCSP_R_SERVER_RESPONSE_PARSE_ERROR);
+                goto err;
+        }
+        /* Find end of response code: first whitespace after start of code */
+        for(q = p; *q && !isspace((unsigned char)*q); q++) continue;
+        if(!*q) {
+                OCSPerr(OCSP_F_OCSP_SENDREQ_BIO,OCSP_R_SERVER_RESPONSE_PARSE_ERROR);
+                goto err;
+        }
+        /* Set end of response code and start of message */ 
+        *q++ = 0;
+        /* Attempt to parse numeric code */
+        retcode = strtoul(p, &r, 10);
+        if(*r) goto err;
+        /* Skip over any leading white space in message */
+        while(*q && isspace((unsigned char)*q))  q++;
+        if(!*q) goto err;
+        /* Finally zap any trailing white space in message (include CRLF) */
+        /* We know q has a non white space character so this is OK */
+        for(r = q + strlen(q) - 1; isspace((unsigned char)*r); r--) *r = 0;
+        if(retcode != 200) {
+                OCSPerr(OCSP_F_OCSP_SENDREQ_BIO,OCSP_R_SERVER_RESPONSE_ERROR);
+                ERR_add_error_data(4, "Code=", p, ",Reason=", q);
+                goto err;
+        }
+        /* Find blank line marking beginning of content */      
+        while(BIO_gets(mem, tmpbuf, 512) > 0)
+        {
+                for(p = tmpbuf; *p && isspace((unsigned char)*p); p++) continue;
+                if(!*p) break;
+        }
+        if(*p) {
+                OCSPerr(OCSP_F_OCSP_SENDREQ_BIO,OCSP_R_NO_CONTENT);
+                goto err;
+        }
+        if(!(resp = d2i_OCSP_RESPONSE_bio(mem, NULL))) {
+                OCSPerr(OCSP_F_OCSP_SENDREQ_BIO,ERR_R_NESTED_ASN1_ERROR);
+                goto err;
+        }
+        err:
+        BIO_free(mem);
+        return resp;
+}
diff --git a/src/lib/libcrypto/ocsp/ocsp_lib.c b/src/lib/libcrypto/ocsp/ocsp_lib.c
new file mode 100644
index 0000000000..3875af165c
--- /dev/null
+++ b/src/lib/libcrypto/ocsp/ocsp_lib.c
@@ -0,0 +1,261 @@
+/* ocsp_lib.c */
+/* Written by Tom Titchener <Tom_Titchener@groove.net> for the OpenSSL
+ * project. */
+
+/* History:
+   This file was transfered to Richard Levitte from CertCo by Kathy
+   Weinhold in mid-spring 2000 to be included in OpenSSL or released
+   as a patch kit. */
+
+/* ====================================================================
+ * Copyright (c) 1998-2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <cryptlib.h>
+#include <openssl/objects.h>
+#include <openssl/rand.h>
+#include <openssl/x509.h>
+#include <openssl/pem.h>
+#include <openssl/x509v3.h>
+#include <openssl/ocsp.h>
+
+/* Convert a certificate and its issuer to an OCSP_CERTID */
+
+OCSP_CERTID *OCSP_cert_to_id(const EVP_MD *dgst, X509 *subject, X509 *issuer)
+{
+        X509_NAME *iname;
+        ASN1_INTEGER *serial;
+        ASN1_BIT_STRING *ikey;
+#ifndef OPENSSL_NO_SHA1
+        if(!dgst) dgst = EVP_sha1();
+#endif
+        if (subject)
+                {
+                iname = X509_get_issuer_name(subject);
+                serial = X509_get_serialNumber(subject);
+                }
+        else
+                {
+                iname = X509_get_subject_name(issuer);
+                serial = NULL;
+                }
+        ikey = X509_get0_pubkey_bitstr(issuer);
+        return OCSP_cert_id_new(dgst, iname, ikey, serial);
+}
+
+
+OCSP_CERTID *OCSP_cert_id_new(const EVP_MD *dgst, 
+                              X509_NAME *issuerName, 
+                              ASN1_BIT_STRING* issuerKey, 
+                              ASN1_INTEGER *serialNumber)
+        {
+        int nid;
+        unsigned int i;
+        X509_ALGOR *alg;
+        OCSP_CERTID *cid = NULL;
+        unsigned char md[EVP_MAX_MD_SIZE];
+
+        if (!(cid = OCSP_CERTID_new())) goto err;
+
+        alg = cid->hashAlgorithm;
+        if (alg->algorithm != NULL) ASN1_OBJECT_free(alg->algorithm);
+        if ((nid = EVP_MD_type(dgst)) == NID_undef)
+                {
+                OCSPerr(OCSP_F_CERT_ID_NEW,OCSP_R_UNKNOWN_NID);
+                goto err;
+                }
+        if (!(alg->algorithm=OBJ_nid2obj(nid))) goto err;
+        if ((alg->parameter=ASN1_TYPE_new()) == NULL) goto err;
+        alg->parameter->type=V_ASN1_NULL;
+
+        if (!X509_NAME_digest(issuerName, dgst, md, &i)) goto digerr;
+        if (!(ASN1_OCTET_STRING_set(cid->issuerNameHash, md, i))) goto err;
+
+        /* Calculate the issuerKey hash, excluding tag and length */
+        EVP_Digest(issuerKey->data, issuerKey->length, md, &i, dgst, NULL);
+
+        if (!(ASN1_OCTET_STRING_set(cid->issuerKeyHash, md, i))) goto err;
+
+        if (serialNumber)
+                {
+                ASN1_INTEGER_free(cid->serialNumber);
+                if (!(cid->serialNumber = ASN1_INTEGER_dup(serialNumber))) goto err;
+                }
+        return cid;
+digerr:
+        OCSPerr(OCSP_F_CERT_ID_NEW,OCSP_R_DIGEST_ERR);
+err:
+        if (cid) OCSP_CERTID_free(cid);
+        return NULL;
+        }
+
+int OCSP_id_issuer_cmp(OCSP_CERTID *a, OCSP_CERTID *b)
+        {
+        int ret;
+        ret = OBJ_cmp(a->hashAlgorithm->algorithm, b->hashAlgorithm->algorithm);
+        if (ret) return ret;
+        ret = ASN1_OCTET_STRING_cmp(a->issuerNameHash, b->issuerNameHash);
+        if (ret) return ret;
+        return ASN1_OCTET_STRING_cmp(a->issuerKeyHash, b->issuerKeyHash);
+        }
+
+int OCSP_id_cmp(OCSP_CERTID *a, OCSP_CERTID *b)
+        {
+        int ret;
+        ret = OCSP_id_issuer_cmp(a, b);
+        if (ret) return ret;
+        return ASN1_INTEGER_cmp(a->serialNumber, b->serialNumber);
+        }
+
+
+/* Parse a URL and split it up into host, port and path components and whether
+ * it is SSL.
+ */
+
+int OCSP_parse_url(char *url, char **phost, char **pport, char **ppath, int *pssl)
+        {
+        char *p, *buf;
+
+        char *host, *port;
+
+        /* dup the buffer since we are going to mess with it */
+        buf = BUF_strdup(url);
+        if (!buf) goto mem_err;
+
+        *phost = NULL;
+        *pport = NULL;
+        *ppath = NULL;
+
+        /* Check for initial colon */
+        p = strchr(buf, ':');
+
+        if (!p) goto parse_err;
+
+        *(p++) = '\0';
+
+        if (!strcmp(buf, "http"))
+                {
+                *pssl = 0;
+                port = "80";
+                }
+        else if (!strcmp(buf, "https"))
+                {
+                *pssl = 1;
+                port = "443";
+                }
+        else
+                goto parse_err;
+
+        /* Check for double slash */
+        if ((p[0] != '/') || (p[1] != '/'))
+                goto parse_err;
+
+        p += 2;
+
+        host = p;
+
+        /* Check for trailing part of path */
+
+        p = strchr(p, '/');
+
+        if (!p) 
+                *ppath = BUF_strdup("/");
+        else
+                {
+                *ppath = BUF_strdup(p);
+                /* Set start of path to 0 so hostname is valid */
+                *p = '\0';
+                }
+
+        if (!*ppath) goto mem_err;
+
+        /* Look for optional ':' for port number */
+        if ((p = strchr(host, ':')))
+                {
+                *p = 0;
+                port = p + 1;
+                }
+        else
+                {
+                /* Not found: set default port */
+                if (*pssl) port = "443";
+                else port = "80";
+                }
+
+        *pport = BUF_strdup(port);
+        if (!*pport) goto mem_err;
+
+        *phost = BUF_strdup(host);
+
+        if (!*phost) goto mem_err;
+
+        OPENSSL_free(buf);
+
+        return 1;
+
+        mem_err:
+        OCSPerr(OCSP_F_OCSP_PARSE_URL, ERR_R_MALLOC_FAILURE);
+        goto err;
+
+        parse_err:
+        OCSPerr(OCSP_F_OCSP_PARSE_URL, OCSP_R_ERROR_PARSING_URL);
+
+
+        err:
+        if (*ppath) OPENSSL_free(*ppath);
+        if (*pport) OPENSSL_free(*pport);
+        if (*phost) OPENSSL_free(*phost);
+        return 0;
+
+        }
diff --git a/src/lib/libcrypto/ocsp/ocsp_prn.c b/src/lib/libcrypto/ocsp/ocsp_prn.c
new file mode 100644
index 0000000000..4b7bc28769
--- /dev/null
+++ b/src/lib/libcrypto/ocsp/ocsp_prn.c
@@ -0,0 +1,291 @@
+/* ocsp_prn.c */
+/* Written by Tom Titchener <Tom_Titchener@groove.net> for the OpenSSL
+ * project. */
+
+/* History:
+   This file was originally part of ocsp.c and was transfered to Richard
+   Levitte from CertCo by Kathy Weinhold in mid-spring 2000 to be included
+   in OpenSSL or released as a patch kit. */
+
+/* ====================================================================
+ * Copyright (c) 1998-2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <openssl/bio.h>
+#include <openssl/err.h>
+#include <openssl/ocsp.h>
+#include <openssl/pem.h>
+
+static int ocsp_certid_print(BIO *bp, OCSP_CERTID* a, int indent)
+        {
+        BIO_printf(bp, "%*sCertificate ID:\n", indent, "");
+        indent += 2;
+        BIO_printf(bp, "%*sHash Algorithm: ", indent, "");
+        i2a_ASN1_OBJECT(bp, a->hashAlgorithm->algorithm);
+        BIO_printf(bp, "\n%*sIssuer Name Hash: ", indent, "");
+        i2a_ASN1_STRING(bp, a->issuerNameHash, V_ASN1_OCTET_STRING);
+        BIO_printf(bp, "\n%*sIssuer Key Hash: ", indent, "");
+        i2a_ASN1_STRING(bp, a->issuerKeyHash, V_ASN1_OCTET_STRING);
+        BIO_printf(bp, "\n%*sSerial Number: ", indent, "");
+        i2a_ASN1_INTEGER(bp, a->serialNumber);
+        BIO_printf(bp, "\n");
+        return 1;
+        }
+
+typedef struct
+        {
+        long t;
+        char *m;
+        } OCSP_TBLSTR;
+
+static char *table2string(long s, OCSP_TBLSTR *ts, int len)
+{
+        OCSP_TBLSTR *p;
+        for (p=ts; p < ts + len; p++)
+                if (p->t == s)
+                         return p->m;
+        return "(UNKNOWN)";
+}
+
+char *OCSP_response_status_str(long s)
+        {
+        static OCSP_TBLSTR rstat_tbl[] = {
+                { OCSP_RESPONSE_STATUS_SUCCESSFUL, "successful" },
+                { OCSP_RESPONSE_STATUS_MALFORMEDREQUEST, "malformedrequest" },
+                { OCSP_RESPONSE_STATUS_INTERNALERROR, "internalerror" },
+                { OCSP_RESPONSE_STATUS_TRYLATER, "trylater" },
+                { OCSP_RESPONSE_STATUS_SIGREQUIRED, "sigrequired" },
+                { OCSP_RESPONSE_STATUS_UNAUTHORIZED, "unauthorized" } };
+        return table2string(s, rstat_tbl, 6);
+        } 
+
+char *OCSP_cert_status_str(long s)
+        {
+        static OCSP_TBLSTR cstat_tbl[] = {
+                { V_OCSP_CERTSTATUS_GOOD, "good" },
+                { V_OCSP_CERTSTATUS_REVOKED, "revoked" },
+                { V_OCSP_CERTSTATUS_UNKNOWN, "unknown" } };
+        return table2string(s, cstat_tbl, 3);
+        } 
+
+char *OCSP_crl_reason_str(long s)
+        {
+        OCSP_TBLSTR reason_tbl[] = {
+          { OCSP_REVOKED_STATUS_UNSPECIFIED, "unspecified" },
+          { OCSP_REVOKED_STATUS_KEYCOMPROMISE, "keyCompromise" },
+          { OCSP_REVOKED_STATUS_CACOMPROMISE, "cACompromise" },
+          { OCSP_REVOKED_STATUS_AFFILIATIONCHANGED, "affiliationChanged" },
+          { OCSP_REVOKED_STATUS_SUPERSEDED, "superseded" },
+          { OCSP_REVOKED_STATUS_CESSATIONOFOPERATION, "cessationOfOperation" },
+          { OCSP_REVOKED_STATUS_CERTIFICATEHOLD, "certificateHold" },
+          { OCSP_REVOKED_STATUS_REMOVEFROMCRL, "removeFromCRL" } };
+        return table2string(s, reason_tbl, 8);
+        } 
+
+int OCSP_REQUEST_print(BIO *bp, OCSP_REQUEST* o, unsigned long flags)
+        {
+        int i;
+        long l;
+        OCSP_CERTID* cid = NULL;
+        OCSP_ONEREQ *one = NULL;
+        OCSP_REQINFO *inf = o->tbsRequest;
+        OCSP_SIGNATURE *sig = o->optionalSignature;
+
+        if (BIO_write(bp,"OCSP Request Data:\n",19) <= 0) goto err;
+        l=ASN1_INTEGER_get(inf->version);
+        if (BIO_printf(bp,"    Version: %lu (0x%lx)",l+1,l) <= 0) goto err;
+        if (inf->requestorName != NULL)
+                {
+                if (BIO_write(bp,"\n    Requestor Name: ",21) <= 0) 
+                        goto err;
+                GENERAL_NAME_print(bp, inf->requestorName);
+                }
+        if (BIO_write(bp,"\n    Requestor List:\n",21) <= 0) goto err;
+        for (i = 0; i < sk_OCSP_ONEREQ_num(inf->requestList); i++)
+                {
+                one = sk_OCSP_ONEREQ_value(inf->requestList, i);
+                cid = one->reqCert;
+                ocsp_certid_print(bp, cid, 8);
+                if (!X509V3_extensions_print(bp,
+                                        "Request Single Extensions",
+                                        one->singleRequestExtensions, flags, 8))
+                                                        goto err;
+                }
+        if (!X509V3_extensions_print(bp, "Request Extensions",
+                        inf->requestExtensions, flags, 4))
+                                                        goto err;
+        if (sig)
+                {
+                X509_signature_print(bp, sig->signatureAlgorithm, sig->signature);
+                for (i=0; i<sk_X509_num(sig->certs); i++)
+                        {
+                        X509_print(bp, sk_X509_value(sig->certs,i));
+                        PEM_write_bio_X509(bp,sk_X509_value(sig->certs,i));
+                        }
+                }
+        return 1;
+err:
+        return 0;
+        }
+
+int OCSP_RESPONSE_print(BIO *bp, OCSP_RESPONSE* o, unsigned long flags)
+        {
+        int i, ret = 0;
+        long l;
+        unsigned char *p;
+        OCSP_CERTID *cid = NULL;
+        OCSP_BASICRESP *br = NULL;
+        OCSP_RESPID *rid = NULL;
+        OCSP_RESPDATA  *rd = NULL;
+        OCSP_CERTSTATUS *cst = NULL;
+        OCSP_REVOKEDINFO *rev = NULL;
+        OCSP_SINGLERESP *single = NULL;
+        OCSP_RESPBYTES *rb = o->responseBytes;
+
+        if (BIO_puts(bp,"OCSP Response Data:\n") <= 0) goto err;
+        l=ASN1_ENUMERATED_get(o->responseStatus);
+        if (BIO_printf(bp,"    OCSP Response Status: %s (0x%x)\n",
+                       OCSP_response_status_str(l), l) <= 0) goto err;
+        if (rb == NULL) return 1;
+        if (BIO_puts(bp,"    Response Type: ") <= 0)
+                goto err;
+        if(i2a_ASN1_OBJECT(bp, rb->responseType) <= 0)
+                goto err;
+        if (OBJ_obj2nid(rb->responseType) != NID_id_pkix_OCSP_basic) 
+                {
+                BIO_puts(bp," (unknown response type)\n");
+                return 1;
+                }
+
+        p = ASN1_STRING_data(rb->response);
+        i = ASN1_STRING_length(rb->response);
+        if (!(br = OCSP_response_get1_basic(o))) goto err;
+        rd = br->tbsResponseData;
+        l=ASN1_INTEGER_get(rd->version);
+        if (BIO_printf(bp,"\n    Version: %lu (0x%lx)\n",
+                       l+1,l) <= 0) goto err;
+        if (BIO_puts(bp,"    Responder Id: ") <= 0) goto err;
+
+        rid =  rd->responderId;
+        switch (rid->type)
+                {
+                case V_OCSP_RESPID_NAME:
+                        X509_NAME_print_ex(bp, rid->value.byName, 0, XN_FLAG_ONELINE);
+                        break;
+                case V_OCSP_RESPID_KEY:
+                        i2a_ASN1_STRING(bp, rid->value.byKey, V_ASN1_OCTET_STRING);
+                        break;
+                }
+
+        if (BIO_printf(bp,"\n    Produced At: ")<=0) goto err;
+        if (!ASN1_GENERALIZEDTIME_print(bp, rd->producedAt)) goto err;
+        if (BIO_printf(bp,"\n    Responses:\n") <= 0) goto err;
+        for (i = 0; i < sk_OCSP_SINGLERESP_num(rd->responses); i++)
+                {
+                if (! sk_OCSP_SINGLERESP_value(rd->responses, i)) continue;
+                single = sk_OCSP_SINGLERESP_value(rd->responses, i);
+                cid = single->certId;
+                if(ocsp_certid_print(bp, cid, 4) <= 0) goto err;
+                cst = single->certStatus;
+                if (BIO_printf(bp,"    Cert Status: %s",
+                               OCSP_cert_status_str(cst->type)) <= 0)
+                        goto err;
+                if (cst->type == V_OCSP_CERTSTATUS_REVOKED)
+                        {
+                        rev = cst->value.revoked;
+                        if (BIO_printf(bp, "\n    Revocation Time: ") <= 0) 
+                                goto err;
+                        if (!ASN1_GENERALIZEDTIME_print(bp, 
+                                                        rev->revocationTime)) 
+                                goto err;
+                        if (rev->revocationReason) 
+                                {
+                                l=ASN1_ENUMERATED_get(rev->revocationReason);
+                                if (BIO_printf(bp, 
+                                         "\n    Revocation Reason: %s (0x%x)",
+                                               OCSP_crl_reason_str(l), l) <= 0)
+                                        goto err;
+                                }
+                        }
+                if (BIO_printf(bp,"\n    This Update: ") <= 0) goto err;
+                if (!ASN1_GENERALIZEDTIME_print(bp, single->thisUpdate)) 
+                        goto err;
+                if (single->nextUpdate)
+                        {
+                        if (BIO_printf(bp,"\n    Next Update: ") <= 0)goto err;
+                        if (!ASN1_GENERALIZEDTIME_print(bp,single->nextUpdate))
+                                goto err;
+                        }
+                if (!BIO_write(bp,"\n",1)) goto err;
+                if (!X509V3_extensions_print(bp,
+                                        "Response Single Extensions",
+                                        single->singleExtensions, flags, 8))
+                                                        goto err;
+                if (!BIO_write(bp,"\n",1)) goto err;
+                }
+        if (!X509V3_extensions_print(bp, "Response Extensions",
+                                        rd->responseExtensions, flags, 4))
+        if(X509_signature_print(bp, br->signatureAlgorithm, br->signature) <= 0)
+                                                        goto err;
+
+        for (i=0; i<sk_X509_num(br->certs); i++)
+                {
+                X509_print(bp, sk_X509_value(br->certs,i));
+                PEM_write_bio_X509(bp,sk_X509_value(br->certs,i));
+                }
+
+        ret = 1;
+err:
+        OCSP_BASICRESP_free(br);
+        return ret;
+        }
diff --git a/src/lib/libcrypto/ocsp/ocsp_srv.c b/src/lib/libcrypto/ocsp/ocsp_srv.c
new file mode 100644
index 0000000000..fffa134e75
--- /dev/null
+++ b/src/lib/libcrypto/ocsp/ocsp_srv.c
@@ -0,0 +1,264 @@
+/* ocsp_srv.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 2001.
+ */
+/* ====================================================================
+ * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <cryptlib.h>
+#include <openssl/objects.h>
+#include <openssl/rand.h>
+#include <openssl/x509.h>
+#include <openssl/pem.h>
+#include <openssl/x509v3.h>
+#include <openssl/ocsp.h>
+
+/* Utility functions related to sending OCSP responses and extracting
+ * relevant information from the request.
+ */
+
+int OCSP_request_onereq_count(OCSP_REQUEST *req)
+        {
+        return sk_OCSP_ONEREQ_num(req->tbsRequest->requestList);
+        }
+
+OCSP_ONEREQ *OCSP_request_onereq_get0(OCSP_REQUEST *req, int i)
+        {
+        return sk_OCSP_ONEREQ_value(req->tbsRequest->requestList, i);
+        }
+
+OCSP_CERTID *OCSP_onereq_get0_id(OCSP_ONEREQ *one)
+        {
+        return one->reqCert;
+        }
+
+int OCSP_id_get0_info(ASN1_OCTET_STRING **piNameHash, ASN1_OBJECT **pmd,
+                        ASN1_OCTET_STRING **pikeyHash,
+                        ASN1_INTEGER **pserial, OCSP_CERTID *cid)
+        {
+        if (!cid) return 0;
+        if (pmd) *pmd = cid->hashAlgorithm->algorithm;
+        if(piNameHash) *piNameHash = cid->issuerNameHash;
+        if (pikeyHash) *pikeyHash = cid->issuerKeyHash;
+        if (pserial) *pserial = cid->serialNumber;
+        return 1;
+        }
+
+int OCSP_request_is_signed(OCSP_REQUEST *req)
+        {
+        if(req->optionalSignature) return 1;
+        return 0;
+        }
+
+/* Create an OCSP response and encode an optional basic response */
+OCSP_RESPONSE *OCSP_response_create(int status, OCSP_BASICRESP *bs)
+        {
+        OCSP_RESPONSE *rsp = NULL;
+
+        if (!(rsp = OCSP_RESPONSE_new())) goto err;
+        if (!(ASN1_ENUMERATED_set(rsp->responseStatus, status))) goto err;
+        if (!bs) return rsp;
+        if (!(rsp->responseBytes = OCSP_RESPBYTES_new())) goto err;
+        rsp->responseBytes->responseType = OBJ_nid2obj(NID_id_pkix_OCSP_basic);
+        if (!ASN1_item_pack(bs, ASN1_ITEM_rptr(OCSP_BASICRESP), &rsp->responseBytes->response))
+                                goto err;
+        return rsp;
+err:
+        if (rsp) OCSP_RESPONSE_free(rsp);
+        return NULL;
+        }
+
+
+OCSP_SINGLERESP *OCSP_basic_add1_status(OCSP_BASICRESP *rsp,
+                                                OCSP_CERTID *cid,
+                                                int status, int reason,
+                                                ASN1_TIME *revtime,
+                                        ASN1_TIME *thisupd, ASN1_TIME *nextupd)
+        {
+        OCSP_SINGLERESP *single = NULL;
+        OCSP_CERTSTATUS *cs;
+        OCSP_REVOKEDINFO *ri;
+
+        if(!rsp->tbsResponseData->responses &&
+            !(rsp->tbsResponseData->responses = sk_OCSP_SINGLERESP_new_null()))
+                goto err;
+
+        if (!(single = OCSP_SINGLERESP_new()))
+                goto err;
+
+
+
+        if (!ASN1_TIME_to_generalizedtime(thisupd, &single->thisUpdate))
+                goto err;
+        if (nextupd &&
+                !ASN1_TIME_to_generalizedtime(nextupd, &single->nextUpdate))
+                goto err;
+
+        OCSP_CERTID_free(single->certId);
+
+        if(!(single->certId = OCSP_CERTID_dup(cid)))
+                goto err;
+
+        cs = single->certStatus;
+        switch(cs->type = status)
+                {
+        case V_OCSP_CERTSTATUS_REVOKED:
+                if (!revtime)
+                        {
+                        OCSPerr(OCSP_F_OCSP_BASIC_ADD1_STATUS,OCSP_R_NO_REVOKED_TIME);
+                        goto err;
+                        }
+                if (!(cs->value.revoked = ri = OCSP_REVOKEDINFO_new())) goto err;
+                if (!ASN1_TIME_to_generalizedtime(revtime, &ri->revocationTime))
+                        goto err;       
+                if (reason != OCSP_REVOKED_STATUS_NOSTATUS)
+                        {
+                        if (!(ri->revocationReason = ASN1_ENUMERATED_new())) 
+                                goto err;
+                        if (!(ASN1_ENUMERATED_set(ri->revocationReason, 
+                                                  reason)))
+                                goto err;       
+                        }
+                break;
+
+        case V_OCSP_CERTSTATUS_GOOD:
+                cs->value.good = ASN1_NULL_new();
+                break;
+
+        case V_OCSP_CERTSTATUS_UNKNOWN:
+                cs->value.unknown = ASN1_NULL_new();
+                break;
+
+        default:
+                goto err;
+
+                }
+        if (!(sk_OCSP_SINGLERESP_push(rsp->tbsResponseData->responses, single)))
+                goto err;
+        return single;
+err:
+        OCSP_SINGLERESP_free(single);
+        return NULL;
+        }
+
+/* Add a certificate to an OCSP request */
+
+int OCSP_basic_add1_cert(OCSP_BASICRESP *resp, X509 *cert)
+        {
+        if (!resp->certs && !(resp->certs = sk_X509_new_null()))
+                return 0;
+
+        if(!sk_X509_push(resp->certs, cert)) return 0;
+        CRYPTO_add(&cert->references, 1, CRYPTO_LOCK_X509);
+        return 1;
+        }
+
+int OCSP_basic_sign(OCSP_BASICRESP *brsp, 
+                        X509 *signer, EVP_PKEY *key, const EVP_MD *dgst,
+                        STACK_OF(X509) *certs, unsigned long flags)
+        {
+        int i;
+        OCSP_RESPID *rid;
+
+        if (!X509_check_private_key(signer, key))
+                {
+                OCSPerr(OCSP_F_OCSP_BASIC_SIGN, OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE);
+                goto err;
+                }
+
+        if(!(flags & OCSP_NOCERTS))
+                {
+                if(!OCSP_basic_add1_cert(brsp, signer))
+                        goto err;
+                for (i = 0; i < sk_X509_num(certs); i++)
+                        {
+                        X509 *tmpcert = sk_X509_value(certs, i);
+                        if(!OCSP_basic_add1_cert(brsp, tmpcert))
+                                goto err;
+                        }
+                }
+
+        rid = brsp->tbsResponseData->responderId;
+        if (flags & OCSP_RESPID_KEY)
+                {
+                unsigned char md[SHA_DIGEST_LENGTH];
+                X509_pubkey_digest(signer, EVP_sha1(), md, NULL);
+                if (!(rid->value.byKey = ASN1_OCTET_STRING_new()))
+                        goto err;
+                if (!(ASN1_OCTET_STRING_set(rid->value.byKey, md, SHA_DIGEST_LENGTH)))
+                                goto err;
+                rid->type = V_OCSP_RESPID_KEY;
+                }
+        else
+                {
+                if (!X509_NAME_set(&rid->value.byName,
+                                        X509_get_subject_name(signer)))
+                                goto err;
+                rid->type = V_OCSP_RESPID_NAME;
+                }
+
+        if (!(flags & OCSP_NOTIME) &&
+                !X509_gmtime_adj(brsp->tbsResponseData->producedAt, 0))
+                goto err;
+
+        /* Right now, I think that not doing double hashing is the right
+           thing.       -- Richard Levitte */
+
+        if (!OCSP_BASICRESP_sign(brsp, key, dgst, 0)) goto err;
+
+        return 1;
+err:
+        return 0;
+        }
diff --git a/src/lib/libcrypto/ocsp/ocsp_vfy.c b/src/lib/libcrypto/ocsp/ocsp_vfy.c
new file mode 100644
index 0000000000..1f5fda7ca3
--- /dev/null
+++ b/src/lib/libcrypto/ocsp/ocsp_vfy.c
@@ -0,0 +1,444 @@
+/* ocsp_vfy.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <openssl/ocsp.h>
+#include <openssl/err.h>
+#include <string.h>
+
+static int ocsp_find_signer(X509 **psigner, OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
+                                X509_STORE *st, unsigned long flags);
+static X509 *ocsp_find_signer_sk(STACK_OF(X509) *certs, OCSP_RESPID *id);
+static int ocsp_check_issuer(OCSP_BASICRESP *bs, STACK_OF(X509) *chain, unsigned long flags);
+static int ocsp_check_ids(STACK_OF(OCSP_SINGLERESP) *sresp, OCSP_CERTID **ret);
+static int ocsp_match_issuerid(X509 *cert, OCSP_CERTID *cid, STACK_OF(OCSP_SINGLERESP) *sresp);
+static int ocsp_check_delegated(X509 *x, int flags);
+static int ocsp_req_find_signer(X509 **psigner, OCSP_REQUEST *req, X509_NAME *nm, STACK_OF(X509) *certs,
+                                X509_STORE *st, unsigned long flags);
+
+/* Verify a basic response message */
+
+int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
+                                X509_STORE *st, unsigned long flags)
+        {
+        X509 *signer, *x;
+        STACK_OF(X509) *chain = NULL;
+        X509_STORE_CTX ctx;
+        int i, ret = 0;
+        ret = ocsp_find_signer(&signer, bs, certs, st, flags);
+        if (!ret)
+                {
+                OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND);
+                goto end;
+                }
+        if ((ret == 2) && (flags & OCSP_TRUSTOTHER))
+                flags |= OCSP_NOVERIFY;
+        if (!(flags & OCSP_NOSIGS))
+                {
+                EVP_PKEY *skey;
+                skey = X509_get_pubkey(signer);
+                ret = OCSP_BASICRESP_verify(bs, skey, 0);
+                EVP_PKEY_free(skey);
+                if(ret <= 0)
+                        {
+                        OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, OCSP_R_SIGNATURE_FAILURE);
+                        goto end;
+                        }
+                }
+        if (!(flags & OCSP_NOVERIFY))
+                {
+                int init_res;
+                if(flags & OCSP_NOCHAIN)
+                        init_res = X509_STORE_CTX_init(&ctx, st, signer, NULL);
+                else
+                        init_res = X509_STORE_CTX_init(&ctx, st, signer, bs->certs);
+                if(!init_res)
+                        {
+                        OCSPerr(OCSP_F_OCSP_BASIC_VERIFY,ERR_R_X509_LIB);
+                        goto end;
+                        }
+
+                X509_STORE_CTX_set_purpose(&ctx, X509_PURPOSE_OCSP_HELPER);
+                ret = X509_verify_cert(&ctx);
+                chain = X509_STORE_CTX_get1_chain(&ctx);
+                X509_STORE_CTX_cleanup(&ctx);
+                if (ret <= 0)
+                        {
+                        i = X509_STORE_CTX_get_error(&ctx);     
+                        OCSPerr(OCSP_F_OCSP_BASIC_VERIFY,OCSP_R_CERTIFICATE_VERIFY_ERROR);
+                        ERR_add_error_data(2, "Verify error:",
+                                        X509_verify_cert_error_string(i));
+                        goto end;
+                        }
+                if(flags & OCSP_NOCHECKS)
+                        {
+                        ret = 1;
+                        goto end;
+                        }
+                /* At this point we have a valid certificate chain
+                 * need to verify it against the OCSP issuer criteria.
+                 */
+                ret = ocsp_check_issuer(bs, chain, flags);
+
+                /* If fatal error or valid match then finish */
+                if (ret != 0) goto end;
+
+                /* Easy case: explicitly trusted. Get root CA and
+                 * check for explicit trust
+                 */
+                if(flags & OCSP_NOEXPLICIT) goto end;
+
+                x = sk_X509_value(chain, sk_X509_num(chain) - 1);
+                if(X509_check_trust(x, NID_OCSP_sign, 0) != X509_TRUST_TRUSTED)
+                        {
+                        OCSPerr(OCSP_F_OCSP_BASIC_VERIFY,OCSP_R_ROOT_CA_NOT_TRUSTED);
+                        goto end;
+                        }
+                ret = 1;
+                }
+
+
+
+        end:
+        if(chain) sk_X509_pop_free(chain, X509_free);
+        return ret;
+        }
+
+
+static int ocsp_find_signer(X509 **psigner, OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
+                                X509_STORE *st, unsigned long flags)
+        {
+        X509 *signer;
+        OCSP_RESPID *rid = bs->tbsResponseData->responderId;
+        if ((signer = ocsp_find_signer_sk(certs, rid)))
+                {
+                *psigner = signer;
+                return 2;
+                }
+        if(!(flags & OCSP_NOINTERN) &&
+            (signer = ocsp_find_signer_sk(bs->certs, rid)))
+                {
+                *psigner = signer;
+                return 1;
+                }
+        /* Maybe lookup from store if by subject name */
+
+        *psigner = NULL;
+        return 0;
+        }
+
+
+static X509 *ocsp_find_signer_sk(STACK_OF(X509) *certs, OCSP_RESPID *id)
+        {
+        int i;
+        unsigned char tmphash[SHA_DIGEST_LENGTH], *keyhash;
+        X509 *x;
+
+        /* Easy if lookup by name */
+        if (id->type == V_OCSP_RESPID_NAME)
+                return X509_find_by_subject(certs, id->value.byName);
+
+        /* Lookup by key hash */
+
+        /* If key hash isn't SHA1 length then forget it */
+        if (id->value.byKey->length != SHA_DIGEST_LENGTH) return NULL;
+        keyhash = id->value.byKey->data;
+        /* Calculate hash of each key and compare */
+        for (i = 0; i < sk_X509_num(certs); i++)
+                {
+                x = sk_X509_value(certs, i);
+                X509_pubkey_digest(x, EVP_sha1(), tmphash, NULL);
+                if(!memcmp(keyhash, tmphash, SHA_DIGEST_LENGTH))
+                        return x;
+                }
+        return NULL;
+        }
+
+
+static int ocsp_check_issuer(OCSP_BASICRESP *bs, STACK_OF(X509) *chain, unsigned long flags)
+        {
+        STACK_OF(OCSP_SINGLERESP) *sresp;
+        X509 *signer, *sca;
+        OCSP_CERTID *caid = NULL;
+        int i;
+        sresp = bs->tbsResponseData->responses;
+
+        if (sk_X509_num(chain) <= 0)
+                {
+                OCSPerr(OCSP_F_OCSP_CHECK_ISSUER, OCSP_R_NO_CERTIFICATES_IN_CHAIN);
+                return -1;
+                }
+
+        /* See if the issuer IDs match. */
+        i = ocsp_check_ids(sresp, &caid);
+
+        /* If ID mismatch or other error then return */
+        if (i <= 0) return i;
+
+        signer = sk_X509_value(chain, 0);
+        /* Check to see if OCSP responder CA matches request CA */
+        if (sk_X509_num(chain) > 1)
+                {
+                sca = sk_X509_value(chain, 1);
+                i = ocsp_match_issuerid(sca, caid, sresp);
+                if (i < 0) return i;
+                if (i)
+                        {
+                        /* We have a match, if extensions OK then success */
+                        if (ocsp_check_delegated(signer, flags)) return 1;
+                        return 0;
+                        }
+                }
+
+        /* Otherwise check if OCSP request signed directly by request CA */
+        return ocsp_match_issuerid(signer, caid, sresp);
+        }
+
+
+/* Check the issuer certificate IDs for equality. If there is a mismatch with the same
+ * algorithm then there's no point trying to match any certificates against the issuer.
+ * If the issuer IDs all match then we just need to check equality against one of them.
+ */
+        
+static int ocsp_check_ids(STACK_OF(OCSP_SINGLERESP) *sresp, OCSP_CERTID **ret)
+        {
+        OCSP_CERTID *tmpid, *cid;
+        int i, idcount;
+
+        idcount = sk_OCSP_SINGLERESP_num(sresp);
+        if (idcount <= 0)
+                {
+                OCSPerr(OCSP_F_OCSP_CHECK_IDS, OCSP_R_RESPONSE_CONTAINS_NO_REVOCATION_DATA);
+                return -1;
+                }
+
+        cid = sk_OCSP_SINGLERESP_value(sresp, 0)->certId;
+
+        *ret = NULL;
+
+        for (i = 1; i < idcount; i++)
+                {
+                tmpid = sk_OCSP_SINGLERESP_value(sresp, 0)->certId;
+                /* Check to see if IDs match */
+                if (OCSP_id_issuer_cmp(cid, tmpid))
+                        {
+                        /* If algoritm mismatch let caller deal with it */
+                        if (OBJ_cmp(tmpid->hashAlgorithm->algorithm,
+                                        cid->hashAlgorithm->algorithm))
+                                        return 2;
+                        /* Else mismatch */
+                        return 0;
+                        }
+                }
+
+        /* All IDs match: only need to check one ID */
+        *ret = cid;
+        return 1;
+        }
+
+
+static int ocsp_match_issuerid(X509 *cert, OCSP_CERTID *cid,
+                        STACK_OF(OCSP_SINGLERESP) *sresp)
+        {
+        /* If only one ID to match then do it */
+        if(cid)
+                {
+                const EVP_MD *dgst;
+                X509_NAME *iname;
+                int mdlen;
+                unsigned char md[EVP_MAX_MD_SIZE];
+                if (!(dgst = EVP_get_digestbyobj(cid->hashAlgorithm->algorithm)))
+                        {
+                        OCSPerr(OCSP_F_OCSP_MATCH_ISSUERID, OCSP_R_UNKNOWN_MESSAGE_DIGEST);
+                        return -1;
+                        }
+
+                mdlen = EVP_MD_size(dgst);
+                if ((cid->issuerNameHash->length != mdlen) ||
+                   (cid->issuerKeyHash->length != mdlen))
+                        return 0;
+                iname = X509_get_subject_name(cert);
+                if (!X509_NAME_digest(iname, dgst, md, NULL))
+                        return -1;
+                if (memcmp(md, cid->issuerNameHash->data, mdlen))
+                        return 0;
+                X509_pubkey_digest(cert, EVP_sha1(), md, NULL);
+                if (memcmp(md, cid->issuerKeyHash->data, mdlen))
+                        return 0;
+
+                return 1;
+
+                }
+        else
+                {
+                /* We have to match the whole lot */
+                int i, ret;
+                OCSP_CERTID *tmpid;
+                for (i = 0; i < sk_OCSP_SINGLERESP_num(sresp); i++)
+                        {
+                        tmpid = sk_OCSP_SINGLERESP_value(sresp, 0)->certId;
+                        ret = ocsp_match_issuerid(cert, tmpid, NULL);
+                        if (ret <= 0) return ret;
+                        }
+                return 1;
+                }
+                        
+        }
+
+static int ocsp_check_delegated(X509 *x, int flags)
+        {
+        X509_check_purpose(x, -1, 0);
+        if ((x->ex_flags & EXFLAG_XKUSAGE) &&
+            (x->ex_xkusage & XKU_OCSP_SIGN))
+                return 1;
+        OCSPerr(OCSP_F_OCSP_CHECK_DELEGATED, OCSP_R_MISSING_OCSPSIGNING_USAGE);
+        return 0;
+        }
+
+/* Verify an OCSP request. This is fortunately much easier than OCSP
+ * response verify. Just find the signers certificate and verify it
+ * against a given trust value.
+ */
+
+int OCSP_request_verify(OCSP_REQUEST *req, STACK_OF(X509) *certs, X509_STORE *store, unsigned long flags)
+        {
+        X509 *signer;
+        X509_NAME *nm;
+        GENERAL_NAME *gen;
+        int ret;
+        X509_STORE_CTX ctx;
+        if (!req->optionalSignature) 
+                {
+                OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, OCSP_R_REQUEST_NOT_SIGNED);
+                return 0;
+                }
+        gen = req->tbsRequest->requestorName;
+        if (gen->type != GEN_DIRNAME)
+                {
+                OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, OCSP_R_UNSUPPORTED_REQUESTORNAME_TYPE);
+                return 0;
+                }
+        nm = gen->d.directoryName;
+        ret = ocsp_req_find_signer(&signer, req, nm, certs, store, flags);
+        if (ret <= 0)
+                {
+                OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND);
+                return 0;
+                }
+        if ((ret == 2) && (flags & OCSP_TRUSTOTHER))
+                flags |= OCSP_NOVERIFY;
+        if (!(flags & OCSP_NOSIGS))
+                {
+                EVP_PKEY *skey;
+                skey = X509_get_pubkey(signer);
+                ret = OCSP_REQUEST_verify(req, skey);
+                EVP_PKEY_free(skey);
+                if(ret <= 0)
+                        {
+                        OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, OCSP_R_SIGNATURE_FAILURE);
+                        return 0;
+                        }
+                }
+        if (!(flags & OCSP_NOVERIFY))
+                {
+                int init_res;
+                if(flags & OCSP_NOCHAIN)
+                        init_res = X509_STORE_CTX_init(&ctx, store, signer, NULL);
+                else
+                        init_res = X509_STORE_CTX_init(&ctx, store, signer,
+                                        req->optionalSignature->certs);
+                if(!init_res)
+                        {
+                        OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY,ERR_R_X509_LIB);
+                        return 0;
+                        }
+
+                X509_STORE_CTX_set_purpose(&ctx, X509_PURPOSE_OCSP_HELPER);
+                X509_STORE_CTX_set_trust(&ctx, X509_TRUST_OCSP_REQUEST);
+                ret = X509_verify_cert(&ctx);
+                X509_STORE_CTX_cleanup(&ctx);
+                if (ret <= 0)
+                        {
+                        ret = X509_STORE_CTX_get_error(&ctx);   
+                        OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY,OCSP_R_CERTIFICATE_VERIFY_ERROR);
+                        ERR_add_error_data(2, "Verify error:",
+                                        X509_verify_cert_error_string(ret));
+                        return 0;
+                        }
+                }
+        return 1;
+        }
+
+static int ocsp_req_find_signer(X509 **psigner, OCSP_REQUEST *req, X509_NAME *nm, STACK_OF(X509) *certs,
+                                X509_STORE *st, unsigned long flags)
+        {
+        X509 *signer;
+        if(!(flags & OCSP_NOINTERN))
+                {
+                signer = X509_find_by_subject(req->optionalSignature->certs, nm);
+                *psigner = signer;
+                return 1;
+                }
+
+        signer = X509_find_by_subject(certs, nm);
+        if (signer)
+                {
+                *psigner = signer;
+                return 2;
+                }
+        return 0;
+        }
diff --git a/src/lib/libcrypto/opensslconf.h.in b/src/lib/libcrypto/opensslconf.h.in
index 1b85ae5989..9082a16c46 100644
--- a/src/lib/libcrypto/opensslconf.h.in
+++ b/src/lib/libcrypto/opensslconf.h.in
@@ -9,8 +9,11 @@
 #endif
 #endif
 
+#undef OPENSSL_UNISTD
 #define OPENSSL_UNISTD <unistd.h>
 
+#undef OPENSSL_EXPORT_VAR_AS_FUNCTION
+
 #if defined(HEADER_IDEA_H) && !defined(IDEA_INT)
 #define IDEA_INT unsigned int
 #endif
@@ -44,7 +47,7 @@
 #endif
 #endif
 
-#if defined(HEADER_DES_H) && !defined(DES_LONG)
+#if (defined(HEADER_DES_H) || defined(HEADER_DES_OLD_H)) && !defined(DES_LONG)
 /* If this is set to 'unsigned int' on a DEC Alpha, this gives about a
  * %20 speed up (longs are 8 bytes, int's are 4). */
 #ifndef DES_LONG
@@ -144,7 +147,7 @@ YOU SHOULD NOT HAVE BOTH DES_RISC1 AND DES_RISC2 DEFINED!!!!!
 #  define DES_PTR
 #  define DES_RISC2
 #  define DES_UNROLL
-#elif defined( i386 )           /* x86 boxes, should be gcc */
+#elif defined(i386) || defined(__i386__)        /* x86 boxes, should be gcc */
 #  define DES_PTR
 #  define DES_RISC1
 #  define DES_UNROLL
diff --git a/src/lib/libcrypto/opensslv.h b/src/lib/libcrypto/opensslv.h
index 4b25018e49..f45afe09f3 100644
--- a/src/lib/libcrypto/opensslv.h
+++ b/src/lib/libcrypto/opensslv.h
@@ -25,8 +25,8 @@
  * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
  *  major minor fix final patch/beta)
  */
-#define OPENSSL_VERSION_NUMBER  0x0090602fL
-#define OPENSSL_VERSION_TEXT    "OpenSSL 0.9.6b [engine] 9 Jul 2001"
+#define OPENSSL_VERSION_NUMBER  0x00907000L
+#define OPENSSL_VERSION_TEXT    "OpenSSL 0.9.7-dev XX xxx XXXX"
 #define OPENSSL_VERSION_PTEXT   " part of " OPENSSL_VERSION_TEXT
 
 
@@ -44,13 +44,13 @@
  *
  *      libcrypto.so.0
  *
- * On True64 it works a little bit differently.  There, the shared library
- * version is stored in the file, and is actually a series of versions,
- * separated by colons.  The rightmost version present in the library when
- * linking an application is stored in the application to be matched at
- * run time.  When the application is run, a check is done to see if the
- * library version stored in the application matches any of the versions
- * in the version string of the library itself.
+ * On Tru64 and IRIX 6.x it works a little bit differently.  There, the
+ * shared library version is stored in the file, and is actually a series
+ * of versions, separated by colons.  The rightmost version present in the
+ * library when linking an application is stored in the application to be
+ * matched at run time.  When the application is run, a check is done to
+ * see if the library version stored in the application matches any of the
+ * versions in the version string of the library itself.
  * This version string can be constructed in any way, depending on what
  * kind of matching is desired.  However, to implement the same scheme as
  * the one used in the other unixen, all compatible versions, from lowest
@@ -73,13 +73,13 @@
  * However, it's nice and more understandable if it actually does.
  * The current library version is stored in the macro SHLIB_VERSION_NUMBER,
  * which is just a piece of text in the format "M.m.e" (Major, minor, edit).
- * For the sake of True64 and any other OS that behaves in similar ways,
+ * For the sake of Tru64, IRIX, and any other OS that behaves in similar ways,
  * we need to keep a history of version numbers, which is done in the
  * macro SHLIB_VERSION_HISTORY.  The numbers are separated by colons and
  * should only keep the versions that are binary compatible with the current.
  */
 #define SHLIB_VERSION_HISTORY ""
-#define SHLIB_VERSION_NUMBER "0.9.6"
+#define SHLIB_VERSION_NUMBER "0.9.7"
 
 
 #endif /* HEADER_OPENSSLV_H */
diff --git a/src/lib/libcrypto/ossl_typ.h b/src/lib/libcrypto/ossl_typ.h
new file mode 100644
index 0000000000..6bd42aee4d
--- /dev/null
+++ b/src/lib/libcrypto/ossl_typ.h
@@ -0,0 +1,120 @@
+/* ====================================================================
+ * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#ifndef HEADER_OPENSSL_TYPES_H
+#define HEADER_OPENSSL_TYPES_H
+
+#ifdef NO_ASN1_TYPEDEFS
+#define ASN1_INTEGER            ASN1_STRING
+#define ASN1_ENUMERATED         ASN1_STRING
+#define ASN1_BIT_STRING         ASN1_STRING
+#define ASN1_OCTET_STRING       ASN1_STRING
+#define ASN1_PRINTABLESTRING    ASN1_STRING
+#define ASN1_T61STRING          ASN1_STRING
+#define ASN1_IA5STRING          ASN1_STRING
+#define ASN1_UTCTIME            ASN1_STRING
+#define ASN1_GENERALIZEDTIME    ASN1_STRING
+#define ASN1_TIME               ASN1_STRING
+#define ASN1_GENERALSTRING      ASN1_STRING
+#define ASN1_UNIVERSALSTRING    ASN1_STRING
+#define ASN1_BMPSTRING          ASN1_STRING
+#define ASN1_VISIBLESTRING      ASN1_STRING
+#define ASN1_UTF8STRING         ASN1_STRING
+#define ASN1_BOOLEAN            int
+#define ASN1_NULL               int
+#else
+typedef struct asn1_string_st ASN1_INTEGER;
+typedef struct asn1_string_st ASN1_ENUMERATED;
+typedef struct asn1_string_st ASN1_BIT_STRING;
+typedef struct asn1_string_st ASN1_OCTET_STRING;
+typedef struct asn1_string_st ASN1_PRINTABLESTRING;
+typedef struct asn1_string_st ASN1_T61STRING;
+typedef struct asn1_string_st ASN1_IA5STRING;
+typedef struct asn1_string_st ASN1_GENERALSTRING;
+typedef struct asn1_string_st ASN1_UNIVERSALSTRING;
+typedef struct asn1_string_st ASN1_BMPSTRING;
+typedef struct asn1_string_st ASN1_UTCTIME;
+typedef struct asn1_string_st ASN1_TIME;
+typedef struct asn1_string_st ASN1_GENERALIZEDTIME;
+typedef struct asn1_string_st ASN1_VISIBLESTRING;
+typedef struct asn1_string_st ASN1_UTF8STRING;
+typedef int ASN1_BOOLEAN;
+typedef int ASN1_NULL;
+#endif
+
+#ifdef OPENSSL_SYS_WIN32
+#undef X509_NAME
+#undef PKCS7_ISSUER_AND_SERIAL
+#endif
+
+typedef struct evp_cipher_st EVP_CIPHER;
+typedef struct evp_cipher_ctx_st EVP_CIPHER_CTX;
+typedef struct env_md_st EVP_MD;
+typedef struct env_md_ctx_st EVP_MD_CTX;
+typedef struct evp_pkey_st EVP_PKEY;
+
+typedef struct x509_st X509;
+typedef struct X509_algor_st X509_ALGOR;
+typedef struct X509_crl_st X509_CRL;
+typedef struct X509_name_st X509_NAME;
+typedef struct x509_store_st X509_STORE;
+typedef struct x509_store_ctx_st X509_STORE_CTX;
+
+typedef struct engine_st ENGINE;
+
+  /* If placed in pkcs12.h, we end up with a circular depency with pkcs7.h */
+#define DECLARE_PKCS12_STACK_OF(type) /* Nothing */
+#define IMPLEMENT_PKCS12_STACK_OF(type) /* Nothing */
+
+#endif /* def HEADER_OPENSSL_TYPES_H */
diff --git a/src/lib/libcrypto/pem/Makefile.ssl b/src/lib/libcrypto/pem/Makefile.ssl
index 31db6b65a1..2153723509 100644
--- a/src/lib/libcrypto/pem/Makefile.ssl
+++ b/src/lib/libcrypto/pem/Makefile.ssl
@@ -5,13 +5,14 @@
 DIR=    pem
 TOP=    ../..
 CC=     cc
-INCLUDES= -I.. -I../../include
+INCLUDES= -I.. -I$(TOP) -I../../include
 CFLAG=-g
 INSTALL_PREFIX=
 OPENSSLDIR=     /usr/local/ssl
 INSTALLTOP=/usr/local/ssl
 MAKE=           make -f Makefile.ssl
-MAKEDEPEND=     $(TOP)/util/domd $(TOP)
+MAKEDEPPROG=    makedepend
+MAKEDEPEND=     $(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)
 MAKEFILE=       Makefile.ssl
 AR=             ar r
 
@@ -22,9 +23,11 @@ TEST=
 APPS=
 
 LIB=$(TOP)/libcrypto.a
-LIBSRC= pem_sign.c pem_seal.c pem_info.c pem_lib.c pem_all.c pem_err.c
+LIBSRC= pem_sign.c pem_seal.c pem_info.c pem_lib.c pem_all.c pem_err.c \
+        pem_x509.c pem_xaux.c pem_oth.c pem_pk8.c pem_pkey.c
 
-LIBOBJ= pem_sign.o pem_seal.o pem_info.o pem_lib.o pem_all.o pem_err.o
+LIBOBJ= pem_sign.o pem_seal.o pem_info.o pem_lib.o pem_all.o pem_err.o \
+        pem_x509.o pem_xaux.o pem_oth.o pem_pk8.o pem_pkey.o
 
 SRC= $(LIBSRC)
 
@@ -40,8 +43,7 @@ all:	lib
 
 lib:    $(LIBOBJ)
         $(AR) $(LIB) $(LIBOBJ)
-        @echo You may get an error following this line.  Please ignore.
-        - $(RANLIB) $(LIB)
+        $(RANLIB) $(LIB) || echo Never mind.
         @touch lib
 
 files:
@@ -80,125 +82,169 @@ clean:
 
 # DO NOT DELETE THIS LINE -- make depend depends on it.
 
-pem_all.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-pem_all.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-pem_all.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-pem_all.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+pem_all.o: ../../e_os.h ../../include/openssl/asn1.h
+pem_all.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+pem_all.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 pem_all.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-pem_all.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-pem_all.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-pem_all.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-pem_all.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-pem_all.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+pem_all.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+pem_all.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 pem_all.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 pem_all.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-pem_all.o: ../../include/openssl/pem.h ../../include/openssl/pem2.h
-pem_all.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-pem_all.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-pem_all.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-pem_all.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-pem_all.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-pem_all.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-pem_all.o: ../cryptlib.h
+pem_all.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pem.h
+pem_all.o: ../../include/openssl/pem2.h ../../include/openssl/pkcs7.h
+pem_all.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+pem_all.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+pem_all.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+pem_all.o: ../../include/openssl/x509_vfy.h ../cryptlib.h pem_all.c
 pem_err.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-pem_err.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-pem_err.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-pem_err.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-pem_err.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-pem_err.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-pem_err.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-pem_err.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-pem_err.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-pem_err.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+pem_err.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+pem_err.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
+pem_err.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+pem_err.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+pem_err.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
 pem_err.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-pem_err.o: ../../include/openssl/opensslv.h ../../include/openssl/pem.h
-pem_err.o: ../../include/openssl/pem2.h ../../include/openssl/pkcs7.h
-pem_err.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-pem_err.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-pem_err.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-pem_err.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-pem_err.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-pem_err.o: ../../include/openssl/x509_vfy.h
-pem_info.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-pem_info.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-pem_info.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-pem_info.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+pem_err.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+pem_err.o: ../../include/openssl/pem.h ../../include/openssl/pem2.h
+pem_err.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
+pem_err.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+pem_err.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+pem_err.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+pem_err.o: pem_err.c
+pem_info.o: ../../e_os.h ../../include/openssl/asn1.h
+pem_info.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+pem_info.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 pem_info.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-pem_info.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-pem_info.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-pem_info.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-pem_info.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-pem_info.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+pem_info.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+pem_info.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 pem_info.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 pem_info.o: ../../include/openssl/opensslconf.h
-pem_info.o: ../../include/openssl/opensslv.h ../../include/openssl/pem.h
-pem_info.o: ../../include/openssl/pem2.h ../../include/openssl/pkcs7.h
-pem_info.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-pem_info.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-pem_info.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-pem_info.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-pem_info.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-pem_info.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
-pem_lib.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-pem_lib.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-pem_lib.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-pem_lib.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+pem_info.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+pem_info.o: ../../include/openssl/pem.h ../../include/openssl/pem2.h
+pem_info.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
+pem_info.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+pem_info.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+pem_info.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+pem_info.o: ../cryptlib.h pem_info.c
+pem_lib.o: ../../e_os.h ../../include/openssl/asn1.h
+pem_lib.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+pem_lib.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+pem_lib.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
 pem_lib.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-pem_lib.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-pem_lib.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-pem_lib.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-pem_lib.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-pem_lib.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+pem_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+pem_lib.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 pem_lib.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 pem_lib.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-pem_lib.o: ../../include/openssl/pem.h ../../include/openssl/pem2.h
-pem_lib.o: ../../include/openssl/pkcs12.h ../../include/openssl/pkcs7.h
-pem_lib.o: ../../include/openssl/rand.h ../../include/openssl/rc2.h
-pem_lib.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-pem_lib.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-pem_lib.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-pem_lib.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-pem_lib.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-pem_lib.o: ../cryptlib.h
-pem_seal.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-pem_seal.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-pem_seal.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-pem_seal.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+pem_lib.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pem.h
+pem_lib.o: ../../include/openssl/pem2.h ../../include/openssl/pkcs12.h
+pem_lib.o: ../../include/openssl/pkcs7.h ../../include/openssl/rand.h
+pem_lib.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+pem_lib.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+pem_lib.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
+pem_lib.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h
+pem_lib.o: ../../include/openssl/x509_vfy.h ../cryptlib.h pem_lib.c
+pem_oth.o: ../../e_os.h ../../include/openssl/asn1.h
+pem_oth.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+pem_oth.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+pem_oth.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+pem_oth.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+pem_oth.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+pem_oth.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+pem_oth.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+pem_oth.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pem.h
+pem_oth.o: ../../include/openssl/pem2.h ../../include/openssl/pkcs7.h
+pem_oth.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h
+pem_oth.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+pem_oth.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+pem_oth.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+pem_oth.o: ../cryptlib.h pem_oth.c
+pem_pk8.o: ../../e_os.h ../../include/openssl/asn1.h
+pem_pk8.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+pem_pk8.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+pem_pk8.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+pem_pk8.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+pem_pk8.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+pem_pk8.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+pem_pk8.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+pem_pk8.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pem.h
+pem_pk8.o: ../../include/openssl/pem2.h ../../include/openssl/pkcs12.h
+pem_pk8.o: ../../include/openssl/pkcs7.h ../../include/openssl/rand.h
+pem_pk8.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+pem_pk8.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+pem_pk8.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+pem_pk8.o: ../../include/openssl/x509_vfy.h ../cryptlib.h pem_pk8.c
+pem_pkey.o: ../../e_os.h ../../include/openssl/asn1.h
+pem_pkey.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+pem_pkey.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+pem_pkey.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+pem_pkey.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+pem_pkey.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+pem_pkey.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+pem_pkey.o: ../../include/openssl/opensslconf.h
+pem_pkey.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+pem_pkey.o: ../../include/openssl/pem.h ../../include/openssl/pem2.h
+pem_pkey.o: ../../include/openssl/pkcs12.h ../../include/openssl/pkcs7.h
+pem_pkey.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h
+pem_pkey.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+pem_pkey.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+pem_pkey.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+pem_pkey.o: ../cryptlib.h pem_pkey.c
+pem_seal.o: ../../e_os.h ../../include/openssl/asn1.h
+pem_seal.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+pem_seal.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 pem_seal.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-pem_seal.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-pem_seal.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-pem_seal.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-pem_seal.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-pem_seal.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+pem_seal.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+pem_seal.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 pem_seal.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 pem_seal.o: ../../include/openssl/opensslconf.h
-pem_seal.o: ../../include/openssl/opensslv.h ../../include/openssl/pem.h
-pem_seal.o: ../../include/openssl/pem2.h ../../include/openssl/pkcs7.h
-pem_seal.o: ../../include/openssl/rand.h ../../include/openssl/rc2.h
-pem_seal.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-pem_seal.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-pem_seal.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-pem_seal.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-pem_seal.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-pem_seal.o: ../cryptlib.h
-pem_sign.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-pem_sign.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-pem_sign.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-pem_sign.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+pem_seal.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+pem_seal.o: ../../include/openssl/pem.h ../../include/openssl/pem2.h
+pem_seal.o: ../../include/openssl/pkcs7.h ../../include/openssl/rand.h
+pem_seal.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+pem_seal.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+pem_seal.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+pem_seal.o: ../../include/openssl/x509_vfy.h ../cryptlib.h pem_seal.c
+pem_sign.o: ../../e_os.h ../../include/openssl/asn1.h
+pem_sign.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+pem_sign.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 pem_sign.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-pem_sign.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-pem_sign.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-pem_sign.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-pem_sign.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-pem_sign.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+pem_sign.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+pem_sign.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 pem_sign.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 pem_sign.o: ../../include/openssl/opensslconf.h
-pem_sign.o: ../../include/openssl/opensslv.h ../../include/openssl/pem.h
-pem_sign.o: ../../include/openssl/pem2.h ../../include/openssl/pkcs7.h
-pem_sign.o: ../../include/openssl/rand.h ../../include/openssl/rc2.h
-pem_sign.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-pem_sign.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-pem_sign.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-pem_sign.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-pem_sign.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-pem_sign.o: ../cryptlib.h
+pem_sign.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+pem_sign.o: ../../include/openssl/pem.h ../../include/openssl/pem2.h
+pem_sign.o: ../../include/openssl/pkcs7.h ../../include/openssl/rand.h
+pem_sign.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+pem_sign.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+pem_sign.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+pem_sign.o: ../../include/openssl/x509_vfy.h ../cryptlib.h pem_sign.c
+pem_x509.o: ../../e_os.h ../../include/openssl/asn1.h
+pem_x509.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+pem_x509.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+pem_x509.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+pem_x509.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+pem_x509.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+pem_x509.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+pem_x509.o: ../../include/openssl/opensslconf.h
+pem_x509.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+pem_x509.o: ../../include/openssl/pem.h ../../include/openssl/pem2.h
+pem_x509.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
+pem_x509.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+pem_x509.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+pem_x509.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+pem_x509.o: ../cryptlib.h pem_x509.c
+pem_xaux.o: ../../e_os.h ../../include/openssl/asn1.h
+pem_xaux.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+pem_xaux.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+pem_xaux.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+pem_xaux.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+pem_xaux.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+pem_xaux.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+pem_xaux.o: ../../include/openssl/opensslconf.h
+pem_xaux.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+pem_xaux.o: ../../include/openssl/pem.h ../../include/openssl/pem2.h
+pem_xaux.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
+pem_xaux.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+pem_xaux.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+pem_xaux.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+pem_xaux.o: ../cryptlib.h pem_xaux.c
diff --git a/src/lib/libcrypto/pem/pem.h b/src/lib/libcrypto/pem/pem.h
index 6d3c446577..3785fca77d 100644
--- a/src/lib/libcrypto/pem/pem.h
+++ b/src/lib/libcrypto/pem/pem.h
@@ -59,15 +59,16 @@
 #ifndef HEADER_PEM_H
 #define HEADER_PEM_H
 
-#ifndef NO_BIO
+#ifndef OPENSSL_NO_BIO
 #include <openssl/bio.h>
 #endif
-#ifndef NO_STACK
+#ifndef OPENSSL_NO_STACK
 #include <openssl/stack.h>
 #endif
 #include <openssl/evp.h>
 #include <openssl/x509.h>
 #include <openssl/pem2.h>
+#include <openssl/e_os2.h>
 
 #ifdef  __cplusplus
 extern "C" {
@@ -126,7 +127,8 @@ extern "C" {
 #define PEM_STRING_SSL_SESSION  "SSL SESSION PARAMETERS"
 #define PEM_STRING_DSAPARAMS    "DSA PARAMETERS"
 
-
+  /* Note that this structure is initialised by PEM_SealInit and cleaned up
+     by PEM_SealFinal (at least for now) */
 typedef struct PEM_Encode_Seal_st
         {
         EVP_ENCODE_CTX encode;
@@ -171,7 +173,7 @@ typedef struct pem_ctx_st
         int num_recipient;
         PEM_USER **recipient;
 
-#ifndef NO_STACK
+#ifndef OPENSSL_NO_STACK
         STACK *x509_chain;      /* certificate chain */
 #else
         char *x509_chain;       /* certificate chain */
@@ -198,7 +200,7 @@ typedef struct pem_ctx_st
  * IMPLEMENT_PEM_rw(...) or IMPLEMENT_PEM_rw_cb(...)
  */
 
-#ifdef NO_FP_API
+#ifdef OPENSSL_NO_FP_API
 
 #define IMPLEMENT_PEM_read_fp(name, type, str, asn1) /**/
 #define IMPLEMENT_PEM_write_fp(name, type, str, asn1) /**/
@@ -275,7 +277,7 @@ int PEM_write_bio_##name(BIO *bp, type *x, const EVP_CIPHER *enc, \
 
 /* These are the same except they are for the declarations */
 
-#if defined(WIN16) || defined(NO_FP_API)
+#if defined(OPENSSL_SYS_WIN16) || defined(OPENSSL_NO_FP_API)
 
 #define DECLARE_PEM_read_fp(name, type) /**/
 #define DECLARE_PEM_write_fp(name, type) /**/
@@ -295,7 +297,7 @@ int PEM_write_bio_##name(BIO *bp, type *x, const EVP_CIPHER *enc, \
 
 #endif
 
-#ifndef NO_BIO
+#ifndef OPENSSL_NO_BIO
 #define DECLARE_PEM_read_bio(name, type) \
         type *PEM_read_bio_##name(BIO *bp, type **x, pem_password_cb *cb, void *u);
 
@@ -483,11 +485,13 @@ int	PEM_get_EVP_CIPHER_INFO(char *header, EVP_CIPHER_INFO *cipher);
 int     PEM_do_header (EVP_CIPHER_INFO *cipher, unsigned char *data,long *len,
         pem_password_cb *callback,void *u);
 
-#ifndef NO_BIO
+#ifndef OPENSSL_NO_BIO
 int     PEM_read_bio(BIO *bp, char **name, char **header,
                 unsigned char **data,long *len);
 int     PEM_write_bio(BIO *bp,const char *name,char *hdr,unsigned char *data,
                 long len);
+int PEM_bytes_read_bio(unsigned char **pdata, long *plen, char **pnm, const char *name, BIO *bp,
+             pem_password_cb *cb, void *u);
 char *  PEM_ASN1_read_bio(char *(*d2i)(),const char *name,BIO *bp,char **x,
                 pem_password_cb *cb, void *u);
 int     PEM_ASN1_write_bio(int (*i2d)(),const char *name,BIO *bp,char *x,
@@ -498,7 +502,7 @@ int	PEM_X509_INFO_write_bio(BIO *bp,X509_INFO *xi, EVP_CIPHER *enc,
                 unsigned char *kstr, int klen, pem_password_cb *cd, void *u);
 #endif
 
-#ifndef WIN16
+#ifndef OPENSSL_SYS_WIN16
 int     PEM_read(FILE *fp, char **name, char **header,
                 unsigned char **data,long *len);
 int     PEM_write(FILE *fp,char *name,char *hdr,unsigned char *data,long len);
@@ -524,8 +528,7 @@ void    PEM_SignUpdate(EVP_MD_CTX *ctx,unsigned char *d,unsigned int cnt);
 int     PEM_SignFinal(EVP_MD_CTX *ctx, unsigned char *sigret,
                 unsigned int *siglen, EVP_PKEY *pkey);
 
-void    ERR_load_PEM_strings(void);
-
+int     PEM_def_callback(char *buf, int num, int w, void *key);
 void    PEM_proc_type(char *buf, int type);
 void    PEM_dek_info(char *buf, const char *type, int len, char *str);
 
@@ -550,7 +553,7 @@ DECLARE_PEM_rw(PKCS8, X509_SIG)
 
 DECLARE_PEM_rw(PKCS8_PRIV_KEY_INFO, PKCS8_PRIV_KEY_INFO)
 
-#ifndef NO_RSA
+#ifndef OPENSSL_NO_RSA
 
 DECLARE_PEM_rw_cb(RSAPrivateKey, RSA)
 
@@ -559,7 +562,7 @@ DECLARE_PEM_rw(RSA_PUBKEY, RSA)
 
 #endif
 
-#ifndef NO_DSA
+#ifndef OPENSSL_NO_DSA
 
 DECLARE_PEM_rw_cb(DSAPrivateKey, DSA)
 
@@ -569,7 +572,7 @@ DECLARE_PEM_rw(DSAparams, DSA)
 
 #endif
 
-#ifndef NO_DH
+#ifndef OPENSSL_NO_DH
 
 DECLARE_PEM_rw(DHparams, DH)
 
@@ -614,6 +617,7 @@ int PEM_write_PKCS8PrivateKey(FILE *fp,EVP_PKEY *x,const EVP_CIPHER *enc,
 /* The following lines are auto generated by the script mkerr.pl. Any changes
  * made after this point may be overwritten when the script is next run.
  */
+void ERR_load_PEM_strings(void);
 
 /* Error codes for the PEM functions. */
 
@@ -664,4 +668,3 @@ int PEM_write_PKCS8PrivateKey(FILE *fp,EVP_PKEY *x,const EVP_CIPHER *enc,
 }
 #endif
 #endif
-
diff --git a/src/lib/libcrypto/pem/pem_all.c b/src/lib/libcrypto/pem/pem_all.c
index dc9c35b4b4..e72b7134ce 100644
--- a/src/lib/libcrypto/pem/pem_all.c
+++ b/src/lib/libcrypto/pem/pem_all.c
@@ -65,17 +65,13 @@
 #include <openssl/pkcs7.h>
 #include <openssl/pem.h>
 
-#ifndef NO_RSA
+#ifndef OPENSSL_NO_RSA
 static RSA *pkey_get_rsa(EVP_PKEY *key, RSA **rsa);
 #endif
-#ifndef NO_DSA
+#ifndef OPENSSL_NO_DSA
 static DSA *pkey_get_dsa(EVP_PKEY *key, DSA **dsa);
 #endif
 
-IMPLEMENT_PEM_rw(X509, X509, PEM_STRING_X509, X509)
-
-IMPLEMENT_PEM_rw(X509_AUX, X509, PEM_STRING_X509_TRUSTED, X509_AUX)
-
 IMPLEMENT_PEM_rw(X509_REQ, X509_REQ, PEM_STRING_X509_REQ, X509_REQ)
 
 IMPLEMENT_PEM_write(X509_REQ_NEW, X509_REQ, PEM_STRING_X509_REQ_OLD, X509_REQ)
@@ -87,11 +83,8 @@ IMPLEMENT_PEM_rw(PKCS7, PKCS7, PEM_STRING_PKCS7, PKCS7)
 IMPLEMENT_PEM_rw(NETSCAPE_CERT_SEQUENCE, NETSCAPE_CERT_SEQUENCE,
                                         PEM_STRING_X509, NETSCAPE_CERT_SEQUENCE)
 
-IMPLEMENT_PEM_rw(PKCS8, X509_SIG, PEM_STRING_PKCS8, X509_SIG)
-IMPLEMENT_PEM_rw(PKCS8_PRIV_KEY_INFO, PKCS8_PRIV_KEY_INFO, PEM_STRING_PKCS8INF,
-                                                         PKCS8_PRIV_KEY_INFO)
 
-#ifndef NO_RSA
+#ifndef OPENSSL_NO_RSA
 
 /* We treat RSA or DSA private keys as a special case.
  *
@@ -123,7 +116,7 @@ RSA *PEM_read_bio_RSAPrivateKey(BIO *bp, RSA **rsa, pem_password_cb *cb,
         return pkey_get_rsa(pktmp, rsa);
 }
 
-#ifndef NO_FP_API
+#ifndef OPENSSL_NO_FP_API
 
 RSA *PEM_read_RSAPrivateKey(FILE *fp, RSA **rsa, pem_password_cb *cb,
                                                                 void *u)
@@ -141,7 +134,7 @@ IMPLEMENT_PEM_rw(RSA_PUBKEY, RSA, PEM_STRING_PUBLIC, RSA_PUBKEY)
 
 #endif
 
-#ifndef NO_DSA
+#ifndef OPENSSL_NO_DSA
 
 static DSA *pkey_get_dsa(EVP_PKEY *key, DSA **dsa)
 {
@@ -168,7 +161,7 @@ DSA *PEM_read_bio_DSAPrivateKey(BIO *bp, DSA **dsa, pem_password_cb *cb,
 IMPLEMENT_PEM_write_cb(DSAPrivateKey, DSA, PEM_STRING_DSA, DSAPrivateKey)
 IMPLEMENT_PEM_rw(DSA_PUBKEY, DSA, PEM_STRING_PUBLIC, DSA_PUBKEY)
 
-#ifndef NO_FP_API
+#ifndef OPENSSL_NO_FP_API
 
 DSA *PEM_read_DSAPrivateKey(FILE *fp, DSA **dsa, pem_password_cb *cb,
                                                                 void *u)
@@ -184,7 +177,7 @@ IMPLEMENT_PEM_rw(DSAparams, DSA, PEM_STRING_DSAPARAMS, DSAparams)
 
 #endif
 
-#ifndef NO_DH
+#ifndef OPENSSL_NO_DH
 
 IMPLEMENT_PEM_rw(DHparams, DH, PEM_STRING_DHPARAMS, DHparams)
 
@@ -197,7 +190,7 @@ IMPLEMENT_PEM_rw(DHparams, DH, PEM_STRING_DHPARAMS, DHparams)
  * (When reading, parameter PEM_STRING_EVP_PKEY is a wildcard for anything
  * appropriate.)
  */
-IMPLEMENT_PEM_read(PrivateKey, EVP_PKEY, PEM_STRING_EVP_PKEY, PrivateKey)
 IMPLEMENT_PEM_write_cb(PrivateKey, EVP_PKEY, ((x->type == EVP_PKEY_DSA)?PEM_STRING_DSA:PEM_STRING_RSA), PrivateKey)
 
 IMPLEMENT_PEM_rw(PUBKEY, EVP_PKEY, PEM_STRING_PUBLIC, PUBKEY)
+
diff --git a/src/lib/libcrypto/pem/pem_err.c b/src/lib/libcrypto/pem/pem_err.c
index 8b1789b11c..3b39b84d66 100644
--- a/src/lib/libcrypto/pem/pem_err.c
+++ b/src/lib/libcrypto/pem/pem_err.c
@@ -63,7 +63,7 @@
 #include <openssl/pem.h>
 
 /* BEGIN ERROR CODES */
-#ifndef NO_ERR
+#ifndef OPENSSL_NO_ERR
 static ERR_STRING_DATA PEM_str_functs[]=
         {
 {ERR_PACK(0,PEM_F_D2I_PKCS8PRIVATEKEY_BIO,0),   "d2i_PKCS8PrivateKey_bio"},
@@ -122,7 +122,7 @@ void ERR_load_PEM_strings(void)
         if (init)
                 {
                 init=0;
-#ifndef NO_ERR
+#ifndef OPENSSL_NO_ERR
                 ERR_load_strings(ERR_LIB_PEM,PEM_str_functs);
                 ERR_load_strings(ERR_LIB_PEM,PEM_str_reasons);
 #endif
diff --git a/src/lib/libcrypto/pem/pem_info.c b/src/lib/libcrypto/pem/pem_info.c
index f1694f1125..9a6dffb45c 100644
--- a/src/lib/libcrypto/pem/pem_info.c
+++ b/src/lib/libcrypto/pem/pem_info.c
@@ -64,7 +64,7 @@
 #include <openssl/x509.h>
 #include <openssl/pem.h>
 
-#ifndef NO_FP_API
+#ifndef OPENSSL_NO_FP_API
 STACK_OF(X509_INFO) *PEM_X509_INFO_read(FILE *fp, STACK_OF(X509_INFO) *sk, pem_password_cb *cb, void *u)
         {
         BIO *b;
@@ -111,7 +111,7 @@ STACK_OF(X509_INFO) *PEM_X509_INFO_read_bio(BIO *bp, STACK_OF(X509_INFO) *sk, pe
                 i=PEM_read_bio(bp,&name,&header,&data,&len);
                 if (i == 0)
                         {
-                        error=ERR_GET_REASON(ERR_peek_error());
+                        error=ERR_GET_REASON(ERR_peek_last_error());
                         if (error == PEM_R_NO_START_LINE)
                                 {
                                 ERR_clear_error();
@@ -155,7 +155,7 @@ start:
                         pp=(char **)&(xi->crl);
                         }
                 else
-#ifndef NO_RSA
+#ifndef OPENSSL_NO_RSA
                         if (strcmp(name,PEM_STRING_RSA) == 0)
                         {
                         d2i=(char *(*)())d2i_RSAPrivateKey;
@@ -179,7 +179,7 @@ start:
                         }
                 else
 #endif
-#ifndef NO_DSA
+#ifndef OPENSSL_NO_DSA
                         if (strcmp(name,PEM_STRING_DSA) == 0)
                         {
                         d2i=(char *(*)())d2i_DSAPrivateKey;
@@ -326,7 +326,7 @@ int PEM_X509_INFO_write_bio(BIO *bp, X509_INFO *xi, EVP_CIPHER *enc,
                         /* create the right magic header stuff */
                         buf[0]='\0';
                         PEM_proc_type(buf,PEM_TYPE_ENCRYPTED);
-                        PEM_dek_info(buf,objstr,8,(char *)iv);
+                        PEM_dek_info(buf,objstr,enc->iv_len,(char *)iv);
 
                         /* use the normal code to write things out */
                         i=PEM_write_bio(bp,PEM_STRING_RSA,buf,data,i);
@@ -335,7 +335,7 @@ int PEM_X509_INFO_write_bio(BIO *bp, X509_INFO *xi, EVP_CIPHER *enc,
                 else
                         {
                         /* Add DSA/DH */
-#ifndef NO_RSA
+#ifndef OPENSSL_NO_RSA
                         /* normal optionally encrypted stuff */
                         if (PEM_write_bio_RSAPrivateKey(bp,
                                 xi->x_pkey->dec_pkey->pkey.rsa,
@@ -346,7 +346,7 @@ int PEM_X509_INFO_write_bio(BIO *bp, X509_INFO *xi, EVP_CIPHER *enc,
                 }
 
         /* if we have a certificate then write it out now */
-        if ((xi->x509 != NULL) || (PEM_write_bio_X509(bp,xi->x509) <= 0))
+        if ((xi->x509 != NULL) && (PEM_write_bio_X509(bp,xi->x509) <= 0))
                 goto err;
 
         /* we are ignoring anything else that is loaded into the X509_INFO
diff --git a/src/lib/libcrypto/pem/pem_lib.c b/src/lib/libcrypto/pem/pem_lib.c
index a17c3ed57f..18b751a91a 100644
--- a/src/lib/libcrypto/pem/pem_lib.c
+++ b/src/lib/libcrypto/pem/pem_lib.c
@@ -65,7 +65,7 @@
 #include <openssl/x509.h>
 #include <openssl/pem.h>
 #include <openssl/pkcs12.h>
-#ifndef NO_DES
+#ifndef OPENSSL_NO_DES
 #include <openssl/des.h>
 #endif
 
@@ -73,21 +73,12 @@ const char *PEM_version="PEM" OPENSSL_VERSION_PTEXT;
 
 #define MIN_LENGTH      4
 
-static int def_callback(char *buf, int num, int w, void *userdata);
 static int load_iv(unsigned char **fromp,unsigned char *to, int num);
 static int check_pem(const char *nm, const char *name);
-static int do_pk8pkey(BIO *bp, EVP_PKEY *x, int isder,
-                                int nid, const EVP_CIPHER *enc,
-                                char *kstr, int klen,
-                                pem_password_cb *cb, void *u);
-static int do_pk8pkey_fp(FILE *bp, EVP_PKEY *x, int isder,
-                                int nid, const EVP_CIPHER *enc,
-                                char *kstr, int klen,
-                                pem_password_cb *cb, void *u);
-
-static int def_callback(char *buf, int num, int w, void *key)
+
+int PEM_def_callback(char *buf, int num, int w, void *key)
         {
-#ifdef NO_FP_API
+#ifdef OPENSSL_NO_FP_API
         /* We should not ever call the default callback routine from
          * windows. */
         PEMerr(PEM_F_DEF_CALLBACK,ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
@@ -164,7 +155,7 @@ void PEM_dek_info(char *buf, const char *type, int len, char *str)
         buf[j+i*2+1]='\0';
         }
 
-#ifndef NO_FP_API
+#ifndef OPENSSL_NO_FP_API
 char *PEM_ASN1_read(char *(*d2i)(), const char *name, FILE *fp, char **x,
              pem_password_cb *cb, void *u)
         {
@@ -224,14 +215,14 @@ static int check_pem(const char *nm, const char *name)
         return 0;
 }
 
-char *PEM_ASN1_read_bio(char *(*d2i)(), const char *name, BIO *bp, char **x,
+int PEM_bytes_read_bio(unsigned char **pdata, long *plen, char **pnm, const char *name, BIO *bp,
              pem_password_cb *cb, void *u)
         {
         EVP_CIPHER_INFO cipher;
         char *nm=NULL,*header=NULL;
-        unsigned char *p=NULL,*data=NULL;
+        unsigned char *data=NULL;
         long len;
-        char *ret=NULL;
+        int ret = 0;
 
         for (;;)
                 {
@@ -239,7 +230,7 @@ char *PEM_ASN1_read_bio(char *(*d2i)(), const char *name, BIO *bp, char **x,
                         if(ERR_GET_REASON(ERR_peek_error()) ==
                                 PEM_R_NO_START_LINE)
                                 ERR_add_error_data(2, "Expecting: ", name);
-                        return(NULL);
+                        return 0;
                 }
                 if(check_pem(nm, name)) break;
                 OPENSSL_free(nm);
@@ -248,54 +239,23 @@ char *PEM_ASN1_read_bio(char *(*d2i)(), const char *name, BIO *bp, char **x,
                 }
         if (!PEM_get_EVP_CIPHER_INFO(header,&cipher)) goto err;
         if (!PEM_do_header(&cipher,data,&len,cb,u)) goto err;
-        p=data;
-        if (strcmp(name,PEM_STRING_EVP_PKEY) == 0) {
-                if (strcmp(nm,PEM_STRING_RSA) == 0)
-                        ret=d2i(EVP_PKEY_RSA,x,&p,len);
-                else if (strcmp(nm,PEM_STRING_DSA) == 0)
-                        ret=d2i(EVP_PKEY_DSA,x,&p,len);
-                else if (strcmp(nm,PEM_STRING_PKCS8INF) == 0) {
-                        PKCS8_PRIV_KEY_INFO *p8inf;
-                        p8inf=d2i_PKCS8_PRIV_KEY_INFO(
-                                        (PKCS8_PRIV_KEY_INFO **) x, &p, len);
-                        ret = (char *)EVP_PKCS82PKEY(p8inf);
-                        PKCS8_PRIV_KEY_INFO_free(p8inf);
-                } else if (strcmp(nm,PEM_STRING_PKCS8) == 0) {
-                        PKCS8_PRIV_KEY_INFO *p8inf;
-                        X509_SIG *p8;
-                        int klen;
-                        char psbuf[PEM_BUFSIZE];
-                        p8 = d2i_X509_SIG(NULL, &p, len);
-                        if(!p8) goto p8err;
-                        if (cb) klen=cb(psbuf,PEM_BUFSIZE,0,u);
-                        else klen=def_callback(psbuf,PEM_BUFSIZE,0,u);
-                        if (klen <= 0) {
-                                PEMerr(PEM_F_PEM_ASN1_READ_BIO,
-                                                PEM_R_BAD_PASSWORD_READ);
-                                goto err;
-                        }
-                        p8inf = M_PKCS8_decrypt(p8, psbuf, klen);
-                        X509_SIG_free(p8);
-                        if(!p8inf) goto p8err;
-                        ret = (char *)EVP_PKCS82PKEY(p8inf);
-                        if(x) {
-                                if(*x) EVP_PKEY_free((EVP_PKEY *)*x);
-                                *x = ret;
-                        }
-                        PKCS8_PRIV_KEY_INFO_free(p8inf);
-                }
-        } else  ret=d2i(x,&p,len);
-p8err:
-        if (ret == NULL)
-                PEMerr(PEM_F_PEM_ASN1_READ_BIO,ERR_R_ASN1_LIB);
+
+        *pdata = data;
+        *plen = len;
+
+        if (pnm)
+                *pnm = nm;
+
+        ret = 1;
+
 err:
-        OPENSSL_free(nm);
+        if (!pnm) OPENSSL_free(nm);
         OPENSSL_free(header);
-        OPENSSL_free(data);
-        return(ret);
+        if (!ret) OPENSSL_free(data);
+        return ret;
         }
 
-#ifndef NO_FP_API
+#ifndef OPENSSL_NO_FP_API
 int PEM_ASN1_write(int (*i2d)(), const char *name, FILE *fp, char *x,
              const EVP_CIPHER *enc, unsigned char *kstr, int klen,
              pem_password_cb *callback, void *u)
@@ -358,7 +318,7 @@ int PEM_ASN1_write_bio(int (*i2d)(), const char *name, BIO *bp, char *x,
                 if (kstr == NULL)
                         {
                         if (callback == NULL)
-                                klen=def_callback(buf,PEM_BUFSIZE,1,u);
+                                klen=PEM_def_callback(buf,PEM_BUFSIZE,1,u);
                         else
                                 klen=(*callback)(buf,PEM_BUFSIZE,1,u);
                         if (klen <= 0)
@@ -373,7 +333,7 @@ int PEM_ASN1_write_bio(int (*i2d)(), const char *name, BIO *bp, char *x,
                         kstr=(unsigned char *)buf;
                         }
                 RAND_add(data,i,0);/* put in the RSA key. */
-                if (RAND_pseudo_bytes(iv,8) < 0)        /* Generate a salt */
+                if (RAND_pseudo_bytes(iv,enc->iv_len) < 0) /* Generate a salt */
                         goto err;
                 /* The 'iv' is used as the iv and as a salt.  It is
                  * NOT taken from the BytesToKey function */
@@ -383,12 +343,14 @@ int PEM_ASN1_write_bio(int (*i2d)(), const char *name, BIO *bp, char *x,
 
                 buf[0]='\0';
                 PEM_proc_type(buf,PEM_TYPE_ENCRYPTED);
-                PEM_dek_info(buf,objstr,8,(char *)iv);
+                PEM_dek_info(buf,objstr,enc->iv_len,(char *)iv);
                 /* k=strlen(buf); */
-        
-                EVP_EncryptInit(&ctx,enc,key,iv);
+
+                EVP_CIPHER_CTX_init(&ctx);
+                EVP_EncryptInit_ex(&ctx,enc,NULL,key,iv);
                 EVP_EncryptUpdate(&ctx,data,&j,data,i);
-                EVP_EncryptFinal(&ctx,&(data[j]),&i);
+                EVP_EncryptFinal_ex(&ctx,&(data[j]),&i);
+                EVP_CIPHER_CTX_cleanup(&ctx);
                 i+=j;
                 ret=1;
                 }
@@ -422,7 +384,7 @@ int PEM_do_header(EVP_CIPHER_INFO *cipher, unsigned char *data, long *plen,
 
         if (cipher->cipher == NULL) return(1);
         if (callback == NULL)
-                klen=def_callback(buf,PEM_BUFSIZE,0,u);
+                klen=PEM_def_callback(buf,PEM_BUFSIZE,0,u);
         else
                 klen=callback(buf,PEM_BUFSIZE,0,u);
         if (klen <= 0)
@@ -439,9 +401,10 @@ int PEM_do_header(EVP_CIPHER_INFO *cipher, unsigned char *data, long *plen,
                 (unsigned char *)buf,klen,1,key,NULL);
 
         j=(int)len;
-        EVP_DecryptInit(&ctx,cipher->cipher,key,&(cipher->iv[0]));
+        EVP_CIPHER_CTX_init(&ctx);
+        EVP_DecryptInit_ex(&ctx,cipher->cipher,NULL, key,&(cipher->iv[0]));
         EVP_DecryptUpdate(&ctx,data,&i,data,j);
-        o=EVP_DecryptFinal(&ctx,&(data[i]),&j);
+        o=EVP_DecryptFinal_ex(&ctx,&(data[i]),&j);
         EVP_CIPHER_CTX_cleanup(&ctx);
         memset((char *)buf,0,sizeof(buf));
         memset((char *)key,0,sizeof(key));
@@ -506,7 +469,7 @@ int PEM_get_EVP_CIPHER_INFO(char *header, EVP_CIPHER_INFO *cipher)
                 PEMerr(PEM_F_PEM_GET_EVP_CIPHER_INFO,PEM_R_UNSUPPORTED_ENCRYPTION);
                 return(0);
                 }
-        if (!load_iv((unsigned char **)&header,&(cipher->iv[0]),8)) return(0);
+        if (!load_iv((unsigned char **)&header,&(cipher->iv[0]),enc->iv_len)) return(0);
 
         return(1);
         }
@@ -540,7 +503,7 @@ static int load_iv(unsigned char **fromp, unsigned char *to, int num)
         return(1);
         }
 
-#ifndef NO_FP_API
+#ifndef OPENSSL_NO_FP_API
 int PEM_write(FILE *fp, char *name, char *header, unsigned char *data,
              long len)
         {
@@ -614,7 +577,7 @@ err:
         return(0);
         }
 
-#ifndef NO_FP_API
+#ifndef OPENSSL_NO_FP_API
 int PEM_read(FILE *fp, char **name, char **header, unsigned char **data,
              long *len)
         {
@@ -794,170 +757,3 @@ err:
         BUF_MEM_free(dataB);
         return(0);
         }
-
-/* These functions write a private key in PKCS#8 format: it is a "drop in"
- * replacement for PEM_write_bio_PrivateKey() and friends. As usual if 'enc'
- * is NULL then it uses the unencrypted private key form. The 'nid' versions
- * uses PKCS#5 v1.5 PBE algorithms whereas the others use PKCS#5 v2.0.
- */
-
-int PEM_write_bio_PKCS8PrivateKey_nid(BIO *bp, EVP_PKEY *x, int nid,
-                                  char *kstr, int klen,
-                                  pem_password_cb *cb, void *u)
-{
-        return do_pk8pkey(bp, x, 0, nid, NULL, kstr, klen, cb, u);
-}
-
-int PEM_write_bio_PKCS8PrivateKey(BIO *bp, EVP_PKEY *x, const EVP_CIPHER *enc,
-                                  char *kstr, int klen,
-                                  pem_password_cb *cb, void *u)
-{
-        return do_pk8pkey(bp, x, 0, -1, enc, kstr, klen, cb, u);
-}
-
-int i2d_PKCS8PrivateKey_bio(BIO *bp, EVP_PKEY *x, const EVP_CIPHER *enc,
-                                  char *kstr, int klen,
-                                  pem_password_cb *cb, void *u)
-{
-        return do_pk8pkey(bp, x, 1, -1, enc, kstr, klen, cb, u);
-}
-
-int i2d_PKCS8PrivateKey_nid_bio(BIO *bp, EVP_PKEY *x, int nid,
-                                  char *kstr, int klen,
-                                  pem_password_cb *cb, void *u)
-{
-        return do_pk8pkey(bp, x, 1, nid, NULL, kstr, klen, cb, u);
-}
-
-static int do_pk8pkey(BIO *bp, EVP_PKEY *x, int isder, int nid, const EVP_CIPHER *enc,
-                                  char *kstr, int klen,
-                                  pem_password_cb *cb, void *u)
-{
-        X509_SIG *p8;
-        PKCS8_PRIV_KEY_INFO *p8inf;
-        char buf[PEM_BUFSIZE];
-        int ret;
-        if(!(p8inf = EVP_PKEY2PKCS8(x))) {
-                PEMerr(PEM_F_PEM_WRITE_BIO_PKCS8PRIVATEKEY,
-                                        PEM_R_ERROR_CONVERTING_PRIVATE_KEY);
-                return 0;
-        }
-        if(enc || (nid != -1)) {
-                if(!kstr) {
-                        if(!cb) klen = def_callback(buf, PEM_BUFSIZE, 1, u);
-                        else klen = cb(buf, PEM_BUFSIZE, 1, u);
-                        if(klen <= 0) {
-                                PEMerr(PEM_F_PEM_WRITE_BIO_PKCS8PRIVATEKEY,
-                                                                PEM_R_READ_KEY);
-                                PKCS8_PRIV_KEY_INFO_free(p8inf);
-                                return 0;
-                        }
-                                
-                        kstr = buf;
-                }
-                p8 = PKCS8_encrypt(nid, enc, kstr, klen, NULL, 0, 0, p8inf);
-                if(kstr == buf) memset(buf, 0, klen);
-                PKCS8_PRIV_KEY_INFO_free(p8inf);
-                if(isder) ret = i2d_PKCS8_bio(bp, p8);
-                else ret = PEM_write_bio_PKCS8(bp, p8);
-                X509_SIG_free(p8);
-                return ret;
-        } else {
-                if(isder) ret = i2d_PKCS8_PRIV_KEY_INFO_bio(bp, p8inf);
-                else ret = PEM_write_bio_PKCS8_PRIV_KEY_INFO(bp, p8inf);
-                PKCS8_PRIV_KEY_INFO_free(p8inf);
-                return ret;
-        }
-}
-
-/* Finally the DER version to read PKCS#8 encrypted private keys. It has to be
- * here to access the default callback.
- */
-
-EVP_PKEY *d2i_PKCS8PrivateKey_bio(BIO *bp, EVP_PKEY **x, pem_password_cb *cb, void *u)
-{
-        PKCS8_PRIV_KEY_INFO *p8inf = NULL;
-        X509_SIG *p8 = NULL;
-        int klen;
-        EVP_PKEY *ret;
-        char psbuf[PEM_BUFSIZE];
-        p8 = d2i_PKCS8_bio(bp, NULL);
-        if(!p8) return NULL;
-        if (cb) klen=cb(psbuf,PEM_BUFSIZE,0,u);
-        else klen=def_callback(psbuf,PEM_BUFSIZE,0,u);
-        if (klen <= 0) {
-                PEMerr(PEM_F_D2I_PKCS8PRIVATEKEY_BIO, PEM_R_BAD_PASSWORD_READ);
-                X509_SIG_free(p8);
-                return NULL;    
-        }
-        p8inf = M_PKCS8_decrypt(p8, psbuf, klen);
-        X509_SIG_free(p8);
-        if(!p8inf) return NULL;
-        ret = EVP_PKCS82PKEY(p8inf);
-        PKCS8_PRIV_KEY_INFO_free(p8inf);
-        if(!ret) return NULL;
-        if(x) {
-                if(*x) EVP_PKEY_free(*x);
-                *x = ret;
-        }
-        return ret;
-}
-
-#ifndef NO_FP_API
-
-int i2d_PKCS8PrivateKey_fp(FILE *fp, EVP_PKEY *x, const EVP_CIPHER *enc,
-                                  char *kstr, int klen,
-                                  pem_password_cb *cb, void *u)
-{
-        return do_pk8pkey_fp(fp, x, 1, -1, enc, kstr, klen, cb, u);
-}
-
-int i2d_PKCS8PrivateKey_nid_fp(FILE *fp, EVP_PKEY *x, int nid,
-                                  char *kstr, int klen,
-                                  pem_password_cb *cb, void *u)
-{
-        return do_pk8pkey_fp(fp, x, 1, nid, NULL, kstr, klen, cb, u);
-}
-
-int PEM_write_PKCS8PrivateKey_nid(FILE *fp, EVP_PKEY *x, int nid,
-                                  char *kstr, int klen,
-                                  pem_password_cb *cb, void *u)
-{
-        return do_pk8pkey_fp(fp, x, 0, nid, NULL, kstr, klen, cb, u);
-}
-
-int PEM_write_PKCS8PrivateKey(FILE *fp, EVP_PKEY *x, const EVP_CIPHER *enc,
-                              char *kstr, int klen, pem_password_cb *cb, void *u)
-{
-        return do_pk8pkey_fp(fp, x, 0, -1, enc, kstr, klen, cb, u);
-}
-
-static int do_pk8pkey_fp(FILE *fp, EVP_PKEY *x, int isder, int nid, const EVP_CIPHER *enc,
-                                  char *kstr, int klen,
-                                  pem_password_cb *cb, void *u)
-{
-        BIO *bp;
-        int ret;
-        if(!(bp = BIO_new_fp(fp, BIO_NOCLOSE))) {
-                PEMerr(PEM_F_PEM_F_DO_PK8KEY_FP,ERR_R_BUF_LIB);
-                return(0);
-        }
-        ret = do_pk8pkey(bp, x, isder, nid, enc, kstr, klen, cb, u);
-        BIO_free(bp);
-        return ret;
-}
-
-EVP_PKEY *d2i_PKCS8PrivateKey_fp(FILE *fp, EVP_PKEY **x, pem_password_cb *cb, void *u)
-{
-        BIO *bp;
-        EVP_PKEY *ret;
-        if(!(bp = BIO_new_fp(fp, BIO_NOCLOSE))) {
-                PEMerr(PEM_F_D2I_PKCS8PRIVATEKEY_FP,ERR_R_BUF_LIB);
-                return NULL;
-        }
-        ret = d2i_PKCS8PrivateKey_bio(bp, x, cb, u);
-        BIO_free(bp);
-        return ret;
-}
-
-#endif
diff --git a/src/lib/libcrypto/pem/pem_oth.c b/src/lib/libcrypto/pem/pem_oth.c
new file mode 100644
index 0000000000..8d9064ea7c
--- /dev/null
+++ b/src/lib/libcrypto/pem/pem_oth.c
@@ -0,0 +1,85 @@
+/* crypto/pem/pem_oth.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/buffer.h>
+#include <openssl/objects.h>
+#include <openssl/evp.h>
+#include <openssl/rand.h>
+#include <openssl/x509.h>
+#include <openssl/pem.h>
+
+/* Handle 'other' PEMs: not private keys */
+
+char *PEM_ASN1_read_bio(char *(*d2i)(), const char *name, BIO *bp, char **x,
+             pem_password_cb *cb, void *u)
+        {
+        unsigned char *p=NULL,*data=NULL;
+        long len;
+        char *ret=NULL;
+
+        if (!PEM_bytes_read_bio(&data, &len, NULL, name, bp, cb, u))
+                return NULL;
+        p = data;
+        ret=d2i(x,&p,len);
+        if (ret == NULL)
+                PEMerr(PEM_F_PEM_ASN1_READ_BIO,ERR_R_ASN1_LIB);
+        OPENSSL_free(data);
+        return(ret);
+        }
diff --git a/src/lib/libcrypto/pem/pem_pk8.c b/src/lib/libcrypto/pem/pem_pk8.c
new file mode 100644
index 0000000000..f44182ffb5
--- /dev/null
+++ b/src/lib/libcrypto/pem/pem_pk8.c
@@ -0,0 +1,243 @@
+/* crypto/pem/pem_pkey.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/buffer.h>
+#include <openssl/objects.h>
+#include <openssl/evp.h>
+#include <openssl/rand.h>
+#include <openssl/x509.h>
+#include <openssl/pkcs12.h>
+#include <openssl/pem.h>
+
+static int do_pk8pkey(BIO *bp, EVP_PKEY *x, int isder,
+                                int nid, const EVP_CIPHER *enc,
+                                char *kstr, int klen,
+                                pem_password_cb *cb, void *u);
+static int do_pk8pkey_fp(FILE *bp, EVP_PKEY *x, int isder,
+                                int nid, const EVP_CIPHER *enc,
+                                char *kstr, int klen,
+                                pem_password_cb *cb, void *u);
+
+/* These functions write a private key in PKCS#8 format: it is a "drop in"
+ * replacement for PEM_write_bio_PrivateKey() and friends. As usual if 'enc'
+ * is NULL then it uses the unencrypted private key form. The 'nid' versions
+ * uses PKCS#5 v1.5 PBE algorithms whereas the others use PKCS#5 v2.0.
+ */
+
+int PEM_write_bio_PKCS8PrivateKey_nid(BIO *bp, EVP_PKEY *x, int nid,
+                                  char *kstr, int klen,
+                                  pem_password_cb *cb, void *u)
+{
+        return do_pk8pkey(bp, x, 0, nid, NULL, kstr, klen, cb, u);
+}
+
+int PEM_write_bio_PKCS8PrivateKey(BIO *bp, EVP_PKEY *x, const EVP_CIPHER *enc,
+                                  char *kstr, int klen,
+                                  pem_password_cb *cb, void *u)
+{
+        return do_pk8pkey(bp, x, 0, -1, enc, kstr, klen, cb, u);
+}
+
+int i2d_PKCS8PrivateKey_bio(BIO *bp, EVP_PKEY *x, const EVP_CIPHER *enc,
+                                  char *kstr, int klen,
+                                  pem_password_cb *cb, void *u)
+{
+        return do_pk8pkey(bp, x, 1, -1, enc, kstr, klen, cb, u);
+}
+
+int i2d_PKCS8PrivateKey_nid_bio(BIO *bp, EVP_PKEY *x, int nid,
+                                  char *kstr, int klen,
+                                  pem_password_cb *cb, void *u)
+{
+        return do_pk8pkey(bp, x, 1, nid, NULL, kstr, klen, cb, u);
+}
+
+static int do_pk8pkey(BIO *bp, EVP_PKEY *x, int isder, int nid, const EVP_CIPHER *enc,
+                                  char *kstr, int klen,
+                                  pem_password_cb *cb, void *u)
+{
+        X509_SIG *p8;
+        PKCS8_PRIV_KEY_INFO *p8inf;
+        char buf[PEM_BUFSIZE];
+        int ret;
+        if(!(p8inf = EVP_PKEY2PKCS8(x))) {
+                PEMerr(PEM_F_PEM_WRITE_BIO_PKCS8PRIVATEKEY,
+                                        PEM_R_ERROR_CONVERTING_PRIVATE_KEY);
+                return 0;
+        }
+        if(enc || (nid != -1)) {
+                if(!kstr) {
+                        if(!cb) klen = PEM_def_callback(buf, PEM_BUFSIZE, 1, u);
+                        else klen = cb(buf, PEM_BUFSIZE, 1, u);
+                        if(klen <= 0) {
+                                PEMerr(PEM_F_PEM_WRITE_BIO_PKCS8PRIVATEKEY,
+                                                                PEM_R_READ_KEY);
+                                PKCS8_PRIV_KEY_INFO_free(p8inf);
+                                return 0;
+                        }
+                                
+                        kstr = buf;
+                }
+                p8 = PKCS8_encrypt(nid, enc, kstr, klen, NULL, 0, 0, p8inf);
+                if(kstr == buf) memset(buf, 0, klen);
+                PKCS8_PRIV_KEY_INFO_free(p8inf);
+                if(isder) ret = i2d_PKCS8_bio(bp, p8);
+                else ret = PEM_write_bio_PKCS8(bp, p8);
+                X509_SIG_free(p8);
+                return ret;
+        } else {
+                if(isder) ret = i2d_PKCS8_PRIV_KEY_INFO_bio(bp, p8inf);
+                else ret = PEM_write_bio_PKCS8_PRIV_KEY_INFO(bp, p8inf);
+                PKCS8_PRIV_KEY_INFO_free(p8inf);
+                return ret;
+        }
+}
+
+EVP_PKEY *d2i_PKCS8PrivateKey_bio(BIO *bp, EVP_PKEY **x, pem_password_cb *cb, void *u)
+{
+        PKCS8_PRIV_KEY_INFO *p8inf = NULL;
+        X509_SIG *p8 = NULL;
+        int klen;
+        EVP_PKEY *ret;
+        char psbuf[PEM_BUFSIZE];
+        p8 = d2i_PKCS8_bio(bp, NULL);
+        if(!p8) return NULL;
+        if (cb) klen=cb(psbuf,PEM_BUFSIZE,0,u);
+        else klen=PEM_def_callback(psbuf,PEM_BUFSIZE,0,u);
+        if (klen <= 0) {
+                PEMerr(PEM_F_D2I_PKCS8PRIVATEKEY_BIO, PEM_R_BAD_PASSWORD_READ);
+                X509_SIG_free(p8);
+                return NULL;    
+        }
+        p8inf = PKCS8_decrypt(p8, psbuf, klen);
+        X509_SIG_free(p8);
+        if(!p8inf) return NULL;
+        ret = EVP_PKCS82PKEY(p8inf);
+        PKCS8_PRIV_KEY_INFO_free(p8inf);
+        if(!ret) return NULL;
+        if(x) {
+                if(*x) EVP_PKEY_free(*x);
+                *x = ret;
+        }
+        return ret;
+}
+
+#ifndef OPENSSL_NO_FP_API
+
+int i2d_PKCS8PrivateKey_fp(FILE *fp, EVP_PKEY *x, const EVP_CIPHER *enc,
+                                  char *kstr, int klen,
+                                  pem_password_cb *cb, void *u)
+{
+        return do_pk8pkey_fp(fp, x, 1, -1, enc, kstr, klen, cb, u);
+}
+
+int i2d_PKCS8PrivateKey_nid_fp(FILE *fp, EVP_PKEY *x, int nid,
+                                  char *kstr, int klen,
+                                  pem_password_cb *cb, void *u)
+{
+        return do_pk8pkey_fp(fp, x, 1, nid, NULL, kstr, klen, cb, u);
+}
+
+int PEM_write_PKCS8PrivateKey_nid(FILE *fp, EVP_PKEY *x, int nid,
+                                  char *kstr, int klen,
+                                  pem_password_cb *cb, void *u)
+{
+        return do_pk8pkey_fp(fp, x, 0, nid, NULL, kstr, klen, cb, u);
+}
+
+int PEM_write_PKCS8PrivateKey(FILE *fp, EVP_PKEY *x, const EVP_CIPHER *enc,
+                              char *kstr, int klen, pem_password_cb *cb, void *u)
+{
+        return do_pk8pkey_fp(fp, x, 0, -1, enc, kstr, klen, cb, u);
+}
+
+static int do_pk8pkey_fp(FILE *fp, EVP_PKEY *x, int isder, int nid, const EVP_CIPHER *enc,
+                                  char *kstr, int klen,
+                                  pem_password_cb *cb, void *u)
+{
+        BIO *bp;
+        int ret;
+        if(!(bp = BIO_new_fp(fp, BIO_NOCLOSE))) {
+                PEMerr(PEM_F_PEM_F_DO_PK8KEY_FP,ERR_R_BUF_LIB);
+                return(0);
+        }
+        ret = do_pk8pkey(bp, x, isder, nid, enc, kstr, klen, cb, u);
+        BIO_free(bp);
+        return ret;
+}
+
+EVP_PKEY *d2i_PKCS8PrivateKey_fp(FILE *fp, EVP_PKEY **x, pem_password_cb *cb, void *u)
+{
+        BIO *bp;
+        EVP_PKEY *ret;
+        if(!(bp = BIO_new_fp(fp, BIO_NOCLOSE))) {
+                PEMerr(PEM_F_D2I_PKCS8PRIVATEKEY_FP,ERR_R_BUF_LIB);
+                return NULL;
+        }
+        ret = d2i_PKCS8PrivateKey_bio(bp, x, cb, u);
+        BIO_free(bp);
+        return ret;
+}
+
+#endif
+
+IMPLEMENT_PEM_rw(PKCS8, X509_SIG, PEM_STRING_PKCS8, X509_SIG)
+IMPLEMENT_PEM_rw(PKCS8_PRIV_KEY_INFO, PKCS8_PRIV_KEY_INFO, PEM_STRING_PKCS8INF,
+                                                         PKCS8_PRIV_KEY_INFO)
diff --git a/src/lib/libcrypto/pem/pem_pkey.c b/src/lib/libcrypto/pem/pem_pkey.c
new file mode 100644
index 0000000000..270892d72b
--- /dev/null
+++ b/src/lib/libcrypto/pem/pem_pkey.c
@@ -0,0 +1,139 @@
+/* crypto/pem/pem_pkey.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/buffer.h>
+#include <openssl/objects.h>
+#include <openssl/evp.h>
+#include <openssl/rand.h>
+#include <openssl/x509.h>
+#include <openssl/pkcs12.h>
+#include <openssl/pem.h>
+
+
+EVP_PKEY *PEM_read_bio_PrivateKey(BIO *bp, EVP_PKEY **x, pem_password_cb *cb, void *u)
+        {
+        char *nm=NULL;
+        unsigned char *p=NULL,*data=NULL;
+        long len;
+        EVP_PKEY *ret=NULL;
+
+        if (!PEM_bytes_read_bio(&data, &len, &nm, PEM_STRING_EVP_PKEY, bp, cb, u))
+                return NULL;
+        p = data;
+
+        if (strcmp(nm,PEM_STRING_RSA) == 0)
+                ret=d2i_PrivateKey(EVP_PKEY_RSA,x,&p,len);
+        else if (strcmp(nm,PEM_STRING_DSA) == 0)
+                ret=d2i_PrivateKey(EVP_PKEY_DSA,x,&p,len);
+        else if (strcmp(nm,PEM_STRING_PKCS8INF) == 0) {
+                PKCS8_PRIV_KEY_INFO *p8inf;
+                p8inf=d2i_PKCS8_PRIV_KEY_INFO(NULL, &p, len);
+                ret = EVP_PKCS82PKEY(p8inf);
+                PKCS8_PRIV_KEY_INFO_free(p8inf);
+        } else if (strcmp(nm,PEM_STRING_PKCS8) == 0) {
+                PKCS8_PRIV_KEY_INFO *p8inf;
+                X509_SIG *p8;
+                int klen;
+                char psbuf[PEM_BUFSIZE];
+                p8 = d2i_X509_SIG(NULL, &p, len);
+                if(!p8) goto p8err;
+                if (cb) klen=cb(psbuf,PEM_BUFSIZE,0,u);
+                else klen=PEM_def_callback(psbuf,PEM_BUFSIZE,0,u);
+                if (klen <= 0) {
+                        PEMerr(PEM_F_PEM_ASN1_READ_BIO,
+                                        PEM_R_BAD_PASSWORD_READ);
+                        goto err;
+                }
+                p8inf = PKCS8_decrypt(p8, psbuf, klen);
+                X509_SIG_free(p8);
+                if(!p8inf) goto p8err;
+                ret = EVP_PKCS82PKEY(p8inf);
+                if(x) {
+                        if(*x) EVP_PKEY_free((EVP_PKEY *)*x);
+                        *x = ret;
+                }
+                PKCS8_PRIV_KEY_INFO_free(p8inf);
+        }
+p8err:
+        if (ret == NULL)
+                PEMerr(PEM_F_PEM_ASN1_READ_BIO,ERR_R_ASN1_LIB);
+err:
+        OPENSSL_free(nm);
+        OPENSSL_free(data);
+        return(ret);
+        }
+
+#ifndef OPENSSL_NO_FP_API
+EVP_PKEY *PEM_read_PrivateKey(FILE *fp, EVP_PKEY **x, pem_password_cb *cb, void *u)
+        {
+        BIO *b;
+        EVP_PKEY *ret;
+
+        if ((b=BIO_new(BIO_s_file())) == NULL)
+                {
+                PEMerr(PEM_F_PEM_ASN1_READ,ERR_R_BUF_LIB);
+                return(0);
+                }
+        BIO_set_fp(b,fp,BIO_NOCLOSE);
+        ret=PEM_read_bio_PrivateKey(b,x,cb,u);
+        BIO_free(b);
+        return(ret);
+        }
+#endif
diff --git a/src/lib/libcrypto/pem/pem_seal.c b/src/lib/libcrypto/pem/pem_seal.c
index 2a6c513348..ae463a301d 100644
--- a/src/lib/libcrypto/pem/pem_seal.c
+++ b/src/lib/libcrypto/pem/pem_seal.c
@@ -56,7 +56,7 @@
  * [including the GNU Public Licence.]
  */
 
-#ifndef NO_RSA
+#ifndef OPENSSL_NO_RSA
 #include <stdio.h>
 #include "cryptlib.h"
 #include <openssl/evp.h>
@@ -91,10 +91,13 @@ int PEM_SealInit(PEM_ENCODE_SEAL_CTX *ctx, EVP_CIPHER *type, EVP_MD *md_type,
                 goto err;
                 }
 
-        EVP_EncodeInit(&(ctx->encode));
-        EVP_SignInit(&(ctx->md),md_type);
+        EVP_EncodeInit(&ctx->encode);
 
-        ret=EVP_SealInit(&(ctx->cipher),type,ek,ekl,iv,pubk,npubk);
+        EVP_MD_CTX_init(&ctx->md);
+        EVP_SignInit(&ctx->md,md_type);
+
+        EVP_CIPHER_CTX_init(&ctx->cipher);
+        ret=EVP_SealInit(&ctx->cipher,type,ek,ekl,iv,pubk,npubk);
         if (!ret) goto err;
 
         /* base64 encode the keys */
@@ -120,7 +123,7 @@ void PEM_SealUpdate(PEM_ENCODE_SEAL_CTX *ctx, unsigned char *out, int *outl,
         int i,j;
 
         *outl=0;
-        EVP_SignUpdate(&(ctx->md),in,inl);
+        EVP_SignUpdate(&ctx->md,in,inl);
         for (;;)
                 {
                 if (inl <= 0) break;
@@ -128,8 +131,8 @@ void PEM_SealUpdate(PEM_ENCODE_SEAL_CTX *ctx, unsigned char *out, int *outl,
                         i=1200;
                 else
                         i=inl;
-                EVP_EncryptUpdate(&(ctx->cipher),buffer,&j,in,i);
-                EVP_EncodeUpdate(&(ctx->encode),out,&j,buffer,j);
+                EVP_EncryptUpdate(&ctx->cipher,buffer,&j,in,i);
+                EVP_EncodeUpdate(&ctx->encode,out,&j,buffer,j);
                 *outl+=j;
                 out+=j;
                 in+=i;
@@ -158,24 +161,24 @@ int PEM_SealFinal(PEM_ENCODE_SEAL_CTX *ctx, unsigned char *sig, int *sigl,
                 goto err;
                 }
 
-        EVP_EncryptFinal(&(ctx->cipher),s,(int *)&i);
-        EVP_EncodeUpdate(&(ctx->encode),out,&j,s,i);
+        EVP_EncryptFinal_ex(&ctx->cipher,s,(int *)&i);
+        EVP_EncodeUpdate(&ctx->encode,out,&j,s,i);
         *outl=j;
         out+=j;
-        EVP_EncodeFinal(&(ctx->encode),out,&j);
+        EVP_EncodeFinal(&ctx->encode,out,&j);
         *outl+=j;
 
-        if (!EVP_SignFinal(&(ctx->md),s,&i,priv)) goto err;
+        if (!EVP_SignFinal(&ctx->md,s,&i,priv)) goto err;
         *sigl=EVP_EncodeBlock(sig,s,i);
 
         ret=1;
 err:
-        memset((char *)&(ctx->md),0,sizeof(ctx->md));
-        memset((char *)&(ctx->cipher),0,sizeof(ctx->cipher));
+        EVP_MD_CTX_cleanup(&ctx->md);
+        EVP_CIPHER_CTX_cleanup(&ctx->cipher);
         if (s != NULL) OPENSSL_free(s);
         return(ret);
         }
-#else /* !NO_RSA */
+#else /* !OPENSSL_NO_RSA */
 
 # if PEDANTIC
 static void *dummy=&dummy;
diff --git a/src/lib/libcrypto/pem/pem_sign.c b/src/lib/libcrypto/pem/pem_sign.c
index 42d598dd78..c3b9808cb2 100644
--- a/src/lib/libcrypto/pem/pem_sign.c
+++ b/src/lib/libcrypto/pem/pem_sign.c
@@ -66,7 +66,7 @@
 
 void PEM_SignInit(EVP_MD_CTX *ctx, EVP_MD *type)
         {
-        EVP_DigestInit(ctx,type);
+        EVP_DigestInit_ex(ctx, type, NULL);
         }
 
 void PEM_SignUpdate(EVP_MD_CTX *ctx, unsigned char *data,
diff --git a/src/lib/libcrypto/pem/pem_x509.c b/src/lib/libcrypto/pem/pem_x509.c
new file mode 100644
index 0000000000..19f88d8d3a
--- /dev/null
+++ b/src/lib/libcrypto/pem/pem_x509.c
@@ -0,0 +1,69 @@
+/* pem_x509.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 2001.
+ */
+/* ====================================================================
+ * Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#undef SSLEAY_MACROS
+#include "cryptlib.h"
+#include <openssl/bio.h>
+#include <openssl/evp.h>
+#include <openssl/x509.h>
+#include <openssl/pkcs7.h>
+#include <openssl/pem.h>
+
+IMPLEMENT_PEM_rw(X509, X509, PEM_STRING_X509, X509)
+
diff --git a/src/lib/libcrypto/pem/pem_xaux.c b/src/lib/libcrypto/pem/pem_xaux.c
new file mode 100644
index 0000000000..2f579b5421
--- /dev/null
+++ b/src/lib/libcrypto/pem/pem_xaux.c
@@ -0,0 +1,68 @@
+/* pem_xaux.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 2001.
+ */
+/* ====================================================================
+ * Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#undef SSLEAY_MACROS
+#include "cryptlib.h"
+#include <openssl/bio.h>
+#include <openssl/evp.h>
+#include <openssl/x509.h>
+#include <openssl/pkcs7.h>
+#include <openssl/pem.h>
+
+IMPLEMENT_PEM_rw(X509_AUX, X509, PEM_STRING_X509_TRUSTED, X509_AUX)
diff --git a/src/lib/libcrypto/perlasm/x86unix.pl b/src/lib/libcrypto/perlasm/x86unix.pl
index 10a7af8bff..9ceabf0705 100644
--- a/src/lib/libcrypto/perlasm/x86unix.pl
+++ b/src/lib/libcrypto/perlasm/x86unix.pl
@@ -3,6 +3,8 @@
 package x86unix;
 
 $label="L000";
+$const="";
+$constl=0;
 
 $align=($main'aout)?"4":"16";
 $under=($main'aout)?"_":"";
@@ -162,6 +164,8 @@ sub main'dec	{ &out1("decl",@_); }
 sub main'inc    { &out1("incl",@_); }
 sub main'push   { &out1("pushl",@_); $stack+=4; }
 sub main'pop    { &out1("popl",@_); $stack-=4; }
+sub main'pushf  { &out0("pushf"); $stack+=4; }
+sub main'popf   { &out0("popf"); $stack-=4; }
 sub main'not    { &out1("notl",@_); }
 sub main'call   { &out1("call",$under.$_[0]); }
 sub main'ret    { &out0("ret"); }
@@ -344,6 +348,7 @@ sub main'function_end
 .${func}_end:
 EOF
         push(@out,$tmp);
+
         if ($main'cpp)
                 { push(@out,"\tSIZE($func,.${func}_end-$func)\n"); }
         elsif ($main'gaswin)
@@ -453,9 +458,87 @@ sub main'set_label
 
 sub main'file_end
         {
+        if ($const ne "")
+                {
+                push(@out,".section .rodata\n");
+                push(@out,$const);
+                $const="";
+                }
         }
 
 sub main'data_word
         {
         push(@out,"\t.long $_[0]\n");
         }
+
+# debug output functions: puts, putx, printf
+
+sub main'puts
+        {
+        &pushvars();
+        &main'push('$Lstring' . ++$constl);
+        &main'call('puts');
+        $stack-=4;
+        &main'add("esp",4);
+        &popvars();
+
+        $const .= "Lstring$constl:\n\t.string \"@_[0]\"\n";
+        }
+
+sub main'putx
+        {
+        &pushvars();
+        &main'push($_[0]);
+        &main'push('$Lstring' . ++$constl);
+        &main'call('printf');
+        &main'add("esp",8);
+        $stack-=8;
+        &popvars();
+
+        $const .= "Lstring$constl:\n\t.string \"\%X\"\n";
+        }
+
+sub main'printf
+        {
+        $ostack = $stack;
+        &pushvars();
+        for ($i = @_ - 1; $i >= 0; $i--)
+                {
+                if ($i == 0) # change this to support %s format strings
+                        {
+                        &main'push('$Lstring' . ++$constl);
+                        $const .= "Lstring$constl:\n\t.string \"@_[$i]\"\n";
+                        }
+                else
+                        {
+                        if ($_[$i] =~ /([0-9]*)\(%esp\)/)
+                                {
+                                &main'push(($1 + $stack - $ostack) . '(%esp)');
+                                }
+                        else
+                                {
+                                &main'push($_[$i]);
+                                }
+                        }
+                }
+        &main'call('printf');
+        $stack-=4*@_;
+        &main'add("esp",4*@_);
+        &popvars();
+        }
+
+sub pushvars
+        {
+        &main'pushf();
+        &main'push("edx");
+        &main'push("ecx");
+        &main'push("eax");
+        }
+
+sub popvars
+        {
+        &main'pop("eax");
+        &main'pop("ecx");
+        &main'pop("edx");
+        &main'popf();
+        }
diff --git a/src/lib/libcrypto/pkcs12/Makefile.ssl b/src/lib/libcrypto/pkcs12/Makefile.ssl
index d745c53621..d62f7eb7dd 100644
--- a/src/lib/libcrypto/pkcs12/Makefile.ssl
+++ b/src/lib/libcrypto/pkcs12/Makefile.ssl
@@ -5,13 +5,14 @@
 DIR=    pkcs12
 TOP=    ../..
 CC=     cc
-INCLUDES= -I.. -I../../include
+INCLUDES= -I.. -I$(TOP) -I../../include
 CFLAG=-g
 INSTALL_PREFIX=
 OPENSSLDIR=     /usr/local/ssl
 INSTALLTOP=/usr/local/ssl
 MAKE=           make -f Makefile.ssl
-MAKEDEPEND=     $(TOP)/util/domd $(TOP)
+MAKEDEPPROG=    makedepend
+MAKEDEPEND=     $(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)
 MAKEFILE=       Makefile.ssl
 AR=             ar r
 
@@ -22,12 +23,12 @@ TEST=
 APPS=
 
 LIB=$(TOP)/libcrypto.a
-LIBSRC= p12_add.c p12_attr.c p12_bags.c p12_crpt.c p12_crt.c p12_decr.c \
-        p12_init.c p12_key.c p12_kiss.c p12_lib.c p12_mac.c p12_mutl.c\
-        p12_sbag.c p12_utl.c p12_npas.c pk12err.c
-LIBOBJ= p12_add.o p12_attr.o p12_bags.o p12_crpt.o p12_crt.o p12_decr.o \
-        p12_init.o p12_key.o p12_kiss.o p12_lib.o p12_mac.o p12_mutl.o\
-        p12_sbag.o p12_utl.o p12_npas.o pk12err.o
+LIBSRC= p12_add.c p12_asn.c p12_attr.c p12_crpt.c p12_crt.c p12_decr.c \
+        p12_init.c p12_key.c p12_kiss.c p12_mutl.c\
+        p12_utl.c p12_npas.c pk12err.c p12_p8d.c p12_p8e.c
+LIBOBJ= p12_add.o p12_asn.o p12_attr.o p12_crpt.o p12_crt.o p12_decr.o \
+        p12_init.o p12_key.o p12_kiss.o p12_mutl.o\
+        p12_utl.o p12_npas.o pk12err.o p12_p8d.o p12_p8e.o
 
 SRC= $(LIBSRC)
 
@@ -45,8 +46,7 @@ all:	lib
 
 lib:    $(LIBOBJ)
         $(AR) $(LIB) $(LIBOBJ)
-        @echo You may get an error following this line.  Please ignore.
-        - $(RANLIB) $(LIB)
+        $(RANLIB) $(LIB) || echo Never mind.
         @touch lib
 
 files:
@@ -85,316 +85,213 @@ clean:
 
 # DO NOT DELETE THIS LINE -- make depend depends on it.
 
-p12_add.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-p12_add.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-p12_add.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-p12_add.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+p12_add.o: ../../e_os.h ../../include/openssl/asn1.h
+p12_add.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+p12_add.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 p12_add.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-p12_add.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-p12_add.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-p12_add.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-p12_add.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-p12_add.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+p12_add.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+p12_add.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 p12_add.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 p12_add.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-p12_add.o: ../../include/openssl/pkcs12.h ../../include/openssl/pkcs7.h
-p12_add.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-p12_add.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-p12_add.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-p12_add.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-p12_add.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-p12_add.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
-p12_attr.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-p12_attr.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-p12_attr.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-p12_attr.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+p12_add.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs12.h
+p12_add.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
+p12_add.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+p12_add.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+p12_add.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+p12_add.o: ../cryptlib.h p12_add.c
+p12_asn.o: ../../e_os.h ../../include/openssl/asn1.h
+p12_asn.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
+p12_asn.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+p12_asn.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
+p12_asn.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+p12_asn.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+p12_asn.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+p12_asn.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+p12_asn.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+p12_asn.o: ../../include/openssl/pkcs12.h ../../include/openssl/pkcs7.h
+p12_asn.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+p12_asn.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+p12_asn.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+p12_asn.o: ../../include/openssl/x509_vfy.h ../cryptlib.h p12_asn.c
+p12_attr.o: ../../e_os.h ../../include/openssl/asn1.h
+p12_attr.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+p12_attr.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 p12_attr.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-p12_attr.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-p12_attr.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-p12_attr.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-p12_attr.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-p12_attr.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+p12_attr.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+p12_attr.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 p12_attr.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 p12_attr.o: ../../include/openssl/opensslconf.h
-p12_attr.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs12.h
-p12_attr.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-p12_attr.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-p12_attr.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-p12_attr.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-p12_attr.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-p12_attr.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-p12_attr.o: ../cryptlib.h
-p12_bags.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
-p12_bags.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-p12_bags.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-p12_bags.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
-p12_bags.o: ../../include/openssl/des.h ../../include/openssl/dh.h
-p12_bags.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
-p12_bags.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-p12_bags.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-p12_bags.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-p12_bags.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-p12_bags.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
-p12_bags.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-p12_bags.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs12.h
-p12_bags.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-p12_bags.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-p12_bags.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-p12_bags.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-p12_bags.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-p12_bags.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-p12_bags.o: ../cryptlib.h
-p12_crpt.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-p12_crpt.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-p12_crpt.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-p12_crpt.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+p12_attr.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+p12_attr.o: ../../include/openssl/pkcs12.h ../../include/openssl/pkcs7.h
+p12_attr.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+p12_attr.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+p12_attr.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+p12_attr.o: ../../include/openssl/x509_vfy.h ../cryptlib.h p12_attr.c
+p12_crpt.o: ../../e_os.h ../../include/openssl/asn1.h
+p12_crpt.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+p12_crpt.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 p12_crpt.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-p12_crpt.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-p12_crpt.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-p12_crpt.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-p12_crpt.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-p12_crpt.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+p12_crpt.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+p12_crpt.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 p12_crpt.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 p12_crpt.o: ../../include/openssl/opensslconf.h
-p12_crpt.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs12.h
-p12_crpt.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-p12_crpt.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-p12_crpt.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-p12_crpt.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-p12_crpt.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-p12_crpt.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-p12_crpt.o: ../cryptlib.h
-p12_crt.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-p12_crt.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-p12_crt.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-p12_crt.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+p12_crpt.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+p12_crpt.o: ../../include/openssl/pkcs12.h ../../include/openssl/pkcs7.h
+p12_crpt.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+p12_crpt.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+p12_crpt.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+p12_crpt.o: ../../include/openssl/x509_vfy.h ../cryptlib.h p12_crpt.c
+p12_crt.o: ../../e_os.h ../../include/openssl/asn1.h
+p12_crt.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+p12_crt.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 p12_crt.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-p12_crt.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-p12_crt.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-p12_crt.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-p12_crt.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-p12_crt.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+p12_crt.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+p12_crt.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 p12_crt.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 p12_crt.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-p12_crt.o: ../../include/openssl/pkcs12.h ../../include/openssl/pkcs7.h
-p12_crt.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-p12_crt.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-p12_crt.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-p12_crt.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-p12_crt.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-p12_crt.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
-p12_decr.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-p12_decr.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-p12_decr.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-p12_decr.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+p12_crt.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs12.h
+p12_crt.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
+p12_crt.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+p12_crt.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+p12_crt.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+p12_crt.o: ../cryptlib.h p12_crt.c
+p12_decr.o: ../../e_os.h ../../include/openssl/asn1.h
+p12_decr.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+p12_decr.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 p12_decr.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-p12_decr.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-p12_decr.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-p12_decr.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-p12_decr.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-p12_decr.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+p12_decr.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+p12_decr.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 p12_decr.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 p12_decr.o: ../../include/openssl/opensslconf.h
-p12_decr.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs12.h
-p12_decr.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-p12_decr.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-p12_decr.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-p12_decr.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-p12_decr.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-p12_decr.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-p12_decr.o: ../cryptlib.h
-p12_init.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-p12_init.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-p12_init.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-p12_init.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+p12_decr.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+p12_decr.o: ../../include/openssl/pkcs12.h ../../include/openssl/pkcs7.h
+p12_decr.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+p12_decr.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+p12_decr.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+p12_decr.o: ../../include/openssl/x509_vfy.h ../cryptlib.h p12_decr.c
+p12_init.o: ../../e_os.h ../../include/openssl/asn1.h
+p12_init.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+p12_init.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 p12_init.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-p12_init.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-p12_init.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-p12_init.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-p12_init.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-p12_init.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+p12_init.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+p12_init.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 p12_init.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 p12_init.o: ../../include/openssl/opensslconf.h
-p12_init.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs12.h
-p12_init.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-p12_init.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-p12_init.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-p12_init.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-p12_init.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-p12_init.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-p12_init.o: ../cryptlib.h
-p12_key.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-p12_key.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-p12_key.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-p12_key.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+p12_init.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+p12_init.o: ../../include/openssl/pkcs12.h ../../include/openssl/pkcs7.h
+p12_init.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+p12_init.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+p12_init.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+p12_init.o: ../../include/openssl/x509_vfy.h ../cryptlib.h p12_init.c
+p12_key.o: ../../e_os.h ../../include/openssl/asn1.h
+p12_key.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+p12_key.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 p12_key.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-p12_key.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-p12_key.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-p12_key.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-p12_key.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-p12_key.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+p12_key.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+p12_key.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 p12_key.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 p12_key.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-p12_key.o: ../../include/openssl/pkcs12.h ../../include/openssl/pkcs7.h
-p12_key.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-p12_key.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-p12_key.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-p12_key.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-p12_key.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-p12_key.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
-p12_kiss.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-p12_kiss.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-p12_kiss.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-p12_kiss.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+p12_key.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs12.h
+p12_key.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
+p12_key.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+p12_key.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+p12_key.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+p12_key.o: ../cryptlib.h p12_key.c
+p12_kiss.o: ../../e_os.h ../../include/openssl/asn1.h
+p12_kiss.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+p12_kiss.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 p12_kiss.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-p12_kiss.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-p12_kiss.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-p12_kiss.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-p12_kiss.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-p12_kiss.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+p12_kiss.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+p12_kiss.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 p12_kiss.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 p12_kiss.o: ../../include/openssl/opensslconf.h
-p12_kiss.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs12.h
-p12_kiss.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-p12_kiss.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-p12_kiss.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-p12_kiss.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-p12_kiss.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-p12_kiss.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-p12_kiss.o: ../cryptlib.h
-p12_lib.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
-p12_lib.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-p12_lib.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-p12_lib.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
-p12_lib.o: ../../include/openssl/des.h ../../include/openssl/dh.h
-p12_lib.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
-p12_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-p12_lib.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-p12_lib.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-p12_lib.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-p12_lib.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
-p12_lib.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-p12_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs12.h
-p12_lib.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-p12_lib.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-p12_lib.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-p12_lib.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-p12_lib.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-p12_lib.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-p12_lib.o: ../cryptlib.h
-p12_mac.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
-p12_mac.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-p12_mac.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-p12_mac.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
-p12_mac.o: ../../include/openssl/des.h ../../include/openssl/dh.h
-p12_mac.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
-p12_mac.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-p12_mac.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-p12_mac.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-p12_mac.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-p12_mac.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
-p12_mac.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-p12_mac.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs12.h
-p12_mac.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-p12_mac.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-p12_mac.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-p12_mac.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-p12_mac.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-p12_mac.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-p12_mac.o: ../cryptlib.h
-p12_mutl.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-p12_mutl.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-p12_mutl.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-p12_mutl.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+p12_kiss.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+p12_kiss.o: ../../include/openssl/pkcs12.h ../../include/openssl/pkcs7.h
+p12_kiss.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+p12_kiss.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+p12_kiss.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+p12_kiss.o: ../../include/openssl/x509_vfy.h ../cryptlib.h p12_kiss.c
+p12_mutl.o: ../../e_os.h ../../include/openssl/asn1.h
+p12_mutl.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+p12_mutl.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 p12_mutl.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-p12_mutl.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-p12_mutl.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-p12_mutl.o: ../../include/openssl/hmac.h ../../include/openssl/idea.h
-p12_mutl.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-p12_mutl.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-p12_mutl.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+p12_mutl.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+p12_mutl.o: ../../include/openssl/evp.h ../../include/openssl/hmac.h
+p12_mutl.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
 p12_mutl.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-p12_mutl.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs12.h
-p12_mutl.o: ../../include/openssl/pkcs7.h ../../include/openssl/rand.h
-p12_mutl.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-p12_mutl.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-p12_mutl.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-p12_mutl.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-p12_mutl.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-p12_mutl.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
+p12_mutl.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+p12_mutl.o: ../../include/openssl/pkcs12.h ../../include/openssl/pkcs7.h
+p12_mutl.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h
+p12_mutl.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+p12_mutl.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+p12_mutl.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+p12_mutl.o: ../cryptlib.h p12_mutl.c
 p12_npas.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-p12_npas.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-p12_npas.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-p12_npas.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-p12_npas.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-p12_npas.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-p12_npas.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-p12_npas.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-p12_npas.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-p12_npas.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+p12_npas.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+p12_npas.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
+p12_npas.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+p12_npas.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+p12_npas.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
 p12_npas.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-p12_npas.o: ../../include/openssl/opensslv.h ../../include/openssl/pem.h
-p12_npas.o: ../../include/openssl/pem2.h ../../include/openssl/pkcs12.h
-p12_npas.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-p12_npas.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-p12_npas.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-p12_npas.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-p12_npas.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-p12_npas.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-p12_sbag.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
-p12_sbag.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-p12_sbag.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-p12_sbag.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
-p12_sbag.o: ../../include/openssl/des.h ../../include/openssl/dh.h
-p12_sbag.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
-p12_sbag.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-p12_sbag.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-p12_sbag.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-p12_sbag.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-p12_sbag.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
-p12_sbag.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-p12_sbag.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs12.h
-p12_sbag.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-p12_sbag.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-p12_sbag.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-p12_sbag.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-p12_sbag.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-p12_sbag.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-p12_sbag.o: ../cryptlib.h
-p12_utl.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-p12_utl.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-p12_utl.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-p12_utl.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+p12_npas.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+p12_npas.o: ../../include/openssl/pem.h ../../include/openssl/pem2.h
+p12_npas.o: ../../include/openssl/pkcs12.h ../../include/openssl/pkcs7.h
+p12_npas.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+p12_npas.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+p12_npas.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+p12_npas.o: ../../include/openssl/x509_vfy.h p12_npas.c
+p12_p8d.o: ../../e_os.h ../../include/openssl/asn1.h
+p12_p8d.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+p12_p8d.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+p12_p8d.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+p12_p8d.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+p12_p8d.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+p12_p8d.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+p12_p8d.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+p12_p8d.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs12.h
+p12_p8d.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
+p12_p8d.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+p12_p8d.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+p12_p8d.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+p12_p8d.o: ../cryptlib.h p12_p8d.c
+p12_p8e.o: ../../e_os.h ../../include/openssl/asn1.h
+p12_p8e.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+p12_p8e.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+p12_p8e.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+p12_p8e.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+p12_p8e.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+p12_p8e.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+p12_p8e.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+p12_p8e.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs12.h
+p12_p8e.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
+p12_p8e.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+p12_p8e.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+p12_p8e.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+p12_p8e.o: ../cryptlib.h p12_p8e.c
+p12_utl.o: ../../e_os.h ../../include/openssl/asn1.h
+p12_utl.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+p12_utl.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 p12_utl.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-p12_utl.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-p12_utl.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-p12_utl.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-p12_utl.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-p12_utl.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+p12_utl.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+p12_utl.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 p12_utl.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 p12_utl.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-p12_utl.o: ../../include/openssl/pkcs12.h ../../include/openssl/pkcs7.h
-p12_utl.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-p12_utl.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-p12_utl.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-p12_utl.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-p12_utl.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-p12_utl.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
+p12_utl.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs12.h
+p12_utl.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
+p12_utl.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+p12_utl.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+p12_utl.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+p12_utl.o: ../cryptlib.h p12_utl.c
 pk12err.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-pk12err.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-pk12err.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-pk12err.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-pk12err.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-pk12err.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-pk12err.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-pk12err.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-pk12err.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-pk12err.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+pk12err.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+pk12err.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
+pk12err.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+pk12err.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+pk12err.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
 pk12err.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-pk12err.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs12.h
-pk12err.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-pk12err.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-pk12err.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-pk12err.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-pk12err.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-pk12err.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+pk12err.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+pk12err.o: ../../include/openssl/pkcs12.h ../../include/openssl/pkcs7.h
+pk12err.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+pk12err.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+pk12err.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+pk12err.o: ../../include/openssl/x509_vfy.h pk12err.c
diff --git a/src/lib/libcrypto/pkcs12/p12_add.c b/src/lib/libcrypto/pkcs12/p12_add.c
index b563656895..1909f28506 100644
--- a/src/lib/libcrypto/pkcs12/p12_add.c
+++ b/src/lib/libcrypto/pkcs12/p12_add.c
@@ -62,21 +62,21 @@
 
 /* Pack an object into an OCTET STRING and turn into a safebag */
 
-PKCS12_SAFEBAG *PKCS12_pack_safebag (char *obj, int (*i2d)(), int nid1,
+PKCS12_SAFEBAG *PKCS12_item_pack_safebag(void *obj, const ASN1_ITEM *it, int nid1,
              int nid2)
 {
         PKCS12_BAGS *bag;
         PKCS12_SAFEBAG *safebag;
-        if (!(bag = PKCS12_BAGS_new ())) {
+        if (!(bag = PKCS12_BAGS_new())) {
                 PKCS12err(PKCS12_F_PKCS12_PACK_SAFEBAG, ERR_R_MALLOC_FAILURE);
                 return NULL;
         }
         bag->type = OBJ_nid2obj(nid1);
-        if (!ASN1_pack_string(obj, i2d, &bag->value.octet)) {
+        if (!ASN1_item_pack(obj, it, &bag->value.octet)) {
                 PKCS12err(PKCS12_F_PKCS12_PACK_SAFEBAG, ERR_R_MALLOC_FAILURE);
                 return NULL;
         }
-        if (!(safebag = PKCS12_SAFEBAG_new ())) {
+        if (!(safebag = PKCS12_SAFEBAG_new())) {
                 PKCS12err(PKCS12_F_PKCS12_PACK_SAFEBAG, ERR_R_MALLOC_FAILURE);
                 return NULL;
         }
@@ -87,7 +87,7 @@ PKCS12_SAFEBAG *PKCS12_pack_safebag (char *obj, int (*i2d)(), int nid1,
 
 /* Turn PKCS8 object into a keybag */
 
-PKCS12_SAFEBAG *PKCS12_MAKE_KEYBAG (PKCS8_PRIV_KEY_INFO *p8)
+PKCS12_SAFEBAG *PKCS12_MAKE_KEYBAG(PKCS8_PRIV_KEY_INFO *p8)
 {
         PKCS12_SAFEBAG *bag;
         if (!(bag = PKCS12_SAFEBAG_new())) {
@@ -101,14 +101,14 @@ PKCS12_SAFEBAG *PKCS12_MAKE_KEYBAG (PKCS8_PRIV_KEY_INFO *p8)
 
 /* Turn PKCS8 object into a shrouded keybag */
 
-PKCS12_SAFEBAG *PKCS12_MAKE_SHKEYBAG (int pbe_nid, const char *pass,
+PKCS12_SAFEBAG *PKCS12_MAKE_SHKEYBAG(int pbe_nid, const char *pass,
              int passlen, unsigned char *salt, int saltlen, int iter,
              PKCS8_PRIV_KEY_INFO *p8)
 {
         PKCS12_SAFEBAG *bag;
 
         /* Set up the safe bag */
-        if (!(bag = PKCS12_SAFEBAG_new ())) {
+        if (!(bag = PKCS12_SAFEBAG_new())) {
                 PKCS12err(PKCS12_F_PKCS12_MAKE_SHKEYBAG, ERR_R_MALLOC_FAILURE);
                 return NULL;
         }
@@ -125,7 +125,7 @@ PKCS12_SAFEBAG *PKCS12_MAKE_SHKEYBAG (int pbe_nid, const char *pass,
 }
 
 /* Turn a stack of SAFEBAGS into a PKCS#7 data Contentinfo */
-PKCS7 *PKCS12_pack_p7data (STACK_OF(PKCS12_SAFEBAG) *sk)
+PKCS7 *PKCS12_pack_p7data(STACK_OF(PKCS12_SAFEBAG) *sk)
 {
         PKCS7 *p7;
         if (!(p7 = PKCS7_new())) {
@@ -138,18 +138,23 @@ PKCS7 *PKCS12_pack_p7data (STACK_OF(PKCS12_SAFEBAG) *sk)
                 return NULL;
         }
         
-        if (!ASN1_seq_pack_PKCS12_SAFEBAG(sk, i2d_PKCS12_SAFEBAG,
-                                          &p7->d.data->data,
-                                          &p7->d.data->length)) {
+        if (!ASN1_item_pack(sk, ASN1_ITEM_rptr(PKCS12_SAFEBAGS), &p7->d.data)) {
                 PKCS12err(PKCS12_F_PKCS12_PACK_P7DATA, PKCS12_R_CANT_PACK_STRUCTURE);
                 return NULL;
         }
         return p7;
 }
 
+/* Unpack SAFEBAGS from PKCS#7 data ContentInfo */
+STACK_OF(PKCS12_SAFEBAG) *PKCS12_unpack_p7data(PKCS7 *p7)
+{
+        if(!PKCS7_type_is_data(p7)) return NULL;
+        return ASN1_item_unpack(p7->d.data, ASN1_ITEM_rptr(PKCS12_SAFEBAGS));
+}
+
 /* Turn a stack of SAFEBAGS into a PKCS#7 encrypted data ContentInfo */
 
-PKCS7 *PKCS12_pack_p7encdata (int pbe_nid, const char *pass, int passlen,
+PKCS7 *PKCS12_pack_p7encdata(int pbe_nid, const char *pass, int passlen,
                               unsigned char *salt, int saltlen, int iter,
                               STACK_OF(PKCS12_SAFEBAG) *bags)
 {
@@ -164,7 +169,7 @@ PKCS7 *PKCS12_pack_p7encdata (int pbe_nid, const char *pass, int passlen,
                                 PKCS12_R_ERROR_SETTING_ENCRYPTED_DATA_TYPE);
                 return NULL;
         }
-        if (!(pbe = PKCS5_pbe_set (pbe_nid, iter, salt, saltlen))) {
+        if (!(pbe = PKCS5_pbe_set(pbe_nid, iter, salt, saltlen))) {
                 PKCS12err(PKCS12_F_PKCS12_PACK_P7ENCDATA, ERR_R_MALLOC_FAILURE);
                 return NULL;
         }
@@ -172,8 +177,8 @@ PKCS7 *PKCS12_pack_p7encdata (int pbe_nid, const char *pass, int passlen,
         p7->d.encrypted->enc_data->algorithm = pbe;
         M_ASN1_OCTET_STRING_free(p7->d.encrypted->enc_data->enc_data);
         if (!(p7->d.encrypted->enc_data->enc_data =
-        PKCS12_i2d_encrypt (pbe, i2d_PKCS12_SAFEBAG, pass, passlen,
-                                 (char *)bags, 1))) {
+        PKCS12_item_i2d_encrypt(pbe, ASN1_ITEM_rptr(PKCS12_SAFEBAGS), pass, passlen,
+                                 bags, 1))) {
                 PKCS12err(PKCS12_F_PKCS12_PACK_P7ENCDATA, PKCS12_R_ENCRYPT_ERROR);
                 return NULL;
         }
@@ -181,38 +186,30 @@ PKCS7 *PKCS12_pack_p7encdata (int pbe_nid, const char *pass, int passlen,
         return p7;
 }
 
-X509_SIG *PKCS8_encrypt(int pbe_nid, const EVP_CIPHER *cipher,
-                         const char *pass, int passlen,
-                         unsigned char *salt, int saltlen, int iter,
-                                                PKCS8_PRIV_KEY_INFO *p8inf)
+STACK_OF(PKCS12_SAFEBAG) *PKCS12_unpack_p7encdata(PKCS7 *p7, const char *pass, int passlen)
 {
-        X509_SIG *p8;
-        X509_ALGOR *pbe;
-
-        if (!(p8 = X509_SIG_new())) {
-                PKCS12err(PKCS12_F_PKCS8_ENCRYPT, ERR_R_MALLOC_FAILURE);
-                goto err;
-        }
+        if(!PKCS7_type_is_encrypted(p7)) return NULL;
+        return PKCS12_item_decrypt_d2i(p7->d.encrypted->enc_data->algorithm,
+                                   ASN1_ITEM_rptr(PKCS12_SAFEBAGS),
+                                   pass, passlen,
+                                   p7->d.encrypted->enc_data->enc_data, 1);
+}
 
-        if(pbe_nid == -1) pbe = PKCS5_pbe2_set(cipher, iter, salt, saltlen);
-        else pbe = PKCS5_pbe_set(pbe_nid, iter, salt, saltlen);
-        if(!pbe) {
-                PKCS12err(PKCS12_F_PKCS8_ENCRYPT, ERR_R_ASN1_LIB);
-                goto err;
-        }
-        X509_ALGOR_free(p8->algor);
-        p8->algor = pbe;
-        M_ASN1_OCTET_STRING_free(p8->digest);
-        if (!(p8->digest = 
-        PKCS12_i2d_encrypt (pbe, i2d_PKCS8_PRIV_KEY_INFO, pass, passlen,
-                                                 (char *)p8inf, 0))) {
-                PKCS12err(PKCS12_F_PKCS8_ENCRYPT, PKCS12_R_ENCRYPT_ERROR);
-                goto err;
-        }
+PKCS8_PRIV_KEY_INFO *PKCS12_decrypt_skey(PKCS12_SAFEBAG *bag, const char *pass,
+                                                                int passlen)
+{
+        return PKCS8_decrypt(bag->value.shkeybag, pass, passlen);
+}
 
-        return p8;
+int PKCS12_pack_authsafes(PKCS12 *p12, STACK_OF(PKCS7) *safes) 
+{
+        if(ASN1_item_pack(safes, ASN1_ITEM_rptr(PKCS12_AUTHSAFES),
+                &p12->authsafes->d.data)) 
+                        return 1;
+        return 0;
+}
 
-        err:
-        X509_SIG_free(p8);
-        return NULL;
+STACK_OF(PKCS7) *PKCS12_unpack_authsafes(PKCS12 *p12)
+{
+        return ASN1_item_unpack(p12->authsafes->d.data, ASN1_ITEM_rptr(PKCS12_AUTHSAFES));
 }
diff --git a/src/lib/libcrypto/pkcs12/p12_asn.c b/src/lib/libcrypto/pkcs12/p12_asn.c
new file mode 100644
index 0000000000..c327bdba03
--- /dev/null
+++ b/src/lib/libcrypto/pkcs12/p12_asn.c
@@ -0,0 +1,125 @@
+/* p12_asn.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/asn1t.h>
+#include <openssl/pkcs12.h>
+
+/* PKCS#12 ASN1 module */
+
+ASN1_SEQUENCE(PKCS12) = {
+        ASN1_SIMPLE(PKCS12, version, ASN1_INTEGER),
+        ASN1_SIMPLE(PKCS12, authsafes, PKCS7),
+        ASN1_OPT(PKCS12, mac, PKCS12_MAC_DATA)
+} ASN1_SEQUENCE_END(PKCS12)
+
+IMPLEMENT_ASN1_FUNCTIONS(PKCS12)
+
+ASN1_SEQUENCE(PKCS12_MAC_DATA) = {
+        ASN1_SIMPLE(PKCS12_MAC_DATA, dinfo, X509_SIG),
+        ASN1_SIMPLE(PKCS12_MAC_DATA, salt, ASN1_OCTET_STRING),
+        ASN1_OPT(PKCS12_MAC_DATA, iter, ASN1_INTEGER)
+} ASN1_SEQUENCE_END(PKCS12_MAC_DATA)
+
+IMPLEMENT_ASN1_FUNCTIONS(PKCS12_MAC_DATA)
+
+ASN1_ADB_TEMPLATE(bag_default) = ASN1_EXP(PKCS12_BAGS, value.other, ASN1_ANY, 0);
+
+ASN1_ADB(PKCS12_BAGS) = {
+        ADB_ENTRY(NID_x509Certificate, ASN1_EXP(PKCS12_BAGS, value.x509cert, ASN1_OCTET_STRING, 0)),
+        ADB_ENTRY(NID_x509Certificate, ASN1_EXP(PKCS12_BAGS, value.x509crl, ASN1_OCTET_STRING, 0)),
+        ADB_ENTRY(NID_x509Certificate, ASN1_EXP(PKCS12_BAGS, value.sdsicert, ASN1_IA5STRING, 0)),
+} ASN1_ADB_END(PKCS12_BAGS, 0, type, 0, &bag_default_tt, NULL);
+
+ASN1_SEQUENCE(PKCS12_BAGS) = {
+        ASN1_SIMPLE(PKCS12_BAGS, type, ASN1_OBJECT),
+        ASN1_ADB_OBJECT(PKCS12_BAGS),
+} ASN1_SEQUENCE_END(PKCS12_BAGS)
+
+IMPLEMENT_ASN1_FUNCTIONS(PKCS12_BAGS)
+
+ASN1_ADB_TEMPLATE(safebag_default) = ASN1_EXP(PKCS12_SAFEBAG, value.other, ASN1_ANY, 0);
+
+ASN1_ADB(PKCS12_SAFEBAG) = {
+        ADB_ENTRY(NID_keyBag, ASN1_EXP(PKCS12_SAFEBAG, value.keybag, PKCS8_PRIV_KEY_INFO, 0)),
+        ADB_ENTRY(NID_pkcs8ShroudedKeyBag, ASN1_EXP(PKCS12_SAFEBAG, value.keybag, X509_SIG, 0)),
+        ADB_ENTRY(NID_safeContentsBag, ASN1_EXP_SET_OF(PKCS12_SAFEBAG, value.safes, PKCS12_SAFEBAG, 0)),
+        ADB_ENTRY(NID_certBag, ASN1_EXP(PKCS12_SAFEBAG, value.bag, PKCS12_BAGS, 0)),
+        ADB_ENTRY(NID_crlBag, ASN1_EXP(PKCS12_SAFEBAG, value.bag, PKCS12_BAGS, 0)),
+        ADB_ENTRY(NID_secretBag, ASN1_EXP(PKCS12_SAFEBAG, value.bag, PKCS12_BAGS, 0))
+} ASN1_ADB_END(PKCS12_SAFEBAG, 0, type, 0, &safebag_default_tt, NULL);
+
+ASN1_SEQUENCE(PKCS12_SAFEBAG) = {
+        ASN1_SIMPLE(PKCS12_SAFEBAG, type, ASN1_OBJECT),
+        ASN1_ADB_OBJECT(PKCS12_SAFEBAG),
+        ASN1_SET_OF_OPT(PKCS12_SAFEBAG, attrib, X509_ATTRIBUTE)
+} ASN1_SEQUENCE_END(PKCS12_SAFEBAG)
+
+IMPLEMENT_ASN1_FUNCTIONS(PKCS12_SAFEBAG)
+
+/* SEQUENCE OF SafeBag */
+ASN1_ITEM_TEMPLATE(PKCS12_SAFEBAGS) = 
+        ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, PKCS12_SAFEBAGS, PKCS12_SAFEBAG)
+ASN1_ITEM_TEMPLATE_END(PKCS12_SAFEBAGS)
+
+/* Authsafes: SEQUENCE OF PKCS7 */
+ASN1_ITEM_TEMPLATE(PKCS12_AUTHSAFES) = 
+        ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, PKCS12_AUTHSAFES, PKCS7)
+ASN1_ITEM_TEMPLATE_END(PKCS12_AUTHSAFES)
+
diff --git a/src/lib/libcrypto/pkcs12/p12_attr.c b/src/lib/libcrypto/pkcs12/p12_attr.c
index a16a97d03d..026cf3826a 100644
--- a/src/lib/libcrypto/pkcs12/p12_attr.c
+++ b/src/lib/libcrypto/pkcs12/p12_attr.c
@@ -62,156 +62,63 @@
 
 /* Add a local keyid to a safebag */
 
-int PKCS12_add_localkeyid (PKCS12_SAFEBAG *bag, unsigned char *name,
+int PKCS12_add_localkeyid(PKCS12_SAFEBAG *bag, unsigned char *name,
              int namelen)
 {
-        X509_ATTRIBUTE *attrib;
-        ASN1_BMPSTRING *oct;
-        ASN1_TYPE *keyid;
-        if (!(keyid = ASN1_TYPE_new ())) {
-                PKCS12err(PKCS12_F_PKCS12_ADD_LOCALKEYID, ERR_R_MALLOC_FAILURE);
-                return 0;
-        }
-        keyid->type = V_ASN1_OCTET_STRING;
-        if (!(oct = M_ASN1_OCTET_STRING_new())) {
-                PKCS12err(PKCS12_F_PKCS12_ADD_LOCALKEYID, ERR_R_MALLOC_FAILURE);
-                return 0;
-        }
-        if (!M_ASN1_OCTET_STRING_set(oct, name, namelen)) {
-                PKCS12err(PKCS12_F_PKCS12_ADD_LOCALKEYID, ERR_R_MALLOC_FAILURE);
-                return 0;
-        }
-        keyid->value.octet_string = oct;
-        if (!(attrib = X509_ATTRIBUTE_new ())) {
-                PKCS12err(PKCS12_F_PKCS12_ADD_LOCALKEYID, ERR_R_MALLOC_FAILURE);
-                return 0;
-        }
-        attrib->object = OBJ_nid2obj(NID_localKeyID);
-        if (!(attrib->value.set = sk_ASN1_TYPE_new_null())) {
-                PKCS12err(PKCS12_F_PKCS12_ADD_LOCALKEYID, ERR_R_MALLOC_FAILURE);
-                return 0;
-        }
-        sk_ASN1_TYPE_push (attrib->value.set,keyid);
-        attrib->set = 1;
-        if (!bag->attrib && !(bag->attrib = sk_X509_ATTRIBUTE_new_null ())) {
-                PKCS12err(PKCS12_F_PKCS12_ADD_LOCALKEYID, ERR_R_MALLOC_FAILURE);
+        if (X509at_add1_attr_by_NID(&bag->attrib, NID_localKeyID,
+                                V_ASN1_OCTET_STRING, name, namelen))
+                return 1;
+        else 
                 return 0;
-        }
-        sk_X509_ATTRIBUTE_push (bag->attrib, attrib);
-        return 1;
 }
 
 /* Add key usage to PKCS#8 structure */
 
-int PKCS8_add_keyusage (PKCS8_PRIV_KEY_INFO *p8, int usage)
+int PKCS8_add_keyusage(PKCS8_PRIV_KEY_INFO *p8, int usage)
 {
-        X509_ATTRIBUTE *attrib;
-        ASN1_BIT_STRING *bstr;
-        ASN1_TYPE *keyid;
         unsigned char us_val;
         us_val = (unsigned char) usage;
-        if (!(keyid = ASN1_TYPE_new ())) {
-                PKCS12err(PKCS12_F_PKCS8_ADD_KEYUSAGE, ERR_R_MALLOC_FAILURE);
-                return 0;
-        }
-        keyid->type = V_ASN1_BIT_STRING;
-        if (!(bstr = M_ASN1_BIT_STRING_new())) {
-                PKCS12err(PKCS12_F_PKCS8_ADD_KEYUSAGE, ERR_R_MALLOC_FAILURE);
-                return 0;
-        }
-        if (!M_ASN1_BIT_STRING_set(bstr, &us_val, 1)) {
-                PKCS12err(PKCS12_F_PKCS8_ADD_KEYUSAGE, ERR_R_MALLOC_FAILURE);
-                return 0;
-        }
-        keyid->value.bit_string = bstr;
-        if (!(attrib = X509_ATTRIBUTE_new ())) {
-                PKCS12err(PKCS12_F_PKCS8_ADD_KEYUSAGE, ERR_R_MALLOC_FAILURE);
-                return 0;
-        }
-        attrib->object = OBJ_nid2obj(NID_key_usage);
-        if (!(attrib->value.set = sk_ASN1_TYPE_new_null())) {
-                PKCS12err(PKCS12_F_PKCS8_ADD_KEYUSAGE, ERR_R_MALLOC_FAILURE);
+        if (X509at_add1_attr_by_NID(&p8->attributes, NID_key_usage,
+                                V_ASN1_BIT_STRING, &us_val, 1))
+                return 1;
+        else
                 return 0;
-        }
-        sk_ASN1_TYPE_push (attrib->value.set,keyid);
-        attrib->set = 1;
-        if (!p8->attributes
-            && !(p8->attributes = sk_X509_ATTRIBUTE_new_null ())) {
-                PKCS12err(PKCS12_F_PKCS8_ADD_KEYUSAGE, ERR_R_MALLOC_FAILURE);
-                return 0;
-        }
-        sk_X509_ATTRIBUTE_push (p8->attributes, attrib);
-        return 1;
 }
 
 /* Add a friendlyname to a safebag */
 
-int PKCS12_add_friendlyname_asc (PKCS12_SAFEBAG *bag, const char *name,
+int PKCS12_add_friendlyname_asc(PKCS12_SAFEBAG *bag, const char *name,
                                  int namelen)
 {
-        unsigned char *uniname;
-        int ret, unilen;
-        if (!asc2uni(name, namelen, &uniname, &unilen)) {
-                PKCS12err(PKCS12_F_PKCS12_ADD_FRIENDLYNAME_ASC,
-                                                        ERR_R_MALLOC_FAILURE);
+        if (X509at_add1_attr_by_NID(&bag->attrib, NID_friendlyName,
+                                MBSTRING_ASC, (unsigned char *)name, namelen))
+                return 1;
+        else
                 return 0;
-        }
-        ret = PKCS12_add_friendlyname_uni (bag, uniname, unilen);
-        OPENSSL_free(uniname);
-        return ret;
 }
-        
 
-int PKCS12_add_friendlyname_uni (PKCS12_SAFEBAG *bag,
+
+int PKCS12_add_friendlyname_uni(PKCS12_SAFEBAG *bag,
                                  const unsigned char *name, int namelen)
 {
-        X509_ATTRIBUTE *attrib;
-        ASN1_BMPSTRING *bmp;
-        ASN1_TYPE *fname;
-        /* Zap ending double null if included */
-        if(!name[namelen - 1] && !name[namelen - 2]) namelen -= 2;
-        if (!(fname = ASN1_TYPE_new ())) {
-                PKCS12err(PKCS12_F_PKCS12_ADD_FRIENDLYNAME_UNI,
-                                                        ERR_R_MALLOC_FAILURE);
-                return 0;
-        }
-        fname->type = V_ASN1_BMPSTRING;
-        if (!(bmp = M_ASN1_BMPSTRING_new())) {
-                PKCS12err(PKCS12_F_PKCS12_ADD_FRIENDLYNAME_UNI,
-                                                        ERR_R_MALLOC_FAILURE);
-                return 0;
-        }
-        if (!(bmp->data = OPENSSL_malloc (namelen))) {
-                PKCS12err(PKCS12_F_PKCS12_ADD_FRIENDLYNAME_UNI,
-                                                        ERR_R_MALLOC_FAILURE);
+        if (X509at_add1_attr_by_NID(&bag->attrib, NID_friendlyName,
+                                MBSTRING_BMP, name, namelen))
+                return 1;
+        else
                 return 0;
-        }
-        memcpy (bmp->data, name, namelen);
-        bmp->length = namelen;
-        fname->value.bmpstring = bmp;
-        if (!(attrib = X509_ATTRIBUTE_new ())) {
-                PKCS12err(PKCS12_F_PKCS12_ADD_FRIENDLYNAME_UNI,
-                                                        ERR_R_MALLOC_FAILURE);
-                return 0;
-        }
-        attrib->object = OBJ_nid2obj(NID_friendlyName);
-        if (!(attrib->value.set = sk_ASN1_TYPE_new_null())) {
-                PKCS12err(PKCS12_F_PKCS12_ADD_FRIENDLYNAME,
-                                                        ERR_R_MALLOC_FAILURE);
-                return 0;
-        }
-        sk_ASN1_TYPE_push (attrib->value.set,fname);
-        attrib->set = 1;
-        if (!bag->attrib && !(bag->attrib = sk_X509_ATTRIBUTE_new_null ())) {
-                PKCS12err(PKCS12_F_PKCS12_ADD_FRIENDLYNAME_UNI,
-                                                        ERR_R_MALLOC_FAILURE);
+}
+
+int PKCS12_add_CSPName_asc(PKCS12_SAFEBAG *bag, const char *name,
+                                 int namelen)
+{
+        if (X509at_add1_attr_by_NID(&bag->attrib, NID_ms_csp_name,
+                                MBSTRING_ASC, (unsigned char *)name, namelen))
+                return 1;
+        else
                 return 0;
-        }
-        sk_X509_ATTRIBUTE_push (bag->attrib, attrib);
-        return PKCS12_OK;
 }
 
-ASN1_TYPE *PKCS12_get_attr_gen (STACK_OF(X509_ATTRIBUTE) *attrs, int attr_nid)
+ASN1_TYPE *PKCS12_get_attr_gen(STACK_OF(X509_ATTRIBUTE) *attrs, int attr_nid)
 {
         X509_ATTRIBUTE *attrib;
         int i;
diff --git a/src/lib/libcrypto/pkcs12/p12_crpt.c b/src/lib/libcrypto/pkcs12/p12_crpt.c
index 7b96584f07..97be6a5fb5 100644
--- a/src/lib/libcrypto/pkcs12/p12_crpt.c
+++ b/src/lib/libcrypto/pkcs12/p12_crpt.c
@@ -64,19 +64,19 @@
 
 void PKCS12_PBE_add(void)
 {
-#ifndef NO_RC4
+#ifndef OPENSSL_NO_RC4
 EVP_PBE_alg_add(NID_pbe_WithSHA1And128BitRC4, EVP_rc4(), EVP_sha1(),
                                                          PKCS12_PBE_keyivgen);
 EVP_PBE_alg_add(NID_pbe_WithSHA1And40BitRC4, EVP_rc4_40(), EVP_sha1(),
                                                          PKCS12_PBE_keyivgen);
 #endif
-#ifndef NO_DES
+#ifndef OPENSSL_NO_DES
 EVP_PBE_alg_add(NID_pbe_WithSHA1And3_Key_TripleDES_CBC,
                         EVP_des_ede3_cbc(), EVP_sha1(), PKCS12_PBE_keyivgen);
 EVP_PBE_alg_add(NID_pbe_WithSHA1And2_Key_TripleDES_CBC, 
                         EVP_des_ede_cbc(), EVP_sha1(), PKCS12_PBE_keyivgen);
 #endif
-#ifndef NO_RC2
+#ifndef OPENSSL_NO_RC2
 EVP_PBE_alg_add(NID_pbe_WithSHA1And128BitRC2_CBC, EVP_rc2_cbc(),
                                         EVP_sha1(), PKCS12_PBE_keyivgen);
 EVP_PBE_alg_add(NID_pbe_WithSHA1And40BitRC2_CBC, EVP_rc2_40_cbc(),
@@ -85,7 +85,7 @@ EVP_PBE_alg_add(NID_pbe_WithSHA1And40BitRC2_CBC, EVP_rc2_40_cbc(),
 }
 
 int PKCS12_PBE_keyivgen (EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
-                ASN1_TYPE *param, EVP_CIPHER *cipher, EVP_MD *md, int en_de)
+                ASN1_TYPE *param, const EVP_CIPHER *cipher, const EVP_MD *md, int en_de)
 {
         PBEPARAM *pbe;
         int saltlen, iter;
@@ -117,7 +117,7 @@ int PKCS12_PBE_keyivgen (EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
                 return 0;
         }
         PBEPARAM_free(pbe);
-        EVP_CipherInit(ctx, cipher, key, iv, en_de);
+        EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, en_de);
         memset(key, 0, EVP_MAX_KEY_LENGTH);
         memset(iv, 0, EVP_MAX_IV_LENGTH);
         return 1;
diff --git a/src/lib/libcrypto/pkcs12/p12_crt.c b/src/lib/libcrypto/pkcs12/p12_crt.c
index a8f7b48882..4c36c643ce 100644
--- a/src/lib/libcrypto/pkcs12/p12_crt.c
+++ b/src/lib/libcrypto/pkcs12/p12_crt.c
@@ -94,7 +94,7 @@ PKCS12 *PKCS12_create(char *pass, char *name, EVP_PKEY *pkey, X509 *cert,
         }
 
         /* Add user certificate */
-        if(!(bag = M_PKCS12_x5092certbag(cert))) return NULL;
+        if(!(bag = PKCS12_x5092certbag(cert))) return NULL;
         if(name && !PKCS12_add_friendlyname(bag, name, -1)) return NULL;
         X509_digest(cert, EVP_sha1(), keyid, &keyidlen);
         if(!PKCS12_add_localkeyid(bag, keyid, keyidlen)) return NULL;
@@ -108,7 +108,7 @@ PKCS12 *PKCS12_create(char *pass, char *name, EVP_PKEY *pkey, X509 *cert,
         if(ca) {
                 for(i = 0; i < sk_X509_num(ca); i++) {
                         tcert = sk_X509_value(ca, i);
-                        if(!(bag = M_PKCS12_x5092certbag(tcert))) return NULL;
+                        if(!(bag = PKCS12_x5092certbag(tcert))) return NULL;
                         if(!sk_PKCS12_SAFEBAG_push(bags, bag)) {
                                 PKCS12err(PKCS12_F_PKCS12_CREATE,ERR_R_MALLOC_FAILURE);
                                 return NULL;
@@ -152,7 +152,7 @@ PKCS12 *PKCS12_create(char *pass, char *name, EVP_PKEY *pkey, X509 *cert,
 
         if(!(p12 = PKCS12_init (NID_pkcs7_data))) return NULL;
 
-        if(!M_PKCS12_pack_authsafes (p12, safes)) return NULL;
+        if(!PKCS12_pack_authsafes (p12, safes)) return NULL;
 
         sk_PKCS7_pop_free(safes, PKCS7_free);
 
diff --git a/src/lib/libcrypto/pkcs12/p12_decr.c b/src/lib/libcrypto/pkcs12/p12_decr.c
index 8cd7e2f414..394af368f4 100644
--- a/src/lib/libcrypto/pkcs12/p12_decr.c
+++ b/src/lib/libcrypto/pkcs12/p12_decr.c
@@ -68,7 +68,7 @@
  * OPENSSL_malloc'ed buffer
  */
 
-unsigned char * PKCS12_pbe_crypt (X509_ALGOR *algor, const char *pass,
+unsigned char * PKCS12_pbe_crypt(X509_ALGOR *algor, const char *pass,
              int passlen, unsigned char *in, int inlen, unsigned char **data,
              int *datalen, int en_de)
 {
@@ -76,47 +76,48 @@ unsigned char * PKCS12_pbe_crypt (X509_ALGOR *algor, const char *pass,
         int outlen, i;
         EVP_CIPHER_CTX ctx;
 
+        EVP_CIPHER_CTX_init(&ctx);
         /* Decrypt data */
-        if (!EVP_PBE_CipherInit (algor->algorithm, pass, passlen,
+        if (!EVP_PBE_CipherInit(algor->algorithm, pass, passlen,
                                          algor->parameter, &ctx, en_de)) {
                 PKCS12err(PKCS12_F_PKCS12_PBE_CRYPT,PKCS12_R_PKCS12_ALGOR_CIPHERINIT_ERROR);
                 return NULL;
         }
 
-        if(!(out = OPENSSL_malloc (inlen + EVP_CIPHER_CTX_block_size(&ctx)))) {
+        if(!(out = OPENSSL_malloc(inlen + EVP_CIPHER_CTX_block_size(&ctx)))) {
                 PKCS12err(PKCS12_F_PKCS12_PBE_CRYPT,ERR_R_MALLOC_FAILURE);
-                return NULL;
+                goto err;
         }
 
-        EVP_CipherUpdate (&ctx, out, &i, in, inlen);
+        EVP_CipherUpdate(&ctx, out, &i, in, inlen);
         outlen = i;
-        if(!EVP_CipherFinal (&ctx, out + i, &i)) {
-                OPENSSL_free (out);
+        if(!EVP_CipherFinal_ex(&ctx, out + i, &i)) {
+                OPENSSL_free(out);
+                out = NULL;
                 PKCS12err(PKCS12_F_PKCS12_PBE_CRYPT,PKCS12_R_PKCS12_CIPHERFINAL_ERROR);
-                return NULL;
+                goto err;
         }
         outlen += i;
         if (datalen) *datalen = outlen;
         if (data) *data = out;
+        err:
+        EVP_CIPHER_CTX_cleanup(&ctx);
         return out;
 
 }
 
 /* Decrypt an OCTET STRING and decode ASN1 structure 
- * if seq & 1 'obj' is a stack of structures to be encoded
- * if seq & 2 zero buffer after use
- * as a sequence.
+ * if zbuf set zero buffer after use.
  */
 
-char * PKCS12_decrypt_d2i (X509_ALGOR *algor, char * (*d2i)(),
-             void (*free_func)(void *), const char *pass, int passlen,
-             ASN1_OCTET_STRING *oct, int seq)
+void * PKCS12_item_decrypt_d2i(X509_ALGOR *algor, const ASN1_ITEM *it,
+             const char *pass, int passlen, ASN1_OCTET_STRING *oct, int zbuf)
 {
         unsigned char *out, *p;
-        char *ret;
+        void *ret;
         int outlen;
 
-        if (!PKCS12_pbe_crypt (algor, pass, passlen, oct->data, oct->length,
+        if (!PKCS12_pbe_crypt(algor, pass, passlen, oct->data, oct->length,
                                &out, &outlen, 0)) {
                 PKCS12err(PKCS12_F_PKCS12_DECRYPT_D2I,PKCS12_R_PKCS12_PBE_CRYPT_ERROR);
                 return NULL;
@@ -134,53 +135,41 @@ char * PKCS12_decrypt_d2i (X509_ALGOR *algor, char * (*d2i)(),
                 fclose(op);
         }
 #endif
-        if (seq & 1) ret = (char *) d2i_ASN1_SET(NULL, &p, outlen, d2i,
-                                free_func, V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL);
-        else ret = d2i(NULL, &p, outlen);
-        if (seq & 2) memset(out, 0, outlen);
+        ret = ASN1_item_d2i(NULL, &p, outlen, it);
+        if (zbuf) memset(out, 0, outlen);
         if(!ret) PKCS12err(PKCS12_F_PKCS12_DECRYPT_D2I,PKCS12_R_DECODE_ERROR);
-        OPENSSL_free (out);
+        OPENSSL_free(out);
         return ret;
 }
 
 /* Encode ASN1 structure and encrypt, return OCTET STRING 
- * if 'seq' is non-zero 'obj' is a stack of structures to be encoded
- * as a sequence
+ * if zbuf set zero encoding.
  */
 
-ASN1_OCTET_STRING *PKCS12_i2d_encrypt (X509_ALGOR *algor, int (*i2d)(),
+ASN1_OCTET_STRING *PKCS12_item_i2d_encrypt(X509_ALGOR *algor, const ASN1_ITEM *it,
                                        const char *pass, int passlen,
-                                       char *obj, int seq)
+                                       void *obj, int zbuf)
 {
         ASN1_OCTET_STRING *oct;
-        unsigned char *in, *p;
+        unsigned char *in = NULL;
         int inlen;
         if (!(oct = M_ASN1_OCTET_STRING_new ())) {
                 PKCS12err(PKCS12_F_PKCS12_I2D_ENCRYPT,ERR_R_MALLOC_FAILURE);
                 return NULL;
         }
-        if (seq) inlen = i2d_ASN1_SET((STACK *)obj, NULL, i2d, V_ASN1_SEQUENCE,
-                                                 V_ASN1_UNIVERSAL, IS_SEQUENCE);
-        else inlen = i2d (obj, NULL);
-        if (!inlen) {
+        inlen = ASN1_item_i2d(obj, &in, it);
+        if (!in) {
                 PKCS12err(PKCS12_F_PKCS12_I2D_ENCRYPT,PKCS12_R_ENCODE_ERROR);
                 return NULL;
         }
-        if (!(in = OPENSSL_malloc (inlen))) {
-                PKCS12err(PKCS12_F_PKCS12_I2D_ENCRYPT,ERR_R_MALLOC_FAILURE);
-                return NULL;
-        }
-        p = in;
-        if (seq) i2d_ASN1_SET((STACK *)obj, &p, i2d, V_ASN1_SEQUENCE,
-                                                 V_ASN1_UNIVERSAL, IS_SEQUENCE);
-        else i2d (obj, &p);
-        if (!PKCS12_pbe_crypt (algor, pass, passlen, in, inlen, &oct->data,
+        if (!PKCS12_pbe_crypt(algor, pass, passlen, in, inlen, &oct->data,
                                  &oct->length, 1)) {
                 PKCS12err(PKCS12_F_PKCS12_I2D_ENCRYPT,PKCS12_R_ENCRYPT_ERROR);
                 OPENSSL_free(in);
                 return NULL;
         }
-        OPENSSL_free (in);
+        if (zbuf) memset(in, 0, inlen);
+        OPENSSL_free(in);
         return oct;
 }
 
diff --git a/src/lib/libcrypto/pkcs12/p12_init.c b/src/lib/libcrypto/pkcs12/p12_init.c
index d5d4884c82..eb837a78cf 100644
--- a/src/lib/libcrypto/pkcs12/p12_init.c
+++ b/src/lib/libcrypto/pkcs12/p12_init.c
@@ -69,15 +69,7 @@ PKCS12 *PKCS12_init (int mode)
                 PKCS12err(PKCS12_F_PKCS12_INIT,ERR_R_MALLOC_FAILURE);
                 return NULL;
         }
-        if (!(pkcs12->version = M_ASN1_INTEGER_new ())) {
-                PKCS12err(PKCS12_F_PKCS12_INIT,ERR_R_MALLOC_FAILURE);
-                return NULL;
-        }
         ASN1_INTEGER_set(pkcs12->version, 3);
-        if (!(pkcs12->authsafes = PKCS7_new())) {
-                PKCS12err(PKCS12_F_PKCS12_INIT,ERR_R_MALLOC_FAILURE);
-                return NULL;
-        }
         pkcs12->authsafes->type = OBJ_nid2obj(mode);
         switch (mode) {
                 case NID_pkcs7_data:
diff --git a/src/lib/libcrypto/pkcs12/p12_key.c b/src/lib/libcrypto/pkcs12/p12_key.c
index a4fd5b98ec..0d39ebde8c 100644
--- a/src/lib/libcrypto/pkcs12/p12_key.c
+++ b/src/lib/libcrypto/pkcs12/p12_key.c
@@ -118,6 +118,7 @@ int PKCS12_key_gen_uni(unsigned char *pass, int passlen, unsigned char *salt,
         }
 #endif
 
+        EVP_MD_CTX_init(&ctx);
 #ifdef  DEBUG_KEYGEN
         fprintf(stderr, "KEYGEN DEBUG\n");
         fprintf(stderr, "ID %d, ITER %d\n", id, iter);
@@ -147,14 +148,14 @@ int PKCS12_key_gen_uni(unsigned char *pass, int passlen, unsigned char *salt,
         for (i = 0; i < Slen; i++) *p++ = salt[i % saltlen];
         for (i = 0; i < Plen; i++) *p++ = pass[i % passlen];
         for (;;) {
-                EVP_DigestInit (&ctx, md_type);
-                EVP_DigestUpdate (&ctx, D, v);
-                EVP_DigestUpdate (&ctx, I, Ilen);
-                EVP_DigestFinal (&ctx, Ai, NULL);
+                EVP_DigestInit_ex(&ctx, md_type, NULL);
+                EVP_DigestUpdate(&ctx, D, v);
+                EVP_DigestUpdate(&ctx, I, Ilen);
+                EVP_DigestFinal_ex(&ctx, Ai, NULL);
                 for (j = 1; j < iter; j++) {
-                        EVP_DigestInit (&ctx, md_type);
-                        EVP_DigestUpdate (&ctx, Ai, u);
-                        EVP_DigestFinal (&ctx, Ai, NULL);
+                        EVP_DigestInit_ex(&ctx, md_type, NULL);
+                        EVP_DigestUpdate(&ctx, Ai, u);
+                        EVP_DigestFinal_ex(&ctx, Ai, NULL);
                 }
                 memcpy (out, Ai, min (n, u));
                 if (u >= n) {
@@ -164,6 +165,7 @@ int PKCS12_key_gen_uni(unsigned char *pass, int passlen, unsigned char *salt,
                         OPENSSL_free (I);
                         BN_free (Ij);
                         BN_free (Bpl1);
+                        EVP_MD_CTX_cleanup(&ctx);
 #ifdef DEBUG_KEYGEN
                         fprintf(stderr, "Output KEY (length %d)\n", tmpn);
                         h__dump(tmpout, tmpn);
diff --git a/src/lib/libcrypto/pkcs12/p12_kiss.c b/src/lib/libcrypto/pkcs12/p12_kiss.c
index 5d67f19b45..885087ad00 100644
--- a/src/lib/libcrypto/pkcs12/p12_kiss.c
+++ b/src/lib/libcrypto/pkcs12/p12_kiss.c
@@ -151,14 +151,14 @@ static int parse_pk12 (PKCS12 *p12, const char *pass, int passlen,
         ASN1_OCTET_STRING *keyid = NULL;
 
         char keymatch = 0;
-        if (!( asafes = M_PKCS12_unpack_authsafes (p12))) return 0;
+        if (!(asafes = PKCS12_unpack_authsafes (p12))) return 0;
         for (i = 0; i < sk_PKCS7_num (asafes); i++) {
                 p7 = sk_PKCS7_value (asafes, i);
                 bagnid = OBJ_obj2nid (p7->type);
                 if (bagnid == NID_pkcs7_data) {
-                        bags = M_PKCS12_unpack_p7data(p7);
+                        bags = PKCS12_unpack_p7data(p7);
                 } else if (bagnid == NID_pkcs7_encrypted) {
-                        bags = M_PKCS12_unpack_p7encdata(p7, pass, passlen);
+                        bags = PKCS12_unpack_p7encdata(p7, pass, passlen);
                 } else continue;
                 if (!bags) {
                         sk_PKCS7_pop_free(asafes, PKCS7_free);
@@ -237,7 +237,7 @@ static int parse_bag(PKCS12_SAFEBAG *bag, const char *pass, int passlen,
 
         case NID_pkcs8ShroudedKeyBag:
                 if (!lkey || !pkey) return 1;   
-                if (!(p8 = M_PKCS12_decrypt_skey(bag, pass, passlen)))
+                if (!(p8 = PKCS12_decrypt_skey(bag, pass, passlen)))
                                 return 0;
                 *pkey = EVP_PKCS82PKEY(p8);
                 PKCS8_PRIV_KEY_INFO_free(p8);
@@ -248,7 +248,7 @@ static int parse_bag(PKCS12_SAFEBAG *bag, const char *pass, int passlen,
         case NID_certBag:
                 if (M_PKCS12_cert_bag_type(bag) != NID_x509Certificate )
                                                                  return 1;
-                if (!(x509 = M_PKCS12_certbag2x509(bag))) return 0;
+                if (!(x509 = PKCS12_certbag2x509(bag))) return 0;
                 if(ckid) X509_keyid_set1(x509, ckid->data, ckid->length);
                 if(fname) {
                         int len;
diff --git a/src/lib/libcrypto/pkcs12/p12_mutl.c b/src/lib/libcrypto/pkcs12/p12_mutl.c
index 13d866da51..0fb67f74b8 100644
--- a/src/lib/libcrypto/pkcs12/p12_mutl.c
+++ b/src/lib/libcrypto/pkcs12/p12_mutl.c
@@ -56,7 +56,7 @@
  *
  */
 
-#ifndef NO_HMAC
+#ifndef OPENSSL_NO_HMAC
 #include <stdio.h>
 #include "cryptlib.h"
 #include <openssl/hmac.h>
@@ -71,6 +71,7 @@ int PKCS12_gen_mac (PKCS12 *p12, const char *pass, int passlen,
         HMAC_CTX hmac;
         unsigned char key[PKCS12_MAC_KEY_LENGTH], *salt;
         int saltlen, iter;
+
         salt = p12->mac->salt->data;
         saltlen = p12->mac->salt->length;
         if (!p12->mac->iter) iter = 1;
@@ -85,10 +86,12 @@ int PKCS12_gen_mac (PKCS12 *p12, const char *pass, int passlen,
                 PKCS12err(PKCS12_F_PKCS12_GEN_MAC,PKCS12_R_KEY_GEN_ERROR);
                 return 0;
         }
-        HMAC_Init (&hmac, key, PKCS12_MAC_KEY_LENGTH, md_type);
-        HMAC_Update (&hmac, p12->authsafes->d.data->data,
+        HMAC_CTX_init(&hmac);
+        HMAC_Init_ex(&hmac, key, PKCS12_MAC_KEY_LENGTH, md_type, NULL);
+        HMAC_Update(&hmac, p12->authsafes->d.data->data,
                                          p12->authsafes->d.data->length);
-        HMAC_Final (&hmac, mac, maclen);
+        HMAC_Final(&hmac, mac, maclen);
+        HMAC_CTX_cleanup(&hmac);
         return 1;
 }
 
@@ -113,7 +116,7 @@ int PKCS12_verify_mac (PKCS12 *p12, const char *pass, int passlen)
 /* Set a mac */
 
 int PKCS12_set_mac (PKCS12 *p12, const char *pass, int passlen,
-             unsigned char *salt, int saltlen, int iter, EVP_MD *md_type)
+             unsigned char *salt, int saltlen, int iter, const EVP_MD *md_type)
 {
         unsigned char mac[EVP_MAX_MD_SIZE];
         unsigned int maclen;
@@ -137,7 +140,7 @@ int PKCS12_set_mac (PKCS12 *p12, const char *pass, int passlen,
 
 /* Set up a mac structure */
 int PKCS12_setup_mac (PKCS12 *p12, int iter, unsigned char *salt, int saltlen,
-             EVP_MD *md_type)
+             const EVP_MD *md_type)
 {
         if (!(p12->mac = PKCS12_MAC_DATA_new())) return PKCS12_ERROR;
         if (iter > 1) {
diff --git a/src/lib/libcrypto/pkcs12/p12_npas.c b/src/lib/libcrypto/pkcs12/p12_npas.c
index 84e31a7f21..a549433eeb 100644
--- a/src/lib/libcrypto/pkcs12/p12_npas.c
+++ b/src/lib/libcrypto/pkcs12/p12_npas.c
@@ -113,15 +113,15 @@ static int newpass_p12(PKCS12 *p12, char *oldpass, char *newpass)
         unsigned char mac[EVP_MAX_MD_SIZE];
         unsigned int maclen;
 
-        if (!(asafes = M_PKCS12_unpack_authsafes(p12))) return 0;
+        if (!(asafes = PKCS12_unpack_authsafes(p12))) return 0;
         if(!(newsafes = sk_PKCS7_new_null())) return 0;
         for (i = 0; i < sk_PKCS7_num (asafes); i++) {
                 p7 = sk_PKCS7_value(asafes, i);
                 bagnid = OBJ_obj2nid(p7->type);
                 if (bagnid == NID_pkcs7_data) {
-                        bags = M_PKCS12_unpack_p7data(p7);
+                        bags = PKCS12_unpack_p7data(p7);
                 } else if (bagnid == NID_pkcs7_encrypted) {
-                        bags = M_PKCS12_unpack_p7encdata(p7, oldpass, -1);
+                        bags = PKCS12_unpack_p7encdata(p7, oldpass, -1);
                         alg_get(p7->d.encrypted->enc_data->algorithm,
                                 &pbe_nid, &pbe_iter, &pbe_saltlen);
                 } else continue;
@@ -151,7 +151,7 @@ static int newpass_p12(PKCS12 *p12, char *oldpass, char *newpass)
 
         p12_data_tmp = p12->authsafes->d.data;
         if(!(p12->authsafes->d.data = ASN1_OCTET_STRING_new())) goto saferr;
-        if(!M_PKCS12_pack_authsafes(p12, newsafes)) goto saferr;
+        if(!PKCS12_pack_authsafes(p12, newsafes)) goto saferr;
 
         if(!PKCS12_gen_mac(p12, newpass, -1, mac, &maclen)) goto saferr;
         if(!(macnew = ASN1_OCTET_STRING_new())) goto saferr;
@@ -194,7 +194,7 @@ static int newpass_bag(PKCS12_SAFEBAG *bag, char *oldpass, char *newpass)
 
         if(M_PKCS12_bag_type(bag) != NID_pkcs8ShroudedKeyBag) return 1;
 
-        if (!(p8 = M_PKCS12_decrypt_skey(bag, oldpass, -1))) return 0;
+        if (!(p8 = PKCS8_decrypt(bag->value.shkeybag, oldpass, -1))) return 0;
         alg_get(bag->value.shkeybag->algor, &p8_nid, &p8_iter, &p8_saltlen);
         if(!(p8new = PKCS8_encrypt(p8_nid, NULL, newpass, -1, NULL, p8_saltlen,
                                                      p8_iter, p8))) return 0;
diff --git a/src/lib/libcrypto/pkcs12/p12_p8d.c b/src/lib/libcrypto/pkcs12/p12_p8d.c
new file mode 100644
index 0000000000..3c6f377933
--- /dev/null
+++ b/src/lib/libcrypto/pkcs12/p12_p8d.c
@@ -0,0 +1,68 @@
+/* p12_p8d.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 2001.
+ */
+/* ====================================================================
+ * Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/pkcs12.h>
+
+PKCS8_PRIV_KEY_INFO *PKCS8_decrypt(X509_SIG *p8, const char *pass, int passlen)
+{
+        return PKCS12_item_decrypt_d2i(p8->algor, ASN1_ITEM_rptr(PKCS8_PRIV_KEY_INFO), pass,
+                                        passlen, p8->digest, 1);
+}
+
diff --git a/src/lib/libcrypto/pkcs12/p12_p8e.c b/src/lib/libcrypto/pkcs12/p12_p8e.c
new file mode 100644
index 0000000000..3d47956652
--- /dev/null
+++ b/src/lib/libcrypto/pkcs12/p12_p8e.c
@@ -0,0 +1,97 @@
+/* p12_p8e.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 2001.
+ */
+/* ====================================================================
+ * Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/pkcs12.h>
+
+X509_SIG *PKCS8_encrypt(int pbe_nid, const EVP_CIPHER *cipher,
+                         const char *pass, int passlen,
+                         unsigned char *salt, int saltlen, int iter,
+                                                PKCS8_PRIV_KEY_INFO *p8inf)
+{
+        X509_SIG *p8 = NULL;
+        X509_ALGOR *pbe;
+
+        if (!(p8 = X509_SIG_new())) {
+                PKCS12err(PKCS12_F_PKCS8_ENCRYPT, ERR_R_MALLOC_FAILURE);
+                goto err;
+        }
+
+        if(pbe_nid == -1) pbe = PKCS5_pbe2_set(cipher, iter, salt, saltlen);
+        else pbe = PKCS5_pbe_set(pbe_nid, iter, salt, saltlen);
+        if(!pbe) {
+                PKCS12err(PKCS12_F_PKCS8_ENCRYPT, ERR_R_ASN1_LIB);
+                goto err;
+        }
+        X509_ALGOR_free(p8->algor);
+        p8->algor = pbe;
+        M_ASN1_OCTET_STRING_free(p8->digest);
+        p8->digest = PKCS12_item_i2d_encrypt(pbe, ASN1_ITEM_rptr(PKCS8_PRIV_KEY_INFO),
+                                        pass, passlen, p8inf, 1);
+        if(!p8->digest) {
+                PKCS12err(PKCS12_F_PKCS8_ENCRYPT, PKCS12_R_ENCRYPT_ERROR);
+                goto err;
+        }
+
+        return p8;
+
+        err:
+        X509_SIG_free(p8);
+        return NULL;
+}
diff --git a/src/lib/libcrypto/pkcs12/p12_utl.c b/src/lib/libcrypto/pkcs12/p12_utl.c
index 2f1d1e534f..243ec76be9 100644
--- a/src/lib/libcrypto/pkcs12/p12_utl.c
+++ b/src/lib/libcrypto/pkcs12/p12_utl.c
@@ -97,26 +97,50 @@ char *uni2asc(unsigned char *uni, int unilen)
 
 int i2d_PKCS12_bio(BIO *bp, PKCS12 *p12)
 {
-        return ASN1_i2d_bio((int(*)())i2d_PKCS12, bp, (unsigned char *)p12);
+        return ASN1_item_i2d_bio(ASN1_ITEM_rptr(PKCS12), bp, p12);
 }
 
-#ifndef NO_FP_API
+#ifndef OPENSSL_NO_FP_API
 int i2d_PKCS12_fp(FILE *fp, PKCS12 *p12)
 {
-        return ASN1_i2d_fp((int(*)())i2d_PKCS12, fp, (unsigned char *)p12);
+        return ASN1_item_i2d_fp(ASN1_ITEM_rptr(PKCS12), fp, p12);
 }
 #endif
 
 PKCS12 *d2i_PKCS12_bio(BIO *bp, PKCS12 **p12)
 {
-        return (PKCS12 *)ASN1_d2i_bio((char *(*)())PKCS12_new,
-         (char *(*)())d2i_PKCS12, bp, (unsigned char **)p12);
+        return ASN1_item_d2i_bio(ASN1_ITEM_rptr(PKCS12), bp, p12);
 }
-#ifndef NO_FP_API
+#ifndef OPENSSL_NO_FP_API
 PKCS12 *d2i_PKCS12_fp(FILE *fp, PKCS12 **p12)
 {
-        return (PKCS12 *)ASN1_d2i_fp((char *(*)())PKCS12_new, 
-         (char *(*)())d2i_PKCS12, fp, (unsigned char **)(p12));
+        return ASN1_item_d2i_fp(ASN1_ITEM_rptr(PKCS12), fp, p12);
 }
 #endif
 
+PKCS12_SAFEBAG *PKCS12_x5092certbag(X509 *x509)
+{
+        return PKCS12_item_pack_safebag(x509, ASN1_ITEM_rptr(X509),
+                        NID_x509Certificate, NID_certBag);
+}
+
+PKCS12_SAFEBAG *PKCS12_x509crl2certbag(X509_CRL *crl)
+{
+        return PKCS12_item_pack_safebag(crl, ASN1_ITEM_rptr(X509_CRL),
+                        NID_x509Crl, NID_crlBag);
+}
+
+X509 *PKCS12_certbag2x509(PKCS12_SAFEBAG *bag)
+{
+        if(M_PKCS12_bag_type(bag) != NID_certBag) return NULL;
+        if(M_PKCS12_cert_bag_type(bag) != NID_x509Certificate) return NULL;
+        return ASN1_item_unpack(bag->value.bag->value.octet, ASN1_ITEM_rptr(X509));
+}
+
+X509_CRL *PKCS12_certbag2x509crl(PKCS12_SAFEBAG *bag)
+{
+        if(M_PKCS12_bag_type(bag) != NID_crlBag) return NULL;
+        if(M_PKCS12_cert_bag_type(bag) != NID_x509Crl) return NULL;
+        return ASN1_item_unpack(bag->value.bag->value.octet,
+                                                        ASN1_ITEM_rptr(X509_CRL));
+}
diff --git a/src/lib/libcrypto/pkcs12/pk12err.c b/src/lib/libcrypto/pkcs12/pk12err.c
index 12db54f49e..10ab80502c 100644
--- a/src/lib/libcrypto/pkcs12/pk12err.c
+++ b/src/lib/libcrypto/pkcs12/pk12err.c
@@ -63,7 +63,7 @@
 #include <openssl/pkcs12.h>
 
 /* BEGIN ERROR CODES */
-#ifndef NO_ERR
+#ifndef OPENSSL_NO_ERR
 static ERR_STRING_DATA PKCS12_str_functs[]=
         {
 {ERR_PACK(0,PKCS12_F_PARSE_BAGS,0),     "PARSE_BAGS"},
@@ -130,7 +130,7 @@ void ERR_load_PKCS12_strings(void)
         if (init)
                 {
                 init=0;
-#ifndef NO_ERR
+#ifndef OPENSSL_NO_ERR
                 ERR_load_strings(ERR_LIB_PKCS12,PKCS12_str_functs);
                 ERR_load_strings(ERR_LIB_PKCS12,PKCS12_str_reasons);
 #endif
diff --git a/src/lib/libcrypto/pkcs12/pkcs12.h b/src/lib/libcrypto/pkcs12/pkcs12.h
index e529154f26..1786b6d4f3 100644
--- a/src/lib/libcrypto/pkcs12/pkcs12.h
+++ b/src/lib/libcrypto/pkcs12/pkcs12.h
@@ -120,7 +120,6 @@ union {
         ASN1_TYPE *other;
 }value;
 STACK_OF(X509_ATTRIBUTE) *attrib;
-ASN1_TYPE *rest;
 } PKCS12_SAFEBAG;
 
 DECLARE_STACK_OF(PKCS12_SAFEBAG)
@@ -141,55 +140,25 @@ union {
 #define PKCS12_ERROR    0
 #define PKCS12_OK       1
 
-#define M_PKCS12_bag_type(bag) OBJ_obj2nid(bag->type)
-#define M_PKCS12_cert_bag_type(bag) OBJ_obj2nid(bag->value.bag->type)
-#define M_PKCS12_crl_bag_type M_PKCS12_cert_bag_type
-
-#define M_PKCS12_x5092certbag(x509) \
-PKCS12_pack_safebag((char *)(x509), i2d_X509, NID_x509Certificate, NID_certBag)
-
-#define M_PKCS12_x509crl2certbag(crl) \
-PKCS12_pack_safebag((char *)(crl), i2d_X509CRL, NID_x509Crl, NID_crlBag)
-
-#define M_PKCS12_certbag2x509(bg) \
-(X509 *) ASN1_unpack_string((bg)->value.bag->value.octet, \
-(char *(*)())d2i_X509)
+/* Compatibility macros */
 
-#define M_PKCS12_certbag2x509crl(bg) \
-(X509CRL *) ASN1_unpack_string((bg)->value.bag->value.octet, \
-(char *(*)())d2i_X509CRL)
+#define M_PKCS12_x5092certbag PKCS12_x5092certbag
+#define M_PKCS12_x509crl2certbag PKCS12_x509crl2certbag
 
-/*#define M_PKCS12_pkcs82rsa(p8) \
-(RSA *) ASN1_unpack_string((p8)->pkey, (char *(*)())d2i_RSAPrivateKey)*/
+#define M_PKCS12_certbag2x509 PKCS12_certbag2x509
+#define M_PKCS12_certbag2x509crl PKCS12_certbag2x509crl 
 
-#define M_PKCS12_unpack_p7data(p7) \
-ASN1_seq_unpack_PKCS12_SAFEBAG((p7)->d.data->data, p7->d.data->length, \
-                                d2i_PKCS12_SAFEBAG, PKCS12_SAFEBAG_free)
+#define M_PKCS12_unpack_p7data PKCS12_unpack_p7data
+#define M_PKCS12_pack_authsafes PKCS12_pack_authsafes
+#define M_PKCS12_unpack_authsafes PKCS12_unpack_authsafes
+#define M_PKCS12_unpack_p7encdata PKCS12_unpack_p7encdata
 
-#define M_PKCS12_pack_authsafes(p12, safes) \
-ASN1_seq_pack_PKCS7((safes), i2d_PKCS7,\
-        &(p12)->authsafes->d.data->data, &(p12)->authsafes->d.data->length)
+#define M_PKCS12_decrypt_skey PKCS12_decrypt_skey
+#define M_PKCS8_decrypt PKCS8_decrypt
 
-#define M_PKCS12_unpack_authsafes(p12) \
-ASN1_seq_unpack_PKCS7((p12)->authsafes->d.data->data, \
-                (p12)->authsafes->d.data->length, d2i_PKCS7, PKCS7_free)
-
-#define M_PKCS12_unpack_p7encdata(p7, pass, passlen) \
-PKCS12_decrypt_d2i_PKCS12_SAFEBAG((p7)->d.encrypted->enc_data->algorithm,\
-                                   d2i_PKCS12_SAFEBAG, PKCS12_SAFEBAG_free, \
-                                   (pass), (passlen), \
-                                   (p7)->d.encrypted->enc_data->enc_data, 3)
-
-#define M_PKCS12_decrypt_skey(bag, pass, passlen) \
-(PKCS8_PRIV_KEY_INFO *) PKCS12_decrypt_d2i((bag)->value.shkeybag->algor, \
-(char *(*)())d2i_PKCS8_PRIV_KEY_INFO, (void (*)(void *))PKCS8_PRIV_KEY_INFO_free, \
-                                                (pass), (passlen), \
-                         (bag)->value.shkeybag->digest, 2)
-
-#define M_PKCS8_decrypt(p8, pass, passlen) \
-(PKCS8_PRIV_KEY_INFO *) PKCS12_decrypt_d2i((p8)->algor, \
-(char *(*)())d2i_PKCS8_PRIV_KEY_INFO, (void (*)(void *))PKCS8_PRIV_KEY_INFO_free,\
-                         (pass), (passlen), (p8)->digest, 2)
+#define M_PKCS12_bag_type(bag) OBJ_obj2nid(bag->type)
+#define M_PKCS12_cert_bag_type(bag) OBJ_obj2nid(bag->value.bag->type)
+#define M_PKCS12_crl_bag_type M_PKCS12_cert_bag_type
 
 #define PKCS12_get_attr(bag, attr_nid) \
                          PKCS12_get_attr_gen(bag->attrib, attr_nid)
@@ -200,8 +169,17 @@ PKCS12_decrypt_d2i_PKCS12_SAFEBAG((p7)->d.encrypted->enc_data->algorithm,\
 #define PKCS12_mac_present(p12) ((p12)->mac ? 1 : 0)
 
 
-PKCS12_SAFEBAG *PKCS12_pack_safebag(char *obj, int (*i2d)(), int nid1, int nid2);
+PKCS12_SAFEBAG *PKCS12_x5092certbag(X509 *x509);
+PKCS12_SAFEBAG *PKCS12_x509crl2certbag(X509_CRL *crl);
+X509 *PKCS12_certbag2x509(PKCS12_SAFEBAG *bag);
+X509_CRL *PKCS12_certbag2x509crl(PKCS12_SAFEBAG *bag);
+
+PKCS12_SAFEBAG *PKCS12_item_pack_safebag(void *obj, const ASN1_ITEM *it, int nid1,
+             int nid2);
 PKCS12_SAFEBAG *PKCS12_MAKE_KEYBAG(PKCS8_PRIV_KEY_INFO *p8);
+PKCS8_PRIV_KEY_INFO *PKCS8_decrypt(X509_SIG *p8, const char *pass, int passlen);
+PKCS8_PRIV_KEY_INFO *PKCS12_decrypt_skey(PKCS12_SAFEBAG *bag, const char *pass,
+                                                                int passlen);
 X509_SIG *PKCS8_encrypt(int pbe_nid, const EVP_CIPHER *cipher, 
                         const char *pass, int passlen,
                         unsigned char *salt, int saltlen, int iter,
@@ -211,12 +189,20 @@ PKCS12_SAFEBAG *PKCS12_MAKE_SHKEYBAG(int pbe_nid, const char *pass,
                                      int saltlen, int iter,
                                      PKCS8_PRIV_KEY_INFO *p8);
 PKCS7 *PKCS12_pack_p7data(STACK_OF(PKCS12_SAFEBAG) *sk);
+STACK_OF(PKCS12_SAFEBAG) *PKCS12_unpack_p7data(PKCS7 *p7);
 PKCS7 *PKCS12_pack_p7encdata(int pbe_nid, const char *pass, int passlen,
                              unsigned char *salt, int saltlen, int iter,
                              STACK_OF(PKCS12_SAFEBAG) *bags);
+STACK_OF(PKCS12_SAFEBAG) *PKCS12_unpack_p7encdata(PKCS7 *p7, const char *pass, int passlen);
+
+int PKCS12_pack_authsafes(PKCS12 *p12, STACK_OF(PKCS7) *safes);
+STACK_OF(PKCS7) *PKCS12_unpack_authsafes(PKCS12 *p12);
+
 int PKCS12_add_localkeyid(PKCS12_SAFEBAG *bag, unsigned char *name, int namelen);
 int PKCS12_add_friendlyname_asc(PKCS12_SAFEBAG *bag, const char *name,
                                 int namelen);
+int PKCS12_add_CSPName_asc(PKCS12_SAFEBAG *bag, const char *name,
+                                int namelen);
 int PKCS12_add_friendlyname_uni(PKCS12_SAFEBAG *bag, const unsigned char *name,
                                 int namelen);
 int PKCS8_add_keyusage(PKCS8_PRIV_KEY_INFO *p8, int usage);
@@ -225,49 +211,38 @@ char *PKCS12_get_friendlyname(PKCS12_SAFEBAG *bag);
 unsigned char *PKCS12_pbe_crypt(X509_ALGOR *algor, const char *pass,
                                 int passlen, unsigned char *in, int inlen,
                                 unsigned char **data, int *datalen, int en_de);
-char *PKCS12_decrypt_d2i(X509_ALGOR *algor, char *(*d2i)(),
-                         void (*free_func)(void *), const char *pass, int passlen,
-                         ASN1_STRING *oct, int seq);
-ASN1_STRING *PKCS12_i2d_encrypt(X509_ALGOR *algor, int (*i2d)(),
-                                const char *pass, int passlen, char *obj,
-                                int seq);
+void * PKCS12_item_decrypt_d2i(X509_ALGOR *algor, const ASN1_ITEM *it,
+             const char *pass, int passlen, ASN1_OCTET_STRING *oct, int zbuf);
+ASN1_OCTET_STRING *PKCS12_item_i2d_encrypt(X509_ALGOR *algor, const ASN1_ITEM *it,
+                                       const char *pass, int passlen,
+                                       void *obj, int zbuf);
 PKCS12 *PKCS12_init(int mode);
 int PKCS12_key_gen_asc(const char *pass, int passlen, unsigned char *salt,
                        int saltlen, int id, int iter, int n,
                        unsigned char *out, const EVP_MD *md_type);
 int PKCS12_key_gen_uni(unsigned char *pass, int passlen, unsigned char *salt, int saltlen, int id, int iter, int n, unsigned char *out, const EVP_MD *md_type);
 int PKCS12_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
-                         ASN1_TYPE *param, EVP_CIPHER *cipher, EVP_MD *md_type,
+                         ASN1_TYPE *param, const EVP_CIPHER *cipher, const EVP_MD *md_type,
                          int en_de);
 int PKCS12_gen_mac(PKCS12 *p12, const char *pass, int passlen,
                          unsigned char *mac, unsigned int *maclen);
 int PKCS12_verify_mac(PKCS12 *p12, const char *pass, int passlen);
 int PKCS12_set_mac(PKCS12 *p12, const char *pass, int passlen,
                    unsigned char *salt, int saltlen, int iter,
-                   EVP_MD *md_type);
+                   const EVP_MD *md_type);
 int PKCS12_setup_mac(PKCS12 *p12, int iter, unsigned char *salt,
-                                         int saltlen, EVP_MD *md_type);
+                                         int saltlen, const EVP_MD *md_type);
 unsigned char *asc2uni(const char *asc, int asclen, unsigned char **uni, int *unilen);
 char *uni2asc(unsigned char *uni, int unilen);
-int i2d_PKCS12_BAGS(PKCS12_BAGS *a, unsigned char **pp);
-PKCS12_BAGS *PKCS12_BAGS_new(void);
-PKCS12_BAGS *d2i_PKCS12_BAGS(PKCS12_BAGS **a, unsigned char **pp, long length);
-void PKCS12_BAGS_free(PKCS12_BAGS *a);
-int i2d_PKCS12(PKCS12 *a, unsigned char **pp);
-PKCS12 *d2i_PKCS12(PKCS12 **a, unsigned char **pp, long length);
-PKCS12 *PKCS12_new(void);
-void PKCS12_free(PKCS12 *a);
-int i2d_PKCS12_MAC_DATA(PKCS12_MAC_DATA *a, unsigned char **pp);
-PKCS12_MAC_DATA *PKCS12_MAC_DATA_new(void);
-PKCS12_MAC_DATA *d2i_PKCS12_MAC_DATA(PKCS12_MAC_DATA **a, unsigned char **pp,
-                                                                 long length);
-void PKCS12_MAC_DATA_free(PKCS12_MAC_DATA *a);
-int i2d_PKCS12_SAFEBAG(PKCS12_SAFEBAG *a, unsigned char **pp);
-PKCS12_SAFEBAG *PKCS12_SAFEBAG_new(void);
-PKCS12_SAFEBAG *d2i_PKCS12_SAFEBAG(PKCS12_SAFEBAG **a, unsigned char **pp,
-                                                                 long length);
-void PKCS12_SAFEBAG_free(PKCS12_SAFEBAG *a);
-void ERR_load_PKCS12_strings(void);
+
+DECLARE_ASN1_FUNCTIONS(PKCS12)
+DECLARE_ASN1_FUNCTIONS(PKCS12_MAC_DATA)
+DECLARE_ASN1_FUNCTIONS(PKCS12_SAFEBAG)
+DECLARE_ASN1_FUNCTIONS(PKCS12_BAGS)
+
+DECLARE_ASN1_ITEM(PKCS12_SAFEBAGS)
+DECLARE_ASN1_ITEM(PKCS12_AUTHSAFES)
+
 void PKCS12_PBE_add(void);
 int PKCS12_parse(PKCS12 *p12, const char *pass, EVP_PKEY **pkey, X509 **cert,
                  STACK_OF(X509) **ca);
@@ -284,6 +259,7 @@ int PKCS12_newpass(PKCS12 *p12, char *oldpass, char *newpass);
 /* The following lines are auto generated by the script mkerr.pl. Any changes
  * made after this point may be overwritten when the script is next run.
  */
+void ERR_load_PKCS12_strings(void);
 
 /* Error codes for the PKCS12 functions. */
 
@@ -342,4 +318,3 @@ int PKCS12_newpass(PKCS12 *p12, char *oldpass, char *newpass);
 }
 #endif
 #endif
-
diff --git a/src/lib/libcrypto/pkcs7/Makefile.ssl b/src/lib/libcrypto/pkcs7/Makefile.ssl
index 37b72f0890..3f0c3452e5 100644
--- a/src/lib/libcrypto/pkcs7/Makefile.ssl
+++ b/src/lib/libcrypto/pkcs7/Makefile.ssl
@@ -5,13 +5,14 @@
 DIR=    pkcs7
 TOP=    ../..
 CC=     cc
-INCLUDES= -I.. -I../../include
+INCLUDES= -I.. -I$(TOP) -I../../include
 CFLAG=-g
 INSTALL_PREFIX=
 OPENSSLDIR=     /usr/local/ssl
 INSTALLTOP=/usr/local/ssl
 MAKE=           make -f Makefile.ssl
-MAKEDEPEND=     $(TOP)/util/domd $(TOP)
+MAKEDEPPROG=    makedepend
+MAKEDEPEND=     $(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)
 MAKEFILE=       Makefile.ssl
 AR=             ar r
 
@@ -25,8 +26,10 @@ TEST=
 APPS=
 
 LIB=$(TOP)/libcrypto.a
-LIBSRC= pk7_lib.c pkcs7err.c pk7_doit.c pk7_smime.c pk7_attr.c pk7_mime.c
-LIBOBJ= pk7_lib.o pkcs7err.o pk7_doit.o pk7_smime.o pk7_attr.o pk7_mime.o
+LIBSRC= pk7_asn1.c pk7_lib.c pkcs7err.c pk7_doit.c pk7_smime.c pk7_attr.c \
+        pk7_mime.c
+LIBOBJ= pk7_asn1.o pk7_lib.o pkcs7err.o pk7_doit.o pk7_smime.o pk7_attr.o \
+        pk7_mime.o
 
 SRC= $(LIBSRC)
 
@@ -58,8 +61,7 @@ verify: verify.o example.o lib
 
 lib:    $(LIBOBJ)
         $(AR) $(LIB) $(LIBOBJ)
-        @echo You may get an error following this line.  Please ignore.
-        - $(RANLIB) $(LIB)
+        $(RANLIB) $(LIB) || echo Never mind.
         @touch lib
 
 files:
@@ -98,121 +100,96 @@ clean:
 
 # DO NOT DELETE THIS LINE -- make depend depends on it.
 
+pk7_asn1.o: ../../e_os.h ../../include/openssl/asn1.h
+pk7_asn1.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
+pk7_asn1.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+pk7_asn1.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
+pk7_asn1.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+pk7_asn1.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+pk7_asn1.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+pk7_asn1.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+pk7_asn1.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+pk7_asn1.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
+pk7_asn1.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+pk7_asn1.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+pk7_asn1.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+pk7_asn1.o: ../cryptlib.h pk7_asn1.c
 pk7_attr.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-pk7_attr.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-pk7_attr.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-pk7_attr.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-pk7_attr.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-pk7_attr.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-pk7_attr.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-pk7_attr.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-pk7_attr.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-pk7_attr.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+pk7_attr.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+pk7_attr.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
+pk7_attr.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+pk7_attr.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+pk7_attr.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
 pk7_attr.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-pk7_attr.o: ../../include/openssl/opensslv.h ../../include/openssl/pem.h
-pk7_attr.o: ../../include/openssl/pem2.h ../../include/openssl/pkcs7.h
-pk7_attr.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-pk7_attr.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-pk7_attr.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-pk7_attr.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-pk7_attr.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-pk7_attr.o: ../../include/openssl/x509_vfy.h
-pk7_doit.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-pk7_doit.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-pk7_doit.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-pk7_doit.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
-pk7_doit.o: ../../include/openssl/des.h ../../include/openssl/dh.h
-pk7_doit.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
-pk7_doit.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+pk7_attr.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+pk7_attr.o: ../../include/openssl/pem.h ../../include/openssl/pem2.h
+pk7_attr.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
+pk7_attr.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+pk7_attr.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+pk7_attr.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+pk7_attr.o: pk7_attr.c
+pk7_doit.o: ../../e_os.h ../../include/openssl/asn1.h
+pk7_doit.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+pk7_doit.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
+pk7_doit.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
+pk7_doit.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
 pk7_doit.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-pk7_doit.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-pk7_doit.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-pk7_doit.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-pk7_doit.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-pk7_doit.o: ../../include/openssl/opensslconf.h
-pk7_doit.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
-pk7_doit.o: ../../include/openssl/rand.h ../../include/openssl/rc2.h
-pk7_doit.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-pk7_doit.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-pk7_doit.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-pk7_doit.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-pk7_doit.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-pk7_doit.o: ../../include/openssl/x509v3.h ../cryptlib.h
-pk7_lib.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-pk7_lib.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-pk7_lib.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-pk7_lib.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+pk7_doit.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+pk7_doit.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+pk7_doit.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+pk7_doit.o: ../../include/openssl/pkcs7.h ../../include/openssl/rand.h
+pk7_doit.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+pk7_doit.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+pk7_doit.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+pk7_doit.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
+pk7_doit.o: ../cryptlib.h pk7_doit.c
+pk7_lib.o: ../../e_os.h ../../include/openssl/asn1.h
+pk7_lib.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+pk7_lib.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 pk7_lib.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-pk7_lib.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-pk7_lib.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-pk7_lib.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-pk7_lib.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-pk7_lib.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+pk7_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+pk7_lib.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 pk7_lib.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 pk7_lib.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-pk7_lib.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-pk7_lib.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-pk7_lib.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-pk7_lib.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-pk7_lib.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-pk7_lib.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-pk7_lib.o: ../cryptlib.h
-pk7_mime.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-pk7_mime.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-pk7_mime.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-pk7_mime.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+pk7_lib.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+pk7_lib.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+pk7_lib.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+pk7_lib.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+pk7_lib.o: ../../include/openssl/x509_vfy.h ../cryptlib.h pk7_lib.c
+pk7_mime.o: ../../e_os.h ../../include/openssl/asn1.h
+pk7_mime.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+pk7_mime.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 pk7_mime.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-pk7_mime.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-pk7_mime.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-pk7_mime.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-pk7_mime.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-pk7_mime.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+pk7_mime.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+pk7_mime.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 pk7_mime.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 pk7_mime.o: ../../include/openssl/opensslconf.h
-pk7_mime.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
-pk7_mime.o: ../../include/openssl/rand.h ../../include/openssl/rc2.h
-pk7_mime.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-pk7_mime.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-pk7_mime.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-pk7_mime.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-pk7_mime.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-pk7_mime.o: ../cryptlib.h
-pk7_smime.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-pk7_smime.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-pk7_smime.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-pk7_smime.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
-pk7_smime.o: ../../include/openssl/des.h ../../include/openssl/dh.h
-pk7_smime.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
-pk7_smime.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+pk7_mime.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+pk7_mime.o: ../../include/openssl/pkcs7.h ../../include/openssl/rand.h
+pk7_mime.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+pk7_mime.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+pk7_mime.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+pk7_mime.o: ../../include/openssl/x509_vfy.h ../cryptlib.h pk7_mime.c
+pk7_smime.o: ../../e_os.h ../../include/openssl/asn1.h
+pk7_smime.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+pk7_smime.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
+pk7_smime.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
+pk7_smime.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
 pk7_smime.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-pk7_smime.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-pk7_smime.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-pk7_smime.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-pk7_smime.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+pk7_smime.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+pk7_smime.o: ../../include/openssl/objects.h
 pk7_smime.o: ../../include/openssl/opensslconf.h
-pk7_smime.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
-pk7_smime.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-pk7_smime.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-pk7_smime.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-pk7_smime.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-pk7_smime.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-pk7_smime.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
-pk7_smime.o: ../cryptlib.h
+pk7_smime.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+pk7_smime.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
+pk7_smime.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+pk7_smime.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+pk7_smime.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+pk7_smime.o: ../../include/openssl/x509v3.h ../cryptlib.h pk7_smime.c
 pkcs7err.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-pkcs7err.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-pkcs7err.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-pkcs7err.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-pkcs7err.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+pkcs7err.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h
 pkcs7err.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-pkcs7err.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-pkcs7err.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-pkcs7err.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-pkcs7err.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
-pkcs7err.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-pkcs7err.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
-pkcs7err.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-pkcs7err.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-pkcs7err.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-pkcs7err.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-pkcs7err.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-pkcs7err.o: ../../include/openssl/x509_vfy.h
+pkcs7err.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
+pkcs7err.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+pkcs7err.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+pkcs7err.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+pkcs7err.o: pkcs7err.c
diff --git a/src/lib/libcrypto/pkcs7/bio_ber.c b/src/lib/libcrypto/pkcs7/bio_ber.c
index 5447e69818..42331f7ab0 100644
--- a/src/lib/libcrypto/pkcs7/bio_ber.c
+++ b/src/lib/libcrypto/pkcs7/bio_ber.c
@@ -339,7 +339,7 @@ static long ber_ctrl(BIO *b, int cmd, long num, char *ptr)
         case BIO_CTRL_RESET:
                 ctx->ok=1;
                 ctx->finished=0;
-                EVP_CipherInit(&(ctx->cipher),NULL,NULL,NULL,
+                EVP_CipherInit_ex(&(ctx->cipher),NULL,NULL,NULL,NULL,
                         ctx->cipher.berrypt);
                 ret=BIO_ctrl(b->next_bio,cmd,num,ptr);
                 break;
@@ -376,7 +376,7 @@ again:
                         {
                         ctx->finished=1;
                         ctx->buf_off=0;
-                        ret=EVP_CipherFinal(&(ctx->cipher),
+                        ret=EVP_CipherFinal_ex(&(ctx->cipher),
                                 (unsigned char *)ctx->buf,
                                 &(ctx->buf_len));
                         ctx->ok=(int)ret;
@@ -458,7 +458,7 @@ void BIO_set_cipher(BIO *b, EVP_CIPHER *c, unsigned char *k, unsigned char *i,
 
         b->init=1;
         ctx=(BIO_ENC_CTX *)b->ptr;
-        EVP_CipherInit(&(ctx->cipher),c,k,i,e);
+        EVP_CipherInit_ex(&(ctx->cipher),c,NULL,k,i,e);
         
         if (b->callback != NULL)
                 b->callback(b,BIO_CB_CTRL,(char *)c,BIO_CTRL_SET,e,1L);
diff --git a/src/lib/libcrypto/pkcs7/enc.c b/src/lib/libcrypto/pkcs7/enc.c
index 2b56c2eff3..7417f8a4e0 100644
--- a/src/lib/libcrypto/pkcs7/enc.c
+++ b/src/lib/libcrypto/pkcs7/enc.c
@@ -128,7 +128,7 @@ char *argv[];
         PKCS7_set_type(p7,NID_pkcs7_enveloped);
 #endif
         if(!cipher)     {
-#ifndef NO_DES
+#ifndef OPENSSL_NO_DES
                 cipher = EVP_des_ede3_cbc();
 #else
                 fprintf(stderr, "No cipher selected\n");
diff --git a/src/lib/libcrypto/pkcs7/example.c b/src/lib/libcrypto/pkcs7/example.c
index f6656be28e..c993947cc3 100644
--- a/src/lib/libcrypto/pkcs7/example.c
+++ b/src/lib/libcrypto/pkcs7/example.c
@@ -3,6 +3,7 @@
 #include <string.h>
 #include <openssl/pkcs7.h>
 #include <openssl/asn1_mac.h>
+#include <openssl/x509.h>
 
 int add_signed_time(PKCS7_SIGNER_INFO *si)
         {
diff --git a/src/lib/libcrypto/pkcs7/pk7_asn1.c b/src/lib/libcrypto/pkcs7/pk7_asn1.c
new file mode 100644
index 0000000000..46f0fc9375
--- /dev/null
+++ b/src/lib/libcrypto/pkcs7/pk7_asn1.c
@@ -0,0 +1,213 @@
+/* pk7_asn.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/asn1t.h>
+#include <openssl/pkcs7.h>
+#include <openssl/x509.h>
+
+/* PKCS#7 ASN1 module */
+
+/* This is the ANY DEFINED BY table for the top level PKCS#7 structure */
+
+ASN1_ADB_TEMPLATE(p7default) = ASN1_EXP_OPT(PKCS7, d.other, ASN1_ANY, 0);
+
+ASN1_ADB(PKCS7) = {
+        ADB_ENTRY(NID_pkcs7_data, ASN1_EXP_OPT(PKCS7, d.data, ASN1_OCTET_STRING, 0)),
+        ADB_ENTRY(NID_pkcs7_signed, ASN1_EXP_OPT(PKCS7, d.sign, PKCS7_SIGNED, 0)),
+        ADB_ENTRY(NID_pkcs7_enveloped, ASN1_EXP_OPT(PKCS7, d.enveloped, PKCS7_ENVELOPE, 0)),
+        ADB_ENTRY(NID_pkcs7_signedAndEnveloped, ASN1_EXP_OPT(PKCS7, d.signed_and_enveloped, PKCS7_SIGN_ENVELOPE, 0)),
+        ADB_ENTRY(NID_pkcs7_digest, ASN1_EXP_OPT(PKCS7, d.digest, PKCS7_DIGEST, 0)),
+        ADB_ENTRY(NID_pkcs7_encrypted, ASN1_EXP_OPT(PKCS7, d.encrypted, PKCS7_ENCRYPT, 0))
+} ASN1_ADB_END(PKCS7, 0, type, 0, &p7default_tt, NULL);
+
+ASN1_SEQUENCE(PKCS7) = {
+        ASN1_SIMPLE(PKCS7, type, ASN1_OBJECT),
+        ASN1_ADB_OBJECT(PKCS7)
+}ASN1_SEQUENCE_END(PKCS7)
+
+IMPLEMENT_ASN1_FUNCTIONS(PKCS7)
+IMPLEMENT_ASN1_DUP_FUNCTION(PKCS7)
+
+ASN1_SEQUENCE(PKCS7_SIGNED) = {
+        ASN1_SIMPLE(PKCS7_SIGNED, version, ASN1_INTEGER),
+        ASN1_SET_OF(PKCS7_SIGNED, md_algs, X509_ALGOR),
+        ASN1_SIMPLE(PKCS7_SIGNED, contents, PKCS7),
+        ASN1_IMP_SEQUENCE_OF_OPT(PKCS7_SIGNED, cert, X509, 0),
+        ASN1_IMP_SET_OF_OPT(PKCS7_SIGNED, crl, X509_CRL, 1),
+        ASN1_SET_OF(PKCS7_SIGNED, signer_info, PKCS7_SIGNER_INFO)
+} ASN1_SEQUENCE_END(PKCS7_SIGNED)
+
+IMPLEMENT_ASN1_FUNCTIONS(PKCS7_SIGNED)
+
+/* Minor tweak to operation: free up EVP_PKEY */
+static int si_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it)
+{
+        if(operation == ASN1_OP_FREE_POST) {
+                PKCS7_SIGNER_INFO *si = (PKCS7_SIGNER_INFO *)*pval;
+                EVP_PKEY_free(si->pkey);
+        }
+        return 1;
+}
+
+ASN1_SEQUENCE_cb(PKCS7_SIGNER_INFO, si_cb) = {
+        ASN1_SIMPLE(PKCS7_SIGNER_INFO, version, ASN1_INTEGER),
+        ASN1_SIMPLE(PKCS7_SIGNER_INFO, issuer_and_serial, PKCS7_ISSUER_AND_SERIAL),
+        ASN1_SIMPLE(PKCS7_SIGNER_INFO, digest_alg, X509_ALGOR),
+        /* NB this should be a SET OF but we use a SEQUENCE OF so the
+         * original order * is retained when the structure is reencoded.
+         * Since the attributes are implicitly tagged this will not affect
+         * the encoding.
+         */
+        ASN1_IMP_SEQUENCE_OF_OPT(PKCS7_SIGNER_INFO, auth_attr, X509_ATTRIBUTE, 0),
+        ASN1_SIMPLE(PKCS7_SIGNER_INFO, digest_enc_alg, X509_ALGOR),
+        ASN1_SIMPLE(PKCS7_SIGNER_INFO, enc_digest, ASN1_OCTET_STRING),
+        ASN1_IMP_SET_OF_OPT(PKCS7_SIGNER_INFO, unauth_attr, X509_ATTRIBUTE, 1)
+} ASN1_SEQUENCE_END_cb(PKCS7_SIGNER_INFO, PKCS7_SIGNER_INFO)
+
+IMPLEMENT_ASN1_FUNCTIONS(PKCS7_SIGNER_INFO)
+
+ASN1_SEQUENCE(PKCS7_ISSUER_AND_SERIAL) = {
+        ASN1_SIMPLE(PKCS7_ISSUER_AND_SERIAL, issuer, X509_NAME),
+        ASN1_SIMPLE(PKCS7_ISSUER_AND_SERIAL, serial, ASN1_INTEGER)
+} ASN1_SEQUENCE_END(PKCS7_ISSUER_AND_SERIAL)
+
+IMPLEMENT_ASN1_FUNCTIONS(PKCS7_ISSUER_AND_SERIAL)
+
+ASN1_SEQUENCE(PKCS7_ENVELOPE) = {
+        ASN1_SIMPLE(PKCS7_ENVELOPE, version, ASN1_INTEGER),
+        ASN1_SET_OF(PKCS7_ENVELOPE, recipientinfo, PKCS7_RECIP_INFO),
+        ASN1_SIMPLE(PKCS7_ENVELOPE, enc_data, PKCS7_ENC_CONTENT)
+} ASN1_SEQUENCE_END(PKCS7_ENVELOPE)
+
+IMPLEMENT_ASN1_FUNCTIONS(PKCS7_ENVELOPE)
+
+/* Minor tweak to operation: free up X509 */
+static int ri_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it)
+{
+        if(operation == ASN1_OP_FREE_POST) {
+                PKCS7_RECIP_INFO *ri = (PKCS7_RECIP_INFO *)*pval;
+                X509_free(ri->cert);
+        }
+        return 1;
+}
+
+ASN1_SEQUENCE_cb(PKCS7_RECIP_INFO, ri_cb) = {
+        ASN1_SIMPLE(PKCS7_RECIP_INFO, version, ASN1_INTEGER),
+        ASN1_SIMPLE(PKCS7_RECIP_INFO, issuer_and_serial, PKCS7_ISSUER_AND_SERIAL),
+        ASN1_SIMPLE(PKCS7_RECIP_INFO, key_enc_algor, X509_ALGOR),
+        ASN1_SIMPLE(PKCS7_RECIP_INFO, enc_key, ASN1_OCTET_STRING)
+} ASN1_SEQUENCE_END_cb(PKCS7_RECIP_INFO, PKCS7_RECIP_INFO)
+
+IMPLEMENT_ASN1_FUNCTIONS(PKCS7_RECIP_INFO)
+
+ASN1_SEQUENCE(PKCS7_ENC_CONTENT) = {
+        ASN1_SIMPLE(PKCS7_ENC_CONTENT, content_type, ASN1_OBJECT),
+        ASN1_SIMPLE(PKCS7_ENC_CONTENT, algorithm, X509_ALGOR),
+        ASN1_IMP_OPT(PKCS7_ENC_CONTENT, enc_data, ASN1_OCTET_STRING, 0)
+} ASN1_SEQUENCE_END(PKCS7_ENC_CONTENT)
+
+IMPLEMENT_ASN1_FUNCTIONS(PKCS7_ENC_CONTENT)
+
+ASN1_SEQUENCE(PKCS7_SIGN_ENVELOPE) = {
+        ASN1_SIMPLE(PKCS7_SIGN_ENVELOPE, version, ASN1_INTEGER),
+        ASN1_SET_OF(PKCS7_SIGN_ENVELOPE, recipientinfo, PKCS7_RECIP_INFO),
+        ASN1_SET_OF(PKCS7_SIGN_ENVELOPE, md_algs, X509_ALGOR),
+        ASN1_SIMPLE(PKCS7_SIGN_ENVELOPE, enc_data, PKCS7_ENC_CONTENT),
+        ASN1_IMP_SET_OF_OPT(PKCS7_SIGN_ENVELOPE, cert, X509, 0),
+        ASN1_IMP_SET_OF_OPT(PKCS7_SIGN_ENVELOPE, crl, X509_CRL, 1),
+        ASN1_SET_OF(PKCS7_SIGN_ENVELOPE, signer_info, PKCS7_SIGNER_INFO)
+} ASN1_SEQUENCE_END(PKCS7_SIGN_ENVELOPE)
+
+IMPLEMENT_ASN1_FUNCTIONS(PKCS7_SIGN_ENVELOPE)
+
+ASN1_SEQUENCE(PKCS7_ENCRYPT) = {
+        ASN1_SIMPLE(PKCS7_ENCRYPT, version, ASN1_INTEGER),
+        ASN1_SIMPLE(PKCS7_ENCRYPT, enc_data, PKCS7_ENC_CONTENT)
+} ASN1_SEQUENCE_END(PKCS7_ENCRYPT)
+
+IMPLEMENT_ASN1_FUNCTIONS(PKCS7_ENCRYPT)
+
+ASN1_SEQUENCE(PKCS7_DIGEST) = {
+        ASN1_SIMPLE(PKCS7_DIGEST, version, ASN1_INTEGER),
+        ASN1_SIMPLE(PKCS7_DIGEST, md, X509_ALGOR),
+        ASN1_SIMPLE(PKCS7_DIGEST, contents, PKCS7),
+        ASN1_SIMPLE(PKCS7_DIGEST, digest, ASN1_OCTET_STRING)
+} ASN1_SEQUENCE_END(PKCS7_DIGEST)
+
+IMPLEMENT_ASN1_FUNCTIONS(PKCS7_DIGEST)
+
+/* Specials for authenticated attributes */
+
+/* When signing attributes we want to reorder them to match the sorted
+ * encoding.
+ */
+
+ASN1_ITEM_TEMPLATE(PKCS7_ATTR_SIGN) = 
+        ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SET_ORDER, 0, PKCS7_ATTRIBUTES, X509_ATTRIBUTE)
+ASN1_ITEM_TEMPLATE_END(PKCS7_ATTR_SIGN)
+
+/* When verifying attributes we need to use the received order. So 
+ * we use SEQUENCE OF and tag it to SET OF
+ */
+
+ASN1_ITEM_TEMPLATE(PKCS7_ATTR_VERIFY) = 
+        ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF | ASN1_TFLG_IMPTAG | ASN1_TFLG_UNIVERSAL,
+                                V_ASN1_SET, PKCS7_ATTRIBUTES, X509_ATTRIBUTE)
+ASN1_ITEM_TEMPLATE_END(PKCS7_ATTR_VERIFY)
diff --git a/src/lib/libcrypto/pkcs7/pk7_attr.c b/src/lib/libcrypto/pkcs7/pk7_attr.c
index 6ae264cbf9..5ff5a88b5c 100644
--- a/src/lib/libcrypto/pkcs7/pk7_attr.c
+++ b/src/lib/libcrypto/pkcs7/pk7_attr.c
@@ -1,9 +1,59 @@
 /* pk7_attr.c */
-/* S/MIME code.
- * Copyright (C) 1997-8 Dr S N Henson (shenson@bigfoot.com) 
- * All Rights Reserved. 
- * Redistribution of this code without the authors permission is expressly
- * prohibited.
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 2001.
+ */
+/* ====================================================================
+ * Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
  */
 
 #include <stdio.h>
diff --git a/src/lib/libcrypto/pkcs7/pk7_doit.c b/src/lib/libcrypto/pkcs7/pk7_doit.c
index bf43d030ad..4a4ff340ce 100644
--- a/src/lib/libcrypto/pkcs7/pk7_doit.c
+++ b/src/lib/libcrypto/pkcs7/pk7_doit.c
@@ -67,6 +67,38 @@ static int add_attribute(STACK_OF(X509_ATTRIBUTE) **sk, int nid, int atrtype,
                          void *value);
 static ASN1_TYPE *get_attribute(STACK_OF(X509_ATTRIBUTE) *sk, int nid);
 
+static int PKCS7_type_is_other(PKCS7* p7)
+        {
+        int isOther=1;
+        
+        int nid=OBJ_obj2nid(p7->type);
+
+        switch( nid )
+                {
+        case NID_pkcs7_data:
+        case NID_pkcs7_signed:
+        case NID_pkcs7_enveloped:
+        case NID_pkcs7_signedAndEnveloped:
+        case NID_pkcs7_digest:
+        case NID_pkcs7_encrypted:
+                isOther=0;
+                break;
+        default:
+                isOther=1;
+                }
+
+        return isOther;
+
+        }
+
+static int PKCS7_type_is_octet_string(PKCS7* p7)
+        {
+        if ( 0==PKCS7_type_is_other(p7) )
+                return 0;
+
+        return (V_ASN1_OCTET_STRING==p7->d.other->type) ? 1 : 0;
+        }
+
 BIO *PKCS7_dataInit(PKCS7 *p7, BIO *bio)
         {
         int i,j;
@@ -165,7 +197,7 @@ BIO *PKCS7_dataInit(PKCS7 *p7, BIO *bio)
                         goto err;
                 xalg->algorithm = OBJ_nid2obj(EVP_CIPHER_type(evp_cipher));
                 if (ivlen > 0) RAND_pseudo_bytes(iv,ivlen);
-                EVP_CipherInit(ctx, evp_cipher, key, iv, 1);
+                EVP_CipherInit_ex(ctx, evp_cipher, NULL, key, iv, 1);
 
                 if (ivlen > 0) {
                         if (xalg->parameter == NULL) 
@@ -219,16 +251,23 @@ BIO *PKCS7_dataInit(PKCS7 *p7, BIO *bio)
                 }
 
         if (bio == NULL) {
-                if (p7->detached)
+                if (PKCS7_is_detached(p7))
                         bio=BIO_new(BIO_s_null());
                 else {
-                        if (PKCS7_type_is_signed(p7) &&
-                                PKCS7_type_is_data(p7->d.sign->contents)) {
-                                ASN1_OCTET_STRING *os;
-                                os=p7->d.sign->contents->d.data;
-                                if (os->length > 0) bio = 
-                                        BIO_new_mem_buf(os->data, os->length);
-                        } 
+                        if (PKCS7_type_is_signed(p7) ) { 
+                                if ( PKCS7_type_is_data(p7->d.sign->contents)) {
+                                        ASN1_OCTET_STRING *os;
+                                        os=p7->d.sign->contents->d.data;
+                                        if (os->length > 0)
+                                                bio = BIO_new_mem_buf(os->data, os->length);
+                                }
+                                else if ( PKCS7_type_is_octet_string(p7->d.sign->contents) ) {
+                                        ASN1_OCTET_STRING *os;
+                                        os=p7->d.sign->contents->d.other->value.octet_string;
+                                        if (os->length > 0)
+                                                bio = BIO_new_mem_buf(os->data, os->length);
+                                }
+                        }
                         if(bio == NULL) {
                                 bio=BIO_new(BIO_s_mem());
                                 BIO_set_mem_eof_return(bio,0);
@@ -391,7 +430,7 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert)
 
                 evp_ctx=NULL;
                 BIO_get_cipher_ctx(etmp,&evp_ctx);
-                EVP_CipherInit(evp_ctx,evp_cipher,NULL,NULL,0);
+                EVP_CipherInit_ex(evp_ctx,evp_cipher,NULL,NULL,NULL,0);
                 if (EVP_CIPHER_asn1_to_param(evp_ctx,enc_alg->parameter) < 0)
                         goto err;
 
@@ -407,7 +446,7 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert)
                                 goto err;
                                 }
                 } 
-                EVP_CipherInit(evp_ctx,NULL,tmp,NULL,0);
+                EVP_CipherInit_ex(evp_ctx,NULL,NULL,tmp,NULL,0);
 
                 memset(tmp,0,jj);
 
@@ -419,7 +458,7 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert)
                 }
 
 #if 1
-        if (p7->detached || (in_bio != NULL))
+        if (PKCS7_is_detached(p7) || (in_bio != NULL))
                 {
                 bio=in_bio;
                 }
@@ -471,10 +510,9 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio)
         EVP_MD_CTX *mdc,ctx_tmp;
         STACK_OF(X509_ATTRIBUTE) *sk;
         STACK_OF(PKCS7_SIGNER_INFO) *si_sk=NULL;
-        unsigned char *p,*pp=NULL;
-        int x;
         ASN1_OCTET_STRING *os=NULL;
 
+        EVP_MD_CTX_init(&ctx_tmp);
         i=OBJ_obj2nid(p7->type);
         p7->state=PKCS7_S_HEADER;
 
@@ -528,7 +566,7 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio)
                                 BIO_get_md_ctx(btmp,&mdc);
                                 if (mdc == NULL)
                                         {
-                                        PKCS7err(PKCS7_F_PKCS7_DATASIGN,PKCS7_R_INTERNAL_ERROR);
+                                        PKCS7err(PKCS7_F_PKCS7_DATASIGN,ERR_R_INTERNAL_ERROR);
                                         goto err;
                                         }
                                 if (EVP_MD_CTX_type(mdc) == j)
@@ -539,7 +577,7 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio)
                         
                         /* We now have the EVP_MD_CTX, lets do the
                          * signing. */
-                        memcpy(&ctx_tmp,mdc,sizeof(ctx_tmp));
+                        EVP_MD_CTX_copy_ex(&ctx_tmp,mdc);
                         if (!BUF_MEM_grow(buf,EVP_PKEY_size(si->pkey)))
                                 {
                                 PKCS7err(PKCS7_F_PKCS7_DATASIGN,ERR_R_BIO_LIB);
@@ -552,43 +590,41 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio)
                          * attribute and only sign the attributes */
                         if ((sk != NULL) && (sk_X509_ATTRIBUTE_num(sk) != 0))
                                 {
-                                unsigned char md_data[EVP_MAX_MD_SIZE];
-                                unsigned int md_len;
+                                unsigned char md_data[EVP_MAX_MD_SIZE], *abuf=NULL;
+                                unsigned int md_len, alen;
                                 ASN1_OCTET_STRING *digest;
                                 ASN1_UTCTIME *sign_time;
                                 const EVP_MD *md_tmp;
 
-                                /* Add signing time */
-                                sign_time=X509_gmtime_adj(NULL,0);
-                                PKCS7_add_signed_attribute(si,
-                                        NID_pkcs9_signingTime,
-                                        V_ASN1_UTCTIME,sign_time);
+                                /* Add signing time if not already present */
+                                if (!PKCS7_get_signed_attribute(si,
+                                                        NID_pkcs9_signingTime))
+                                        {
+                                        sign_time=X509_gmtime_adj(NULL,0);
+                                        PKCS7_add_signed_attribute(si,
+                                                NID_pkcs9_signingTime,
+                                                V_ASN1_UTCTIME,sign_time);
+                                        }
 
                                 /* Add digest */
                                 md_tmp=EVP_MD_CTX_md(&ctx_tmp);
-                                EVP_DigestFinal(&ctx_tmp,md_data,&md_len);
+                                EVP_DigestFinal_ex(&ctx_tmp,md_data,&md_len);
                                 digest=M_ASN1_OCTET_STRING_new();
                                 M_ASN1_OCTET_STRING_set(digest,md_data,md_len);
                                 PKCS7_add_signed_attribute(si,
                                         NID_pkcs9_messageDigest,
                                         V_ASN1_OCTET_STRING,digest);
 
-                                /* Now sign the mess */
-                                EVP_SignInit(&ctx_tmp,md_tmp);
-                                x=i2d_ASN1_SET_OF_X509_ATTRIBUTE(sk,NULL,
-                                           i2d_X509_ATTRIBUTE,
-                                           V_ASN1_SET,V_ASN1_UNIVERSAL,IS_SET);
-                                pp=(unsigned char *)OPENSSL_malloc(x);
-                                p=pp;
-                                i2d_ASN1_SET_OF_X509_ATTRIBUTE(sk,&p,
-                                           i2d_X509_ATTRIBUTE,
-                                           V_ASN1_SET,V_ASN1_UNIVERSAL,IS_SET);
-                                EVP_SignUpdate(&ctx_tmp,pp,x);
-                                OPENSSL_free(pp);
-                                pp=NULL;
+                                /* Now sign the attributes */
+                                EVP_SignInit_ex(&ctx_tmp,md_tmp,NULL);
+                                alen = ASN1_item_i2d((ASN1_VALUE *)sk,&abuf,
+                                                        ASN1_ITEM_rptr(PKCS7_ATTR_SIGN));
+                                if(!abuf) goto err;
+                                EVP_SignUpdate(&ctx_tmp,abuf,alen);
+                                OPENSSL_free(abuf);
                                 }
 
-#ifndef NO_DSA
+#ifndef OPENSSL_NO_DSA
                         if (si->pkey->type == EVP_PKEY_DSA)
                                 ctx_tmp.digest=EVP_dss1();
 #endif
@@ -608,7 +644,7 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio)
                         }
                 }
 
-        if (!p7->detached)
+        if (!PKCS7_is_detached(p7))
                 {
                 btmp=BIO_find_type(bio,BIO_TYPE_MEM);
                 if (btmp == NULL)
@@ -629,11 +665,9 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio)
                         (unsigned char *)buf_mem->data,buf_mem->length);
 #endif
                 }
-        if (pp != NULL) OPENSSL_free(pp);
-        pp=NULL;
-
         ret=1;
 err:
+        EVP_MD_CTX_cleanup(&ctx_tmp);
         if (buf != NULL) BUF_MEM_free(buf);
         return(ret);
         }
@@ -672,7 +706,11 @@ int PKCS7_dataVerify(X509_STORE *cert_store, X509_STORE_CTX *ctx, BIO *bio,
                 }
 
         /* Lets verify */
-        X509_STORE_CTX_init(ctx,cert_store,x509,cert);
+        if(!X509_STORE_CTX_init(ctx,cert_store,x509,cert))
+                {
+                PKCS7err(PKCS7_F_PKCS7_DATAVERIFY,ERR_R_X509_LIB);
+                goto err;
+                }
         X509_STORE_CTX_set_purpose(ctx, X509_PURPOSE_SMIME_SIGN);
         i=X509_verify_cert(ctx);
         if (i <= 0) 
@@ -693,13 +731,14 @@ int PKCS7_signatureVerify(BIO *bio, PKCS7 *p7, PKCS7_SIGNER_INFO *si,
         {
         ASN1_OCTET_STRING *os;
         EVP_MD_CTX mdc_tmp,*mdc;
-        unsigned char *pp,*p;
         int ret=0,i;
         int md_type;
         STACK_OF(X509_ATTRIBUTE) *sk;
         BIO *btmp;
         EVP_PKEY *pkey;
 
+        EVP_MD_CTX_init(&mdc_tmp);
+
         if (!PKCS7_type_is_signed(p7) && 
                                 !PKCS7_type_is_signedAndEnveloped(p7)) {
                 PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY,
@@ -723,7 +762,7 @@ int PKCS7_signatureVerify(BIO *bio, PKCS7 *p7, PKCS7_SIGNER_INFO *si,
                 if (mdc == NULL)
                         {
                         PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY,
-                                                        PKCS7_R_INTERNAL_ERROR);
+                                                        ERR_R_INTERNAL_ERROR);
                         goto err;
                         }
                 if (EVP_MD_CTX_type(mdc) == md_type)
@@ -733,16 +772,16 @@ int PKCS7_signatureVerify(BIO *bio, PKCS7 *p7, PKCS7_SIGNER_INFO *si,
 
         /* mdc is the digest ctx that we want, unless there are attributes,
          * in which case the digest is the signed attributes */
-        memcpy(&mdc_tmp,mdc,sizeof(mdc_tmp));
+        EVP_MD_CTX_copy_ex(&mdc_tmp,mdc);
 
         sk=si->auth_attr;
         if ((sk != NULL) && (sk_X509_ATTRIBUTE_num(sk) != 0))
                 {
-                unsigned char md_dat[EVP_MAX_MD_SIZE];
-                unsigned int md_len;
+                unsigned char md_dat[EVP_MAX_MD_SIZE], *abuf = NULL;
+                unsigned int md_len, alen;
                 ASN1_OCTET_STRING *message_digest;
 
-                EVP_DigestFinal(&mdc_tmp,md_dat,&md_len);
+                EVP_DigestFinal_ex(&mdc_tmp,md_dat,&md_len);
                 message_digest=PKCS7_digest_from_attributes(sk);
                 if (!message_digest)
                         {
@@ -767,20 +806,13 @@ for (ii=0; ii<md_len; ii++) printf("%02X",md_dat[ii]); printf(" calc\n");
                         goto err;
                         }
 
-                EVP_VerifyInit(&mdc_tmp,EVP_get_digestbynid(md_type));
-                /* Note: when forming the encoding of the attributes we
-                 * shouldn't reorder them or this will break the signature.
-                 * This is done by using the IS_SEQUENCE flag.
-                 */
-                i=i2d_ASN1_SET_OF_X509_ATTRIBUTE(sk,NULL,i2d_X509_ATTRIBUTE,
-                        V_ASN1_SET,V_ASN1_UNIVERSAL, IS_SEQUENCE);
-                pp=OPENSSL_malloc(i);
-                p=pp;
-                i2d_ASN1_SET_OF_X509_ATTRIBUTE(sk,&p,i2d_X509_ATTRIBUTE,
-                        V_ASN1_SET,V_ASN1_UNIVERSAL, IS_SEQUENCE);
-                EVP_VerifyUpdate(&mdc_tmp,pp,i);
+                EVP_VerifyInit_ex(&mdc_tmp,EVP_get_digestbynid(md_type), NULL);
+
+                alen = ASN1_item_i2d((ASN1_VALUE *)sk, &abuf,
+                                                ASN1_ITEM_rptr(PKCS7_ATTR_VERIFY));
+                EVP_VerifyUpdate(&mdc_tmp, abuf, alen);
 
-                OPENSSL_free(pp);
+                OPENSSL_free(abuf);
                 }
 
         os=si->enc_digest;
@@ -790,7 +822,7 @@ for (ii=0; ii<md_len; ii++) printf("%02X",md_dat[ii]); printf(" calc\n");
                 ret = -1;
                 goto err;
                 }
-#ifndef NO_DSA
+#ifndef OPENSSL_NO_DSA
         if(pkey->type == EVP_PKEY_DSA) mdc_tmp.digest=EVP_dss1();
 #endif
 
@@ -806,6 +838,7 @@ for (ii=0; ii<md_len; ii++) printf("%02X",md_dat[ii]); printf(" calc\n");
         else
                 ret=1;
 err:
+        EVP_MD_CTX_cleanup(&mdc_tmp);
         return(ret);
         }
 
@@ -847,7 +880,7 @@ static ASN1_TYPE *get_attribute(STACK_OF(X509_ATTRIBUTE) *sk, int nid)
                 xa=sk_X509_ATTRIBUTE_value(sk,i);
                 if (OBJ_cmp(xa->object,o) == 0)
                         {
-                        if (xa->set && sk_ASN1_TYPE_num(xa->value.set))
+                        if (!xa->single && sk_ASN1_TYPE_num(xa->value.set))
                                 return(sk_ASN1_TYPE_value(xa->value.set,0));
                         else
                                 return(NULL);
diff --git a/src/lib/libcrypto/pkcs7/pk7_lib.c b/src/lib/libcrypto/pkcs7/pk7_lib.c
index 45973fe850..c00ed6833a 100644
--- a/src/lib/libcrypto/pkcs7/pk7_lib.c
+++ b/src/lib/libcrypto/pkcs7/pk7_lib.c
@@ -84,7 +84,11 @@ long PKCS7_ctrl(PKCS7 *p7, int cmd, long larg, char *parg)
         case PKCS7_OP_GET_DETACHED_SIGNATURE:
                 if (nid == NID_pkcs7_signed)
                         {
-                        ret=p7->detached;
+                        if(!p7->d.sign  || !p7->d.sign->contents->d.ptr)
+                                ret = 1;
+                        else ret = 0;
+                                
+                        p7->detached = ret;
                         }
                 else
                         {
@@ -144,7 +148,7 @@ int PKCS7_set_type(PKCS7 *p7, int type)
         {
         ASN1_OBJECT *obj;
 
-        PKCS7_content_free(p7);
+        /*PKCS7_content_free(p7);*/
         obj=OBJ_nid2obj(type); /* will not fail */
 
         switch (type)
@@ -165,18 +169,24 @@ int PKCS7_set_type(PKCS7 *p7, int type)
                 if ((p7->d.signed_and_enveloped=PKCS7_SIGN_ENVELOPE_new())
                         == NULL) goto err;
                 ASN1_INTEGER_set(p7->d.signed_and_enveloped->version,1);
+                p7->d.signed_and_enveloped->enc_data->content_type
+                                                = OBJ_nid2obj(NID_pkcs7_data);
                 break;
         case NID_pkcs7_enveloped:
                 p7->type=obj;
                 if ((p7->d.enveloped=PKCS7_ENVELOPE_new())
                         == NULL) goto err;
                 ASN1_INTEGER_set(p7->d.enveloped->version,0);
+                p7->d.enveloped->enc_data->content_type
+                                                = OBJ_nid2obj(NID_pkcs7_data);
                 break;
         case NID_pkcs7_encrypted:
                 p7->type=obj;
                 if ((p7->d.encrypted=PKCS7_ENCRYPT_new())
                         == NULL) goto err;
                 ASN1_INTEGER_set(p7->d.encrypted->version,0);
+                p7->d.encrypted->enc_data->content_type
+                                                = OBJ_nid2obj(NID_pkcs7_data);
                 break;
 
         case NID_pkcs7_digest:
@@ -295,7 +305,7 @@ int PKCS7_add_crl(PKCS7 *p7, X509_CRL *crl)
         }
 
 int PKCS7_SIGNER_INFO_set(PKCS7_SIGNER_INFO *p7i, X509 *x509, EVP_PKEY *pkey,
-             EVP_MD *dgst)
+             const EVP_MD *dgst)
         {
         char is_dsa;
         if (pkey->type == EVP_PKEY_DSA) is_dsa = 1;
@@ -343,7 +353,7 @@ err:
         }
 
 PKCS7_SIGNER_INFO *PKCS7_add_signature(PKCS7 *p7, X509 *x509, EVP_PKEY *pkey,
-             EVP_MD *dgst)
+             const EVP_MD *dgst)
         {
         PKCS7_SIGNER_INFO *si;
 
@@ -415,9 +425,7 @@ int PKCS7_RECIP_INFO_set(PKCS7_RECIP_INFO *p7i, X509 *x509)
                 M_ASN1_INTEGER_dup(X509_get_serialNumber(x509));
 
         X509_ALGOR_free(p7i->key_enc_algor);
-        p7i->key_enc_algor=(X509_ALGOR *)ASN1_dup(i2d_X509_ALGOR,
-                (char *(*)())d2i_X509_ALGOR,
-                (char *)x509->cert_info->key->algor);
+        p7i->key_enc_algor= X509_ALGOR_dup(x509->cert_info->key->algor);
 
         CRYPTO_add(&x509->references,1,CRYPTO_LOCK_X509);
         p7i->cert=x509;
diff --git a/src/lib/libcrypto/pkcs7/pk7_smime.c b/src/lib/libcrypto/pkcs7/pk7_smime.c
index 3d3214f5ee..f0d071e282 100644
--- a/src/lib/libcrypto/pkcs7/pk7_smime.c
+++ b/src/lib/libcrypto/pkcs7/pk7_smime.c
@@ -115,17 +115,17 @@ PKCS7 *PKCS7_sign(X509 *signcert, EVP_PKEY *pkey, STACK_OF(X509) *certs,
                         PKCS7err(PKCS7_F_PKCS7_SIGN,ERR_R_MALLOC_FAILURE);
                         return NULL;
                 }
-#ifndef NO_DES
+#ifndef OPENSSL_NO_DES
                 PKCS7_simple_smimecap (smcap, NID_des_ede3_cbc, -1);
 #endif
-#ifndef NO_RC2
+#ifndef OPENSSL_NO_RC2
                 PKCS7_simple_smimecap (smcap, NID_rc2_cbc, 128);
                 PKCS7_simple_smimecap (smcap, NID_rc2_cbc, 64);
 #endif
-#ifndef NO_DES
+#ifndef OPENSSL_NO_DES
                 PKCS7_simple_smimecap (smcap, NID_des_cbc, -1);
 #endif
-#ifndef NO_RC2
+#ifndef OPENSSL_NO_RC2
                 PKCS7_simple_smimecap (smcap, NID_rc2_cbc, 40);
 #endif
                 PKCS7_add_attrib_smimecap (si, smcap);
@@ -201,11 +201,20 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
         if (!(flags & PKCS7_NOVERIFY)) for (k = 0; k < sk_X509_num(signers); k++) {
                 signer = sk_X509_value (signers, k);
                 if (!(flags & PKCS7_NOCHAIN)) {
-                        X509_STORE_CTX_init(&cert_ctx, store, signer,
-                                                        p7->d.sign->cert);
+                        if(!X509_STORE_CTX_init(&cert_ctx, store, signer,
+                                                        p7->d.sign->cert))
+                                {
+                                PKCS7err(PKCS7_F_PKCS7_VERIFY,ERR_R_X509_LIB);
+                                sk_X509_free(signers);
+                                return 0;
+                                }
                         X509_STORE_CTX_set_purpose(&cert_ctx,
                                                 X509_PURPOSE_SMIME_SIGN);
-                } else X509_STORE_CTX_init (&cert_ctx, store, signer, NULL);
+                } else if(!X509_STORE_CTX_init (&cert_ctx, store, signer, NULL)) {
+                        PKCS7err(PKCS7_F_PKCS7_VERIFY,ERR_R_X509_LIB);
+                        sk_X509_free(signers);
+                        return 0;
+                }
                 i = X509_verify_cert(&cert_ctx);
                 if (i <= 0) j = X509_STORE_CTX_get_error(&cert_ctx);
                 X509_STORE_CTX_cleanup(&cert_ctx);
@@ -327,7 +336,7 @@ STACK_OF(X509) *PKCS7_get0_signers(PKCS7 *p7, STACK_OF(X509) *certs, int flags)
 
 /* Build a complete PKCS#7 enveloped data */
 
-PKCS7 *PKCS7_encrypt(STACK_OF(X509) *certs, BIO *in, EVP_CIPHER *cipher,
+PKCS7 *PKCS7_encrypt(STACK_OF(X509) *certs, BIO *in, const EVP_CIPHER *cipher,
                                                                 int flags)
 {
         PKCS7 *p7;
diff --git a/src/lib/libcrypto/pkcs7/pkcs7.h b/src/lib/libcrypto/pkcs7/pkcs7.h
index 1b817e605d..5819700a85 100644
--- a/src/lib/libcrypto/pkcs7/pkcs7.h
+++ b/src/lib/libcrypto/pkcs7/pkcs7.h
@@ -59,16 +59,18 @@
 #ifndef HEADER_PKCS7_H
 #define HEADER_PKCS7_H
 
+#include <openssl/asn1.h>
 #include <openssl/bio.h>
-#include <openssl/x509.h>
+#include <openssl/e_os2.h>
 
 #include <openssl/symhacks.h>
+#include <openssl/ossl_typ.h>
 
 #ifdef  __cplusplus
 extern "C" {
 #endif
 
-#ifdef WIN32
+#ifdef OPENSSL_SYS_WIN32
 /* Under Win32 thes are defined in wincrypt.h */
 #undef PKCS7_ISSUER_AND_SERIAL
 #undef PKCS7_SIGNER_INFO
@@ -225,6 +227,7 @@ DECLARE_PKCS12_STACK_OF(PKCS7)
 #define PKCS7_get_attributes(si)        ((si)->unauth_attr)
 
 #define PKCS7_type_is_signed(a) (OBJ_obj2nid((a)->type) == NID_pkcs7_signed)
+#define PKCS7_type_is_encrypted(a) (OBJ_obj2nid((a)->type) == NID_pkcs7_encrypted)
 #define PKCS7_type_is_enveloped(a) (OBJ_obj2nid((a)->type) == NID_pkcs7_enveloped)
 #define PKCS7_type_is_signedAndEnveloped(a) \
                 (OBJ_obj2nid((a)->type) == NID_pkcs7_signedAndEnveloped)
@@ -235,6 +238,8 @@ DECLARE_PKCS12_STACK_OF(PKCS7)
 #define PKCS7_get_detached(p) \
                 PKCS7_ctrl(p,PKCS7_OP_GET_DETACHED_SIGNATURE,0,NULL)
 
+#define PKCS7_is_detached(p7) (PKCS7_type_is_signed(p7) && PKCS7_get_detached(p7))
+
 #ifdef SSLEAY_MACROS
 #ifndef PKCS7_ISSUER_AND_SERIAL_digest
 #define PKCS7_ISSUER_AND_SERIAL_digest(data,type,md,len) \
@@ -268,19 +273,12 @@ DECLARE_PKCS12_STACK_OF(PKCS7)
 #define SMIME_BINARY    PKCS7_BINARY
 #define SMIME_NOATTR    PKCS7_NOATTR
 
-PKCS7_ISSUER_AND_SERIAL *PKCS7_ISSUER_AND_SERIAL_new(void );
-void                    PKCS7_ISSUER_AND_SERIAL_free(
-                                PKCS7_ISSUER_AND_SERIAL *a);
-int                     i2d_PKCS7_ISSUER_AND_SERIAL(
-                                PKCS7_ISSUER_AND_SERIAL *a,unsigned char **pp);
-PKCS7_ISSUER_AND_SERIAL *d2i_PKCS7_ISSUER_AND_SERIAL(
-                                PKCS7_ISSUER_AND_SERIAL **a,
-                                unsigned char **pp, long length);
+DECLARE_ASN1_FUNCTIONS(PKCS7_ISSUER_AND_SERIAL)
 
 #ifndef SSLEAY_MACROS
 int PKCS7_ISSUER_AND_SERIAL_digest(PKCS7_ISSUER_AND_SERIAL *data,const EVP_MD *type,
         unsigned char *md,unsigned int *len);
-#ifndef NO_FP_API
+#ifndef OPENSSL_NO_FP_API
 PKCS7 *d2i_PKCS7_fp(FILE *fp,PKCS7 **p7);
 int i2d_PKCS7_fp(FILE *fp,PKCS7 *p7);
 #endif
@@ -289,71 +287,18 @@ PKCS7 *d2i_PKCS7_bio(BIO *bp,PKCS7 **p7);
 int i2d_PKCS7_bio(BIO *bp,PKCS7 *p7);
 #endif
 
-PKCS7_SIGNER_INFO       *PKCS7_SIGNER_INFO_new(void);
-void                    PKCS7_SIGNER_INFO_free(PKCS7_SIGNER_INFO *a);
-int                     i2d_PKCS7_SIGNER_INFO(PKCS7_SIGNER_INFO *a,
-                                unsigned char **pp);
-PKCS7_SIGNER_INFO       *d2i_PKCS7_SIGNER_INFO(PKCS7_SIGNER_INFO **a,
-                                unsigned char **pp,long length);
-
-PKCS7_RECIP_INFO        *PKCS7_RECIP_INFO_new(void);
-void                    PKCS7_RECIP_INFO_free(PKCS7_RECIP_INFO *a);
-int                     i2d_PKCS7_RECIP_INFO(PKCS7_RECIP_INFO *a,
-                                unsigned char **pp);
-PKCS7_RECIP_INFO        *d2i_PKCS7_RECIP_INFO(PKCS7_RECIP_INFO **a,
-                                unsigned char **pp,long length);
-
-PKCS7_SIGNED            *PKCS7_SIGNED_new(void);
-void                    PKCS7_SIGNED_free(PKCS7_SIGNED *a);
-int                     i2d_PKCS7_SIGNED(PKCS7_SIGNED *a,
-                                unsigned char **pp);
-PKCS7_SIGNED            *d2i_PKCS7_SIGNED(PKCS7_SIGNED **a,
-                                unsigned char **pp,long length);
-
-PKCS7_ENC_CONTENT       *PKCS7_ENC_CONTENT_new(void);
-void                    PKCS7_ENC_CONTENT_free(PKCS7_ENC_CONTENT *a);
-int                     i2d_PKCS7_ENC_CONTENT(PKCS7_ENC_CONTENT *a,
-                                unsigned char **pp);
-PKCS7_ENC_CONTENT       *d2i_PKCS7_ENC_CONTENT(PKCS7_ENC_CONTENT **a,
-                                unsigned char **pp,long length);
-
-PKCS7_ENVELOPE          *PKCS7_ENVELOPE_new(void);
-void                    PKCS7_ENVELOPE_free(PKCS7_ENVELOPE *a);
-int                     i2d_PKCS7_ENVELOPE(PKCS7_ENVELOPE *a,
-                                unsigned char **pp);
-PKCS7_ENVELOPE          *d2i_PKCS7_ENVELOPE(PKCS7_ENVELOPE **a,
-                                unsigned char **pp,long length);
-
-PKCS7_SIGN_ENVELOPE     *PKCS7_SIGN_ENVELOPE_new(void);
-void                    PKCS7_SIGN_ENVELOPE_free(PKCS7_SIGN_ENVELOPE *a);
-int                     i2d_PKCS7_SIGN_ENVELOPE(PKCS7_SIGN_ENVELOPE *a,
-                                unsigned char **pp);
-PKCS7_SIGN_ENVELOPE     *d2i_PKCS7_SIGN_ENVELOPE(PKCS7_SIGN_ENVELOPE **a,
-                                unsigned char **pp,long length);
-
-PKCS7_DIGEST            *PKCS7_DIGEST_new(void);
-void                    PKCS7_DIGEST_free(PKCS7_DIGEST *a);
-int                     i2d_PKCS7_DIGEST(PKCS7_DIGEST *a,
-                                unsigned char **pp);
-PKCS7_DIGEST            *d2i_PKCS7_DIGEST(PKCS7_DIGEST **a,
-                                unsigned char **pp,long length);
-
-PKCS7_ENCRYPT           *PKCS7_ENCRYPT_new(void);
-void                    PKCS7_ENCRYPT_free(PKCS7_ENCRYPT *a);
-int                     i2d_PKCS7_ENCRYPT(PKCS7_ENCRYPT *a,
-                                unsigned char **pp);
-PKCS7_ENCRYPT           *d2i_PKCS7_ENCRYPT(PKCS7_ENCRYPT **a,
-                                unsigned char **pp,long length);
-
-PKCS7                   *PKCS7_new(void);
-void                    PKCS7_free(PKCS7 *a);
-void                    PKCS7_content_free(PKCS7 *a);
-int                     i2d_PKCS7(PKCS7 *a,
-                                unsigned char **pp);
-PKCS7                   *d2i_PKCS7(PKCS7 **a,
-                                unsigned char **pp,long length);
+DECLARE_ASN1_FUNCTIONS(PKCS7_SIGNER_INFO)
+DECLARE_ASN1_FUNCTIONS(PKCS7_RECIP_INFO)
+DECLARE_ASN1_FUNCTIONS(PKCS7_SIGNED)
+DECLARE_ASN1_FUNCTIONS(PKCS7_ENC_CONTENT)
+DECLARE_ASN1_FUNCTIONS(PKCS7_ENVELOPE)
+DECLARE_ASN1_FUNCTIONS(PKCS7_SIGN_ENVELOPE)
+DECLARE_ASN1_FUNCTIONS(PKCS7_DIGEST)
+DECLARE_ASN1_FUNCTIONS(PKCS7_ENCRYPT)
+DECLARE_ASN1_FUNCTIONS(PKCS7)
 
-void ERR_load_PKCS7_strings(void);
+DECLARE_ASN1_ITEM(PKCS7_ATTR_SIGN)
+DECLARE_ASN1_ITEM(PKCS7_ATTR_VERIFY)
 
 
 long PKCS7_ctrl(PKCS7 *p7, int cmd, long larg, char *parg);
@@ -361,7 +306,7 @@ long PKCS7_ctrl(PKCS7 *p7, int cmd, long larg, char *parg);
 int PKCS7_set_type(PKCS7 *p7, int type);
 int PKCS7_set_content(PKCS7 *p7, PKCS7 *p7_data);
 int PKCS7_SIGNER_INFO_set(PKCS7_SIGNER_INFO *p7i, X509 *x509, EVP_PKEY *pkey,
-        EVP_MD *dgst);
+        const EVP_MD *dgst);
 int PKCS7_add_signer(PKCS7 *p7, PKCS7_SIGNER_INFO *p7i);
 int PKCS7_add_certificate(PKCS7 *p7, X509 *x509);
 int PKCS7_add_crl(PKCS7 *p7, X509_CRL *x509);
@@ -377,7 +322,7 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert);
 
 
 PKCS7_SIGNER_INFO *PKCS7_add_signature(PKCS7 *p7, X509 *x509,
-        EVP_PKEY *pkey, EVP_MD *dgst);
+        EVP_PKEY *pkey, const EVP_MD *dgst);
 X509 *PKCS7_cert_from_signer_info(PKCS7 *p7, PKCS7_SIGNER_INFO *si);
 STACK_OF(PKCS7_SIGNER_INFO) *PKCS7_get_signer_info(PKCS7 *p7);
 
@@ -404,7 +349,7 @@ PKCS7 *PKCS7_sign(X509 *signcert, EVP_PKEY *pkey, STACK_OF(X509) *certs,
 int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
                                         BIO *indata, BIO *out, int flags);
 STACK_OF(X509) *PKCS7_get0_signers(PKCS7 *p7, STACK_OF(X509) *certs, int flags);
-PKCS7 *PKCS7_encrypt(STACK_OF(X509) *certs, BIO *in, EVP_CIPHER *cipher,
+PKCS7 *PKCS7_encrypt(STACK_OF(X509) *certs, BIO *in, const EVP_CIPHER *cipher,
                                                                 int flags);
 int PKCS7_decrypt(PKCS7 *p7, EVP_PKEY *pkey, X509 *cert, BIO *data, int flags);
 
@@ -422,6 +367,7 @@ int SMIME_text(BIO *in, BIO *out);
 /* The following lines are auto generated by the script mkerr.pl. Any changes
  * made after this point may be overwritten when the script is next run.
  */
+void ERR_load_PKCS7_strings(void);
 
 /* Error codes for the PKCS7 functions. */
 
@@ -462,7 +408,6 @@ int SMIME_text(BIO *in, BIO *out);
 #define PKCS7_R_DIGEST_FAILURE                           101
 #define PKCS7_R_ERROR_ADDING_RECIPIENT                   120
 #define PKCS7_R_ERROR_SETTING_CIPHER                     121
-#define PKCS7_R_INTERNAL_ERROR                           102
 #define PKCS7_R_INVALID_MIME_TYPE                        131
 #define PKCS7_R_INVALID_NULL_POINTER                     143
 #define PKCS7_R_MIME_NO_CONTENT_TYPE                     132
@@ -502,4 +447,3 @@ int SMIME_text(BIO *in, BIO *out);
 }
 #endif
 #endif
-
diff --git a/src/lib/libcrypto/pkcs7/pkcs7err.c b/src/lib/libcrypto/pkcs7/pkcs7err.c
index 8ded8913db..5e51527a40 100644
--- a/src/lib/libcrypto/pkcs7/pkcs7err.c
+++ b/src/lib/libcrypto/pkcs7/pkcs7err.c
@@ -63,7 +63,7 @@
 #include <openssl/pkcs7.h>
 
 /* BEGIN ERROR CODES */
-#ifndef NO_ERR
+#ifndef OPENSSL_NO_ERR
 static ERR_STRING_DATA PKCS7_str_functs[]=
         {
 {ERR_PACK(0,PKCS7_F_B64_READ_PKCS7,0),  "B64_READ_PKCS7"},
@@ -105,7 +105,6 @@ static ERR_STRING_DATA PKCS7_str_reasons[]=
 {PKCS7_R_DIGEST_FAILURE                  ,"digest failure"},
 {PKCS7_R_ERROR_ADDING_RECIPIENT          ,"error adding recipient"},
 {PKCS7_R_ERROR_SETTING_CIPHER            ,"error setting cipher"},
-{PKCS7_R_INTERNAL_ERROR                  ,"internal error"},
 {PKCS7_R_INVALID_MIME_TYPE               ,"invalid mime type"},
 {PKCS7_R_INVALID_NULL_POINTER            ,"invalid null pointer"},
 {PKCS7_R_MIME_NO_CONTENT_TYPE            ,"mime no content type"},
@@ -152,7 +151,7 @@ void ERR_load_PKCS7_strings(void)
         if (init)
                 {
                 init=0;
-#ifndef NO_ERR
+#ifndef OPENSSL_NO_ERR
                 ERR_load_strings(ERR_LIB_PKCS7,PKCS7_str_functs);
                 ERR_load_strings(ERR_LIB_PKCS7,PKCS7_str_reasons);
 #endif
diff --git a/src/lib/libcrypto/pkcs7/sign.c b/src/lib/libcrypto/pkcs7/sign.c
index 22290e192c..8b59885f7e 100644
--- a/src/lib/libcrypto/pkcs7/sign.c
+++ b/src/lib/libcrypto/pkcs7/sign.c
@@ -76,16 +76,16 @@ char *argv[];
         int i;
         int nodetach=0;
 
-#ifndef NO_MD2
+#ifndef OPENSSL_NO_MD2
         EVP_add_digest(EVP_md2());
 #endif
-#ifndef NO_MD5
+#ifndef OPENSSL_NO_MD5
         EVP_add_digest(EVP_md5());
 #endif
-#ifndef NO_SHA1
+#ifndef OPENSSL_NO_SHA1
         EVP_add_digest(EVP_sha1());
 #endif
-#ifndef NO_MDC2
+#ifndef OPENSSL_NO_MDC2
         EVP_add_digest(EVP_mdc2());
 #endif
 
diff --git a/src/lib/libcrypto/pkcs7/verify.c b/src/lib/libcrypto/pkcs7/verify.c
index 49fc8d8bed..5f7afe8933 100644
--- a/src/lib/libcrypto/pkcs7/verify.c
+++ b/src/lib/libcrypto/pkcs7/verify.c
@@ -85,16 +85,16 @@ char *argv[];
 
         bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
         bio_out=BIO_new_fp(stdout,BIO_NOCLOSE);
-#ifndef NO_MD2
+#ifndef OPENSSL_NO_MD2
         EVP_add_digest(EVP_md2());
 #endif
-#ifndef NO_MD5
+#ifndef OPENSSL_NO_MD5
         EVP_add_digest(EVP_md5());
 #endif
-#ifndef NO_SHA1
+#ifndef OPENSSL_NO_SHA1
         EVP_add_digest(EVP_sha1());
 #endif
-#ifndef NO_MDC2
+#ifndef OPENSSL_NO_MDC2
         EVP_add_digest(EVP_mdc2());
 #endif
 
diff --git a/src/lib/libcrypto/rand/Makefile.ssl b/src/lib/libcrypto/rand/Makefile.ssl
index 707eaac678..42623d18d8 100644
--- a/src/lib/libcrypto/rand/Makefile.ssl
+++ b/src/lib/libcrypto/rand/Makefile.ssl
@@ -11,7 +11,8 @@ INSTALL_PREFIX=
 OPENSSLDIR=     /usr/local/ssl
 INSTALLTOP=/usr/local/ssl
 MAKE=           make -f Makefile.ssl
-MAKEDEPEND=     $(TOP)/util/domd $(TOP)
+MAKEDEPPROG=    makedepend
+MAKEDEPEND=     $(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)
 MAKEFILE=       Makefile.ssl
 AR=             ar r
 
@@ -22,8 +23,10 @@ TEST= randtest.c
 APPS=
 
 LIB=$(TOP)/libcrypto.a
-LIBSRC=md_rand.c randfile.c rand_lib.c rand_err.c rand_egd.c rand_win.c
-LIBOBJ=md_rand.o randfile.o rand_lib.o rand_err.o rand_egd.o rand_win.o
+LIBSRC=md_rand.c randfile.c rand_lib.c rand_err.c rand_egd.c \
+        rand_win.c rand_unix.c rand_os2.c
+LIBOBJ=md_rand.o randfile.o rand_lib.o rand_err.o rand_egd.o \
+        rand_win.o rand_unix.o rand_os2.o
 
 SRC= $(LIBSRC)
 
@@ -39,8 +42,7 @@ all:	lib
 
 lib:    $(LIBOBJ)
         $(AR) $(LIB) $(LIBOBJ)
-        @echo You may get an error following this line.  Please ignore.
-        - $(RANLIB) $(LIB)
+        $(RANLIB) $(LIB) || echo Never mind.
         @touch lib
 
 files:
@@ -79,45 +81,77 @@ clean:
 
 # DO NOT DELETE THIS LINE -- make depend depends on it.
 
-md_rand.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
-md_rand.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-md_rand.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
-md_rand.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+md_rand.o: ../../e_os.h ../../include/openssl/asn1.h
+md_rand.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+md_rand.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+md_rand.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+md_rand.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+md_rand.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+md_rand.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 md_rand.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h
 md_rand.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-md_rand.o: ../../include/openssl/symhacks.h rand_lcl.h
-rand_egd.o: ../../include/openssl/opensslconf.h ../../include/openssl/rand.h
+md_rand.o: ../../include/openssl/symhacks.h md_rand.c rand_lcl.h
+rand_egd.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h
+rand_egd.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
+rand_egd.o: rand_egd.c
 rand_err.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
-rand_err.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
-rand_err.o: ../../include/openssl/opensslv.h ../../include/openssl/rand.h
-rand_err.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-rand_err.o: ../../include/openssl/symhacks.h
-rand_lib.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-rand_lib.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-rand_lib.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
-rand_lib.o: ../../include/openssl/des.h ../../include/openssl/dh.h
-rand_lib.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-rand_lib.o: ../../include/openssl/engine.h ../../include/openssl/evp.h
-rand_lib.o: ../../include/openssl/idea.h ../../include/openssl/md2.h
-rand_lib.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-rand_lib.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
-rand_lib.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-rand_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/rand.h
-rand_lib.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-rand_lib.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-rand_lib.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-rand_lib.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-rand_lib.o: ../../include/openssl/symhacks.h
-rand_win.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
-rand_win.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+rand_err.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+rand_err.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
+rand_err.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+rand_err.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h
+rand_err.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+rand_err.o: rand_err.c
+rand_lib.o: ../../e_os.h ../../include/openssl/asn1.h
+rand_lib.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+rand_lib.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+rand_lib.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+rand_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
+rand_lib.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+rand_lib.o: ../../include/openssl/opensslconf.h
+rand_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+rand_lib.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h
+rand_lib.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+rand_lib.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
+rand_lib.o: ../cryptlib.h rand_lib.c
+rand_os2.o: ../../e_os.h ../../include/openssl/asn1.h
+rand_os2.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+rand_os2.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+rand_os2.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+rand_os2.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+rand_os2.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+rand_os2.o: ../../include/openssl/opensslconf.h
+rand_os2.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+rand_os2.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h
+rand_os2.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+rand_os2.o: ../../include/openssl/symhacks.h ../cryptlib.h rand_lcl.h
+rand_os2.o: rand_os2.c
+rand_unix.o: ../../e_os.h ../../include/openssl/asn1.h
+rand_unix.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+rand_unix.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+rand_unix.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+rand_unix.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+rand_unix.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+rand_unix.o: ../../include/openssl/opensslconf.h
+rand_unix.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+rand_unix.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h
+rand_unix.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+rand_unix.o: ../../include/openssl/symhacks.h ../cryptlib.h rand_lcl.h
+rand_unix.o: rand_unix.c
+rand_win.o: ../../e_os.h ../../include/openssl/asn1.h
+rand_win.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+rand_win.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 rand_win.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-rand_win.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-rand_win.o: ../../include/openssl/opensslv.h ../../include/openssl/rand.h
-rand_win.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-rand_win.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-rand_win.o: ../cryptlib.h rand_lcl.h
-randfile.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+rand_win.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+rand_win.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+rand_win.o: ../../include/openssl/opensslconf.h
+rand_win.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+rand_win.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h
+rand_win.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+rand_win.o: ../../include/openssl/symhacks.h ../cryptlib.h rand_lcl.h
+rand_win.o: rand_win.c
+randfile.o: ../../e_os.h ../../include/openssl/crypto.h
 randfile.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h
-randfile.o: ../../include/openssl/opensslv.h ../../include/openssl/rand.h
-randfile.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-randfile.o: ../../include/openssl/symhacks.h
+randfile.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+randfile.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h
+randfile.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+randfile.o: randfile.c
diff --git a/src/lib/libcrypto/rand/md_rand.c b/src/lib/libcrypto/rand/md_rand.c
index 04b9d695b0..a00ed70718 100644
--- a/src/lib/libcrypto/rand/md_rand.c
+++ b/src/lib/libcrypto/rand/md_rand.c
@@ -56,7 +56,7 @@
  * [including the GNU Public Licence.]
  */
 /* ====================================================================
- * Copyright (c) 1998-2000 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -119,7 +119,7 @@
 #include <stdio.h>
 #include <string.h>
 
-#include "openssl/e_os.h"
+#include "e_os.h"
 
 #include <openssl/rand.h>
 #include "rand_lcl.h"
@@ -144,6 +144,7 @@ static int initialized=0;
 static unsigned int crypto_lock_rand = 0; /* may be set only when a thread
                                            * holds CRYPTO_LOCK_RAND
                                            * (to prevent double locking) */
+/* access to lockin_thread is synchronized by CRYPTO_LOCK_RAND2 */
 static unsigned long locking_thread = 0; /* valid iff crypto_lock_rand is set */
 
 
@@ -191,7 +192,7 @@ static void ssleay_rand_add(const void *buf, int num, double add)
         int i,j,k,st_idx;
         long md_c[2];
         unsigned char local_md[MD_DIGEST_LENGTH];
-        MD_CTX m;
+        EVP_MD_CTX m;
         int do_not_lock;
 
         /*
@@ -210,7 +211,14 @@ static void ssleay_rand_add(const void *buf, int num, double add)
          */
 
         /* check if we already have the lock */
-        do_not_lock = crypto_lock_rand && (locking_thread == CRYPTO_thread_id());
+        if (crypto_lock_rand)
+                {
+                CRYPTO_r_lock(CRYPTO_LOCK_RAND2);
+                do_not_lock = (locking_thread == CRYPTO_thread_id());
+                CRYPTO_r_unlock(CRYPTO_LOCK_RAND2);
+                }
+        else
+                do_not_lock = 0;
 
         if (!do_not_lock) CRYPTO_w_lock(CRYPTO_LOCK_RAND);
         st_idx=state_index;
@@ -246,6 +254,7 @@ static void ssleay_rand_add(const void *buf, int num, double add)
 
         if (!do_not_lock) CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
 
+        EVP_MD_CTX_init(&m);
         for (i=0; i<num; i+=MD_DIGEST_LENGTH)
                 {
                 j=(num-i);
@@ -264,7 +273,7 @@ static void ssleay_rand_add(const void *buf, int num, double add)
                         
                 MD_Update(&m,buf,j);
                 MD_Update(&m,(unsigned char *)&(md_c[0]),sizeof(md_c));
-                MD_Final(local_md,&m);
+                MD_Final(&m,local_md);
                 md_c[1]++;
 
                 buf=(const char *)buf + j;
@@ -284,7 +293,7 @@ static void ssleay_rand_add(const void *buf, int num, double add)
                                 st_idx=0;
                         }
                 }
-        memset((char *)&m,0,sizeof(m));
+        EVP_MD_CTX_cleanup(&m);
 
         if (!do_not_lock) CRYPTO_w_lock(CRYPTO_LOCK_RAND);
         /* Don't just copy back local_md into md -- this could mean that
@@ -299,7 +308,7 @@ static void ssleay_rand_add(const void *buf, int num, double add)
             entropy += add;
         if (!do_not_lock) CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
         
-#if !defined(THREADS) && !defined(WIN32)
+#if !defined(OPENSSL_THREADS) && !defined(OPENSSL_SYS_WIN32)
         assert(md_c[1] == md_count[1]);
 #endif
         }
@@ -317,7 +326,7 @@ static int ssleay_rand_bytes(unsigned char *buf, int num)
         int ok;
         long md_c[2];
         unsigned char local_md[MD_DIGEST_LENGTH];
-        MD_CTX m;
+        EVP_MD_CTX m;
 #ifndef GETPID_IS_MEANINGLESS
         pid_t curr_pid = getpid();
 #endif
@@ -336,7 +345,8 @@ static int ssleay_rand_bytes(unsigned char *buf, int num)
 
         if (num <= 0)
                 return 1;
-        
+
+        EVP_MD_CTX_init(&m);
         /* round upwards to multiple of MD_DIGEST_LENGTH/2 */
         num_ceil = (1 + (num-1)/(MD_DIGEST_LENGTH/2)) * (MD_DIGEST_LENGTH/2);
 
@@ -361,8 +371,10 @@ static int ssleay_rand_bytes(unsigned char *buf, int num)
         CRYPTO_w_lock(CRYPTO_LOCK_RAND);
 
         /* prevent ssleay_rand_bytes() from trying to obtain the lock again */
-        crypto_lock_rand = 1;
+        CRYPTO_w_lock(CRYPTO_LOCK_RAND2);
         locking_thread = CRYPTO_thread_id();
+        CRYPTO_w_unlock(CRYPTO_LOCK_RAND2);
+        crypto_lock_rand = 1;
 
         if (!initialized)
                 {
@@ -435,7 +447,6 @@ static int ssleay_rand_bytes(unsigned char *buf, int num)
 
         /* before unlocking, we must clear 'crypto_lock_rand' */
         crypto_lock_rand = 0;
-        locking_thread = 0;
         CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
 
         while (num > 0)
@@ -464,7 +475,7 @@ static int ssleay_rand_bytes(unsigned char *buf, int num)
                         }
                 else
                         MD_Update(&m,&(state[st_idx]),MD_DIGEST_LENGTH/2);
-                MD_Final(local_md,&m);
+                MD_Final(&m,local_md);
 
                 for (i=0; i<MD_DIGEST_LENGTH/2; i++)
                         {
@@ -481,10 +492,10 @@ static int ssleay_rand_bytes(unsigned char *buf, int num)
         MD_Update(&m,local_md,MD_DIGEST_LENGTH);
         CRYPTO_w_lock(CRYPTO_LOCK_RAND);
         MD_Update(&m,md,MD_DIGEST_LENGTH);
-        MD_Final(md,&m);
+        MD_Final(&m,md);
         CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
 
-        memset(&m,0,sizeof(m));
+        EVP_MD_CTX_cleanup(&m);
         if (ok)
                 return(1);
         else
@@ -521,15 +532,24 @@ static int ssleay_rand_status(void)
 
         /* check if we already have the lock
          * (could happen if a RAND_poll() implementation calls RAND_status()) */
-        do_not_lock = crypto_lock_rand && (locking_thread == CRYPTO_thread_id());
+        if (crypto_lock_rand)
+                {
+                CRYPTO_r_lock(CRYPTO_LOCK_RAND2);
+                do_not_lock = (locking_thread == CRYPTO_thread_id());
+                CRYPTO_r_unlock(CRYPTO_LOCK_RAND2);
+                }
+        else
+                do_not_lock = 0;
         
         if (!do_not_lock)
                 {
                 CRYPTO_w_lock(CRYPTO_LOCK_RAND);
                 
                 /* prevent ssleay_rand_bytes() from trying to obtain the lock again */
-                crypto_lock_rand = 1;
+                CRYPTO_w_lock(CRYPTO_LOCK_RAND2);
                 locking_thread = CRYPTO_thread_id();
+                CRYPTO_w_unlock(CRYPTO_LOCK_RAND2);
+                crypto_lock_rand = 1;
                 }
         
         if (!initialized)
@@ -544,7 +564,6 @@ static int ssleay_rand_status(void)
                 {
                 /* before unlocking, we must clear 'crypto_lock_rand' */
                 crypto_lock_rand = 0;
-                locking_thread = 0;
                 
                 CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
                 }
diff --git a/src/lib/libcrypto/rand/rand.h b/src/lib/libcrypto/rand/rand.h
index 9c6052733e..e17aa7a9f7 100644
--- a/src/lib/libcrypto/rand/rand.h
+++ b/src/lib/libcrypto/rand/rand.h
@@ -60,6 +60,7 @@
 #define HEADER_RAND_H
 
 #include <stdlib.h>
+#include <openssl/ossl_typ.h>
 
 #ifdef  __cplusplus
 extern "C" {
@@ -79,10 +80,9 @@ typedef struct rand_meth_st
 extern int rand_predictable;
 #endif
 
-struct engine_st;
-
-int RAND_set_rand_method(struct engine_st *meth);
-RAND_METHOD *RAND_get_rand_method(void );
+int RAND_set_rand_method(const RAND_METHOD *meth);
+const RAND_METHOD *RAND_get_rand_method(void);
+int RAND_set_rand_engine(ENGINE *engine);
 RAND_METHOD *RAND_SSLeay(void);
 void RAND_cleanup(void );
 int  RAND_bytes(unsigned char *buf,int num);
@@ -93,42 +93,34 @@ int  RAND_load_file(const char *file,long max_bytes);
 int  RAND_write_file(const char *file);
 const char *RAND_file_name(char *file,size_t num);
 int RAND_status(void);
+int RAND_query_egd_bytes(const char *path, unsigned char *buf, int bytes);
 int RAND_egd(const char *path);
 int RAND_egd_bytes(const char *path,int bytes);
-void ERR_load_RAND_strings(void);
 int RAND_poll(void);
 
-#ifdef  __cplusplus
-}
-#endif
-
-#if defined(WINDOWS) || defined(WIN32)
-#include <windows.h>
-
-#ifdef  __cplusplus
-extern "C" {
-#endif
+#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_WIN32)
 
 void RAND_screen(void);
 int RAND_event(UINT, WPARAM, LPARAM);
 
-#ifdef  __cplusplus
-}
-#endif
 #endif
 
 /* BEGIN ERROR CODES */
 /* The following lines are auto generated by the script mkerr.pl. Any changes
  * made after this point may be overwritten when the script is next run.
  */
+void ERR_load_RAND_strings(void);
 
 /* Error codes for the RAND functions. */
 
 /* Function codes. */
+#define RAND_F_RAND_GET_RAND_METHOD                      101
 #define RAND_F_SSLEAY_RAND_BYTES                         100
 
 /* Reason codes. */
 #define RAND_R_PRNG_NOT_SEEDED                           100
 
+#ifdef  __cplusplus
+}
+#endif
 #endif
-
diff --git a/src/lib/libcrypto/rand/rand_egd.c b/src/lib/libcrypto/rand/rand_egd.c
index 79b5e6fa57..dd490c8254 100644
--- a/src/lib/libcrypto/rand/rand_egd.c
+++ b/src/lib/libcrypto/rand/rand_egd.c
@@ -1,5 +1,5 @@
 /* crypto/rand/rand_egd.c */
-/* Written by Ulf Moeller for the OpenSSL project. */
+/* Written by Ulf Moeller and Lutz Jaenicke for the OpenSSL project. */
 /* ====================================================================
  * Copyright (c) 1998-2000 The OpenSSL Project.  All rights reserved.
  *
@@ -54,12 +54,51 @@
  *
  */
 
+#include <openssl/e_os2.h>
 #include <openssl/rand.h>
 
-/* Query the EGD <URL: http://www.lothar.com/tech/crypto/>.
+/*
+ * Query the EGD <URL: http://www.lothar.com/tech/crypto/>.
+ *
+ * This module supplies three routines:
+ *
+ * RAND_query_egd_bytes(path, buf, bytes)
+ *   will actually query "bytes" bytes of entropy form the egd-socket located
+ *   at path and will write them to buf (if supplied) or will directly feed
+ *   it to RAND_seed() if buf==NULL.
+ *   The number of bytes is not limited by the maximum chunk size of EGD,
+ *   which is 255 bytes. If more than 255 bytes are wanted, several chunks
+ *   of entropy bytes are requested. The connection is left open until the
+ *   query is competed.
+ *   RAND_query_egd_bytes() returns with
+ *     -1  if an error occured during connection or communication.
+ *     num the number of bytes read from the EGD socket. This number is either
+ *         the number of bytes requested or smaller, if the EGD pool is
+ *         drained and the daemon signals that the pool is empty.
+ *   This routine does not touch any RAND_status(). This is necessary, since
+ *   PRNG functions may call it during initialization.
+ *
+ * RAND_egd_bytes(path, bytes) will query "bytes" bytes and have them
+ *   used to seed the PRNG.
+ *   RAND_egd_bytes() is a wrapper for RAND_query_egd_bytes() with buf=NULL.
+ *   Unlike RAND_query_egd_bytes(), RAND_status() is used to test the
+ *   seed status so that the return value can reflect the seed state:
+ *     -1  if an error occured during connection or communication _or_
+ *         if the PRNG has still not received the required seeding.
+ *     num the number of bytes read from the EGD socket. This number is either
+ *         the number of bytes requested or smaller, if the EGD pool is
+ *         drained and the daemon signals that the pool is empty.
+ *
+ * RAND_egd(path) will query 255 bytes and use the bytes retreived to seed
+ *   the PRNG.
+ *   RAND_egd() is a wrapper for RAND_egd_bytes() with numbytes=255.
  */
 
-#if defined(WIN32) || defined(VMS) || defined(__VMS)
+#if defined(OPENSSL_SYS_WIN32) || defined(VMS) || defined(__VMS)
+int RAND_query_egd_bytes(const char *path, unsigned char *buf, int bytes)
+        {
+        return(-1);
+        }
 int RAND_egd(const char *path)
         {
         return(-1);
@@ -75,7 +114,11 @@ int RAND_egd_bytes(const char *path,int bytes)
 #include <sys/types.h>
 #include <sys/socket.h>
 #ifndef NO_SYS_UN_H
-#include <sys/un.h>
+# ifdef OPENSSL_SYS_VSWORKS
+#   include <streams/un.h>
+# else
+#   include <sys/un.h>
+# endif
 #else
 struct  sockaddr_un {
         short   sun_family;             /* AF_UNIX */
@@ -83,50 +126,20 @@ struct	sockaddr_un {
 };
 #endif /* NO_SYS_UN_H */
 #include <string.h>
+#include <errno.h>
 
 #ifndef offsetof
 #  define offsetof(TYPE, MEMBER) ((size_t) &((TYPE *)0)->MEMBER)
 #endif
 
-int RAND_egd(const char *path)
-        {
-        int ret = -1;
-        struct sockaddr_un addr;
-        int len, num;
-        int fd = -1;
-        unsigned char buf[256];
-
-        memset(&addr, 0, sizeof(addr));
-        addr.sun_family = AF_UNIX;
-        if (strlen(path) > sizeof(addr.sun_path))
-                return (-1);
-        strcpy(addr.sun_path,path);
-        len = offsetof(struct sockaddr_un, sun_path) + strlen(path);
-        fd = socket(AF_UNIX, SOCK_STREAM, 0);
-        if (fd == -1) return (-1);
-        if (connect(fd, (struct sockaddr *)&addr, len) == -1) goto err;
-        buf[0] = 1;
-        buf[1] = 255;
-        write(fd, buf, 2);
-        if (read(fd, buf, 1) != 1) goto err;
-        if (buf[0] == 0) goto err;
-        num = read(fd, buf, 255);
-        if (num < 1) goto err;
-        RAND_seed(buf, num);
-        if (RAND_status() == 1)
-                ret = num;
- err:
-        if (fd != -1) close(fd);
-        return(ret);
-        }
-
-int RAND_egd_bytes(const char *path,int bytes)
+int RAND_query_egd_bytes(const char *path, unsigned char *buf, int bytes)
         {
         int ret = 0;
         struct sockaddr_un addr;
-        int len, num;
+        int len, num, numbytes;
         int fd = -1;
-        unsigned char buf[255];
+        int success;
+        unsigned char egdbuf[2], tempbuf[255], *retrievebuf;
 
         memset(&addr, 0, sizeof(addr));
         addr.sun_family = AF_UNIX;
@@ -136,34 +149,126 @@ int RAND_egd_bytes(const char *path,int bytes)
         len = offsetof(struct sockaddr_un, sun_path) + strlen(path);
         fd = socket(AF_UNIX, SOCK_STREAM, 0);
         if (fd == -1) return (-1);
-        if (connect(fd, (struct sockaddr *)&addr, len) == -1) goto err;
+        success = 0;
+        while (!success)
+            {
+            if (connect(fd, (struct sockaddr *)&addr, len) == 0)
+               success = 1;
+            else
+                {
+                switch (errno)
+                    {
+#ifdef EINTR
+                    case EINTR:
+#endif
+#ifdef EAGAIN
+                    case EAGAIN:
+#endif
+#ifdef EINPROGRESS
+                    case EINPROGRESS:
+#endif
+#ifdef EALREADY
+                    case EALREADY:
+#endif
+                        /* No error, try again */
+                        break;
+#ifdef EISCONN
+                    case EISCONN:
+                        success = 1;
+                        break;
+#endif
+                    default:
+                        goto err;       /* failure */
+                    }
+                }
+            }
 
         while(bytes > 0)
             {
-            buf[0] = 1;
-            buf[1] = bytes < 255 ? bytes : 255;
-            write(fd, buf, 2);
-            if (read(fd, buf, 1) != 1)
+            egdbuf[0] = 1;
+            egdbuf[1] = bytes < 255 ? bytes : 255;
+            numbytes = 0;
+            while (numbytes != 2)
                 {
-                ret=-1;
-                goto err;
+                num = write(fd, egdbuf + numbytes, 2 - numbytes);
+                if (num >= 0)
+                    numbytes += num;
+                else
+                    {
+                    switch (errno)
+                        {
+#ifdef EINTR
+                        case EINTR:
+#endif
+#ifdef EAGAIN
+                        case EAGAIN:
+#endif
+                            /* No error, try again */
+                            break;
+                        default:
+                            ret = -1;
+                            goto err;   /* failure */
+                        }
+                    }
                 }
-            if(buf[0] == 0)
-                goto err;
-            num = read(fd, buf, buf[0]);
-            if (num < 1)
+            numbytes = 0;
+            while (numbytes != 1)
                 {
-                ret=-1;
-                goto err;
+                num = read(fd, egdbuf, 1);
+                if (num >= 0)
+                    numbytes += num;
+                else
+                    {
+                    switch (errno)
+                        {
+#ifdef EINTR
+                        case EINTR:
+#endif
+#ifdef EAGAIN
+                        case EAGAIN:
+#endif
+                            /* No error, try again */
+                            break;
+                        default:
+                            ret = -1;
+                            goto err;   /* failure */
+                        }
+                    }
                 }
-            RAND_seed(buf, num);
-            if (RAND_status() != 1)
-                {
-                ret=-1;
+            if(egdbuf[0] == 0)
                 goto err;
+            if (buf)
+                retrievebuf = buf + ret;
+            else
+                retrievebuf = tempbuf;
+            numbytes = 0;
+            while (numbytes != egdbuf[0])
+                {
+                num = read(fd, retrievebuf + numbytes, egdbuf[0] - numbytes);
+                if (num >= 0)
+                    numbytes += num;
+                else
+                    {
+                    switch (errno)
+                        {
+#ifdef EINTR
+                        case EINTR:
+#endif
+#ifdef EAGAIN
+                        case EAGAIN:
+#endif
+                            /* No error, try again */
+                            break;
+                        default:
+                            ret = -1;
+                            goto err;   /* failure */
+                        }
+                    }
                 }
-            ret += num;
-            bytes-=num;
+            ret += egdbuf[0];
+            bytes -= egdbuf[0];
+            if (!buf)
+                RAND_seed(tempbuf, egdbuf[0]);
             }
  err:
         if (fd != -1) close(fd);
@@ -171,4 +276,23 @@ int RAND_egd_bytes(const char *path,int bytes)
         }
 
 
+int RAND_egd_bytes(const char *path, int bytes)
+        {
+        int num, ret = 0;
+
+        num = RAND_query_egd_bytes(path, NULL, bytes);
+        if (num < 1) goto err;
+        if (RAND_status() == 1)
+            ret = num;
+ err:
+        return(ret);
+        }
+
+
+int RAND_egd(const char *path)
+        {
+        return (RAND_egd_bytes(path, 255));
+        }
+
+
 #endif
diff --git a/src/lib/libcrypto/rand/rand_err.c b/src/lib/libcrypto/rand/rand_err.c
index 1af0aa0b8a..b77267e213 100644
--- a/src/lib/libcrypto/rand/rand_err.c
+++ b/src/lib/libcrypto/rand/rand_err.c
@@ -63,9 +63,10 @@
 #include <openssl/rand.h>
 
 /* BEGIN ERROR CODES */
-#ifndef NO_ERR
+#ifndef OPENSSL_NO_ERR
 static ERR_STRING_DATA RAND_str_functs[]=
         {
+{ERR_PACK(0,RAND_F_RAND_GET_RAND_METHOD,0),     "RAND_get_rand_method"},
 {ERR_PACK(0,RAND_F_SSLEAY_RAND_BYTES,0),        "SSLEAY_RAND_BYTES"},
 {0,NULL}
         };
@@ -85,7 +86,7 @@ void ERR_load_RAND_strings(void)
         if (init)
                 {
                 init=0;
-#ifndef NO_ERR
+#ifndef OPENSSL_NO_ERR
                 ERR_load_strings(ERR_LIB_RAND,RAND_str_functs);
                 ERR_load_strings(ERR_LIB_RAND,RAND_str_reasons);
 #endif
diff --git a/src/lib/libcrypto/rand/rand_lcl.h b/src/lib/libcrypto/rand/rand_lcl.h
index 120e9366d2..618a8ec899 100644
--- a/src/lib/libcrypto/rand/rand_lcl.h
+++ b/src/lib/libcrypto/rand/rand_lcl.h
@@ -1,4 +1,4 @@
-/* crypto/rand/md_rand.c */
+/* crypto/rand/rand_lcl.h */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -112,72 +112,46 @@
 #ifndef HEADER_RAND_LCL_H
 #define HEADER_RAND_LCL_H
 
-#define ENTROPY_NEEDED 20  /* require 160 bits = 20 bytes of randomness */
+#define ENTROPY_NEEDED 32  /* require 256 bits = 32 bytes of randomness */
 
 
 #if !defined(USE_MD5_RAND) && !defined(USE_SHA1_RAND) && !defined(USE_MDC2_RAND) && !defined(USE_MD2_RAND)
-#if !defined(NO_SHA) && !defined(NO_SHA1)
+#if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1)
 #define USE_SHA1_RAND
-#elif !defined(NO_MD5)
+#elif !defined(OPENSSL_NO_MD5)
 #define USE_MD5_RAND
-#elif !defined(NO_MDC2) && !defined(NO_DES)
+#elif !defined(OPENSSL_NO_MDC2) && !defined(OPENSSL_NO_DES)
 #define USE_MDC2_RAND
-#elif !defined(NO_MD2)
+#elif !defined(OPENSSL_NO_MD2)
 #define USE_MD2_RAND
 #else
 #error No message digest algorithm available
 #endif
 #endif
 
+#include <openssl/evp.h>
+#define MD_Update(a,b,c)        EVP_DigestUpdate(a,b,c)
+#define MD_Final(a,b)           EVP_DigestFinal_ex(a,b,NULL)
 #if defined(USE_MD5_RAND)
 #include <openssl/md5.h>
 #define MD_DIGEST_LENGTH        MD5_DIGEST_LENGTH
-#define MD(a,b,c)               MD5(a,b,c)
+#define MD_Init(a)              EVP_DigestInit_ex(a,EVP_md5(), NULL)
+#define MD(a,b,c)               EVP_Digest(a,b,c,NULL,EVP_md5(), NULL)
 #elif defined(USE_SHA1_RAND)
 #include <openssl/sha.h>
 #define MD_DIGEST_LENGTH        SHA_DIGEST_LENGTH
-#define MD(a,b,c)               SHA1(a,b,c)
+#define MD_Init(a)              EVP_DigestInit_ex(a,EVP_sha1(), NULL)
+#define MD(a,b,c)               EVP_Digest(a,b,c,NULL,EVP_sha1(), NULL)
 #elif defined(USE_MDC2_RAND)
 #include <openssl/mdc2.h>
 #define MD_DIGEST_LENGTH        MDC2_DIGEST_LENGTH
-#define MD(a,b,c)               MDC2(a,b,c)
+#define MD_Init(a)              EVP_DigestInit_ex(a,EVP_mdc2(), NULL)
+#define MD(a,b,c)               EVP_Digest(a,b,c,NULL,EVP_mdc2(), NULL)
 #elif defined(USE_MD2_RAND)
 #include <openssl/md2.h>
 #define MD_DIGEST_LENGTH        MD2_DIGEST_LENGTH
-#define MD(a,b,c)               MD2(a,b,c)
-#endif
-#if defined(USE_MD5_RAND)
-#include <openssl/md5.h>
-#define MD_DIGEST_LENGTH        MD5_DIGEST_LENGTH
-#define MD_CTX                  MD5_CTX
-#define MD_Init(a)              MD5_Init(a)
-#define MD_Update(a,b,c)        MD5_Update(a,b,c)
-#define MD_Final(a,b)           MD5_Final(a,b)
-#define MD(a,b,c)               MD5(a,b,c)
-#elif defined(USE_SHA1_RAND)
-#include <openssl/sha.h>
-#define MD_DIGEST_LENGTH        SHA_DIGEST_LENGTH
-#define MD_CTX                  SHA_CTX
-#define MD_Init(a)              SHA1_Init(a)
-#define MD_Update(a,b,c)        SHA1_Update(a,b,c)
-#define MD_Final(a,b)           SHA1_Final(a,b)
-#define MD(a,b,c)               SHA1(a,b,c)
-#elif defined(USE_MDC2_RAND)
-#include <openssl/mdc2.h>
-#define MD_DIGEST_LENGTH        MDC2_DIGEST_LENGTH
-#define MD_CTX                  MDC2_CTX
-#define MD_Init(a)              MDC2_Init(a)
-#define MD_Update(a,b,c)        MDC2_Update(a,b,c)
-#define MD_Final(a,b)           MDC2_Final(a,b)
-#define MD(a,b,c)               MDC2(a,b,c)
-#elif defined(USE_MD2_RAND)
-#include <openssl/md2.h>
-#define MD_DIGEST_LENGTH        MD2_DIGEST_LENGTH
-#define MD_CTX                  MD2_CTX
-#define MD_Init(a)              MD2_Init(a)
-#define MD_Update(a,b,c)        MD2_Update(a,b,c)
-#define MD_Final(a,b)           MD2_Final(a,b)
-#define MD(a,b,c)               MD2(a,b,c)
+#define MD_Init(a)              EVP_DigestInit_ex(a,EVP_md2(), NULL)
+#define MD(a,b,c)               EVP_Digest(a,b,c,NULL,EVP_md2(), NULL)
 #endif
 
 
diff --git a/src/lib/libcrypto/rand/rand_lib.c b/src/lib/libcrypto/rand/rand_lib.c
index 57eff0f132..5cf5dc1188 100644
--- a/src/lib/libcrypto/rand/rand_lib.c
+++ b/src/lib/libcrypto/rand/rand_lib.c
@@ -58,62 +58,92 @@
 
 #include <stdio.h>
 #include <time.h>
+#include "cryptlib.h"
 #include <openssl/rand.h>
 #include <openssl/engine.h>
 
-static ENGINE *rand_engine=NULL;
+/* non-NULL if default_RAND_meth is ENGINE-provided */
+static ENGINE *funct_ref =NULL;
+static const RAND_METHOD *default_RAND_meth = NULL;
 
-#if 0
-void RAND_set_rand_method(RAND_METHOD *meth)
+int RAND_set_rand_method(const RAND_METHOD *meth)
         {
-        rand_meth=meth;
+        if(funct_ref)
+                {
+                ENGINE_finish(funct_ref);
+                funct_ref = NULL;
+                }
+        default_RAND_meth = meth;
+        return 1;
         }
-#else
-int RAND_set_rand_method(ENGINE *engine)
+
+const RAND_METHOD *RAND_get_rand_method(void)
         {
-        ENGINE *mtmp;
-        mtmp = rand_engine;
-        if (!ENGINE_init(engine))
-                return 0;
-        rand_engine = engine;
-        /* SHOULD ERROR CHECK THIS!!! */
-        ENGINE_finish(mtmp);
-        return 1;
+        if (!default_RAND_meth)
+                {
+                ENGINE *e = ENGINE_get_default_RAND();
+                if(e)
+                        {
+                        default_RAND_meth = ENGINE_get_RAND(e);
+                        if(!default_RAND_meth)
+                                {
+                                ENGINE_finish(e);
+                                e = NULL;
+                                }
+                        }
+                if(e)
+                        funct_ref = e;
+                else
+                        default_RAND_meth = RAND_SSLeay();
+                }
+        return default_RAND_meth;
         }
-#endif
 
-RAND_METHOD *RAND_get_rand_method(void)
+int RAND_set_rand_engine(ENGINE *engine)
         {
-        if (rand_engine == NULL
-                && (rand_engine = ENGINE_get_default_RAND()) == NULL)
-                return NULL;
-        return ENGINE_get_RAND(rand_engine);
+        const RAND_METHOD *tmp_meth = NULL;
+        if(engine)
+                {
+                if(!ENGINE_init(engine))
+                        return 0;
+                tmp_meth = ENGINE_get_RAND(engine);
+                if(!tmp_meth)
+                        {
+                        ENGINE_finish(engine);
+                        return 0;
+                        }
+                }
+        /* This function releases any prior ENGINE so call it first */
+        RAND_set_rand_method(tmp_meth);
+        funct_ref = engine;
+        return 1;
         }
 
 void RAND_cleanup(void)
         {
-        RAND_METHOD *meth = RAND_get_rand_method();
+        const RAND_METHOD *meth = RAND_get_rand_method();
         if (meth && meth->cleanup)
                 meth->cleanup();
+        RAND_set_rand_method(NULL);
         }
 
 void RAND_seed(const void *buf, int num)
         {
-        RAND_METHOD *meth = RAND_get_rand_method();
+        const RAND_METHOD *meth = RAND_get_rand_method();
         if (meth && meth->seed)
                 meth->seed(buf,num);
         }
 
 void RAND_add(const void *buf, int num, double entropy)
         {
-        RAND_METHOD *meth = RAND_get_rand_method();
+        const RAND_METHOD *meth = RAND_get_rand_method();
         if (meth && meth->add)
                 meth->add(buf,num,entropy);
         }
 
 int RAND_bytes(unsigned char *buf, int num)
         {
-        RAND_METHOD *meth = RAND_get_rand_method();
+        const RAND_METHOD *meth = RAND_get_rand_method();
         if (meth && meth->bytes)
                 return meth->bytes(buf,num);
         return(-1);
@@ -121,7 +151,7 @@ int RAND_bytes(unsigned char *buf, int num)
 
 int RAND_pseudo_bytes(unsigned char *buf, int num)
         {
-        RAND_METHOD *meth = RAND_get_rand_method();
+        const RAND_METHOD *meth = RAND_get_rand_method();
         if (meth && meth->pseudorand)
                 return meth->pseudorand(buf,num);
         return(-1);
@@ -129,7 +159,7 @@ int RAND_pseudo_bytes(unsigned char *buf, int num)
 
 int RAND_status(void)
         {
-        RAND_METHOD *meth = RAND_get_rand_method();
+        const RAND_METHOD *meth = RAND_get_rand_method();
         if (meth && meth->status)
                 return meth->status();
         return 0;
diff --git a/src/lib/libcrypto/rand/rand_os2.c b/src/lib/libcrypto/rand/rand_os2.c
new file mode 100644
index 0000000000..c3e36d4e5e
--- /dev/null
+++ b/src/lib/libcrypto/rand/rand_os2.c
@@ -0,0 +1,147 @@
+/* crypto/rand/rand_os2.c */
+/* ====================================================================
+ * Copyright (c) 1998-2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include "cryptlib.h"
+#include <openssl/rand.h>
+#include "rand_lcl.h"
+
+#ifdef OPENSSL_SYS_OS2
+
+#define INCL_DOSPROCESS
+#define INCL_DOSPROFILE
+#define INCL_DOSMISC
+#define INCL_DOSMODULEMGR
+#include <os2.h>
+
+#define   CMD_KI_RDCNT    (0x63)
+
+typedef struct _CPUUTIL {
+    ULONG ulTimeLow;            /* Low 32 bits of time stamp      */
+    ULONG ulTimeHigh;           /* High 32 bits of time stamp     */
+    ULONG ulIdleLow;            /* Low 32 bits of idle time       */
+    ULONG ulIdleHigh;           /* High 32 bits of idle time      */
+    ULONG ulBusyLow;            /* Low 32 bits of busy time       */
+    ULONG ulBusyHigh;           /* High 32 bits of busy time      */
+    ULONG ulIntrLow;            /* Low 32 bits of interrupt time  */
+    ULONG ulIntrHigh;           /* High 32 bits of interrupt time */
+} CPUUTIL;
+
+APIRET APIENTRY(*DosPerfSysCall) (ULONG ulCommand, ULONG ulParm1, ULONG ulParm2, ULONG ulParm3) = NULL;
+APIRET APIENTRY(*DosQuerySysState) (ULONG func, ULONG arg1, ULONG pid, ULONG _res_, PVOID buf, ULONG bufsz) = NULL;
+HMODULE hDoscalls = 0;
+
+int RAND_poll(void)
+{
+    char failed_module[20];
+    QWORD qwTime;
+    ULONG SysVars[QSV_FOREGROUND_PROCESS];
+
+    if (hDoscalls == 0) {
+        ULONG rc = DosLoadModule(failed_module, sizeof(failed_module), "DOSCALLS", &hDoscalls);
+
+        if (rc == 0) {
+            rc = DosQueryProcAddr(hDoscalls, 976, NULL, (PFN *)&DosPerfSysCall);
+
+            if (rc)
+                DosPerfSysCall = NULL;
+
+            rc = DosQueryProcAddr(hDoscalls, 368, NULL, (PFN *)&DosQuerySysState);
+
+            if (rc)
+                DosQuerySysState = NULL;
+        }
+    }
+
+    /* Sample the hi-res timer, runs at around 1.1 MHz */
+    DosTmrQueryTime(&qwTime);
+    RAND_add(&qwTime, sizeof(qwTime), 2);
+
+    /* Sample a bunch of system variables, includes various process & memory statistics */
+    DosQuerySysInfo(1, QSV_FOREGROUND_PROCESS, SysVars, sizeof(SysVars));
+    RAND_add(SysVars, sizeof(SysVars), 4);
+
+    /* If available, sample CPU registers that count at CPU MHz
+     * Only fairly new CPUs (PPro & K6 onwards) & OS/2 versions support this
+     */
+    if (DosPerfSysCall) {
+        CPUUTIL util;
+
+        if (DosPerfSysCall(CMD_KI_RDCNT, (ULONG)&util, 0, 0) == 0) {
+            RAND_add(&util, sizeof(util), 10);
+        }
+        else {
+            DosPerfSysCall = NULL;
+        }
+    }
+
+    /* DosQuerySysState() gives us a huge quantity of process, thread, memory & handle stats */
+    if (DosQuerySysState) {
+        char *buffer = OPENSSL_malloc(256 * 1024);
+
+        if (DosQuerySysState(0x1F, 0, 0, 0, buffer, 256 * 1024) == 0) {
+            /* First 4 bytes in buffer is a pointer to the thread count
+             * there should be at least 1 byte of entropy per thread
+             */
+            RAND_add(buffer, 256 * 1024, **(ULONG **)buffer);
+        }
+
+        OPENSSL_free(buffer);
+        return 1;
+    }
+
+    return 0;
+}
+
+#endif /* OPENSSL_SYS_OS2 */
diff --git a/src/lib/libcrypto/rand/rand_unix.c b/src/lib/libcrypto/rand/rand_unix.c
new file mode 100644
index 0000000000..0b29235130
--- /dev/null
+++ b/src/lib/libcrypto/rand/rand_unix.c
@@ -0,0 +1,274 @@
+/* crypto/rand/rand_unix.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+/* ====================================================================
+ * Copyright (c) 1998-2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include "cryptlib.h"
+#include <openssl/rand.h>
+#include "rand_lcl.h"
+
+#if !(defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_OS2))
+
+#include <sys/types.h>
+#include <sys/time.h>
+#include <sys/times.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <time.h>
+
+#ifdef __OpenBSD__
+#undef DEVRANDOM
+#define DEVRANDOM "/dev/arandom"
+int RAND_poll(void)
+{
+        unsigned long l;
+        pid_t curr_pid = getpid();
+        FILE *fh;
+
+        /* Use a random entropy pool device. Linux, FreeBSD and OpenBSD
+         * have this. Use /dev/urandom if you can as /dev/random may block
+         * if it runs out of random entries.  */
+
+        if ((fh = fopen(DEVRANDOM, "r")) != NULL)
+                {
+                unsigned char tmpbuf[ENTROPY_NEEDED];
+                int n;
+
+                setvbuf(fh, NULL, _IONBF, 0);
+                n=fread((unsigned char *)tmpbuf,1,ENTROPY_NEEDED,fh);
+                fclose(fh);
+                RAND_add(tmpbuf,sizeof tmpbuf,n);
+                memset(tmpbuf,0,n);
+                }
+
+        /* put in some default random data, we need more than just this */
+        l=curr_pid;
+        RAND_add(&l,sizeof(l),0);
+        l=getuid();
+        RAND_add(&l,sizeof(l),0);
+
+        l=time(NULL);
+        RAND_add(&l,sizeof(l),0);
+
+        return 1;
+}
+#else
+int RAND_poll(void)
+{
+        unsigned long l;
+        pid_t curr_pid = getpid();
+#if defined(DEVRANDOM) || defined(DEVRANDOM_EGD)
+        unsigned char tmpbuf[ENTROPY_NEEDED];
+        int n = 0;
+#endif
+#ifdef DEVRANDOM
+        static const char *randomfiles[] = { DEVRANDOM, NULL };
+        const char **randomfile = NULL;
+        int fd;
+#endif
+#ifdef DEVRANDOM_EGD
+        static const char *egdsockets[] = { DEVRANDOM_EGD, NULL };
+        const char **egdsocket = NULL;
+#endif
+
+#ifdef DEVRANDOM
+        /* Use a random entropy pool device. Linux, FreeBSD and OpenBSD
+         * have this. Use /dev/urandom if you can as /dev/random may block
+         * if it runs out of random entries.  */
+
+        for (randomfile = randomfiles; *randomfile && n < ENTROPY_NEEDED; randomfile++)
+                {
+                if ((fd = open(*randomfile, O_RDONLY|O_NONBLOCK
+#ifdef O_NOCTTY /* If it happens to be a TTY (god forbid), do not make it
+                   our controlling tty */
+                        |O_NOCTTY
+#endif
+#ifdef O_NOFOLLOW /* Fail if the file is a symbolic link */
+                        |O_NOFOLLOW
+#endif
+                        )) >= 0)
+                        {
+                        struct timeval t = { 0, 10*1000 }; /* Spend 10ms on
+                                                              each file. */
+                        int r;
+                        fd_set fset;
+
+                        do
+                                {
+                                FD_ZERO(&fset);
+                                FD_SET(fd, &fset);
+                                r = -1;
+
+                                if (select(fd+1,&fset,NULL,NULL,&t) < 0)
+                                        t.tv_usec=0;
+                                else if (FD_ISSET(fd, &fset))
+                                        {
+                                        r=read(fd,(unsigned char *)tmpbuf+n,
+                                               ENTROPY_NEEDED-n);
+                                        if (r > 0)
+                                                n += r;
+                                        }
+
+                                /* Some Unixen will update t, some
+                                   won't.  For those who won't, give
+                                   up here, otherwise, we will do
+                                   this once again for the remaining
+                                   time. */
+                                if (t.tv_usec == 10*1000)
+                                        t.tv_usec=0;
+                                }
+                        while ((r > 0 || (errno == EINTR || errno == EAGAIN))
+                                && t.tv_usec != 0 && n < ENTROPY_NEEDED);
+
+                        close(fd);
+                        }
+                }
+#endif
+
+#ifdef DEVRANDOM_EGD
+        /* Use an EGD socket to read entropy from an EGD or PRNGD entropy
+         * collecting daemon. */
+
+        for (egdsocket = egdsockets; *egdsocket && n < ENTROPY_NEEDED; egdsocket++)
+                {
+                int r;
+
+                r = RAND_query_egd_bytes(*egdsocket, (unsigned char *)tmpbuf+n,
+                                         ENTROPY_NEEDED-n);
+                if (r > 0)
+                        n += r;
+                }
+#endif
+
+#if defined(DEVRANDOM) || defined(DEVRANDOM_EGD)
+        if (n > 0)
+                {
+                RAND_add(tmpbuf,sizeof tmpbuf,n);
+                memset(tmpbuf,0,n);
+                }
+#endif
+
+        /* put in some default random data, we need more than just this */
+        l=curr_pid;
+        RAND_add(&l,sizeof(l),0);
+        l=getuid();
+        RAND_add(&l,sizeof(l),0);
+
+        l=time(NULL);
+        RAND_add(&l,sizeof(l),0);
+
+#if defined(DEVRANDOM) || defined(DEVRANDOM_EGD)
+        return 1;
+#else
+        return 0;
+#endif
+}
+
+#endif
+#endif
diff --git a/src/lib/libcrypto/rand/rand_vms.c b/src/lib/libcrypto/rand/rand_vms.c
new file mode 100644
index 0000000000..29b2d7af0b
--- /dev/null
+++ b/src/lib/libcrypto/rand/rand_vms.c
@@ -0,0 +1,135 @@
+/* crypto/rand/rand_vms.c -*- mode:C; c-file-style: "eay" -*- */
+/* Written by Richard Levitte <richard@levitte.org> for the OpenSSL
+ * project 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 1998-2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <openssl/rand.h>
+#include "rand_lcl.h"
+
+#if defined(OPENSSL_SYS_VMS)
+
+#include <descrip.h>
+#include <jpidef.h>
+#include <ssdef.h>
+#include <starlet.h>
+#ifdef __DECC
+# pragma message disable DOLLARID
+#endif
+
+static struct items_data_st
+        {
+        short length, code;     /* length is amount of bytes */
+        } items_data[] =
+                { { 4, JPI$_BUFIO },
+                  { 4, JPI$_CPUTIM },
+                  { 4, JPI$_DIRIO },
+                  { 8, JPI$_LOGINTIM },
+                  { 4, JPI$_PAGEFLTS },
+                  { 4, JPI$_PID },
+                  { 4, JPI$_WSSIZE },
+                  { 0, 0 }
+                };
+                  
+int RAND_poll(void)
+        {
+        long pid, iosb[2];
+        int status = 0;
+        struct
+                {
+                short length, code;
+                long *buffer;
+                int *retlen;
+                } item[32], *pitem;
+        unsigned char data_buffer[256];
+        short total_length = 0;
+        struct items_data_st *pitems_data;
+
+        pitems_data = items_data;
+        pitem = item;
+
+        /* Setup */
+        while (pitems_data->length)
+                {
+                pitem->length = pitems_data->length;
+                pitem->code = pitems_data->code;
+                pitem->buffer = (long *)data_buffer[total_length];
+                pitem->retlen = 0;
+                total_length += pitems_data->length;
+                pitems_data++;
+                pitem++;
+                }
+        pitem->length = pitem->code = 0;
+
+        /*
+         * Scan through all the processes in the system and add entropy with
+         * results from the processes that were possible to look at.
+         * However, view the information as only half trustable.
+         */
+        pid = -1;                       /* search context */
+        while ((status = sys$getjpiw(0, &pid,  0, item, iosb, 0, 0))
+                != SS$_NOMOREPROC)
+                {
+                if (status == SS$_NORMAL)
+                        {
+                        RAND_add(data_buffer, total_length, total_length/2);
+                        }
+                }
+        sys$gettim(iosb);
+        RAND_add((unsigned char *)iosb, sizeof(iosb), sizeof(iosb)/2);
+        return 1;
+}
+
+#endif
diff --git a/src/lib/libcrypto/rand/rand_win.c b/src/lib/libcrypto/rand/rand_win.c
index 3d137badd0..c1b955b06f 100644
--- a/src/lib/libcrypto/rand/rand_win.c
+++ b/src/lib/libcrypto/rand/rand_win.c
@@ -113,7 +113,7 @@
 #include <openssl/rand.h>
 #include "rand_lcl.h"
 
-#if defined(WINDOWS) || defined(WIN32)
+#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_WIN32)
 #include <windows.h>
 #ifndef _WIN32_WINNT
 # define _WIN32_WINNT 0x0400
@@ -254,6 +254,10 @@ int RAND_poll(void)
          * at random times on Windows 2000.  Reported by Jeffrey Altman.  
          * Only use it on NT.
          */
+        /* Wolfgang Marczy <WMarczy@topcall.co.at> reports that
+         * the RegQueryValueEx call below can hang on NT4.0 (SP6).
+         * So we don't use this at all for now. */
+#if 0
         if ( osverinfo.dwPlatformId == VER_PLATFORM_WIN32_NT &&
                 osverinfo.dwMajorVersion < 5)
                 {
@@ -290,6 +294,7 @@ int RAND_poll(void)
                 if (buf)
                         free(buf);
                 }
+#endif
 
         if (advapi)
                 {
@@ -310,8 +315,8 @@ int RAND_poll(void)
                         {
                         if (gen(hProvider, sizeof(buf), buf) != 0)
                                 {
-                                RAND_add(buf, sizeof(buf), sizeof(buf));
-#ifdef DEBUG
+                                RAND_add(buf, sizeof(buf), 0);
+#if 0
                                 printf("randomness from PROV_RSA_FULL\n");
 #endif
                                 }
@@ -324,7 +329,7 @@ int RAND_poll(void)
                         if (gen(hProvider, sizeof(buf), buf) != 0)
                                 {
                                 RAND_add(buf, sizeof(buf), sizeof(buf));
-#ifdef DEBUG
+#if 0
                                 printf("randomness from PROV_INTEL_SEC\n");
 #endif
                                 }
@@ -461,7 +466,7 @@ int RAND_poll(void)
                                                 hlist.th32ProcessID,
                                                 hlist.th32HeapID))
                                                 {
-                                                int entrycnt = 50;
+                                                int entrycnt = 80;
                                                 do
                                                         RAND_add(&hentry,
                                                                 hentry.dwSize, 5);
@@ -510,7 +515,7 @@ int RAND_poll(void)
                 FreeLibrary(kernel);
                 }
 
-#ifdef DEBUG
+#if 0
         printf("Exiting RAND_poll\n");
 #endif
 
@@ -685,50 +690,4 @@ static void readscreen(void)
   DeleteDC(hScrDC);
 }
 
-#else /* Unix version */
-
-#include <time.h>
-
-int RAND_poll(void)
-{
-        unsigned long l;
-        pid_t curr_pid = getpid();
-#ifdef DEVRANDOM
-        FILE *fh;
-#endif
-
-#ifdef DEVRANDOM
-        /* Use a random entropy pool device. Linux, FreeBSD and OpenBSD
-         * have this. Use /dev/urandom if you can as /dev/random may block
-         * if it runs out of random entries.  */
-
-        if ((fh = fopen(DEVRANDOM, "r")) != NULL)
-                {
-                unsigned char tmpbuf[ENTROPY_NEEDED];
-                int n;
-                
-                setvbuf(fh, NULL, _IONBF, 0);
-                n=fread((unsigned char *)tmpbuf,1,ENTROPY_NEEDED,fh);
-                fclose(fh);
-                RAND_add(tmpbuf,sizeof tmpbuf,n);
-                memset(tmpbuf,0,n);
-                }
-#endif
-
-        /* put in some default random data, we need more than just this */
-        l=curr_pid;
-        RAND_add(&l,sizeof(l),0);
-        l=getuid();
-        RAND_add(&l,sizeof(l),0);
-
-        l=time(NULL);
-        RAND_add(&l,sizeof(l),0);
-
-#ifdef DEVRANDOM
-        return 1;
-#else
-        return 0;
-#endif
-}
-
 #endif
diff --git a/src/lib/libcrypto/rand/randfile.c b/src/lib/libcrypto/rand/randfile.c
index c4eb79ac5f..4b221e08f5 100644
--- a/src/lib/libcrypto/rand/randfile.c
+++ b/src/lib/libcrypto/rand/randfile.c
@@ -61,7 +61,11 @@
 #include <stdlib.h>
 #include <string.h>
 
-#ifdef VMS
+#include "e_os.h"
+#include <openssl/crypto.h>
+#include <openssl/rand.h>
+
+#ifdef OPENSSL_SYS_VMS
 #include <unixio.h>
 #endif
 #ifndef NO_SYS_TYPES_H
@@ -73,10 +77,6 @@
 # include <sys/stat.h>
 #endif
 
-#include "openssl/e_os.h"
-#include <openssl/crypto.h>
-#include <openssl/rand.h>
-
 #undef BUFSIZE
 #define BUFSIZE 1024
 #define RAND_DATA 1024
@@ -158,7 +158,7 @@ int RAND_write_file(const char *file)
           }
         }
 
-#if defined(O_CREAT) && !defined(WIN32)
+#if defined(O_CREAT) && !defined(OPENSSL_SYS_WIN32)
         /* For some reason Win32 can't write to files created this way */
         
         /* chmod(..., 0600) is too late to protect the file,
@@ -190,7 +190,7 @@ int RAND_write_file(const char *file)
                 ret+=i;
                 if (n <= 0) break;
                 }
-#ifdef VMS
+#ifdef OPENSSL_SYS_VMS
         /* Try to delete older versions of the file, until there aren't
            any */
         {
@@ -208,7 +208,7 @@ int RAND_write_file(const char *file)
                                       some point... */
                 }
         }
-#endif /* VMS */
+#endif /* OPENSSL_SYS_VMS */
 
         fclose(out);
         memset(buf,0,BUFSIZE);
@@ -242,7 +242,7 @@ const char *RAND_file_name(char *buf, size_t size)
                 if (s && *s && strlen(s)+strlen(RFILE)+2 < size)
                         {
                         strlcpy(buf,s,size);
-#ifndef VMS
+#ifndef OPENSSL_SYS_VMS
                         strcat(buf,"/");
 #endif
                         strlcat(buf,RFILE,size);
@@ -252,20 +252,20 @@ const char *RAND_file_name(char *buf, size_t size)
                         buf[0] = '\0'; /* no file name */
                 }
 
-#ifdef DEVRANDOM
+#ifdef __OpenBSD__
         /* given that all random loads just fail if the file can't be 
          * seen on a stat, we stat the file we're returning, if it
-         * fails, use DEVRANDOM instead. this allows the user to 
+         * fails, use /dev/arandom instead. this allows the user to 
          * use their own source for good random data, but defaults
          * to something hopefully decent if that isn't available. 
          */
 
         if (!ok)
-                if (strlcpy(buf,DEVRANDOM,size) >= size) {
+                if (strlcpy(buf,"/dev/arandom",size) >= size) {
                         return(NULL);
                 }       
         if (stat(buf,&sb) == -1)
-                if (strlcpy(buf,DEVRANDOM,size) >= size) {
+                if (strlcpy(buf,"/dev/arandom",size) >= size) {
                         return(NULL);
                 }       
 
diff --git a/src/lib/libcrypto/rand/randtest.c b/src/lib/libcrypto/rand/randtest.c
index da96e3f695..b64de616db 100644
--- a/src/lib/libcrypto/rand/randtest.c
+++ b/src/lib/libcrypto/rand/randtest.c
@@ -73,7 +73,13 @@ int main()
         /*double d; */
         long d;
 
-        RAND_pseudo_bytes(buf,2500);
+        i = RAND_pseudo_bytes(buf,2500);
+        if (i < 0)
+                {
+                printf ("init failed, the rand method is not properly installed\n");
+                err++;
+                goto err;
+                }
 
         n1=0;
         for (i=0; i<16; i++) n2[i]=0;
@@ -201,6 +207,7 @@ int main()
                 err++;
                 }
         printf("test 4 done\n");
+ err:
         err=((err)?1:0);
         exit(err);
         return(err);
diff --git a/src/lib/libcrypto/rc2/Makefile.ssl b/src/lib/libcrypto/rc2/Makefile.ssl
index 39813d68be..73ebbfa400 100644
--- a/src/lib/libcrypto/rc2/Makefile.ssl
+++ b/src/lib/libcrypto/rc2/Makefile.ssl
@@ -11,7 +11,8 @@ INSTALL_PREFIX=
 OPENSSLDIR=     /usr/local/ssl
 INSTALLTOP=/usr/local/ssl
 MAKE=           make -f Makefile.ssl
-MAKEDEPEND=     $(TOP)/util/domd $(TOP)
+MAKEDEPPROG=    makedepend
+MAKEDEPEND=     $(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)
 MAKEFILE=       Makefile.ssl
 AR=             ar r
 
@@ -39,8 +40,7 @@ all:	lib
 
 lib:    $(LIBOBJ)
         $(AR) $(LIB) $(LIBOBJ)
-        @echo You may get an error following this line.  Please ignore.
-        - $(RANLIB) $(LIB)
+        $(RANLIB) $(LIB) || echo Never mind.
         @touch lib
 
 files:
@@ -80,12 +80,12 @@ clean:
 # DO NOT DELETE THIS LINE -- make depend depends on it.
 
 rc2_cbc.o: ../../include/openssl/opensslconf.h ../../include/openssl/rc2.h
-rc2_cbc.o: rc2_locl.h
+rc2_cbc.o: rc2_cbc.c rc2_locl.h
 rc2_ecb.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-rc2_ecb.o: ../../include/openssl/rc2.h rc2_locl.h
+rc2_ecb.o: ../../include/openssl/rc2.h rc2_ecb.c rc2_locl.h
 rc2_skey.o: ../../include/openssl/opensslconf.h ../../include/openssl/rc2.h
-rc2_skey.o: rc2_locl.h
+rc2_skey.o: rc2_locl.h rc2_skey.c
 rc2cfb64.o: ../../include/openssl/opensslconf.h ../../include/openssl/rc2.h
-rc2cfb64.o: rc2_locl.h
+rc2cfb64.o: rc2_locl.h rc2cfb64.c
 rc2ofb64.o: ../../include/openssl/opensslconf.h ../../include/openssl/rc2.h
-rc2ofb64.o: rc2_locl.h
+rc2ofb64.o: rc2_locl.h rc2ofb64.c
diff --git a/src/lib/libcrypto/rc2/rc2.h b/src/lib/libcrypto/rc2/rc2.h
index 076c0a067c..7816b454dc 100644
--- a/src/lib/libcrypto/rc2/rc2.h
+++ b/src/lib/libcrypto/rc2/rc2.h
@@ -59,7 +59,7 @@
 #ifndef HEADER_RC2_H
 #define HEADER_RC2_H
 
-#ifdef NO_RC2
+#ifdef OPENSSL_NO_RC2
 #error RC2 is disabled.
 #endif
 
diff --git a/src/lib/libcrypto/rc2/rc2speed.c b/src/lib/libcrypto/rc2/rc2speed.c
index 9f7f5ccfa3..47d34b444e 100644
--- a/src/lib/libcrypto/rc2/rc2speed.c
+++ b/src/lib/libcrypto/rc2/rc2speed.c
@@ -59,7 +59,7 @@
 /* 11-Sep-92 Andrew Daviel   Support for Silicon Graphics IRIX added */
 /* 06-Apr-92 Luke Brennan    Support for VMS and add extra signal calls */
 
-#if !defined(MSDOS) && (!defined(VMS) || defined(__DECC))
+#if !defined(OPENSSL_SYS_MSDOS) && (!defined(OPENSSL_SYS_VMS) || defined(__DECC)) && !defined(OPENSSL_SYS_MACOSX)
 #define TIMES
 #endif
 
@@ -82,7 +82,7 @@ OPENSSL_DECLARE_EXIT
    The __TMS macro will show if it was.  If it wasn't defined, we should
    undefine TIMES, since that tells the rest of the program how things
    should be handled.                           -- Richard Levitte */
-#if defined(VMS) && defined(__DECC) && !defined(__TMS)
+#if defined(OPENSSL_SYS_VMS_DECC) && !defined(__TMS)
 #undef TIMES
 #endif
 
@@ -268,7 +268,7 @@ int main(int argc, char **argv)
         printf("RC2 raw ecb bytes per sec = %12.2f (%9.3fuS)\n",b,8.0e6/b);
         printf("RC2 cbc     bytes per sec = %12.2f (%9.3fuS)\n",c,8.0e6/c);
         exit(0);
-#if defined(LINT) || defined(MSDOS)
+#if defined(LINT) || defined(OPENSSL_SYS_MSDOS)
         return(0);
 #endif
         }
diff --git a/src/lib/libcrypto/rc2/rc2test.c b/src/lib/libcrypto/rc2/rc2test.c
index 521269ded1..d9a2a0a1cb 100644
--- a/src/lib/libcrypto/rc2/rc2test.c
+++ b/src/lib/libcrypto/rc2/rc2test.c
@@ -63,7 +63,7 @@
 #include <string.h>
 #include <stdlib.h>
 
-#ifdef NO_RC2
+#ifdef OPENSSL_NO_RC2
 int main(int argc, char *argv[])
 {
     printf("No RC2 support\n");
diff --git a/src/lib/libcrypto/rc4/Makefile.ssl b/src/lib/libcrypto/rc4/Makefile.ssl
index e75858d3b9..25d9e4344c 100644
--- a/src/lib/libcrypto/rc4/Makefile.ssl
+++ b/src/lib/libcrypto/rc4/Makefile.ssl
@@ -12,7 +12,8 @@ INSTALL_PREFIX=
 OPENSSLDIR=     /usr/local/ssl
 INSTALLTOP=/usr/local/ssl
 MAKE=           make -f Makefile.ssl
-MAKEDEPEND=     $(TOP)/util/domd $(TOP)
+MAKEDEPPROG=    makedepend
+MAKEDEPEND=     $(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)
 MAKEFILE=       Makefile.ssl
 AR=             ar r
 
@@ -47,8 +48,7 @@ all:	lib
 
 lib:    $(LIBOBJ)
         $(AR) $(LIB) $(LIBOBJ)
-        @echo You may get an error following this line.  Please ignore.
-        - $(RANLIB) $(LIB)
+        $(RANLIB) $(LIB) || echo Never mind.
         @touch lib
 
 # elf
@@ -109,7 +109,7 @@ clean:
 # DO NOT DELETE THIS LINE -- make depend depends on it.
 
 rc4_enc.o: ../../include/openssl/opensslconf.h ../../include/openssl/rc4.h
-rc4_enc.o: rc4_locl.h
+rc4_enc.o: rc4_enc.c rc4_locl.h
 rc4_skey.o: ../../include/openssl/opensslconf.h
 rc4_skey.o: ../../include/openssl/opensslv.h ../../include/openssl/rc4.h
-rc4_skey.o: rc4_locl.h
+rc4_skey.o: rc4_locl.h rc4_skey.c
diff --git a/src/lib/libcrypto/rc4/rc4.c b/src/lib/libcrypto/rc4/rc4.c
index bfb0a3c1f9..c2165b0b75 100644
--- a/src/lib/libcrypto/rc4/rc4.c
+++ b/src/lib/libcrypto/rc4/rc4.c
@@ -141,7 +141,7 @@ bad:
                         }
                 }
                 
-#ifdef MSDOS
+#ifdef OPENSSL_SYS_MSDOS
         /* This should set the file to binary mode. */
         {
 #include <fcntl.h>
@@ -162,7 +162,7 @@ bad:
                 keystr=buf;
                 }
 
-        MD5((unsigned char *)keystr,(unsigned long)strlen(keystr),md);
+        EVP_Digest((unsigned char *)keystr,(unsigned long)strlen(keystr),md,NULL,EVP_md5());
         memset(keystr,0,strlen(keystr));
         RC4_set_key(&key,MD5_DIGEST_LENGTH,md);
         
diff --git a/src/lib/libcrypto/rc4/rc4.h b/src/lib/libcrypto/rc4/rc4.h
index 40251024a4..8722091f2e 100644
--- a/src/lib/libcrypto/rc4/rc4.h
+++ b/src/lib/libcrypto/rc4/rc4.h
@@ -59,7 +59,7 @@
 #ifndef HEADER_RC4_H
 #define HEADER_RC4_H
 
-#ifdef NO_RC4
+#ifdef OPENSSL_NO_RC4
 #error RC4 is disabled.
 #endif
 
diff --git a/src/lib/libcrypto/rc4/rc4speed.c b/src/lib/libcrypto/rc4/rc4speed.c
index b448f4a5c6..ced98c52df 100644
--- a/src/lib/libcrypto/rc4/rc4speed.c
+++ b/src/lib/libcrypto/rc4/rc4speed.c
@@ -59,7 +59,7 @@
 /* 11-Sep-92 Andrew Daviel   Support for Silicon Graphics IRIX added */
 /* 06-Apr-92 Luke Brennan    Support for VMS and add extra signal calls */
 
-#if !defined(MSDOS) && (!defined(VMS) || defined(__DECC))
+#if !defined(OPENSSL_SYS_MSDOS) && (!defined(OPENSSL_SYS_VMS) || defined(__DECC)) && !defined(OPENSSL_SYS_MACOSX)
 #define TIMES
 #endif
 
@@ -82,7 +82,7 @@ OPENSSL_DECLARE_EXIT
    The __TMS macro will show if it was.  If it wasn't defined, we should
    undefine TIMES, since that tells the rest of the program how things
    should be handled.                           -- Richard Levitte */
-#if defined(VMS) && defined(__DECC) && !defined(__TMS)
+#if defined(OPENSSL_SYS_VMS_DECC) && !defined(__TMS)
 #undef TIMES
 #endif
 
@@ -243,7 +243,7 @@ int main(int argc, char **argv)
         printf("RC4 set_key per sec = %12.2f (%9.3fuS)\n",a,1.0e6/a);
         printf("RC4   bytes per sec = %12.2f (%9.3fuS)\n",c,8.0e6/c);
         exit(0);
-#if defined(LINT) || defined(MSDOS)
+#if defined(LINT) || defined(OPENSSL_SYS_MSDOS)
         return(0);
 #endif
         }
diff --git a/src/lib/libcrypto/rc4/rc4test.c b/src/lib/libcrypto/rc4/rc4test.c
index 3914eb6c38..a28d457c8d 100644
--- a/src/lib/libcrypto/rc4/rc4test.c
+++ b/src/lib/libcrypto/rc4/rc4test.c
@@ -60,7 +60,7 @@
 #include <stdlib.h>
 #include <string.h>
 
-#ifdef NO_RC4
+#ifdef OPENSSL_NO_RC4
 int main(int argc, char *argv[])
 {
     printf("No RC4 support\n");
diff --git a/src/lib/libcrypto/rc5/Makefile.ssl b/src/lib/libcrypto/rc5/Makefile.ssl
index c8ee124776..25740ab961 100644
--- a/src/lib/libcrypto/rc5/Makefile.ssl
+++ b/src/lib/libcrypto/rc5/Makefile.ssl
@@ -12,7 +12,8 @@ INSTALL_PREFIX=
 OPENSSLDIR=     /usr/local/ssl
 INSTALLTOP=/usr/local/ssl
 MAKE=           make -f Makefile.ssl
-MAKEDEPEND=     $(TOP)/util/domd $(TOP)
+MAKEDEPPROG=    makedepend
+MAKEDEPEND=     $(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)
 MAKEFILE=       Makefile.ssl
 AR=             ar r
 
@@ -44,8 +45,7 @@ all:	lib
 
 lib:    $(LIBOBJ)
         $(AR) $(LIB) $(LIBOBJ)
-        @echo You may get an error following this line.  Please ignore.
-        - $(RANLIB) $(LIB)
+        $(RANLIB) $(LIB) || echo Never mind.
         @touch lib
 
 # elf
@@ -106,8 +106,8 @@ clean:
 # DO NOT DELETE THIS LINE -- make depend depends on it.
 
 rc5_ecb.o: ../../include/openssl/opensslv.h ../../include/openssl/rc5.h
-rc5_ecb.o: rc5_locl.h
-rc5_enc.o: ../../include/openssl/rc5.h rc5_locl.h
-rc5_skey.o: ../../include/openssl/rc5.h rc5_locl.h
-rc5cfb64.o: ../../include/openssl/rc5.h rc5_locl.h
-rc5ofb64.o: ../../include/openssl/rc5.h rc5_locl.h
+rc5_ecb.o: rc5_ecb.c rc5_locl.h
+rc5_enc.o: ../../include/openssl/rc5.h rc5_enc.c rc5_locl.h
+rc5_skey.o: ../../include/openssl/rc5.h rc5_locl.h rc5_skey.c
+rc5cfb64.o: ../../include/openssl/rc5.h rc5_locl.h rc5cfb64.c
+rc5ofb64.o: ../../include/openssl/rc5.h rc5_locl.h rc5ofb64.c
diff --git a/src/lib/libcrypto/rc5/rc5.h b/src/lib/libcrypto/rc5/rc5.h
index fc4cea5e36..4adfd2db5a 100644
--- a/src/lib/libcrypto/rc5/rc5.h
+++ b/src/lib/libcrypto/rc5/rc5.h
@@ -63,7 +63,7 @@
 extern "C" {
 #endif
 
-#ifdef NO_RC5
+#ifdef OPENSSL_NO_RC5
 #error RC5 is disabled.
 #endif
 
diff --git a/src/lib/libcrypto/rijndael/Makefile.ssl b/src/lib/libcrypto/rijndael/Makefile.ssl
new file mode 100644
index 0000000000..ddc480e9d7
--- /dev/null
+++ b/src/lib/libcrypto/rijndael/Makefile.ssl
@@ -0,0 +1,89 @@
+#
+# crypto/rijndael/Makefile
+#
+
+DIR=    rijndael
+TOP=    ../..
+CC=     cc
+CPP=    $(CC) -E
+INCLUDES=
+CFLAG=-g
+INSTALL_PREFIX=
+OPENSSLDIR=     /usr/local/ssl
+INSTALLTOP=/usr/local/ssl
+MAKE=           make -f Makefile.ssl
+MAKEDEPPROG=    makedepend
+MAKEDEPEND=     $(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)
+MAKEFILE=       Makefile.ssl
+AR=             ar r
+
+RD_ENC=         rd_enc.o
+# or use
+#DES_ENC=       bx86-elf.o
+
+# CFLAGS= -mpentiumpro $(INCLUDES) $(CFLAG) -O3 -fexpensive-optimizations -funroll-loops -fforce-addr
+CFLAGS= $(INCLUDES) $(CFLAG)
+
+GENERAL=Makefile
+TEST=
+APPS=
+
+LIB=$(TOP)/libcrypto.a
+LIBSRC=rd_fst.c
+LIBOBJ=rd_fst.o
+
+SRC= $(LIBSRC)
+
+EXHEADER=rd_fst.h rijndael.h
+
+top:
+        (cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
+
+all:    lib
+
+lib:    $(LIBOBJ)
+        $(AR) $(LIB) $(LIBOBJ)
+        $(RANLIB) $(LIB)
+        @touch lib
+
+$(LIBOBJ): $(LIBSRC)
+
+files:
+        $(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO
+
+links:
+        @$(TOP)/util/point.sh Makefile.ssl Makefile
+        @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
+        @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
+        @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
+
+install: installs
+
+installs:
+        @for i in $(EXHEADER) ; \
+        do  \
+        (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
+        chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
+        done;
+
+tags:
+        ctags $(SRC)
+
+tests:
+
+lint:
+        lint -DLINT $(INCLUDES) $(SRC)>fluff
+
+depend:
+        $(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+
+dclean:
+        $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
+        mv -f Makefile.new $(MAKEFILE)
+
+clean:
+        rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
+
+# DO NOT DELETE THIS LINE -- make depend depends on it.
+
+rd_fst.o: rd_fst.c rd_fst.h
diff --git a/src/lib/libcrypto/rijndael/README b/src/lib/libcrypto/rijndael/README
new file mode 100644
index 0000000000..1118ccbad8
--- /dev/null
+++ b/src/lib/libcrypto/rijndael/README
@@ -0,0 +1,80 @@
+Optimised ANSI C code for the Rijndael cipher (now AES)
+
+Authors:
+    Vincent Rijmen <vincent.rijmen@esat.kuleuven.ac.be>
+    Antoon Bosselaers <antoon.bosselaers@esat.kuleuven.ac.be>
+    Paulo Barreto <paulo.barreto@terra.com.br>
+
+All code contained in this distributed is placed in the public domain.
+
+========================================================================
+
+Disclaimer:
+
+THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS 
+OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE 
+LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 
+CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 
+SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR 
+BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 
+WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE 
+OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, 
+EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+
+========================================================================
+
+Acknowledgements:
+
+We are deeply indebted to the following people for their bug reports,
+fixes, and improvement suggestions to the API implementation. Though we
+tried to list all contributions, we apologise in advance for any
+missing reference:
+
+Andrew Bales <Andrew.Bales@Honeywell.com>
+Markus Friedl <markus.friedl@informatik.uni-erlangen.de>
+John Skodon <skodonj@webquill.com>
+
+========================================================================
+
+Description:
+
+This optimised implementation of Rijndael is noticeably faster than the
+previous versions on Intel processors under Win32 w/ MSVC 6.0.  On the
+same processor under Linux w/ gcc-2.95.2, the key setup is also
+considerably faster, but normal encryption/decryption is only marginally
+faster.
+
+To enable full loop unrolling for encryption/decryption, define the
+conditional compilation directive FULL_UNROLL.  This may help increase
+performance or not, depending on the platform.
+
+To compute the intermediate value tests, define the conditional
+compilation directive INTERMEDIATE_VALUE_KAT.  It may be worthwhile to
+define the TRACE_KAT_MCT directive too, which provides useful progress
+information during the generation of the KAT and MCT sets.
+
+========================================================================
+
+Contents:
+
+README                  This file
+rijndael-alg-fst.c      The algorithm implementation.
+rijndael-alg-fst.h      The corresponding header file.
+rijndael-api-fst.c      NIST's implementation.
+rijndael-api-fst.h      The corresponding header file.
+rijndael-test-fst.c     A simple program to generate test vectors.
+table.128               Data for the table tests and 128-bit keys.
+table.192               Data for the table tests and 192-bit keys.
+table.256               Data for the table tests and 256-bit keys.
+fips-test-vectors.txt   Key schedule and ciphertext intermediate values
+                        (reduced set proposed for FIPS inclusion).
+Makefile                A sample makefile; may need some changes,
+                        depending on the C compiler used.
+
+N.B. Both the API implementation and the provisional reduced set of
+test vectors are likely to change, according to NIST's final decision
+regarding modes of operation and the FIPS contents. They are therefore
+marked as "version 2.9" rather than "version 3.0".
+
diff --git a/src/lib/libcrypto/rijndael/rd_fst.c b/src/lib/libcrypto/rijndael/rd_fst.c
new file mode 100644
index 0000000000..f1597288f0
--- /dev/null
+++ b/src/lib/libcrypto/rijndael/rd_fst.c
@@ -0,0 +1,1400 @@
+/**
+ * rijndael-alg-fst.c
+ *
+ * @version 3.0 (December 2000)
+ *
+ * Optimised ANSI C code for the Rijndael cipher (now AES)
+ *
+ * @author Vincent Rijmen <vincent.rijmen@esat.kuleuven.ac.be>
+ * @author Antoon Bosselaers <antoon.bosselaers@esat.kuleuven.ac.be>
+ * @author Paulo Barreto <paulo.barreto@terra.com.br>
+ *
+ * This code is hereby placed in the public domain.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS
+ * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+ * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
+ * EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+#include <assert.h>
+#include <stdlib.h>
+
+#include "rd_fst.h"
+
+/*
+Te0[x] = S [x].[02, 01, 01, 03];
+Te1[x] = S [x].[03, 02, 01, 01];
+Te2[x] = S [x].[01, 03, 02, 01];
+Te3[x] = S [x].[01, 01, 03, 02];
+Te4[x] = S [x].[01, 01, 01, 01];
+
+Td0[x] = Si[x].[0e, 09, 0d, 0b];
+Td1[x] = Si[x].[0b, 0e, 09, 0d];
+Td2[x] = Si[x].[0d, 0b, 0e, 09];
+Td3[x] = Si[x].[09, 0d, 0b, 0e];
+Td4[x] = Si[x].[01, 01, 01, 01];
+*/
+
+static const u32 Te0[256] = {
+    0xc66363a5U, 0xf87c7c84U, 0xee777799U, 0xf67b7b8dU,
+    0xfff2f20dU, 0xd66b6bbdU, 0xde6f6fb1U, 0x91c5c554U,
+    0x60303050U, 0x02010103U, 0xce6767a9U, 0x562b2b7dU,
+    0xe7fefe19U, 0xb5d7d762U, 0x4dababe6U, 0xec76769aU,
+    0x8fcaca45U, 0x1f82829dU, 0x89c9c940U, 0xfa7d7d87U,
+    0xeffafa15U, 0xb25959ebU, 0x8e4747c9U, 0xfbf0f00bU,
+    0x41adadecU, 0xb3d4d467U, 0x5fa2a2fdU, 0x45afafeaU,
+    0x239c9cbfU, 0x53a4a4f7U, 0xe4727296U, 0x9bc0c05bU,
+    0x75b7b7c2U, 0xe1fdfd1cU, 0x3d9393aeU, 0x4c26266aU,
+    0x6c36365aU, 0x7e3f3f41U, 0xf5f7f702U, 0x83cccc4fU,
+    0x6834345cU, 0x51a5a5f4U, 0xd1e5e534U, 0xf9f1f108U,
+    0xe2717193U, 0xabd8d873U, 0x62313153U, 0x2a15153fU,
+    0x0804040cU, 0x95c7c752U, 0x46232365U, 0x9dc3c35eU,
+    0x30181828U, 0x379696a1U, 0x0a05050fU, 0x2f9a9ab5U,
+    0x0e070709U, 0x24121236U, 0x1b80809bU, 0xdfe2e23dU,
+    0xcdebeb26U, 0x4e272769U, 0x7fb2b2cdU, 0xea75759fU,
+    0x1209091bU, 0x1d83839eU, 0x582c2c74U, 0x341a1a2eU,
+    0x361b1b2dU, 0xdc6e6eb2U, 0xb45a5aeeU, 0x5ba0a0fbU,
+    0xa45252f6U, 0x763b3b4dU, 0xb7d6d661U, 0x7db3b3ceU,
+    0x5229297bU, 0xdde3e33eU, 0x5e2f2f71U, 0x13848497U,
+    0xa65353f5U, 0xb9d1d168U, 0x00000000U, 0xc1eded2cU,
+    0x40202060U, 0xe3fcfc1fU, 0x79b1b1c8U, 0xb65b5bedU,
+    0xd46a6abeU, 0x8dcbcb46U, 0x67bebed9U, 0x7239394bU,
+    0x944a4adeU, 0x984c4cd4U, 0xb05858e8U, 0x85cfcf4aU,
+    0xbbd0d06bU, 0xc5efef2aU, 0x4faaaae5U, 0xedfbfb16U,
+    0x864343c5U, 0x9a4d4dd7U, 0x66333355U, 0x11858594U,
+    0x8a4545cfU, 0xe9f9f910U, 0x04020206U, 0xfe7f7f81U,
+    0xa05050f0U, 0x783c3c44U, 0x259f9fbaU, 0x4ba8a8e3U,
+    0xa25151f3U, 0x5da3a3feU, 0x804040c0U, 0x058f8f8aU,
+    0x3f9292adU, 0x219d9dbcU, 0x70383848U, 0xf1f5f504U,
+    0x63bcbcdfU, 0x77b6b6c1U, 0xafdada75U, 0x42212163U,
+    0x20101030U, 0xe5ffff1aU, 0xfdf3f30eU, 0xbfd2d26dU,
+    0x81cdcd4cU, 0x180c0c14U, 0x26131335U, 0xc3ecec2fU,
+    0xbe5f5fe1U, 0x359797a2U, 0x884444ccU, 0x2e171739U,
+    0x93c4c457U, 0x55a7a7f2U, 0xfc7e7e82U, 0x7a3d3d47U,
+    0xc86464acU, 0xba5d5de7U, 0x3219192bU, 0xe6737395U,
+    0xc06060a0U, 0x19818198U, 0x9e4f4fd1U, 0xa3dcdc7fU,
+    0x44222266U, 0x542a2a7eU, 0x3b9090abU, 0x0b888883U,
+    0x8c4646caU, 0xc7eeee29U, 0x6bb8b8d3U, 0x2814143cU,
+    0xa7dede79U, 0xbc5e5ee2U, 0x160b0b1dU, 0xaddbdb76U,
+    0xdbe0e03bU, 0x64323256U, 0x743a3a4eU, 0x140a0a1eU,
+    0x924949dbU, 0x0c06060aU, 0x4824246cU, 0xb85c5ce4U,
+    0x9fc2c25dU, 0xbdd3d36eU, 0x43acacefU, 0xc46262a6U,
+    0x399191a8U, 0x319595a4U, 0xd3e4e437U, 0xf279798bU,
+    0xd5e7e732U, 0x8bc8c843U, 0x6e373759U, 0xda6d6db7U,
+    0x018d8d8cU, 0xb1d5d564U, 0x9c4e4ed2U, 0x49a9a9e0U,
+    0xd86c6cb4U, 0xac5656faU, 0xf3f4f407U, 0xcfeaea25U,
+    0xca6565afU, 0xf47a7a8eU, 0x47aeaee9U, 0x10080818U,
+    0x6fbabad5U, 0xf0787888U, 0x4a25256fU, 0x5c2e2e72U,
+    0x381c1c24U, 0x57a6a6f1U, 0x73b4b4c7U, 0x97c6c651U,
+    0xcbe8e823U, 0xa1dddd7cU, 0xe874749cU, 0x3e1f1f21U,
+    0x964b4bddU, 0x61bdbddcU, 0x0d8b8b86U, 0x0f8a8a85U,
+    0xe0707090U, 0x7c3e3e42U, 0x71b5b5c4U, 0xcc6666aaU,
+    0x904848d8U, 0x06030305U, 0xf7f6f601U, 0x1c0e0e12U,
+    0xc26161a3U, 0x6a35355fU, 0xae5757f9U, 0x69b9b9d0U,
+    0x17868691U, 0x99c1c158U, 0x3a1d1d27U, 0x279e9eb9U,
+    0xd9e1e138U, 0xebf8f813U, 0x2b9898b3U, 0x22111133U,
+    0xd26969bbU, 0xa9d9d970U, 0x078e8e89U, 0x339494a7U,
+    0x2d9b9bb6U, 0x3c1e1e22U, 0x15878792U, 0xc9e9e920U,
+    0x87cece49U, 0xaa5555ffU, 0x50282878U, 0xa5dfdf7aU,
+    0x038c8c8fU, 0x59a1a1f8U, 0x09898980U, 0x1a0d0d17U,
+    0x65bfbfdaU, 0xd7e6e631U, 0x844242c6U, 0xd06868b8U,
+    0x824141c3U, 0x299999b0U, 0x5a2d2d77U, 0x1e0f0f11U,
+    0x7bb0b0cbU, 0xa85454fcU, 0x6dbbbbd6U, 0x2c16163aU,
+};
+static const u32 Te1[256] = {
+    0xa5c66363U, 0x84f87c7cU, 0x99ee7777U, 0x8df67b7bU,
+    0x0dfff2f2U, 0xbdd66b6bU, 0xb1de6f6fU, 0x5491c5c5U,
+    0x50603030U, 0x03020101U, 0xa9ce6767U, 0x7d562b2bU,
+    0x19e7fefeU, 0x62b5d7d7U, 0xe64dababU, 0x9aec7676U,
+    0x458fcacaU, 0x9d1f8282U, 0x4089c9c9U, 0x87fa7d7dU,
+    0x15effafaU, 0xebb25959U, 0xc98e4747U, 0x0bfbf0f0U,
+    0xec41adadU, 0x67b3d4d4U, 0xfd5fa2a2U, 0xea45afafU,
+    0xbf239c9cU, 0xf753a4a4U, 0x96e47272U, 0x5b9bc0c0U,
+    0xc275b7b7U, 0x1ce1fdfdU, 0xae3d9393U, 0x6a4c2626U,
+    0x5a6c3636U, 0x417e3f3fU, 0x02f5f7f7U, 0x4f83ccccU,
+    0x5c683434U, 0xf451a5a5U, 0x34d1e5e5U, 0x08f9f1f1U,
+    0x93e27171U, 0x73abd8d8U, 0x53623131U, 0x3f2a1515U,
+    0x0c080404U, 0x5295c7c7U, 0x65462323U, 0x5e9dc3c3U,
+    0x28301818U, 0xa1379696U, 0x0f0a0505U, 0xb52f9a9aU,
+    0x090e0707U, 0x36241212U, 0x9b1b8080U, 0x3ddfe2e2U,
+    0x26cdebebU, 0x694e2727U, 0xcd7fb2b2U, 0x9fea7575U,
+    0x1b120909U, 0x9e1d8383U, 0x74582c2cU, 0x2e341a1aU,
+    0x2d361b1bU, 0xb2dc6e6eU, 0xeeb45a5aU, 0xfb5ba0a0U,
+    0xf6a45252U, 0x4d763b3bU, 0x61b7d6d6U, 0xce7db3b3U,
+    0x7b522929U, 0x3edde3e3U, 0x715e2f2fU, 0x97138484U,
+    0xf5a65353U, 0x68b9d1d1U, 0x00000000U, 0x2cc1ededU,
+    0x60402020U, 0x1fe3fcfcU, 0xc879b1b1U, 0xedb65b5bU,
+    0xbed46a6aU, 0x468dcbcbU, 0xd967bebeU, 0x4b723939U,
+    0xde944a4aU, 0xd4984c4cU, 0xe8b05858U, 0x4a85cfcfU,
+    0x6bbbd0d0U, 0x2ac5efefU, 0xe54faaaaU, 0x16edfbfbU,
+    0xc5864343U, 0xd79a4d4dU, 0x55663333U, 0x94118585U,
+    0xcf8a4545U, 0x10e9f9f9U, 0x06040202U, 0x81fe7f7fU,
+    0xf0a05050U, 0x44783c3cU, 0xba259f9fU, 0xe34ba8a8U,
+    0xf3a25151U, 0xfe5da3a3U, 0xc0804040U, 0x8a058f8fU,
+    0xad3f9292U, 0xbc219d9dU, 0x48703838U, 0x04f1f5f5U,
+    0xdf63bcbcU, 0xc177b6b6U, 0x75afdadaU, 0x63422121U,
+    0x30201010U, 0x1ae5ffffU, 0x0efdf3f3U, 0x6dbfd2d2U,
+    0x4c81cdcdU, 0x14180c0cU, 0x35261313U, 0x2fc3ececU,
+    0xe1be5f5fU, 0xa2359797U, 0xcc884444U, 0x392e1717U,
+    0x5793c4c4U, 0xf255a7a7U, 0x82fc7e7eU, 0x477a3d3dU,
+    0xacc86464U, 0xe7ba5d5dU, 0x2b321919U, 0x95e67373U,
+    0xa0c06060U, 0x98198181U, 0xd19e4f4fU, 0x7fa3dcdcU,
+    0x66442222U, 0x7e542a2aU, 0xab3b9090U, 0x830b8888U,
+    0xca8c4646U, 0x29c7eeeeU, 0xd36bb8b8U, 0x3c281414U,
+    0x79a7dedeU, 0xe2bc5e5eU, 0x1d160b0bU, 0x76addbdbU,
+    0x3bdbe0e0U, 0x56643232U, 0x4e743a3aU, 0x1e140a0aU,
+    0xdb924949U, 0x0a0c0606U, 0x6c482424U, 0xe4b85c5cU,
+    0x5d9fc2c2U, 0x6ebdd3d3U, 0xef43acacU, 0xa6c46262U,
+    0xa8399191U, 0xa4319595U, 0x37d3e4e4U, 0x8bf27979U,
+    0x32d5e7e7U, 0x438bc8c8U, 0x596e3737U, 0xb7da6d6dU,
+    0x8c018d8dU, 0x64b1d5d5U, 0xd29c4e4eU, 0xe049a9a9U,
+    0xb4d86c6cU, 0xfaac5656U, 0x07f3f4f4U, 0x25cfeaeaU,
+    0xafca6565U, 0x8ef47a7aU, 0xe947aeaeU, 0x18100808U,
+    0xd56fbabaU, 0x88f07878U, 0x6f4a2525U, 0x725c2e2eU,
+    0x24381c1cU, 0xf157a6a6U, 0xc773b4b4U, 0x5197c6c6U,
+    0x23cbe8e8U, 0x7ca1ddddU, 0x9ce87474U, 0x213e1f1fU,
+    0xdd964b4bU, 0xdc61bdbdU, 0x860d8b8bU, 0x850f8a8aU,
+    0x90e07070U, 0x427c3e3eU, 0xc471b5b5U, 0xaacc6666U,
+    0xd8904848U, 0x05060303U, 0x01f7f6f6U, 0x121c0e0eU,
+    0xa3c26161U, 0x5f6a3535U, 0xf9ae5757U, 0xd069b9b9U,
+    0x91178686U, 0x5899c1c1U, 0x273a1d1dU, 0xb9279e9eU,
+    0x38d9e1e1U, 0x13ebf8f8U, 0xb32b9898U, 0x33221111U,
+    0xbbd26969U, 0x70a9d9d9U, 0x89078e8eU, 0xa7339494U,
+    0xb62d9b9bU, 0x223c1e1eU, 0x92158787U, 0x20c9e9e9U,
+    0x4987ceceU, 0xffaa5555U, 0x78502828U, 0x7aa5dfdfU,
+    0x8f038c8cU, 0xf859a1a1U, 0x80098989U, 0x171a0d0dU,
+    0xda65bfbfU, 0x31d7e6e6U, 0xc6844242U, 0xb8d06868U,
+    0xc3824141U, 0xb0299999U, 0x775a2d2dU, 0x111e0f0fU,
+    0xcb7bb0b0U, 0xfca85454U, 0xd66dbbbbU, 0x3a2c1616U,
+};
+static const u32 Te2[256] = {
+    0x63a5c663U, 0x7c84f87cU, 0x7799ee77U, 0x7b8df67bU,
+    0xf20dfff2U, 0x6bbdd66bU, 0x6fb1de6fU, 0xc55491c5U,
+    0x30506030U, 0x01030201U, 0x67a9ce67U, 0x2b7d562bU,
+    0xfe19e7feU, 0xd762b5d7U, 0xabe64dabU, 0x769aec76U,
+    0xca458fcaU, 0x829d1f82U, 0xc94089c9U, 0x7d87fa7dU,
+    0xfa15effaU, 0x59ebb259U, 0x47c98e47U, 0xf00bfbf0U,
+    0xadec41adU, 0xd467b3d4U, 0xa2fd5fa2U, 0xafea45afU,
+    0x9cbf239cU, 0xa4f753a4U, 0x7296e472U, 0xc05b9bc0U,
+    0xb7c275b7U, 0xfd1ce1fdU, 0x93ae3d93U, 0x266a4c26U,
+    0x365a6c36U, 0x3f417e3fU, 0xf702f5f7U, 0xcc4f83ccU,
+    0x345c6834U, 0xa5f451a5U, 0xe534d1e5U, 0xf108f9f1U,
+    0x7193e271U, 0xd873abd8U, 0x31536231U, 0x153f2a15U,
+    0x040c0804U, 0xc75295c7U, 0x23654623U, 0xc35e9dc3U,
+    0x18283018U, 0x96a13796U, 0x050f0a05U, 0x9ab52f9aU,
+    0x07090e07U, 0x12362412U, 0x809b1b80U, 0xe23ddfe2U,
+    0xeb26cdebU, 0x27694e27U, 0xb2cd7fb2U, 0x759fea75U,
+    0x091b1209U, 0x839e1d83U, 0x2c74582cU, 0x1a2e341aU,
+    0x1b2d361bU, 0x6eb2dc6eU, 0x5aeeb45aU, 0xa0fb5ba0U,
+    0x52f6a452U, 0x3b4d763bU, 0xd661b7d6U, 0xb3ce7db3U,
+    0x297b5229U, 0xe33edde3U, 0x2f715e2fU, 0x84971384U,
+    0x53f5a653U, 0xd168b9d1U, 0x00000000U, 0xed2cc1edU,
+    0x20604020U, 0xfc1fe3fcU, 0xb1c879b1U, 0x5bedb65bU,
+    0x6abed46aU, 0xcb468dcbU, 0xbed967beU, 0x394b7239U,
+    0x4ade944aU, 0x4cd4984cU, 0x58e8b058U, 0xcf4a85cfU,
+    0xd06bbbd0U, 0xef2ac5efU, 0xaae54faaU, 0xfb16edfbU,
+    0x43c58643U, 0x4dd79a4dU, 0x33556633U, 0x85941185U,
+    0x45cf8a45U, 0xf910e9f9U, 0x02060402U, 0x7f81fe7fU,
+    0x50f0a050U, 0x3c44783cU, 0x9fba259fU, 0xa8e34ba8U,
+    0x51f3a251U, 0xa3fe5da3U, 0x40c08040U, 0x8f8a058fU,
+    0x92ad3f92U, 0x9dbc219dU, 0x38487038U, 0xf504f1f5U,
+    0xbcdf63bcU, 0xb6c177b6U, 0xda75afdaU, 0x21634221U,
+    0x10302010U, 0xff1ae5ffU, 0xf30efdf3U, 0xd26dbfd2U,
+    0xcd4c81cdU, 0x0c14180cU, 0x13352613U, 0xec2fc3ecU,
+    0x5fe1be5fU, 0x97a23597U, 0x44cc8844U, 0x17392e17U,
+    0xc45793c4U, 0xa7f255a7U, 0x7e82fc7eU, 0x3d477a3dU,
+    0x64acc864U, 0x5de7ba5dU, 0x192b3219U, 0x7395e673U,
+    0x60a0c060U, 0x81981981U, 0x4fd19e4fU, 0xdc7fa3dcU,
+    0x22664422U, 0x2a7e542aU, 0x90ab3b90U, 0x88830b88U,
+    0x46ca8c46U, 0xee29c7eeU, 0xb8d36bb8U, 0x143c2814U,
+    0xde79a7deU, 0x5ee2bc5eU, 0x0b1d160bU, 0xdb76addbU,
+    0xe03bdbe0U, 0x32566432U, 0x3a4e743aU, 0x0a1e140aU,
+    0x49db9249U, 0x060a0c06U, 0x246c4824U, 0x5ce4b85cU,
+    0xc25d9fc2U, 0xd36ebdd3U, 0xacef43acU, 0x62a6c462U,
+    0x91a83991U, 0x95a43195U, 0xe437d3e4U, 0x798bf279U,
+    0xe732d5e7U, 0xc8438bc8U, 0x37596e37U, 0x6db7da6dU,
+    0x8d8c018dU, 0xd564b1d5U, 0x4ed29c4eU, 0xa9e049a9U,
+    0x6cb4d86cU, 0x56faac56U, 0xf407f3f4U, 0xea25cfeaU,
+    0x65afca65U, 0x7a8ef47aU, 0xaee947aeU, 0x08181008U,
+    0xbad56fbaU, 0x7888f078U, 0x256f4a25U, 0x2e725c2eU,
+    0x1c24381cU, 0xa6f157a6U, 0xb4c773b4U, 0xc65197c6U,
+    0xe823cbe8U, 0xdd7ca1ddU, 0x749ce874U, 0x1f213e1fU,
+    0x4bdd964bU, 0xbddc61bdU, 0x8b860d8bU, 0x8a850f8aU,
+    0x7090e070U, 0x3e427c3eU, 0xb5c471b5U, 0x66aacc66U,
+    0x48d89048U, 0x03050603U, 0xf601f7f6U, 0x0e121c0eU,
+    0x61a3c261U, 0x355f6a35U, 0x57f9ae57U, 0xb9d069b9U,
+    0x86911786U, 0xc15899c1U, 0x1d273a1dU, 0x9eb9279eU,
+    0xe138d9e1U, 0xf813ebf8U, 0x98b32b98U, 0x11332211U,
+    0x69bbd269U, 0xd970a9d9U, 0x8e89078eU, 0x94a73394U,
+    0x9bb62d9bU, 0x1e223c1eU, 0x87921587U, 0xe920c9e9U,
+    0xce4987ceU, 0x55ffaa55U, 0x28785028U, 0xdf7aa5dfU,
+    0x8c8f038cU, 0xa1f859a1U, 0x89800989U, 0x0d171a0dU,
+    0xbfda65bfU, 0xe631d7e6U, 0x42c68442U, 0x68b8d068U,
+    0x41c38241U, 0x99b02999U, 0x2d775a2dU, 0x0f111e0fU,
+    0xb0cb7bb0U, 0x54fca854U, 0xbbd66dbbU, 0x163a2c16U,
+};
+static const u32 Te3[256] = {
+
+    0x6363a5c6U, 0x7c7c84f8U, 0x777799eeU, 0x7b7b8df6U,
+    0xf2f20dffU, 0x6b6bbdd6U, 0x6f6fb1deU, 0xc5c55491U,
+    0x30305060U, 0x01010302U, 0x6767a9ceU, 0x2b2b7d56U,
+    0xfefe19e7U, 0xd7d762b5U, 0xababe64dU, 0x76769aecU,
+    0xcaca458fU, 0x82829d1fU, 0xc9c94089U, 0x7d7d87faU,
+    0xfafa15efU, 0x5959ebb2U, 0x4747c98eU, 0xf0f00bfbU,
+    0xadadec41U, 0xd4d467b3U, 0xa2a2fd5fU, 0xafafea45U,
+    0x9c9cbf23U, 0xa4a4f753U, 0x727296e4U, 0xc0c05b9bU,
+    0xb7b7c275U, 0xfdfd1ce1U, 0x9393ae3dU, 0x26266a4cU,
+    0x36365a6cU, 0x3f3f417eU, 0xf7f702f5U, 0xcccc4f83U,
+    0x34345c68U, 0xa5a5f451U, 0xe5e534d1U, 0xf1f108f9U,
+    0x717193e2U, 0xd8d873abU, 0x31315362U, 0x15153f2aU,
+    0x04040c08U, 0xc7c75295U, 0x23236546U, 0xc3c35e9dU,
+    0x18182830U, 0x9696a137U, 0x05050f0aU, 0x9a9ab52fU,
+    0x0707090eU, 0x12123624U, 0x80809b1bU, 0xe2e23ddfU,
+    0xebeb26cdU, 0x2727694eU, 0xb2b2cd7fU, 0x75759feaU,
+    0x09091b12U, 0x83839e1dU, 0x2c2c7458U, 0x1a1a2e34U,
+    0x1b1b2d36U, 0x6e6eb2dcU, 0x5a5aeeb4U, 0xa0a0fb5bU,
+    0x5252f6a4U, 0x3b3b4d76U, 0xd6d661b7U, 0xb3b3ce7dU,
+    0x29297b52U, 0xe3e33eddU, 0x2f2f715eU, 0x84849713U,
+    0x5353f5a6U, 0xd1d168b9U, 0x00000000U, 0xeded2cc1U,
+    0x20206040U, 0xfcfc1fe3U, 0xb1b1c879U, 0x5b5bedb6U,
+    0x6a6abed4U, 0xcbcb468dU, 0xbebed967U, 0x39394b72U,
+    0x4a4ade94U, 0x4c4cd498U, 0x5858e8b0U, 0xcfcf4a85U,
+    0xd0d06bbbU, 0xefef2ac5U, 0xaaaae54fU, 0xfbfb16edU,
+    0x4343c586U, 0x4d4dd79aU, 0x33335566U, 0x85859411U,
+    0x4545cf8aU, 0xf9f910e9U, 0x02020604U, 0x7f7f81feU,
+    0x5050f0a0U, 0x3c3c4478U, 0x9f9fba25U, 0xa8a8e34bU,
+    0x5151f3a2U, 0xa3a3fe5dU, 0x4040c080U, 0x8f8f8a05U,
+    0x9292ad3fU, 0x9d9dbc21U, 0x38384870U, 0xf5f504f1U,
+    0xbcbcdf63U, 0xb6b6c177U, 0xdada75afU, 0x21216342U,
+    0x10103020U, 0xffff1ae5U, 0xf3f30efdU, 0xd2d26dbfU,
+    0xcdcd4c81U, 0x0c0c1418U, 0x13133526U, 0xecec2fc3U,
+    0x5f5fe1beU, 0x9797a235U, 0x4444cc88U, 0x1717392eU,
+    0xc4c45793U, 0xa7a7f255U, 0x7e7e82fcU, 0x3d3d477aU,
+    0x6464acc8U, 0x5d5de7baU, 0x19192b32U, 0x737395e6U,
+    0x6060a0c0U, 0x81819819U, 0x4f4fd19eU, 0xdcdc7fa3U,
+    0x22226644U, 0x2a2a7e54U, 0x9090ab3bU, 0x8888830bU,
+    0x4646ca8cU, 0xeeee29c7U, 0xb8b8d36bU, 0x14143c28U,
+    0xdede79a7U, 0x5e5ee2bcU, 0x0b0b1d16U, 0xdbdb76adU,
+    0xe0e03bdbU, 0x32325664U, 0x3a3a4e74U, 0x0a0a1e14U,
+    0x4949db92U, 0x06060a0cU, 0x24246c48U, 0x5c5ce4b8U,
+    0xc2c25d9fU, 0xd3d36ebdU, 0xacacef43U, 0x6262a6c4U,
+    0x9191a839U, 0x9595a431U, 0xe4e437d3U, 0x79798bf2U,
+    0xe7e732d5U, 0xc8c8438bU, 0x3737596eU, 0x6d6db7daU,
+    0x8d8d8c01U, 0xd5d564b1U, 0x4e4ed29cU, 0xa9a9e049U,
+    0x6c6cb4d8U, 0x5656faacU, 0xf4f407f3U, 0xeaea25cfU,
+    0x6565afcaU, 0x7a7a8ef4U, 0xaeaee947U, 0x08081810U,
+    0xbabad56fU, 0x787888f0U, 0x25256f4aU, 0x2e2e725cU,
+    0x1c1c2438U, 0xa6a6f157U, 0xb4b4c773U, 0xc6c65197U,
+    0xe8e823cbU, 0xdddd7ca1U, 0x74749ce8U, 0x1f1f213eU,
+    0x4b4bdd96U, 0xbdbddc61U, 0x8b8b860dU, 0x8a8a850fU,
+    0x707090e0U, 0x3e3e427cU, 0xb5b5c471U, 0x6666aaccU,
+    0x4848d890U, 0x03030506U, 0xf6f601f7U, 0x0e0e121cU,
+    0x6161a3c2U, 0x35355f6aU, 0x5757f9aeU, 0xb9b9d069U,
+    0x86869117U, 0xc1c15899U, 0x1d1d273aU, 0x9e9eb927U,
+    0xe1e138d9U, 0xf8f813ebU, 0x9898b32bU, 0x11113322U,
+    0x6969bbd2U, 0xd9d970a9U, 0x8e8e8907U, 0x9494a733U,
+    0x9b9bb62dU, 0x1e1e223cU, 0x87879215U, 0xe9e920c9U,
+    0xcece4987U, 0x5555ffaaU, 0x28287850U, 0xdfdf7aa5U,
+    0x8c8c8f03U, 0xa1a1f859U, 0x89898009U, 0x0d0d171aU,
+    0xbfbfda65U, 0xe6e631d7U, 0x4242c684U, 0x6868b8d0U,
+    0x4141c382U, 0x9999b029U, 0x2d2d775aU, 0x0f0f111eU,
+    0xb0b0cb7bU, 0x5454fca8U, 0xbbbbd66dU, 0x16163a2cU,
+};
+static const u32 Te4[256] = {
+    0x63636363U, 0x7c7c7c7cU, 0x77777777U, 0x7b7b7b7bU,
+    0xf2f2f2f2U, 0x6b6b6b6bU, 0x6f6f6f6fU, 0xc5c5c5c5U,
+    0x30303030U, 0x01010101U, 0x67676767U, 0x2b2b2b2bU,
+    0xfefefefeU, 0xd7d7d7d7U, 0xababababU, 0x76767676U,
+    0xcacacacaU, 0x82828282U, 0xc9c9c9c9U, 0x7d7d7d7dU,
+    0xfafafafaU, 0x59595959U, 0x47474747U, 0xf0f0f0f0U,
+    0xadadadadU, 0xd4d4d4d4U, 0xa2a2a2a2U, 0xafafafafU,
+    0x9c9c9c9cU, 0xa4a4a4a4U, 0x72727272U, 0xc0c0c0c0U,
+    0xb7b7b7b7U, 0xfdfdfdfdU, 0x93939393U, 0x26262626U,
+    0x36363636U, 0x3f3f3f3fU, 0xf7f7f7f7U, 0xccccccccU,
+    0x34343434U, 0xa5a5a5a5U, 0xe5e5e5e5U, 0xf1f1f1f1U,
+    0x71717171U, 0xd8d8d8d8U, 0x31313131U, 0x15151515U,
+    0x04040404U, 0xc7c7c7c7U, 0x23232323U, 0xc3c3c3c3U,
+    0x18181818U, 0x96969696U, 0x05050505U, 0x9a9a9a9aU,
+    0x07070707U, 0x12121212U, 0x80808080U, 0xe2e2e2e2U,
+    0xebebebebU, 0x27272727U, 0xb2b2b2b2U, 0x75757575U,
+    0x09090909U, 0x83838383U, 0x2c2c2c2cU, 0x1a1a1a1aU,
+    0x1b1b1b1bU, 0x6e6e6e6eU, 0x5a5a5a5aU, 0xa0a0a0a0U,
+    0x52525252U, 0x3b3b3b3bU, 0xd6d6d6d6U, 0xb3b3b3b3U,
+    0x29292929U, 0xe3e3e3e3U, 0x2f2f2f2fU, 0x84848484U,
+    0x53535353U, 0xd1d1d1d1U, 0x00000000U, 0xededededU,
+    0x20202020U, 0xfcfcfcfcU, 0xb1b1b1b1U, 0x5b5b5b5bU,
+    0x6a6a6a6aU, 0xcbcbcbcbU, 0xbebebebeU, 0x39393939U,
+    0x4a4a4a4aU, 0x4c4c4c4cU, 0x58585858U, 0xcfcfcfcfU,
+    0xd0d0d0d0U, 0xefefefefU, 0xaaaaaaaaU, 0xfbfbfbfbU,
+    0x43434343U, 0x4d4d4d4dU, 0x33333333U, 0x85858585U,
+    0x45454545U, 0xf9f9f9f9U, 0x02020202U, 0x7f7f7f7fU,
+    0x50505050U, 0x3c3c3c3cU, 0x9f9f9f9fU, 0xa8a8a8a8U,
+    0x51515151U, 0xa3a3a3a3U, 0x40404040U, 0x8f8f8f8fU,
+    0x92929292U, 0x9d9d9d9dU, 0x38383838U, 0xf5f5f5f5U,
+    0xbcbcbcbcU, 0xb6b6b6b6U, 0xdadadadaU, 0x21212121U,
+    0x10101010U, 0xffffffffU, 0xf3f3f3f3U, 0xd2d2d2d2U,
+    0xcdcdcdcdU, 0x0c0c0c0cU, 0x13131313U, 0xececececU,
+    0x5f5f5f5fU, 0x97979797U, 0x44444444U, 0x17171717U,
+    0xc4c4c4c4U, 0xa7a7a7a7U, 0x7e7e7e7eU, 0x3d3d3d3dU,
+    0x64646464U, 0x5d5d5d5dU, 0x19191919U, 0x73737373U,
+    0x60606060U, 0x81818181U, 0x4f4f4f4fU, 0xdcdcdcdcU,
+    0x22222222U, 0x2a2a2a2aU, 0x90909090U, 0x88888888U,
+    0x46464646U, 0xeeeeeeeeU, 0xb8b8b8b8U, 0x14141414U,
+    0xdedededeU, 0x5e5e5e5eU, 0x0b0b0b0bU, 0xdbdbdbdbU,
+    0xe0e0e0e0U, 0x32323232U, 0x3a3a3a3aU, 0x0a0a0a0aU,
+    0x49494949U, 0x06060606U, 0x24242424U, 0x5c5c5c5cU,
+    0xc2c2c2c2U, 0xd3d3d3d3U, 0xacacacacU, 0x62626262U,
+    0x91919191U, 0x95959595U, 0xe4e4e4e4U, 0x79797979U,
+    0xe7e7e7e7U, 0xc8c8c8c8U, 0x37373737U, 0x6d6d6d6dU,
+    0x8d8d8d8dU, 0xd5d5d5d5U, 0x4e4e4e4eU, 0xa9a9a9a9U,
+    0x6c6c6c6cU, 0x56565656U, 0xf4f4f4f4U, 0xeaeaeaeaU,
+    0x65656565U, 0x7a7a7a7aU, 0xaeaeaeaeU, 0x08080808U,
+    0xbabababaU, 0x78787878U, 0x25252525U, 0x2e2e2e2eU,
+    0x1c1c1c1cU, 0xa6a6a6a6U, 0xb4b4b4b4U, 0xc6c6c6c6U,
+    0xe8e8e8e8U, 0xddddddddU, 0x74747474U, 0x1f1f1f1fU,
+    0x4b4b4b4bU, 0xbdbdbdbdU, 0x8b8b8b8bU, 0x8a8a8a8aU,
+    0x70707070U, 0x3e3e3e3eU, 0xb5b5b5b5U, 0x66666666U,
+    0x48484848U, 0x03030303U, 0xf6f6f6f6U, 0x0e0e0e0eU,
+    0x61616161U, 0x35353535U, 0x57575757U, 0xb9b9b9b9U,
+    0x86868686U, 0xc1c1c1c1U, 0x1d1d1d1dU, 0x9e9e9e9eU,
+    0xe1e1e1e1U, 0xf8f8f8f8U, 0x98989898U, 0x11111111U,
+    0x69696969U, 0xd9d9d9d9U, 0x8e8e8e8eU, 0x94949494U,
+    0x9b9b9b9bU, 0x1e1e1e1eU, 0x87878787U, 0xe9e9e9e9U,
+    0xcecececeU, 0x55555555U, 0x28282828U, 0xdfdfdfdfU,
+    0x8c8c8c8cU, 0xa1a1a1a1U, 0x89898989U, 0x0d0d0d0dU,
+    0xbfbfbfbfU, 0xe6e6e6e6U, 0x42424242U, 0x68686868U,
+    0x41414141U, 0x99999999U, 0x2d2d2d2dU, 0x0f0f0f0fU,
+    0xb0b0b0b0U, 0x54545454U, 0xbbbbbbbbU, 0x16161616U,
+};
+static const u32 Td0[256] = {
+    0x51f4a750U, 0x7e416553U, 0x1a17a4c3U, 0x3a275e96U,
+    0x3bab6bcbU, 0x1f9d45f1U, 0xacfa58abU, 0x4be30393U,
+    0x2030fa55U, 0xad766df6U, 0x88cc7691U, 0xf5024c25U,
+    0x4fe5d7fcU, 0xc52acbd7U, 0x26354480U, 0xb562a38fU,
+    0xdeb15a49U, 0x25ba1b67U, 0x45ea0e98U, 0x5dfec0e1U,
+    0xc32f7502U, 0x814cf012U, 0x8d4697a3U, 0x6bd3f9c6U,
+    0x038f5fe7U, 0x15929c95U, 0xbf6d7aebU, 0x955259daU,
+    0xd4be832dU, 0x587421d3U, 0x49e06929U, 0x8ec9c844U,
+    0x75c2896aU, 0xf48e7978U, 0x99583e6bU, 0x27b971ddU,
+    0xbee14fb6U, 0xf088ad17U, 0xc920ac66U, 0x7dce3ab4U,
+    0x63df4a18U, 0xe51a3182U, 0x97513360U, 0x62537f45U,
+    0xb16477e0U, 0xbb6bae84U, 0xfe81a01cU, 0xf9082b94U,
+    0x70486858U, 0x8f45fd19U, 0x94de6c87U, 0x527bf8b7U,
+    0xab73d323U, 0x724b02e2U, 0xe31f8f57U, 0x6655ab2aU,
+    0xb2eb2807U, 0x2fb5c203U, 0x86c57b9aU, 0xd33708a5U,
+    0x302887f2U, 0x23bfa5b2U, 0x02036abaU, 0xed16825cU,
+    0x8acf1c2bU, 0xa779b492U, 0xf307f2f0U, 0x4e69e2a1U,
+    0x65daf4cdU, 0x0605bed5U, 0xd134621fU, 0xc4a6fe8aU,
+    0x342e539dU, 0xa2f355a0U, 0x058ae132U, 0xa4f6eb75U,
+    0x0b83ec39U, 0x4060efaaU, 0x5e719f06U, 0xbd6e1051U,
+    0x3e218af9U, 0x96dd063dU, 0xdd3e05aeU, 0x4de6bd46U,
+    0x91548db5U, 0x71c45d05U, 0x0406d46fU, 0x605015ffU,
+    0x1998fb24U, 0xd6bde997U, 0x894043ccU, 0x67d99e77U,
+    0xb0e842bdU, 0x07898b88U, 0xe7195b38U, 0x79c8eedbU,
+    0xa17c0a47U, 0x7c420fe9U, 0xf8841ec9U, 0x00000000U,
+    0x09808683U, 0x322bed48U, 0x1e1170acU, 0x6c5a724eU,
+    0xfd0efffbU, 0x0f853856U, 0x3daed51eU, 0x362d3927U,
+    0x0a0fd964U, 0x685ca621U, 0x9b5b54d1U, 0x24362e3aU,
+    0x0c0a67b1U, 0x9357e70fU, 0xb4ee96d2U, 0x1b9b919eU,
+    0x80c0c54fU, 0x61dc20a2U, 0x5a774b69U, 0x1c121a16U,
+    0xe293ba0aU, 0xc0a02ae5U, 0x3c22e043U, 0x121b171dU,
+    0x0e090d0bU, 0xf28bc7adU, 0x2db6a8b9U, 0x141ea9c8U,
+    0x57f11985U, 0xaf75074cU, 0xee99ddbbU, 0xa37f60fdU,
+    0xf701269fU, 0x5c72f5bcU, 0x44663bc5U, 0x5bfb7e34U,
+    0x8b432976U, 0xcb23c6dcU, 0xb6edfc68U, 0xb8e4f163U,
+    0xd731dccaU, 0x42638510U, 0x13972240U, 0x84c61120U,
+    0x854a247dU, 0xd2bb3df8U, 0xaef93211U, 0xc729a16dU,
+    0x1d9e2f4bU, 0xdcb230f3U, 0x0d8652ecU, 0x77c1e3d0U,
+    0x2bb3166cU, 0xa970b999U, 0x119448faU, 0x47e96422U,
+    0xa8fc8cc4U, 0xa0f03f1aU, 0x567d2cd8U, 0x223390efU,
+    0x87494ec7U, 0xd938d1c1U, 0x8ccaa2feU, 0x98d40b36U,
+    0xa6f581cfU, 0xa57ade28U, 0xdab78e26U, 0x3fadbfa4U,
+    0x2c3a9de4U, 0x5078920dU, 0x6a5fcc9bU, 0x547e4662U,
+    0xf68d13c2U, 0x90d8b8e8U, 0x2e39f75eU, 0x82c3aff5U,
+    0x9f5d80beU, 0x69d0937cU, 0x6fd52da9U, 0xcf2512b3U,
+    0xc8ac993bU, 0x10187da7U, 0xe89c636eU, 0xdb3bbb7bU,
+    0xcd267809U, 0x6e5918f4U, 0xec9ab701U, 0x834f9aa8U,
+    0xe6956e65U, 0xaaffe67eU, 0x21bccf08U, 0xef15e8e6U,
+    0xbae79bd9U, 0x4a6f36ceU, 0xea9f09d4U, 0x29b07cd6U,
+    0x31a4b2afU, 0x2a3f2331U, 0xc6a59430U, 0x35a266c0U,
+    0x744ebc37U, 0xfc82caa6U, 0xe090d0b0U, 0x33a7d815U,
+    0xf104984aU, 0x41ecdaf7U, 0x7fcd500eU, 0x1791f62fU,
+    0x764dd68dU, 0x43efb04dU, 0xccaa4d54U, 0xe49604dfU,
+    0x9ed1b5e3U, 0x4c6a881bU, 0xc12c1fb8U, 0x4665517fU,
+    0x9d5eea04U, 0x018c355dU, 0xfa877473U, 0xfb0b412eU,
+    0xb3671d5aU, 0x92dbd252U, 0xe9105633U, 0x6dd64713U,
+    0x9ad7618cU, 0x37a10c7aU, 0x59f8148eU, 0xeb133c89U,
+    0xcea927eeU, 0xb761c935U, 0xe11ce5edU, 0x7a47b13cU,
+    0x9cd2df59U, 0x55f2733fU, 0x1814ce79U, 0x73c737bfU,
+    0x53f7cdeaU, 0x5ffdaa5bU, 0xdf3d6f14U, 0x7844db86U,
+    0xcaaff381U, 0xb968c43eU, 0x3824342cU, 0xc2a3405fU,
+    0x161dc372U, 0xbce2250cU, 0x283c498bU, 0xff0d9541U,
+    0x39a80171U, 0x080cb3deU, 0xd8b4e49cU, 0x6456c190U,
+    0x7bcb8461U, 0xd532b670U, 0x486c5c74U, 0xd0b85742U,
+};
+static const u32 Td1[256] = {
+    0x5051f4a7U, 0x537e4165U, 0xc31a17a4U, 0x963a275eU,
+    0xcb3bab6bU, 0xf11f9d45U, 0xabacfa58U, 0x934be303U,
+    0x552030faU, 0xf6ad766dU, 0x9188cc76U, 0x25f5024cU,
+    0xfc4fe5d7U, 0xd7c52acbU, 0x80263544U, 0x8fb562a3U,
+    0x49deb15aU, 0x6725ba1bU, 0x9845ea0eU, 0xe15dfec0U,
+    0x02c32f75U, 0x12814cf0U, 0xa38d4697U, 0xc66bd3f9U,
+    0xe7038f5fU, 0x9515929cU, 0xebbf6d7aU, 0xda955259U,
+    0x2dd4be83U, 0xd3587421U, 0x2949e069U, 0x448ec9c8U,
+    0x6a75c289U, 0x78f48e79U, 0x6b99583eU, 0xdd27b971U,
+    0xb6bee14fU, 0x17f088adU, 0x66c920acU, 0xb47dce3aU,
+    0x1863df4aU, 0x82e51a31U, 0x60975133U, 0x4562537fU,
+    0xe0b16477U, 0x84bb6baeU, 0x1cfe81a0U, 0x94f9082bU,
+    0x58704868U, 0x198f45fdU, 0x8794de6cU, 0xb7527bf8U,
+    0x23ab73d3U, 0xe2724b02U, 0x57e31f8fU, 0x2a6655abU,
+    0x07b2eb28U, 0x032fb5c2U, 0x9a86c57bU, 0xa5d33708U,
+    0xf2302887U, 0xb223bfa5U, 0xba02036aU, 0x5ced1682U,
+    0x2b8acf1cU, 0x92a779b4U, 0xf0f307f2U, 0xa14e69e2U,
+    0xcd65daf4U, 0xd50605beU, 0x1fd13462U, 0x8ac4a6feU,
+    0x9d342e53U, 0xa0a2f355U, 0x32058ae1U, 0x75a4f6ebU,
+    0x390b83ecU, 0xaa4060efU, 0x065e719fU, 0x51bd6e10U,
+    0xf93e218aU, 0x3d96dd06U, 0xaedd3e05U, 0x464de6bdU,
+    0xb591548dU, 0x0571c45dU, 0x6f0406d4U, 0xff605015U,
+    0x241998fbU, 0x97d6bde9U, 0xcc894043U, 0x7767d99eU,
+    0xbdb0e842U, 0x8807898bU, 0x38e7195bU, 0xdb79c8eeU,
+    0x47a17c0aU, 0xe97c420fU, 0xc9f8841eU, 0x00000000U,
+    0x83098086U, 0x48322bedU, 0xac1e1170U, 0x4e6c5a72U,
+    0xfbfd0effU, 0x560f8538U, 0x1e3daed5U, 0x27362d39U,
+    0x640a0fd9U, 0x21685ca6U, 0xd19b5b54U, 0x3a24362eU,
+    0xb10c0a67U, 0x0f9357e7U, 0xd2b4ee96U, 0x9e1b9b91U,
+    0x4f80c0c5U, 0xa261dc20U, 0x695a774bU, 0x161c121aU,
+    0x0ae293baU, 0xe5c0a02aU, 0x433c22e0U, 0x1d121b17U,
+    0x0b0e090dU, 0xadf28bc7U, 0xb92db6a8U, 0xc8141ea9U,
+    0x8557f119U, 0x4caf7507U, 0xbbee99ddU, 0xfda37f60U,
+    0x9ff70126U, 0xbc5c72f5U, 0xc544663bU, 0x345bfb7eU,
+    0x768b4329U, 0xdccb23c6U, 0x68b6edfcU, 0x63b8e4f1U,
+    0xcad731dcU, 0x10426385U, 0x40139722U, 0x2084c611U,
+    0x7d854a24U, 0xf8d2bb3dU, 0x11aef932U, 0x6dc729a1U,
+    0x4b1d9e2fU, 0xf3dcb230U, 0xec0d8652U, 0xd077c1e3U,
+    0x6c2bb316U, 0x99a970b9U, 0xfa119448U, 0x2247e964U,
+    0xc4a8fc8cU, 0x1aa0f03fU, 0xd8567d2cU, 0xef223390U,
+    0xc787494eU, 0xc1d938d1U, 0xfe8ccaa2U, 0x3698d40bU,
+    0xcfa6f581U, 0x28a57adeU, 0x26dab78eU, 0xa43fadbfU,
+    0xe42c3a9dU, 0x0d507892U, 0x9b6a5fccU, 0x62547e46U,
+    0xc2f68d13U, 0xe890d8b8U, 0x5e2e39f7U, 0xf582c3afU,
+    0xbe9f5d80U, 0x7c69d093U, 0xa96fd52dU, 0xb3cf2512U,
+    0x3bc8ac99U, 0xa710187dU, 0x6ee89c63U, 0x7bdb3bbbU,
+    0x09cd2678U, 0xf46e5918U, 0x01ec9ab7U, 0xa8834f9aU,
+    0x65e6956eU, 0x7eaaffe6U, 0x0821bccfU, 0xe6ef15e8U,
+    0xd9bae79bU, 0xce4a6f36U, 0xd4ea9f09U, 0xd629b07cU,
+    0xaf31a4b2U, 0x312a3f23U, 0x30c6a594U, 0xc035a266U,
+    0x37744ebcU, 0xa6fc82caU, 0xb0e090d0U, 0x1533a7d8U,
+    0x4af10498U, 0xf741ecdaU, 0x0e7fcd50U, 0x2f1791f6U,
+    0x8d764dd6U, 0x4d43efb0U, 0x54ccaa4dU, 0xdfe49604U,
+    0xe39ed1b5U, 0x1b4c6a88U, 0xb8c12c1fU, 0x7f466551U,
+    0x049d5eeaU, 0x5d018c35U, 0x73fa8774U, 0x2efb0b41U,
+    0x5ab3671dU, 0x5292dbd2U, 0x33e91056U, 0x136dd647U,
+    0x8c9ad761U, 0x7a37a10cU, 0x8e59f814U, 0x89eb133cU,
+    0xeecea927U, 0x35b761c9U, 0xede11ce5U, 0x3c7a47b1U,
+    0x599cd2dfU, 0x3f55f273U, 0x791814ceU, 0xbf73c737U,
+    0xea53f7cdU, 0x5b5ffdaaU, 0x14df3d6fU, 0x867844dbU,
+    0x81caaff3U, 0x3eb968c4U, 0x2c382434U, 0x5fc2a340U,
+    0x72161dc3U, 0x0cbce225U, 0x8b283c49U, 0x41ff0d95U,
+    0x7139a801U, 0xde080cb3U, 0x9cd8b4e4U, 0x906456c1U,
+    0x617bcb84U, 0x70d532b6U, 0x74486c5cU, 0x42d0b857U,
+};
+static const u32 Td2[256] = {
+    0xa75051f4U, 0x65537e41U, 0xa4c31a17U, 0x5e963a27U,
+    0x6bcb3babU, 0x45f11f9dU, 0x58abacfaU, 0x03934be3U,
+    0xfa552030U, 0x6df6ad76U, 0x769188ccU, 0x4c25f502U,
+    0xd7fc4fe5U, 0xcbd7c52aU, 0x44802635U, 0xa38fb562U,
+    0x5a49deb1U, 0x1b6725baU, 0x0e9845eaU, 0xc0e15dfeU,
+    0x7502c32fU, 0xf012814cU, 0x97a38d46U, 0xf9c66bd3U,
+    0x5fe7038fU, 0x9c951592U, 0x7aebbf6dU, 0x59da9552U,
+    0x832dd4beU, 0x21d35874U, 0x692949e0U, 0xc8448ec9U,
+    0x896a75c2U, 0x7978f48eU, 0x3e6b9958U, 0x71dd27b9U,
+    0x4fb6bee1U, 0xad17f088U, 0xac66c920U, 0x3ab47dceU,
+    0x4a1863dfU, 0x3182e51aU, 0x33609751U, 0x7f456253U,
+    0x77e0b164U, 0xae84bb6bU, 0xa01cfe81U, 0x2b94f908U,
+    0x68587048U, 0xfd198f45U, 0x6c8794deU, 0xf8b7527bU,
+    0xd323ab73U, 0x02e2724bU, 0x8f57e31fU, 0xab2a6655U,
+    0x2807b2ebU, 0xc2032fb5U, 0x7b9a86c5U, 0x08a5d337U,
+    0x87f23028U, 0xa5b223bfU, 0x6aba0203U, 0x825ced16U,
+    0x1c2b8acfU, 0xb492a779U, 0xf2f0f307U, 0xe2a14e69U,
+    0xf4cd65daU, 0xbed50605U, 0x621fd134U, 0xfe8ac4a6U,
+    0x539d342eU, 0x55a0a2f3U, 0xe132058aU, 0xeb75a4f6U,
+    0xec390b83U, 0xefaa4060U, 0x9f065e71U, 0x1051bd6eU,
+
+    0x8af93e21U, 0x063d96ddU, 0x05aedd3eU, 0xbd464de6U,
+    0x8db59154U, 0x5d0571c4U, 0xd46f0406U, 0x15ff6050U,
+    0xfb241998U, 0xe997d6bdU, 0x43cc8940U, 0x9e7767d9U,
+    0x42bdb0e8U, 0x8b880789U, 0x5b38e719U, 0xeedb79c8U,
+    0x0a47a17cU, 0x0fe97c42U, 0x1ec9f884U, 0x00000000U,
+    0x86830980U, 0xed48322bU, 0x70ac1e11U, 0x724e6c5aU,
+    0xfffbfd0eU, 0x38560f85U, 0xd51e3daeU, 0x3927362dU,
+    0xd9640a0fU, 0xa621685cU, 0x54d19b5bU, 0x2e3a2436U,
+    0x67b10c0aU, 0xe70f9357U, 0x96d2b4eeU, 0x919e1b9bU,
+    0xc54f80c0U, 0x20a261dcU, 0x4b695a77U, 0x1a161c12U,
+    0xba0ae293U, 0x2ae5c0a0U, 0xe0433c22U, 0x171d121bU,
+    0x0d0b0e09U, 0xc7adf28bU, 0xa8b92db6U, 0xa9c8141eU,
+    0x198557f1U, 0x074caf75U, 0xddbbee99U, 0x60fda37fU,
+    0x269ff701U, 0xf5bc5c72U, 0x3bc54466U, 0x7e345bfbU,
+    0x29768b43U, 0xc6dccb23U, 0xfc68b6edU, 0xf163b8e4U,
+    0xdccad731U, 0x85104263U, 0x22401397U, 0x112084c6U,
+    0x247d854aU, 0x3df8d2bbU, 0x3211aef9U, 0xa16dc729U,
+    0x2f4b1d9eU, 0x30f3dcb2U, 0x52ec0d86U, 0xe3d077c1U,
+    0x166c2bb3U, 0xb999a970U, 0x48fa1194U, 0x642247e9U,
+    0x8cc4a8fcU, 0x3f1aa0f0U, 0x2cd8567dU, 0x90ef2233U,
+    0x4ec78749U, 0xd1c1d938U, 0xa2fe8ccaU, 0x0b3698d4U,
+    0x81cfa6f5U, 0xde28a57aU, 0x8e26dab7U, 0xbfa43fadU,
+    0x9de42c3aU, 0x920d5078U, 0xcc9b6a5fU, 0x4662547eU,
+    0x13c2f68dU, 0xb8e890d8U, 0xf75e2e39U, 0xaff582c3U,
+    0x80be9f5dU, 0x937c69d0U, 0x2da96fd5U, 0x12b3cf25U,
+    0x993bc8acU, 0x7da71018U, 0x636ee89cU, 0xbb7bdb3bU,
+    0x7809cd26U, 0x18f46e59U, 0xb701ec9aU, 0x9aa8834fU,
+    0x6e65e695U, 0xe67eaaffU, 0xcf0821bcU, 0xe8e6ef15U,
+    0x9bd9bae7U, 0x36ce4a6fU, 0x09d4ea9fU, 0x7cd629b0U,
+    0xb2af31a4U, 0x23312a3fU, 0x9430c6a5U, 0x66c035a2U,
+    0xbc37744eU, 0xcaa6fc82U, 0xd0b0e090U, 0xd81533a7U,
+    0x984af104U, 0xdaf741ecU, 0x500e7fcdU, 0xf62f1791U,
+    0xd68d764dU, 0xb04d43efU, 0x4d54ccaaU, 0x04dfe496U,
+    0xb5e39ed1U, 0x881b4c6aU, 0x1fb8c12cU, 0x517f4665U,
+    0xea049d5eU, 0x355d018cU, 0x7473fa87U, 0x412efb0bU,
+    0x1d5ab367U, 0xd25292dbU, 0x5633e910U, 0x47136dd6U,
+    0x618c9ad7U, 0x0c7a37a1U, 0x148e59f8U, 0x3c89eb13U,
+    0x27eecea9U, 0xc935b761U, 0xe5ede11cU, 0xb13c7a47U,
+    0xdf599cd2U, 0x733f55f2U, 0xce791814U, 0x37bf73c7U,
+    0xcdea53f7U, 0xaa5b5ffdU, 0x6f14df3dU, 0xdb867844U,
+    0xf381caafU, 0xc43eb968U, 0x342c3824U, 0x405fc2a3U,
+    0xc372161dU, 0x250cbce2U, 0x498b283cU, 0x9541ff0dU,
+    0x017139a8U, 0xb3de080cU, 0xe49cd8b4U, 0xc1906456U,
+    0x84617bcbU, 0xb670d532U, 0x5c74486cU, 0x5742d0b8U,
+};
+static const u32 Td3[256] = {
+    0xf4a75051U, 0x4165537eU, 0x17a4c31aU, 0x275e963aU,
+    0xab6bcb3bU, 0x9d45f11fU, 0xfa58abacU, 0xe303934bU,
+    0x30fa5520U, 0x766df6adU, 0xcc769188U, 0x024c25f5U,
+    0xe5d7fc4fU, 0x2acbd7c5U, 0x35448026U, 0x62a38fb5U,
+    0xb15a49deU, 0xba1b6725U, 0xea0e9845U, 0xfec0e15dU,
+    0x2f7502c3U, 0x4cf01281U, 0x4697a38dU, 0xd3f9c66bU,
+    0x8f5fe703U, 0x929c9515U, 0x6d7aebbfU, 0x5259da95U,
+    0xbe832dd4U, 0x7421d358U, 0xe0692949U, 0xc9c8448eU,
+    0xc2896a75U, 0x8e7978f4U, 0x583e6b99U, 0xb971dd27U,
+    0xe14fb6beU, 0x88ad17f0U, 0x20ac66c9U, 0xce3ab47dU,
+    0xdf4a1863U, 0x1a3182e5U, 0x51336097U, 0x537f4562U,
+    0x6477e0b1U, 0x6bae84bbU, 0x81a01cfeU, 0x082b94f9U,
+    0x48685870U, 0x45fd198fU, 0xde6c8794U, 0x7bf8b752U,
+    0x73d323abU, 0x4b02e272U, 0x1f8f57e3U, 0x55ab2a66U,
+    0xeb2807b2U, 0xb5c2032fU, 0xc57b9a86U, 0x3708a5d3U,
+    0x2887f230U, 0xbfa5b223U, 0x036aba02U, 0x16825cedU,
+    0xcf1c2b8aU, 0x79b492a7U, 0x07f2f0f3U, 0x69e2a14eU,
+    0xdaf4cd65U, 0x05bed506U, 0x34621fd1U, 0xa6fe8ac4U,
+    0x2e539d34U, 0xf355a0a2U, 0x8ae13205U, 0xf6eb75a4U,
+    0x83ec390bU, 0x60efaa40U, 0x719f065eU, 0x6e1051bdU,
+    0x218af93eU, 0xdd063d96U, 0x3e05aeddU, 0xe6bd464dU,
+    0x548db591U, 0xc45d0571U, 0x06d46f04U, 0x5015ff60U,
+    0x98fb2419U, 0xbde997d6U, 0x4043cc89U, 0xd99e7767U,
+    0xe842bdb0U, 0x898b8807U, 0x195b38e7U, 0xc8eedb79U,
+    0x7c0a47a1U, 0x420fe97cU, 0x841ec9f8U, 0x00000000U,
+    0x80868309U, 0x2bed4832U, 0x1170ac1eU, 0x5a724e6cU,
+    0x0efffbfdU, 0x8538560fU, 0xaed51e3dU, 0x2d392736U,
+    0x0fd9640aU, 0x5ca62168U, 0x5b54d19bU, 0x362e3a24U,
+    0x0a67b10cU, 0x57e70f93U, 0xee96d2b4U, 0x9b919e1bU,
+    0xc0c54f80U, 0xdc20a261U, 0x774b695aU, 0x121a161cU,
+    0x93ba0ae2U, 0xa02ae5c0U, 0x22e0433cU, 0x1b171d12U,
+    0x090d0b0eU, 0x8bc7adf2U, 0xb6a8b92dU, 0x1ea9c814U,
+    0xf1198557U, 0x75074cafU, 0x99ddbbeeU, 0x7f60fda3U,
+    0x01269ff7U, 0x72f5bc5cU, 0x663bc544U, 0xfb7e345bU,
+    0x4329768bU, 0x23c6dccbU, 0xedfc68b6U, 0xe4f163b8U,
+    0x31dccad7U, 0x63851042U, 0x97224013U, 0xc6112084U,
+    0x4a247d85U, 0xbb3df8d2U, 0xf93211aeU, 0x29a16dc7U,
+    0x9e2f4b1dU, 0xb230f3dcU, 0x8652ec0dU, 0xc1e3d077U,
+    0xb3166c2bU, 0x70b999a9U, 0x9448fa11U, 0xe9642247U,
+    0xfc8cc4a8U, 0xf03f1aa0U, 0x7d2cd856U, 0x3390ef22U,
+    0x494ec787U, 0x38d1c1d9U, 0xcaa2fe8cU, 0xd40b3698U,
+    0xf581cfa6U, 0x7ade28a5U, 0xb78e26daU, 0xadbfa43fU,
+    0x3a9de42cU, 0x78920d50U, 0x5fcc9b6aU, 0x7e466254U,
+    0x8d13c2f6U, 0xd8b8e890U, 0x39f75e2eU, 0xc3aff582U,
+    0x5d80be9fU, 0xd0937c69U, 0xd52da96fU, 0x2512b3cfU,
+    0xac993bc8U, 0x187da710U, 0x9c636ee8U, 0x3bbb7bdbU,
+    0x267809cdU, 0x5918f46eU, 0x9ab701ecU, 0x4f9aa883U,
+    0x956e65e6U, 0xffe67eaaU, 0xbccf0821U, 0x15e8e6efU,
+    0xe79bd9baU, 0x6f36ce4aU, 0x9f09d4eaU, 0xb07cd629U,
+    0xa4b2af31U, 0x3f23312aU, 0xa59430c6U, 0xa266c035U,
+    0x4ebc3774U, 0x82caa6fcU, 0x90d0b0e0U, 0xa7d81533U,
+    0x04984af1U, 0xecdaf741U, 0xcd500e7fU, 0x91f62f17U,
+    0x4dd68d76U, 0xefb04d43U, 0xaa4d54ccU, 0x9604dfe4U,
+    0xd1b5e39eU, 0x6a881b4cU, 0x2c1fb8c1U, 0x65517f46U,
+    0x5eea049dU, 0x8c355d01U, 0x877473faU, 0x0b412efbU,
+    0x671d5ab3U, 0xdbd25292U, 0x105633e9U, 0xd647136dU,
+    0xd7618c9aU, 0xa10c7a37U, 0xf8148e59U, 0x133c89ebU,
+    0xa927eeceU, 0x61c935b7U, 0x1ce5ede1U, 0x47b13c7aU,
+    0xd2df599cU, 0xf2733f55U, 0x14ce7918U, 0xc737bf73U,
+    0xf7cdea53U, 0xfdaa5b5fU, 0x3d6f14dfU, 0x44db8678U,
+    0xaff381caU, 0x68c43eb9U, 0x24342c38U, 0xa3405fc2U,
+    0x1dc37216U, 0xe2250cbcU, 0x3c498b28U, 0x0d9541ffU,
+    0xa8017139U, 0x0cb3de08U, 0xb4e49cd8U, 0x56c19064U,
+    0xcb84617bU, 0x32b670d5U, 0x6c5c7448U, 0xb85742d0U,
+};
+static const u32 Td4[256] = {
+    0x52525252U, 0x09090909U, 0x6a6a6a6aU, 0xd5d5d5d5U,
+    0x30303030U, 0x36363636U, 0xa5a5a5a5U, 0x38383838U,
+    0xbfbfbfbfU, 0x40404040U, 0xa3a3a3a3U, 0x9e9e9e9eU,
+    0x81818181U, 0xf3f3f3f3U, 0xd7d7d7d7U, 0xfbfbfbfbU,
+    0x7c7c7c7cU, 0xe3e3e3e3U, 0x39393939U, 0x82828282U,
+    0x9b9b9b9bU, 0x2f2f2f2fU, 0xffffffffU, 0x87878787U,
+    0x34343434U, 0x8e8e8e8eU, 0x43434343U, 0x44444444U,
+    0xc4c4c4c4U, 0xdedededeU, 0xe9e9e9e9U, 0xcbcbcbcbU,
+    0x54545454U, 0x7b7b7b7bU, 0x94949494U, 0x32323232U,
+    0xa6a6a6a6U, 0xc2c2c2c2U, 0x23232323U, 0x3d3d3d3dU,
+    0xeeeeeeeeU, 0x4c4c4c4cU, 0x95959595U, 0x0b0b0b0bU,
+    0x42424242U, 0xfafafafaU, 0xc3c3c3c3U, 0x4e4e4e4eU,
+    0x08080808U, 0x2e2e2e2eU, 0xa1a1a1a1U, 0x66666666U,
+    0x28282828U, 0xd9d9d9d9U, 0x24242424U, 0xb2b2b2b2U,
+    0x76767676U, 0x5b5b5b5bU, 0xa2a2a2a2U, 0x49494949U,
+    0x6d6d6d6dU, 0x8b8b8b8bU, 0xd1d1d1d1U, 0x25252525U,
+    0x72727272U, 0xf8f8f8f8U, 0xf6f6f6f6U, 0x64646464U,
+    0x86868686U, 0x68686868U, 0x98989898U, 0x16161616U,
+    0xd4d4d4d4U, 0xa4a4a4a4U, 0x5c5c5c5cU, 0xccccccccU,
+    0x5d5d5d5dU, 0x65656565U, 0xb6b6b6b6U, 0x92929292U,
+    0x6c6c6c6cU, 0x70707070U, 0x48484848U, 0x50505050U,
+    0xfdfdfdfdU, 0xededededU, 0xb9b9b9b9U, 0xdadadadaU,
+    0x5e5e5e5eU, 0x15151515U, 0x46464646U, 0x57575757U,
+    0xa7a7a7a7U, 0x8d8d8d8dU, 0x9d9d9d9dU, 0x84848484U,
+    0x90909090U, 0xd8d8d8d8U, 0xababababU, 0x00000000U,
+    0x8c8c8c8cU, 0xbcbcbcbcU, 0xd3d3d3d3U, 0x0a0a0a0aU,
+    0xf7f7f7f7U, 0xe4e4e4e4U, 0x58585858U, 0x05050505U,
+    0xb8b8b8b8U, 0xb3b3b3b3U, 0x45454545U, 0x06060606U,
+    0xd0d0d0d0U, 0x2c2c2c2cU, 0x1e1e1e1eU, 0x8f8f8f8fU,
+    0xcacacacaU, 0x3f3f3f3fU, 0x0f0f0f0fU, 0x02020202U,
+    0xc1c1c1c1U, 0xafafafafU, 0xbdbdbdbdU, 0x03030303U,
+    0x01010101U, 0x13131313U, 0x8a8a8a8aU, 0x6b6b6b6bU,
+    0x3a3a3a3aU, 0x91919191U, 0x11111111U, 0x41414141U,
+    0x4f4f4f4fU, 0x67676767U, 0xdcdcdcdcU, 0xeaeaeaeaU,
+    0x97979797U, 0xf2f2f2f2U, 0xcfcfcfcfU, 0xcecececeU,
+    0xf0f0f0f0U, 0xb4b4b4b4U, 0xe6e6e6e6U, 0x73737373U,
+    0x96969696U, 0xacacacacU, 0x74747474U, 0x22222222U,
+    0xe7e7e7e7U, 0xadadadadU, 0x35353535U, 0x85858585U,
+    0xe2e2e2e2U, 0xf9f9f9f9U, 0x37373737U, 0xe8e8e8e8U,
+    0x1c1c1c1cU, 0x75757575U, 0xdfdfdfdfU, 0x6e6e6e6eU,
+    0x47474747U, 0xf1f1f1f1U, 0x1a1a1a1aU, 0x71717171U,
+    0x1d1d1d1dU, 0x29292929U, 0xc5c5c5c5U, 0x89898989U,
+    0x6f6f6f6fU, 0xb7b7b7b7U, 0x62626262U, 0x0e0e0e0eU,
+    0xaaaaaaaaU, 0x18181818U, 0xbebebebeU, 0x1b1b1b1bU,
+    0xfcfcfcfcU, 0x56565656U, 0x3e3e3e3eU, 0x4b4b4b4bU,
+    0xc6c6c6c6U, 0xd2d2d2d2U, 0x79797979U, 0x20202020U,
+    0x9a9a9a9aU, 0xdbdbdbdbU, 0xc0c0c0c0U, 0xfefefefeU,
+    0x78787878U, 0xcdcdcdcdU, 0x5a5a5a5aU, 0xf4f4f4f4U,
+    0x1f1f1f1fU, 0xddddddddU, 0xa8a8a8a8U, 0x33333333U,
+    0x88888888U, 0x07070707U, 0xc7c7c7c7U, 0x31313131U,
+    0xb1b1b1b1U, 0x12121212U, 0x10101010U, 0x59595959U,
+    0x27272727U, 0x80808080U, 0xececececU, 0x5f5f5f5fU,
+    0x60606060U, 0x51515151U, 0x7f7f7f7fU, 0xa9a9a9a9U,
+    0x19191919U, 0xb5b5b5b5U, 0x4a4a4a4aU, 0x0d0d0d0dU,
+    0x2d2d2d2dU, 0xe5e5e5e5U, 0x7a7a7a7aU, 0x9f9f9f9fU,
+    0x93939393U, 0xc9c9c9c9U, 0x9c9c9c9cU, 0xefefefefU,
+    0xa0a0a0a0U, 0xe0e0e0e0U, 0x3b3b3b3bU, 0x4d4d4d4dU,
+    0xaeaeaeaeU, 0x2a2a2a2aU, 0xf5f5f5f5U, 0xb0b0b0b0U,
+    0xc8c8c8c8U, 0xebebebebU, 0xbbbbbbbbU, 0x3c3c3c3cU,
+    0x83838383U, 0x53535353U, 0x99999999U, 0x61616161U,
+    0x17171717U, 0x2b2b2b2bU, 0x04040404U, 0x7e7e7e7eU,
+    0xbabababaU, 0x77777777U, 0xd6d6d6d6U, 0x26262626U,
+    0xe1e1e1e1U, 0x69696969U, 0x14141414U, 0x63636363U,
+    0x55555555U, 0x21212121U, 0x0c0c0c0cU, 0x7d7d7d7dU,
+};
+static const u32 rcon[] = {
+        0x01000000, 0x02000000, 0x04000000, 0x08000000,
+        0x10000000, 0x20000000, 0x40000000, 0x80000000,
+        0x1B000000, 0x36000000, /* for 128-bit blocks, Rijndael never uses more than 10 rcon values */
+};
+
+#define SWAP(x) (_lrotl(x, 8) & 0x00ff00ff | _lrotr(x, 8) & 0xff00ff00)
+
+#ifdef _MSC_VER
+#define GETU32(p) SWAP(*((u32 *)(p)))
+#define PUTU32(ct, st) { *((u32 *)(ct)) = SWAP((st)); }
+#else
+#define GETU32(pt) (((u32)(pt)[0] << 24) ^ ((u32)(pt)[1] << 16) ^ ((u32)(pt)[2] <<  8) ^ ((u32)(pt)[3]))
+#define PUTU32(ct, st) { (ct)[0] = (u8)((st) >> 24); (ct)[1] = (u8)((st) >> 16); (ct)[2] = (u8)((st) >>  8); (ct)[3] = (u8)(st); }
+#endif
+
+/**
+ * Expand the cipher key into the encryption key schedule.
+ *
+ * @return      the number of rounds for the given cipher key size.
+ */
+int rijndaelKeySetupEnc(u32 rk[/*4*(Nr + 1)*/], const u8 cipherKey[], int keyBits) {
+        int i = 0;
+        u32 temp;
+
+        rk[0] = GETU32(cipherKey     );
+        rk[1] = GETU32(cipherKey +  4);
+        rk[2] = GETU32(cipherKey +  8);
+        rk[3] = GETU32(cipherKey + 12);
+        if (keyBits == 128) {
+                for (;;) {
+                        temp  = rk[3];
+                        rk[4] = rk[0] ^
+                                (Te4[(temp >> 16) & 0xff] & 0xff000000) ^
+                                (Te4[(temp >>  8) & 0xff] & 0x00ff0000) ^
+                                (Te4[(temp      ) & 0xff] & 0x0000ff00) ^
+                                (Te4[(temp >> 24)       ] & 0x000000ff) ^
+                                rcon[i];
+                        rk[5] = rk[1] ^ rk[4];
+                        rk[6] = rk[2] ^ rk[5];
+                        rk[7] = rk[3] ^ rk[6];
+                        if (++i == 10) {
+                                return 10;
+                        }
+                        rk += 4;
+                }
+        }
+        rk[4] = GETU32(cipherKey + 16);
+        rk[5] = GETU32(cipherKey + 20);
+        if (keyBits == 192) {
+                for (;;) {
+                        temp = rk[ 5];
+                        rk[ 6] = rk[ 0] ^
+                                (Te4[(temp >> 16) & 0xff] & 0xff000000) ^
+                                (Te4[(temp >>  8) & 0xff] & 0x00ff0000) ^
+                                (Te4[(temp      ) & 0xff] & 0x0000ff00) ^
+                                (Te4[(temp >> 24)       ] & 0x000000ff) ^
+                                rcon[i];
+                        rk[ 7] = rk[ 1] ^ rk[ 6];
+                        rk[ 8] = rk[ 2] ^ rk[ 7];
+                        rk[ 9] = rk[ 3] ^ rk[ 8];
+                        if (++i == 8) {
+                                return 12;
+                        }
+                        rk[10] = rk[ 4] ^ rk[ 9];
+                        rk[11] = rk[ 5] ^ rk[10];
+                        rk += 6;
+                }
+        }
+        rk[6] = GETU32(cipherKey + 24);
+        rk[7] = GETU32(cipherKey + 28);
+        if (keyBits == 256) {
+        for (;;) {
+                temp = rk[ 7];
+                rk[ 8] = rk[ 0] ^
+                        (Te4[(temp >> 16) & 0xff] & 0xff000000) ^
+                        (Te4[(temp >>  8) & 0xff] & 0x00ff0000) ^
+                        (Te4[(temp      ) & 0xff] & 0x0000ff00) ^
+                        (Te4[(temp >> 24)       ] & 0x000000ff) ^
+                        rcon[i];
+                rk[ 9] = rk[ 1] ^ rk[ 8];
+                rk[10] = rk[ 2] ^ rk[ 9];
+                rk[11] = rk[ 3] ^ rk[10];
+                        if (++i == 7) {
+                                return 14;
+                        }
+                temp = rk[11];
+                rk[12] = rk[ 4] ^
+                        (Te4[(temp >> 24)       ] & 0xff000000) ^
+                        (Te4[(temp >> 16) & 0xff] & 0x00ff0000) ^
+                        (Te4[(temp >>  8) & 0xff] & 0x0000ff00) ^
+                        (Te4[(temp      ) & 0xff] & 0x000000ff);
+                rk[13] = rk[ 5] ^ rk[12];
+                rk[14] = rk[ 6] ^ rk[13];
+                rk[15] = rk[ 7] ^ rk[14];
+
+                        rk += 8;
+        }
+        }
+        return 0;
+}
+
+/**
+ * Expand the cipher key into the decryption key schedule.
+ *
+ * @return      the number of rounds for the given cipher key size.
+ */
+int rijndaelKeySetupDec(u32 rk[/*4*(Nr + 1)*/], const u8 cipherKey[], int keyBits) {
+        int Nr, i, j;
+        u32 temp;
+
+        /* expand the cipher key: */
+        Nr = rijndaelKeySetupEnc(rk, cipherKey, keyBits);
+        /* invert the order of the round keys: */
+        for (i = 0, j = 4*Nr; i < j; i += 4, j -= 4) {
+                temp = rk[i    ]; rk[i    ] = rk[j    ]; rk[j    ] = temp;
+                temp = rk[i + 1]; rk[i + 1] = rk[j + 1]; rk[j + 1] = temp;
+                temp = rk[i + 2]; rk[i + 2] = rk[j + 2]; rk[j + 2] = temp;
+                temp = rk[i + 3]; rk[i + 3] = rk[j + 3]; rk[j + 3] = temp;
+        }
+        /* apply the inverse MixColumn transform to all round keys but the first and the last: */
+        for (i = 1; i < Nr; i++) {
+                rk += 4;
+                rk[0] =
+                        Td0[Te4[(rk[0] >> 24)       ] & 0xff] ^
+                        Td1[Te4[(rk[0] >> 16) & 0xff] & 0xff] ^
+                        Td2[Te4[(rk[0] >>  8) & 0xff] & 0xff] ^
+                        Td3[Te4[(rk[0]      ) & 0xff] & 0xff];
+                rk[1] =
+                        Td0[Te4[(rk[1] >> 24)       ] & 0xff] ^
+                        Td1[Te4[(rk[1] >> 16) & 0xff] & 0xff] ^
+                        Td2[Te4[(rk[1] >>  8) & 0xff] & 0xff] ^
+                        Td3[Te4[(rk[1]      ) & 0xff] & 0xff];
+                rk[2] =
+                        Td0[Te4[(rk[2] >> 24)       ] & 0xff] ^
+                        Td1[Te4[(rk[2] >> 16) & 0xff] & 0xff] ^
+                        Td2[Te4[(rk[2] >>  8) & 0xff] & 0xff] ^
+                        Td3[Te4[(rk[2]      ) & 0xff] & 0xff];
+                rk[3] =
+                        Td0[Te4[(rk[3] >> 24)       ] & 0xff] ^
+                        Td1[Te4[(rk[3] >> 16) & 0xff] & 0xff] ^
+                        Td2[Te4[(rk[3] >>  8) & 0xff] & 0xff] ^
+                        Td3[Te4[(rk[3]      ) & 0xff] & 0xff];
+        }
+        return Nr;
+}
+
+void rijndaelEncrypt(const u32 rk[/*4*(Nr + 1)*/], int Nr, const u8 pt[16], u8 ct[16]) {
+        u32 s0, s1, s2, s3, t0, t1, t2, t3;
+#ifndef FULL_UNROLL
+    int r;
+#endif /* ?FULL_UNROLL */
+
+    /*
+         * map byte array block to cipher state
+         * and add initial round key:
+         */
+        s0 = GETU32(pt     ) ^ rk[0];
+        s1 = GETU32(pt +  4) ^ rk[1];
+        s2 = GETU32(pt +  8) ^ rk[2];
+        s3 = GETU32(pt + 12) ^ rk[3];
+#ifdef FULL_UNROLL
+    /* round 1: */
+        t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >>  8) & 0xff] ^ Te3[s3 & 0xff] ^ rk[ 4];
+        t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >>  8) & 0xff] ^ Te3[s0 & 0xff] ^ rk[ 5];
+        t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >>  8) & 0xff] ^ Te3[s1 & 0xff] ^ rk[ 6];
+        t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >>  8) & 0xff] ^ Te3[s2 & 0xff] ^ rk[ 7];
+        /* round 2: */
+        s0 = Te0[t0 >> 24] ^ Te1[(t1 >> 16) & 0xff] ^ Te2[(t2 >>  8) & 0xff] ^ Te3[t3 & 0xff] ^ rk[ 8];
+        s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >>  8) & 0xff] ^ Te3[t0 & 0xff] ^ rk[ 9];
+        s2 = Te0[t2 >> 24] ^ Te1[(t3 >> 16) & 0xff] ^ Te2[(t0 >>  8) & 0xff] ^ Te3[t1 & 0xff] ^ rk[10];
+        s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >>  8) & 0xff] ^ Te3[t2 & 0xff] ^ rk[11];
+    /* round 3: */
+        t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >>  8) & 0xff] ^ Te3[s3 & 0xff] ^ rk[12];
+        t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >>  8) & 0xff] ^ Te3[s0 & 0xff] ^ rk[13];
+        t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >>  8) & 0xff] ^ Te3[s1 & 0xff] ^ rk[14];
+        t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >>  8) & 0xff] ^ Te3[s2 & 0xff] ^ rk[15];
+        /* round 4: */
+        s0 = Te0[t0 >> 24] ^ Te1[(t1 >> 16) & 0xff] ^ Te2[(t2 >>  8) & 0xff] ^ Te3[t3 & 0xff] ^ rk[16];
+        s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >>  8) & 0xff] ^ Te3[t0 & 0xff] ^ rk[17];
+        s2 = Te0[t2 >> 24] ^ Te1[(t3 >> 16) & 0xff] ^ Te2[(t0 >>  8) & 0xff] ^ Te3[t1 & 0xff] ^ rk[18];
+        s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >>  8) & 0xff] ^ Te3[t2 & 0xff] ^ rk[19];
+    /* round 5: */
+        t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >>  8) & 0xff] ^ Te3[s3 & 0xff] ^ rk[20];
+        t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >>  8) & 0xff] ^ Te3[s0 & 0xff] ^ rk[21];
+        t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >>  8) & 0xff] ^ Te3[s1 & 0xff] ^ rk[22];
+        t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >>  8) & 0xff] ^ Te3[s2 & 0xff] ^ rk[23];
+        /* round 6: */
+        s0 = Te0[t0 >> 24] ^ Te1[(t1 >> 16) & 0xff] ^ Te2[(t2 >>  8) & 0xff] ^ Te3[t3 & 0xff] ^ rk[24];
+        s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >>  8) & 0xff] ^ Te3[t0 & 0xff] ^ rk[25];
+        s2 = Te0[t2 >> 24] ^ Te1[(t3 >> 16) & 0xff] ^ Te2[(t0 >>  8) & 0xff] ^ Te3[t1 & 0xff] ^ rk[26];
+        s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >>  8) & 0xff] ^ Te3[t2 & 0xff] ^ rk[27];
+    /* round 7: */
+        t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >>  8) & 0xff] ^ Te3[s3 & 0xff] ^ rk[28];
+        t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >>  8) & 0xff] ^ Te3[s0 & 0xff] ^ rk[29];
+        t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >>  8) & 0xff] ^ Te3[s1 & 0xff] ^ rk[30];
+        t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >>  8) & 0xff] ^ Te3[s2 & 0xff] ^ rk[31];
+        /* round 8: */
+        s0 = Te0[t0 >> 24] ^ Te1[(t1 >> 16) & 0xff] ^ Te2[(t2 >>  8) & 0xff] ^ Te3[t3 & 0xff] ^ rk[32];
+        s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >>  8) & 0xff] ^ Te3[t0 & 0xff] ^ rk[33];
+        s2 = Te0[t2 >> 24] ^ Te1[(t3 >> 16) & 0xff] ^ Te2[(t0 >>  8) & 0xff] ^ Te3[t1 & 0xff] ^ rk[34];
+        s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >>  8) & 0xff] ^ Te3[t2 & 0xff] ^ rk[35];
+    /* round 9: */
+        t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >>  8) & 0xff] ^ Te3[s3 & 0xff] ^ rk[36];
+        t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >>  8) & 0xff] ^ Te3[s0 & 0xff] ^ rk[37];
+        t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >>  8) & 0xff] ^ Te3[s1 & 0xff] ^ rk[38];
+        t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >>  8) & 0xff] ^ Te3[s2 & 0xff] ^ rk[39];
+    if (Nr > 10) {
+        /* round 10: */
+        s0 = Te0[t0 >> 24] ^ Te1[(t1 >> 16) & 0xff] ^ Te2[(t2 >>  8) & 0xff] ^ Te3[t3 & 0xff] ^ rk[40];
+        s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >>  8) & 0xff] ^ Te3[t0 & 0xff] ^ rk[41];
+        s2 = Te0[t2 >> 24] ^ Te1[(t3 >> 16) & 0xff] ^ Te2[(t0 >>  8) & 0xff] ^ Te3[t1 & 0xff] ^ rk[42];
+        s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >>  8) & 0xff] ^ Te3[t2 & 0xff] ^ rk[43];
+        /* round 11: */
+        t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >>  8) & 0xff] ^ Te3[s3 & 0xff] ^ rk[44];
+        t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >>  8) & 0xff] ^ Te3[s0 & 0xff] ^ rk[45];
+        t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >>  8) & 0xff] ^ Te3[s1 & 0xff] ^ rk[46];
+        t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >>  8) & 0xff] ^ Te3[s2 & 0xff] ^ rk[47];
+        if (Nr > 12) {
+            /* round 12: */
+            s0 = Te0[t0 >> 24] ^ Te1[(t1 >> 16) & 0xff] ^ Te2[(t2 >>  8) & 0xff] ^ Te3[t3 & 0xff] ^ rk[48];
+            s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >>  8) & 0xff] ^ Te3[t0 & 0xff] ^ rk[49];
+            s2 = Te0[t2 >> 24] ^ Te1[(t3 >> 16) & 0xff] ^ Te2[(t0 >>  8) & 0xff] ^ Te3[t1 & 0xff] ^ rk[50];
+            s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >>  8) & 0xff] ^ Te3[t2 & 0xff] ^ rk[51];
+            /* round 13: */
+            t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >>  8) & 0xff] ^ Te3[s3 & 0xff] ^ rk[52];
+            t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >>  8) & 0xff] ^ Te3[s0 & 0xff] ^ rk[53];
+            t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >>  8) & 0xff] ^ Te3[s1 & 0xff] ^ rk[54];
+            t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >>  8) & 0xff] ^ Te3[s2 & 0xff] ^ rk[55];
+        }
+    }
+    rk += Nr << 2;
+#else  /* !FULL_UNROLL */
+    /*
+         * Nr - 1 full rounds:
+         */
+    r = Nr >> 1;
+    for (;;) {
+        t0 =
+            Te0[(s0 >> 24)       ] ^
+            Te1[(s1 >> 16) & 0xff] ^
+            Te2[(s2 >>  8) & 0xff] ^
+            Te3[(s3      ) & 0xff] ^
+            rk[4];
+        t1 =
+            Te0[(s1 >> 24)       ] ^
+            Te1[(s2 >> 16) & 0xff] ^
+            Te2[(s3 >>  8) & 0xff] ^
+            Te3[(s0      ) & 0xff] ^
+            rk[5];
+        t2 =
+            Te0[(s2 >> 24)       ] ^
+            Te1[(s3 >> 16) & 0xff] ^
+            Te2[(s0 >>  8) & 0xff] ^
+            Te3[(s1      ) & 0xff] ^
+            rk[6];
+        t3 =
+            Te0[(s3 >> 24)       ] ^
+            Te1[(s0 >> 16) & 0xff] ^
+            Te2[(s1 >>  8) & 0xff] ^
+            Te3[(s2      ) & 0xff] ^
+            rk[7];
+
+        rk += 8;
+        if (--r == 0) {
+            break;
+        }
+
+        s0 =
+            Te0[(t0 >> 24)       ] ^
+            Te1[(t1 >> 16) & 0xff] ^
+            Te2[(t2 >>  8) & 0xff] ^
+            Te3[(t3      ) & 0xff] ^
+            rk[0];
+        s1 =
+            Te0[(t1 >> 24)       ] ^
+            Te1[(t2 >> 16) & 0xff] ^
+            Te2[(t3 >>  8) & 0xff] ^
+            Te3[(t0      ) & 0xff] ^
+            rk[1];
+        s2 =
+            Te0[(t2 >> 24)       ] ^
+            Te1[(t3 >> 16) & 0xff] ^
+            Te2[(t0 >>  8) & 0xff] ^
+            Te3[(t1      ) & 0xff] ^
+            rk[2];
+        s3 =
+            Te0[(t3 >> 24)       ] ^
+            Te1[(t0 >> 16) & 0xff] ^
+            Te2[(t1 >>  8) & 0xff] ^
+            Te3[(t2      ) & 0xff] ^
+            rk[3];
+    }
+#endif /* ?FULL_UNROLL */
+    /*
+         * apply last round and
+         * map cipher state to byte array block:
+         */
+        s0 =
+                (Te4[(t0 >> 24)       ] & 0xff000000) ^
+                (Te4[(t1 >> 16) & 0xff] & 0x00ff0000) ^
+                (Te4[(t2 >>  8) & 0xff] & 0x0000ff00) ^
+                (Te4[(t3      ) & 0xff] & 0x000000ff) ^
+                rk[0];
+        PUTU32(ct     , s0);
+        s1 =
+                (Te4[(t1 >> 24)       ] & 0xff000000) ^
+                (Te4[(t2 >> 16) & 0xff] & 0x00ff0000) ^
+                (Te4[(t3 >>  8) & 0xff] & 0x0000ff00) ^
+                (Te4[(t0      ) & 0xff] & 0x000000ff) ^
+                rk[1];
+        PUTU32(ct +  4, s1);
+        s2 =
+                (Te4[(t2 >> 24)       ] & 0xff000000) ^
+                (Te4[(t3 >> 16) & 0xff] & 0x00ff0000) ^
+                (Te4[(t0 >>  8) & 0xff] & 0x0000ff00) ^
+                (Te4[(t1      ) & 0xff] & 0x000000ff) ^
+                rk[2];
+        PUTU32(ct +  8, s2);
+        s3 =
+                (Te4[(t3 >> 24)       ] & 0xff000000) ^
+                (Te4[(t0 >> 16) & 0xff] & 0x00ff0000) ^
+                (Te4[(t1 >>  8) & 0xff] & 0x0000ff00) ^
+                (Te4[(t2      ) & 0xff] & 0x000000ff) ^
+                rk[3];
+        PUTU32(ct + 12, s3);
+}
+
+void rijndaelDecrypt(const u32 rk[/*4*(Nr + 1)*/], int Nr, const u8 ct[16], u8 pt[16]) {
+        u32 s0, s1, s2, s3, t0, t1, t2, t3;
+#ifndef FULL_UNROLL
+    int r;
+#endif /* ?FULL_UNROLL */
+
+    /*
+         * map byte array block to cipher state
+         * and add initial round key:
+         */
+    s0 = GETU32(ct     ) ^ rk[0];
+    s1 = GETU32(ct +  4) ^ rk[1];
+    s2 = GETU32(ct +  8) ^ rk[2];
+    s3 = GETU32(ct + 12) ^ rk[3];
+#ifdef FULL_UNROLL
+    /* round 1: */
+    t0 = Td0[s0 >> 24] ^ Td1[(s3 >> 16) & 0xff] ^ Td2[(s2 >>  8) & 0xff] ^ Td3[s1 & 0xff] ^ rk[ 4];
+    t1 = Td0[s1 >> 24] ^ Td1[(s0 >> 16) & 0xff] ^ Td2[(s3 >>  8) & 0xff] ^ Td3[s2 & 0xff] ^ rk[ 5];
+    t2 = Td0[s2 >> 24] ^ Td1[(s1 >> 16) & 0xff] ^ Td2[(s0 >>  8) & 0xff] ^ Td3[s3 & 0xff] ^ rk[ 6];
+    t3 = Td0[s3 >> 24] ^ Td1[(s2 >> 16) & 0xff] ^ Td2[(s1 >>  8) & 0xff] ^ Td3[s0 & 0xff] ^ rk[ 7];
+    /* round 2: */
+    s0 = Td0[t0 >> 24] ^ Td1[(t3 >> 16) & 0xff] ^ Td2[(t2 >>  8) & 0xff] ^ Td3[t1 & 0xff] ^ rk[ 8];
+    s1 = Td0[t1 >> 24] ^ Td1[(t0 >> 16) & 0xff] ^ Td2[(t3 >>  8) & 0xff] ^ Td3[t2 & 0xff] ^ rk[ 9];
+    s2 = Td0[t2 >> 24] ^ Td1[(t1 >> 16) & 0xff] ^ Td2[(t0 >>  8) & 0xff] ^ Td3[t3 & 0xff] ^ rk[10];
+    s3 = Td0[t3 >> 24] ^ Td1[(t2 >> 16) & 0xff] ^ Td2[(t1 >>  8) & 0xff] ^ Td3[t0 & 0xff] ^ rk[11];
+    /* round 3: */
+    t0 = Td0[s0 >> 24] ^ Td1[(s3 >> 16) & 0xff] ^ Td2[(s2 >>  8) & 0xff] ^ Td3[s1 & 0xff] ^ rk[12];
+    t1 = Td0[s1 >> 24] ^ Td1[(s0 >> 16) & 0xff] ^ Td2[(s3 >>  8) & 0xff] ^ Td3[s2 & 0xff] ^ rk[13];
+    t2 = Td0[s2 >> 24] ^ Td1[(s1 >> 16) & 0xff] ^ Td2[(s0 >>  8) & 0xff] ^ Td3[s3 & 0xff] ^ rk[14];
+    t3 = Td0[s3 >> 24] ^ Td1[(s2 >> 16) & 0xff] ^ Td2[(s1 >>  8) & 0xff] ^ Td3[s0 & 0xff] ^ rk[15];
+    /* round 4: */
+    s0 = Td0[t0 >> 24] ^ Td1[(t3 >> 16) & 0xff] ^ Td2[(t2 >>  8) & 0xff] ^ Td3[t1 & 0xff] ^ rk[16];
+    s1 = Td0[t1 >> 24] ^ Td1[(t0 >> 16) & 0xff] ^ Td2[(t3 >>  8) & 0xff] ^ Td3[t2 & 0xff] ^ rk[17];
+    s2 = Td0[t2 >> 24] ^ Td1[(t1 >> 16) & 0xff] ^ Td2[(t0 >>  8) & 0xff] ^ Td3[t3 & 0xff] ^ rk[18];
+    s3 = Td0[t3 >> 24] ^ Td1[(t2 >> 16) & 0xff] ^ Td2[(t1 >>  8) & 0xff] ^ Td3[t0 & 0xff] ^ rk[19];
+    /* round 5: */
+    t0 = Td0[s0 >> 24] ^ Td1[(s3 >> 16) & 0xff] ^ Td2[(s2 >>  8) & 0xff] ^ Td3[s1 & 0xff] ^ rk[20];
+    t1 = Td0[s1 >> 24] ^ Td1[(s0 >> 16) & 0xff] ^ Td2[(s3 >>  8) & 0xff] ^ Td3[s2 & 0xff] ^ rk[21];
+    t2 = Td0[s2 >> 24] ^ Td1[(s1 >> 16) & 0xff] ^ Td2[(s0 >>  8) & 0xff] ^ Td3[s3 & 0xff] ^ rk[22];
+    t3 = Td0[s3 >> 24] ^ Td1[(s2 >> 16) & 0xff] ^ Td2[(s1 >>  8) & 0xff] ^ Td3[s0 & 0xff] ^ rk[23];
+    /* round 6: */
+    s0 = Td0[t0 >> 24] ^ Td1[(t3 >> 16) & 0xff] ^ Td2[(t2 >>  8) & 0xff] ^ Td3[t1 & 0xff] ^ rk[24];
+    s1 = Td0[t1 >> 24] ^ Td1[(t0 >> 16) & 0xff] ^ Td2[(t3 >>  8) & 0xff] ^ Td3[t2 & 0xff] ^ rk[25];
+    s2 = Td0[t2 >> 24] ^ Td1[(t1 >> 16) & 0xff] ^ Td2[(t0 >>  8) & 0xff] ^ Td3[t3 & 0xff] ^ rk[26];
+    s3 = Td0[t3 >> 24] ^ Td1[(t2 >> 16) & 0xff] ^ Td2[(t1 >>  8) & 0xff] ^ Td3[t0 & 0xff] ^ rk[27];
+    /* round 7: */
+    t0 = Td0[s0 >> 24] ^ Td1[(s3 >> 16) & 0xff] ^ Td2[(s2 >>  8) & 0xff] ^ Td3[s1 & 0xff] ^ rk[28];
+    t1 = Td0[s1 >> 24] ^ Td1[(s0 >> 16) & 0xff] ^ Td2[(s3 >>  8) & 0xff] ^ Td3[s2 & 0xff] ^ rk[29];
+    t2 = Td0[s2 >> 24] ^ Td1[(s1 >> 16) & 0xff] ^ Td2[(s0 >>  8) & 0xff] ^ Td3[s3 & 0xff] ^ rk[30];
+    t3 = Td0[s3 >> 24] ^ Td1[(s2 >> 16) & 0xff] ^ Td2[(s1 >>  8) & 0xff] ^ Td3[s0 & 0xff] ^ rk[31];
+    /* round 8: */
+    s0 = Td0[t0 >> 24] ^ Td1[(t3 >> 16) & 0xff] ^ Td2[(t2 >>  8) & 0xff] ^ Td3[t1 & 0xff] ^ rk[32];
+    s1 = Td0[t1 >> 24] ^ Td1[(t0 >> 16) & 0xff] ^ Td2[(t3 >>  8) & 0xff] ^ Td3[t2 & 0xff] ^ rk[33];
+    s2 = Td0[t2 >> 24] ^ Td1[(t1 >> 16) & 0xff] ^ Td2[(t0 >>  8) & 0xff] ^ Td3[t3 & 0xff] ^ rk[34];
+    s3 = Td0[t3 >> 24] ^ Td1[(t2 >> 16) & 0xff] ^ Td2[(t1 >>  8) & 0xff] ^ Td3[t0 & 0xff] ^ rk[35];
+    /* round 9: */
+    t0 = Td0[s0 >> 24] ^ Td1[(s3 >> 16) & 0xff] ^ Td2[(s2 >>  8) & 0xff] ^ Td3[s1 & 0xff] ^ rk[36];
+    t1 = Td0[s1 >> 24] ^ Td1[(s0 >> 16) & 0xff] ^ Td2[(s3 >>  8) & 0xff] ^ Td3[s2 & 0xff] ^ rk[37];
+    t2 = Td0[s2 >> 24] ^ Td1[(s1 >> 16) & 0xff] ^ Td2[(s0 >>  8) & 0xff] ^ Td3[s3 & 0xff] ^ rk[38];
+    t3 = Td0[s3 >> 24] ^ Td1[(s2 >> 16) & 0xff] ^ Td2[(s1 >>  8) & 0xff] ^ Td3[s0 & 0xff] ^ rk[39];
+    if (Nr > 10) {
+        /* round 10: */
+        s0 = Td0[t0 >> 24] ^ Td1[(t3 >> 16) & 0xff] ^ Td2[(t2 >>  8) & 0xff] ^ Td3[t1 & 0xff] ^ rk[40];
+        s1 = Td0[t1 >> 24] ^ Td1[(t0 >> 16) & 0xff] ^ Td2[(t3 >>  8) & 0xff] ^ Td3[t2 & 0xff] ^ rk[41];
+        s2 = Td0[t2 >> 24] ^ Td1[(t1 >> 16) & 0xff] ^ Td2[(t0 >>  8) & 0xff] ^ Td3[t3 & 0xff] ^ rk[42];
+        s3 = Td0[t3 >> 24] ^ Td1[(t2 >> 16) & 0xff] ^ Td2[(t1 >>  8) & 0xff] ^ Td3[t0 & 0xff] ^ rk[43];
+        /* round 11: */
+        t0 = Td0[s0 >> 24] ^ Td1[(s3 >> 16) & 0xff] ^ Td2[(s2 >>  8) & 0xff] ^ Td3[s1 & 0xff] ^ rk[44];
+        t1 = Td0[s1 >> 24] ^ Td1[(s0 >> 16) & 0xff] ^ Td2[(s3 >>  8) & 0xff] ^ Td3[s2 & 0xff] ^ rk[45];
+        t2 = Td0[s2 >> 24] ^ Td1[(s1 >> 16) & 0xff] ^ Td2[(s0 >>  8) & 0xff] ^ Td3[s3 & 0xff] ^ rk[46];
+        t3 = Td0[s3 >> 24] ^ Td1[(s2 >> 16) & 0xff] ^ Td2[(s1 >>  8) & 0xff] ^ Td3[s0 & 0xff] ^ rk[47];
+        if (Nr > 12) {
+            /* round 12: */
+            s0 = Td0[t0 >> 24] ^ Td1[(t3 >> 16) & 0xff] ^ Td2[(t2 >>  8) & 0xff] ^ Td3[t1 & 0xff] ^ rk[48];
+            s1 = Td0[t1 >> 24] ^ Td1[(t0 >> 16) & 0xff] ^ Td2[(t3 >>  8) & 0xff] ^ Td3[t2 & 0xff] ^ rk[49];
+            s2 = Td0[t2 >> 24] ^ Td1[(t1 >> 16) & 0xff] ^ Td2[(t0 >>  8) & 0xff] ^ Td3[t3 & 0xff] ^ rk[50];
+            s3 = Td0[t3 >> 24] ^ Td1[(t2 >> 16) & 0xff] ^ Td2[(t1 >>  8) & 0xff] ^ Td3[t0 & 0xff] ^ rk[51];
+            /* round 13: */
+            t0 = Td0[s0 >> 24] ^ Td1[(s3 >> 16) & 0xff] ^ Td2[(s2 >>  8) & 0xff] ^ Td3[s1 & 0xff] ^ rk[52];
+            t1 = Td0[s1 >> 24] ^ Td1[(s0 >> 16) & 0xff] ^ Td2[(s3 >>  8) & 0xff] ^ Td3[s2 & 0xff] ^ rk[53];
+            t2 = Td0[s2 >> 24] ^ Td1[(s1 >> 16) & 0xff] ^ Td2[(s0 >>  8) & 0xff] ^ Td3[s3 & 0xff] ^ rk[54];
+            t3 = Td0[s3 >> 24] ^ Td1[(s2 >> 16) & 0xff] ^ Td2[(s1 >>  8) & 0xff] ^ Td3[s0 & 0xff] ^ rk[55];
+        }
+    }
+        rk += Nr << 2;
+#else  /* !FULL_UNROLL */
+    /*
+     * Nr - 1 full rounds:
+     */
+    r = Nr >> 1;
+    for (;;) {
+        t0 =
+            Td0[(s0 >> 24)       ] ^
+            Td1[(s3 >> 16) & 0xff] ^
+            Td2[(s2 >>  8) & 0xff] ^
+            Td3[(s1      ) & 0xff] ^
+            rk[4];
+        t1 =
+            Td0[(s1 >> 24)       ] ^
+            Td1[(s0 >> 16) & 0xff] ^
+            Td2[(s3 >>  8) & 0xff] ^
+            Td3[(s2      ) & 0xff] ^
+            rk[5];
+        t2 =
+            Td0[(s2 >> 24)       ] ^
+            Td1[(s1 >> 16) & 0xff] ^
+            Td2[(s0 >>  8) & 0xff] ^
+            Td3[(s3      ) & 0xff] ^
+            rk[6];
+        t3 =
+            Td0[(s3 >> 24)       ] ^
+            Td1[(s2 >> 16) & 0xff] ^
+            Td2[(s1 >>  8) & 0xff] ^
+            Td3[(s0      ) & 0xff] ^
+            rk[7];
+
+        rk += 8;
+        if (--r == 0) {
+            break;
+        }
+
+        s0 =
+            Td0[(t0 >> 24)       ] ^
+            Td1[(t3 >> 16) & 0xff] ^
+            Td2[(t2 >>  8) & 0xff] ^
+            Td3[(t1      ) & 0xff] ^
+            rk[0];
+        s1 =
+            Td0[(t1 >> 24)       ] ^
+            Td1[(t0 >> 16) & 0xff] ^
+            Td2[(t3 >>  8) & 0xff] ^
+            Td3[(t2      ) & 0xff] ^
+            rk[1];
+        s2 =
+            Td0[(t2 >> 24)       ] ^
+            Td1[(t1 >> 16) & 0xff] ^
+            Td2[(t0 >>  8) & 0xff] ^
+            Td3[(t3      ) & 0xff] ^
+            rk[2];
+        s3 =
+            Td0[(t3 >> 24)       ] ^
+            Td1[(t2 >> 16) & 0xff] ^
+            Td2[(t1 >>  8) & 0xff] ^
+            Td3[(t0      ) & 0xff] ^
+            rk[3];
+    }
+#endif /* ?FULL_UNROLL */
+    /*
+         * apply last round and
+         * map cipher state to byte array block:
+         */
+        s0 =
+                (Td4[(t0 >> 24)       ] & 0xff000000) ^
+                (Td4[(t3 >> 16) & 0xff] & 0x00ff0000) ^
+                (Td4[(t2 >>  8) & 0xff] & 0x0000ff00) ^
+                (Td4[(t1      ) & 0xff] & 0x000000ff) ^
+                rk[0];
+        PUTU32(pt     , s0);
+        s1 =
+                (Td4[(t1 >> 24)       ] & 0xff000000) ^
+                (Td4[(t0 >> 16) & 0xff] & 0x00ff0000) ^
+                (Td4[(t3 >>  8) & 0xff] & 0x0000ff00) ^
+                (Td4[(t2      ) & 0xff] & 0x000000ff) ^
+                rk[1];
+        PUTU32(pt +  4, s1);
+        s2 =
+                (Td4[(t2 >> 24)       ] & 0xff000000) ^
+                (Td4[(t1 >> 16) & 0xff] & 0x00ff0000) ^
+                (Td4[(t0 >>  8) & 0xff] & 0x0000ff00) ^
+                (Td4[(t3      ) & 0xff] & 0x000000ff) ^
+                rk[2];
+        PUTU32(pt +  8, s2);
+        s3 =
+                (Td4[(t3 >> 24)       ] & 0xff000000) ^
+                (Td4[(t2 >> 16) & 0xff] & 0x00ff0000) ^
+                (Td4[(t1 >>  8) & 0xff] & 0x0000ff00) ^
+                (Td4[(t0      ) & 0xff] & 0x000000ff) ^
+                rk[3];
+        PUTU32(pt + 12, s3);
+}
+
+#ifdef INTERMEDIATE_VALUE_KAT
+
+void rijndaelEncryptRound(const u32 rk[/*4*(Nr + 1)*/], int Nr, u8 block[16], int rounds) {
+        int r;
+        u32 s0, s1, s2, s3, t0, t1, t2, t3;
+
+    /*
+         * map byte array block to cipher state
+         * and add initial round key:
+         */
+        s0 = GETU32(block     ) ^ rk[0];
+        s1 = GETU32(block +  4) ^ rk[1];
+        s2 = GETU32(block +  8) ^ rk[2];
+        s3 = GETU32(block + 12) ^ rk[3];
+    rk += 4;
+
+    /*
+         * Nr - 1 full rounds:
+         */
+        for (r = (rounds < Nr ? rounds : Nr - 1); r > 0; r--) {
+                t0 =
+                        Te0[(s0 >> 24)       ] ^
+                        Te1[(s1 >> 16) & 0xff] ^
+                        Te2[(s2 >>  8) & 0xff] ^
+                        Te3[(s3      ) & 0xff] ^
+                        rk[0];
+                t1 =
+                        Te0[(s1 >> 24)       ] ^
+                        Te1[(s2 >> 16) & 0xff] ^
+                        Te2[(s3 >>  8) & 0xff] ^
+                        Te3[(s0      ) & 0xff] ^
+                        rk[1];
+                t2 =
+                        Te0[(s2 >> 24)       ] ^
+                        Te1[(s3 >> 16) & 0xff] ^
+                        Te2[(s0 >>  8) & 0xff] ^
+                        Te3[(s1      ) & 0xff] ^
+                        rk[2];
+                t3 =
+                        Te0[(s3 >> 24)       ] ^
+                        Te1[(s0 >> 16) & 0xff] ^
+                        Te2[(s1 >>  8) & 0xff] ^
+                        Te3[(s2      ) & 0xff] ^
+                        rk[3];
+
+                s0 = t0;
+                s1 = t1;
+                s2 = t2;
+                s3 = t3;
+                rk += 4;
+
+    }
+
+    /*
+         * apply last round and
+         * map cipher state to byte array block:
+         */
+        if (rounds == Nr) {
+        t0 =
+                (Te4[(s0 >> 24)       ] & 0xff000000) ^
+                (Te4[(s1 >> 16) & 0xff] & 0x00ff0000) ^
+                (Te4[(s2 >>  8) & 0xff] & 0x0000ff00) ^
+                (Te4[(s3      ) & 0xff] & 0x000000ff) ^
+                rk[0];
+        t1 =
+                (Te4[(s1 >> 24)       ] & 0xff000000) ^
+                (Te4[(s2 >> 16) & 0xff] & 0x00ff0000) ^
+                (Te4[(s3 >>  8) & 0xff] & 0x0000ff00) ^
+                (Te4[(s0      ) & 0xff] & 0x000000ff) ^
+                rk[1];
+        t2 =
+                (Te4[(s2 >> 24)       ] & 0xff000000) ^
+                (Te4[(s3 >> 16) & 0xff] & 0x00ff0000) ^
+                (Te4[(s0 >>  8) & 0xff] & 0x0000ff00) ^
+                (Te4[(s1      ) & 0xff] & 0x000000ff) ^
+                rk[2];
+        t3 =
+                (Te4[(s3 >> 24)       ] & 0xff000000) ^
+                (Te4[(s0 >> 16) & 0xff] & 0x00ff0000) ^
+                (Te4[(s1 >>  8) & 0xff] & 0x0000ff00) ^
+                (Te4[(s2      ) & 0xff] & 0x000000ff) ^
+                rk[3];
+                
+                s0 = t0;
+                s1 = t1;
+                s2 = t2;
+                s3 = t3;
+        }
+
+        PUTU32(block     , s0);
+        PUTU32(block +  4, s1);
+        PUTU32(block +  8, s2);
+        PUTU32(block + 12, s3);
+}
+
+void rijndaelDecryptRound(const u32 rk[/*4*(Nr + 1)*/], int Nr, u8 block[16], int rounds) {
+        int r;
+        u32 s0, s1, s2, s3, t0, t1, t2, t3;
+
+    /*
+         * map byte array block to cipher state
+         * and add initial round key:
+         */
+        s0 = GETU32(block     ) ^ rk[0];
+        s1 = GETU32(block +  4) ^ rk[1];
+        s2 = GETU32(block +  8) ^ rk[2];
+        s3 = GETU32(block + 12) ^ rk[3];
+    rk += 4;
+
+    /*
+         * Nr - 1 full rounds:
+         */
+        for (r = (rounds < Nr ? rounds : Nr) - 1; r > 0; r--) {
+                t0 =
+                        Td0[(s0 >> 24)       ] ^
+                        Td1[(s3 >> 16) & 0xff] ^
+                        Td2[(s2 >>  8) & 0xff] ^
+                        Td3[(s1      ) & 0xff] ^
+                        rk[0];
+                t1 =
+                        Td0[(s1 >> 24)       ] ^
+                        Td1[(s0 >> 16) & 0xff] ^
+                        Td2[(s3 >>  8) & 0xff] ^
+                        Td3[(s2      ) & 0xff] ^
+                        rk[1];
+                t2 =
+                        Td0[(s2 >> 24)       ] ^
+                        Td1[(s1 >> 16) & 0xff] ^
+                        Td2[(s0 >>  8) & 0xff] ^
+                        Td3[(s3      ) & 0xff] ^
+                        rk[2];
+                t3 =
+                        Td0[(s3 >> 24)       ] ^
+                        Td1[(s2 >> 16) & 0xff] ^
+                        Td2[(s1 >>  8) & 0xff] ^
+                        Td3[(s0      ) & 0xff] ^
+                        rk[3];
+
+                s0 = t0;
+                s1 = t1;
+                s2 = t2;
+                s3 = t3;
+                rk += 4;
+
+    }
+
+    /*
+         * complete the last round and
+         * map cipher state to byte array block:
+         */
+        t0 =
+                (Td4[(s0 >> 24)       ] & 0xff000000) ^
+                (Td4[(s3 >> 16) & 0xff] & 0x00ff0000) ^
+                (Td4[(s2 >>  8) & 0xff] & 0x0000ff00) ^
+                (Td4[(s1      ) & 0xff] & 0x000000ff);
+        t1 =
+                (Td4[(s1 >> 24)       ] & 0xff000000) ^
+                (Td4[(s0 >> 16) & 0xff] & 0x00ff0000) ^
+                (Td4[(s3 >>  8) & 0xff] & 0x0000ff00) ^
+                (Td4[(s2      ) & 0xff] & 0x000000ff);
+        t2 =
+                (Td4[(s2 >> 24)       ] & 0xff000000) ^
+                (Td4[(s1 >> 16) & 0xff] & 0x00ff0000) ^
+                (Td4[(s0 >>  8) & 0xff] & 0x0000ff00) ^
+                (Td4[(s3      ) & 0xff] & 0x000000ff);
+        t3 =
+                (Td4[(s3 >> 24)       ] & 0xff000000) ^
+                (Td4[(s2 >> 16) & 0xff] & 0x00ff0000) ^
+                (Td4[(s1 >>  8) & 0xff] & 0x0000ff00) ^
+                (Td4[(s0      ) & 0xff] & 0x000000ff);
+
+        if (rounds == Nr) {
+            t0 ^= rk[0];
+            t1 ^= rk[1];
+            t2 ^= rk[2];
+            t3 ^= rk[3];
+        }
+
+        PUTU32(block     , t0);
+        PUTU32(block +  4, t1);
+        PUTU32(block +  8, t2);
+        PUTU32(block + 12, t3);
+}
+
+#endif /* INTERMEDIATE_VALUE_KAT */
diff --git a/src/lib/libcrypto/rijndael/rd_fst.h b/src/lib/libcrypto/rijndael/rd_fst.h
new file mode 100644
index 0000000000..fcace29478
--- /dev/null
+++ b/src/lib/libcrypto/rijndael/rd_fst.h
@@ -0,0 +1,42 @@
+/**
+ * rijndael-alg-fst.h
+ *
+ * @version 3.0 (December 2000)
+ *
+ * Optimised ANSI C code for the Rijndael cipher (now AES)
+ *
+ * @author Vincent Rijmen <vincent.rijmen@esat.kuleuven.ac.be>
+ * @author Antoon Bosselaers <antoon.bosselaers@esat.kuleuven.ac.be>
+ * @author Paulo Barreto <paulo.barreto@terra.com.br>
+ *
+ * This code is hereby placed in the public domain.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS
+ * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+ * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
+ * EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+#ifndef __RIJNDAEL_ALG_FST_H
+#define __RIJNDAEL_ALG_FST_H
+
+#define MAXKC   (256/32)
+#define MAXKB   (256/8)
+#define MAXNR   14
+
+typedef unsigned char   u8;     
+typedef unsigned short  u16;    
+typedef unsigned int    u32;
+
+int rijndaelKeySetupEnc(u32 rk[/*4*(Nr + 1)*/], const u8 cipherKey[], int keyBits);
+int rijndaelKeySetupDec(u32 rk[/*4*(Nr + 1)*/], const u8 cipherKey[], int keyBits);
+void rijndaelEncrypt(const u32 rk[/*4*(Nr + 1)*/], int Nr, const u8 pt[16], u8 ct[16]);
+void rijndaelDecrypt(const u32 rk[/*4*(Nr + 1)*/], int Nr, const u8 ct[16], u8 pt[16]);
+
+#endif /* __RIJNDAEL_ALG_FST_H */
diff --git a/src/lib/libcrypto/rijndael/rijndael.h b/src/lib/libcrypto/rijndael/rijndael.h
new file mode 100644
index 0000000000..72edcc2942
--- /dev/null
+++ b/src/lib/libcrypto/rijndael/rijndael.h
@@ -0,0 +1,7 @@
+#include "openssl/rd_fst.h"
+
+typedef struct
+    {
+    u32 rd_key[4 *(MAXNR + 1)];
+    int rounds;
+    } RIJNDAEL_KEY;
diff --git a/src/lib/libcrypto/ripemd/Makefile.ssl b/src/lib/libcrypto/ripemd/Makefile.ssl
index 1550c32ca1..a3a6563a5b 100644
--- a/src/lib/libcrypto/ripemd/Makefile.ssl
+++ b/src/lib/libcrypto/ripemd/Makefile.ssl
@@ -12,7 +12,8 @@ INSTALL_PREFIX=
 OPENSSLDIR=     /usr/local/ssl
 INSTALLTOP=/usr/local/ssl
 MAKE=           make -f Makefile.ssl
-MAKEDEPEND=     $(TOP)/util/domd $(TOP)
+MAKEDEPPROG=    makedepend
+MAKEDEPEND=     $(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)
 MAKEFILE=       Makefile.ssl
 AR=             ar r
 
@@ -42,8 +43,7 @@ all:    lib
 
 lib:    $(LIBOBJ)
         $(AR) $(LIB) $(LIBOBJ)
-        @echo You may get an error following this line.  Please ignore.
-        - $(RANLIB) $(LIB)
+        $(RANLIB) $(LIB) || echo Never mind.
         @touch lib
 
 # elf
@@ -103,7 +103,8 @@ clean:
 
 # DO NOT DELETE THIS LINE -- make depend depends on it.
 
-rmd_dgst.o: ../../include/openssl/opensslconf.h
+rmd_dgst.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h
 rmd_dgst.o: ../../include/openssl/opensslv.h ../../include/openssl/ripemd.h
-rmd_dgst.o: ../md32_common.h rmd_locl.h rmdconst.h
-rmd_one.o: ../../include/openssl/ripemd.h
+rmd_dgst.o: ../md32_common.h rmd_dgst.c rmd_locl.h rmdconst.h
+rmd_one.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h
+rmd_one.o: ../../include/openssl/ripemd.h rmd_one.c
diff --git a/src/lib/libcrypto/ripemd/ripemd.h b/src/lib/libcrypto/ripemd/ripemd.h
index dd1627cf40..78d5f36560 100644
--- a/src/lib/libcrypto/ripemd/ripemd.h
+++ b/src/lib/libcrypto/ripemd/ripemd.h
@@ -59,17 +59,19 @@
 #ifndef HEADER_RIPEMD_H
 #define HEADER_RIPEMD_H
 
+#include <openssl/e_os2.h>
+
 #ifdef  __cplusplus
 extern "C" {
 #endif
 
-#ifdef NO_RIPEMD
+#ifdef OPENSSL_NO_RIPEMD
 #error RIPEMD is disabled.
 #endif
 
-#if defined(WIN16) || defined(__LP32__)
+#if defined(OPENSSL_SYS_WIN16) || defined(__LP32__)
 #define RIPEMD160_LONG unsigned long
-#elif defined(_CRAY) || defined(__ILP64__)
+#elif defined(OPENSSL_SYS_CRAY) || defined(__ILP64__)
 #define RIPEMD160_LONG unsigned long
 #define RIPEMD160_LONG_LOG2 3
 #else
@@ -88,9 +90,9 @@ typedef struct RIPEMD160state_st
         int num;
         } RIPEMD160_CTX;
 
-void RIPEMD160_Init(RIPEMD160_CTX *c);
-void RIPEMD160_Update(RIPEMD160_CTX *c, const void *data, unsigned long len);
-void RIPEMD160_Final(unsigned char *md, RIPEMD160_CTX *c);
+int RIPEMD160_Init(RIPEMD160_CTX *c);
+int RIPEMD160_Update(RIPEMD160_CTX *c, const void *data, unsigned long len);
+int RIPEMD160_Final(unsigned char *md, RIPEMD160_CTX *c);
 unsigned char *RIPEMD160(const unsigned char *d, unsigned long n,
         unsigned char *md);
 void RIPEMD160_Transform(RIPEMD160_CTX *c, const unsigned char *b);
diff --git a/src/lib/libcrypto/ripemd/rmd_dgst.c b/src/lib/libcrypto/ripemd/rmd_dgst.c
index bdfae270b6..a3170f7c8a 100644
--- a/src/lib/libcrypto/ripemd/rmd_dgst.c
+++ b/src/lib/libcrypto/ripemd/rmd_dgst.c
@@ -69,7 +69,7 @@ const char *RMD160_version="RIPE-MD160" OPENSSL_VERSION_PTEXT;
      void ripemd160_block(RIPEMD160_CTX *c, unsigned long *p,int num);
 #  endif
 
-void RIPEMD160_Init(RIPEMD160_CTX *c)
+int RIPEMD160_Init(RIPEMD160_CTX *c)
         {
         c->A=RIPEMD160_A;
         c->B=RIPEMD160_B;
@@ -79,6 +79,7 @@ void RIPEMD160_Init(RIPEMD160_CTX *c)
         c->Nl=0;
         c->Nh=0;
         c->num=0;
+        return 1;
         }
 
 #ifndef ripemd160_block_host_order
diff --git a/src/lib/libcrypto/ripemd/rmd_locl.h b/src/lib/libcrypto/ripemd/rmd_locl.h
index f537b88867..7b835dfbd4 100644
--- a/src/lib/libcrypto/ripemd/rmd_locl.h
+++ b/src/lib/libcrypto/ripemd/rmd_locl.h
@@ -71,7 +71,7 @@
  *                                      <appro@fy.chalmers.se>
  */
 #ifdef RMD160_ASM
-# if defined(__i386) || defined(_M_IX86) || defined(__INTEL__)
+# if defined(__i386) || defined(__i386__) || defined(_M_IX86) || defined(__INTEL__)
 #  define ripemd160_block_host_order ripemd160_block_asm_host_order
 # endif
 #endif
@@ -79,7 +79,7 @@
 void ripemd160_block_host_order (RIPEMD160_CTX *c, const void *p,int num);
 void ripemd160_block_data_order (RIPEMD160_CTX *c, const void *p,int num);
 
-#if defined(__i386) || defined(_M_IX86) || defined(__INTEL__)
+#if defined(__i386) || defined(__i386__) || defined(_M_IX86) || defined(__INTEL__)
 #define ripemd160_block_data_order ripemd160_block_host_order
 #endif
 
diff --git a/src/lib/libcrypto/ripemd/rmdtest.c b/src/lib/libcrypto/ripemd/rmdtest.c
index 5d79c99725..19e9741db2 100644
--- a/src/lib/libcrypto/ripemd/rmdtest.c
+++ b/src/lib/libcrypto/ripemd/rmdtest.c
@@ -59,15 +59,16 @@
 #include <stdio.h>
 #include <string.h>
 #include <stdlib.h>
+#include <openssl/ripemd.h>
 
-#ifdef NO_RIPEMD
+#ifdef OPENSSL_NO_RIPEMD
 int main(int argc, char *argv[])
 {
     printf("No ripemd support\n");
     return(0);
 }
 #else
-#include <openssl/ripemd.h>
+#include <openssl/evp.h>
 
 #ifdef CHARSET_EBCDIC
 #include <openssl/ebcdic.h>
@@ -102,6 +103,7 @@ int main(int argc, char *argv[])
         int i,err=0;
         unsigned char **P,**R;
         char *p;
+        unsigned char md[RIPEMD160_DIGEST_LENGTH];
 
         P=(unsigned char **)test;
         R=(unsigned char **)ret;
@@ -111,7 +113,8 @@ int main(int argc, char *argv[])
 #ifdef CHARSET_EBCDIC
                 ebcdic2ascii((char *)*P, (char *)*P, strlen((char *)*P));
 #endif
-                p=pt(RIPEMD160(&(P[0][0]),(unsigned long)strlen((char *)*P),NULL));
+                EVP_Digest(&(P[0][0]),(unsigned long)strlen((char *)*P),md,NULL,EVP_ripemd160(), NULL);
+                p=pt(md);
                 if (strcmp(p,(char *)*R) != 0)
                         {
                         printf("error calculating RIPEMD160 on '%s'\n",*P);
diff --git a/src/lib/libcrypto/rsa/Makefile.ssl b/src/lib/libcrypto/rsa/Makefile.ssl
index 2bee181d4e..8a9f7cbe0c 100644
--- a/src/lib/libcrypto/rsa/Makefile.ssl
+++ b/src/lib/libcrypto/rsa/Makefile.ssl
@@ -5,13 +5,14 @@
 DIR=    rsa
 TOP=    ../..
 CC=     cc
-INCLUDES= -I.. -I../../include
+INCLUDES= -I.. -I$(TOP) -I../../include
 CFLAG=-g
 INSTALL_PREFIX=
 OPENSSLDIR=     /usr/local/ssl
 INSTALLTOP=/usr/local/ssl
 MAKE=           make -f Makefile.ssl
-MAKEDEPEND=     $(TOP)/util/domd $(TOP)
+MAKEDEPPROG=    makedepend
+MAKEDEPEND=     $(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)
 MAKEFILE=       Makefile.ssl
 AR=             ar r
 
@@ -23,9 +24,11 @@ APPS=
 
 LIB=$(TOP)/libcrypto.a
 LIBSRC= rsa_eay.c rsa_gen.c rsa_lib.c rsa_sign.c rsa_saos.c rsa_err.c \
-        rsa_pk1.c rsa_ssl.c rsa_none.c rsa_oaep.c rsa_chk.c rsa_null.c
+        rsa_pk1.c rsa_ssl.c rsa_none.c rsa_oaep.c rsa_chk.c rsa_null.c \
+        rsa_asn1.c
 LIBOBJ= rsa_eay.o rsa_gen.o rsa_lib.o rsa_sign.o rsa_saos.o rsa_err.o \
-        rsa_pk1.o rsa_ssl.o rsa_none.o rsa_oaep.o rsa_chk.o rsa_null.o
+        rsa_pk1.o rsa_ssl.o rsa_none.o rsa_oaep.o rsa_chk.o rsa_null.o \
+        rsa_asn1.o
 
 SRC= $(LIBSRC)
 
@@ -41,8 +44,7 @@ all:	lib
 
 lib:    $(LIBOBJ)
         $(AR) $(LIB) $(LIBOBJ)
-        @echo You may get an error following this line.  Please ignore.
-        - $(RANLIB) $(LIB)
+        $(RANLIB) $(LIB) || echo Never mind.
         @touch lib
 
 files:
@@ -81,141 +83,137 @@ clean:
 
 # DO NOT DELETE THIS LINE -- make depend depends on it.
 
-rsa_chk.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
-rsa_chk.o: ../../include/openssl/crypto.h ../../include/openssl/err.h
+rsa_asn1.o: ../../e_os.h ../../include/openssl/asn1.h
+rsa_asn1.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
+rsa_asn1.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+rsa_asn1.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+rsa_asn1.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+rsa_asn1.o: ../../include/openssl/opensslconf.h
+rsa_asn1.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+rsa_asn1.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+rsa_asn1.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+rsa_asn1.o: ../cryptlib.h rsa_asn1.c
+rsa_chk.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+rsa_chk.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h
+rsa_chk.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 rsa_chk.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-rsa_chk.o: ../../include/openssl/opensslv.h ../../include/openssl/rsa.h
-rsa_chk.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-rsa_chk.o: ../../include/openssl/symhacks.h
-rsa_eay.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-rsa_eay.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-rsa_eay.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-rsa_eay.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+rsa_chk.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+rsa_chk.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+rsa_chk.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+rsa_chk.o: rsa_chk.c
+rsa_eay.o: ../../e_os.h ../../include/openssl/asn1.h
+rsa_eay.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+rsa_eay.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 rsa_eay.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-rsa_eay.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-rsa_eay.o: ../../include/openssl/engine.h ../../include/openssl/err.h
-rsa_eay.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-rsa_eay.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-rsa_eay.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-rsa_eay.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
-rsa_eay.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-rsa_eay.o: ../../include/openssl/opensslv.h ../../include/openssl/rand.h
-rsa_eay.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-rsa_eay.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+rsa_eay.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
+rsa_eay.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+rsa_eay.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+rsa_eay.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
 rsa_eay.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-rsa_eay.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-rsa_eay.o: ../../include/openssl/symhacks.h ../cryptlib.h
-rsa_err.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
-rsa_err.o: ../../include/openssl/crypto.h ../../include/openssl/err.h
+rsa_eay.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+rsa_eay.o: ../../include/openssl/ui.h ../cryptlib.h rsa_eay.c
+rsa_err.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+rsa_err.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h
+rsa_err.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 rsa_err.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-rsa_err.o: ../../include/openssl/opensslv.h ../../include/openssl/rsa.h
-rsa_err.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-rsa_err.o: ../../include/openssl/symhacks.h
+rsa_err.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+rsa_err.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+rsa_err.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+rsa_err.o: rsa_err.c
+rsa_gen.o: ../../e_os.h ../../include/openssl/asn1.h
 rsa_gen.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
 rsa_gen.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-rsa_gen.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-rsa_gen.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
-rsa_gen.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+rsa_gen.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+rsa_gen.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
+rsa_gen.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 rsa_gen.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
 rsa_gen.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-rsa_gen.o: ../cryptlib.h
-rsa_lib.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-rsa_lib.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-rsa_lib.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-rsa_lib.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+rsa_gen.o: ../cryptlib.h rsa_gen.c
+rsa_lib.o: ../../e_os.h ../../include/openssl/asn1.h
+rsa_lib.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+rsa_lib.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 rsa_lib.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-rsa_lib.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-rsa_lib.o: ../../include/openssl/engine.h ../../include/openssl/err.h
-rsa_lib.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-rsa_lib.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-rsa_lib.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-rsa_lib.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
-rsa_lib.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-rsa_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/rand.h
-rsa_lib.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-rsa_lib.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+rsa_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
+rsa_lib.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+rsa_lib.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+rsa_lib.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
 rsa_lib.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-rsa_lib.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-rsa_lib.o: ../../include/openssl/symhacks.h ../cryptlib.h
+rsa_lib.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+rsa_lib.o: ../../include/openssl/ui.h ../cryptlib.h rsa_lib.c
+rsa_none.o: ../../e_os.h ../../include/openssl/asn1.h
 rsa_none.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
 rsa_none.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-rsa_none.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-rsa_none.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
-rsa_none.o: ../../include/openssl/opensslconf.h
-rsa_none.o: ../../include/openssl/opensslv.h ../../include/openssl/rand.h
-rsa_none.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-rsa_none.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-rsa_none.o: ../cryptlib.h
+rsa_none.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+rsa_none.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
+rsa_none.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+rsa_none.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h
+rsa_none.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+rsa_none.o: ../../include/openssl/symhacks.h ../cryptlib.h rsa_none.c
+rsa_null.o: ../../e_os.h ../../include/openssl/asn1.h
 rsa_null.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
 rsa_null.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-rsa_null.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-rsa_null.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
-rsa_null.o: ../../include/openssl/opensslconf.h
-rsa_null.o: ../../include/openssl/opensslv.h ../../include/openssl/rand.h
-rsa_null.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-rsa_null.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-rsa_null.o: ../cryptlib.h
+rsa_null.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+rsa_null.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
+rsa_null.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+rsa_null.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h
+rsa_null.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+rsa_null.o: ../../include/openssl/symhacks.h ../cryptlib.h rsa_null.c
+rsa_oaep.o: ../../e_os.h ../../include/openssl/asn1.h
 rsa_oaep.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
 rsa_oaep.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-rsa_oaep.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-rsa_oaep.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+rsa_oaep.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+rsa_oaep.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+rsa_oaep.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 rsa_oaep.o: ../../include/openssl/opensslconf.h
-rsa_oaep.o: ../../include/openssl/opensslv.h ../../include/openssl/rand.h
-rsa_oaep.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-rsa_oaep.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-rsa_oaep.o: ../../include/openssl/symhacks.h ../cryptlib.h
+rsa_oaep.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+rsa_oaep.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h
+rsa_oaep.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+rsa_oaep.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+rsa_oaep.o: ../cryptlib.h rsa_oaep.c
+rsa_pk1.o: ../../e_os.h ../../include/openssl/asn1.h
 rsa_pk1.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
 rsa_pk1.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-rsa_pk1.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-rsa_pk1.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
-rsa_pk1.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+rsa_pk1.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+rsa_pk1.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
+rsa_pk1.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 rsa_pk1.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h
 rsa_pk1.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-rsa_pk1.o: ../../include/openssl/symhacks.h ../cryptlib.h
-rsa_saos.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-rsa_saos.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-rsa_saos.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-rsa_saos.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+rsa_pk1.o: ../../include/openssl/symhacks.h ../cryptlib.h rsa_pk1.c
+rsa_saos.o: ../../e_os.h ../../include/openssl/asn1.h
+rsa_saos.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+rsa_saos.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 rsa_saos.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-rsa_saos.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-rsa_saos.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-rsa_saos.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-rsa_saos.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-rsa_saos.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+rsa_saos.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+rsa_saos.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 rsa_saos.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 rsa_saos.o: ../../include/openssl/opensslconf.h
-rsa_saos.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
-rsa_saos.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-rsa_saos.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-rsa_saos.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-rsa_saos.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-rsa_saos.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-rsa_saos.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
-rsa_sign.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-rsa_sign.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-rsa_sign.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-rsa_sign.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+rsa_saos.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+rsa_saos.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
+rsa_saos.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+rsa_saos.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+rsa_saos.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+rsa_saos.o: ../cryptlib.h rsa_saos.c
+rsa_sign.o: ../../e_os.h ../../include/openssl/asn1.h
+rsa_sign.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+rsa_sign.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 rsa_sign.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-rsa_sign.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-rsa_sign.o: ../../include/openssl/engine.h ../../include/openssl/err.h
-rsa_sign.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-rsa_sign.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-rsa_sign.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-rsa_sign.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+rsa_sign.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h
+rsa_sign.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+rsa_sign.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
 rsa_sign.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-rsa_sign.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
-rsa_sign.o: ../../include/openssl/rand.h ../../include/openssl/rc2.h
-rsa_sign.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-rsa_sign.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-rsa_sign.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-rsa_sign.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+rsa_sign.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+rsa_sign.o: ../../include/openssl/pkcs7.h ../../include/openssl/rand.h
+rsa_sign.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+rsa_sign.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+rsa_sign.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
 rsa_sign.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-rsa_sign.o: ../cryptlib.h
+rsa_sign.o: ../cryptlib.h rsa_sign.c
+rsa_ssl.o: ../../e_os.h ../../include/openssl/asn1.h
 rsa_ssl.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
 rsa_ssl.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-rsa_ssl.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-rsa_ssl.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
-rsa_ssl.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+rsa_ssl.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+rsa_ssl.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
+rsa_ssl.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 rsa_ssl.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h
 rsa_ssl.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-rsa_ssl.o: ../../include/openssl/symhacks.h ../cryptlib.h
+rsa_ssl.o: ../../include/openssl/symhacks.h ../cryptlib.h rsa_ssl.c
diff --git a/src/lib/libcrypto/rsa/rsa.h b/src/lib/libcrypto/rsa/rsa.h
index bda636a365..030a6c88e5 100644
--- a/src/lib/libcrypto/rsa/rsa.h
+++ b/src/lib/libcrypto/rsa/rsa.h
@@ -59,13 +59,16 @@
 #ifndef HEADER_RSA_H
 #define HEADER_RSA_H
 
-#ifndef NO_BIO
+#include <openssl/asn1.h>
+
+#ifndef OPENSSL_NO_BIO
 #include <openssl/bio.h>
 #endif
 #include <openssl/bn.h>
 #include <openssl/crypto.h>
+#include <openssl/ossl_typ.h>
 
-#ifdef NO_RSA
+#ifdef OPENSSL_NO_RSA
 #error RSA is disabled.
 #endif
 
@@ -78,16 +81,20 @@ typedef struct rsa_st RSA;
 typedef struct rsa_meth_st
         {
         const char *name;
-        int (*rsa_pub_enc)(int flen,unsigned char *from,unsigned char *to,
+        int (*rsa_pub_enc)(int flen,const unsigned char *from,
+                           unsigned char *to,
                            RSA *rsa,int padding);
-        int (*rsa_pub_dec)(int flen,unsigned char *from,unsigned char *to,
+        int (*rsa_pub_dec)(int flen,const unsigned char *from,
+                           unsigned char *to,
                            RSA *rsa,int padding);
-        int (*rsa_priv_enc)(int flen,unsigned char *from,unsigned char *to,
+        int (*rsa_priv_enc)(int flen,const unsigned char *from,
+                            unsigned char *to,
                             RSA *rsa,int padding);
-        int (*rsa_priv_dec)(int flen,unsigned char *from,unsigned char *to,
+        int (*rsa_priv_dec)(int flen,const unsigned char *from,
+                            unsigned char *to,
                             RSA *rsa,int padding);
-        int (*rsa_mod_exp)(BIGNUM *r0,BIGNUM *I,RSA *rsa); /* Can be null */
-        int (*bn_mod_exp)(BIGNUM *r, BIGNUM *a, const BIGNUM *p,
+        int (*rsa_mod_exp)(BIGNUM *r0,const BIGNUM *I,RSA *rsa); /* Can be null */
+        int (*bn_mod_exp)(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
                           const BIGNUM *m, BN_CTX *ctx,
                           BN_MONT_CTX *m_ctx); /* Can be null */
         int (*init)(RSA *rsa);          /* called at new */
@@ -101,10 +108,12 @@ typedef struct rsa_meth_st
  * compatibility this functionality is only enabled if the RSA_FLAG_SIGN_VER
  * option is set in 'flags'.
  */
-        int (*rsa_sign)(int type, unsigned char *m, unsigned int m_len,
-             unsigned char *sigret, unsigned int *siglen, RSA *rsa);
-        int (*rsa_verify)(int dtype, unsigned char *m, unsigned int m_len,
-             unsigned char *sigbuf, unsigned int siglen, RSA *rsa);
+        int (*rsa_sign)(int type,
+                const unsigned char *m, unsigned int m_length,
+                unsigned char *sigret, unsigned int *siglen, const RSA *rsa);
+        int (*rsa_verify)(int dtype,
+                const unsigned char *m, unsigned int m_length,
+                unsigned char *sigbuf, unsigned int siglen, const RSA *rsa);
 
         } RSA_METHOD;
 
@@ -113,12 +122,10 @@ struct rsa_st
         /* The first parameter is used to pickup errors where
          * this is passed instead of aEVP_PKEY, it is set to 0 */
         int pad;
-        int version;
-#if 0
-        RSA_METHOD *meth;
-#else
-        struct engine_st *engine;
-#endif
+        long version;
+        const RSA_METHOD *meth;
+        /* functional reference if 'meth' is ENGINE-provided */
+        ENGINE *engine;
         BIGNUM *n;
         BIGNUM *e;
         BIGNUM *d;
@@ -172,121 +179,108 @@ struct rsa_st
 #define RSA_get_app_data(s)             RSA_get_ex_data(s,0)
 
 RSA *   RSA_new(void);
-#if 0
-RSA *   RSA_new_method(RSA_METHOD *method);
-#else
-RSA *   RSA_new_method(struct engine_st *engine);
-#endif
-int     RSA_size(RSA *);
+RSA *   RSA_new_method(ENGINE *engine);
+int     RSA_size(const RSA *);
 RSA *   RSA_generate_key(int bits, unsigned long e,void
                 (*callback)(int,int,void *),void *cb_arg);
-int     RSA_check_key(RSA *);
+int     RSA_check_key(const RSA *);
         /* next 4 return -1 on error */
-int     RSA_public_encrypt(int flen, unsigned char *from,
+int     RSA_public_encrypt(int flen, const unsigned char *from,
                 unsigned char *to, RSA *rsa,int padding);
-int     RSA_private_encrypt(int flen, unsigned char *from,
+int     RSA_private_encrypt(int flen, const unsigned char *from,
                 unsigned char *to, RSA *rsa,int padding);
-int     RSA_public_decrypt(int flen, unsigned char *from, 
+int     RSA_public_decrypt(int flen, const unsigned char *from, 
                 unsigned char *to, RSA *rsa,int padding);
-int     RSA_private_decrypt(int flen, unsigned char *from, 
+int     RSA_private_decrypt(int flen, const unsigned char *from, 
                 unsigned char *to, RSA *rsa,int padding);
 void    RSA_free (RSA *r);
+/* "up" the RSA object's reference count */
+int     RSA_up_ref(RSA *r);
 
-int     RSA_flags(RSA *r);
+int     RSA_flags(const RSA *r);
 
-void RSA_set_default_openssl_method(RSA_METHOD *meth);
-RSA_METHOD *RSA_get_default_openssl_method(void);
-RSA_METHOD *RSA_get_method(RSA *rsa);
-#if 0
-RSA_METHOD *RSA_set_method(RSA *rsa, RSA_METHOD *meth);
-#else
-int RSA_set_method(RSA *rsa, struct engine_st *engine);
-#endif
+void RSA_set_default_method(const RSA_METHOD *meth);
+const RSA_METHOD *RSA_get_default_method(void);
+const RSA_METHOD *RSA_get_method(const RSA *rsa);
+int RSA_set_method(RSA *rsa, const RSA_METHOD *meth);
 
 /* This function needs the memory locking malloc callbacks to be installed */
 int RSA_memory_lock(RSA *r);
 
-/* If you have RSAref compiled in. */
-RSA_METHOD *RSA_PKCS1_RSAref(void);
-
 /* these are the actual SSLeay RSA functions */
-RSA_METHOD *RSA_PKCS1_SSLeay(void);
+const RSA_METHOD *RSA_PKCS1_SSLeay(void);
 
-RSA_METHOD *RSA_null_method(void);
+const RSA_METHOD *RSA_null_method(void);
 
-void    ERR_load_RSA_strings(void );
+DECLARE_ASN1_ENCODE_FUNCTIONS_const(RSA, RSAPublicKey)
+DECLARE_ASN1_ENCODE_FUNCTIONS_const(RSA, RSAPrivateKey)
 
-RSA *   d2i_RSAPublicKey(RSA **a, unsigned char **pp, long length);
-int     i2d_RSAPublicKey(RSA *a, unsigned char **pp);
-RSA *   d2i_RSAPrivateKey(RSA **a, unsigned char **pp, long length);
-int     i2d_RSAPrivateKey(RSA *a, unsigned char **pp);
-#ifndef NO_FP_API
-int     RSA_print_fp(FILE *fp, RSA *r,int offset);
+#ifndef OPENSSL_NO_FP_API
+int     RSA_print_fp(FILE *fp, const RSA *r,int offset);
 #endif
 
-#ifndef NO_BIO
-int     RSA_print(BIO *bp, RSA *r,int offset);
+#ifndef OPENSSL_NO_BIO
+int     RSA_print(BIO *bp, const RSA *r,int offset);
 #endif
 
-int i2d_RSA_NET(RSA *a, unsigned char **pp, int (*cb)(), int sgckey);
-RSA *d2i_RSA_NET(RSA **a, unsigned char **pp, long length, int (*cb)(), int sgckey);
-RSA *d2i_RSA_NET_2(RSA **a, unsigned char **pp, long length, int (*cb)(), int sgckey);
+int i2d_RSA_NET(const RSA *a, unsigned char **pp, int (*cb)(), int sgckey);
+RSA *d2i_RSA_NET(RSA **a, const unsigned char **pp, long length, int (*cb)(), int sgckey);
 
-int i2d_Netscape_RSA(RSA *a, unsigned char **pp, int (*cb)());
-RSA *d2i_Netscape_RSA(RSA **a, unsigned char **pp, long length, int (*cb)());
-/* Naughty internal function required elsewhere, to handle a MS structure
- * that is the same as the netscape one :-) */
-RSA *d2i_Netscape_RSA_2(RSA **a, unsigned char **pp, long length, int (*cb)());
+int i2d_Netscape_RSA(const RSA *a, unsigned char **pp, int (*cb)());
+RSA *d2i_Netscape_RSA(RSA **a, const unsigned char **pp, long length, int (*cb)());
 
 /* The following 2 functions sign and verify a X509_SIG ASN1 object
  * inside PKCS#1 padded RSA encryption */
-int RSA_sign(int type, unsigned char *m, unsigned int m_len,
+int RSA_sign(int type, const unsigned char *m, unsigned int m_length,
         unsigned char *sigret, unsigned int *siglen, RSA *rsa);
-int RSA_verify(int type, unsigned char *m, unsigned int m_len,
+int RSA_verify(int type, const unsigned char *m, unsigned int m_length,
         unsigned char *sigbuf, unsigned int siglen, RSA *rsa);
 
 /* The following 2 function sign and verify a ASN1_OCTET_STRING
  * object inside PKCS#1 padded RSA encryption */
-int RSA_sign_ASN1_OCTET_STRING(int type, unsigned char *m, unsigned int m_len,
+int RSA_sign_ASN1_OCTET_STRING(int type,
+        const unsigned char *m, unsigned int m_length,
         unsigned char *sigret, unsigned int *siglen, RSA *rsa);
-int RSA_verify_ASN1_OCTET_STRING(int type, unsigned char *m, unsigned int m_len,
+int RSA_verify_ASN1_OCTET_STRING(int type,
+        const unsigned char *m, unsigned int m_length,
         unsigned char *sigbuf, unsigned int siglen, RSA *rsa);
 
 int RSA_blinding_on(RSA *rsa, BN_CTX *ctx);
 void RSA_blinding_off(RSA *rsa);
 
 int RSA_padding_add_PKCS1_type_1(unsigned char *to,int tlen,
-        unsigned char *f,int fl);
+        const unsigned char *f,int fl);
 int RSA_padding_check_PKCS1_type_1(unsigned char *to,int tlen,
-        unsigned char *f,int fl,int rsa_len);
+        const unsigned char *f,int fl,int rsa_len);
 int RSA_padding_add_PKCS1_type_2(unsigned char *to,int tlen,
-        unsigned char *f,int fl);
+        const unsigned char *f,int fl);
 int RSA_padding_check_PKCS1_type_2(unsigned char *to,int tlen,
-        unsigned char *f,int fl,int rsa_len);
+        const unsigned char *f,int fl,int rsa_len);
 int RSA_padding_add_PKCS1_OAEP(unsigned char *to,int tlen,
-                               unsigned char *f,int fl,unsigned char *p,
-                               int pl);
+        const unsigned char *f,int fl,
+        const unsigned char *p,int pl);
 int RSA_padding_check_PKCS1_OAEP(unsigned char *to,int tlen,
-                                 unsigned char *f,int fl,int rsa_len,
-                                 unsigned char *p,int pl);
+        const unsigned char *f,int fl,int rsa_len,
+        const unsigned char *p,int pl);
 int RSA_padding_add_SSLv23(unsigned char *to,int tlen,
-        unsigned char *f,int fl);
+        const unsigned char *f,int fl);
 int RSA_padding_check_SSLv23(unsigned char *to,int tlen,
-        unsigned char *f,int fl,int rsa_len);
+        const unsigned char *f,int fl,int rsa_len);
 int RSA_padding_add_none(unsigned char *to,int tlen,
-        unsigned char *f,int fl);
+        const unsigned char *f,int fl);
 int RSA_padding_check_none(unsigned char *to,int tlen,
-        unsigned char *f,int fl,int rsa_len);
+        const unsigned char *f,int fl,int rsa_len);
 
 int RSA_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
         CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
 int RSA_set_ex_data(RSA *r,int idx,void *arg);
-void *RSA_get_ex_data(RSA *r, int idx);
+void *RSA_get_ex_data(const RSA *r, int idx);
 
 /* BEGIN ERROR CODES */
 /* The following lines are auto generated by the script mkerr.pl. Any changes
  * made after this point may be overwritten when the script is next run.
  */
+void ERR_load_RSA_strings(void);
 
 /* Error codes for the RSA functions. */
 
@@ -328,6 +322,7 @@ void *RSA_get_ex_data(RSA *r, int idx);
 #define RSA_R_DATA_GREATER_THAN_MOD_LEN                  108
 #define RSA_R_DATA_TOO_LARGE                             109
 #define RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE                110
+#define RSA_R_DATA_TOO_LARGE_FOR_MODULUS                 132
 #define RSA_R_DATA_TOO_SMALL                             111
 #define RSA_R_DATA_TOO_SMALL_FOR_KEY_SIZE                122
 #define RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY                 112
@@ -354,4 +349,3 @@ void *RSA_get_ex_data(RSA *r, int idx);
 }
 #endif
 #endif
-
diff --git a/src/lib/libcrypto/rsa/rsa_asn1.c b/src/lib/libcrypto/rsa/rsa_asn1.c
new file mode 100644
index 0000000000..1455a7e0e4
--- /dev/null
+++ b/src/lib/libcrypto/rsa/rsa_asn1.c
@@ -0,0 +1,121 @@
+/* rsa_asn1.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/bn.h>
+#include <openssl/rsa.h>
+#include <openssl/asn1t.h>
+
+static ASN1_METHOD method={
+        (int (*)())  i2d_RSAPrivateKey,
+        (char *(*)())d2i_RSAPrivateKey,
+        (char *(*)())RSA_new,
+        (void (*)()) RSA_free};
+
+ASN1_METHOD *RSAPrivateKey_asn1_meth(void)
+        {
+        return(&method);
+        }
+
+/* Override the default free and new methods */
+static int rsa_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it)
+{
+        if(operation == ASN1_OP_NEW_PRE) {
+                *pval = (ASN1_VALUE *)RSA_new();
+                if(*pval) return 2;
+                return 0;
+        } else if(operation == ASN1_OP_FREE_PRE) {
+                RSA_free((RSA *)*pval);
+                *pval = NULL;
+                return 2;
+        }
+        return 1;
+}
+
+ASN1_SEQUENCE_cb(RSAPrivateKey, rsa_cb) = {
+        ASN1_SIMPLE(RSA, version, LONG),
+        ASN1_SIMPLE(RSA, n, BIGNUM),
+        ASN1_SIMPLE(RSA, e, BIGNUM),
+        ASN1_SIMPLE(RSA, d, BIGNUM),
+        ASN1_SIMPLE(RSA, p, BIGNUM),
+        ASN1_SIMPLE(RSA, q, BIGNUM),
+        ASN1_SIMPLE(RSA, dmp1, BIGNUM),
+        ASN1_SIMPLE(RSA, dmq1, BIGNUM),
+        ASN1_SIMPLE(RSA, iqmp, BIGNUM)
+} ASN1_SEQUENCE_END_cb(RSA, RSAPrivateKey)
+
+
+ASN1_SEQUENCE_cb(RSAPublicKey, rsa_cb) = {
+        ASN1_SIMPLE(RSA, n, BIGNUM),
+        ASN1_SIMPLE(RSA, e, BIGNUM),
+} ASN1_SEQUENCE_END_cb(RSA, RSAPublicKey)
+
+IMPLEMENT_ASN1_ENCODE_FUNCTIONS_const_fname(RSA, RSAPrivateKey, RSAPrivateKey)
+
+IMPLEMENT_ASN1_ENCODE_FUNCTIONS_const_fname(RSA, RSAPublicKey, RSAPublicKey)
+
+RSA *RSAPublicKey_dup(RSA *rsa)
+        {
+        return ASN1_item_dup(ASN1_ITEM_rptr(RSAPublicKey), rsa);
+        }
+
+RSA *RSAPrivateKey_dup(RSA *rsa)
+        {
+        return ASN1_item_dup(ASN1_ITEM_rptr(RSAPrivateKey), rsa);
+        }
diff --git a/src/lib/libcrypto/rsa/rsa_chk.c b/src/lib/libcrypto/rsa/rsa_chk.c
index 91b9115798..002f2cb487 100644
--- a/src/lib/libcrypto/rsa/rsa_chk.c
+++ b/src/lib/libcrypto/rsa/rsa_chk.c
@@ -53,7 +53,7 @@
 #include <openssl/rsa.h>
 
 
-int RSA_check_key(RSA *key)
+int RSA_check_key(const RSA *key)
         {
         BIGNUM *i, *j, *k, *l, *m;
         BN_CTX *ctx;
diff --git a/src/lib/libcrypto/rsa/rsa_eay.c b/src/lib/libcrypto/rsa/rsa_eay.c
index cde5ca27d5..d82dd15493 100644
--- a/src/lib/libcrypto/rsa/rsa_eay.c
+++ b/src/lib/libcrypto/rsa/rsa_eay.c
@@ -65,46 +65,46 @@
 
 #ifndef RSA_NULL
 
-static int RSA_eay_public_encrypt(int flen, unsigned char *from,
+static int RSA_eay_public_encrypt(int flen, const unsigned char *from,
                 unsigned char *to, RSA *rsa,int padding);
-static int RSA_eay_private_encrypt(int flen, unsigned char *from,
+static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
                 unsigned char *to, RSA *rsa,int padding);
-static int RSA_eay_public_decrypt(int flen, unsigned char *from,
+static int RSA_eay_public_decrypt(int flen, const unsigned char *from,
                 unsigned char *to, RSA *rsa,int padding);
-static int RSA_eay_private_decrypt(int flen, unsigned char *from,
+static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
                 unsigned char *to, RSA *rsa,int padding);
-static int RSA_eay_mod_exp(BIGNUM *r0, BIGNUM *i, RSA *rsa);
+static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *i, RSA *rsa);
 static int RSA_eay_init(RSA *rsa);
 static int RSA_eay_finish(RSA *rsa);
 static RSA_METHOD rsa_pkcs1_eay_meth={
         "Eric Young's PKCS#1 RSA",
         RSA_eay_public_encrypt,
-        RSA_eay_public_decrypt,
-        RSA_eay_private_encrypt,
+        RSA_eay_public_decrypt, /* signature verification */
+        RSA_eay_private_encrypt, /* signing */
         RSA_eay_private_decrypt,
         RSA_eay_mod_exp,
-        BN_mod_exp_mont,
+        BN_mod_exp_mont, /* XXX probably we should not use Montgomery if  e == 3 */
         RSA_eay_init,
         RSA_eay_finish,
-        0,
+        0, /* flags */
         NULL,
+        0, /* rsa_sign */
+        0  /* rsa_verify */
         };
 
-RSA_METHOD *RSA_PKCS1_SSLeay(void)
+const RSA_METHOD *RSA_PKCS1_SSLeay(void)
         {
         return(&rsa_pkcs1_eay_meth);
         }
 
-static int RSA_eay_public_encrypt(int flen, unsigned char *from,
+static int RSA_eay_public_encrypt(int flen, const unsigned char *from,
              unsigned char *to, RSA *rsa, int padding)
         {
-        const RSA_METHOD *meth;
         BIGNUM f,ret;
         int i,j,k,num=0,r= -1;
         unsigned char *buf=NULL;
         BN_CTX *ctx=NULL;
 
-        meth = ENGINE_get_RSA(rsa->engine);
         BN_init(&f);
         BN_init(&ret);
         if ((ctx=BN_CTX_new()) == NULL) goto err;
@@ -120,7 +120,7 @@ static int RSA_eay_public_encrypt(int flen, unsigned char *from,
         case RSA_PKCS1_PADDING:
                 i=RSA_padding_add_PKCS1_type_2(buf,num,from,flen);
                 break;
-#ifndef NO_SHA
+#ifndef OPENSSL_NO_SHA
         case RSA_PKCS1_OAEP_PADDING:
                 i=RSA_padding_add_PKCS1_OAEP(buf,num,from,flen,NULL,0);
                 break;
@@ -139,6 +139,13 @@ static int RSA_eay_public_encrypt(int flen, unsigned char *from,
 
         if (BN_bin2bn(buf,num,&f) == NULL) goto err;
         
+        if (BN_ucmp(&f, rsa->n) >= 0)
+                {       
+                /* usually the padding functions would catch this */
+                RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
+                goto err;
+                }
+
         if ((rsa->_method_mod_n == NULL) && (rsa->flags & RSA_FLAG_CACHE_PUBLIC))
                 {
                 BN_MONT_CTX* bn_mont_ctx;
@@ -162,8 +169,8 @@ static int RSA_eay_public_encrypt(int flen, unsigned char *from,
                 if (bn_mont_ctx)
                         BN_MONT_CTX_free(bn_mont_ctx);
                 }
-
-        if (!meth->bn_mod_exp(&ret,&f,rsa->e,rsa->n,ctx,
+                
+        if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->e,rsa->n,ctx,
                 rsa->_method_mod_n)) goto err;
 
         /* put in leading 0 bytes if the number is less than the
@@ -186,16 +193,15 @@ err:
         return(r);
         }
 
-static int RSA_eay_private_encrypt(int flen, unsigned char *from,
+/* signing */
+static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
              unsigned char *to, RSA *rsa, int padding)
         {
-        const RSA_METHOD *meth;
         BIGNUM f,ret;
         int i,j,k,num=0,r= -1;
         unsigned char *buf=NULL;
         BN_CTX *ctx=NULL;
 
-        meth = ENGINE_get_RSA(rsa->engine);
         BN_init(&f);
         BN_init(&ret);
 
@@ -223,6 +229,13 @@ static int RSA_eay_private_encrypt(int flen, unsigned char *from,
         if (i <= 0) goto err;
 
         if (BN_bin2bn(buf,num,&f) == NULL) goto err;
+        
+        if (BN_ucmp(&f, rsa->n) >= 0)
+                {       
+                /* usually the padding functions would catch this */
+                RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
+                goto err;
+                }
 
         if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL))
                 RSA_blinding_on(rsa,ctx);
@@ -235,10 +248,10 @@ static int RSA_eay_private_encrypt(int flen, unsigned char *from,
                 (rsa->dmp1 != NULL) &&
                 (rsa->dmq1 != NULL) &&
                 (rsa->iqmp != NULL)) )
-                { if (!meth->rsa_mod_exp(&ret,&f,rsa)) goto err; }
+                { if (!rsa->meth->rsa_mod_exp(&ret,&f,rsa)) goto err; }
         else
                 {
-                if (!meth->bn_mod_exp(&ret,&f,rsa->d,rsa->n,ctx,NULL)) goto err;
+                if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->d,rsa->n,ctx,NULL)) goto err;
                 }
 
         if (rsa->flags & RSA_FLAG_BLINDING)
@@ -264,17 +277,15 @@ err:
         return(r);
         }
 
-static int RSA_eay_private_decrypt(int flen, unsigned char *from,
+static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
              unsigned char *to, RSA *rsa, int padding)
         {
-        const RSA_METHOD *meth;
         BIGNUM f,ret;
         int j,num=0,r= -1;
         unsigned char *p;
         unsigned char *buf=NULL;
         BN_CTX *ctx=NULL;
 
-        meth = ENGINE_get_RSA(rsa->engine);
         BN_init(&f);
         BN_init(&ret);
         ctx=BN_CTX_new();
@@ -299,6 +310,12 @@ static int RSA_eay_private_decrypt(int flen, unsigned char *from,
         /* make data into a big number */
         if (BN_bin2bn(from,(int)flen,&f) == NULL) goto err;
 
+        if (BN_ucmp(&f, rsa->n) >= 0)
+                {
+                RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
+                goto err;
+                }
+
         if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL))
                 RSA_blinding_on(rsa,ctx);
         if (rsa->flags & RSA_FLAG_BLINDING)
@@ -311,10 +328,10 @@ static int RSA_eay_private_decrypt(int flen, unsigned char *from,
                 (rsa->dmp1 != NULL) &&
                 (rsa->dmq1 != NULL) &&
                 (rsa->iqmp != NULL)) )
-                { if (!meth->rsa_mod_exp(&ret,&f,rsa)) goto err; }
+                { if (!rsa->meth->rsa_mod_exp(&ret,&f,rsa)) goto err; }
         else
                 {
-                if (!meth->bn_mod_exp(&ret,&f,rsa->d,rsa->n,ctx,NULL))
+                if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->d,rsa->n,ctx,NULL))
                         goto err;
                 }
 
@@ -329,7 +346,7 @@ static int RSA_eay_private_decrypt(int flen, unsigned char *from,
         case RSA_PKCS1_PADDING:
                 r=RSA_padding_check_PKCS1_type_2(to,num,buf,j,num);
                 break;
-#ifndef NO_SHA
+#ifndef OPENSSL_NO_SHA
         case RSA_PKCS1_OAEP_PADDING:
                 r=RSA_padding_check_PKCS1_OAEP(to,num,buf,j,num,NULL,0);
                 break;
@@ -359,17 +376,16 @@ err:
         return(r);
         }
 
-static int RSA_eay_public_decrypt(int flen, unsigned char *from,
+/* signature verification */
+static int RSA_eay_public_decrypt(int flen, const unsigned char *from,
              unsigned char *to, RSA *rsa, int padding)
         {
-        const RSA_METHOD *meth;
         BIGNUM f,ret;
         int i,num=0,r= -1;
         unsigned char *p;
         unsigned char *buf=NULL;
         BN_CTX *ctx=NULL;
 
-        meth = ENGINE_get_RSA(rsa->engine);
         BN_init(&f);
         BN_init(&ret);
         ctx=BN_CTX_new();
@@ -392,6 +408,13 @@ static int RSA_eay_public_decrypt(int flen, unsigned char *from,
                 }
 
         if (BN_bin2bn(from,flen,&f) == NULL) goto err;
+
+        if (BN_ucmp(&f, rsa->n) >= 0)
+                {
+                RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
+                goto err;
+                }
+
         /* do the decrypt */
         if ((rsa->_method_mod_n == NULL) && (rsa->flags & RSA_FLAG_CACHE_PUBLIC))
                 {
@@ -416,8 +439,8 @@ static int RSA_eay_public_decrypt(int flen, unsigned char *from,
                 if (bn_mont_ctx)
                         BN_MONT_CTX_free(bn_mont_ctx);
                 }
-
-        if (!meth->bn_mod_exp(&ret,&f,rsa->e,rsa->n,ctx,
+                
+        if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->e,rsa->n,ctx,
                 rsa->_method_mod_n)) goto err;
 
         p=buf;
@@ -450,14 +473,12 @@ err:
         return(r);
         }
 
-static int RSA_eay_mod_exp(BIGNUM *r0, BIGNUM *I, RSA *rsa)
+static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa)
         {
-        const RSA_METHOD *meth;
         BIGNUM r1,m1,vrfy;
         int ret=0;
         BN_CTX *ctx;
 
-        meth = ENGINE_get_RSA(rsa->engine);
         if ((ctx=BN_CTX_new()) == NULL) goto err;
         BN_init(&m1);
         BN_init(&r1);
@@ -515,11 +536,11 @@ static int RSA_eay_mod_exp(BIGNUM *r0, BIGNUM *I, RSA *rsa)
                 }
                 
         if (!BN_mod(&r1,I,rsa->q,ctx)) goto err;
-        if (!meth->bn_mod_exp(&m1,&r1,rsa->dmq1,rsa->q,ctx,
+        if (!rsa->meth->bn_mod_exp(&m1,&r1,rsa->dmq1,rsa->q,ctx,
                 rsa->_method_mod_q)) goto err;
 
         if (!BN_mod(&r1,I,rsa->p,ctx)) goto err;
-        if (!meth->bn_mod_exp(r0,&r1,rsa->dmp1,rsa->p,ctx,
+        if (!rsa->meth->bn_mod_exp(r0,&r1,rsa->dmp1,rsa->p,ctx,
                 rsa->_method_mod_p)) goto err;
 
         if (!BN_sub(r0,r0,&m1)) goto err;
@@ -544,11 +565,20 @@ static int RSA_eay_mod_exp(BIGNUM *r0, BIGNUM *I, RSA *rsa)
 
         if (rsa->e && rsa->n)
                 {
-                if (!meth->bn_mod_exp(&vrfy,r0,rsa->e,rsa->n,ctx,NULL)) goto err;
-                if (BN_cmp(I, &vrfy) != 0)
-                        {
-                        if (!meth->bn_mod_exp(r0,I,rsa->d,rsa->n,ctx,NULL)) goto err;
-                        }
+                if (!rsa->meth->bn_mod_exp(&vrfy,r0,rsa->e,rsa->n,ctx,NULL)) goto err;
+                /* If 'I' was greater than (or equal to) rsa->n, the operation
+                 * will be equivalent to using 'I mod n'. However, the result of
+                 * the verify will *always* be less than 'n' so we don't check
+                 * for absolute equality, just congruency. */
+                if (!BN_sub(&vrfy, &vrfy, I)) goto err;
+                if (!BN_mod(&vrfy, &vrfy, rsa->n, ctx)) goto err;
+                if (vrfy.neg)
+                        if (!BN_add(&vrfy, &vrfy, rsa->n)) goto err;
+                if (!BN_is_zero(&vrfy))
+                        /* 'I' and 'vrfy' aren't congruent mod n. Don't leak
+                         * miscalculated CRT output, just do a raw (slower)
+                         * mod_exp and return that instead. */
+                        if (!rsa->meth->bn_mod_exp(r0,I,rsa->d,rsa->n,ctx,NULL)) goto err;
                 }
         ret=1;
 err:
diff --git a/src/lib/libcrypto/rsa/rsa_err.c b/src/lib/libcrypto/rsa/rsa_err.c
index 1cde7c0da4..a7766c3b76 100644
--- a/src/lib/libcrypto/rsa/rsa_err.c
+++ b/src/lib/libcrypto/rsa/rsa_err.c
@@ -63,7 +63,7 @@
 #include <openssl/rsa.h>
 
 /* BEGIN ERROR CODES */
-#ifndef NO_ERR
+#ifndef OPENSSL_NO_ERR
 static ERR_STRING_DATA RSA_str_functs[]=
         {
 {ERR_PACK(0,RSA_F_MEMORY_LOCK,0),       "MEMORY_LOCK"},
@@ -106,6 +106,7 @@ static ERR_STRING_DATA RSA_str_reasons[]=
 {RSA_R_DATA_GREATER_THAN_MOD_LEN         ,"data greater than mod len"},
 {RSA_R_DATA_TOO_LARGE                    ,"data too large"},
 {RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE       ,"data too large for key size"},
+{RSA_R_DATA_TOO_LARGE_FOR_MODULUS        ,"data too large for modulus"},
 {RSA_R_DATA_TOO_SMALL                    ,"data too small"},
 {RSA_R_DATA_TOO_SMALL_FOR_KEY_SIZE       ,"data too small for key size"},
 {RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY        ,"digest too big for rsa key"},
@@ -139,7 +140,7 @@ void ERR_load_RSA_strings(void)
         if (init)
                 {
                 init=0;
-#ifndef NO_ERR
+#ifndef OPENSSL_NO_ERR
                 ERR_load_strings(ERR_LIB_RSA,RSA_str_functs);
                 ERR_load_strings(ERR_LIB_RSA,RSA_str_reasons);
 #endif
diff --git a/src/lib/libcrypto/rsa/rsa_lib.c b/src/lib/libcrypto/rsa/rsa_lib.c
index 94395cc22c..93235744f7 100644
--- a/src/lib/libcrypto/rsa/rsa_lib.c
+++ b/src/lib/libcrypto/rsa/rsa_lib.c
@@ -66,42 +66,26 @@
 
 const char *RSA_version="RSA" OPENSSL_VERSION_PTEXT;
 
-static RSA_METHOD *default_RSA_meth=NULL;
-static int rsa_meth_num=0;
-static STACK_OF(CRYPTO_EX_DATA_FUNCS) *rsa_meth=NULL;
+static const RSA_METHOD *default_RSA_meth=NULL;
 
 RSA *RSA_new(void)
         {
         return(RSA_new_method(NULL));
         }
 
-void RSA_set_default_openssl_method(RSA_METHOD *meth)
+void RSA_set_default_method(const RSA_METHOD *meth)
         {
-        ENGINE *e;
-        /* We'll need to notify the "openssl" ENGINE of this
-         * change too. We won't bother locking things down at
-         * our end as there was never any locking in these
-         * functions! */
-        if(default_RSA_meth != meth)
-                {
-                default_RSA_meth = meth;
-                e = ENGINE_by_id("openssl");
-                if(e)
-                        {
-                        ENGINE_set_RSA(e, meth);
-                        ENGINE_free(e);
-                        }
-                }
+        default_RSA_meth = meth;
         }
 
-RSA_METHOD *RSA_get_default_openssl_method(void)
-{
+const RSA_METHOD *RSA_get_default_method(void)
+        {
         if (default_RSA_meth == NULL)
                 {
 #ifdef RSA_NULL
                 default_RSA_meth=RSA_null_method();
 #else
-#ifdef RSAref
+#if 0 /* was: #ifdef RSAref */
                 default_RSA_meth=RSA_PKCS1_RSAref();
 #else
                 default_RSA_meth=RSA_PKCS1_SSLeay();
@@ -110,69 +94,66 @@ RSA_METHOD *RSA_get_default_openssl_method(void)
                 }
 
         return default_RSA_meth;
-}
+        }
 
-RSA_METHOD *RSA_get_method(RSA *rsa)
-{
-        return ENGINE_get_RSA(rsa->engine);
-}
+const RSA_METHOD *RSA_get_method(const RSA *rsa)
+        {
+        return rsa->meth;
+        }
 
-#if 0
-RSA_METHOD *RSA_set_method(RSA *rsa, RSA_METHOD *meth)
-{
-        RSA_METHOD *mtmp;
+int RSA_set_method(RSA *rsa, const RSA_METHOD *meth)
+        {
+        /* NB: The caller is specifically setting a method, so it's not up to us
+         * to deal with which ENGINE it comes from. */
+        const RSA_METHOD *mtmp;
         mtmp = rsa->meth;
         if (mtmp->finish) mtmp->finish(rsa);
+        if (rsa->engine)
+                {
+                ENGINE_finish(rsa->engine);
+                rsa->engine = NULL;
+                }
         rsa->meth = meth;
         if (meth->init) meth->init(rsa);
-        return mtmp;
-}
-#else
-int RSA_set_method(RSA *rsa, ENGINE *engine)
-{
-        ENGINE *mtmp;
-        RSA_METHOD *meth;
-        mtmp = rsa->engine;
-        meth = ENGINE_get_RSA(mtmp);
-        if (!ENGINE_init(engine))
-                return 0;
-        if (meth->finish) meth->finish(rsa);
-        rsa->engine = engine;
-        meth = ENGINE_get_RSA(engine);
-        if (meth->init) meth->init(rsa);
-        /* SHOULD ERROR CHECK THIS!!! */
-        ENGINE_finish(mtmp);
         return 1;
-}
-#endif
+        }
 
-#if 0
-RSA *RSA_new_method(RSA_METHOD *meth)
-#else
 RSA *RSA_new_method(ENGINE *engine)
-#endif
         {
-        RSA_METHOD *meth;
         RSA *ret;
 
         ret=(RSA *)OPENSSL_malloc(sizeof(RSA));
         if (ret == NULL)
                 {
                 RSAerr(RSA_F_RSA_NEW_METHOD,ERR_R_MALLOC_FAILURE);
-                return(NULL);
+                return NULL;
                 }
 
-        if (engine == NULL)
+        ret->meth = RSA_get_default_method();
+        if (engine)
                 {
-                if((ret->engine=ENGINE_get_default_RSA()) == NULL)
+                if (!ENGINE_init(engine))
                         {
+                        RSAerr(RSA_F_RSA_NEW_METHOD, ERR_R_ENGINE_LIB);
                         OPENSSL_free(ret);
                         return NULL;
                         }
+                ret->engine = engine;
                 }
         else
-                ret->engine=engine;
-        meth = ENGINE_get_RSA(ret->engine);
+                ret->engine = ENGINE_get_default_RSA();
+        if(ret->engine)
+                {
+                ret->meth = ENGINE_get_RSA(ret->engine);
+                if(!ret->meth)
+                        {
+                        RSAerr(RSA_F_RSA_NEW_METHOD,
+                                ERR_R_ENGINE_LIB);
+                        ENGINE_finish(ret->engine);
+                        OPENSSL_free(ret);
+                        return NULL;
+                        }
+                }
 
         ret->pad=0;
         ret->version=0;
@@ -190,11 +171,13 @@ RSA *RSA_new_method(ENGINE *engine)
         ret->_method_mod_q=NULL;
         ret->blinding=NULL;
         ret->bignum_data=NULL;
-        ret->flags=meth->flags;
-        CRYPTO_new_ex_data(rsa_meth,ret,&ret->ex_data);
-        if ((meth->init != NULL) && !meth->init(ret))
+        ret->flags=ret->meth->flags;
+        CRYPTO_new_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data);
+        if ((ret->meth->init != NULL) && !ret->meth->init(ret))
                 {
-                CRYPTO_free_ex_data(rsa_meth,ret,&ret->ex_data);
+                if (ret->engine)
+                        ENGINE_finish(ret->engine);
+                CRYPTO_free_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data);
                 OPENSSL_free(ret);
                 ret=NULL;
                 }
@@ -203,7 +186,6 @@ RSA *RSA_new_method(ENGINE *engine)
 
 void RSA_free(RSA *r)
         {
-        RSA_METHOD *meth;
         int i;
 
         if (r == NULL) return;
@@ -221,12 +203,12 @@ void RSA_free(RSA *r)
                 }
 #endif
 
-        meth = ENGINE_get_RSA(r->engine);
-        if (meth->finish != NULL)
-                meth->finish(r);
-        ENGINE_finish(r->engine);
+        if (r->meth->finish)
+                r->meth->finish(r);
+        if (r->engine)
+                ENGINE_finish(r->engine);
 
-        CRYPTO_free_ex_data(rsa_meth,r,&r->ex_data);
+        CRYPTO_free_ex_data(CRYPTO_EX_INDEX_RSA, r, &r->ex_data);
 
         if (r->n != NULL) BN_clear_free(r->n);
         if (r->e != NULL) BN_clear_free(r->e);
@@ -241,12 +223,27 @@ void RSA_free(RSA *r)
         OPENSSL_free(r);
         }
 
+int RSA_up_ref(RSA *r)
+        {
+        int i = CRYPTO_add(&r->references, 1, CRYPTO_LOCK_RSA);
+#ifdef REF_PRINT
+        REF_PRINT("RSA",r);
+#endif
+#ifdef REF_CHECK
+        if (i < 2)
+                {
+                fprintf(stderr, "RSA_up_ref, bad reference count\n");
+                abort();
+                }
+#endif
+        return ((i > 1) ? 1 : 0);
+        }
+
 int RSA_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
              CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func)
         {
-        rsa_meth_num++;
-        return(CRYPTO_get_ex_new_index(rsa_meth_num-1,
-                &rsa_meth,argl,argp,new_func,dup_func,free_func));
+        return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_RSA, argl, argp,
+                                new_func, dup_func, free_func);
         }
 
 int RSA_set_ex_data(RSA *r, int idx, void *arg)
@@ -254,47 +251,43 @@ int RSA_set_ex_data(RSA *r, int idx, void *arg)
         return(CRYPTO_set_ex_data(&r->ex_data,idx,arg));
         }
 
-void *RSA_get_ex_data(RSA *r, int idx)
+void *RSA_get_ex_data(const RSA *r, int idx)
         {
         return(CRYPTO_get_ex_data(&r->ex_data,idx));
         }
 
-int RSA_size(RSA *r)
+int RSA_size(const RSA *r)
         {
         return(BN_num_bytes(r->n));
         }
 
-int RSA_public_encrypt(int flen, unsigned char *from, unsigned char *to,
+int RSA_public_encrypt(int flen, const unsigned char *from, unsigned char *to,
              RSA *rsa, int padding)
         {
-        return(ENGINE_get_RSA(rsa->engine)->rsa_pub_enc(flen,
-                from, to, rsa, padding));
+        return(rsa->meth->rsa_pub_enc(flen, from, to, rsa, padding));
         }
 
-int RSA_private_encrypt(int flen, unsigned char *from, unsigned char *to,
+int RSA_private_encrypt(int flen, const unsigned char *from, unsigned char *to,
              RSA *rsa, int padding)
         {
-        return(ENGINE_get_RSA(rsa->engine)->rsa_priv_enc(flen,
-                from, to, rsa, padding));
+        return(rsa->meth->rsa_priv_enc(flen, from, to, rsa, padding));
         }
 
-int RSA_private_decrypt(int flen, unsigned char *from, unsigned char *to,
+int RSA_private_decrypt(int flen, const unsigned char *from, unsigned char *to,
              RSA *rsa, int padding)
         {
-        return(ENGINE_get_RSA(rsa->engine)->rsa_priv_dec(flen,
-                from, to, rsa, padding));
+        return(rsa->meth->rsa_priv_dec(flen, from, to, rsa, padding));
         }
 
-int RSA_public_decrypt(int flen, unsigned char *from, unsigned char *to,
+int RSA_public_decrypt(int flen, const unsigned char *from, unsigned char *to,
              RSA *rsa, int padding)
         {
-        return(ENGINE_get_RSA(rsa->engine)->rsa_pub_dec(flen,
-                from, to, rsa, padding));
+        return(rsa->meth->rsa_pub_dec(flen, from, to, rsa, padding));
         }
 
-int RSA_flags(RSA *r)
+int RSA_flags(const RSA *r)
         {
-        return((r == NULL)?0:ENGINE_get_RSA(r->engine)->flags);
+        return((r == NULL)?0:r->meth->flags);
         }
 
 void RSA_blinding_off(RSA *rsa)
@@ -328,8 +321,7 @@ int RSA_blinding_on(RSA *rsa, BN_CTX *p_ctx)
         if (!BN_rand_range(A,rsa->n)) goto err;
         if ((Ai=BN_mod_inverse(NULL,A,rsa->n,ctx)) == NULL) goto err;
 
-        if (!ENGINE_get_RSA(rsa->engine)->bn_mod_exp(A,A,
-                rsa->e,rsa->n,ctx,rsa->_method_mod_n))
+        if (!rsa->meth->bn_mod_exp(A,A,rsa->e,rsa->n,ctx,rsa->_method_mod_n))
             goto err;
         rsa->blinding=BN_BLINDING_new(A,Ai,rsa->n);
         rsa->flags|=RSA_FLAG_BLINDING;
@@ -385,4 +377,3 @@ int RSA_memory_lock(RSA *r)
         r->bignum_data=p;
         return(1);
         }
-
diff --git a/src/lib/libcrypto/rsa/rsa_none.c b/src/lib/libcrypto/rsa/rsa_none.c
index f22fce5016..e6f3e627ca 100644
--- a/src/lib/libcrypto/rsa/rsa_none.c
+++ b/src/lib/libcrypto/rsa/rsa_none.c
@@ -62,8 +62,8 @@
 #include <openssl/rsa.h>
 #include <openssl/rand.h>
 
-int RSA_padding_add_none(unsigned char *to, int tlen, unsigned char *from,
-             int flen)
+int RSA_padding_add_none(unsigned char *to, int tlen,
+        const unsigned char *from, int flen)
         {
         if (flen > tlen)
                 {
@@ -81,8 +81,8 @@ int RSA_padding_add_none(unsigned char *to, int tlen, unsigned char *from,
         return(1);
         }
 
-int RSA_padding_check_none(unsigned char *to, int tlen, unsigned char *from,
-             int flen, int num)
+int RSA_padding_check_none(unsigned char *to, int tlen,
+        const unsigned char *from, int flen, int num)
         {
 
         if (flen > tlen)
diff --git a/src/lib/libcrypto/rsa/rsa_null.c b/src/lib/libcrypto/rsa/rsa_null.c
index 7b58a0eca3..64057fbdcf 100644
--- a/src/lib/libcrypto/rsa/rsa_null.c
+++ b/src/lib/libcrypto/rsa/rsa_null.c
@@ -69,16 +69,16 @@
  * operations (like storing RSA keys) are permitted.
  */
 
-static int RSA_null_public_encrypt(int flen, unsigned char *from,
+static int RSA_null_public_encrypt(int flen, const unsigned char *from,
                 unsigned char *to, RSA *rsa,int padding);
-static int RSA_null_private_encrypt(int flen, unsigned char *from,
+static int RSA_null_private_encrypt(int flen, const unsigned char *from,
                 unsigned char *to, RSA *rsa,int padding);
-static int RSA_null_public_decrypt(int flen, unsigned char *from,
+static int RSA_null_public_decrypt(int flen, const unsigned char *from,
                 unsigned char *to, RSA *rsa,int padding);
-static int RSA_null_private_decrypt(int flen, unsigned char *from,
+static int RSA_null_private_decrypt(int flen, const unsigned char *from,
                 unsigned char *to, RSA *rsa,int padding);
 #if 0 /* not currently used */
-static int RSA_null_mod_exp(BIGNUM *r0, BIGNUM *i, RSA *rsa);
+static int RSA_null_mod_exp(const BIGNUM *r0, const BIGNUM *i, RSA *rsa);
 #endif
 static int RSA_null_init(RSA *rsa);
 static int RSA_null_finish(RSA *rsa);
@@ -88,40 +88,41 @@ static RSA_METHOD rsa_null_meth={
         RSA_null_public_decrypt,
         RSA_null_private_encrypt,
         RSA_null_private_decrypt,
-        NULL, NULL,
+        NULL,
+        NULL,
         RSA_null_init,
         RSA_null_finish,
         0,
         NULL,
         };
 
-RSA_METHOD *RSA_null_method(void)
+const RSA_METHOD *RSA_null_method(void)
         {
         return(&rsa_null_meth);
         }
 
-static int RSA_null_public_encrypt(int flen, unsigned char *from,
+static int RSA_null_public_encrypt(int flen, const unsigned char *from,
              unsigned char *to, RSA *rsa, int padding)
         {
         RSAerr(RSA_F_RSA_NULL, RSA_R_RSA_OPERATIONS_NOT_SUPPORTED);
         return -1;
         }
 
-static int RSA_null_private_encrypt(int flen, unsigned char *from,
+static int RSA_null_private_encrypt(int flen, const unsigned char *from,
              unsigned char *to, RSA *rsa, int padding)
         {
         RSAerr(RSA_F_RSA_NULL, RSA_R_RSA_OPERATIONS_NOT_SUPPORTED);
         return -1;
         }
 
-static int RSA_null_private_decrypt(int flen, unsigned char *from,
+static int RSA_null_private_decrypt(int flen, const unsigned char *from,
              unsigned char *to, RSA *rsa, int padding)
         {
         RSAerr(RSA_F_RSA_NULL, RSA_R_RSA_OPERATIONS_NOT_SUPPORTED);
         return -1;
         }
 
-static int RSA_null_public_decrypt(int flen, unsigned char *from,
+static int RSA_null_public_decrypt(int flen, const unsigned char *from,
              unsigned char *to, RSA *rsa, int padding)
         {
         RSAerr(RSA_F_RSA_NULL, RSA_R_RSA_OPERATIONS_NOT_SUPPORTED);
diff --git a/src/lib/libcrypto/rsa/rsa_oaep.c b/src/lib/libcrypto/rsa/rsa_oaep.c
index 1849e55cd5..e3f7c608ec 100644
--- a/src/lib/libcrypto/rsa/rsa_oaep.c
+++ b/src/lib/libcrypto/rsa/rsa_oaep.c
@@ -2,167 +2,205 @@
 /* Written by Ulf Moeller. This software is distributed on an "AS IS"
    basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. */
 
-/* EME_OAEP as defined in RFC 2437 (PKCS #1 v2.0) */
-
-#if !defined(NO_SHA) && !defined(NO_SHA1)
+/* EME-OAEP as defined in RFC 2437 (PKCS #1 v2.0) */
+
+/* See Victor Shoup, "OAEP reconsidered," Nov. 2000,
+ * <URL: http://www.shoup.net/papers/oaep.ps.Z>
+ * for problems with the security proof for the
+ * original OAEP scheme, which EME-OAEP is based on.
+ * 
+ * A new proof can be found in E. Fujisaki, T. Okamoto,
+ * D. Pointcheval, J. Stern, "RSA-OEAP is Still Alive!",
+ * Dec. 2000, <URL: http://eprint.iacr.org/2000/061/>.
+ * The new proof has stronger requirements for the
+ * underlying permutation: "partial-one-wayness" instead
+ * of one-wayness.  For the RSA function, this is
+ * an equivalent notion.
+ */
+
+
+#if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1)
 #include <stdio.h>
 #include "cryptlib.h"
 #include <openssl/bn.h>
 #include <openssl/rsa.h>
-#include <openssl/sha.h>
+#include <openssl/evp.h>
 #include <openssl/rand.h>
+#include <openssl/sha.h>
 
-int MGF1(unsigned char *mask, long len, unsigned char *seed, long seedlen);
+int MGF1(unsigned char *mask, long len,
+        const unsigned char *seed, long seedlen);
 
 int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen,
-             unsigned char *from, int flen, unsigned char *param, int plen)
-    {
-    int i, emlen = tlen - 1;
-    unsigned char *db, *seed;
-    unsigned char *dbmask, seedmask[SHA_DIGEST_LENGTH];
-
-    if (flen > emlen - 2 * SHA_DIGEST_LENGTH - 1)
+        const unsigned char *from, int flen,
+        const unsigned char *param, int plen)
         {
-        RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP,
-               RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
-        return (0);
-        }
+        int i, emlen = tlen - 1;
+        unsigned char *db, *seed;
+        unsigned char *dbmask, seedmask[SHA_DIGEST_LENGTH];
 
-    if (emlen < 2 * SHA_DIGEST_LENGTH + 1)
-        {
-        RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP, RSA_R_KEY_SIZE_TOO_SMALL);
-        return (0);
-        }
-    
-    dbmask = OPENSSL_malloc(emlen - SHA_DIGEST_LENGTH);
-    if (dbmask == NULL)
-        {
-        RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP, ERR_R_MALLOC_FAILURE);
-        return (0);
-        }
+        if (flen > emlen - 2 * SHA_DIGEST_LENGTH - 1)
+                {
+                RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP,
+                   RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
+                return 0;
+                }
+
+        if (emlen < 2 * SHA_DIGEST_LENGTH + 1)
+                {
+                RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP, RSA_R_KEY_SIZE_TOO_SMALL);
+                return 0;
+                }
+
+        dbmask = OPENSSL_malloc(emlen - SHA_DIGEST_LENGTH);
+        if (dbmask == NULL)
+                {
+                RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP, ERR_R_MALLOC_FAILURE);
+                return 0;
+                }
 
-    to[0] = 0;
-    seed = to + 1;
-    db = to + SHA_DIGEST_LENGTH + 1;
-
-    SHA1(param, plen, db);
-    memset(db + SHA_DIGEST_LENGTH, 0,
-           emlen - flen - 2 * SHA_DIGEST_LENGTH - 1);
-    db[emlen - flen - SHA_DIGEST_LENGTH - 1] = 0x01;
-    memcpy(db + emlen - flen - SHA_DIGEST_LENGTH, from, (unsigned int) flen);
-    if (RAND_bytes(seed, SHA_DIGEST_LENGTH) <= 0)
-        return (0);
+        to[0] = 0;
+        seed = to + 1;
+        db = to + SHA_DIGEST_LENGTH + 1;
+
+        EVP_Digest((void *)param, plen, db, NULL, EVP_sha1(), NULL);
+        memset(db + SHA_DIGEST_LENGTH, 0,
+                emlen - flen - 2 * SHA_DIGEST_LENGTH - 1);
+        db[emlen - flen - SHA_DIGEST_LENGTH - 1] = 0x01;
+        memcpy(db + emlen - flen - SHA_DIGEST_LENGTH, from, (unsigned int) flen);
+        if (RAND_bytes(seed, SHA_DIGEST_LENGTH) <= 0)
+                return 0;
 #ifdef PKCS_TESTVECT
-    memcpy(seed,
+        memcpy(seed,
            "\xaa\xfd\x12\xf6\x59\xca\xe6\x34\x89\xb4\x79\xe5\x07\x6d\xde\xc2\xf0\x6c\xb5\x8f",
            20);
 #endif
 
-    MGF1(dbmask, emlen - SHA_DIGEST_LENGTH, seed, SHA_DIGEST_LENGTH);
-    for (i = 0; i < emlen - SHA_DIGEST_LENGTH; i++)
-        db[i] ^= dbmask[i];
+        MGF1(dbmask, emlen - SHA_DIGEST_LENGTH, seed, SHA_DIGEST_LENGTH);
+        for (i = 0; i < emlen - SHA_DIGEST_LENGTH; i++)
+                db[i] ^= dbmask[i];
 
-    MGF1(seedmask, SHA_DIGEST_LENGTH, db, emlen - SHA_DIGEST_LENGTH);
-    for (i = 0; i < SHA_DIGEST_LENGTH; i++)
-        seed[i] ^= seedmask[i];
+        MGF1(seedmask, SHA_DIGEST_LENGTH, db, emlen - SHA_DIGEST_LENGTH);
+        for (i = 0; i < SHA_DIGEST_LENGTH; i++)
+                seed[i] ^= seedmask[i];
 
-    OPENSSL_free(dbmask);
-    return (1);
-    }
+        OPENSSL_free(dbmask);
+        return 1;
+        }
 
 int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen,
-             unsigned char *from, int flen, int num, unsigned char *param,
-             int plen)
-    {
-    int i, dblen, mlen = -1;
-    unsigned char *maskeddb;
-    int lzero;
-    unsigned char *db = NULL, seed[SHA_DIGEST_LENGTH], phash[SHA_DIGEST_LENGTH];
-
-    if (--num < 2 * SHA_DIGEST_LENGTH + 1)
-        goto decoding_err;
-
-    lzero = num - flen;
-    if (lzero < 0)
-        goto decoding_err;
-    maskeddb = from - lzero + SHA_DIGEST_LENGTH;
-    
-    dblen = num - SHA_DIGEST_LENGTH;
-    db = OPENSSL_malloc(dblen);
-    if (db == NULL)
+        const unsigned char *from, int flen, int num,
+        const unsigned char *param, int plen)
         {
-        RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP, ERR_R_MALLOC_FAILURE);
-        return (-1);
-        }
+        int i, dblen, mlen = -1;
+        const unsigned char *maskeddb;
+        int lzero;
+        unsigned char *db = NULL, seed[SHA_DIGEST_LENGTH], phash[SHA_DIGEST_LENGTH];
+        int bad = 0;
+
+        if (--num < 2 * SHA_DIGEST_LENGTH + 1)
+                /* 'num' is the length of the modulus, i.e. does not depend on the
+                 * particular ciphertext. */
+                goto decoding_err;
+
+        lzero = num - flen;
+        if (lzero < 0)
+                {
+                /* lzero == -1 */
+
+                /* signalling this error immediately after detection might allow
+                 * for side-channel attacks (e.g. timing if 'plen' is huge
+                 * -- cf. James H. Manger, "A Chosen Ciphertext Attack on RSA Optimal
+                 * Asymmetric Encryption Padding (OAEP) [...]", CRYPTO 2001),
+                 * so we use a 'bad' flag */
+                bad = 1;
+                lzero = 0;
+                }
+        maskeddb = from - lzero + SHA_DIGEST_LENGTH;
+
+        dblen = num - SHA_DIGEST_LENGTH;
+        db = OPENSSL_malloc(dblen);
+        if (db == NULL)
+                {
+                RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP, ERR_R_MALLOC_FAILURE);
+                return -1;
+                }
 
-    MGF1(seed, SHA_DIGEST_LENGTH, maskeddb, dblen);
-    for (i = lzero; i < SHA_DIGEST_LENGTH; i++)
-        seed[i] ^= from[i - lzero];
+        MGF1(seed, SHA_DIGEST_LENGTH, maskeddb, dblen);
+        for (i = lzero; i < SHA_DIGEST_LENGTH; i++)
+                seed[i] ^= from[i - lzero];
   
-    MGF1(db, dblen, seed, SHA_DIGEST_LENGTH);
-    for (i = 0; i < dblen; i++)
-        db[i] ^= maskeddb[i];
+        MGF1(db, dblen, seed, SHA_DIGEST_LENGTH);
+        for (i = 0; i < dblen; i++)
+                db[i] ^= maskeddb[i];
 
-    SHA1(param, plen, phash);
+        EVP_Digest((void *)param, plen, phash, NULL, EVP_sha1(), NULL);
 
-    if (memcmp(db, phash, SHA_DIGEST_LENGTH) != 0)
-        goto decoding_err;
-    else
-        {
-        for (i = SHA_DIGEST_LENGTH; i < dblen; i++)
-            if (db[i] != 0x00)
-                break;
-        if (db[i] != 0x01 || i++ >= dblen)
-          goto decoding_err;
+        if (memcmp(db, phash, SHA_DIGEST_LENGTH) != 0 || bad)
+                goto decoding_err;
         else
-            {
-            mlen = dblen - i;
-            if (tlen < mlen)
                 {
-                RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP, RSA_R_DATA_TOO_LARGE);
-                mlen = -1;
+                for (i = SHA_DIGEST_LENGTH; i < dblen; i++)
+                        if (db[i] != 0x00)
+                                break;
+                if (db[i] != 0x01 || i++ >= dblen)
+                        goto decoding_err;
+                else
+                        {
+                        /* everything looks OK */
+
+                        mlen = dblen - i;
+                        if (tlen < mlen)
+                                {
+                                RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP, RSA_R_DATA_TOO_LARGE);
+                                mlen = -1;
+                                }
+                        else
+                                memcpy(to, db + i, mlen);
+                        }
                 }
-            else
-                memcpy(to, db + i, mlen);
-            }
-        }
-    OPENSSL_free(db);
-    return (mlen);
+        OPENSSL_free(db);
+        return mlen;
 
 decoding_err:
-    /* to avoid chosen ciphertext attacks, the error message should not reveal
-     * which kind of decoding error happened */
-    RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP, RSA_R_OAEP_DECODING_ERROR);
-    if (db != NULL) OPENSSL_free(db);
-    return -1;
-    }
-
-int MGF1(unsigned char *mask, long len, unsigned char *seed, long seedlen)
-    {
-    long i, outlen = 0;
-    unsigned char cnt[4];
-    SHA_CTX c;
-    unsigned char md[SHA_DIGEST_LENGTH];
-
-    for (i = 0; outlen < len; i++)
+        /* to avoid chosen ciphertext attacks, the error message should not reveal
+         * which kind of decoding error happened */
+        RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP, RSA_R_OAEP_DECODING_ERROR);
+        if (db != NULL) OPENSSL_free(db);
+        return -1;
+        }
+
+int MGF1(unsigned char *mask, long len,
+        const unsigned char *seed, long seedlen)
         {
-        cnt[0] = (i >> 24) & 255, cnt[1] = (i >> 16) & 255,
-          cnt[2] = (i >> 8) & 255, cnt[3] = i & 255;
-        SHA1_Init(&c);
-        SHA1_Update(&c, seed, seedlen);
-        SHA1_Update(&c, cnt, 4);
-        if (outlen + SHA_DIGEST_LENGTH <= len)
-            {
-            SHA1_Final(mask + outlen, &c);
-            outlen += SHA_DIGEST_LENGTH;
-            }
-        else
-            {
-            SHA1_Final(md, &c);
-            memcpy(mask + outlen, md, len - outlen);
-            outlen = len;
-            }
+        long i, outlen = 0;
+        unsigned char cnt[4];
+        EVP_MD_CTX c;
+        unsigned char md[SHA_DIGEST_LENGTH];
+
+        EVP_MD_CTX_init(&c);
+        for (i = 0; outlen < len; i++)
+                {
+                cnt[0] = (unsigned char)((i >> 24) & 255);
+                cnt[1] = (unsigned char)((i >> 16) & 255);
+                cnt[2] = (unsigned char)((i >> 8)) & 255;
+                cnt[3] = (unsigned char)(i & 255);
+                EVP_DigestInit_ex(&c,EVP_sha1(), NULL);
+                EVP_DigestUpdate(&c, seed, seedlen);
+                EVP_DigestUpdate(&c, cnt, 4);
+                if (outlen + SHA_DIGEST_LENGTH <= len)
+                        {
+                        EVP_DigestFinal_ex(&c, mask + outlen, NULL);
+                        outlen += SHA_DIGEST_LENGTH;
+                        }
+                else
+                        {
+                        EVP_DigestFinal_ex(&c, md, NULL);
+                        memcpy(mask + outlen, md, len - outlen);
+                        outlen = len;
+                        }
+                }
+        EVP_MD_CTX_cleanup(&c);
+        return 0;
         }
-    return (0);
-    }
 #endif
diff --git a/src/lib/libcrypto/rsa/rsa_pk1.c b/src/lib/libcrypto/rsa/rsa_pk1.c
index 48a32bc264..c1edd6764f 100644
--- a/src/lib/libcrypto/rsa/rsa_pk1.c
+++ b/src/lib/libcrypto/rsa/rsa_pk1.c
@@ -63,7 +63,7 @@
 #include <openssl/rand.h>
 
 int RSA_padding_add_PKCS1_type_1(unsigned char *to, int tlen,
-             unsigned char *from, int flen)
+             const unsigned char *from, int flen)
         {
         int j;
         unsigned char *p;
@@ -89,10 +89,10 @@ int RSA_padding_add_PKCS1_type_1(unsigned char *to, int tlen,
         }
 
 int RSA_padding_check_PKCS1_type_1(unsigned char *to, int tlen,
-             unsigned char *from, int flen, int num)
+             const unsigned char *from, int flen, int num)
         {
         int i,j;
-        unsigned char *p;
+        const unsigned char *p;
 
         p=from;
         if ((num != (flen+1)) || (*(p++) != 01))
@@ -141,7 +141,7 @@ int RSA_padding_check_PKCS1_type_1(unsigned char *to, int tlen,
         }
 
 int RSA_padding_add_PKCS1_type_2(unsigned char *to, int tlen,
-             unsigned char *from, int flen)
+             const unsigned char *from, int flen)
         {
         int i,j;
         unsigned char *p;
@@ -179,10 +179,10 @@ int RSA_padding_add_PKCS1_type_2(unsigned char *to, int tlen,
         }
 
 int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen,
-             unsigned char *from, int flen, int num)
+             const unsigned char *from, int flen, int num)
         {
         int i,j;
-        unsigned char *p;
+        const unsigned char *p;
 
         p=from;
         if ((num != (flen+1)) || (*(p++) != 02))
diff --git a/src/lib/libcrypto/rsa/rsa_saos.c b/src/lib/libcrypto/rsa/rsa_saos.c
index c77f4381ff..85adacc08f 100644
--- a/src/lib/libcrypto/rsa/rsa_saos.c
+++ b/src/lib/libcrypto/rsa/rsa_saos.c
@@ -63,8 +63,9 @@
 #include <openssl/objects.h>
 #include <openssl/x509.h>
 
-int RSA_sign_ASN1_OCTET_STRING(int type, unsigned char *m, unsigned int m_len,
-             unsigned char *sigret, unsigned int *siglen, RSA *rsa)
+int RSA_sign_ASN1_OCTET_STRING(int type,
+        const unsigned char *m, unsigned int m_len,
+        unsigned char *sigret, unsigned int *siglen, RSA *rsa)
         {
         ASN1_OCTET_STRING sig;
         int i,j,ret=1;
@@ -72,7 +73,7 @@ int RSA_sign_ASN1_OCTET_STRING(int type, unsigned char *m, unsigned int m_len,
 
         sig.type=V_ASN1_OCTET_STRING;
         sig.length=m_len;
-        sig.data=m;
+        sig.data=(unsigned char *)m;
 
         i=i2d_ASN1_OCTET_STRING(&sig,NULL);
         j=RSA_size(rsa);
@@ -100,9 +101,10 @@ int RSA_sign_ASN1_OCTET_STRING(int type, unsigned char *m, unsigned int m_len,
         return(ret);
         }
 
-int RSA_verify_ASN1_OCTET_STRING(int dtype, unsigned char *m,
-             unsigned int m_len, unsigned char *sigbuf, unsigned int siglen,
-             RSA *rsa)
+int RSA_verify_ASN1_OCTET_STRING(int dtype,
+        const unsigned char *m,
+        unsigned int m_len, unsigned char *sigbuf, unsigned int siglen,
+        RSA *rsa)
         {
         int i,ret=0;
         unsigned char *p,*s;
diff --git a/src/lib/libcrypto/rsa/rsa_sign.c b/src/lib/libcrypto/rsa/rsa_sign.c
index cf00876292..2a440901de 100644
--- a/src/lib/libcrypto/rsa/rsa_sign.c
+++ b/src/lib/libcrypto/rsa/rsa_sign.c
@@ -67,16 +67,18 @@
 /* Size of an SSL signature: MD5+SHA1 */
 #define SSL_SIG_LENGTH  36
 
-int RSA_sign(int type, unsigned char *m, unsigned int m_len,
+int RSA_sign(int type, const unsigned char *m, unsigned int m_len,
              unsigned char *sigret, unsigned int *siglen, RSA *rsa)
         {
         X509_SIG sig;
         ASN1_TYPE parameter;
         int i,j,ret=1;
-        unsigned char *p,*s = NULL;
+        unsigned char *p, *tmps = NULL;
+        const unsigned char *s = NULL;
         X509_ALGOR algor;
         ASN1_OCTET_STRING digest;
-        if(rsa->flags & RSA_FLAG_SIGN_VER)
+        if((rsa->flags & RSA_FLAG_SIGN_VER)
+              && ENGINE_get_RSA(rsa->engine)->rsa_sign)
               return ENGINE_get_RSA(rsa->engine)->rsa_sign(type,
                         m, m_len, sigret, siglen, rsa);
         /* Special case: SSL signature, just check the length */
@@ -105,7 +107,7 @@ int RSA_sign(int type, unsigned char *m, unsigned int m_len,
                 sig.algor->parameter= &parameter;
 
                 sig.digest= &digest;
-                sig.digest->data=m;
+                sig.digest->data=(unsigned char *)m; /* TMP UGLY CAST */
                 sig.digest->length=m_len;
 
                 i=i2d_X509_SIG(&sig,NULL);
@@ -117,14 +119,15 @@ int RSA_sign(int type, unsigned char *m, unsigned int m_len,
                 return(0);
                 }
         if(type != NID_md5_sha1) {
-                s=(unsigned char *)OPENSSL_malloc((unsigned int)j+1);
-                if (s == NULL)
+                tmps=(unsigned char *)OPENSSL_malloc((unsigned int)j+1);
+                if (tmps == NULL)
                         {
                         RSAerr(RSA_F_RSA_SIGN,ERR_R_MALLOC_FAILURE);
                         return(0);
                         }
-                p=s;
+                p=tmps;
                 i2d_X509_SIG(&sig,&p);
+                s=tmps;
         }
         i=RSA_private_encrypt(i,s,sigret,rsa,RSA_PKCS1_PADDING);
         if (i <= 0)
@@ -133,13 +136,13 @@ int RSA_sign(int type, unsigned char *m, unsigned int m_len,
                 *siglen=i;
 
         if(type != NID_md5_sha1) {
-                memset(s,0,(unsigned int)j+1);
-                OPENSSL_free(s);
+                memset(tmps,0,(unsigned int)j+1);
+                OPENSSL_free(tmps);
         }
         return(ret);
         }
 
-int RSA_verify(int dtype, unsigned char *m, unsigned int m_len,
+int RSA_verify(int dtype, const unsigned char *m, unsigned int m_len,
              unsigned char *sigbuf, unsigned int siglen, RSA *rsa)
         {
         int i,ret=0,sigtype;
@@ -152,7 +155,8 @@ int RSA_verify(int dtype, unsigned char *m, unsigned int m_len,
                 return(0);
                 }
 
-        if(rsa->flags & RSA_FLAG_SIGN_VER)
+        if((rsa->flags & RSA_FLAG_SIGN_VER)
+            && ENGINE_get_RSA(rsa->engine)->rsa_verify)
             return ENGINE_get_RSA(rsa->engine)->rsa_verify(dtype,
                         m, m_len, sigbuf, siglen, rsa);
 
@@ -196,9 +200,9 @@ int RSA_verify(int dtype, unsigned char *m, unsigned int m_len,
                                 (sigtype == NID_md2WithRSAEncryption)))
                                 {
                                 /* ok, we will let it through */
-        #if !defined(NO_STDIO) && !defined(WIN16)
+#if !defined(OPENSSL_NO_STDIO) && !defined(OPENSSL_SYS_WIN16)
                                 fprintf(stderr,"signature has problems, re-make with post SSLeay045\n");
-        #endif
+#endif
                                 }
                         else
                                 {
diff --git a/src/lib/libcrypto/rsa/rsa_ssl.c b/src/lib/libcrypto/rsa/rsa_ssl.c
index 482f4a8273..ea72629494 100644
--- a/src/lib/libcrypto/rsa/rsa_ssl.c
+++ b/src/lib/libcrypto/rsa/rsa_ssl.c
@@ -62,8 +62,8 @@
 #include <openssl/rsa.h>
 #include <openssl/rand.h>
 
-int RSA_padding_add_SSLv23(unsigned char *to, int tlen, unsigned char *from,
-             int flen)
+int RSA_padding_add_SSLv23(unsigned char *to, int tlen,
+        const unsigned char *from, int flen)
         {
         int i,j;
         unsigned char *p;
@@ -102,11 +102,11 @@ int RSA_padding_add_SSLv23(unsigned char *to, int tlen, unsigned char *from,
         return(1);
         }
 
-int RSA_padding_check_SSLv23(unsigned char *to, int tlen, unsigned char *from,
-             int flen, int num)
+int RSA_padding_check_SSLv23(unsigned char *to, int tlen,
+        const unsigned char *from, int flen, int num)
         {
         int i,j,k;
-        unsigned char *p;
+        const unsigned char *p;
 
         p=from;
         if (flen < 10)
diff --git a/src/lib/libcrypto/rsa/rsa_test.c b/src/lib/libcrypto/rsa/rsa_test.c
index e5ae0c1f69..b8b462d33b 100644
--- a/src/lib/libcrypto/rsa/rsa_test.c
+++ b/src/lib/libcrypto/rsa/rsa_test.c
@@ -3,12 +3,12 @@
 #include <stdio.h>
 #include <string.h>
 
-#include "openssl/e_os.h"
+#include "e_os.h"
 
 #include <openssl/crypto.h>
 #include <openssl/err.h>
 #include <openssl/rand.h>
-#ifdef NO_RSA
+#ifdef OPENSSL_NO_RSA
 int main(int argc, char *argv[])
 {
     printf("No RSA support\n");
@@ -16,6 +16,7 @@ int main(int argc, char *argv[])
 }
 #else
 #include <openssl/rsa.h>
+#include <openssl/engine.h>
 
 #define SetKey \
   key->n = BN_bin2bn(n, sizeof(n)-1, key->n); \
@@ -219,10 +220,12 @@ int main(int argc, char *argv[])
     int clen = 0;
     int num;
 
+    CRYPTO_malloc_debug_init();
+    CRYPTO_dbg_set_options(V_CRYPTO_MDEBUG_ALL);
+    CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
+
     RAND_seed(rnd_seed, sizeof rnd_seed); /* or OAEP may fail */
 
-    CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
-        
     plen = sizeof(ptext_ex) - 1;
 
     for (v = 0; v < 3; v++)
@@ -305,9 +308,10 @@ int main(int argc, char *argv[])
         RSA_free(key);
         }
 
+    CRYPTO_cleanup_all_ex_data();
     ERR_remove_state(0);
 
-    CRYPTO_mem_leaks_fp(stdout);
+    CRYPTO_mem_leaks_fp(stderr);
 
     return err;
     }
diff --git a/src/lib/libcrypto/sha/Makefile.ssl b/src/lib/libcrypto/sha/Makefile.ssl
index 790e572fa2..f203ad7681 100644
--- a/src/lib/libcrypto/sha/Makefile.ssl
+++ b/src/lib/libcrypto/sha/Makefile.ssl
@@ -12,7 +12,8 @@ INSTALL_PREFIX=
 OPENSSLDIR=     /usr/local/ssl
 INSTALLTOP=/usr/local/ssl
 MAKE=           make -f Makefile.ssl
-MAKEDEPEND=     $(TOP)/util/domd $(TOP)
+MAKEDEPPROG=    makedepend
+MAKEDEPEND=     $(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)
 MAKEFILE=       Makefile.ssl
 AR=             ar r
 
@@ -42,8 +43,7 @@ all:    lib
 
 lib:    $(LIBOBJ)
         $(AR) $(LIB) $(LIBOBJ)
-        @echo You may get an error following this line.  Please ignore.
-        - $(RANLIB) $(LIB)
+        $(RANLIB) $(LIB) || echo Never mind.
         @touch lib
 
 # elf
@@ -103,11 +103,13 @@ clean:
 
 # DO NOT DELETE THIS LINE -- make depend depends on it.
 
-sha1_one.o: ../../include/openssl/sha.h
-sha1dgst.o: ../../include/openssl/opensslconf.h
+sha1_one.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h
+sha1_one.o: ../../include/openssl/sha.h sha1_one.c
+sha1dgst.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h
 sha1dgst.o: ../../include/openssl/opensslv.h ../../include/openssl/sha.h
-sha1dgst.o: ../md32_common.h sha_locl.h
-sha_dgst.o: ../../include/openssl/opensslconf.h
+sha1dgst.o: ../md32_common.h sha1dgst.c sha_locl.h
+sha_dgst.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h
 sha_dgst.o: ../../include/openssl/opensslv.h ../../include/openssl/sha.h
-sha_dgst.o: ../md32_common.h sha_locl.h
-sha_one.o: ../../include/openssl/sha.h
+sha_dgst.o: ../md32_common.h sha_dgst.c sha_locl.h
+sha_one.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h
+sha_one.o: ../../include/openssl/sha.h sha_one.c
diff --git a/src/lib/libcrypto/sha/sha.h b/src/lib/libcrypto/sha/sha.h
index 77f6d9695e..3fd54a10cc 100644
--- a/src/lib/libcrypto/sha/sha.h
+++ b/src/lib/libcrypto/sha/sha.h
@@ -59,11 +59,13 @@
 #ifndef HEADER_SHA_H
 #define HEADER_SHA_H
 
+#include <openssl/e_os2.h>
+
 #ifdef  __cplusplus
 extern "C" {
 #endif
 
-#if defined(NO_SHA) || (defined(NO_SHA0) && defined(NO_SHA1))
+#if defined(OPENSSL_NO_SHA) || (defined(OPENSSL_NO_SHA0) && defined(OPENSSL_NO_SHA1))
 #error SHA is disabled.
 #endif
 
@@ -74,9 +76,9 @@ extern "C" {
  * !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
  */
 
-#if defined(WIN16) || defined(__LP32__)
+#if defined(OPENSSL_SYS_WIN16) || defined(__LP32__)
 #define SHA_LONG unsigned long
-#elif defined(_CRAY) || defined(__ILP64__)
+#elif defined(OPENSSL_SYS_CRAY) || defined(__ILP64__)
 #define SHA_LONG unsigned long
 #define SHA_LONG_LOG2 3
 #else
@@ -98,17 +100,17 @@ typedef struct SHAstate_st
         int num;
         } SHA_CTX;
 
-#ifndef NO_SHA0
-void SHA_Init(SHA_CTX *c);
-void SHA_Update(SHA_CTX *c, const void *data, unsigned long len);
-void SHA_Final(unsigned char *md, SHA_CTX *c);
+#ifndef OPENSSL_NO_SHA0
+int SHA_Init(SHA_CTX *c);
+int SHA_Update(SHA_CTX *c, const void *data, unsigned long len);
+int SHA_Final(unsigned char *md, SHA_CTX *c);
 unsigned char *SHA(const unsigned char *d, unsigned long n,unsigned char *md);
 void SHA_Transform(SHA_CTX *c, const unsigned char *data);
 #endif
-#ifndef NO_SHA1
-void SHA1_Init(SHA_CTX *c);
-void SHA1_Update(SHA_CTX *c, const void *data, unsigned long len);
-void SHA1_Final(unsigned char *md, SHA_CTX *c);
+#ifndef OPENSSL_NO_SHA1
+int SHA1_Init(SHA_CTX *c);
+int SHA1_Update(SHA_CTX *c, const void *data, unsigned long len);
+int SHA1_Final(unsigned char *md, SHA_CTX *c);
 unsigned char *SHA1(const unsigned char *d, unsigned long n,unsigned char *md);
 void SHA1_Transform(SHA_CTX *c, const unsigned char *data);
 #endif
diff --git a/src/lib/libcrypto/sha/sha1_one.c b/src/lib/libcrypto/sha/sha1_one.c
index 861752eaa7..e6a24888ed 100644
--- a/src/lib/libcrypto/sha/sha1_one.c
+++ b/src/lib/libcrypto/sha/sha1_one.c
@@ -60,7 +60,7 @@
 #include <string.h>
 #include <openssl/sha.h>
 
-#ifndef NO_SHA1
+#ifndef OPENSSL_NO_SHA1
 unsigned char *SHA1(const unsigned char *d, unsigned long n, unsigned char *md)
         {
         SHA_CTX c;
diff --git a/src/lib/libcrypto/sha/sha1dgst.c b/src/lib/libcrypto/sha/sha1dgst.c
index c09edb4cd7..182f65982a 100644
--- a/src/lib/libcrypto/sha/sha1dgst.c
+++ b/src/lib/libcrypto/sha/sha1dgst.c
@@ -56,7 +56,7 @@
  * [including the GNU Public Licence.]
  */
 
-#if !defined(NO_SHA1) && !defined(NO_SHA)
+#if !defined(OPENSSL_NO_SHA1) && !defined(OPENSSL_NO_SHA)
 
 #undef  SHA_0
 #define SHA_1
diff --git a/src/lib/libcrypto/sha/sha1test.c b/src/lib/libcrypto/sha/sha1test.c
index 688d06c637..499a1cf5af 100644
--- a/src/lib/libcrypto/sha/sha1test.c
+++ b/src/lib/libcrypto/sha/sha1test.c
@@ -60,13 +60,14 @@
 #include <string.h>
 #include <stdlib.h>
 
-#ifdef NO_SHA
+#ifdef OPENSSL_NO_SHA
 int main(int argc, char *argv[])
 {
     printf("No SHA support\n");
     return(0);
 }
 #else
+#include <openssl/evp.h>
 #include <openssl/sha.h>
 
 #ifdef CHARSET_EBCDIC
@@ -106,7 +107,7 @@ int main(int argc, char *argv[])
         unsigned char **P,**R;
         static unsigned char buf[1000];
         char *p,*r;
-        SHA_CTX c;
+        EVP_MD_CTX c;
         unsigned char md[SHA_DIGEST_LENGTH];
 
 #ifdef CHARSET_EBCDIC
@@ -114,12 +115,14 @@ int main(int argc, char *argv[])
         ebcdic2ascii(test[1], test[1], strlen(test[1]));
 #endif
 
+        EVP_MD_CTX_init(&c);
         P=(unsigned char **)test;
         R=(unsigned char **)ret;
         i=1;
         while (*P != NULL)
                 {
-                p=pt(SHA1(*P,(unsigned long)strlen((char *)*P),NULL));
+                EVP_Digest(*P,(unsigned long)strlen((char *)*P),md,NULL,EVP_sha1(), NULL);
+                p=pt(md);
                 if (strcmp(p,(char *)*R) != 0)
                         {
                         printf("error calculating SHA1 on '%s'\n",*P);
@@ -137,10 +140,10 @@ int main(int argc, char *argv[])
 #ifdef CHARSET_EBCDIC
         ebcdic2ascii(buf, buf, 1000);
 #endif /*CHARSET_EBCDIC*/
-        SHA1_Init(&c);
+        EVP_DigestInit_ex(&c,EVP_sha1(), NULL);
         for (i=0; i<1000; i++)
-                SHA1_Update(&c,buf,1000);
-        SHA1_Final(md,&c);
+                EVP_DigestUpdate(&c,buf,1000);
+        EVP_DigestFinal_ex(&c,md,NULL);
         p=pt(md);
 
         r=bigret;
@@ -153,6 +156,7 @@ int main(int argc, char *argv[])
         else
                 printf("test 3 ok\n");
         exit(err);
+        EVP_MD_CTX_cleanup(&c);
         return(0);
         }
 
diff --git a/src/lib/libcrypto/sha/sha_dgst.c b/src/lib/libcrypto/sha/sha_dgst.c
index 894a96274a..5a4b3ab204 100644
--- a/src/lib/libcrypto/sha/sha_dgst.c
+++ b/src/lib/libcrypto/sha/sha_dgst.c
@@ -56,7 +56,7 @@
  * [including the GNU Public Licence.]
  */
 
-#if !defined(NO_SHA0) && !defined(NO_SHA)
+#if !defined(OPENSSL_NO_SHA0) && !defined(OPENSSL_NO_SHA)
 
 #undef  SHA_1
 #define SHA_0
diff --git a/src/lib/libcrypto/sha/sha_locl.h b/src/lib/libcrypto/sha/sha_locl.h
index 2f8aef83f3..471dfb9f8f 100644
--- a/src/lib/libcrypto/sha/sha_locl.h
+++ b/src/lib/libcrypto/sha/sha_locl.h
@@ -115,7 +115,7 @@
 # endif
 
 # ifdef SHA1_ASM
-#  if defined(__i386) || defined(_M_IX86) || defined(__INTEL__)
+#  if defined(__i386) || defined(__i386__) || defined(_M_IX86) || defined(__INTEL__)
 #   define sha1_block_host_order                sha1_block_asm_host_order
 #   define DONT_IMPLEMENT_BLOCK_HOST_ORDER
 #   define sha1_block_data_order                sha1_block_asm_data_order
@@ -138,7 +138,7 @@
 #define INIT_DATA_h3 0x10325476UL
 #define INIT_DATA_h4 0xc3d2e1f0UL
 
-void HASH_INIT (SHA_CTX *c)
+int HASH_INIT (SHA_CTX *c)
         {
         c->h0=INIT_DATA_h0;
         c->h1=INIT_DATA_h1;
@@ -148,6 +148,7 @@ void HASH_INIT (SHA_CTX *c)
         c->Nl=0;
         c->Nh=0;
         c->num=0;
+        return 1;
         }
 
 #define K_00_19 0x5a827999UL
diff --git a/src/lib/libcrypto/sha/sha_one.c b/src/lib/libcrypto/sha/sha_one.c
index 2d955de162..5426faae4a 100644
--- a/src/lib/libcrypto/sha/sha_one.c
+++ b/src/lib/libcrypto/sha/sha_one.c
@@ -60,7 +60,7 @@
 #include <string.h>
 #include <openssl/sha.h>
 
-#ifndef NO_SHA0
+#ifndef OPENSSL_NO_SHA0
 unsigned char *SHA(const unsigned char *d, unsigned long n, unsigned char *md)
         {
         SHA_CTX c;
diff --git a/src/lib/libcrypto/sha/shatest.c b/src/lib/libcrypto/sha/shatest.c
index a5786bbf76..331294a74f 100644
--- a/src/lib/libcrypto/sha/shatest.c
+++ b/src/lib/libcrypto/sha/shatest.c
@@ -60,13 +60,14 @@
 #include <string.h>
 #include <stdlib.h>
 
-#ifdef NO_SHA
+#ifdef OPENSSL_NO_SHA
 int main(int argc, char *argv[])
 {
     printf("No SHA support\n");
     return(0);
 }
 #else
+#include <openssl/evp.h>
 #include <openssl/sha.h>
 
 #ifdef CHARSET_EBCDIC
@@ -106,7 +107,7 @@ int main(int argc, char *argv[])
         unsigned char **P,**R;
         static unsigned char buf[1000];
         char *p,*r;
-        SHA_CTX c;
+        EVP_MD_CTX c;
         unsigned char md[SHA_DIGEST_LENGTH];
 
 #ifdef CHARSET_EBCDIC
@@ -114,12 +115,14 @@ int main(int argc, char *argv[])
         ebcdic2ascii(test[1], test[1], strlen(test[1]));
 #endif
 
+        EVP_MD_CTX_init(&c);
         P=(unsigned char **)test;
         R=(unsigned char **)ret;
         i=1;
         while (*P != NULL)
                 {
-                p=pt(SHA(*P,(unsigned long)strlen((char *)*P),NULL));
+                EVP_Digest(*P,(unsigned long)strlen((char *)*P),md,NULL,EVP_sha(), NULL);
+                p=pt(md);
                 if (strcmp(p,(char *)*R) != 0)
                         {
                         printf("error calculating SHA on '%s'\n",*P);
@@ -137,10 +140,10 @@ int main(int argc, char *argv[])
 #ifdef CHARSET_EBCDIC
         ebcdic2ascii(buf, buf, 1000);
 #endif /*CHARSET_EBCDIC*/
-        SHA_Init(&c);
+        EVP_DigestInit_ex(&c,EVP_sha(), NULL);
         for (i=0; i<1000; i++)
-                SHA_Update(&c,buf,1000);
-        SHA_Final(md,&c);
+                EVP_DigestUpdate(&c,buf,1000);
+        EVP_DigestFinal_ex(&c,md,NULL);
         p=pt(md);
 
         r=bigret;
@@ -152,6 +155,7 @@ int main(int argc, char *argv[])
                 }
         else
                 printf("test 3 ok\n");
+        EVP_MD_CTX_cleanup(&c);
         exit(err);
         return(0);
         }
diff --git a/src/lib/libcrypto/stack/Makefile.ssl b/src/lib/libcrypto/stack/Makefile.ssl
index c916fd5451..23b24040bc 100644
--- a/src/lib/libcrypto/stack/Makefile.ssl
+++ b/src/lib/libcrypto/stack/Makefile.ssl
@@ -11,7 +11,8 @@ INSTALL_PREFIX=
 OPENSSLDIR=     /usr/local/ssl
 INSTALLTOP=/usr/local/ssl
 MAKE=           make -f Makefile.ssl
-MAKEDEPEND=     $(TOP)/util/domd $(TOP)
+MAKEDEPPROG=    makedepend
+MAKEDEPEND=     $(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)
 MAKEFILE=       Makefile.ssl
 AR=             ar r
 
@@ -39,8 +40,7 @@ all:	lib
 
 lib:    $(LIBOBJ)
         $(AR) $(LIB) $(LIBOBJ)
-        @echo You may get an error following this line.  Please ignore.
-        - $(RANLIB) $(LIB)
+        $(RANLIB) $(LIB) || echo Never mind.
         @touch lib
 
 files:
@@ -79,10 +79,10 @@ clean:
 
 # DO NOT DELETE THIS LINE -- make depend depends on it.
 
-stack.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
-stack.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+stack.o: ../../e_os.h ../../include/openssl/bio.h
+stack.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 stack.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 stack.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
 stack.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
 stack.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-stack.o: ../cryptlib.h
+stack.o: ../cryptlib.h stack.c
diff --git a/src/lib/libcrypto/stack/safestack.h b/src/lib/libcrypto/stack/safestack.h
index 9fa63e1be5..ed9ed2c23a 100644
--- a/src/lib/libcrypto/stack/safestack.h
+++ b/src/lib/libcrypto/stack/safestack.h
@@ -224,6 +224,26 @@ STACK_OF(type) \
 #define sk_ACCESS_DESCRIPTION_pop(st) SKM_sk_pop(ACCESS_DESCRIPTION, (st))
 #define sk_ACCESS_DESCRIPTION_sort(st) SKM_sk_sort(ACCESS_DESCRIPTION, (st))
 
+#define sk_ASN1_GENERALSTRING_new(st) SKM_sk_new(ASN1_GENERALSTRING, (st))
+#define sk_ASN1_GENERALSTRING_new_null() SKM_sk_new_null(ASN1_GENERALSTRING)
+#define sk_ASN1_GENERALSTRING_free(st) SKM_sk_free(ASN1_GENERALSTRING, (st))
+#define sk_ASN1_GENERALSTRING_num(st) SKM_sk_num(ASN1_GENERALSTRING, (st))
+#define sk_ASN1_GENERALSTRING_value(st, i) SKM_sk_value(ASN1_GENERALSTRING, (st), (i))
+#define sk_ASN1_GENERALSTRING_set(st, i, val) SKM_sk_set(ASN1_GENERALSTRING, (st), (i), (val))
+#define sk_ASN1_GENERALSTRING_zero(st) SKM_sk_zero(ASN1_GENERALSTRING, (st))
+#define sk_ASN1_GENERALSTRING_push(st, val) SKM_sk_push(ASN1_GENERALSTRING, (st), (val))
+#define sk_ASN1_GENERALSTRING_unshift(st, val) SKM_sk_unshift(ASN1_GENERALSTRING, (st), (val))
+#define sk_ASN1_GENERALSTRING_find(st, val) SKM_sk_find(ASN1_GENERALSTRING, (st), (val))
+#define sk_ASN1_GENERALSTRING_delete(st, i) SKM_sk_delete(ASN1_GENERALSTRING, (st), (i))
+#define sk_ASN1_GENERALSTRING_delete_ptr(st, ptr) SKM_sk_delete_ptr(ASN1_GENERALSTRING, (st), (ptr))
+#define sk_ASN1_GENERALSTRING_insert(st, val, i) SKM_sk_insert(ASN1_GENERALSTRING, (st), (val), (i))
+#define sk_ASN1_GENERALSTRING_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(ASN1_GENERALSTRING, (st), (cmp))
+#define sk_ASN1_GENERALSTRING_dup(st) SKM_sk_dup(ASN1_GENERALSTRING, st)
+#define sk_ASN1_GENERALSTRING_pop_free(st, free_func) SKM_sk_pop_free(ASN1_GENERALSTRING, (st), (free_func))
+#define sk_ASN1_GENERALSTRING_shift(st) SKM_sk_shift(ASN1_GENERALSTRING, (st))
+#define sk_ASN1_GENERALSTRING_pop(st) SKM_sk_pop(ASN1_GENERALSTRING, (st))
+#define sk_ASN1_GENERALSTRING_sort(st) SKM_sk_sort(ASN1_GENERALSTRING, (st))
+
 #define sk_ASN1_INTEGER_new(st) SKM_sk_new(ASN1_INTEGER, (st))
 #define sk_ASN1_INTEGER_new_null() SKM_sk_new_null(ASN1_INTEGER)
 #define sk_ASN1_INTEGER_free(st) SKM_sk_free(ASN1_INTEGER, (st))
@@ -304,6 +324,26 @@ STACK_OF(type) \
 #define sk_ASN1_TYPE_pop(st) SKM_sk_pop(ASN1_TYPE, (st))
 #define sk_ASN1_TYPE_sort(st) SKM_sk_sort(ASN1_TYPE, (st))
 
+#define sk_ASN1_VALUE_new(st) SKM_sk_new(ASN1_VALUE, (st))
+#define sk_ASN1_VALUE_new_null() SKM_sk_new_null(ASN1_VALUE)
+#define sk_ASN1_VALUE_free(st) SKM_sk_free(ASN1_VALUE, (st))
+#define sk_ASN1_VALUE_num(st) SKM_sk_num(ASN1_VALUE, (st))
+#define sk_ASN1_VALUE_value(st, i) SKM_sk_value(ASN1_VALUE, (st), (i))
+#define sk_ASN1_VALUE_set(st, i, val) SKM_sk_set(ASN1_VALUE, (st), (i), (val))
+#define sk_ASN1_VALUE_zero(st) SKM_sk_zero(ASN1_VALUE, (st))
+#define sk_ASN1_VALUE_push(st, val) SKM_sk_push(ASN1_VALUE, (st), (val))
+#define sk_ASN1_VALUE_unshift(st, val) SKM_sk_unshift(ASN1_VALUE, (st), (val))
+#define sk_ASN1_VALUE_find(st, val) SKM_sk_find(ASN1_VALUE, (st), (val))
+#define sk_ASN1_VALUE_delete(st, i) SKM_sk_delete(ASN1_VALUE, (st), (i))
+#define sk_ASN1_VALUE_delete_ptr(st, ptr) SKM_sk_delete_ptr(ASN1_VALUE, (st), (ptr))
+#define sk_ASN1_VALUE_insert(st, val, i) SKM_sk_insert(ASN1_VALUE, (st), (val), (i))
+#define sk_ASN1_VALUE_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(ASN1_VALUE, (st), (cmp))
+#define sk_ASN1_VALUE_dup(st) SKM_sk_dup(ASN1_VALUE, st)
+#define sk_ASN1_VALUE_pop_free(st, free_func) SKM_sk_pop_free(ASN1_VALUE, (st), (free_func))
+#define sk_ASN1_VALUE_shift(st) SKM_sk_shift(ASN1_VALUE, (st))
+#define sk_ASN1_VALUE_pop(st) SKM_sk_pop(ASN1_VALUE, (st))
+#define sk_ASN1_VALUE_sort(st) SKM_sk_sort(ASN1_VALUE, (st))
+
 #define sk_BIO_new(st) SKM_sk_new(BIO, (st))
 #define sk_BIO_new_null() SKM_sk_new_null(BIO)
 #define sk_BIO_free(st) SKM_sk_free(BIO, (st))
@@ -324,6 +364,46 @@ STACK_OF(type) \
 #define sk_BIO_pop(st) SKM_sk_pop(BIO, (st))
 #define sk_BIO_sort(st) SKM_sk_sort(BIO, (st))
 
+#define sk_CONF_IMODULE_new(st) SKM_sk_new(CONF_IMODULE, (st))
+#define sk_CONF_IMODULE_new_null() SKM_sk_new_null(CONF_IMODULE)
+#define sk_CONF_IMODULE_free(st) SKM_sk_free(CONF_IMODULE, (st))
+#define sk_CONF_IMODULE_num(st) SKM_sk_num(CONF_IMODULE, (st))
+#define sk_CONF_IMODULE_value(st, i) SKM_sk_value(CONF_IMODULE, (st), (i))
+#define sk_CONF_IMODULE_set(st, i, val) SKM_sk_set(CONF_IMODULE, (st), (i), (val))
+#define sk_CONF_IMODULE_zero(st) SKM_sk_zero(CONF_IMODULE, (st))
+#define sk_CONF_IMODULE_push(st, val) SKM_sk_push(CONF_IMODULE, (st), (val))
+#define sk_CONF_IMODULE_unshift(st, val) SKM_sk_unshift(CONF_IMODULE, (st), (val))
+#define sk_CONF_IMODULE_find(st, val) SKM_sk_find(CONF_IMODULE, (st), (val))
+#define sk_CONF_IMODULE_delete(st, i) SKM_sk_delete(CONF_IMODULE, (st), (i))
+#define sk_CONF_IMODULE_delete_ptr(st, ptr) SKM_sk_delete_ptr(CONF_IMODULE, (st), (ptr))
+#define sk_CONF_IMODULE_insert(st, val, i) SKM_sk_insert(CONF_IMODULE, (st), (val), (i))
+#define sk_CONF_IMODULE_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(CONF_IMODULE, (st), (cmp))
+#define sk_CONF_IMODULE_dup(st) SKM_sk_dup(CONF_IMODULE, st)
+#define sk_CONF_IMODULE_pop_free(st, free_func) SKM_sk_pop_free(CONF_IMODULE, (st), (free_func))
+#define sk_CONF_IMODULE_shift(st) SKM_sk_shift(CONF_IMODULE, (st))
+#define sk_CONF_IMODULE_pop(st) SKM_sk_pop(CONF_IMODULE, (st))
+#define sk_CONF_IMODULE_sort(st) SKM_sk_sort(CONF_IMODULE, (st))
+
+#define sk_CONF_MODULE_new(st) SKM_sk_new(CONF_MODULE, (st))
+#define sk_CONF_MODULE_new_null() SKM_sk_new_null(CONF_MODULE)
+#define sk_CONF_MODULE_free(st) SKM_sk_free(CONF_MODULE, (st))
+#define sk_CONF_MODULE_num(st) SKM_sk_num(CONF_MODULE, (st))
+#define sk_CONF_MODULE_value(st, i) SKM_sk_value(CONF_MODULE, (st), (i))
+#define sk_CONF_MODULE_set(st, i, val) SKM_sk_set(CONF_MODULE, (st), (i), (val))
+#define sk_CONF_MODULE_zero(st) SKM_sk_zero(CONF_MODULE, (st))
+#define sk_CONF_MODULE_push(st, val) SKM_sk_push(CONF_MODULE, (st), (val))
+#define sk_CONF_MODULE_unshift(st, val) SKM_sk_unshift(CONF_MODULE, (st), (val))
+#define sk_CONF_MODULE_find(st, val) SKM_sk_find(CONF_MODULE, (st), (val))
+#define sk_CONF_MODULE_delete(st, i) SKM_sk_delete(CONF_MODULE, (st), (i))
+#define sk_CONF_MODULE_delete_ptr(st, ptr) SKM_sk_delete_ptr(CONF_MODULE, (st), (ptr))
+#define sk_CONF_MODULE_insert(st, val, i) SKM_sk_insert(CONF_MODULE, (st), (val), (i))
+#define sk_CONF_MODULE_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(CONF_MODULE, (st), (cmp))
+#define sk_CONF_MODULE_dup(st) SKM_sk_dup(CONF_MODULE, st)
+#define sk_CONF_MODULE_pop_free(st, free_func) SKM_sk_pop_free(CONF_MODULE, (st), (free_func))
+#define sk_CONF_MODULE_shift(st) SKM_sk_shift(CONF_MODULE, (st))
+#define sk_CONF_MODULE_pop(st) SKM_sk_pop(CONF_MODULE, (st))
+#define sk_CONF_MODULE_sort(st) SKM_sk_sort(CONF_MODULE, (st))
+
 #define sk_CONF_VALUE_new(st) SKM_sk_new(CONF_VALUE, (st))
 #define sk_CONF_VALUE_new_null() SKM_sk_new_null(CONF_VALUE)
 #define sk_CONF_VALUE_free(st) SKM_sk_free(CONF_VALUE, (st))
@@ -404,6 +484,46 @@ STACK_OF(type) \
 #define sk_DIST_POINT_pop(st) SKM_sk_pop(DIST_POINT, (st))
 #define sk_DIST_POINT_sort(st) SKM_sk_sort(DIST_POINT, (st))
 
+#define sk_ENGINE_new(st) SKM_sk_new(ENGINE, (st))
+#define sk_ENGINE_new_null() SKM_sk_new_null(ENGINE)
+#define sk_ENGINE_free(st) SKM_sk_free(ENGINE, (st))
+#define sk_ENGINE_num(st) SKM_sk_num(ENGINE, (st))
+#define sk_ENGINE_value(st, i) SKM_sk_value(ENGINE, (st), (i))
+#define sk_ENGINE_set(st, i, val) SKM_sk_set(ENGINE, (st), (i), (val))
+#define sk_ENGINE_zero(st) SKM_sk_zero(ENGINE, (st))
+#define sk_ENGINE_push(st, val) SKM_sk_push(ENGINE, (st), (val))
+#define sk_ENGINE_unshift(st, val) SKM_sk_unshift(ENGINE, (st), (val))
+#define sk_ENGINE_find(st, val) SKM_sk_find(ENGINE, (st), (val))
+#define sk_ENGINE_delete(st, i) SKM_sk_delete(ENGINE, (st), (i))
+#define sk_ENGINE_delete_ptr(st, ptr) SKM_sk_delete_ptr(ENGINE, (st), (ptr))
+#define sk_ENGINE_insert(st, val, i) SKM_sk_insert(ENGINE, (st), (val), (i))
+#define sk_ENGINE_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(ENGINE, (st), (cmp))
+#define sk_ENGINE_dup(st) SKM_sk_dup(ENGINE, st)
+#define sk_ENGINE_pop_free(st, free_func) SKM_sk_pop_free(ENGINE, (st), (free_func))
+#define sk_ENGINE_shift(st) SKM_sk_shift(ENGINE, (st))
+#define sk_ENGINE_pop(st) SKM_sk_pop(ENGINE, (st))
+#define sk_ENGINE_sort(st) SKM_sk_sort(ENGINE, (st))
+
+#define sk_ENGINE_CLEANUP_ITEM_new(st) SKM_sk_new(ENGINE_CLEANUP_ITEM, (st))
+#define sk_ENGINE_CLEANUP_ITEM_new_null() SKM_sk_new_null(ENGINE_CLEANUP_ITEM)
+#define sk_ENGINE_CLEANUP_ITEM_free(st) SKM_sk_free(ENGINE_CLEANUP_ITEM, (st))
+#define sk_ENGINE_CLEANUP_ITEM_num(st) SKM_sk_num(ENGINE_CLEANUP_ITEM, (st))
+#define sk_ENGINE_CLEANUP_ITEM_value(st, i) SKM_sk_value(ENGINE_CLEANUP_ITEM, (st), (i))
+#define sk_ENGINE_CLEANUP_ITEM_set(st, i, val) SKM_sk_set(ENGINE_CLEANUP_ITEM, (st), (i), (val))
+#define sk_ENGINE_CLEANUP_ITEM_zero(st) SKM_sk_zero(ENGINE_CLEANUP_ITEM, (st))
+#define sk_ENGINE_CLEANUP_ITEM_push(st, val) SKM_sk_push(ENGINE_CLEANUP_ITEM, (st), (val))
+#define sk_ENGINE_CLEANUP_ITEM_unshift(st, val) SKM_sk_unshift(ENGINE_CLEANUP_ITEM, (st), (val))
+#define sk_ENGINE_CLEANUP_ITEM_find(st, val) SKM_sk_find(ENGINE_CLEANUP_ITEM, (st), (val))
+#define sk_ENGINE_CLEANUP_ITEM_delete(st, i) SKM_sk_delete(ENGINE_CLEANUP_ITEM, (st), (i))
+#define sk_ENGINE_CLEANUP_ITEM_delete_ptr(st, ptr) SKM_sk_delete_ptr(ENGINE_CLEANUP_ITEM, (st), (ptr))
+#define sk_ENGINE_CLEANUP_ITEM_insert(st, val, i) SKM_sk_insert(ENGINE_CLEANUP_ITEM, (st), (val), (i))
+#define sk_ENGINE_CLEANUP_ITEM_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(ENGINE_CLEANUP_ITEM, (st), (cmp))
+#define sk_ENGINE_CLEANUP_ITEM_dup(st) SKM_sk_dup(ENGINE_CLEANUP_ITEM, st)
+#define sk_ENGINE_CLEANUP_ITEM_pop_free(st, free_func) SKM_sk_pop_free(ENGINE_CLEANUP_ITEM, (st), (free_func))
+#define sk_ENGINE_CLEANUP_ITEM_shift(st) SKM_sk_shift(ENGINE_CLEANUP_ITEM, (st))
+#define sk_ENGINE_CLEANUP_ITEM_pop(st) SKM_sk_pop(ENGINE_CLEANUP_ITEM, (st))
+#define sk_ENGINE_CLEANUP_ITEM_sort(st) SKM_sk_sort(ENGINE_CLEANUP_ITEM, (st))
+
 #define sk_GENERAL_NAME_new(st) SKM_sk_new(GENERAL_NAME, (st))
 #define sk_GENERAL_NAME_new_null() SKM_sk_new_null(GENERAL_NAME)
 #define sk_GENERAL_NAME_free(st) SKM_sk_free(GENERAL_NAME, (st))
@@ -424,6 +544,166 @@ STACK_OF(type) \
 #define sk_GENERAL_NAME_pop(st) SKM_sk_pop(GENERAL_NAME, (st))
 #define sk_GENERAL_NAME_sort(st) SKM_sk_sort(GENERAL_NAME, (st))
 
+#define sk_KRB5_APREQBODY_new(st) SKM_sk_new(KRB5_APREQBODY, (st))
+#define sk_KRB5_APREQBODY_new_null() SKM_sk_new_null(KRB5_APREQBODY)
+#define sk_KRB5_APREQBODY_free(st) SKM_sk_free(KRB5_APREQBODY, (st))
+#define sk_KRB5_APREQBODY_num(st) SKM_sk_num(KRB5_APREQBODY, (st))
+#define sk_KRB5_APREQBODY_value(st, i) SKM_sk_value(KRB5_APREQBODY, (st), (i))
+#define sk_KRB5_APREQBODY_set(st, i, val) SKM_sk_set(KRB5_APREQBODY, (st), (i), (val))
+#define sk_KRB5_APREQBODY_zero(st) SKM_sk_zero(KRB5_APREQBODY, (st))
+#define sk_KRB5_APREQBODY_push(st, val) SKM_sk_push(KRB5_APREQBODY, (st), (val))
+#define sk_KRB5_APREQBODY_unshift(st, val) SKM_sk_unshift(KRB5_APREQBODY, (st), (val))
+#define sk_KRB5_APREQBODY_find(st, val) SKM_sk_find(KRB5_APREQBODY, (st), (val))
+#define sk_KRB5_APREQBODY_delete(st, i) SKM_sk_delete(KRB5_APREQBODY, (st), (i))
+#define sk_KRB5_APREQBODY_delete_ptr(st, ptr) SKM_sk_delete_ptr(KRB5_APREQBODY, (st), (ptr))
+#define sk_KRB5_APREQBODY_insert(st, val, i) SKM_sk_insert(KRB5_APREQBODY, (st), (val), (i))
+#define sk_KRB5_APREQBODY_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(KRB5_APREQBODY, (st), (cmp))
+#define sk_KRB5_APREQBODY_dup(st) SKM_sk_dup(KRB5_APREQBODY, st)
+#define sk_KRB5_APREQBODY_pop_free(st, free_func) SKM_sk_pop_free(KRB5_APREQBODY, (st), (free_func))
+#define sk_KRB5_APREQBODY_shift(st) SKM_sk_shift(KRB5_APREQBODY, (st))
+#define sk_KRB5_APREQBODY_pop(st) SKM_sk_pop(KRB5_APREQBODY, (st))
+#define sk_KRB5_APREQBODY_sort(st) SKM_sk_sort(KRB5_APREQBODY, (st))
+
+#define sk_KRB5_AUTHDATA_new(st) SKM_sk_new(KRB5_AUTHDATA, (st))
+#define sk_KRB5_AUTHDATA_new_null() SKM_sk_new_null(KRB5_AUTHDATA)
+#define sk_KRB5_AUTHDATA_free(st) SKM_sk_free(KRB5_AUTHDATA, (st))
+#define sk_KRB5_AUTHDATA_num(st) SKM_sk_num(KRB5_AUTHDATA, (st))
+#define sk_KRB5_AUTHDATA_value(st, i) SKM_sk_value(KRB5_AUTHDATA, (st), (i))
+#define sk_KRB5_AUTHDATA_set(st, i, val) SKM_sk_set(KRB5_AUTHDATA, (st), (i), (val))
+#define sk_KRB5_AUTHDATA_zero(st) SKM_sk_zero(KRB5_AUTHDATA, (st))
+#define sk_KRB5_AUTHDATA_push(st, val) SKM_sk_push(KRB5_AUTHDATA, (st), (val))
+#define sk_KRB5_AUTHDATA_unshift(st, val) SKM_sk_unshift(KRB5_AUTHDATA, (st), (val))
+#define sk_KRB5_AUTHDATA_find(st, val) SKM_sk_find(KRB5_AUTHDATA, (st), (val))
+#define sk_KRB5_AUTHDATA_delete(st, i) SKM_sk_delete(KRB5_AUTHDATA, (st), (i))
+#define sk_KRB5_AUTHDATA_delete_ptr(st, ptr) SKM_sk_delete_ptr(KRB5_AUTHDATA, (st), (ptr))
+#define sk_KRB5_AUTHDATA_insert(st, val, i) SKM_sk_insert(KRB5_AUTHDATA, (st), (val), (i))
+#define sk_KRB5_AUTHDATA_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(KRB5_AUTHDATA, (st), (cmp))
+#define sk_KRB5_AUTHDATA_dup(st) SKM_sk_dup(KRB5_AUTHDATA, st)
+#define sk_KRB5_AUTHDATA_pop_free(st, free_func) SKM_sk_pop_free(KRB5_AUTHDATA, (st), (free_func))
+#define sk_KRB5_AUTHDATA_shift(st) SKM_sk_shift(KRB5_AUTHDATA, (st))
+#define sk_KRB5_AUTHDATA_pop(st) SKM_sk_pop(KRB5_AUTHDATA, (st))
+#define sk_KRB5_AUTHDATA_sort(st) SKM_sk_sort(KRB5_AUTHDATA, (st))
+
+#define sk_KRB5_AUTHENTBODY_new(st) SKM_sk_new(KRB5_AUTHENTBODY, (st))
+#define sk_KRB5_AUTHENTBODY_new_null() SKM_sk_new_null(KRB5_AUTHENTBODY)
+#define sk_KRB5_AUTHENTBODY_free(st) SKM_sk_free(KRB5_AUTHENTBODY, (st))
+#define sk_KRB5_AUTHENTBODY_num(st) SKM_sk_num(KRB5_AUTHENTBODY, (st))
+#define sk_KRB5_AUTHENTBODY_value(st, i) SKM_sk_value(KRB5_AUTHENTBODY, (st), (i))
+#define sk_KRB5_AUTHENTBODY_set(st, i, val) SKM_sk_set(KRB5_AUTHENTBODY, (st), (i), (val))
+#define sk_KRB5_AUTHENTBODY_zero(st) SKM_sk_zero(KRB5_AUTHENTBODY, (st))
+#define sk_KRB5_AUTHENTBODY_push(st, val) SKM_sk_push(KRB5_AUTHENTBODY, (st), (val))
+#define sk_KRB5_AUTHENTBODY_unshift(st, val) SKM_sk_unshift(KRB5_AUTHENTBODY, (st), (val))
+#define sk_KRB5_AUTHENTBODY_find(st, val) SKM_sk_find(KRB5_AUTHENTBODY, (st), (val))
+#define sk_KRB5_AUTHENTBODY_delete(st, i) SKM_sk_delete(KRB5_AUTHENTBODY, (st), (i))
+#define sk_KRB5_AUTHENTBODY_delete_ptr(st, ptr) SKM_sk_delete_ptr(KRB5_AUTHENTBODY, (st), (ptr))
+#define sk_KRB5_AUTHENTBODY_insert(st, val, i) SKM_sk_insert(KRB5_AUTHENTBODY, (st), (val), (i))
+#define sk_KRB5_AUTHENTBODY_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(KRB5_AUTHENTBODY, (st), (cmp))
+#define sk_KRB5_AUTHENTBODY_dup(st) SKM_sk_dup(KRB5_AUTHENTBODY, st)
+#define sk_KRB5_AUTHENTBODY_pop_free(st, free_func) SKM_sk_pop_free(KRB5_AUTHENTBODY, (st), (free_func))
+#define sk_KRB5_AUTHENTBODY_shift(st) SKM_sk_shift(KRB5_AUTHENTBODY, (st))
+#define sk_KRB5_AUTHENTBODY_pop(st) SKM_sk_pop(KRB5_AUTHENTBODY, (st))
+#define sk_KRB5_AUTHENTBODY_sort(st) SKM_sk_sort(KRB5_AUTHENTBODY, (st))
+
+#define sk_KRB5_CHECKSUM_new(st) SKM_sk_new(KRB5_CHECKSUM, (st))
+#define sk_KRB5_CHECKSUM_new_null() SKM_sk_new_null(KRB5_CHECKSUM)
+#define sk_KRB5_CHECKSUM_free(st) SKM_sk_free(KRB5_CHECKSUM, (st))
+#define sk_KRB5_CHECKSUM_num(st) SKM_sk_num(KRB5_CHECKSUM, (st))
+#define sk_KRB5_CHECKSUM_value(st, i) SKM_sk_value(KRB5_CHECKSUM, (st), (i))
+#define sk_KRB5_CHECKSUM_set(st, i, val) SKM_sk_set(KRB5_CHECKSUM, (st), (i), (val))
+#define sk_KRB5_CHECKSUM_zero(st) SKM_sk_zero(KRB5_CHECKSUM, (st))
+#define sk_KRB5_CHECKSUM_push(st, val) SKM_sk_push(KRB5_CHECKSUM, (st), (val))
+#define sk_KRB5_CHECKSUM_unshift(st, val) SKM_sk_unshift(KRB5_CHECKSUM, (st), (val))
+#define sk_KRB5_CHECKSUM_find(st, val) SKM_sk_find(KRB5_CHECKSUM, (st), (val))
+#define sk_KRB5_CHECKSUM_delete(st, i) SKM_sk_delete(KRB5_CHECKSUM, (st), (i))
+#define sk_KRB5_CHECKSUM_delete_ptr(st, ptr) SKM_sk_delete_ptr(KRB5_CHECKSUM, (st), (ptr))
+#define sk_KRB5_CHECKSUM_insert(st, val, i) SKM_sk_insert(KRB5_CHECKSUM, (st), (val), (i))
+#define sk_KRB5_CHECKSUM_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(KRB5_CHECKSUM, (st), (cmp))
+#define sk_KRB5_CHECKSUM_dup(st) SKM_sk_dup(KRB5_CHECKSUM, st)
+#define sk_KRB5_CHECKSUM_pop_free(st, free_func) SKM_sk_pop_free(KRB5_CHECKSUM, (st), (free_func))
+#define sk_KRB5_CHECKSUM_shift(st) SKM_sk_shift(KRB5_CHECKSUM, (st))
+#define sk_KRB5_CHECKSUM_pop(st) SKM_sk_pop(KRB5_CHECKSUM, (st))
+#define sk_KRB5_CHECKSUM_sort(st) SKM_sk_sort(KRB5_CHECKSUM, (st))
+
+#define sk_KRB5_ENCDATA_new(st) SKM_sk_new(KRB5_ENCDATA, (st))
+#define sk_KRB5_ENCDATA_new_null() SKM_sk_new_null(KRB5_ENCDATA)
+#define sk_KRB5_ENCDATA_free(st) SKM_sk_free(KRB5_ENCDATA, (st))
+#define sk_KRB5_ENCDATA_num(st) SKM_sk_num(KRB5_ENCDATA, (st))
+#define sk_KRB5_ENCDATA_value(st, i) SKM_sk_value(KRB5_ENCDATA, (st), (i))
+#define sk_KRB5_ENCDATA_set(st, i, val) SKM_sk_set(KRB5_ENCDATA, (st), (i), (val))
+#define sk_KRB5_ENCDATA_zero(st) SKM_sk_zero(KRB5_ENCDATA, (st))
+#define sk_KRB5_ENCDATA_push(st, val) SKM_sk_push(KRB5_ENCDATA, (st), (val))
+#define sk_KRB5_ENCDATA_unshift(st, val) SKM_sk_unshift(KRB5_ENCDATA, (st), (val))
+#define sk_KRB5_ENCDATA_find(st, val) SKM_sk_find(KRB5_ENCDATA, (st), (val))
+#define sk_KRB5_ENCDATA_delete(st, i) SKM_sk_delete(KRB5_ENCDATA, (st), (i))
+#define sk_KRB5_ENCDATA_delete_ptr(st, ptr) SKM_sk_delete_ptr(KRB5_ENCDATA, (st), (ptr))
+#define sk_KRB5_ENCDATA_insert(st, val, i) SKM_sk_insert(KRB5_ENCDATA, (st), (val), (i))
+#define sk_KRB5_ENCDATA_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(KRB5_ENCDATA, (st), (cmp))
+#define sk_KRB5_ENCDATA_dup(st) SKM_sk_dup(KRB5_ENCDATA, st)
+#define sk_KRB5_ENCDATA_pop_free(st, free_func) SKM_sk_pop_free(KRB5_ENCDATA, (st), (free_func))
+#define sk_KRB5_ENCDATA_shift(st) SKM_sk_shift(KRB5_ENCDATA, (st))
+#define sk_KRB5_ENCDATA_pop(st) SKM_sk_pop(KRB5_ENCDATA, (st))
+#define sk_KRB5_ENCDATA_sort(st) SKM_sk_sort(KRB5_ENCDATA, (st))
+
+#define sk_KRB5_ENCKEY_new(st) SKM_sk_new(KRB5_ENCKEY, (st))
+#define sk_KRB5_ENCKEY_new_null() SKM_sk_new_null(KRB5_ENCKEY)
+#define sk_KRB5_ENCKEY_free(st) SKM_sk_free(KRB5_ENCKEY, (st))
+#define sk_KRB5_ENCKEY_num(st) SKM_sk_num(KRB5_ENCKEY, (st))
+#define sk_KRB5_ENCKEY_value(st, i) SKM_sk_value(KRB5_ENCKEY, (st), (i))
+#define sk_KRB5_ENCKEY_set(st, i, val) SKM_sk_set(KRB5_ENCKEY, (st), (i), (val))
+#define sk_KRB5_ENCKEY_zero(st) SKM_sk_zero(KRB5_ENCKEY, (st))
+#define sk_KRB5_ENCKEY_push(st, val) SKM_sk_push(KRB5_ENCKEY, (st), (val))
+#define sk_KRB5_ENCKEY_unshift(st, val) SKM_sk_unshift(KRB5_ENCKEY, (st), (val))
+#define sk_KRB5_ENCKEY_find(st, val) SKM_sk_find(KRB5_ENCKEY, (st), (val))
+#define sk_KRB5_ENCKEY_delete(st, i) SKM_sk_delete(KRB5_ENCKEY, (st), (i))
+#define sk_KRB5_ENCKEY_delete_ptr(st, ptr) SKM_sk_delete_ptr(KRB5_ENCKEY, (st), (ptr))
+#define sk_KRB5_ENCKEY_insert(st, val, i) SKM_sk_insert(KRB5_ENCKEY, (st), (val), (i))
+#define sk_KRB5_ENCKEY_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(KRB5_ENCKEY, (st), (cmp))
+#define sk_KRB5_ENCKEY_dup(st) SKM_sk_dup(KRB5_ENCKEY, st)
+#define sk_KRB5_ENCKEY_pop_free(st, free_func) SKM_sk_pop_free(KRB5_ENCKEY, (st), (free_func))
+#define sk_KRB5_ENCKEY_shift(st) SKM_sk_shift(KRB5_ENCKEY, (st))
+#define sk_KRB5_ENCKEY_pop(st) SKM_sk_pop(KRB5_ENCKEY, (st))
+#define sk_KRB5_ENCKEY_sort(st) SKM_sk_sort(KRB5_ENCKEY, (st))
+
+#define sk_KRB5_PRINCNAME_new(st) SKM_sk_new(KRB5_PRINCNAME, (st))
+#define sk_KRB5_PRINCNAME_new_null() SKM_sk_new_null(KRB5_PRINCNAME)
+#define sk_KRB5_PRINCNAME_free(st) SKM_sk_free(KRB5_PRINCNAME, (st))
+#define sk_KRB5_PRINCNAME_num(st) SKM_sk_num(KRB5_PRINCNAME, (st))
+#define sk_KRB5_PRINCNAME_value(st, i) SKM_sk_value(KRB5_PRINCNAME, (st), (i))
+#define sk_KRB5_PRINCNAME_set(st, i, val) SKM_sk_set(KRB5_PRINCNAME, (st), (i), (val))
+#define sk_KRB5_PRINCNAME_zero(st) SKM_sk_zero(KRB5_PRINCNAME, (st))
+#define sk_KRB5_PRINCNAME_push(st, val) SKM_sk_push(KRB5_PRINCNAME, (st), (val))
+#define sk_KRB5_PRINCNAME_unshift(st, val) SKM_sk_unshift(KRB5_PRINCNAME, (st), (val))
+#define sk_KRB5_PRINCNAME_find(st, val) SKM_sk_find(KRB5_PRINCNAME, (st), (val))
+#define sk_KRB5_PRINCNAME_delete(st, i) SKM_sk_delete(KRB5_PRINCNAME, (st), (i))
+#define sk_KRB5_PRINCNAME_delete_ptr(st, ptr) SKM_sk_delete_ptr(KRB5_PRINCNAME, (st), (ptr))
+#define sk_KRB5_PRINCNAME_insert(st, val, i) SKM_sk_insert(KRB5_PRINCNAME, (st), (val), (i))
+#define sk_KRB5_PRINCNAME_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(KRB5_PRINCNAME, (st), (cmp))
+#define sk_KRB5_PRINCNAME_dup(st) SKM_sk_dup(KRB5_PRINCNAME, st)
+#define sk_KRB5_PRINCNAME_pop_free(st, free_func) SKM_sk_pop_free(KRB5_PRINCNAME, (st), (free_func))
+#define sk_KRB5_PRINCNAME_shift(st) SKM_sk_shift(KRB5_PRINCNAME, (st))
+#define sk_KRB5_PRINCNAME_pop(st) SKM_sk_pop(KRB5_PRINCNAME, (st))
+#define sk_KRB5_PRINCNAME_sort(st) SKM_sk_sort(KRB5_PRINCNAME, (st))
+
+#define sk_KRB5_TKTBODY_new(st) SKM_sk_new(KRB5_TKTBODY, (st))
+#define sk_KRB5_TKTBODY_new_null() SKM_sk_new_null(KRB5_TKTBODY)
+#define sk_KRB5_TKTBODY_free(st) SKM_sk_free(KRB5_TKTBODY, (st))
+#define sk_KRB5_TKTBODY_num(st) SKM_sk_num(KRB5_TKTBODY, (st))
+#define sk_KRB5_TKTBODY_value(st, i) SKM_sk_value(KRB5_TKTBODY, (st), (i))
+#define sk_KRB5_TKTBODY_set(st, i, val) SKM_sk_set(KRB5_TKTBODY, (st), (i), (val))
+#define sk_KRB5_TKTBODY_zero(st) SKM_sk_zero(KRB5_TKTBODY, (st))
+#define sk_KRB5_TKTBODY_push(st, val) SKM_sk_push(KRB5_TKTBODY, (st), (val))
+#define sk_KRB5_TKTBODY_unshift(st, val) SKM_sk_unshift(KRB5_TKTBODY, (st), (val))
+#define sk_KRB5_TKTBODY_find(st, val) SKM_sk_find(KRB5_TKTBODY, (st), (val))
+#define sk_KRB5_TKTBODY_delete(st, i) SKM_sk_delete(KRB5_TKTBODY, (st), (i))
+#define sk_KRB5_TKTBODY_delete_ptr(st, ptr) SKM_sk_delete_ptr(KRB5_TKTBODY, (st), (ptr))
+#define sk_KRB5_TKTBODY_insert(st, val, i) SKM_sk_insert(KRB5_TKTBODY, (st), (val), (i))
+#define sk_KRB5_TKTBODY_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(KRB5_TKTBODY, (st), (cmp))
+#define sk_KRB5_TKTBODY_dup(st) SKM_sk_dup(KRB5_TKTBODY, st)
+#define sk_KRB5_TKTBODY_pop_free(st, free_func) SKM_sk_pop_free(KRB5_TKTBODY, (st), (free_func))
+#define sk_KRB5_TKTBODY_shift(st) SKM_sk_shift(KRB5_TKTBODY, (st))
+#define sk_KRB5_TKTBODY_pop(st) SKM_sk_pop(KRB5_TKTBODY, (st))
+#define sk_KRB5_TKTBODY_sort(st) SKM_sk_sort(KRB5_TKTBODY, (st))
+
 #define sk_MIME_HEADER_new(st) SKM_sk_new(MIME_HEADER, (st))
 #define sk_MIME_HEADER_new_null() SKM_sk_new_null(MIME_HEADER)
 #define sk_MIME_HEADER_free(st) SKM_sk_free(MIME_HEADER, (st))
@@ -484,6 +764,66 @@ STACK_OF(type) \
 #define sk_NAME_FUNCS_pop(st) SKM_sk_pop(NAME_FUNCS, (st))
 #define sk_NAME_FUNCS_sort(st) SKM_sk_sort(NAME_FUNCS, (st))
 
+#define sk_OCSP_CERTID_new(st) SKM_sk_new(OCSP_CERTID, (st))
+#define sk_OCSP_CERTID_new_null() SKM_sk_new_null(OCSP_CERTID)
+#define sk_OCSP_CERTID_free(st) SKM_sk_free(OCSP_CERTID, (st))
+#define sk_OCSP_CERTID_num(st) SKM_sk_num(OCSP_CERTID, (st))
+#define sk_OCSP_CERTID_value(st, i) SKM_sk_value(OCSP_CERTID, (st), (i))
+#define sk_OCSP_CERTID_set(st, i, val) SKM_sk_set(OCSP_CERTID, (st), (i), (val))
+#define sk_OCSP_CERTID_zero(st) SKM_sk_zero(OCSP_CERTID, (st))
+#define sk_OCSP_CERTID_push(st, val) SKM_sk_push(OCSP_CERTID, (st), (val))
+#define sk_OCSP_CERTID_unshift(st, val) SKM_sk_unshift(OCSP_CERTID, (st), (val))
+#define sk_OCSP_CERTID_find(st, val) SKM_sk_find(OCSP_CERTID, (st), (val))
+#define sk_OCSP_CERTID_delete(st, i) SKM_sk_delete(OCSP_CERTID, (st), (i))
+#define sk_OCSP_CERTID_delete_ptr(st, ptr) SKM_sk_delete_ptr(OCSP_CERTID, (st), (ptr))
+#define sk_OCSP_CERTID_insert(st, val, i) SKM_sk_insert(OCSP_CERTID, (st), (val), (i))
+#define sk_OCSP_CERTID_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(OCSP_CERTID, (st), (cmp))
+#define sk_OCSP_CERTID_dup(st) SKM_sk_dup(OCSP_CERTID, st)
+#define sk_OCSP_CERTID_pop_free(st, free_func) SKM_sk_pop_free(OCSP_CERTID, (st), (free_func))
+#define sk_OCSP_CERTID_shift(st) SKM_sk_shift(OCSP_CERTID, (st))
+#define sk_OCSP_CERTID_pop(st) SKM_sk_pop(OCSP_CERTID, (st))
+#define sk_OCSP_CERTID_sort(st) SKM_sk_sort(OCSP_CERTID, (st))
+
+#define sk_OCSP_ONEREQ_new(st) SKM_sk_new(OCSP_ONEREQ, (st))
+#define sk_OCSP_ONEREQ_new_null() SKM_sk_new_null(OCSP_ONEREQ)
+#define sk_OCSP_ONEREQ_free(st) SKM_sk_free(OCSP_ONEREQ, (st))
+#define sk_OCSP_ONEREQ_num(st) SKM_sk_num(OCSP_ONEREQ, (st))
+#define sk_OCSP_ONEREQ_value(st, i) SKM_sk_value(OCSP_ONEREQ, (st), (i))
+#define sk_OCSP_ONEREQ_set(st, i, val) SKM_sk_set(OCSP_ONEREQ, (st), (i), (val))
+#define sk_OCSP_ONEREQ_zero(st) SKM_sk_zero(OCSP_ONEREQ, (st))
+#define sk_OCSP_ONEREQ_push(st, val) SKM_sk_push(OCSP_ONEREQ, (st), (val))
+#define sk_OCSP_ONEREQ_unshift(st, val) SKM_sk_unshift(OCSP_ONEREQ, (st), (val))
+#define sk_OCSP_ONEREQ_find(st, val) SKM_sk_find(OCSP_ONEREQ, (st), (val))
+#define sk_OCSP_ONEREQ_delete(st, i) SKM_sk_delete(OCSP_ONEREQ, (st), (i))
+#define sk_OCSP_ONEREQ_delete_ptr(st, ptr) SKM_sk_delete_ptr(OCSP_ONEREQ, (st), (ptr))
+#define sk_OCSP_ONEREQ_insert(st, val, i) SKM_sk_insert(OCSP_ONEREQ, (st), (val), (i))
+#define sk_OCSP_ONEREQ_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(OCSP_ONEREQ, (st), (cmp))
+#define sk_OCSP_ONEREQ_dup(st) SKM_sk_dup(OCSP_ONEREQ, st)
+#define sk_OCSP_ONEREQ_pop_free(st, free_func) SKM_sk_pop_free(OCSP_ONEREQ, (st), (free_func))
+#define sk_OCSP_ONEREQ_shift(st) SKM_sk_shift(OCSP_ONEREQ, (st))
+#define sk_OCSP_ONEREQ_pop(st) SKM_sk_pop(OCSP_ONEREQ, (st))
+#define sk_OCSP_ONEREQ_sort(st) SKM_sk_sort(OCSP_ONEREQ, (st))
+
+#define sk_OCSP_SINGLERESP_new(st) SKM_sk_new(OCSP_SINGLERESP, (st))
+#define sk_OCSP_SINGLERESP_new_null() SKM_sk_new_null(OCSP_SINGLERESP)
+#define sk_OCSP_SINGLERESP_free(st) SKM_sk_free(OCSP_SINGLERESP, (st))
+#define sk_OCSP_SINGLERESP_num(st) SKM_sk_num(OCSP_SINGLERESP, (st))
+#define sk_OCSP_SINGLERESP_value(st, i) SKM_sk_value(OCSP_SINGLERESP, (st), (i))
+#define sk_OCSP_SINGLERESP_set(st, i, val) SKM_sk_set(OCSP_SINGLERESP, (st), (i), (val))
+#define sk_OCSP_SINGLERESP_zero(st) SKM_sk_zero(OCSP_SINGLERESP, (st))
+#define sk_OCSP_SINGLERESP_push(st, val) SKM_sk_push(OCSP_SINGLERESP, (st), (val))
+#define sk_OCSP_SINGLERESP_unshift(st, val) SKM_sk_unshift(OCSP_SINGLERESP, (st), (val))
+#define sk_OCSP_SINGLERESP_find(st, val) SKM_sk_find(OCSP_SINGLERESP, (st), (val))
+#define sk_OCSP_SINGLERESP_delete(st, i) SKM_sk_delete(OCSP_SINGLERESP, (st), (i))
+#define sk_OCSP_SINGLERESP_delete_ptr(st, ptr) SKM_sk_delete_ptr(OCSP_SINGLERESP, (st), (ptr))
+#define sk_OCSP_SINGLERESP_insert(st, val, i) SKM_sk_insert(OCSP_SINGLERESP, (st), (val), (i))
+#define sk_OCSP_SINGLERESP_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(OCSP_SINGLERESP, (st), (cmp))
+#define sk_OCSP_SINGLERESP_dup(st) SKM_sk_dup(OCSP_SINGLERESP, st)
+#define sk_OCSP_SINGLERESP_pop_free(st, free_func) SKM_sk_pop_free(OCSP_SINGLERESP, (st), (free_func))
+#define sk_OCSP_SINGLERESP_shift(st) SKM_sk_shift(OCSP_SINGLERESP, (st))
+#define sk_OCSP_SINGLERESP_pop(st) SKM_sk_pop(OCSP_SINGLERESP, (st))
+#define sk_OCSP_SINGLERESP_sort(st) SKM_sk_sort(OCSP_SINGLERESP, (st))
+
 #define sk_PKCS12_SAFEBAG_new(st) SKM_sk_new(PKCS12_SAFEBAG, (st))
 #define sk_PKCS12_SAFEBAG_new_null() SKM_sk_new_null(PKCS12_SAFEBAG)
 #define sk_PKCS12_SAFEBAG_free(st) SKM_sk_free(PKCS12_SAFEBAG, (st))
@@ -664,6 +1004,26 @@ STACK_OF(type) \
 #define sk_SXNETID_pop(st) SKM_sk_pop(SXNETID, (st))
 #define sk_SXNETID_sort(st) SKM_sk_sort(SXNETID, (st))
 
+#define sk_UI_STRING_new(st) SKM_sk_new(UI_STRING, (st))
+#define sk_UI_STRING_new_null() SKM_sk_new_null(UI_STRING)
+#define sk_UI_STRING_free(st) SKM_sk_free(UI_STRING, (st))
+#define sk_UI_STRING_num(st) SKM_sk_num(UI_STRING, (st))
+#define sk_UI_STRING_value(st, i) SKM_sk_value(UI_STRING, (st), (i))
+#define sk_UI_STRING_set(st, i, val) SKM_sk_set(UI_STRING, (st), (i), (val))
+#define sk_UI_STRING_zero(st) SKM_sk_zero(UI_STRING, (st))
+#define sk_UI_STRING_push(st, val) SKM_sk_push(UI_STRING, (st), (val))
+#define sk_UI_STRING_unshift(st, val) SKM_sk_unshift(UI_STRING, (st), (val))
+#define sk_UI_STRING_find(st, val) SKM_sk_find(UI_STRING, (st), (val))
+#define sk_UI_STRING_delete(st, i) SKM_sk_delete(UI_STRING, (st), (i))
+#define sk_UI_STRING_delete_ptr(st, ptr) SKM_sk_delete_ptr(UI_STRING, (st), (ptr))
+#define sk_UI_STRING_insert(st, val, i) SKM_sk_insert(UI_STRING, (st), (val), (i))
+#define sk_UI_STRING_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(UI_STRING, (st), (cmp))
+#define sk_UI_STRING_dup(st) SKM_sk_dup(UI_STRING, st)
+#define sk_UI_STRING_pop_free(st, free_func) SKM_sk_pop_free(UI_STRING, (st), (free_func))
+#define sk_UI_STRING_shift(st) SKM_sk_shift(UI_STRING, (st))
+#define sk_UI_STRING_pop(st) SKM_sk_pop(UI_STRING, (st))
+#define sk_UI_STRING_sort(st) SKM_sk_sort(UI_STRING, (st))
+
 #define sk_X509_new(st) SKM_sk_new(X509, (st))
 #define sk_X509_new_null() SKM_sk_new_null(X509)
 #define sk_X509_free(st) SKM_sk_free(X509, (st))
@@ -998,6 +1358,24 @@ STACK_OF(type) \
 #define ASN1_seq_unpack_GENERAL_NAME(buf, len, d2i_func, free_func) \
         SKM_ASN1_seq_unpack(GENERAL_NAME, (buf), (len), (d2i_func), (free_func))
 
+#define d2i_ASN1_SET_OF_OCSP_ONEREQ(st, pp, length, d2i_func, free_func, ex_tag, ex_class) \
+        SKM_ASN1_SET_OF_d2i(OCSP_ONEREQ, (st), (pp), (length), (d2i_func), (free_func), (ex_tag), (ex_class)) 
+#define i2d_ASN1_SET_OF_OCSP_ONEREQ(st, pp, i2d_func, ex_tag, ex_class, is_set) \
+        SKM_ASN1_SET_OF_i2d(OCSP_ONEREQ, (st), (pp), (i2d_func), (ex_tag), (ex_class), (is_set))
+#define ASN1_seq_pack_OCSP_ONEREQ(st, i2d_func, buf, len) \
+        SKM_ASN1_seq_pack(OCSP_ONEREQ, (st), (i2d_func), (buf), (len))
+#define ASN1_seq_unpack_OCSP_ONEREQ(buf, len, d2i_func, free_func) \
+        SKM_ASN1_seq_unpack(OCSP_ONEREQ, (buf), (len), (d2i_func), (free_func))
+
+#define d2i_ASN1_SET_OF_OCSP_SINGLERESP(st, pp, length, d2i_func, free_func, ex_tag, ex_class) \
+        SKM_ASN1_SET_OF_d2i(OCSP_SINGLERESP, (st), (pp), (length), (d2i_func), (free_func), (ex_tag), (ex_class)) 
+#define i2d_ASN1_SET_OF_OCSP_SINGLERESP(st, pp, i2d_func, ex_tag, ex_class, is_set) \
+        SKM_ASN1_SET_OF_i2d(OCSP_SINGLERESP, (st), (pp), (i2d_func), (ex_tag), (ex_class), (is_set))
+#define ASN1_seq_pack_OCSP_SINGLERESP(st, i2d_func, buf, len) \
+        SKM_ASN1_seq_pack(OCSP_SINGLERESP, (st), (i2d_func), (buf), (len))
+#define ASN1_seq_unpack_OCSP_SINGLERESP(buf, len, d2i_func, free_func) \
+        SKM_ASN1_seq_unpack(OCSP_SINGLERESP, (buf), (len), (d2i_func), (free_func))
+
 #define d2i_ASN1_SET_OF_PKCS12_SAFEBAG(st, pp, length, d2i_func, free_func, ex_tag, ex_class) \
         SKM_ASN1_SET_OF_d2i(PKCS12_SAFEBAG, (st), (pp), (length), (d2i_func), (free_func), (ex_tag), (ex_class)) 
 #define i2d_ASN1_SET_OF_PKCS12_SAFEBAG(st, pp, i2d_func, ex_tag, ex_class, is_set) \
diff --git a/src/lib/libcrypto/stack/stack.c b/src/lib/libcrypto/stack/stack.c
index 02857f0446..2496f28a8c 100644
--- a/src/lib/libcrypto/stack/stack.c
+++ b/src/lib/libcrypto/stack/stack.c
@@ -106,6 +106,8 @@ STACK *sk_dup(STACK *sk)
         ret->comp=sk->comp;
         return(ret);
 err:
+        if(ret)
+                sk_free(ret);
         return(NULL);
         }
 
@@ -120,9 +122,9 @@ STACK *sk_new(int (*c)(const char * const *, const char * const *))
         int i;
 
         if ((ret=(STACK *)OPENSSL_malloc(sizeof(STACK))) == NULL)
-                goto err0;
+                goto err;
         if ((ret->data=(char **)OPENSSL_malloc(sizeof(char *)*MIN_NODES)) == NULL)
-                goto err1;
+                goto err;
         for (i=0; i<MIN_NODES; i++)
                 ret->data[i]=NULL;
         ret->comp=c;
@@ -130,9 +132,9 @@ STACK *sk_new(int (*c)(const char * const *, const char * const *))
         ret->num=0;
         ret->sorted=0;
         return(ret);
-err1:
-        OPENSSL_free(ret);
-err0:
+err:
+        if(ret)
+                OPENSSL_free(ret);
         return(NULL);
         }
 
@@ -316,7 +318,7 @@ char *sk_set(STACK *st, int i, char *value)
 
 void sk_sort(STACK *st)
         {
-        if (!st->sorted)
+        if (st && !st->sorted)
                 {
                 int (*comp_func)(const void *,const void *);
 
diff --git a/src/lib/libcrypto/symhacks.h b/src/lib/libcrypto/symhacks.h
index 358ad355bb..de0f452b47 100644
--- a/src/lib/libcrypto/symhacks.h
+++ b/src/lib/libcrypto/symhacks.h
@@ -55,10 +55,18 @@
 #ifndef HEADER_SYMHACKS_H
 #define HEADER_SYMHACKS_H
 
+#include <openssl/e_os2.h>
+
 /* Hacks to solve the problem with linkers incapable of handling very long
    symbol names.  In the case of VMS, the limit is 31 characters on VMS for
    VAX. */
-#ifdef VMS
+#ifdef OPENSSL_SYS_VMS
+
+/* Hack a long name in crypto/ex_data.c */
+#undef CRYPTO_get_ex_data_implementation
+#define CRYPTO_get_ex_data_implementation       CRYPTO_get_ex_data_impl
+#undef CRYPTO_set_ex_data_implementation
+#define CRYPTO_set_ex_data_implementation       CRYPTO_set_ex_data_impl
 
 /* Hack a long name in crypto/asn1/a_mbstr.c */
 #undef ASN1_STRING_set_default_mask_asc
@@ -121,33 +129,146 @@
 #define X509_REVOKED_get_ext_by_critical        X509_REVOKED_get_ext_by_critic
 
 /* Hack some long CRYPTO names */
+#undef CRYPTO_set_dynlock_destroy_callback
 #define CRYPTO_set_dynlock_destroy_callback     CRYPTO_set_dynlock_destroy_cb
+#undef CRYPTO_set_dynlock_create_callback
 #define CRYPTO_set_dynlock_create_callback      CRYPTO_set_dynlock_create_cb
+#undef CRYPTO_set_dynlock_lock_callback
 #define CRYPTO_set_dynlock_lock_callback        CRYPTO_set_dynlock_lock_cb
+#undef CRYPTO_get_dynlock_lock_callback
 #define CRYPTO_get_dynlock_lock_callback        CRYPTO_get_dynlock_lock_cb
+#undef CRYPTO_get_dynlock_destroy_callback
 #define CRYPTO_get_dynlock_destroy_callback     CRYPTO_get_dynlock_destroy_cb
+#undef CRYPTO_get_dynlock_create_callback
 #define CRYPTO_get_dynlock_create_callback      CRYPTO_get_dynlock_create_cb
+#undef CRYPTO_set_locked_mem_ex_functions
+#define CRYPTO_set_locked_mem_ex_functions      CRYPTO_set_locked_mem_ex_funcs
+#undef CRYPTO_get_locked_mem_ex_functions
+#define CRYPTO_get_locked_mem_ex_functions      CRYPTO_get_locked_mem_ex_funcs
 
 /* Hack some long SSL names */
+#undef SSL_CTX_set_default_verify_paths
 #define SSL_CTX_set_default_verify_paths        SSL_CTX_set_def_verify_paths
+#undef SSL_get_ex_data_X509_STORE_CTX_idx
 #define SSL_get_ex_data_X509_STORE_CTX_idx      SSL_get_ex_d_X509_STORE_CTX_idx
+#undef SSL_add_file_cert_subjects_to_stack
 #define SSL_add_file_cert_subjects_to_stack     SSL_add_file_cert_subjs_to_stk
+#if 0 /* This function is not defined i VMS. */
+#undef SSL_add_dir_cert_subjects_to_stack
 #define SSL_add_dir_cert_subjects_to_stack      SSL_add_dir_cert_subjs_to_stk
+#endif
+#undef SSL_CTX_use_certificate_chain_file
 #define SSL_CTX_use_certificate_chain_file      SSL_CTX_use_cert_chain_file
+#undef SSL_CTX_set_cert_verify_callback
 #define SSL_CTX_set_cert_verify_callback        SSL_CTX_set_cert_verify_cb
+#undef SSL_CTX_set_default_passwd_cb_userdata
 #define SSL_CTX_set_default_passwd_cb_userdata  SSL_CTX_set_def_passwd_cb_ud
 
 /* Hack some long ENGINE names */
-#define ENGINE_get_default_BN_mod_exp_crt       ENGINE_get_def_BN_mod_exp_crt
-#define ENGINE_set_default_BN_mod_exp_crt       ENGINE_set_def_BN_mod_exp_crt
+#undef ENGINE_get_default_BN_mod_exp_crt
+#define ENGINE_get_default_BN_mod_exp_crt       ENGINE_get_def_BN_mod_exp_crt
+#undef ENGINE_set_default_BN_mod_exp_crt
+#define ENGINE_set_default_BN_mod_exp_crt       ENGINE_set_def_BN_mod_exp_crt
+#undef ENGINE_set_load_privkey_function
+#define ENGINE_set_load_privkey_function        ENGINE_set_load_privkey_fn
+#undef ENGINE_get_load_privkey_function
+#define ENGINE_get_load_privkey_function        ENGINE_get_load_privkey_fn
+
+/* Hack some long OCSP names */
+#undef OCSP_REQUEST_get_ext_by_critical
+#define OCSP_REQUEST_get_ext_by_critical        OCSP_REQUEST_get_ext_by_crit
+#undef OCSP_BASICRESP_get_ext_by_critical
+#define OCSP_BASICRESP_get_ext_by_critical      OCSP_BASICRESP_get_ext_by_crit
+#undef OCSP_SINGLERESP_get_ext_by_critical
+#define OCSP_SINGLERESP_get_ext_by_critical     OCSP_SINGLERESP_get_ext_by_crit
+
+/* Hack some long DES names */
+#undef _ossl_old_des_ede3_cfb64_encrypt
+#define _ossl_old_des_ede3_cfb64_encrypt        _ossl_odes_ede3_cfb64_encrypt
+#undef _ossl_old_des_ede3_ofb64_encrypt
+#define _ossl_old_des_ede3_ofb64_encrypt        _ossl_odes_ede3_ofb64_encrypt
 
-#endif /* defined VMS */
+/* Hack some long EVP names */
+#undef OPENSSL_add_all_algorithms_noconf
+#define OPENSSL_add_all_algorithms_noconf       OPENSSL_add_all_algo_noconf
+#undef OPENSSL_add_all_algorithms_conf
+#define OPENSSL_add_all_algorithms_conf         OPENSSL_add_all_algo_conf
+
+/* Hack some long EC names */
+#undef EC_POINT_set_Jprojective_coordinates_GFp
+#define EC_POINT_set_Jprojective_coordinates_GFp \
+                                                EC_POINT_set_Jproj_coords_GFp
+#undef EC_POINT_get_Jprojective_coordinates_GFp
+#define EC_POINT_get_Jprojective_coordinates_GFp \
+                                                EC_POINT_get_Jproj_coords_GFp
+#undef EC_POINT_set_affine_coordinates_GFp
+#define EC_POINT_set_affine_coordinates_GFp     EC_POINT_set_affine_coords_GFp
+#undef EC_POINT_get_affine_coordinates_GFp
+#define EC_POINT_get_affine_coordinates_GFp     EC_POINT_get_affine_coords_GFp
+#undef EC_POINT_set_compressed_coordinates_GFp
+#define EC_POINT_set_compressed_coordinates_GFp EC_POINT_set_compr_coords_GFp
+#undef ec_GFp_simple_group_set_curve_GFp
+#define ec_GFp_simple_group_set_curve_GFp       ec_GFp_simple_grp_set_curve_GFp
+#undef ec_GFp_simple_group_get_curve_GFp
+#define ec_GFp_simple_group_get_curve_GFp       ec_GFp_simple_grp_get_curve_GFp
+#undef ec_GFp_simple_group_clear_finish
+#define ec_GFp_simple_group_clear_finish        ec_GFp_simple_grp_clear_finish
+#undef ec_GFp_simple_group_set_generator
+#define ec_GFp_simple_group_set_generator       ec_GFp_simple_grp_set_generator
+#undef ec_GFp_simple_group_get0_generator
+#define ec_GFp_simple_group_get0_generator      ec_GFp_simple_grp_gt0_generator
+#undef ec_GFp_simple_group_get_cofactor
+#define ec_GFp_simple_group_get_cofactor        ec_GFp_simple_grp_get_cofactor
+#undef ec_GFp_simple_point_clear_finish
+#define ec_GFp_simple_point_clear_finish        ec_GFp_simple_pt_clear_finish
+#undef ec_GFp_simple_point_set_to_infinity
+#define ec_GFp_simple_point_set_to_infinity     ec_GFp_simple_pt_set_to_inf
+#undef ec_GFp_simple_points_make_affine
+#define ec_GFp_simple_points_make_affine        ec_GFp_simple_pts_make_affine
+#undef ec_GFp_simple_group_get_curve_GFp
+#define ec_GFp_simple_group_get_curve_GFp       ec_GFp_simple_grp_get_curve_GFp
+#undef ec_GFp_simple_set_Jprojective_coordinates_GFp
+#define ec_GFp_simple_set_Jprojective_coordinates_GFp \
+                                                ec_GFp_smp_set_Jproj_coords_GFp
+#undef ec_GFp_simple_get_Jprojective_coordinates_GFp
+#define ec_GFp_simple_get_Jprojective_coordinates_GFp \
+                                                ec_GFp_smp_get_Jproj_coords_GFp
+#undef ec_GFp_simple_point_set_affine_coordinates_GFp
+#define ec_GFp_simple_point_set_affine_coordinates_GFp \
+                                                ec_GFp_smp_pt_set_af_coords_GFp
+#undef ec_GFp_simple_point_get_affine_coordinates_GFp
+#define ec_GFp_simple_point_get_affine_coordinates_GFp \
+                                                ec_GFp_smp_pt_get_af_coords_GFp
+#undef ec_GFp_simple_set_compressed_coordinates_GFp
+#define ec_GFp_simple_set_compressed_coordinates_GFp \
+                                                ec_GFp_smp_set_compr_coords_GFp
+
+#endif /* defined OPENSSL_SYS_VMS */
 
 
 /* Case insensiteve linking causes problems.... */
-#if defined(WIN16) || defined(VMS)
+#if defined(OPENSSL_SYS_WIN16) || defined(OPENSSL_SYS_VMS)
 #undef ERR_load_CRYPTO_strings
 #define ERR_load_CRYPTO_strings                 ERR_load_CRYPTOlib_strings
+#undef OCSP_crlID_new
+#define OCSP_crlID_new                          OCSP_crlID2_new
+
+/* These functions do not seem to exist!  However, I'm paranoid...
+   Original command in x509v3.h:
+   These functions are being redefined in another directory,
+   and clash when the linker is case-insensitive, so let's
+   hide them a little, by giving them an extra 'o' at the
+   beginning of the name... */
+#undef X509v3_cleanup_extensions
+#define X509v3_cleanup_extensions               oX509v3_cleanup_extensions
+#undef X509v3_add_extension
+#define X509v3_add_extension                    oX509v3_add_extension
+#undef X509v3_add_netscape_extensions
+#define X509v3_add_netscape_extensions          oX509v3_add_netscape_extensions
+#undef X509v3_add_standard_extensions
+#define X509v3_add_standard_extensions          oX509v3_add_standard_extensions
+
+
 #endif
 
 
diff --git a/src/lib/libcrypto/threads/mttest.c b/src/lib/libcrypto/threads/mttest.c
index 019add4d9c..c474a63c74 100644
--- a/src/lib/libcrypto/threads/mttest.c
+++ b/src/lib/libcrypto/threads/mttest.c
@@ -63,7 +63,7 @@
 #ifdef LINUX
 #include <typedefs.h>
 #endif
-#ifdef WIN32
+#ifdef OPENSSL_SYS_WIN32
 #include <windows.h>
 #endif
 #ifdef SOLARIS
@@ -86,7 +86,7 @@
 #include <openssl/err.h>
 #include <openssl/rand.h>
 
-#ifdef NO_FP_API
+#ifdef OPENSSL_NO_FP_API
 #define APPS_WIN16
 #include "../buffer/bss_file.c"
 #endif
@@ -692,7 +692,7 @@ int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx)
 
 #define THREAD_STACK_SIZE (16*1024)
 
-#ifdef WIN32
+#ifdef OPENSSL_SYS_WIN32
 
 static HANDLE *lock_cs;
 
@@ -783,7 +783,7 @@ void do_threads(SSL_CTX *s_ctx, SSL_CTX *c_ctx)
         printf("win32 threads done - %.3f seconds\n",ret);
         }
 
-#endif /* WIN32 */
+#endif /* OPENSSL_SYS_WIN32 */
 
 #ifdef SOLARIS
 
diff --git a/src/lib/libcrypto/threads/th-lock.c b/src/lib/libcrypto/threads/th-lock.c
index 553d2218de..a6a79b9f45 100644
--- a/src/lib/libcrypto/threads/th-lock.c
+++ b/src/lib/libcrypto/threads/th-lock.c
@@ -63,7 +63,7 @@
 #ifdef LINUX
 #include <typedefs.h>
 #endif
-#ifdef WIN32
+#ifdef OPENSSL_SYS_WIN32
 #include <windows.h>
 #endif
 #ifdef SOLARIS
@@ -105,7 +105,7 @@ static unsigned long pthreads_thread_id(void );
 
 #define THREAD_STACK_SIZE (16*1024)
 
-#ifdef WIN32
+#ifdef OPENSSL_SYS_WIN32
 
 static HANDLE *lock_cs;
 
@@ -146,7 +146,7 @@ void win32_locking_callback(int mode, int type, char *file, int line)
                 }
         }
 
-#endif /* WIN32 */
+#endif /* OPENSSL_SYS_WIN32 */
 
 #ifdef SOLARIS
 
diff --git a/src/lib/libcrypto/tmdiff.c b/src/lib/libcrypto/tmdiff.c
index 7773928666..7ebf2b202a 100644
--- a/src/lib/libcrypto/tmdiff.c
+++ b/src/lib/libcrypto/tmdiff.c
@@ -61,16 +61,12 @@
 #include <openssl/tmdiff.h>
 
 #ifdef TIMEB
-#undef WIN32
+#undef OPENSSL_SYS_WIN32
 #undef TIMES
 #endif
 
-#ifndef MSDOS
-#  ifndef WIN32
-#    if !defined(VMS) || defined(__DECC)
-#      define TIMES
-#    endif
-#  endif
+#if !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_WIN32) && !defined(OPENSSL_SYS_VMS) || defined(__DECC) && !defined(OPENSSL_SYS_MACOSX) && !defined(OPENSSL_SYS_VXWORKS)
+# define TIMES
 #endif
 
 #ifndef _IRIX
@@ -85,7 +81,7 @@
    The __TMS macro will show if it was.  If it wasn't defined, we should
    undefine TIMES, since that tells the rest of the program how things
    should be handled.                           -- Richard Levitte */
-#if defined(VMS) && defined(__DECC) && !defined(__TMS)
+#if defined(OPENSSL_SYS_VMS_DECC) && !defined(__TMS)
 #undef TIMES
 #endif
 
@@ -95,11 +91,11 @@
 #include <sys/param.h>
 #endif
 
-#ifndef TIMES
+#if !defined(TIMES) && !defined(OPENSSL_SYS_VXWORKS)
 #include <sys/timeb.h>
 #endif
 
-#ifdef WIN32
+#ifdef OPENSSL_SYS_WIN32
 #include <windows.h>
 #endif
 
@@ -121,11 +117,15 @@ typedef struct ms_tm
 #ifdef TIMES
         struct tms ms_tms;
 #else
-#  ifdef WIN32
+#  ifdef OPENSSL_SYS_WIN32
         HANDLE thread_id;
         FILETIME ms_win32;
 #  else
+#    ifdef OPENSSL_SYS_VSWORKS
+          unsigned long ticks;
+#    else
         struct timeb ms_timeb;
+#    endif
 #  endif
 #endif
         } MS_TM;
@@ -138,7 +138,7 @@ char *ms_time_new(void)
         if (ret == NULL)
                 return(NULL);
         memset(ret,0,sizeof(MS_TM));
-#ifdef WIN32
+#ifdef OPENSSL_SYS_WIN32
         ret->thread_id=GetCurrentThread();
 #endif
         return((char *)ret);
@@ -153,17 +153,21 @@ void ms_time_free(char *a)
 void ms_time_get(char *a)
         {
         MS_TM *tm=(MS_TM *)a;
-#ifdef WIN32
+#ifdef OPENSSL_SYS_WIN32
         FILETIME tmpa,tmpb,tmpc;
 #endif
 
 #ifdef TIMES
         times(&tm->ms_tms);
 #else
-#  ifdef WIN32
+#  ifdef OPENSSL_SYS_WIN32
         GetThreadTimes(tm->thread_id,&tmpa,&tmpb,&tmpc,&(tm->ms_win32));
 #  else
+#    ifdef OPENSSL_SYS_VSWORKS
+        tm->ticks = tickGet();
+#    else
         ftime(&tm->ms_timeb);
+#    endif
 #  endif
 #endif
         }
@@ -177,7 +181,7 @@ double ms_time_diff(char *ap, char *bp)
 #ifdef TIMES
         ret=(b->ms_tms.tms_utime-a->ms_tms.tms_utime)/HZ;
 #else
-# ifdef WIN32
+# ifdef OPENSSL_SYS_WIN32
         {
 #ifdef __GNUC__
         signed long long la,lb;
@@ -193,10 +197,14 @@ double ms_time_diff(char *ap, char *bp)
         ret=((double)(lb-la))/1e7;
         }
 # else
+#  ifdef OPENSSL_SYS_VSWORKS
+        ret = (double)(b->ticks - a->ticks) / (double)sysClkRateGet();
+#  else
         ret=     (double)(b->ms_timeb.time-a->ms_timeb.time)+
                 (((double)b->ms_timeb.millitm)-
                 ((double)a->ms_timeb.millitm))/1000.0;
 #  endif
+# endif
 #endif
         return((ret < 0.0000001)?0.0000001:ret);
         }
@@ -210,13 +218,17 @@ int ms_time_cmp(char *ap, char *bp)
 #ifdef TIMES
         d=(b->ms_tms.tms_utime-a->ms_tms.tms_utime)/HZ;
 #else
-# ifdef WIN32
+# ifdef OPENSSL_SYS_WIN32
         d =(b->ms_win32.dwHighDateTime&0x000fffff)*10+b->ms_win32.dwLowDateTime/1e7;
         d-=(a->ms_win32.dwHighDateTime&0x000fffff)*10+a->ms_win32.dwLowDateTime/1e7;
 # else
+#  ifdef OPENSSL_SYS_VSWORKS
+        d = (b->ticks - a->ticks);
+#  else
         d=       (double)(b->ms_timeb.time-a->ms_timeb.time)+
                 (((double)b->ms_timeb.millitm)-(double)a->ms_timeb.millitm)/1000.0;
 #  endif
+# endif
 #endif
         if (d == 0.0)
                 ret=0;
diff --git a/src/lib/libcrypto/txt_db/Makefile.ssl b/src/lib/libcrypto/txt_db/Makefile.ssl
index ee054e91f2..8af2fa4cd6 100644
--- a/src/lib/libcrypto/txt_db/Makefile.ssl
+++ b/src/lib/libcrypto/txt_db/Makefile.ssl
@@ -11,7 +11,8 @@ INSTALL_PREFIX=
 OPENSSLDIR=     /usr/local/ssl
 INSTALLTOP=/usr/local/ssl
 MAKE=           make -f Makefile.ssl
-MAKEDEPEND=     $(TOP)/util/domd $(TOP)
+MAKEDEPPROG=    makedepend
+MAKEDEPEND=     $(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)
 MAKEFILE=       Makefile.ssl
 AR=             ar r
 
@@ -39,8 +40,7 @@ all:	lib
 
 lib:    $(LIBOBJ)
         $(AR) $(LIB) $(LIBOBJ)
-        @echo You may get an error following this line.  Please ignore.
-        - $(RANLIB) $(LIB)
+        $(RANLIB) $(LIB) || echo Never mind.
         @touch lib
 
 files:
@@ -79,10 +79,10 @@ clean:
 
 # DO NOT DELETE THIS LINE -- make depend depends on it.
 
-txt_db.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
-txt_db.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+txt_db.o: ../../e_os.h ../../include/openssl/bio.h
+txt_db.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 txt_db.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 txt_db.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
 txt_db.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
 txt_db.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-txt_db.o: ../../include/openssl/txt_db.h ../cryptlib.h
+txt_db.o: ../../include/openssl/txt_db.h ../cryptlib.h txt_db.c
diff --git a/src/lib/libcrypto/txt_db/txt_db.c b/src/lib/libcrypto/txt_db/txt_db.c
index 3b04fe280c..e6334d6add 100644
--- a/src/lib/libcrypto/txt_db/txt_db.c
+++ b/src/lib/libcrypto/txt_db/txt_db.c
@@ -155,7 +155,7 @@ TXT_DB *TXT_DB_read(BIO *in, int num)
                 *(p++)='\0';
                 if ((n != num) || (*f != '\0'))
                         {
-#if !defined(NO_STDIO) && !defined(WIN16)       /* temporaty fix :-( */
+#if !defined(OPENSSL_NO_STDIO) && !defined(OPENSSL_SYS_WIN16)   /* temporaty fix :-( */
                         fprintf(stderr,"wrong number of fields on line %ld (looking for field %d, got %d, '%s' left)\n",ln,num,n,f);
 #endif
                         er=2;
@@ -164,7 +164,7 @@ TXT_DB *TXT_DB_read(BIO *in, int num)
                 pp[n]=p;
                 if (!sk_push(ret->data,(char *)pp))
                         {
-#if !defined(NO_STDIO) && !defined(WIN16)       /* temporaty fix :-( */
+#if !defined(OPENSSL_NO_STDIO) && !defined(OPENSSL_SYS_WIN16)   /* temporaty fix :-( */
                         fprintf(stderr,"failure in sk_push\n");
 #endif
                         er=2;
@@ -176,7 +176,7 @@ err:
         BUF_MEM_free(buf);
         if (er)
                 {
-#if !defined(NO_STDIO) && !defined(WIN16)
+#if !defined(OPENSSL_NO_STDIO) && !defined(OPENSSL_SYS_WIN16)
                 if (er == 1) fprintf(stderr,"OPENSSL_malloc failure\n");
 #endif
                 if (ret->data != NULL) sk_free(ret->data);
@@ -211,7 +211,7 @@ char **TXT_DB_get_by_index(TXT_DB *db, int idx, char **value)
         }
 
 int TXT_DB_create_index(TXT_DB *db, int field, int (*qual)(),
-             unsigned long (*hash)(), int (*cmp)())
+                LHASH_HASH_FN_TYPE hash, LHASH_COMP_FN_TYPE cmp)
         {
         LHASH *idx;
         char *r;
diff --git a/src/lib/libcrypto/txt_db/txt_db.h b/src/lib/libcrypto/txt_db/txt_db.h
index 342533d40d..563392aeff 100644
--- a/src/lib/libcrypto/txt_db/txt_db.h
+++ b/src/lib/libcrypto/txt_db/txt_db.h
@@ -59,7 +59,7 @@
 #ifndef HEADER_TXT_DB_H
 #define HEADER_TXT_DB_H
 
-#ifndef NO_BIO
+#ifndef OPENSSL_NO_BIO
 #include <openssl/bio.h>
 #endif
 #include <openssl/stack.h>
@@ -88,7 +88,7 @@ typedef struct txt_db_st
         char **arg_row;
         } TXT_DB;
 
-#ifndef NO_BIO
+#ifndef OPENSSL_NO_BIO
 TXT_DB *TXT_DB_read(BIO *in, int num);
 long TXT_DB_write(BIO *out, TXT_DB *db);
 #else
@@ -96,7 +96,7 @@ TXT_DB *TXT_DB_read(char *in, int num);
 long TXT_DB_write(char *out, TXT_DB *db);
 #endif
 int TXT_DB_create_index(TXT_DB *db,int field,int (*qual)(),
-         unsigned long (*hash)(),int (*cmp)());
+                LHASH_HASH_FN_TYPE hash, LHASH_COMP_FN_TYPE cmp);
 void TXT_DB_free(TXT_DB *db);
 char **TXT_DB_get_by_index(TXT_DB *db, int idx, char **value);
 int TXT_DB_insert(TXT_DB *db,char **value);
diff --git a/src/lib/libcrypto/ui/Makefile.ssl b/src/lib/libcrypto/ui/Makefile.ssl
new file mode 100644
index 0000000000..d51c1ff67a
--- /dev/null
+++ b/src/lib/libcrypto/ui/Makefile.ssl
@@ -0,0 +1,117 @@
+#
+# OpenSSL/crypto/ui/Makefile
+#
+
+DIR=    ui
+TOP=    ../..
+CC=     cc
+INCLUDES= -I.. -I$(TOP) -I../../include
+CFLAG=-g
+INSTALL_PREFIX=
+OPENSSLDIR=     /usr/local/ssl
+INSTALLTOP=/usr/local/ssl
+MAKE=           make -f Makefile.ssl
+MAKEDEPPROG=    makedepend
+MAKEDEPEND=     $(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)
+MAKEFILE=       Makefile.ssl
+AR=             ar r
+
+CFLAGS= $(INCLUDES) $(CFLAG)
+
+GENERAL=Makefile
+#TEST= uitest.c
+TEST=
+APPS=
+
+COMPATSRC= ui_compat.c
+COMPATOBJ= ui_compat.o
+
+LIB=$(TOP)/libcrypto.a
+LIBSRC= ui_err.c ui_lib.c ui_openssl.c ui_util.c $(COMPATSRC)
+LIBOBJ= ui_err.o ui_lib.o ui_openssl.o ui_util.o $(COMPATOBJ)
+
+SRC= $(LIBSRC)
+
+EXHEADER= ui.h ui_compat.h
+HEADER= $(EXHEADER) ui_locl.h
+
+ALL=    $(GENERAL) $(SRC) $(HEADER)
+
+top:
+        (cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
+
+all:    lib
+
+lib:    $(LIBOBJ)
+        $(AR) $(LIB) $(LIBOBJ)
+        $(RANLIB) $(LIB)
+        @touch lib
+
+files:
+        $(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO
+
+links:
+        @$(TOP)/util/point.sh Makefile.ssl Makefile
+        @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
+        @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
+        @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
+
+install:
+        @for i in $(EXHEADER) ; \
+        do  \
+        (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
+        chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
+        done;
+
+tags:
+        ctags $(SRC)
+
+tests:
+
+lint:
+        lint -DLINT $(INCLUDES) $(SRC)>fluff
+
+depend:
+        $(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+
+dclean:
+        $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
+        mv -f Makefile.new $(MAKEFILE)
+
+clean:
+        rm -f *.o */*.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
+
+# DO NOT DELETE THIS LINE -- make depend depends on it.
+
+ui_compat.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+ui_compat.o: ../../include/openssl/opensslconf.h
+ui_compat.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+ui_compat.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+ui_compat.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
+ui_compat.o: ui_compat.c
+ui_err.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
+ui_err.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+ui_err.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
+ui_err.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+ui_err.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+ui_err.o: ../../include/openssl/ui.h ui_err.c
+ui_lib.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+ui_lib.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+ui_lib.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+ui_lib.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+ui_lib.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+ui_lib.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h ui_lib.c
+ui_lib.o: ui_locl.h
+ui_openssl.o: ../../e_os.h ../../include/openssl/bio.h
+ui_openssl.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+ui_openssl.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+ui_openssl.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
+ui_openssl.o: ../../include/openssl/opensslv.h
+ui_openssl.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+ui_openssl.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
+ui_openssl.o: ../cryptlib.h ui_locl.h ui_openssl.c
+ui_util.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+ui_util.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+ui_util.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+ui_util.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
+ui_util.o: ui_util.c
diff --git a/src/lib/libcrypto/ui/ui.h b/src/lib/libcrypto/ui/ui.h
new file mode 100644
index 0000000000..735a2d988e
--- /dev/null
+++ b/src/lib/libcrypto/ui/ui.h
@@ -0,0 +1,387 @@
+/* crypto/ui/ui.h -*- mode:C; c-file-style: "eay" -*- */
+/* Written by Richard Levitte (richard@levitte.org) for the OpenSSL
+ * project 2001.
+ */
+/* ====================================================================
+ * Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#ifndef HEADER_UI_H
+#define HEADER_UI_H
+
+#include <openssl/crypto.h>
+#include <openssl/safestack.h>
+
+#ifdef  __cplusplus
+extern "C" {
+#endif
+
+/* The UI type is a holder for a specific user interface session.  It can
+   contain an illimited number of informational or error strings as well
+   as things to prompt for, both passwords (noecho mode) and others (echo
+   mode), and verification of the same.  All of these are called strings,
+   and are further described below. */
+typedef struct ui_st UI;
+
+/* All instances of UI have a reference to a method structure, which is a
+   ordered vector of functions that implement the lower level things to do.
+   There is an instruction on the implementation further down, in the section
+   for method implementors. */
+typedef struct ui_method_st UI_METHOD;
+
+
+/* All the following functions return -1 or NULL on error and in some cases
+   (UI_process()) -2 if interrupted or in some other way cancelled.
+   When everything is fine, they return 0, a positive value or a non-NULL
+   pointer, all depending on their purpose. */
+
+/* Creators and destructor.   */
+UI *UI_new(void);
+UI *UI_new_method(const UI_METHOD *method);
+void UI_free(UI *ui);
+
+/* The following functions are used to add strings to be printed and prompt
+   strings to prompt for data.  The names are UI_{add,dup}_<function>_string
+   and UI_{add,dup}_input_boolean.
+
+   UI_{add,dup}_<function>_string have the following meanings:
+        add     add a text or prompt string.  The pointers given to these
+                functions are used verbatim, no copying is done.
+        dup     make a copy of the text or prompt string, then add the copy
+                to the collection of strings in the user interface.
+        <function>
+                The function is a name for the functionality that the given
+                string shall be used for.  It can be one of:
+                        input   use the string as data prompt.
+                        verify  use the string as verification prompt.  This
+                                is used to verify a previous input.
+                        info    use the string for informational output.
+                        error   use the string for error output.
+   Honestly, there's currently no difference between info and error for the
+   moment.
+
+   UI_{add,dup}_input_boolean have the same semantics for "add" and "dup",
+   and are typically used when one wants to prompt for a yes/no response.
+
+
+   All of the functions in this group take a UI and a prompt string.
+   The string input and verify addition functions also take a flag argument,
+   a buffer for the result to end up with, a minimum input size and a maximum
+   input size (the result buffer MUST be large enough to be able to contain
+   the maximum number of characters).  Additionally, the verify addition
+   functions takes another buffer to compare the result against.
+   The boolean input functions take an action description string (which should
+   be safe to ignore if the expected user action is obvious, for example with
+   a dialog box with an OK button and a Cancel button), a string of acceptable
+   characters to mean OK and to mean Cancel.  The two last strings are checked
+   to make sure they don't have common characters.  Additionally, the same
+   flag argument as for the string input is taken, as well as a result buffer.
+   The result buffer is required to be at least one byte long.  Depending on
+   the answer, the first character from the OK or the Cancel character strings
+   will be stored in the first byte of the result buffer.  No NUL will be
+   added, so the result is *not* a string.
+
+   On success, the all return an index of the added information.  That index
+   is usefull when retrieving results with UI_get0_result(). */
+int UI_add_input_string(UI *ui, const char *prompt, int flags,
+        char *result_buf, int minsize, int maxsize);
+int UI_dup_input_string(UI *ui, const char *prompt, int flags,
+        char *result_buf, int minsize, int maxsize);
+int UI_add_verify_string(UI *ui, const char *prompt, int flags,
+        char *result_buf, int minsize, int maxsize, const char *test_buf);
+int UI_dup_verify_string(UI *ui, const char *prompt, int flags,
+        char *result_buf, int minsize, int maxsize, const char *test_buf);
+int UI_add_input_boolean(UI *ui, const char *prompt, const char *action_desc,
+        const char *ok_chars, const char *cancel_chars,
+        int flags, char *result_buf);
+int UI_dup_input_boolean(UI *ui, const char *prompt, const char *action_desc,
+        const char *ok_chars, const char *cancel_chars,
+        int flags, char *result_buf);
+int UI_add_info_string(UI *ui, const char *text);
+int UI_dup_info_string(UI *ui, const char *text);
+int UI_add_error_string(UI *ui, const char *text);
+int UI_dup_error_string(UI *ui, const char *text);
+
+/* These are the possible flags.  They can be or'ed together. */
+/* Use to have echoing of input */
+#define UI_INPUT_FLAG_ECHO              0x01
+/* Use a default password.  Where that password is found is completely
+   up to the application, it might for example be in the user data set
+   with UI_add_user_data().  It is not recommended to have more than
+   one input in each UI being marked with this flag, or the application
+   might get confused. */
+#define UI_INPUT_FLAG_DEFAULT_PWD       0x02
+
+/* The user of these routines may want to define flags of their own.  The core
+   UI won't look at those, but will pass them on to the method routines.  They
+   must use higher bits so they don't get confused with the UI bits above.
+   UI_INPUT_FLAG_USER_BASE tells which is the lowest bit to use.  A good
+   example of use is this:
+
+        #define MY_UI_FLAG1     (0x01 << UI_INPUT_FLAG_USER_BASE)
+
+*/
+#define UI_INPUT_FLAG_USER_BASE 16
+
+
+/* The following function helps construct a prompt.  object_desc is a
+   textual short description of the object, for example "pass phrase",
+   and object_name is the name of the object (might be a card name or
+   a file name.
+   The returned string shall always be allocated on the heap with
+   OPENSSL_malloc(), and need to be free'd with OPENSSL_free().
+
+   If the ui_method doesn't contain a pointer to a user-defined prompt
+   constructor, a default string is built, looking like this:
+
+        "Enter {object_desc} for {object_name}:"
+
+   So, if object_desc has the value "pass phrase" and object_name has
+   the value "foo.key", the resulting string is:
+
+        "Enter pass phrase for foo.key:"
+*/
+char *UI_construct_prompt(UI *ui_method,
+        const char *object_desc, const char *object_name);
+
+
+/* The following function is used to store a pointer to user-specific data.
+   Any previous such pointer will be returned and replaced.
+
+   For callback purposes, this function makes a lot more sense than using
+   ex_data, since the latter requires that different parts of OpenSSL or
+   applications share the same ex_data index.
+
+   Note that the UI_OpenSSL() method completely ignores the user data.
+   Other methods may not, however.  */
+void *UI_add_user_data(UI *ui, void *user_data);
+/* We need a user data retrieving function as well.  */
+void *UI_get0_user_data(UI *ui);
+
+/* Return the result associated with a prompt given with the index i. */
+const char *UI_get0_result(UI *ui, int i);
+
+/* When all strings have been added, process the whole thing. */
+int UI_process(UI *ui);
+
+/* Give a user interface parametrised control commands.  This can be used to
+   send down an integer, a data pointer or a function pointer, as well as
+   be used to get information from a UI. */
+int UI_ctrl(UI *ui, int cmd, long i, void *p, void (*f)());
+
+/* The commands */
+/* Use UI_CONTROL_PRINT_ERRORS with the value 1 to have UI_process print the
+   OpenSSL error stack before printing any info or added error messages and
+   before any prompting. */
+#define UI_CTRL_PRINT_ERRORS            1
+/* Check if a UI_process() is possible to do again with the same instance of
+   a user interface.  This makes UI_ctrl() return 1 if it is redoable, and 0
+   if not. */
+#define UI_CTRL_IS_REDOABLE             2
+
+
+/* Some methods may use extra data */
+#define UI_set_app_data(s,arg)         UI_set_ex_data(s,0,arg)
+#define UI_get_app_data(s)             UI_get_ex_data(s,0)
+int UI_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
+        CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
+int UI_set_ex_data(UI *r,int idx,void *arg);
+void *UI_get_ex_data(UI *r, int idx);
+
+/* Use specific methods instead of the built-in one */
+void UI_set_default_method(const UI_METHOD *meth);
+const UI_METHOD *UI_get_default_method(void);
+const UI_METHOD *UI_get_method(UI *ui);
+const UI_METHOD *UI_set_method(UI *ui, const UI_METHOD *meth);
+
+/* The method with all the built-in thingies */
+UI_METHOD *UI_OpenSSL(void);
+
+
+/* ---------- For method writers ---------- */
+/* A method contains a number of functions that implement the low level
+   of the User Interface.  The functions are:
+
+        an opener       This function starts a session, maybe by opening
+                        a channel to a tty, or by opening a window.
+        a writer        This function is called to write a given string,
+                        maybe to the tty, maybe as a field label in a
+                        window.
+        a flusher       This function is called to flush everything that
+                        has been output so far.  It can be used to actually
+                        display a dialog box after it has been built.
+        a reader        This function is called to read a given prompt,
+                        maybe from the tty, maybe from a field in a
+                        window.  Note that it's called wth all string
+                        structures, not only the prompt ones, so it must
+                        check such things itself.
+        a closer        This function closes the session, maybe by closing
+                        the channel to the tty, or closing the window.
+
+   All these functions are expected to return:
+
+        0       on error.
+        1       on success.
+        -1      on out-of-band events, for example if some prompting has
+                been canceled (by pressing Ctrl-C, for example).  This is
+                only checked when returned by the flusher or the reader.
+
+   The way this is used, the opener is first called, then the writer for all
+   strings, then the flusher, then the reader for all strings and finally the
+   closer.  Note that if you want to prompt from a terminal or other command
+   line interface, the best is to have the reader also write the prompts
+   instead of having the writer do it.  If you want to prompt from a dialog
+   box, the writer can be used to build up the contents of the box, and the
+   flusher to actually display the box and run the event loop until all data
+   has been given, after which the reader only grabs the given data and puts
+   them back into the UI strings.
+
+   All method functions take a UI as argument.  Additionally, the writer and
+   the reader take a UI_STRING.
+*/
+
+/* The UI_STRING type is the data structure that contains all the needed info
+   about a string or a prompt, including test data for a verification prompt.
+*/
+DECLARE_STACK_OF(UI_STRING)
+typedef struct ui_string_st UI_STRING;
+
+/* The different types of strings that are currently supported.
+   This is only needed by method authors. */
+enum UI_string_types
+        {
+        UIT_NONE=0,
+        UIT_PROMPT,             /* Prompt for a string */
+        UIT_VERIFY,             /* Prompt for a string and verify */
+        UIT_BOOLEAN,            /* Prompt for a yes/no response */
+        UIT_INFO,               /* Send info to the user */
+        UIT_ERROR               /* Send an error message to the user */
+        };
+
+/* Create and manipulate methods */
+UI_METHOD *UI_create_method(char *name);
+void UI_destroy_method(UI_METHOD *ui_method);
+int UI_method_set_opener(UI_METHOD *method, int (*opener)(UI *ui));
+int UI_method_set_writer(UI_METHOD *method, int (*writer)(UI *ui, UI_STRING *uis));
+int UI_method_set_flusher(UI_METHOD *method, int (*flusher)(UI *ui));
+int UI_method_set_reader(UI_METHOD *method, int (*reader)(UI *ui, UI_STRING *uis));
+int UI_method_set_closer(UI_METHOD *method, int (*closer)(UI *ui));
+int (*UI_method_get_opener(UI_METHOD *method))(UI*);
+int (*UI_method_get_writer(UI_METHOD *method))(UI*,UI_STRING*);
+int (*UI_method_get_flusher(UI_METHOD *method))(UI*);
+int (*UI_method_get_reader(UI_METHOD *method))(UI*,UI_STRING*);
+int (*UI_method_get_closer(UI_METHOD *method))(UI*);
+
+/* The following functions are helpers for method writers to access relevant
+   data from a UI_STRING. */
+
+/* Return type of the UI_STRING */
+enum UI_string_types UI_get_string_type(UI_STRING *uis);
+/* Return input flags of the UI_STRING */
+int UI_get_input_flags(UI_STRING *uis);
+/* Return the actual string to output (the prompt, info or error) */
+const char *UI_get0_output_string(UI_STRING *uis);
+/* Return the optional action string to output (the boolean promtp instruction) */
+const char *UI_get0_action_string(UI_STRING *uis);
+/* Return the result of a prompt */
+const char *UI_get0_result_string(UI_STRING *uis);
+/* Return the string to test the result against.  Only useful with verifies. */
+const char *UI_get0_test_string(UI_STRING *uis);
+/* Return the required minimum size of the result */
+int UI_get_result_minsize(UI_STRING *uis);
+/* Return the required maximum size of the result */
+int UI_get_result_maxsize(UI_STRING *uis);
+/* Set the result of a UI_STRING. */
+int UI_set_result(UI *ui, UI_STRING *uis, const char *result);
+
+
+/* A couple of popular utility functions */
+int UI_UTIL_read_pw_string(char *buf,int length,const char *prompt,int verify);
+int UI_UTIL_read_pw(char *buf,char *buff,int size,const char *prompt,int verify);
+
+
+/* BEGIN ERROR CODES */
+/* The following lines are auto generated by the script mkerr.pl. Any changes
+ * made after this point may be overwritten when the script is next run.
+ */
+void ERR_load_UI_strings(void);
+
+/* Error codes for the UI functions. */
+
+/* Function codes. */
+#define UI_F_GENERAL_ALLOCATE_BOOLEAN                    108
+#define UI_F_GENERAL_ALLOCATE_PROMPT                     109
+#define UI_F_GENERAL_ALLOCATE_STRING                     100
+#define UI_F_UI_CTRL                                     111
+#define UI_F_UI_DUP_ERROR_STRING                         101
+#define UI_F_UI_DUP_INFO_STRING                          102
+#define UI_F_UI_DUP_INPUT_BOOLEAN                        110
+#define UI_F_UI_DUP_INPUT_STRING                         103
+#define UI_F_UI_DUP_VERIFY_STRING                        106
+#define UI_F_UI_GET0_RESULT                              107
+#define UI_F_UI_NEW_METHOD                               104
+#define UI_F_UI_SET_RESULT                               105
+
+/* Reason codes. */
+#define UI_R_COMMON_OK_AND_CANCEL_CHARACTERS             104
+#define UI_R_INDEX_TOO_LARGE                             102
+#define UI_R_INDEX_TOO_SMALL                             103
+#define UI_R_NO_RESULT_BUFFER                            105
+#define UI_R_RESULT_TOO_LARGE                            100
+#define UI_R_RESULT_TOO_SMALL                            101
+#define UI_R_UNKNOWN_CONTROL_COMMAND                     106
+
+#ifdef  __cplusplus
+}
+#endif
+#endif
diff --git a/src/lib/libcrypto/ui/ui_compat.c b/src/lib/libcrypto/ui/ui_compat.c
new file mode 100644
index 0000000000..13e0f70d90
--- /dev/null
+++ b/src/lib/libcrypto/ui/ui_compat.c
@@ -0,0 +1,67 @@
+/* crypto/ui/ui_compat.c -*- mode:C; c-file-style: "eay" -*- */
+/* ====================================================================
+ * Copyright (c) 2001-2002 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <string.h>
+#include <openssl/ui_compat.h>
+
+int _ossl_old_des_read_pw_string(char *buf,int length,const char *prompt,int verify)
+        {
+        return UI_UTIL_read_pw_string(buf, length, prompt, verify);
+        }
+
+int _ossl_old_des_read_pw(char *buf,char *buff,int size,const char *prompt,int verify)
+        {
+        return UI_UTIL_read_pw(buf, buff, size, prompt, verify);
+        }
diff --git a/src/lib/libcrypto/ui/ui_compat.h b/src/lib/libcrypto/ui/ui_compat.h
new file mode 100644
index 0000000000..b35c9bb7fd
--- /dev/null
+++ b/src/lib/libcrypto/ui/ui_compat.h
@@ -0,0 +1,83 @@
+/* crypto/ui/ui.h -*- mode:C; c-file-style: "eay" -*- */
+/* Written by Richard Levitte (richard@levitte.org) for the OpenSSL
+ * project 2001.
+ */
+/* ====================================================================
+ * Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#ifndef HEADER_UI_COMPAT_H
+#define HEADER_UI_COMPAT_H
+
+#include <openssl/opensslconf.h>
+#include <openssl/ui.h>
+
+#ifdef  __cplusplus
+extern "C" {
+#endif
+
+/* The following functions were previously part of the DES section,
+   and are provided here for backward compatibility reasons. */
+
+#define des_read_pw_string(b,l,p,v) \
+        _ossl_old_des_read_pw_string((b),(l),(p),(v))
+#define des_read_pw(b,bf,s,p,v) \
+        _ossl_old_des_read_pw((b),(bf),(s),(p),(v))
+
+int _ossl_old_des_read_pw_string(char *buf,int length,const char *prompt,int verify);
+int _ossl_old_des_read_pw(char *buf,char *buff,int size,const char *prompt,int verify);
+
+#ifdef  __cplusplus
+}
+#endif
+#endif
diff --git a/src/lib/libcrypto/ui/ui_err.c b/src/lib/libcrypto/ui/ui_err.c
new file mode 100644
index 0000000000..39a62ae737
--- /dev/null
+++ b/src/lib/libcrypto/ui/ui_err.c
@@ -0,0 +1,111 @@
+/* crypto/ui/ui_err.c */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/* NOTE: this file was auto generated by the mkerr.pl script: any changes
+ * made to it will be overwritten when the script next updates this file,
+ * only reason strings will be preserved.
+ */
+
+#include <stdio.h>
+#include <openssl/err.h>
+#include <openssl/ui.h>
+
+/* BEGIN ERROR CODES */
+#ifndef OPENSSL_NO_ERR
+static ERR_STRING_DATA UI_str_functs[]=
+        {
+{ERR_PACK(0,UI_F_GENERAL_ALLOCATE_BOOLEAN,0),   "GENERAL_ALLOCATE_BOOLEAN"},
+{ERR_PACK(0,UI_F_GENERAL_ALLOCATE_PROMPT,0),    "GENERAL_ALLOCATE_PROMPT"},
+{ERR_PACK(0,UI_F_GENERAL_ALLOCATE_STRING,0),    "GENERAL_ALLOCATE_STRING"},
+{ERR_PACK(0,UI_F_UI_CTRL,0),    "UI_ctrl"},
+{ERR_PACK(0,UI_F_UI_DUP_ERROR_STRING,0),        "UI_dup_error_string"},
+{ERR_PACK(0,UI_F_UI_DUP_INFO_STRING,0), "UI_dup_info_string"},
+{ERR_PACK(0,UI_F_UI_DUP_INPUT_BOOLEAN,0),       "UI_dup_input_boolean"},
+{ERR_PACK(0,UI_F_UI_DUP_INPUT_STRING,0),        "UI_dup_input_string"},
+{ERR_PACK(0,UI_F_UI_DUP_VERIFY_STRING,0),       "UI_dup_verify_string"},
+{ERR_PACK(0,UI_F_UI_GET0_RESULT,0),     "UI_get0_result"},
+{ERR_PACK(0,UI_F_UI_NEW_METHOD,0),      "UI_new_method"},
+{ERR_PACK(0,UI_F_UI_SET_RESULT,0),      "UI_set_result"},
+{0,NULL}
+        };
+
+static ERR_STRING_DATA UI_str_reasons[]=
+        {
+{UI_R_COMMON_OK_AND_CANCEL_CHARACTERS    ,"common ok and cancel characters"},
+{UI_R_INDEX_TOO_LARGE                    ,"index too large"},
+{UI_R_INDEX_TOO_SMALL                    ,"index too small"},
+{UI_R_NO_RESULT_BUFFER                   ,"no result buffer"},
+{UI_R_RESULT_TOO_LARGE                   ,"result too large"},
+{UI_R_RESULT_TOO_SMALL                   ,"result too small"},
+{UI_R_UNKNOWN_CONTROL_COMMAND            ,"unknown control command"},
+{0,NULL}
+        };
+
+#endif
+
+void ERR_load_UI_strings(void)
+        {
+        static int init=1;
+
+        if (init)
+                {
+                init=0;
+#ifndef OPENSSL_NO_ERR
+                ERR_load_strings(ERR_LIB_UI,UI_str_functs);
+                ERR_load_strings(ERR_LIB_UI,UI_str_reasons);
+#endif
+
+                }
+        }
diff --git a/src/lib/libcrypto/ui/ui_lib.c b/src/lib/libcrypto/ui/ui_lib.c
new file mode 100644
index 0000000000..16946cad95
--- /dev/null
+++ b/src/lib/libcrypto/ui/ui_lib.c
@@ -0,0 +1,899 @@
+/* crypto/ui/ui_lib.c -*- mode:C; c-file-style: "eay" -*- */
+/* Written by Richard Levitte (richard@levitte.org) for the OpenSSL
+ * project 2001.
+ */
+/* ====================================================================
+ * Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <string.h>
+#include <openssl/e_os2.h>
+#include <openssl/buffer.h>
+#include <openssl/ui.h>
+#include <openssl/err.h>
+#include "ui_locl.h"
+
+IMPLEMENT_STACK_OF(UI_STRING_ST)
+
+static const UI_METHOD *default_UI_meth=NULL;
+
+UI *UI_new(void)
+        {
+        return(UI_new_method(NULL));
+        }
+
+UI *UI_new_method(const UI_METHOD *method)
+        {
+        UI *ret;
+
+        ret=(UI *)OPENSSL_malloc(sizeof(UI));
+        if (ret == NULL)
+                {
+                UIerr(UI_F_UI_NEW_METHOD,ERR_R_MALLOC_FAILURE);
+                return NULL;
+                }
+        if (method == NULL)
+                ret->meth=UI_get_default_method();
+        else
+                ret->meth=method;
+
+        ret->strings=NULL;
+        ret->user_data=NULL;
+        CRYPTO_new_ex_data(CRYPTO_EX_INDEX_UI, ret, &ret->ex_data);
+        return ret;
+        }
+
+static void free_string(UI_STRING *uis)
+        {
+        if (uis->flags & OUT_STRING_FREEABLE)
+                {
+                OPENSSL_free((char *)uis->out_string);
+                switch(uis->type)
+                        {
+                case UIT_BOOLEAN:
+                        OPENSSL_free((char *)uis->_.boolean_data.action_desc);
+                        OPENSSL_free((char *)uis->_.boolean_data.ok_chars);
+                        OPENSSL_free((char *)uis->_.boolean_data.cancel_chars);
+                        break;
+                default:
+                        break;
+                        }
+                }
+        OPENSSL_free(uis);
+        }
+
+void UI_free(UI *ui)
+        {
+        if (ui == NULL)
+                return;
+        sk_UI_STRING_pop_free(ui->strings,free_string);
+        CRYPTO_free_ex_data(CRYPTO_EX_INDEX_UI, ui, &ui->ex_data);
+        OPENSSL_free(ui);
+        }
+
+static int allocate_string_stack(UI *ui)
+        {
+        if (ui->strings == NULL)
+                {
+                ui->strings=sk_UI_STRING_new_null();
+                if (ui->strings == NULL)
+                        {
+                        return -1;
+                        }
+                }
+        return 0;
+        }
+
+static UI_STRING *general_allocate_prompt(UI *ui, const char *prompt,
+        int prompt_freeable, enum UI_string_types type, int input_flags,
+        char *result_buf)
+        {
+        UI_STRING *ret = NULL;
+
+        if (prompt == NULL)
+                {
+                UIerr(UI_F_GENERAL_ALLOCATE_PROMPT,ERR_R_PASSED_NULL_PARAMETER);
+                }
+        else if (result_buf == NULL)
+                {
+                UIerr(UI_F_GENERAL_ALLOCATE_PROMPT,UI_R_NO_RESULT_BUFFER);
+                }
+        else if ((ret = (UI_STRING *)OPENSSL_malloc(sizeof(UI_STRING))))
+                {
+                ret->out_string=prompt;
+                ret->flags=prompt_freeable ? OUT_STRING_FREEABLE : 0;
+                ret->input_flags=input_flags;
+                ret->type=type;
+                ret->result_buf=result_buf;
+                }
+        return ret;
+        }
+
+static int general_allocate_string(UI *ui, const char *prompt,
+        int prompt_freeable, enum UI_string_types type, int input_flags,
+        char *result_buf, int minsize, int maxsize, const char *test_buf)
+        {
+        int ret = -1;
+        UI_STRING *s = general_allocate_prompt(ui, prompt, prompt_freeable,
+                type, input_flags, result_buf);
+
+        if (s)
+                {
+                if (allocate_string_stack(ui) >= 0)
+                        {
+                        s->_.string_data.result_minsize=minsize;
+                        s->_.string_data.result_maxsize=maxsize;
+                        s->_.string_data.test_buf=test_buf;
+                        ret=sk_UI_STRING_push(ui->strings, s);
+                        /* sk_push() returns 0 on error.  Let's addapt that */
+                        if (ret <= 0) ret--;
+                        }
+                else
+                        free_string(s);
+                }
+        return ret;
+        }
+
+static int general_allocate_boolean(UI *ui,
+        const char *prompt, const char *action_desc,
+        const char *ok_chars, const char *cancel_chars,
+        int prompt_freeable, enum UI_string_types type, int input_flags,
+        char *result_buf)
+        {
+        int ret = -1;
+        UI_STRING *s;
+        const char *p;
+
+        if (ok_chars == NULL)
+                {
+                UIerr(UI_F_GENERAL_ALLOCATE_BOOLEAN,ERR_R_PASSED_NULL_PARAMETER);
+                }
+        else if (cancel_chars == NULL)
+                {
+                UIerr(UI_F_GENERAL_ALLOCATE_BOOLEAN,ERR_R_PASSED_NULL_PARAMETER);
+                }
+        else
+                {
+                for(p = ok_chars; *p; p++)
+                        {
+                        if (strchr(cancel_chars, *p))
+                                {
+                                UIerr(UI_F_GENERAL_ALLOCATE_BOOLEAN,
+                                        UI_R_COMMON_OK_AND_CANCEL_CHARACTERS);
+                                }
+                        }
+
+                s = general_allocate_prompt(ui, prompt, prompt_freeable,
+                        type, input_flags, result_buf);
+
+                if (s)
+                        {
+                        if (allocate_string_stack(ui) >= 0)
+                                {
+                                s->_.boolean_data.action_desc = action_desc;
+                                s->_.boolean_data.ok_chars = ok_chars;
+                                s->_.boolean_data.cancel_chars = cancel_chars;
+                                ret=sk_UI_STRING_push(ui->strings, s);
+                                /* sk_push() returns 0 on error.
+                                   Let's addapt that */
+                                if (ret <= 0) ret--;
+                                }
+                        else
+                                free_string(s);
+                        }
+                }
+        return ret;
+        }
+
+/* Returns the index to the place in the stack or 0 for error.  Uses a
+   direct reference to the prompt.  */
+int UI_add_input_string(UI *ui, const char *prompt, int flags,
+        char *result_buf, int minsize, int maxsize)
+        {
+        return general_allocate_string(ui, prompt, 0,
+                UIT_PROMPT, flags, result_buf, minsize, maxsize, NULL);
+        }
+
+/* Same as UI_add_input_string(), excepts it takes a copy of the prompt */
+int UI_dup_input_string(UI *ui, const char *prompt, int flags,
+        char *result_buf, int minsize, int maxsize)
+        {
+        char *prompt_copy=NULL;
+
+        if (prompt)
+                {
+                prompt_copy=BUF_strdup(prompt);
+                if (prompt_copy == NULL)
+                        {
+                        UIerr(UI_F_UI_DUP_INPUT_STRING,ERR_R_MALLOC_FAILURE);
+                        return 0;
+                        }
+                }
+        
+        return general_allocate_string(ui, prompt_copy, 1,
+                UIT_PROMPT, flags, result_buf, minsize, maxsize, NULL);
+        }
+
+int UI_add_verify_string(UI *ui, const char *prompt, int flags,
+        char *result_buf, int minsize, int maxsize, const char *test_buf)
+        {
+        return general_allocate_string(ui, prompt, 0,
+                UIT_VERIFY, flags, result_buf, minsize, maxsize, test_buf);
+        }
+
+int UI_dup_verify_string(UI *ui, const char *prompt, int flags,
+        char *result_buf, int minsize, int maxsize, const char *test_buf)
+        {
+        char *prompt_copy=NULL;
+
+        if (prompt)
+                {
+                prompt_copy=BUF_strdup(prompt);
+                if (prompt_copy == NULL)
+                        {
+                        UIerr(UI_F_UI_DUP_VERIFY_STRING,ERR_R_MALLOC_FAILURE);
+                        return -1;
+                        }
+                }
+        
+        return general_allocate_string(ui, prompt_copy, 1,
+                UIT_VERIFY, flags, result_buf, minsize, maxsize, test_buf);
+        }
+
+int UI_add_input_boolean(UI *ui, const char *prompt, const char *action_desc,
+        const char *ok_chars, const char *cancel_chars,
+        int flags, char *result_buf)
+        {
+        return general_allocate_boolean(ui, prompt, action_desc,
+                ok_chars, cancel_chars, 0, UIT_BOOLEAN, flags, result_buf);
+        }
+
+int UI_dup_input_boolean(UI *ui, const char *prompt, const char *action_desc,
+        const char *ok_chars, const char *cancel_chars,
+        int flags, char *result_buf)
+        {
+        char *prompt_copy = NULL;
+        char *action_desc_copy = NULL;
+        char *ok_chars_copy = NULL;
+        char *cancel_chars_copy = NULL;
+
+        if (prompt)
+                {
+                prompt_copy=BUF_strdup(prompt);
+                if (prompt_copy == NULL)
+                        {
+                        UIerr(UI_F_UI_DUP_INPUT_BOOLEAN,ERR_R_MALLOC_FAILURE);
+                        goto err;
+                        }
+                }
+        
+        if (action_desc)
+                {
+                action_desc_copy=BUF_strdup(action_desc);
+                if (action_desc_copy == NULL)
+                        {
+                        UIerr(UI_F_UI_DUP_INPUT_BOOLEAN,ERR_R_MALLOC_FAILURE);
+                        goto err;
+                        }
+                }
+        
+        if (ok_chars)
+                {
+                ok_chars_copy=BUF_strdup(ok_chars);
+                if (ok_chars_copy == NULL)
+                        {
+                        UIerr(UI_F_UI_DUP_INPUT_BOOLEAN,ERR_R_MALLOC_FAILURE);
+                        goto err;
+                        }
+                }
+        
+        if (cancel_chars)
+                {
+                cancel_chars_copy=BUF_strdup(cancel_chars);
+                if (cancel_chars_copy == NULL)
+                        {
+                        UIerr(UI_F_UI_DUP_INPUT_BOOLEAN,ERR_R_MALLOC_FAILURE);
+                        goto err;
+                        }
+                }
+        
+        return general_allocate_boolean(ui, prompt_copy, action_desc_copy,
+                ok_chars_copy, cancel_chars_copy, 1, UIT_BOOLEAN, flags,
+                result_buf);
+ err:
+        if (prompt_copy) OPENSSL_free(prompt_copy);
+        if (action_desc_copy) OPENSSL_free(action_desc_copy);
+        if (ok_chars_copy) OPENSSL_free(ok_chars_copy);
+        if (cancel_chars_copy) OPENSSL_free(cancel_chars_copy);
+        return -1;
+        }
+
+int UI_add_info_string(UI *ui, const char *text)
+        {
+        return general_allocate_string(ui, text, 0, UIT_INFO, 0, NULL, 0, 0,
+                NULL);
+        }
+
+int UI_dup_info_string(UI *ui, const char *text)
+        {
+        char *text_copy=NULL;
+
+        if (text)
+                {
+                text_copy=BUF_strdup(text);
+                if (text_copy == NULL)
+                        {
+                        UIerr(UI_F_UI_DUP_INFO_STRING,ERR_R_MALLOC_FAILURE);
+                        return -1;
+                        }
+                }
+
+        return general_allocate_string(ui, text_copy, 1, UIT_INFO, 0, NULL,
+                0, 0, NULL);
+        }
+
+int UI_add_error_string(UI *ui, const char *text)
+        {
+        return general_allocate_string(ui, text, 0, UIT_ERROR, 0, NULL, 0, 0,
+                NULL);
+        }
+
+int UI_dup_error_string(UI *ui, const char *text)
+        {
+        char *text_copy=NULL;
+
+        if (text)
+                {
+                text_copy=BUF_strdup(text);
+                if (text_copy == NULL)
+                        {
+                        UIerr(UI_F_UI_DUP_ERROR_STRING,ERR_R_MALLOC_FAILURE);
+                        return -1;
+                        }
+                }
+        return general_allocate_string(ui, text_copy, 1, UIT_ERROR, 0, NULL,
+                0, 0, NULL);
+        }
+
+char *UI_construct_prompt(UI *ui, const char *object_desc,
+        const char *object_name)
+        {
+        char *prompt = NULL;
+
+        if (ui->meth->ui_construct_prompt)
+                prompt = ui->meth->ui_construct_prompt(ui,
+                        object_desc, object_name);
+        else
+                {
+                char prompt1[] = "Enter ";
+                char prompt2[] = " for ";
+                char prompt3[] = ":";
+                int len = 0;
+
+                if (object_desc == NULL)
+                        return NULL;
+                len = sizeof(prompt1) - 1 + strlen(object_desc);
+                if (object_name)
+                        len += sizeof(prompt2) - 1 + strlen(object_name);
+                len += sizeof(prompt3) - 1;
+
+                prompt = (char *)OPENSSL_malloc(len + 1);
+                strcpy(prompt, prompt1);
+                strcat(prompt, object_desc);
+                if (object_name)
+                        {
+                        strcat(prompt, prompt2);
+                        strcat(prompt, object_name);
+                        }
+                strcat(prompt, prompt3);
+                }
+        return prompt;
+        }
+
+void *UI_add_user_data(UI *ui, void *user_data)
+        {
+        void *old_data = ui->user_data;
+        ui->user_data = user_data;
+        return old_data;
+        }
+
+void *UI_get0_user_data(UI *ui)
+        {
+        return ui->user_data;
+        }
+
+const char *UI_get0_result(UI *ui, int i)
+        {
+        if (i < 0)
+                {
+                UIerr(UI_F_UI_GET0_RESULT,UI_R_INDEX_TOO_SMALL);
+                return NULL;
+                }
+        if (i >= sk_UI_STRING_num(ui->strings))
+                {
+                UIerr(UI_F_UI_GET0_RESULT,UI_R_INDEX_TOO_LARGE);
+                return NULL;
+                }
+        return UI_get0_result_string(sk_UI_STRING_value(ui->strings, i));
+        }
+
+static int print_error(const char *str, size_t len, UI *ui)
+        {
+        UI_STRING uis;
+
+        memset(&uis, 0, sizeof(uis));
+        uis.type = UIT_ERROR;
+        uis.out_string = str;
+
+        if (ui->meth->ui_write_string
+                && !ui->meth->ui_write_string(ui, &uis))
+                return -1;
+        return 0;
+        }
+
+int UI_process(UI *ui)
+        {
+        int i, ok=0;
+
+        if (ui->meth->ui_open_session && !ui->meth->ui_open_session(ui))
+                return -1;
+
+        if (ui->flags & UI_FLAG_PRINT_ERRORS)
+                ERR_print_errors_cb(
+                        (int (*)(const char *, size_t, void *))print_error,
+                        (void *)ui);
+
+        for(i=0; i<sk_UI_STRING_num(ui->strings); i++)
+                {
+                if (ui->meth->ui_write_string
+                        && !ui->meth->ui_write_string(ui,
+                                sk_UI_STRING_value(ui->strings, i)))
+                        {
+                        ok=-1;
+                        goto err;
+                        }
+                }
+
+        if (ui->meth->ui_flush)
+                switch(ui->meth->ui_flush(ui))
+                        {
+                case -1: /* Interrupt/Cancel/something... */
+                        ok = -2;
+                        goto err;
+                case 0: /* Errors */
+                        ok = -1;
+                        goto err;
+                default: /* Success */
+                        ok = 0;
+                        break;
+                        }
+
+        for(i=0; i<sk_UI_STRING_num(ui->strings); i++)
+                {
+                if (ui->meth->ui_read_string)
+                        {
+                        switch(ui->meth->ui_read_string(ui,
+                                sk_UI_STRING_value(ui->strings, i)))
+                                {
+                        case -1: /* Interrupt/Cancel/something... */
+                                ok = -2;
+                                goto err;
+                        case 0: /* Errors */
+                                ok = -1;
+                                goto err;
+                        default: /* Success */
+                                ok = 0;
+                                break;
+                                }
+                        }
+                }
+ err:
+        if (ui->meth->ui_close_session && !ui->meth->ui_close_session(ui))
+                return -1;
+        return ok;
+        }
+
+int UI_ctrl(UI *ui, int cmd, long i, void *p, void (*f)())
+        {
+        if (ui == NULL)
+                {
+                UIerr(UI_F_UI_CTRL,ERR_R_PASSED_NULL_PARAMETER);
+                return -1;
+                }
+        switch(cmd)
+                {
+        case UI_CTRL_PRINT_ERRORS:
+                {
+                int save_flag = !!(ui->flags & UI_FLAG_PRINT_ERRORS);
+                if (i)
+                        ui->flags |= UI_FLAG_PRINT_ERRORS;
+                else
+                        ui->flags &= ~UI_FLAG_PRINT_ERRORS;
+                return save_flag;
+                }
+        case UI_CTRL_IS_REDOABLE:
+                return !!(ui->flags & UI_FLAG_REDOABLE);
+        default:
+                break;
+                }
+        UIerr(UI_F_UI_CTRL,UI_R_UNKNOWN_CONTROL_COMMAND);
+        return -1;
+        }
+
+int UI_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
+             CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func)
+        {
+        return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_UI, argl, argp,
+                                new_func, dup_func, free_func);
+        }
+
+int UI_set_ex_data(UI *r, int idx, void *arg)
+        {
+        return(CRYPTO_set_ex_data(&r->ex_data,idx,arg));
+        }
+
+void *UI_get_ex_data(UI *r, int idx)
+        {
+        return(CRYPTO_get_ex_data(&r->ex_data,idx));
+        }
+
+void UI_set_default_method(const UI_METHOD *meth)
+        {
+        default_UI_meth=meth;
+        }
+
+const UI_METHOD *UI_get_default_method(void)
+        {
+        if (default_UI_meth == NULL)
+                {
+                default_UI_meth=UI_OpenSSL();
+                }
+        return default_UI_meth;
+        }
+
+const UI_METHOD *UI_get_method(UI *ui)
+        {
+        return ui->meth;
+        }
+
+const UI_METHOD *UI_set_method(UI *ui, const UI_METHOD *meth)
+        {
+        ui->meth=meth;
+        return ui->meth;
+        }
+
+
+UI_METHOD *UI_create_method(char *name)
+        {
+        UI_METHOD *ui_method = (UI_METHOD *)OPENSSL_malloc(sizeof(UI_METHOD));
+
+        if (ui_method)
+                memset(ui_method, 0, sizeof(*ui_method));
+        ui_method->name = BUF_strdup(name);
+        return ui_method;
+        }
+
+/* BIG FSCKING WARNING!!!!  If you use this on a statically allocated method
+   (that is, it hasn't been allocated using UI_create_method(), you deserve
+   anything Murphy can throw at you and more!  You have been warned. */
+void UI_destroy_method(UI_METHOD *ui_method)
+        {
+        OPENSSL_free(ui_method->name);
+        ui_method->name = NULL;
+        OPENSSL_free(ui_method);
+        }
+
+int UI_method_set_opener(UI_METHOD *method, int (*opener)(UI *ui))
+        {
+        if (method)
+                {
+                method->ui_open_session = opener;
+                return 0;
+                }
+        else
+                return -1;
+        }
+
+int UI_method_set_writer(UI_METHOD *method, int (*writer)(UI *ui, UI_STRING *uis))
+        {
+        if (method)
+                {
+                method->ui_write_string = writer;
+                return 0;
+                }
+        else
+                return -1;
+        }
+
+int UI_method_set_flusher(UI_METHOD *method, int (*flusher)(UI *ui))
+        {
+        if (method)
+                {
+                method->ui_flush = flusher;
+                return 0;
+                }
+        else
+                return -1;
+        }
+
+int UI_method_set_reader(UI_METHOD *method, int (*reader)(UI *ui, UI_STRING *uis))
+        {
+        if (method)
+                {
+                method->ui_read_string = reader;
+                return 0;
+                }
+        else
+                return -1;
+        }
+
+int UI_method_set_closer(UI_METHOD *method, int (*closer)(UI *ui))
+        {
+        if (method)
+                {
+                method->ui_close_session = closer;
+                return 0;
+                }
+        else
+                return -1;
+        }
+
+int (*UI_method_get_opener(UI_METHOD *method))(UI*)
+        {
+        if (method)
+                return method->ui_open_session;
+        else
+                return NULL;
+        }
+
+int (*UI_method_get_writer(UI_METHOD *method))(UI*,UI_STRING*)
+        {
+        if (method)
+                return method->ui_write_string;
+        else
+                return NULL;
+        }
+
+int (*UI_method_get_flusher(UI_METHOD *method))(UI*)
+        {
+        if (method)
+                return method->ui_flush;
+        else
+                return NULL;
+        }
+
+int (*UI_method_get_reader(UI_METHOD *method))(UI*,UI_STRING*)
+        {
+        if (method)
+                return method->ui_read_string;
+        else
+                return NULL;
+        }
+
+int (*UI_method_get_closer(UI_METHOD *method))(UI*)
+        {
+        if (method)
+                return method->ui_close_session;
+        else
+                return NULL;
+        }
+
+enum UI_string_types UI_get_string_type(UI_STRING *uis)
+        {
+        if (!uis)
+                return UIT_NONE;
+        return uis->type;
+        }
+
+int UI_get_input_flags(UI_STRING *uis)
+        {
+        if (!uis)
+                return 0;
+        return uis->input_flags;
+        }
+
+const char *UI_get0_output_string(UI_STRING *uis)
+        {
+        if (!uis)
+                return NULL;
+        return uis->out_string;
+        }
+
+const char *UI_get0_action_string(UI_STRING *uis)
+        {
+        if (!uis)
+                return NULL;
+        switch(uis->type)
+                {
+        case UIT_PROMPT:
+        case UIT_BOOLEAN:
+                return uis->_.boolean_data.action_desc;
+        default:
+                return NULL;
+                }
+        }
+
+const char *UI_get0_result_string(UI_STRING *uis)
+        {
+        if (!uis)
+                return NULL;
+        switch(uis->type)
+                {
+        case UIT_PROMPT:
+        case UIT_VERIFY:
+                return uis->result_buf;
+        default:
+                return NULL;
+                }
+        }
+
+const char *UI_get0_test_string(UI_STRING *uis)
+        {
+        if (!uis)
+                return NULL;
+        switch(uis->type)
+                {
+        case UIT_VERIFY:
+                return uis->_.string_data.test_buf;
+        default:
+                return NULL;
+                }
+        }
+
+int UI_get_result_minsize(UI_STRING *uis)
+        {
+        if (!uis)
+                return -1;
+        switch(uis->type)
+                {
+        case UIT_PROMPT:
+        case UIT_VERIFY:
+                return uis->_.string_data.result_minsize;
+        default:
+                return -1;
+                }
+        }
+
+int UI_get_result_maxsize(UI_STRING *uis)
+        {
+        if (!uis)
+                return -1;
+        switch(uis->type)
+                {
+        case UIT_PROMPT:
+        case UIT_VERIFY:
+                return uis->_.string_data.result_maxsize;
+        default:
+                return -1;
+                }
+        }
+
+int UI_set_result(UI *ui, UI_STRING *uis, const char *result)
+        {
+        int l = strlen(result);
+
+        ui->flags &= ~UI_FLAG_REDOABLE;
+
+        if (!uis)
+                return -1;
+        switch (uis->type)
+                {
+        case UIT_PROMPT:
+        case UIT_VERIFY:
+                {
+                char number1[20];
+                char number2[20];
+
+                BIO_snprintf(number1, sizeof(number1), "%d",
+                        uis->_.string_data.result_minsize);
+                BIO_snprintf(number2, sizeof(number2), "%d",
+                        uis->_.string_data.result_maxsize);
+
+                if (l < uis->_.string_data.result_minsize)
+                        {
+                        ui->flags |= UI_FLAG_REDOABLE;
+                        UIerr(UI_F_UI_SET_RESULT,UI_R_RESULT_TOO_SMALL);
+                        ERR_add_error_data(5,"You must type in ",
+                                number1," to ",number2," characters");
+                        return -1;
+                        }
+                if (l > uis->_.string_data.result_maxsize)
+                        {
+                        ui->flags |= UI_FLAG_REDOABLE;
+                        UIerr(UI_F_UI_SET_RESULT,UI_R_RESULT_TOO_LARGE);
+                        ERR_add_error_data(5,"You must type in ",
+                                number1," to ",number2," characters");
+                        return -1;
+                        }
+                }
+
+                if (!uis->result_buf)
+                        {
+                        UIerr(UI_F_UI_SET_RESULT,UI_R_NO_RESULT_BUFFER);
+                        return -1;
+                        }
+
+                strcpy(uis->result_buf, result);
+                break;
+        case UIT_BOOLEAN:
+                {
+                const char *p;
+
+                if (!uis->result_buf)
+                        {
+                        UIerr(UI_F_UI_SET_RESULT,UI_R_NO_RESULT_BUFFER);
+                        return -1;
+                        }
+
+                uis->result_buf[0] = '\0';
+                for(p = result; *p; p++)
+                        {
+                        if (strchr(uis->_.boolean_data.ok_chars, *p))
+                                {
+                                uis->result_buf[0] =
+                                        uis->_.boolean_data.ok_chars[0];
+                                break;
+                                }
+                        if (strchr(uis->_.boolean_data.cancel_chars, *p))
+                                {
+                                uis->result_buf[0] =
+                                        uis->_.boolean_data.cancel_chars[0];
+                                break;
+                                }
+                        }
+        default:
+                break;
+                }
+                }
+        return 0;
+        }
diff --git a/src/lib/libcrypto/ui/ui_locl.h b/src/lib/libcrypto/ui/ui_locl.h
new file mode 100644
index 0000000000..7d3a75a619
--- /dev/null
+++ b/src/lib/libcrypto/ui/ui_locl.h
@@ -0,0 +1,148 @@
+/* crypto/ui/ui.h -*- mode:C; c-file-style: "eay" -*- */
+/* Written by Richard Levitte (richard@levitte.org) for the OpenSSL
+ * project 2001.
+ */
+/* ====================================================================
+ * Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#ifndef HEADER_UI_LOCL_H
+#define HEADER_UI_LOCL_H
+
+#include <openssl/ui.h>
+
+struct ui_method_st
+        {
+        char *name;
+
+        /* All the functions return 1 or non-NULL for success and 0 or NULL
+           for failure */
+
+        /* Open whatever channel for this, be it the console, an X window
+           or whatever.
+           This function should use the ex_data structure to save
+           intermediate data. */
+        int (*ui_open_session)(UI *ui);
+
+        int (*ui_write_string)(UI *ui, UI_STRING *uis);
+
+        /* Flush the output.  If a GUI dialog box is used, this function can
+           be used to actually display it. */
+        int (*ui_flush)(UI *ui);
+
+        int (*ui_read_string)(UI *ui, UI_STRING *uis);
+
+        int (*ui_close_session)(UI *ui);
+
+        /* Construct a prompt in a user-defined manner.  object_desc is a
+           textual short description of the object, for example "pass phrase",
+           and object_name is the name of the object (might be a card name or
+           a file name.
+           The returned string shall always be allocated on the heap with
+           OPENSSL_malloc(), and need to be free'd with OPENSSL_free(). */
+        char *(*ui_construct_prompt)(UI *ui, const char *object_desc,
+                const char *object_name);
+        };
+
+struct ui_string_st
+        {
+        enum UI_string_types type; /* Input */
+        const char *out_string; /* Input */
+        int input_flags;        /* Flags from the user */
+
+        /* The following parameters are completely irrelevant for UIT_INFO,
+           and can therefore be set to 0 or NULL */
+        char *result_buf;       /* Input and Output: If not NULL, user-defined
+                                   with size in result_maxsize.  Otherwise, it
+                                   may be allocated by the UI routine, meaning
+                                   result_minsize is going to be overwritten.*/
+        union
+                {
+                struct
+                        {
+                        int result_minsize;     /* Input: minimum required
+                                                   size of the result.
+                                                */
+                        int result_maxsize;     /* Input: maximum permitted
+                                                   size of the result */
+
+                        const char *test_buf;   /* Input: test string to verify
+                                                   against */
+                        } string_data;
+                struct
+                        {
+                        const char *action_desc; /* Input */
+                        const char *ok_chars; /* Input */
+                        const char *cancel_chars; /* Input */
+                        } boolean_data;
+                } _;
+
+#define OUT_STRING_FREEABLE 0x01
+        int flags;              /* flags for internal use */
+        };
+
+struct ui_st
+        {
+        const UI_METHOD *meth;
+        STACK_OF(UI_STRING) *strings; /* We might want to prompt for more
+                                         than one thing at a time, and
+                                         with different echoing status.  */
+        void *user_data;
+        CRYPTO_EX_DATA ex_data;
+
+#define UI_FLAG_REDOABLE        0x0001
+#define UI_FLAG_PRINT_ERRORS    0x0100
+        int flags;
+        };
+
+#endif
diff --git a/src/lib/libcrypto/ui/ui_openssl.c b/src/lib/libcrypto/ui/ui_openssl.c
new file mode 100644
index 0000000000..3aa03f74aa
--- /dev/null
+++ b/src/lib/libcrypto/ui/ui_openssl.c
@@ -0,0 +1,661 @@
+/* crypto/ui/ui_openssl.c -*- mode:C; c-file-style: "eay" -*- */
+/* Written by Richard Levitte (richard@levitte.org) and others
+ * for the OpenSSL project 2001.
+ */
+/* ====================================================================
+ * Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/* The lowest level part of this file was previously in crypto/des/read_pwd.c,
+ * Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+
+#include <openssl/e_os2.h>
+
+#if !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_VMS)
+# ifdef OPENSSL_UNISTD
+#  include OPENSSL_UNISTD
+# else
+#  include <unistd.h>
+# endif
+/* If unistd.h defines _POSIX_VERSION, we conclude that we
+ * are on a POSIX system and have sigaction and termios. */
+# if defined(_POSIX_VERSION)
+
+#  define SIGACTION
+#  if !defined(TERMIOS) && !defined(TERMIO) && !defined(SGTTY)
+#   define TERMIOS
+#  endif
+
+# endif
+#endif
+
+#ifdef WIN16TTY
+# undef OPENSSL_SYS_WIN16
+# undef WIN16
+# undef _WINDOWS
+# include <graph.h>
+#endif
+
+/* 06-Apr-92 Luke Brennan    Support for VMS */
+#include "ui_locl.h"
+#include "cryptlib.h"
+#include <signal.h>
+#include <stdio.h>
+#include <string.h>
+#include <errno.h>
+
+#ifdef OPENSSL_SYS_VMS          /* prototypes for sys$whatever */
+# include <starlet.h>
+# ifdef __DECC
+#  pragma message disable DOLLARID
+# endif
+#endif
+
+#ifdef WIN_CONSOLE_BUG
+# include <windows.h>
+# include <wincon.h>
+#endif
+
+
+/* There are 5 types of terminal interface supported,
+ * TERMIO, TERMIOS, VMS, MSDOS and SGTTY
+ */
+
+#if defined(__sgi) && !defined(TERMIOS)
+# define TERMIOS
+# undef  TERMIO
+# undef  SGTTY
+#endif
+
+#if defined(linux) && !defined(TERMIO)
+# undef  TERMIOS
+# define TERMIO
+# undef  SGTTY
+#endif
+
+#ifdef _LIBC
+# undef  TERMIOS
+# define TERMIO
+# undef  SGTTY
+#endif
+
+#if !defined(TERMIO) && !defined(TERMIOS) && !defined(OPENSSL_SYS_VMS) && !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_MACINTOSH_CLASSIC) && !defined(MAC_OS_GUSI_SOURCE)
+# undef  TERMIOS
+# undef  TERMIO
+# define SGTTY
+#endif
+
+#if defined(OPENSSL_SYS_VSWORKS)
+#undef TERMIOS
+#undef TERMIO
+#undef SGTTY
+#endif
+
+#ifdef TERMIOS
+# include <termios.h>
+# define TTY_STRUCT             struct termios
+# define TTY_FLAGS              c_lflag
+# define TTY_get(tty,data)      tcgetattr(tty,data)
+# define TTY_set(tty,data)      tcsetattr(tty,TCSANOW,data)
+#endif
+
+#ifdef TERMIO
+# include <termio.h>
+# define TTY_STRUCT             struct termio
+# define TTY_FLAGS              c_lflag
+# define TTY_get(tty,data)      ioctl(tty,TCGETA,data)
+# define TTY_set(tty,data)      ioctl(tty,TCSETA,data)
+#endif
+
+#ifdef SGTTY
+# include <sgtty.h>
+# define TTY_STRUCT             struct sgttyb
+# define TTY_FLAGS              sg_flags
+# define TTY_get(tty,data)      ioctl(tty,TIOCGETP,data)
+# define TTY_set(tty,data)      ioctl(tty,TIOCSETP,data)
+#endif
+
+#if !defined(_LIBC) && !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_VMS) && !defined(OPENSSL_SYS_MACINTOSH_CLASSIC)
+# include <sys/ioctl.h>
+#endif
+
+#ifdef OPENSSL_SYS_MSDOS
+# include <conio.h>
+#endif
+
+#ifdef OPENSSL_SYS_VMS
+# include <ssdef.h>
+# include <iodef.h>
+# include <ttdef.h>
+# include <descrip.h>
+struct IOSB {
+        short iosb$w_value;
+        short iosb$w_count;
+        long  iosb$l_info;
+        };
+#endif
+
+#if defined(OPENSSL_SYS_MACINTOSH_CLASSIC) || defined(MAC_OS_GUSI_SOURCE)
+/*
+ * This one needs work. As a matter of fact the code is unoperational
+ * and this is only a trick to get it compiled.
+ *                                      <appro@fy.chalmers.se>
+ */
+# define TTY_STRUCT int
+#endif
+
+#ifndef NX509_SIG
+# define NX509_SIG 32
+#endif
+
+
+/* Define globals.  They are protected by a lock */
+#ifdef SIGACTION
+static struct sigaction savsig[NX509_SIG];
+#else
+static void (*savsig[NX509_SIG])(int );
+#endif
+
+#ifdef OPENSSL_SYS_VMS
+static struct IOSB iosb;
+static $DESCRIPTOR(terminal,"TT");
+static long tty_orig[3], tty_new[3]; /* XXX   Is there any guarantee that this will always suffice for the actual structures? */
+static long status;
+static unsigned short channel = 0;
+#else
+#ifndef OPENSSL_SYS_MSDOS
+static TTY_STRUCT tty_orig,tty_new;
+#endif
+#endif
+static FILE *tty_in, *tty_out;
+static int is_a_tty;
+
+/* Declare static functions */
+static void read_till_nl(FILE *);
+static void recsig(int);
+static void pushsig(void);
+static void popsig(void);
+#if defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_WIN16)
+static int noecho_fgets(char *buf, int size, FILE *tty);
+#endif
+static int read_string_inner(UI *ui, UI_STRING *uis, int echo, int strip_nl);
+
+static int read_string(UI *ui, UI_STRING *uis);
+static int write_string(UI *ui, UI_STRING *uis);
+
+static int open_console(UI *ui);
+static int echo_console(UI *ui);
+static int noecho_console(UI *ui);
+static int close_console(UI *ui);
+
+static UI_METHOD ui_openssl =
+        {
+        "OpenSSL default user interface",
+        open_console,
+        write_string,
+        NULL,                   /* No flusher is needed for command lines */
+        read_string,
+        close_console,
+        NULL
+        };
+
+/* The method with all the built-in thingies */
+UI_METHOD *UI_OpenSSL(void)
+        {
+        return &ui_openssl;
+        }
+
+/* The following function makes sure that info and error strings are printed
+   before any prompt. */
+static int write_string(UI *ui, UI_STRING *uis)
+        {
+        switch (UI_get_string_type(uis))
+                {
+        case UIT_ERROR:
+        case UIT_INFO:
+                fputs(UI_get0_output_string(uis), tty_out);
+                fflush(tty_out);
+                break;
+        default:
+                break;
+                }
+        return 1;
+        }
+
+static int read_string(UI *ui, UI_STRING *uis)
+        {
+        int ok = 0;
+
+        switch (UI_get_string_type(uis))
+                {
+        case UIT_BOOLEAN:
+                fputs(UI_get0_output_string(uis), tty_out);
+                fputs(UI_get0_action_string(uis), tty_out);
+                fflush(tty_out);
+                return read_string_inner(ui, uis,
+                        UI_get_input_flags(uis) & UI_INPUT_FLAG_ECHO, 0);
+        case UIT_PROMPT:
+                fputs(UI_get0_output_string(uis), tty_out);
+                fflush(tty_out);
+                return read_string_inner(ui, uis,
+                        UI_get_input_flags(uis) & UI_INPUT_FLAG_ECHO, 1);
+        case UIT_VERIFY:
+                fprintf(tty_out,"Verifying - %s",
+                        UI_get0_output_string(uis));
+                fflush(tty_out);
+                if ((ok = read_string_inner(ui, uis,
+                        UI_get_input_flags(uis) & UI_INPUT_FLAG_ECHO, 1)) <= 0)
+                        return ok;
+                if (strcmp(UI_get0_result_string(uis),
+                        UI_get0_test_string(uis)) != 0)
+                        {
+                        fprintf(tty_out,"Verify failure\n");
+                        fflush(tty_out);
+                        return 0;
+                        }
+                break;
+        default:
+                break;
+                }
+        return 1;
+        }
+
+
+/* Internal functions to read a string without echoing */
+static void read_till_nl(FILE *in)
+        {
+#define SIZE 4
+        char buf[SIZE+1];
+
+        do      {
+                fgets(buf,SIZE,in);
+                } while (strchr(buf,'\n') == NULL);
+        }
+
+static sig_atomic_t intr_signal;
+
+static int read_string_inner(UI *ui, UI_STRING *uis, int echo, int strip_nl)
+        {
+        static int ps;
+        int ok;
+        char result[BUFSIZ];
+        int maxsize = BUFSIZ-1;
+        char *p;
+
+#ifndef OPENSSL_SYS_WIN16
+        intr_signal=0;
+        ok=0;
+        ps=0;
+
+        pushsig();
+        ps=1;
+
+        if (!echo && !noecho_console(ui))
+                goto error;
+        ps=2;
+
+        result[0]='\0';
+#ifdef OPENSSL_SYS_MSDOS
+        if (!echo)
+                {
+                noecho_fgets(result,maxsize,tty_in);
+                p=result; /* FIXME: noecho_fgets doesn't return errors */
+                }
+        else
+                p=fgets(result,maxsize,tty_in);
+#else
+        p=fgets(result,maxsize,tty_in);
+#endif
+        if(!p)
+                goto error;
+        if (feof(tty_in)) goto error;
+        if (ferror(tty_in)) goto error;
+        if ((p=(char *)strchr(result,'\n')) != NULL)
+                {
+                if (strip_nl)
+                        *p='\0';
+                }
+        else
+                read_till_nl(tty_in);
+        if (UI_set_result(ui, uis, result) >= 0)
+                ok=1;
+
+error:
+        if (intr_signal == SIGINT)
+                ok=-1;
+        if (!echo) fprintf(tty_out,"\n");
+        if (ps >= 2 && !echo && !echo_console(ui))
+                ok=0;
+
+        if (ps >= 1)
+                popsig();
+#else
+        ok=1;
+#endif
+
+        memset(result,0,BUFSIZ);
+        return ok;
+        }
+
+
+/* Internal functions to open, handle and close a channel to the console.  */
+static int open_console(UI *ui)
+        {
+        CRYPTO_w_lock(CRYPTO_LOCK_UI);
+        is_a_tty = 1;
+
+#if defined(OPENSSL_SYS_MACINTOSH_CLASSIC) || defined(OPENSSL_SYS_VSWORKS)
+        tty_in=stdin;
+        tty_out=stderr;
+#else
+#  ifdef OPENSSL_SYS_MSDOS
+#    define DEV_TTY "con"
+#  else
+#    define DEV_TTY "/dev/tty"
+#  endif
+        if ((tty_in=fopen(DEV_TTY,"r")) == NULL)
+                tty_in=stdin;
+        if ((tty_out=fopen(DEV_TTY,"w")) == NULL)
+                tty_out=stderr;
+#endif
+
+#if defined(TTY_get) && !defined(VMS)
+        if (TTY_get(fileno(tty_in),&tty_orig) == -1)
+                {
+#ifdef ENOTTY
+                if (errno == ENOTTY)
+                        is_a_tty=0;
+                else
+#endif
+#ifdef EINVAL
+                /* Ariel Glenn ariel@columbia.edu reports that solaris
+                 * can return EINVAL instead.  This should be ok */
+                if (errno == EINVAL)
+                        is_a_tty=0;
+                else
+#endif
+                        return 0;
+                }
+#endif
+#ifdef OPENSSL_SYS_VMS
+        status = sys$assign(&terminal,&channel,0,0);
+        if (status != SS$_NORMAL)
+                return 0;
+        status=sys$qiow(0,channel,IO$_SENSEMODE,&iosb,0,0,tty_orig,12,0,0,0,0);
+        if ((status != SS$_NORMAL) || (iosb.iosb$w_value != SS$_NORMAL))
+                return 0;
+#endif
+        return 1;
+        }
+
+static int noecho_console(UI *ui)
+        {
+#ifdef TTY_FLAGS
+        memcpy(&(tty_new),&(tty_orig),sizeof(tty_orig));
+        tty_new.TTY_FLAGS &= ~ECHO;
+#endif
+
+#if defined(TTY_set) && !defined(OPENSSL_SYS_VMS)
+        if (is_a_tty && (TTY_set(fileno(tty_in),&tty_new) == -1))
+                return 0;
+#endif
+#ifdef OPENSSL_SYS_VMS
+        tty_new[0] = tty_orig[0];
+        tty_new[1] = tty_orig[1] | TT$M_NOECHO;
+        tty_new[2] = tty_orig[2];
+        status = sys$qiow(0,channel,IO$_SETMODE,&iosb,0,0,tty_new,12,0,0,0,0);
+        if ((status != SS$_NORMAL) || (iosb.iosb$w_value != SS$_NORMAL))
+                return 0;
+#endif
+        return 1;
+        }
+
+static int echo_console(UI *ui)
+        {
+#if defined(TTY_set) && !defined(OPENSSL_SYS_VMS)
+        memcpy(&(tty_new),&(tty_orig),sizeof(tty_orig));
+        tty_new.TTY_FLAGS |= ECHO;
+#endif
+
+#if defined(TTY_set) && !defined(OPENSSL_SYS_VMS)
+        if (is_a_tty && (TTY_set(fileno(tty_in),&tty_new) == -1))
+                return 0;
+#endif
+#ifdef OPENSSL_SYS_VMS
+        tty_new[0] = tty_orig[0];
+        tty_new[1] = tty_orig[1] & ~TT$M_NOECHO;
+        tty_new[2] = tty_orig[2];
+        status = sys$qiow(0,channel,IO$_SETMODE,&iosb,0,0,tty_new,12,0,0,0,0);
+        if ((status != SS$_NORMAL) || (iosb.iosb$w_value != SS$_NORMAL))
+                return 0;
+#endif
+        return 1;
+        }
+
+static int close_console(UI *ui)
+        {
+        if (tty_in != stderr) fclose(tty_in);
+        if (tty_out != stderr) fclose(tty_out);
+#ifdef OPENSSL_SYS_VMS
+        status = sys$dassgn(channel);
+#endif
+        CRYPTO_w_unlock(CRYPTO_LOCK_UI);
+
+        return 1;
+        }
+
+
+/* Internal functions to handle signals and act on them */
+static void pushsig(void)
+        {
+        int i;
+#ifdef SIGACTION
+        struct sigaction sa;
+
+        memset(&sa,0,sizeof sa);
+        sa.sa_handler=recsig;
+#endif
+
+        for (i=1; i<NX509_SIG; i++)
+                {
+#ifdef SIGUSR1
+                if (i == SIGUSR1)
+                        continue;
+#endif
+#ifdef SIGUSR2
+                if (i == SIGUSR2)
+                        continue;
+#endif
+#ifdef SIGKILL
+                if (i == SIGKILL) /* We can't make any action on that. */
+                        continue;
+#endif
+#ifdef SIGACTION
+                sigaction(i,&sa,&savsig[i]);
+#else
+                savsig[i]=signal(i,recsig);
+#endif
+                }
+
+#ifdef SIGWINCH
+        signal(SIGWINCH,SIG_DFL);
+#endif
+        }
+
+static void popsig(void)
+        {
+        int i;
+
+        for (i=1; i<NX509_SIG; i++)
+                {
+#ifdef SIGUSR1
+                if (i == SIGUSR1)
+                        continue;
+#endif
+#ifdef SIGUSR2
+                if (i == SIGUSR2)
+                        continue;
+#endif
+#ifdef SIGACTION
+                sigaction(i,&savsig[i],NULL);
+#else
+                signal(i,savsig[i]);
+#endif
+                }
+        }
+
+static void recsig(int i)
+        {
+        intr_signal=i;
+        }
+
+/* Internal functions specific for Windows */
+#if defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_WIN16)
+static int noecho_fgets(char *buf, int size, FILE *tty)
+        {
+        int i;
+        char *p;
+
+        p=buf;
+        for (;;)
+                {
+                if (size == 0)
+                        {
+                        *p='\0';
+                        break;
+                        }
+                size--;
+#ifdef WIN16TTY
+                i=_inchar();
+#else
+                i=getch();
+#endif
+                if (i == '\r') i='\n';
+                *(p++)=i;
+                if (i == '\n')
+                        {
+                        *p='\0';
+                        break;
+                        }
+                }
+#ifdef WIN_CONSOLE_BUG
+/* Win95 has several evil console bugs: one of these is that the
+ * last character read using getch() is passed to the next read: this is
+ * usually a CR so this can be trouble. No STDIO fix seems to work but
+ * flushing the console appears to do the trick.
+ */
+                {
+                        HANDLE inh;
+                        inh = GetStdHandle(STD_INPUT_HANDLE);
+                        FlushConsoleInputBuffer(inh);
+                }
+#endif
+        return(strlen(buf));
+        }
+#endif
diff --git a/src/lib/libcrypto/ui/ui_util.c b/src/lib/libcrypto/ui/ui_util.c
new file mode 100644
index 0000000000..7c6f7d3a73
--- /dev/null
+++ b/src/lib/libcrypto/ui/ui_util.c
@@ -0,0 +1,86 @@
+/* crypto/ui/ui_util.c -*- mode:C; c-file-style: "eay" -*- */
+/* ====================================================================
+ * Copyright (c) 2001-2002 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <string.h>
+#include <openssl/ui.h>
+
+int UI_UTIL_read_pw_string(char *buf,int length,const char *prompt,int verify)
+        {
+        char buff[BUFSIZ];
+        int ret;
+
+        ret=UI_UTIL_read_pw(buf,buff,(length>BUFSIZ)?BUFSIZ:length,prompt,verify);
+        memset(buff,0,BUFSIZ);
+        return(ret);
+        }
+
+int UI_UTIL_read_pw(char *buf,char *buff,int size,const char *prompt,int verify)
+        {
+        int ok = 0;
+        UI *ui;
+
+        ui = UI_new();
+        if (ui)
+                {
+                ok = UI_add_input_string(ui,prompt,0,buf,0,BUFSIZ-1);
+                if (ok == 0 && verify)
+                        ok = UI_add_verify_string(ui,prompt,0,buff,0,BUFSIZ-1,
+                                buf);
+                if (ok == 0)
+                        ok=UI_process(ui);
+                UI_free(ui);
+                }
+        return(ok);
+        }
diff --git a/src/lib/libcrypto/uid.c b/src/lib/libcrypto/uid.c
index b5b61b76d4..d3d249c36f 100644
--- a/src/lib/libcrypto/uid.c
+++ b/src/lib/libcrypto/uid.c
@@ -54,17 +54,18 @@
  */
 
 #include <openssl/crypto.h>
+#include <openssl/opensslconf.h>
 
 #if defined(__OpenBSD__) || (defined(__FreeBSD__) && __FreeBSD__ > 2)
 
-#include <unistd.h>
+#include OPENSSL_UNISTD
 
 int OPENSSL_issetugid(void)
         {
         return issetugid();
         }
 
-#elif defined(WIN32)
+#elif defined(OPENSSL_SYS_WIN32)
 
 int OPENSSL_issetugid(void)
         {
@@ -73,7 +74,7 @@ int OPENSSL_issetugid(void)
 
 #else
 
-#include <unistd.h>
+#include OPENSSL_UNISTD
 #include <sys/types.h>
 
 int OPENSSL_issetugid(void)
diff --git a/src/lib/libcrypto/util/clean-depend.pl b/src/lib/libcrypto/util/clean-depend.pl
index 0193e726fe..6c485d1e2f 100644
--- a/src/lib/libcrypto/util/clean-depend.pl
+++ b/src/lib/libcrypto/util/clean-depend.pl
@@ -11,20 +11,36 @@ while(<STDIN>) {
 
 my %files;
 
+my $thisfile="";
 while(<STDIN>) {
-    my ($file,$deps)=/^(.*): (.*)$/;
+    my ($dummy, $file,$deps)=/^((.*):)? (.*)$/;
+    my $origfile="";
+    $thisfile=$file if defined $file;
     next if !defined $deps;
+    $origfile=$thisfile;
+    $origfile=~s/\.o$/.c/;
     my @deps=split ' ',$deps;
     @deps=grep(!/^\//,@deps);
     @deps=grep(!/^\\$/,@deps);
-    push @{$files{$file}},@deps;
+    @deps=grep(!/^$origfile$/,@deps);
+# pull out the kludged kerberos header (if present).
+    @deps=grep(!/^[.\/]+\/krb5.h/,@deps);
+    push @{$files{$thisfile}},@deps;
 }
 
 my $file;
 foreach $file (sort keys %files) {
     my $len=0;
     my $dep;
+    my $origfile=$file;
+    $origfile=~s/\.o$/.c/;
+    $file=~s/^\.\///;
+    push @{$files{$file}},$origfile;
+    my $prevdep="";
     foreach $dep (sort @{$files{$file}}) {
+        $dep=~s/^\.\///;
+        next if $prevdep eq $dep; # to exterminate duplicates...
+        $prevdep = $dep;
         $len=0 if $len+length($dep)+1 >= 80;
         if($len == 0) {
             print "\n$file:";
diff --git a/src/lib/libcrypto/util/cygwin.sh b/src/lib/libcrypto/util/cygwin.sh
new file mode 100644
index 0000000000..b607399b02
--- /dev/null
+++ b/src/lib/libcrypto/util/cygwin.sh
@@ -0,0 +1,125 @@
+#!/bin/bash
+#
+# This script configures, builds and packs the binary package for
+# the Cygwin net distribution version of OpenSSL
+#
+
+# Uncomment when debugging
+#set -x
+
+CONFIG_OPTIONS="--prefix=/usr shared no-idea no-rc5 no-mdc2"
+INSTALL_PREFIX=/tmp/install
+
+VERSION=
+SUBVERSION=$1
+
+function cleanup()
+{
+  rm -rf ${INSTALL_PREFIX}/etc
+  rm -rf ${INSTALL_PREFIX}/usr
+}
+
+function get_openssl_version()
+{
+  eval `grep '^VERSION=' Makefile.ssl`
+  if [ -z "${VERSION}" ]
+  then
+    echo "Error: Couldn't retrieve OpenSSL version from Makefile.ssl."
+    echo "       Check value of variable VERSION in Makefile.ssl."
+    exit 1
+  fi
+}
+
+function base_install()
+{
+  mkdir -p ${INSTALL_PREFIX}
+  cleanup
+  make install INSTALL_PREFIX="${INSTALL_PREFIX}"
+}
+
+function doc_install()
+{
+  DOC_DIR=${INSTALL_PREFIX}/usr/doc/openssl
+
+  mkdir -p ${DOC_DIR}
+  cp CHANGES CHANGES.SSLeay INSTALL LICENSE NEWS README ${DOC_DIR}
+
+  create_cygwin_readme
+}
+
+function create_cygwin_readme()
+{
+  README_DIR=${INSTALL_PREFIX}/usr/doc/Cygwin
+  README_FILE=${README_DIR}/openssl-${VERSION}.README
+
+  mkdir -p ${README_DIR}
+  cat > ${README_FILE} <<- EOF
+        The Cygwin version has been built using the following configure:
+
+          ./config ${CONFIG_OPTIONS}
+
+        The IDEA, RC5 and MDC2 algorithms are disabled due to patent and/or
+        licensing issues.
+        EOF
+}
+
+function create_profile_files()
+{
+  PROFILE_DIR=${INSTALL_PREFIX}/etc/profile.d
+
+  mkdir -p $PROFILE_DIR
+  cat > ${PROFILE_DIR}/openssl.sh <<- "EOF"
+        export MANPATH="${MANPATH}:/usr/ssl/man"
+        EOF
+  cat > ${PROFILE_DIR}/openssl.csh <<- "EOF"
+        if ( $?MANPATH ) then
+          setenv MANPATH "${MANPATH}:/usr/ssl/man"
+        else
+          setenv MANPATH ":/usr/ssl/man"
+        endif
+        EOF
+}
+
+if [ -z "${SUBVERSION}" ]
+then
+  echo "Usage: $0 subversion"
+  exit 1
+fi
+
+if [ ! -f config ]
+then
+  echo "You must start this script in the OpenSSL toplevel source dir."
+  exit 1
+fi
+
+./config ${CONFIG_OPTIONS}
+
+get_openssl_version
+
+make || exit 1
+
+base_install
+
+doc_install
+
+create_cygwin_readme
+
+create_profile_files
+
+cd ${INSTALL_PREFIX}
+strip usr/bin/*.exe usr/bin/*.dll
+
+# Runtime package
+find etc usr/bin usr/doc usr/ssl/certs usr/ssl/man/man[157] usr/ssl/misc \
+     usr/ssl/openssl.cnf usr/ssl/private -empty -o \! -type d |
+tar cjfT openssl-${VERSION}-${SUBVERSION}.tar.bz2 -
+# Development package
+find usr/include usr/lib usr/ssl/man/man3 -empty -o \! -type d |
+tar cjfT openssl-devel-${VERSION}-${SUBVERSION}.tar.bz2 -
+
+ls -l openssl-${VERSION}-${SUBVERSION}.tar.bz2
+ls -l openssl-devel-${VERSION}-${SUBVERSION}.tar.bz2
+
+cleanup
+
+exit 0
diff --git a/src/lib/libcrypto/util/domd b/src/lib/libcrypto/util/domd
index 9f75131f22..aa99cb0523 100644
--- a/src/lib/libcrypto/util/domd
+++ b/src/lib/libcrypto/util/domd
@@ -4,8 +4,26 @@
 
 TOP=$1
 shift
+if [ "$1" = "-MD" ]; then
+    shift
+    MAKEDEPEND=$1
+    shift
+fi
+if [ "$MAKEDEPEND" = "" ]; then MAKEDEPEND=makedepend; fi
 
 cp Makefile.ssl Makefile.save
-makedepend -f Makefile.ssl $@
-perl $TOP/util/clean-depend.pl < Makefile.ssl > Makefile.new
+# fake the presence of Kerberos
+touch $TOP/krb5.h
+if [ "$MAKEDEPEND" = "gcc" ]; then
+    sed -e '/^# DO NOT DELETE.*/,$d' < Makefile.ssl > Makefile.tmp
+    echo '# DO NOT DELETE THIS LINE -- make depend depends on it.' >> Makefile.tmp
+    gcc -D OPENSSL_DOING_MAKEDEPEND -M $@ >> Makefile.tmp
+    perl $TOP/util/clean-depend.pl < Makefile.tmp > Makefile.new
+    rm -f Makefile.tmp
+else
+    ${MAKEDEPEND} -D OPENSSL_DOING_MAKEDEPEND -f Makefile.ssl $@
+    perl $TOP/util/clean-depend.pl < Makefile.ssl > Makefile.new
+fi
 mv Makefile.new Makefile.ssl
+# unfake the presence of Kerberos
+rm $TOP/krb5.h
diff --git a/src/lib/libcrypto/util/libeay.num b/src/lib/libcrypto/util/libeay.num
index 84ae840804..b74749e5de 100644
--- a/src/lib/libcrypto/util/libeay.num
+++ b/src/lib/libcrypto/util/libeay.num
@@ -15,28 +15,28 @@ ASN1_STRING_cmp                         14	EXIST::FUNCTION:
 ASN1_STRING_dup                         15      EXIST::FUNCTION:
 ASN1_STRING_free                        16      EXIST::FUNCTION:
 ASN1_STRING_new                         17      EXIST::FUNCTION:
-ASN1_STRING_print                       18      EXIST::FUNCTION:
+ASN1_STRING_print                       18      EXIST::FUNCTION:BIO
 ASN1_STRING_set                         19      EXIST::FUNCTION:
 ASN1_STRING_type_new                    20      EXIST::FUNCTION:
 ASN1_TYPE_free                          21      EXIST::FUNCTION:
 ASN1_TYPE_new                           22      EXIST::FUNCTION:
 ASN1_UNIVERSALSTRING_to_string          23      EXIST::FUNCTION:
 ASN1_UTCTIME_check                      24      EXIST::FUNCTION:
-ASN1_UTCTIME_print                      25      EXIST::FUNCTION:
+ASN1_UTCTIME_print                      25      EXIST::FUNCTION:BIO
 ASN1_UTCTIME_set                        26      EXIST::FUNCTION:
 ASN1_check_infinite_end                 27      EXIST::FUNCTION:
-ASN1_d2i_bio                            28      EXIST::FUNCTION:
+ASN1_d2i_bio                            28      EXIST::FUNCTION:BIO
 ASN1_d2i_fp                             29      EXIST::FUNCTION:FP_API
-ASN1_digest                             30      EXIST::FUNCTION:
+ASN1_digest                             30      EXIST::FUNCTION:EVP
 ASN1_dup                                31      EXIST::FUNCTION:
 ASN1_get_object                         32      EXIST::FUNCTION:
-ASN1_i2d_bio                            33      EXIST::FUNCTION:
+ASN1_i2d_bio                            33      EXIST::FUNCTION:BIO
 ASN1_i2d_fp                             34      EXIST::FUNCTION:FP_API
 ASN1_object_size                        35      EXIST::FUNCTION:
-ASN1_parse                              36      EXIST::FUNCTION:
+ASN1_parse                              36      EXIST::FUNCTION:BIO
 ASN1_put_object                         37      EXIST::FUNCTION:
-ASN1_sign                               38      EXIST::FUNCTION:
-ASN1_verify                             39      EXIST::FUNCTION:
+ASN1_sign                               38      EXIST::FUNCTION:EVP
+ASN1_verify                             39      EXIST::FUNCTION:EVP
 BF_cbc_encrypt                          40      EXIST::FUNCTION:BF
 BF_cfb64_encrypt                        41      EXIST::FUNCTION:BF
 BF_ecb_encrypt                          42      EXIST::FUNCTION:BF
@@ -52,10 +52,10 @@ BIO_int_ctrl                            53	EXIST::FUNCTION:
 BIO_debug_callback                      54      EXIST::FUNCTION:
 BIO_dump                                55      EXIST::FUNCTION:
 BIO_dup_chain                           56      EXIST::FUNCTION:
-BIO_f_base64                            57      EXIST::FUNCTION:
+BIO_f_base64                            57      EXIST::FUNCTION:BIO
 BIO_f_buffer                            58      EXIST::FUNCTION:
-BIO_f_cipher                            59      EXIST::FUNCTION:
-BIO_f_md                                60      EXIST::FUNCTION:
+BIO_f_cipher                            59      EXIST::FUNCTION:BIO
+BIO_f_md                                60      EXIST::FUNCTION:BIO
 BIO_f_null                              61      EXIST::FUNCTION:
 BIO_f_proxy_server                      62      NOEXIST::FUNCTION:
 BIO_fd_non_fatal_error                  63      EXIST::FUNCTION:
@@ -92,7 +92,7 @@ BIO_s_null                              96	EXIST::FUNCTION:
 BIO_s_proxy_client                      97      NOEXIST::FUNCTION:
 BIO_s_socket                            98      EXIST::FUNCTION:
 BIO_set                                 100     EXIST::FUNCTION:
-BIO_set_cipher                          101     EXIST::FUNCTION:
+BIO_set_cipher                          101     EXIST::FUNCTION:BIO
 BIO_set_tcp_ndelay                      102     EXIST::FUNCTION:
 BIO_sock_cleanup                        103     EXIST::FUNCTION:
 BIO_sock_error                          104     EXIST::FUNCTION:
@@ -130,7 +130,7 @@ BN_is_prime                             135	EXIST::FUNCTION:
 BN_lshift                               136     EXIST::FUNCTION:
 BN_lshift1                              137     EXIST::FUNCTION:
 BN_mask_bits                            138     EXIST::FUNCTION:
-BN_mod                                  139     EXIST::FUNCTION:
+BN_mod                                  139     NOEXIST::FUNCTION:
 BN_mod_exp                              140     EXIST::FUNCTION:
 BN_mod_exp_mont                         141     EXIST::FUNCTION:
 BN_mod_exp_simple                       143     EXIST::FUNCTION:
@@ -196,30 +196,30 @@ DH_generate_key                         203	EXIST::FUNCTION:DH
 DH_generate_parameters                  204     EXIST::FUNCTION:DH
 DH_new                                  205     EXIST::FUNCTION:DH
 DH_size                                 206     EXIST::FUNCTION:DH
-DHparams_print                          207     EXIST::FUNCTION:DH
+DHparams_print                          207     EXIST::FUNCTION:BIO,DH
 DHparams_print_fp                       208     EXIST::FUNCTION:DH,FP_API
 DSA_free                                209     EXIST::FUNCTION:DSA
 DSA_generate_key                        210     EXIST::FUNCTION:DSA
 DSA_generate_parameters                 211     EXIST::FUNCTION:DSA
 DSA_is_prime                            212     NOEXIST::FUNCTION:
 DSA_new                                 213     EXIST::FUNCTION:DSA
-DSA_print                               214     EXIST::FUNCTION:DSA
+DSA_print                               214     EXIST::FUNCTION:BIO,DSA
 DSA_print_fp                            215     EXIST::FUNCTION:DSA,FP_API
 DSA_sign                                216     EXIST::FUNCTION:DSA
 DSA_sign_setup                          217     EXIST::FUNCTION:DSA
 DSA_size                                218     EXIST::FUNCTION:DSA
 DSA_verify                              219     EXIST::FUNCTION:DSA
-DSAparams_print                         220     EXIST::FUNCTION:DSA
+DSAparams_print                         220     EXIST::FUNCTION:BIO,DSA
 DSAparams_print_fp                      221     EXIST::FUNCTION:DSA,FP_API
 ERR_clear_error                         222     EXIST::FUNCTION:
 ERR_error_string                        223     EXIST::FUNCTION:
 ERR_free_strings                        224     EXIST::FUNCTION:
 ERR_func_error_string                   225     EXIST::FUNCTION:
-ERR_get_err_state_table                 226     EXIST::FUNCTION:
+ERR_get_err_state_table                 226     EXIST::FUNCTION:LHASH
 ERR_get_error                           227     EXIST::FUNCTION:
 ERR_get_error_line                      228     EXIST::FUNCTION:
 ERR_get_state                           229     EXIST::FUNCTION:
-ERR_get_string_table                    230     EXIST::FUNCTION:
+ERR_get_string_table                    230     EXIST::FUNCTION:LHASH
 ERR_lib_error_string                    231     EXIST::FUNCTION:
 ERR_load_ASN1_strings                   232     EXIST::FUNCTION:
 ERR_load_BIO_strings                    233     EXIST::FUNCTION:
@@ -239,7 +239,7 @@ ERR_load_crypto_strings                 246	EXIST::FUNCTION:
 ERR_load_strings                        247     EXIST::FUNCTION:
 ERR_peek_error                          248     EXIST::FUNCTION:
 ERR_peek_error_line                     249     EXIST::FUNCTION:
-ERR_print_errors                        250     EXIST::FUNCTION:
+ERR_print_errors                        250     EXIST::FUNCTION:BIO
 ERR_print_errors_fp                     251     EXIST::FUNCTION:FP_API
 ERR_put_error                           252     EXIST::FUNCTION:
 ERR_reason_error_string                 253     EXIST::FUNCTION:
@@ -340,8 +340,8 @@ NETSCAPE_SPKAC_free                     347	EXIST::FUNCTION:
 NETSCAPE_SPKAC_new                      348     EXIST::FUNCTION:
 NETSCAPE_SPKI_free                      349     EXIST::FUNCTION:
 NETSCAPE_SPKI_new                       350     EXIST::FUNCTION:
-NETSCAPE_SPKI_sign                      351     EXIST::FUNCTION:
-NETSCAPE_SPKI_verify                    352     EXIST::FUNCTION:
+NETSCAPE_SPKI_sign                      351     EXIST::FUNCTION:EVP
+NETSCAPE_SPKI_verify                    352     EXIST::FUNCTION:EVP
 OBJ_add_object                          353     EXIST::FUNCTION:
 OBJ_bsearch                             354     EXIST::FUNCTION:
 OBJ_cleanup                             355     EXIST::FUNCTION:
@@ -357,9 +357,9 @@ OBJ_obj2nid                             364	EXIST::FUNCTION:
 OBJ_sn2nid                              365     EXIST::FUNCTION:
 OBJ_txt2nid                             366     EXIST::FUNCTION:
 PEM_ASN1_read                           367     EXIST:!WIN16:FUNCTION:
-PEM_ASN1_read_bio                       368     EXIST::FUNCTION:
+PEM_ASN1_read_bio                       368     EXIST::FUNCTION:BIO
 PEM_ASN1_write                          369     EXIST:!WIN16:FUNCTION:
-PEM_ASN1_write_bio                      370     EXIST::FUNCTION:
+PEM_ASN1_write_bio                      370     EXIST::FUNCTION:BIO
 PEM_SealFinal                           371     EXIST::FUNCTION:RSA
 PEM_SealInit                            372     EXIST::FUNCTION:RSA
 PEM_SealUpdate                          373     EXIST::FUNCTION:RSA
@@ -367,8 +367,8 @@ PEM_SignFinal                           374	EXIST::FUNCTION:
 PEM_SignInit                            375     EXIST::FUNCTION:
 PEM_SignUpdate                          376     EXIST::FUNCTION:
 PEM_X509_INFO_read                      377     EXIST:!WIN16:FUNCTION:
-PEM_X509_INFO_read_bio                  378     EXIST::FUNCTION:
-PEM_X509_INFO_write_bio                 379     EXIST::FUNCTION:
+PEM_X509_INFO_read_bio                  378     EXIST::FUNCTION:BIO
+PEM_X509_INFO_write_bio                 379     EXIST::FUNCTION:BIO
 PEM_dek_info                            380     EXIST::FUNCTION:
 PEM_do_header                           381     EXIST::FUNCTION:
 PEM_get_EVP_CIPHER_INFO                 382     EXIST::FUNCTION:
@@ -383,7 +383,7 @@ PEM_read_RSAPrivateKey                  390	EXIST:!WIN16:FUNCTION:RSA
 PEM_read_X509                           391     EXIST:!WIN16:FUNCTION:
 PEM_read_X509_CRL                       392     EXIST:!WIN16:FUNCTION:
 PEM_read_X509_REQ                       393     EXIST:!WIN16:FUNCTION:
-PEM_read_bio                            394     EXIST::FUNCTION:
+PEM_read_bio                            394     EXIST::FUNCTION:BIO
 PEM_read_bio_DHparams                   395     EXIST::FUNCTION:DH
 PEM_read_bio_DSAPrivateKey              396     EXIST::FUNCTION:DSA
 PEM_read_bio_DSAparams                  397     EXIST::FUNCTION:DSA
@@ -403,7 +403,7 @@ PEM_write_RSAPrivateKey                 410	EXIST:!WIN16:FUNCTION:RSA
 PEM_write_X509                          411     EXIST:!WIN16:FUNCTION:
 PEM_write_X509_CRL                      412     EXIST:!WIN16:FUNCTION:
 PEM_write_X509_REQ                      413     EXIST:!WIN16:FUNCTION:
-PEM_write_bio                           414     EXIST::FUNCTION:
+PEM_write_bio                           414     EXIST::FUNCTION:BIO
 PEM_write_bio_DHparams                  415     EXIST::FUNCTION:DH
 PEM_write_bio_DSAPrivateKey             416     EXIST::FUNCTION:DSA
 PEM_write_bio_DSAparams                 417     EXIST::FUNCTION:DSA
@@ -457,7 +457,7 @@ RAND_bytes                              464	EXIST::FUNCTION:
 RAND_cleanup                            465     EXIST::FUNCTION:
 RAND_file_name                          466     EXIST::FUNCTION:
 RAND_load_file                          467     EXIST::FUNCTION:
-RAND_screen                             468     EXIST::FUNCTION:
+RAND_screen                             468     EXIST:WIN32:FUNCTION:
 RAND_seed                               469     EXIST::FUNCTION:
 RAND_write_file                         470     EXIST::FUNCTION:
 RC2_cbc_encrypt                         471     EXIST::FUNCTION:RC2
@@ -477,8 +477,8 @@ RSA_free                                484	EXIST::FUNCTION:RSA
 RSA_generate_key                        485     EXIST::FUNCTION:RSA
 RSA_new                                 486     EXIST::FUNCTION:RSA
 RSA_new_method                          487     EXIST::FUNCTION:RSA
-RSA_print                               488     EXIST::FUNCTION:RSA
-RSA_print_fp                            489     EXIST::FUNCTION:RSA,FP_API
+RSA_print                               488     EXIST::FUNCTION:BIO,RSA
+RSA_print_fp                            489     EXIST::FUNCTION:FP_API,RSA
 RSA_private_decrypt                     490     EXIST::FUNCTION:RSA
 RSA_private_encrypt                     491     EXIST::FUNCTION:RSA
 RSA_public_decrypt                      492     EXIST::FUNCTION:RSA
@@ -489,23 +489,23 @@ RSA_sign_ASN1_OCTET_STRING              496	EXIST::FUNCTION:RSA
 RSA_size                                497     EXIST::FUNCTION:RSA
 RSA_verify                              498     EXIST::FUNCTION:RSA
 RSA_verify_ASN1_OCTET_STRING            499     EXIST::FUNCTION:RSA
-SHA                                     500     EXIST::FUNCTION:SHA
-SHA1                                    501     EXIST::FUNCTION:SHA
-SHA1_Final                              502     EXIST::FUNCTION:SHA
-SHA1_Init                               503     EXIST::FUNCTION:SHA
-SHA1_Update                             504     EXIST::FUNCTION:SHA
-SHA_Final                               505     EXIST::FUNCTION:SHA
-SHA_Init                                506     EXIST::FUNCTION:SHA
-SHA_Update                              507     EXIST::FUNCTION:SHA
-OpenSSL_add_all_algorithms              508     EXIST::FUNCTION:
+SHA                                     500     EXIST::FUNCTION:SHA,SHA0
+SHA1                                    501     EXIST::FUNCTION:SHA,SHA1
+SHA1_Final                              502     EXIST::FUNCTION:SHA,SHA1
+SHA1_Init                               503     EXIST::FUNCTION:SHA,SHA1
+SHA1_Update                             504     EXIST::FUNCTION:SHA,SHA1
+SHA_Final                               505     EXIST::FUNCTION:SHA,SHA0
+SHA_Init                                506     EXIST::FUNCTION:SHA,SHA0
+SHA_Update                              507     EXIST::FUNCTION:SHA,SHA0
+OpenSSL_add_all_algorithms              508     NOEXIST::FUNCTION:
 OpenSSL_add_all_ciphers                 509     EXIST::FUNCTION:
 OpenSSL_add_all_digests                 510     EXIST::FUNCTION:
 TXT_DB_create_index                     511     EXIST::FUNCTION:
 TXT_DB_free                             512     EXIST::FUNCTION:
 TXT_DB_get_by_index                     513     EXIST::FUNCTION:
 TXT_DB_insert                           514     EXIST::FUNCTION:
-TXT_DB_read                             515     EXIST::FUNCTION:
-TXT_DB_write                            516     EXIST::FUNCTION:
+TXT_DB_read                             515     EXIST::FUNCTION:BIO
+TXT_DB_write                            516     EXIST::FUNCTION:BIO
 X509_ALGOR_free                         517     EXIST::FUNCTION:
 X509_ALGOR_new                          518     EXIST::FUNCTION:
 X509_ATTRIBUTE_free                     519     EXIST::FUNCTION:
@@ -525,8 +525,8 @@ X509_CRL_get_ext_by_OBJ                 532	EXIST::FUNCTION:
 X509_CRL_get_ext_by_critical            533     EXIST::FUNCTION:
 X509_CRL_get_ext_count                  534     EXIST::FUNCTION:
 X509_CRL_new                            535     EXIST::FUNCTION:
-X509_CRL_sign                           536     EXIST::FUNCTION:
-X509_CRL_verify                         537     EXIST::FUNCTION:
+X509_CRL_sign                           536     EXIST::FUNCTION:EVP
+X509_CRL_verify                         537     EXIST::FUNCTION:EVP
 X509_EXTENSION_create_by_NID            538     EXIST::FUNCTION:
 X509_EXTENSION_create_by_OBJ            539     EXIST::FUNCTION:
 X509_EXTENSION_dup                      540     EXIST::FUNCTION:
@@ -538,8 +538,8 @@ X509_EXTENSION_new                      545	EXIST::FUNCTION:
 X509_EXTENSION_set_critical             546     EXIST::FUNCTION:
 X509_EXTENSION_set_data                 547     EXIST::FUNCTION:
 X509_EXTENSION_set_object               548     EXIST::FUNCTION:
-X509_INFO_free                          549     EXIST::FUNCTION:
-X509_INFO_new                           550     EXIST::FUNCTION:
+X509_INFO_free                          549     EXIST::FUNCTION:EVP
+X509_INFO_new                           550     EXIST::FUNCTION:EVP
 X509_LOOKUP_by_alias                    551     EXIST::FUNCTION:
 X509_LOOKUP_by_fingerprint              552     EXIST::FUNCTION:
 X509_LOOKUP_by_issuer_serial            553     EXIST::FUNCTION:
@@ -563,7 +563,7 @@ X509_NAME_ENTRY_set_object              570	EXIST::FUNCTION:
 X509_NAME_add_entry                     571     EXIST::FUNCTION:
 X509_NAME_cmp                           572     EXIST::FUNCTION:
 X509_NAME_delete_entry                  573     EXIST::FUNCTION:
-X509_NAME_digest                        574     EXIST::FUNCTION:
+X509_NAME_digest                        574     EXIST::FUNCTION:EVP
 X509_NAME_dup                           575     EXIST::FUNCTION:
 X509_NAME_entry_count                   576     EXIST::FUNCTION:
 X509_NAME_free                          577     EXIST::FUNCTION:
@@ -574,8 +574,8 @@ X509_NAME_get_text_by_NID               581	EXIST::FUNCTION:
 X509_NAME_get_text_by_OBJ               582     EXIST::FUNCTION:
 X509_NAME_hash                          583     EXIST::FUNCTION:
 X509_NAME_new                           584     EXIST::FUNCTION:
-X509_NAME_oneline                       585     EXIST::FUNCTION:
-X509_NAME_print                         586     EXIST::FUNCTION:
+X509_NAME_oneline                       585     EXIST::FUNCTION:EVP
+X509_NAME_print                         586     EXIST::FUNCTION:BIO
 X509_NAME_set                           587     EXIST::FUNCTION:
 X509_OBJECT_free_contents               588     EXIST::FUNCTION:
 X509_OBJECT_retrieve_by_subject         589     EXIST::FUNCTION:
@@ -592,14 +592,14 @@ X509_REQ_dup                            599	EXIST::FUNCTION:
 X509_REQ_free                           600     EXIST::FUNCTION:
 X509_REQ_get_pubkey                     601     EXIST::FUNCTION:
 X509_REQ_new                            602     EXIST::FUNCTION:
-X509_REQ_print                          603     EXIST::FUNCTION:
+X509_REQ_print                          603     EXIST::FUNCTION:BIO
 X509_REQ_print_fp                       604     EXIST::FUNCTION:FP_API
 X509_REQ_set_pubkey                     605     EXIST::FUNCTION:
 X509_REQ_set_subject_name               606     EXIST::FUNCTION:
 X509_REQ_set_version                    607     EXIST::FUNCTION:
-X509_REQ_sign                           608     EXIST::FUNCTION:
+X509_REQ_sign                           608     EXIST::FUNCTION:EVP
 X509_REQ_to_X509                        609     EXIST::FUNCTION:
-X509_REQ_verify                         610     EXIST::FUNCTION:
+X509_REQ_verify                         610     EXIST::FUNCTION:EVP
 X509_REVOKED_add_ext                    611     EXIST::FUNCTION:
 X509_REVOKED_delete_ext                 612     EXIST::FUNCTION:
 X509_REVOKED_free                       613     EXIST::FUNCTION:
@@ -618,9 +618,9 @@ X509_STORE_add_cert                     624	EXIST::FUNCTION:
 X509_STORE_add_lookup                   625     EXIST::FUNCTION:
 X509_STORE_free                         626     EXIST::FUNCTION:
 X509_STORE_get_by_subject               627     EXIST::FUNCTION:
-X509_STORE_load_locations               628     EXIST::FUNCTION:
+X509_STORE_load_locations               628     EXIST::FUNCTION:STDIO
 X509_STORE_new                          629     EXIST::FUNCTION:
-X509_STORE_set_default_paths            630     EXIST::FUNCTION:
+X509_STORE_set_default_paths            630     EXIST::FUNCTION:STDIO
 X509_VAL_free                           631     EXIST::FUNCTION:
 X509_VAL_new                            632     EXIST::FUNCTION:
 X509_add_ext                            633     EXIST::FUNCTION:
@@ -629,7 +629,7 @@ X509_certificate_type                   635	EXIST::FUNCTION:
 X509_check_private_key                  636     EXIST::FUNCTION:
 X509_cmp_current_time                   637     EXIST::FUNCTION:
 X509_delete_ext                         638     EXIST::FUNCTION:
-X509_digest                             639     EXIST::FUNCTION:
+X509_digest                             639     EXIST::FUNCTION:EVP
 X509_dup                                640     EXIST::FUNCTION:
 X509_free                               641     EXIST::FUNCTION:
 X509_get_default_cert_area              642     EXIST::FUNCTION:
@@ -653,9 +653,9 @@ X509_issuer_and_serial_cmp              659	EXIST::FUNCTION:
 X509_issuer_and_serial_hash             660     EXIST::FUNCTION:
 X509_issuer_name_cmp                    661     EXIST::FUNCTION:
 X509_issuer_name_hash                   662     EXIST::FUNCTION:
-X509_load_cert_file                     663     EXIST::FUNCTION:
+X509_load_cert_file                     663     EXIST::FUNCTION:STDIO
 X509_new                                664     EXIST::FUNCTION:
-X509_print                              665     EXIST::FUNCTION:
+X509_print                              665     EXIST::FUNCTION:BIO
 X509_print_fp                           666     EXIST::FUNCTION:FP_API
 X509_set_issuer_name                    667     EXIST::FUNCTION:
 X509_set_notAfter                       668     EXIST::FUNCTION:
@@ -664,11 +664,11 @@ X509_set_pubkey                         670	EXIST::FUNCTION:
 X509_set_serialNumber                   671     EXIST::FUNCTION:
 X509_set_subject_name                   672     EXIST::FUNCTION:
 X509_set_version                        673     EXIST::FUNCTION:
-X509_sign                               674     EXIST::FUNCTION:
+X509_sign                               674     EXIST::FUNCTION:EVP
 X509_subject_name_cmp                   675     EXIST::FUNCTION:
 X509_subject_name_hash                  676     EXIST::FUNCTION:
 X509_to_X509_REQ                        677     EXIST::FUNCTION:
-X509_verify                             678     EXIST::FUNCTION:
+X509_verify                             678     EXIST::FUNCTION:EVP
 X509_verify_cert                        679     EXIST::FUNCTION:
 X509_verify_cert_error_string           680     EXIST::FUNCTION:
 X509v3_add_ext                          681     EXIST::FUNCTION:
@@ -690,8 +690,8 @@ X509v3_pack_type_by_OBJ                 696	NOEXIST::FUNCTION:
 X509v3_unpack_string                    697     NOEXIST::FUNCTION:
 _des_crypt                              698     NOEXIST::FUNCTION:
 a2d_ASN1_OBJECT                         699     EXIST::FUNCTION:
-a2i_ASN1_INTEGER                        700     EXIST::FUNCTION:
-a2i_ASN1_STRING                         701     EXIST::FUNCTION:
+a2i_ASN1_INTEGER                        700     EXIST::FUNCTION:BIO
+a2i_ASN1_STRING                         701     EXIST::FUNCTION:BIO
 asn1_Finish                             702     EXIST::FUNCTION:
 asn1_GetSequence                        703     EXIST::FUNCTION:
 bn_div_words                            704     EXIST::FUNCTION:
@@ -701,7 +701,7 @@ bn_mul_words                            707	EXIST::FUNCTION:
 BN_uadd                                 708     EXIST::FUNCTION:
 BN_usub                                 709     EXIST::FUNCTION:
 bn_sqr_words                            710     EXIST::FUNCTION:
-crypt                                   711     EXIST:!PERL5,!NeXT,!__FreeBSD__:FUNCTION:DES
+_ossl_old_crypt                         711     EXIST:!NeXT,!PERL5,!__FreeBSD__:FUNCTION:DES
 d2i_ASN1_BIT_STRING                     712     EXIST::FUNCTION:
 d2i_ASN1_BOOLEAN                        713     EXIST::FUNCTION:
 d2i_ASN1_HEADER                         714     EXIST::FUNCTION:
@@ -719,7 +719,7 @@ d2i_ASN1_bytes                          725	EXIST::FUNCTION:
 d2i_ASN1_type_bytes                     726     EXIST::FUNCTION:
 d2i_DHparams                            727     EXIST::FUNCTION:DH
 d2i_DSAPrivateKey                       728     EXIST::FUNCTION:DSA
-d2i_DSAPrivateKey_bio                   729     EXIST::FUNCTION:DSA
+d2i_DSAPrivateKey_bio                   729     EXIST::FUNCTION:BIO,DSA
 d2i_DSAPrivateKey_fp                    730     EXIST::FUNCTION:DSA,FP_API
 d2i_DSAPublicKey                        731     EXIST::FUNCTION:DSA
 d2i_DSAparams                           732     EXIST::FUNCTION:DSA
@@ -741,8 +741,8 @@ d2i_PKCS7_fp                            747	EXIST::FUNCTION:FP_API
 d2i_PrivateKey                          748     EXIST::FUNCTION:
 d2i_PublicKey                           749     EXIST::FUNCTION:
 d2i_RSAPrivateKey                       750     EXIST::FUNCTION:RSA
-d2i_RSAPrivateKey_bio                   751     EXIST::FUNCTION:RSA
-d2i_RSAPrivateKey_fp                    752     EXIST::FUNCTION:RSA,FP_API
+d2i_RSAPrivateKey_bio                   751     EXIST::FUNCTION:BIO,RSA
+d2i_RSAPrivateKey_fp                    752     EXIST::FUNCTION:FP_API,RSA
 d2i_RSAPublicKey                        753     EXIST::FUNCTION:RSA
 d2i_X509                                754     EXIST::FUNCTION:
 d2i_X509_ALGOR                          755     EXIST::FUNCTION:
@@ -750,7 +750,7 @@ d2i_X509_ATTRIBUTE                      756	EXIST::FUNCTION:
 d2i_X509_CINF                           757     EXIST::FUNCTION:
 d2i_X509_CRL                            758     EXIST::FUNCTION:
 d2i_X509_CRL_INFO                       759     EXIST::FUNCTION:
-d2i_X509_CRL_bio                        760     EXIST::FUNCTION:
+d2i_X509_CRL_bio                        760     EXIST::FUNCTION:BIO
 d2i_X509_CRL_fp                         761     EXIST::FUNCTION:FP_API
 d2i_X509_EXTENSION                      762     EXIST::FUNCTION:
 d2i_X509_NAME                           763     EXIST::FUNCTION:
@@ -759,54 +759,54 @@ d2i_X509_PKEY                           765	EXIST::FUNCTION:
 d2i_X509_PUBKEY                         766     EXIST::FUNCTION:
 d2i_X509_REQ                            767     EXIST::FUNCTION:
 d2i_X509_REQ_INFO                       768     EXIST::FUNCTION:
-d2i_X509_REQ_bio                        769     EXIST::FUNCTION:
+d2i_X509_REQ_bio                        769     EXIST::FUNCTION:BIO
 d2i_X509_REQ_fp                         770     EXIST::FUNCTION:FP_API
 d2i_X509_REVOKED                        771     EXIST::FUNCTION:
 d2i_X509_SIG                            772     EXIST::FUNCTION:
 d2i_X509_VAL                            773     EXIST::FUNCTION:
-d2i_X509_bio                            774     EXIST::FUNCTION:
+d2i_X509_bio                            774     EXIST::FUNCTION:BIO
 d2i_X509_fp                             775     EXIST::FUNCTION:FP_API
-des_cbc_cksum                           777     EXIST::FUNCTION:DES
-des_cbc_encrypt                         778     EXIST::FUNCTION:DES
-des_cblock_print_file                   779     NOEXIST::FUNCTION:
-des_cfb64_encrypt                       780     EXIST::FUNCTION:DES
-des_cfb_encrypt                         781     EXIST::FUNCTION:DES
-des_decrypt3                            782     EXIST::FUNCTION:DES
-des_ecb3_encrypt                        783     EXIST::FUNCTION:DES
-des_ecb_encrypt                         784     EXIST::FUNCTION:DES
-des_ede3_cbc_encrypt                    785     EXIST::FUNCTION:DES
-des_ede3_cfb64_encrypt                  786     EXIST::FUNCTION:DES
-des_ede3_ofb64_encrypt                  787     EXIST::FUNCTION:DES
-des_enc_read                            788     EXIST::FUNCTION:DES
-des_enc_write                           789     EXIST::FUNCTION:DES
-des_encrypt1                            790     EXIST::FUNCTION:DES
-des_encrypt2                            791     EXIST::FUNCTION:DES
-des_encrypt3                            792     EXIST::FUNCTION:DES
-des_fcrypt                              793     EXIST::FUNCTION:DES
-des_is_weak_key                         794     EXIST::FUNCTION:DES
-des_key_sched                           795     EXIST::FUNCTION:DES
-des_ncbc_encrypt                        796     EXIST::FUNCTION:DES
-des_ofb64_encrypt                       797     EXIST::FUNCTION:DES
-des_ofb_encrypt                         798     EXIST::FUNCTION:DES
-des_options                             799     EXIST::FUNCTION:DES
-des_pcbc_encrypt                        800     EXIST::FUNCTION:DES
-des_quad_cksum                          801     EXIST::FUNCTION:DES
-des_random_key                          802     EXIST::FUNCTION:DES
-des_random_seed                         803     EXIST::FUNCTION:DES
-des_read_2passwords                     804     EXIST::FUNCTION:DES
-des_read_password                       805     EXIST::FUNCTION:DES
-des_read_pw                             806     EXIST::FUNCTION:DES
-des_read_pw_string                      807     EXIST::FUNCTION:DES
-des_set_key                             808     EXIST::FUNCTION:DES
-des_set_odd_parity                      809     EXIST::FUNCTION:DES
-des_string_to_2keys                     810     EXIST::FUNCTION:DES
-des_string_to_key                       811     EXIST::FUNCTION:DES
-des_xcbc_encrypt                        812     EXIST::FUNCTION:DES
-des_xwhite_in2out                       813     EXIST::FUNCTION:DES
+DES_cbc_cksum                           777     EXIST::FUNCTION:DES
+DES_cbc_encrypt                         778     EXIST::FUNCTION:DES
+DES_cblock_print_file                   779     NOEXIST::FUNCTION:
+DES_cfb64_encrypt                       780     EXIST::FUNCTION:DES
+DES_cfb_encrypt                         781     EXIST::FUNCTION:DES
+DES_decrypt3                            782     EXIST::FUNCTION:DES
+DES_ecb3_encrypt                        783     EXIST::FUNCTION:DES
+DES_ecb_encrypt                         784     EXIST::FUNCTION:DES
+DES_ede3_cbc_encrypt                    785     EXIST::FUNCTION:DES
+DES_ede3_cfb64_encrypt                  786     EXIST::FUNCTION:DES
+DES_ede3_ofb64_encrypt                  787     EXIST::FUNCTION:DES
+DES_enc_read                            788     EXIST::FUNCTION:DES
+DES_enc_write                           789     EXIST::FUNCTION:DES
+DES_encrypt1                            790     EXIST::FUNCTION:DES
+DES_encrypt2                            791     EXIST::FUNCTION:DES
+DES_encrypt3                            792     EXIST::FUNCTION:DES
+DES_fcrypt                              793     EXIST::FUNCTION:DES
+DES_is_weak_key                         794     EXIST::FUNCTION:DES
+DES_key_sched                           795     EXIST::FUNCTION:DES
+DES_ncbc_encrypt                        796     EXIST::FUNCTION:DES
+DES_ofb64_encrypt                       797     EXIST::FUNCTION:DES
+DES_ofb_encrypt                         798     EXIST::FUNCTION:DES
+DES_options                             799     EXIST::FUNCTION:DES
+DES_pcbc_encrypt                        800     EXIST::FUNCTION:DES
+DES_quad_cksum                          801     EXIST::FUNCTION:DES
+DES_random_key                          802     EXIST::FUNCTION:DES
+_ossl_old_des_random_seed               803     EXIST::FUNCTION:DES
+_ossl_old_des_read_2passwords           804     EXIST::FUNCTION:DES
+_ossl_old_des_read_password             805     EXIST::FUNCTION:DES
+_ossl_old_des_read_pw                   806     EXIST::FUNCTION:
+_ossl_old_des_read_pw_string            807     EXIST::FUNCTION:
+DES_set_key                             808     EXIST::FUNCTION:DES
+DES_set_odd_parity                      809     EXIST::FUNCTION:DES
+DES_string_to_2keys                     810     EXIST::FUNCTION:DES
+DES_string_to_key                       811     EXIST::FUNCTION:DES
+DES_xcbc_encrypt                        812     EXIST::FUNCTION:DES
+DES_xwhite_in2out                       813     EXIST::FUNCTION:DES
 fcrypt_body                             814     NOEXIST::FUNCTION:
-i2a_ASN1_INTEGER                        815     EXIST::FUNCTION:
-i2a_ASN1_OBJECT                         816     EXIST::FUNCTION:
-i2a_ASN1_STRING                         817     EXIST::FUNCTION:
+i2a_ASN1_INTEGER                        815     EXIST::FUNCTION:BIO
+i2a_ASN1_OBJECT                         816     EXIST::FUNCTION:BIO
+i2a_ASN1_STRING                         817     EXIST::FUNCTION:BIO
 i2d_ASN1_BIT_STRING                     818     EXIST::FUNCTION:
 i2d_ASN1_BOOLEAN                        819     EXIST::FUNCTION:
 i2d_ASN1_HEADER                         820     EXIST::FUNCTION:
@@ -821,7 +821,7 @@ i2d_ASN1_UTCTIME                        828	EXIST::FUNCTION:
 i2d_ASN1_bytes                          829     EXIST::FUNCTION:
 i2d_DHparams                            830     EXIST::FUNCTION:DH
 i2d_DSAPrivateKey                       831     EXIST::FUNCTION:DSA
-i2d_DSAPrivateKey_bio                   832     EXIST::FUNCTION:DSA
+i2d_DSAPrivateKey_bio                   832     EXIST::FUNCTION:BIO,DSA
 i2d_DSAPrivateKey_fp                    833     EXIST::FUNCTION:DSA,FP_API
 i2d_DSAPublicKey                        834     EXIST::FUNCTION:DSA
 i2d_DSAparams                           835     EXIST::FUNCTION:DSA
@@ -843,8 +843,8 @@ i2d_PKCS7_fp                            850	EXIST::FUNCTION:FP_API
 i2d_PrivateKey                          851     EXIST::FUNCTION:
 i2d_PublicKey                           852     EXIST::FUNCTION:
 i2d_RSAPrivateKey                       853     EXIST::FUNCTION:RSA
-i2d_RSAPrivateKey_bio                   854     EXIST::FUNCTION:RSA
-i2d_RSAPrivateKey_fp                    855     EXIST::FUNCTION:RSA,FP_API
+i2d_RSAPrivateKey_bio                   854     EXIST::FUNCTION:BIO,RSA
+i2d_RSAPrivateKey_fp                    855     EXIST::FUNCTION:FP_API,RSA
 i2d_RSAPublicKey                        856     EXIST::FUNCTION:RSA
 i2d_X509                                857     EXIST::FUNCTION:
 i2d_X509_ALGOR                          858     EXIST::FUNCTION:
@@ -852,7 +852,7 @@ i2d_X509_ATTRIBUTE                      859	EXIST::FUNCTION:
 i2d_X509_CINF                           860     EXIST::FUNCTION:
 i2d_X509_CRL                            861     EXIST::FUNCTION:
 i2d_X509_CRL_INFO                       862     EXIST::FUNCTION:
-i2d_X509_CRL_bio                        863     EXIST::FUNCTION:
+i2d_X509_CRL_bio                        863     EXIST::FUNCTION:BIO
 i2d_X509_CRL_fp                         864     EXIST::FUNCTION:FP_API
 i2d_X509_EXTENSION                      865     EXIST::FUNCTION:
 i2d_X509_NAME                           866     EXIST::FUNCTION:
@@ -861,12 +861,12 @@ i2d_X509_PKEY                           868	EXIST::FUNCTION:
 i2d_X509_PUBKEY                         869     EXIST::FUNCTION:
 i2d_X509_REQ                            870     EXIST::FUNCTION:
 i2d_X509_REQ_INFO                       871     EXIST::FUNCTION:
-i2d_X509_REQ_bio                        872     EXIST::FUNCTION:
+i2d_X509_REQ_bio                        872     EXIST::FUNCTION:BIO
 i2d_X509_REQ_fp                         873     EXIST::FUNCTION:FP_API
 i2d_X509_REVOKED                        874     EXIST::FUNCTION:
 i2d_X509_SIG                            875     EXIST::FUNCTION:
 i2d_X509_VAL                            876     EXIST::FUNCTION:
-i2d_X509_bio                            877     EXIST::FUNCTION:
+i2d_X509_bio                            877     EXIST::FUNCTION:BIO
 i2d_X509_fp                             878     EXIST::FUNCTION:FP_API
 idea_cbc_encrypt                        879     EXIST::FUNCTION:IDEA
 idea_cfb64_encrypt                      880     EXIST::FUNCTION:IDEA
@@ -883,12 +883,12 @@ lh_free                                 890	EXIST::FUNCTION:
 lh_insert                               891     EXIST::FUNCTION:
 lh_new                                  892     EXIST::FUNCTION:
 lh_node_stats                           893     EXIST::FUNCTION:FP_API
-lh_node_stats_bio                       894     EXIST::FUNCTION:
+lh_node_stats_bio                       894     EXIST::FUNCTION:BIO
 lh_node_usage_stats                     895     EXIST::FUNCTION:FP_API
-lh_node_usage_stats_bio                 896     EXIST::FUNCTION:
+lh_node_usage_stats_bio                 896     EXIST::FUNCTION:BIO
 lh_retrieve                             897     EXIST::FUNCTION:
 lh_stats                                898     EXIST::FUNCTION:FP_API
-lh_stats_bio                            899     EXIST::FUNCTION:
+lh_stats_bio                            899     EXIST::FUNCTION:BIO
 lh_strhash                              900     EXIST::FUNCTION:
 sk_delete                               901     EXIST::FUNCTION:
 sk_delete_ptr                           902     EXIST::FUNCTION:
@@ -907,7 +907,7 @@ sk_zero                                 914	EXIST::FUNCTION:
 BIO_f_nbio_test                         915     EXIST::FUNCTION:
 ASN1_TYPE_get                           916     EXIST::FUNCTION:
 ASN1_TYPE_set                           917     EXIST::FUNCTION:
-PKCS7_content_free                      918     EXIST::FUNCTION:
+PKCS7_content_free                      918     NOEXIST::FUNCTION:
 ERR_load_PKCS7_strings                  919     EXIST::FUNCTION:
 X509_find_by_issuer_and_serial          920     EXIST::FUNCTION:
 X509_find_by_subject                    921     EXIST::FUNCTION:
@@ -929,16 +929,16 @@ EVP_delete_alias                        941	NOEXIST::FUNCTION:
 EVP_mdc2                                942     EXIST::FUNCTION:MDC2
 PEM_read_bio_RSAPublicKey               943     EXIST::FUNCTION:RSA
 PEM_write_bio_RSAPublicKey              944     EXIST::FUNCTION:RSA
-d2i_RSAPublicKey_bio                    945     EXIST::FUNCTION:RSA
-i2d_RSAPublicKey_bio                    946     EXIST::FUNCTION:RSA
+d2i_RSAPublicKey_bio                    945     EXIST::FUNCTION:BIO,RSA
+i2d_RSAPublicKey_bio                    946     EXIST::FUNCTION:BIO,RSA
 PEM_read_RSAPublicKey                   947     EXIST:!WIN16:FUNCTION:RSA
 PEM_write_RSAPublicKey                  949     EXIST:!WIN16:FUNCTION:RSA
-d2i_RSAPublicKey_fp                     952     EXIST::FUNCTION:RSA,FP_API
-i2d_RSAPublicKey_fp                     954     EXIST::FUNCTION:RSA,FP_API
+d2i_RSAPublicKey_fp                     952     EXIST::FUNCTION:FP_API,RSA
+i2d_RSAPublicKey_fp                     954     EXIST::FUNCTION:FP_API,RSA
 BIO_copy_next_retry                     955     EXIST::FUNCTION:
 RSA_flags                               956     EXIST::FUNCTION:RSA
 X509_STORE_add_crl                      957     EXIST::FUNCTION:
-X509_load_crl_file                      958     EXIST::FUNCTION:
+X509_load_crl_file                      958     EXIST::FUNCTION:STDIO
 EVP_rc2_40_cbc                          959     EXIST::FUNCTION:RC2
 EVP_rc4_40                              960     EXIST::FUNCTION:RC4
 EVP_CIPHER_CTX_init                     961     EXIST::FUNCTION:
@@ -948,7 +948,7 @@ HMAC_Update                             964	EXIST::FUNCTION:HMAC
 HMAC_Final                              965     EXIST::FUNCTION:HMAC
 ERR_get_next_error_library              966     EXIST::FUNCTION:
 EVP_PKEY_cmp_parameters                 967     EXIST::FUNCTION:
-HMAC_cleanup                            968     EXIST::FUNCTION:HMAC
+HMAC_cleanup                            968     NOEXIST::FUNCTION:
 BIO_ptr_ctrl                            969     EXIST::FUNCTION:
 BIO_new_file_internal                   970     EXIST:WIN16:FUNCTION:FP_API
 BIO_new_fp_internal                     971     EXIST:WIN16:FUNCTION:FP_API
@@ -984,12 +984,12 @@ BIO_ghbn_ctrl                           1003	EXIST::FUNCTION:
 CRYPTO_free_ex_data                     1004    EXIST::FUNCTION:
 CRYPTO_get_ex_data                      1005    EXIST::FUNCTION:
 CRYPTO_set_ex_data                      1007    EXIST::FUNCTION:
-ERR_load_CRYPTO_strings                 1009    EXIST:!WIN16,!VMS:FUNCTION:
-ERR_load_CRYPTOlib_strings              1009    EXIST:WIN16,VMS:FUNCTION:
+ERR_load_CRYPTO_strings                 1009    EXIST:!VMS,!WIN16:FUNCTION:
+ERR_load_CRYPTOlib_strings              1009    EXIST:VMS,WIN16:FUNCTION:
 EVP_PKEY_bits                           1010    EXIST::FUNCTION:
 MD5_Transform                           1011    EXIST::FUNCTION:MD5
-SHA1_Transform                          1012    EXIST::FUNCTION:SHA
-SHA_Transform                           1013    EXIST::FUNCTION:SHA
+SHA1_Transform                          1012    EXIST::FUNCTION:SHA,SHA1
+SHA_Transform                           1013    EXIST::FUNCTION:SHA,SHA0
 X509_STORE_CTX_get_chain                1014    EXIST::FUNCTION:
 X509_STORE_CTX_get_current_cert         1015    EXIST::FUNCTION:
 X509_STORE_CTX_get_error                1016    EXIST::FUNCTION:
@@ -1014,7 +1014,7 @@ RSA_padding_check_PKCS1_type_2          1036	EXIST::FUNCTION:RSA
 RSA_padding_check_SSLv23                1037    EXIST::FUNCTION:RSA
 RSA_padding_check_none                  1038    EXIST::FUNCTION:RSA
 bn_add_words                            1039    EXIST::FUNCTION:
-d2i_Netscape_RSA_2                      1040    EXIST::FUNCTION:RSA
+d2i_Netscape_RSA_2                      1040    NOEXIST::FUNCTION:
 CRYPTO_get_ex_new_index                 1041    EXIST::FUNCTION:
 RIPEMD160_Init                          1042    EXIST::FUNCTION:RIPEMD
 RIPEMD160_Update                        1043    EXIST::FUNCTION:RIPEMD
@@ -1050,7 +1050,7 @@ ASN1_TYPE_get_octetstring               1077	EXIST::FUNCTION:
 ASN1_TYPE_set_int_octetstring           1078    EXIST::FUNCTION:
 ASN1_TYPE_set_octetstring               1079    EXIST::FUNCTION:
 ASN1_UTCTIME_set_string                 1080    EXIST::FUNCTION:
-ERR_add_error_data                      1081    EXIST::FUNCTION:
+ERR_add_error_data                      1081    EXIST::FUNCTION:BIO
 ERR_set_error_data                      1082    EXIST::FUNCTION:
 EVP_CIPHER_asn1_to_param                1083    EXIST::FUNCTION:
 EVP_CIPHER_param_to_asn1                1084    EXIST::FUNCTION:
@@ -1127,20 +1127,24 @@ PKCS7_set_signed_attributes             1154	EXIST::FUNCTION:
 X509_ATTRIBUTE_create                   1155    EXIST::FUNCTION:
 X509_ATTRIBUTE_dup                      1156    EXIST::FUNCTION:
 ASN1_GENERALIZEDTIME_check              1157    EXIST::FUNCTION:
-ASN1_GENERALIZEDTIME_print              1158    EXIST::FUNCTION:
+ASN1_GENERALIZEDTIME_print              1158    EXIST::FUNCTION:BIO
 ASN1_GENERALIZEDTIME_set                1159    EXIST::FUNCTION:
 ASN1_GENERALIZEDTIME_set_string         1160    EXIST::FUNCTION:
-ASN1_TIME_print                         1161    EXIST::FUNCTION:
+ASN1_TIME_print                         1161    EXIST::FUNCTION:BIO
 BASIC_CONSTRAINTS_free                  1162    EXIST::FUNCTION:
 BASIC_CONSTRAINTS_new                   1163    EXIST::FUNCTION:
 ERR_load_X509V3_strings                 1164    EXIST::FUNCTION:
 NETSCAPE_CERT_SEQUENCE_free             1165    EXIST::FUNCTION:
 NETSCAPE_CERT_SEQUENCE_new              1166    EXIST::FUNCTION:
 OBJ_txt2obj                             1167    EXIST::FUNCTION:
-PEM_read_NETSCAPE_CERT_SEQUENCE         1168    EXIST:!WIN16:FUNCTION:
-PEM_read_bio_NETSCAPE_CERT_SEQUENCE     1169    EXIST::FUNCTION:
-PEM_write_NETSCAPE_CERT_SEQUENCE        1170    EXIST:!WIN16:FUNCTION:
-PEM_write_bio_NETSCAPE_CERT_SEQUENCE    1171    EXIST::FUNCTION:
+PEM_read_NETSCAPE_CERT_SEQUENCE         1168    EXIST:!VMS,!WIN16:FUNCTION:
+PEM_read_NS_CERT_SEQ                    1168    EXIST:VMS:FUNCTION:
+PEM_read_bio_NETSCAPE_CERT_SEQUENCE     1169    EXIST:!VMS:FUNCTION:
+PEM_read_bio_NS_CERT_SEQ                1169    EXIST:VMS:FUNCTION:
+PEM_write_NETSCAPE_CERT_SEQUENCE        1170    EXIST:!VMS,!WIN16:FUNCTION:
+PEM_write_NS_CERT_SEQ                   1170    EXIST:VMS:FUNCTION:
+PEM_write_bio_NETSCAPE_CERT_SEQUENCE    1171    EXIST:!VMS:FUNCTION:
+PEM_write_bio_NS_CERT_SEQ               1171    EXIST:VMS:FUNCTION:
 X509V3_EXT_add                          1172    EXIST::FUNCTION:
 X509V3_EXT_add_alias                    1173    EXIST::FUNCTION:
 X509V3_EXT_add_conf                     1174    EXIST::FUNCTION:
@@ -1163,14 +1167,14 @@ d2i_ASN1_GENERALIZEDTIME                1190	EXIST::FUNCTION:
 d2i_ASN1_TIME                           1191    EXIST::FUNCTION:
 d2i_BASIC_CONSTRAINTS                   1192    EXIST::FUNCTION:
 d2i_NETSCAPE_CERT_SEQUENCE              1193    EXIST::FUNCTION:
-d2i_ext_ku                              1194    EXIST::FUNCTION:
-ext_ku_free                             1195    EXIST::FUNCTION:
-ext_ku_new                              1196    EXIST::FUNCTION:
+d2i_ext_ku                              1194    NOEXIST::FUNCTION:
+ext_ku_free                             1195    NOEXIST::FUNCTION:
+ext_ku_new                              1196    NOEXIST::FUNCTION:
 i2d_ASN1_GENERALIZEDTIME                1197    EXIST::FUNCTION:
 i2d_ASN1_TIME                           1198    EXIST::FUNCTION:
 i2d_BASIC_CONSTRAINTS                   1199    EXIST::FUNCTION:
 i2d_NETSCAPE_CERT_SEQUENCE              1200    EXIST::FUNCTION:
-i2d_ext_ku                              1201    EXIST::FUNCTION:
+i2d_ext_ku                              1201    NOEXIST::FUNCTION:
 EVP_MD_CTX_copy                         1202    EXIST::FUNCTION:
 i2d_ASN1_ENUMERATED                     1203    EXIST::FUNCTION:
 d2i_ASN1_ENUMERATED                     1204    EXIST::FUNCTION:
@@ -1178,8 +1182,8 @@ ASN1_ENUMERATED_set                     1205	EXIST::FUNCTION:
 ASN1_ENUMERATED_get                     1206    EXIST::FUNCTION:
 BN_to_ASN1_ENUMERATED                   1207    EXIST::FUNCTION:
 ASN1_ENUMERATED_to_BN                   1208    EXIST::FUNCTION:
-i2a_ASN1_ENUMERATED                     1209    EXIST::FUNCTION:
-a2i_ASN1_ENUMERATED                     1210    EXIST::FUNCTION:
+i2a_ASN1_ENUMERATED                     1209    EXIST::FUNCTION:BIO
+a2i_ASN1_ENUMERATED                     1210    EXIST::FUNCTION:BIO
 i2d_GENERAL_NAME                        1211    EXIST::FUNCTION:
 d2i_GENERAL_NAME                        1212    EXIST::FUNCTION:
 GENERAL_NAME_new                        1213    EXIST::FUNCTION:
@@ -1194,11 +1198,11 @@ s2i_ASN1_OCTET_STRING                   1221	EXIST::FUNCTION:
 X509V3_EXT_check_conf                   1222    NOEXIST::FUNCTION:
 hex_to_string                           1223    EXIST::FUNCTION:
 string_to_hex                           1224    EXIST::FUNCTION:
-des_ede3_cbcm_encrypt                   1225    EXIST::FUNCTION:DES
+DES_ede3_cbcm_encrypt                   1225    EXIST::FUNCTION:DES
 RSA_padding_add_PKCS1_OAEP              1226    EXIST::FUNCTION:RSA
 RSA_padding_check_PKCS1_OAEP            1227    EXIST::FUNCTION:RSA
 X509_CRL_print_fp                       1228    EXIST::FUNCTION:FP_API
-X509_CRL_print                          1229    EXIST::FUNCTION:
+X509_CRL_print                          1229    EXIST::FUNCTION:BIO
 i2v_GENERAL_NAME                        1230    EXIST::FUNCTION:
 v2i_GENERAL_NAME                        1231    EXIST::FUNCTION:
 i2d_PKEY_USAGE_PERIOD                   1232    EXIST::FUNCTION:
@@ -1212,8 +1216,8 @@ name_cmp                                1239	EXIST::FUNCTION:
 str_dup                                 1240    NOEXIST::FUNCTION:
 i2s_ASN1_ENUMERATED                     1241    EXIST::FUNCTION:
 i2s_ASN1_ENUMERATED_TABLE               1242    EXIST::FUNCTION:
-BIO_s_log                               1243    EXIST:!WIN32,!WIN16,!macintosh:FUNCTION:
-BIO_f_reliable                          1244    EXIST::FUNCTION:
+BIO_s_log                               1243    EXIST:!WIN16,!WIN32,!macintosh:FUNCTION:
+BIO_f_reliable                          1244    EXIST::FUNCTION:BIO
 PKCS7_dataFinal                         1245    EXIST::FUNCTION:
 PKCS7_dataDecode                        1246    EXIST::FUNCTION:
 X509V3_EXT_CRL_add_conf                 1247    EXIST::FUNCTION:
@@ -1231,7 +1235,7 @@ ASN1_seq_unpack                         1258	EXIST::FUNCTION:
 ASN1_seq_pack                           1259    EXIST::FUNCTION:
 ASN1_unpack_string                      1260    EXIST::FUNCTION:
 ASN1_pack_string                        1261    EXIST::FUNCTION:
-PKCS12_pack_safebag                     1262    EXIST::FUNCTION:
+PKCS12_pack_safebag                     1262    NOEXIST::FUNCTION:
 PKCS12_MAKE_KEYBAG                      1263    EXIST::FUNCTION:
 PKCS8_encrypt                           1264    EXIST::FUNCTION:
 PKCS12_MAKE_SHKEYBAG                    1265    EXIST::FUNCTION:
@@ -1242,8 +1246,8 @@ PKCS12_add_friendlyname_asc             1269	EXIST::FUNCTION:
 PKCS12_add_friendlyname_uni             1270    EXIST::FUNCTION:
 PKCS12_get_friendlyname                 1271    EXIST::FUNCTION:
 PKCS12_pbe_crypt                        1272    EXIST::FUNCTION:
-PKCS12_decrypt_d2i                      1273    EXIST::FUNCTION:
-PKCS12_i2d_encrypt                      1274    EXIST::FUNCTION:
+PKCS12_decrypt_d2i                      1273    NOEXIST::FUNCTION:
+PKCS12_i2d_encrypt                      1274    NOEXIST::FUNCTION:
 PKCS12_init                             1275    EXIST::FUNCTION:
 PKCS12_key_gen_asc                      1276    EXIST::FUNCTION:
 PKCS12_key_gen_uni                      1277    EXIST::FUNCTION:
@@ -1423,21 +1427,25 @@ d2i_ASN1_SET_OF_PKCS7_RECIP_INFO        1753	NOEXIST::FUNCTION:
 PKCS5_PBE_add                           1775    EXIST::FUNCTION:
 PEM_write_bio_PKCS8                     1776    EXIST::FUNCTION:
 i2d_PKCS8_fp                            1777    EXIST::FUNCTION:FP_API
-PEM_read_bio_PKCS8_PRIV_KEY_INFO        1778    EXIST::FUNCTION:
-d2i_PKCS8_bio                           1779    EXIST::FUNCTION:
+PEM_read_bio_PKCS8_PRIV_KEY_INFO        1778    EXIST:!VMS:FUNCTION:
+PEM_read_bio_P8_PRIV_KEY_INFO           1778    EXIST:VMS:FUNCTION:
+d2i_PKCS8_bio                           1779    EXIST::FUNCTION:BIO
 d2i_PKCS8_PRIV_KEY_INFO_fp              1780    EXIST::FUNCTION:FP_API
-PEM_write_bio_PKCS8_PRIV_KEY_INFO       1781    EXIST::FUNCTION:
+PEM_write_bio_PKCS8_PRIV_KEY_INFO       1781    EXIST:!VMS:FUNCTION:
+PEM_write_bio_P8_PRIV_KEY_INFO          1781    EXIST:VMS:FUNCTION:
 PEM_read_PKCS8                          1782    EXIST:!WIN16:FUNCTION:
-d2i_PKCS8_PRIV_KEY_INFO_bio             1783    EXIST::FUNCTION:
+d2i_PKCS8_PRIV_KEY_INFO_bio             1783    EXIST::FUNCTION:BIO
 d2i_PKCS8_fp                            1784    EXIST::FUNCTION:FP_API
 PEM_write_PKCS8                         1785    EXIST:!WIN16:FUNCTION:
-PEM_read_PKCS8_PRIV_KEY_INFO            1786    EXIST:!WIN16:FUNCTION:
+PEM_read_PKCS8_PRIV_KEY_INFO            1786    EXIST:!VMS,!WIN16:FUNCTION:
+PEM_read_P8_PRIV_KEY_INFO               1786    EXIST:VMS:FUNCTION:
 PEM_read_bio_PKCS8                      1787    EXIST::FUNCTION:
-PEM_write_PKCS8_PRIV_KEY_INFO           1788    EXIST:!WIN16:FUNCTION:
+PEM_write_PKCS8_PRIV_KEY_INFO           1788    EXIST:!VMS,!WIN16:FUNCTION:
+PEM_write_P8_PRIV_KEY_INFO              1788    EXIST:VMS:FUNCTION:
 PKCS5_PBE_keyivgen                      1789    EXIST::FUNCTION:
-i2d_PKCS8_bio                           1790    EXIST::FUNCTION:
+i2d_PKCS8_bio                           1790    EXIST::FUNCTION:BIO
 i2d_PKCS8_PRIV_KEY_INFO_fp              1791    EXIST::FUNCTION:FP_API
-i2d_PKCS8_PRIV_KEY_INFO_bio             1792    EXIST::FUNCTION:
+i2d_PKCS8_PRIV_KEY_INFO_bio             1792    EXIST::FUNCTION:BIO
 BIO_s_bio                               1793    EXIST::FUNCTION:
 PKCS5_pbe2_set                          1794    EXIST::FUNCTION:
 PKCS5_PBKDF2_HMAC_SHA1                  1795    EXIST::FUNCTION:
@@ -1460,7 +1468,7 @@ RSA_get_method                          1847	EXIST::FUNCTION:RSA
 RSA_get_default_method                  1848    EXIST::FUNCTION:RSA
 RSA_check_key                           1869    EXIST::FUNCTION:RSA
 OBJ_obj2txt                             1870    EXIST::FUNCTION:
-DSA_dup_DH                              1871    EXIST::FUNCTION:DSA,DH
+DSA_dup_DH                              1871    EXIST::FUNCTION:DH,DSA
 X509_REQ_get_extensions                 1872    EXIST::FUNCTION:
 X509_REQ_set_extension_nids             1873    EXIST::FUNCTION:
 BIO_nwrite                              1874    EXIST::FUNCTION:
@@ -1486,11 +1494,11 @@ DSA_set_ex_data                         1893	EXIST::FUNCTION:DSA
 DH_set_default_method                   1894    EXIST::FUNCTION:DH
 DSA_get_ex_data                         1895    EXIST::FUNCTION:DSA
 X509V3_EXT_REQ_add_conf                 1896    EXIST::FUNCTION:
-NETSCAPE_SPKI_print                     1897    EXIST::FUNCTION:
-NETSCAPE_SPKI_set_pubkey                1898    EXIST::FUNCTION:
-NETSCAPE_SPKI_b64_encode                1899    EXIST::FUNCTION:
-NETSCAPE_SPKI_get_pubkey                1900    EXIST::FUNCTION:
-NETSCAPE_SPKI_b64_decode                1901    EXIST::FUNCTION:
+NETSCAPE_SPKI_print                     1897    EXIST::FUNCTION:EVP
+NETSCAPE_SPKI_set_pubkey                1898    EXIST::FUNCTION:EVP
+NETSCAPE_SPKI_b64_encode                1899    EXIST::FUNCTION:EVP
+NETSCAPE_SPKI_get_pubkey                1900    EXIST::FUNCTION:EVP
+NETSCAPE_SPKI_b64_decode                1901    EXIST::FUNCTION:EVP
 UTF8_putc                               1902    EXIST::FUNCTION:
 UTF8_getc                               1903    EXIST::FUNCTION:
 RSA_null_method                         1904    EXIST::FUNCTION:RSA
@@ -1535,22 +1543,22 @@ ASN1_STRING_set_default_mask_asc        1960	EXIST:!VMS:FUNCTION:
 ASN1_STRING_set_def_mask_asc            1960    EXIST:VMS:FUNCTION:
 PEM_write_bio_RSA_PUBKEY                1961    EXIST::FUNCTION:RSA
 ASN1_INTEGER_cmp                        1963    EXIST::FUNCTION:
-d2i_RSA_PUBKEY_fp                       1964    EXIST::FUNCTION:RSA,FP_API
+d2i_RSA_PUBKEY_fp                       1964    EXIST::FUNCTION:FP_API,RSA
 X509_trust_set_bit_asc                  1967    NOEXIST::FUNCTION:
-PEM_write_bio_DSA_PUBKEY                1968    EXIST::FUNCTION:
+PEM_write_bio_DSA_PUBKEY                1968    EXIST::FUNCTION:DSA
 X509_STORE_CTX_free                     1969    EXIST::FUNCTION:
 EVP_PKEY_set1_DSA                       1970    EXIST::FUNCTION:DSA
 i2d_DSA_PUBKEY_fp                       1971    EXIST::FUNCTION:DSA,FP_API
-X509_load_cert_crl_file                 1972    EXIST::FUNCTION:
+X509_load_cert_crl_file                 1972    EXIST::FUNCTION:STDIO
 ASN1_TIME_new                           1973    EXIST::FUNCTION:
 i2d_RSA_PUBKEY                          1974    EXIST::FUNCTION:RSA
 X509_STORE_CTX_purpose_inherit          1976    EXIST::FUNCTION:
 PEM_read_RSA_PUBKEY                     1977    EXIST:!WIN16:FUNCTION:RSA
 d2i_X509_AUX                            1980    EXIST::FUNCTION:
 i2d_DSA_PUBKEY                          1981    EXIST::FUNCTION:DSA
-X509_CERT_AUX_print                     1982    EXIST::FUNCTION:
-PEM_read_DSA_PUBKEY                     1984    EXIST:!WIN16:FUNCTION:
-i2d_RSA_PUBKEY_bio                      1985    EXIST::FUNCTION:RSA
+X509_CERT_AUX_print                     1982    EXIST::FUNCTION:BIO
+PEM_read_DSA_PUBKEY                     1984    EXIST:!WIN16:FUNCTION:DSA
+i2d_RSA_PUBKEY_bio                      1985    EXIST::FUNCTION:BIO,RSA
 ASN1_BIT_STRING_num_asc                 1986    EXIST::FUNCTION:
 i2d_PUBKEY                              1987    EXIST::FUNCTION:
 ASN1_UTCTIME_free                       1988    EXIST::FUNCTION:
@@ -1568,7 +1576,7 @@ X509_NAME_add_entry_by_OBJ              2008	EXIST::FUNCTION:
 X509_CRL_get_ext_d2i                    2009    EXIST::FUNCTION:
 X509_PURPOSE_get0_name                  2011    EXIST::FUNCTION:
 PEM_read_PUBKEY                         2012    EXIST:!WIN16:FUNCTION:
-i2d_DSA_PUBKEY_bio                      2014    EXIST::FUNCTION:DSA
+i2d_DSA_PUBKEY_bio                      2014    EXIST::FUNCTION:BIO,DSA
 i2d_OTHERNAME                           2015    EXIST::FUNCTION:
 ASN1_OCTET_STRING_free                  2016    EXIST::FUNCTION:
 ASN1_BIT_STRING_set_asc                 2017    EXIST::FUNCTION:
@@ -1598,7 +1606,7 @@ ASN1_IA5STRING_new                      2049	EXIST::FUNCTION:
 d2i_DSA_PUBKEY                          2050    EXIST::FUNCTION:DSA
 X509_check_purpose                      2051    EXIST::FUNCTION:
 ASN1_ENUMERATED_new                     2052    EXIST::FUNCTION:
-d2i_RSA_PUBKEY_bio                      2053    EXIST::FUNCTION:RSA
+d2i_RSA_PUBKEY_bio                      2053    EXIST::FUNCTION:BIO,RSA
 d2i_PUBKEY                              2054    EXIST::FUNCTION:
 X509_TRUST_get_trust                    2055    EXIST::FUNCTION:
 X509_TRUST_get_flags                    2056    EXIST::FUNCTION:
@@ -1622,15 +1630,15 @@ ASN1_BIT_STRING_free                    2080	EXIST::FUNCTION:
 PEM_read_bio_RSA_PUBKEY                 2081    EXIST::FUNCTION:RSA
 X509_add1_reject_object                 2082    EXIST::FUNCTION:
 X509_check_trust                        2083    EXIST::FUNCTION:
-PEM_read_bio_DSA_PUBKEY                 2088    EXIST::FUNCTION:
+PEM_read_bio_DSA_PUBKEY                 2088    EXIST::FUNCTION:DSA
 X509_PURPOSE_add                        2090    EXIST::FUNCTION:
 ASN1_STRING_TABLE_get                   2091    EXIST::FUNCTION:
 ASN1_UTF8STRING_free                    2092    EXIST::FUNCTION:
-d2i_DSA_PUBKEY_bio                      2093    EXIST::FUNCTION:DSA
+d2i_DSA_PUBKEY_bio                      2093    EXIST::FUNCTION:BIO,DSA
 PEM_write_RSA_PUBKEY                    2095    EXIST:!WIN16:FUNCTION:RSA
 d2i_OTHERNAME                           2096    EXIST::FUNCTION:
 X509_reject_set_bit                     2098    NOEXIST::FUNCTION:
-PEM_write_DSA_PUBKEY                    2101    EXIST:!WIN16:FUNCTION:
+PEM_write_DSA_PUBKEY                    2101    EXIST:!WIN16:FUNCTION:DSA
 X509_PURPOSE_get0_sname                 2105    EXIST::FUNCTION:
 EVP_PKEY_set1_DH                        2107    EXIST::FUNCTION:DH
 ASN1_OCTET_STRING_dup                   2108    EXIST::FUNCTION:
@@ -1638,7 +1646,7 @@ ASN1_BIT_STRING_set                     2109	EXIST::FUNCTION:
 X509_TRUST_get_count                    2110    EXIST::FUNCTION:
 ASN1_INTEGER_free                       2111    EXIST::FUNCTION:
 OTHERNAME_free                          2112    EXIST::FUNCTION:
-i2d_RSA_PUBKEY_fp                       2113    EXIST::FUNCTION:RSA,FP_API
+i2d_RSA_PUBKEY_fp                       2113    EXIST::FUNCTION:FP_API,RSA
 ASN1_INTEGER_dup                        2114    EXIST::FUNCTION:
 d2i_X509_CERT_AUX                       2115    EXIST::FUNCTION:
 PEM_write_bio_PUBKEY                    2117    EXIST::FUNCTION:
@@ -1650,7 +1658,7 @@ EVP_PKEY_get1_DH                        2128	EXIST::FUNCTION:DH
 ASN1_OCTET_STRING_new                   2130    EXIST::FUNCTION:
 ASN1_INTEGER_new                        2131    EXIST::FUNCTION:
 i2d_X509_AUX                            2132    EXIST::FUNCTION:
-ASN1_BIT_STRING_name_print              2134    EXIST::FUNCTION:
+ASN1_BIT_STRING_name_print              2134    EXIST::FUNCTION:BIO
 X509_cmp                                2135    EXIST::FUNCTION:
 ASN1_STRING_length_set                  2136    EXIST::FUNCTION:
 DIRECTORYSTRING_new                     2137    EXIST::FUNCTION:
@@ -1658,10 +1666,10 @@ X509_add1_trust_object                  2140	EXIST::FUNCTION:
 PKCS12_newpass                          2141    EXIST::FUNCTION:
 SMIME_write_PKCS7                       2142    EXIST::FUNCTION:
 SMIME_read_PKCS7                        2143    EXIST::FUNCTION:
-des_set_key_checked                     2144    EXIST::FUNCTION:DES
+DES_set_key_checked                     2144    EXIST::FUNCTION:DES
 PKCS7_verify                            2145    EXIST::FUNCTION:
 PKCS7_encrypt                           2146    EXIST::FUNCTION:
-des_set_key_unchecked                   2147    EXIST::FUNCTION:DES
+DES_set_key_unchecked                   2147    EXIST::FUNCTION:DES
 SMIME_crlf_copy                         2148    EXIST::FUNCTION:
 i2d_ASN1_PRINTABLESTRING                2149    EXIST::FUNCTION:
 PKCS7_get0_signers                      2150    EXIST::FUNCTION:
@@ -1693,12 +1701,12 @@ i2d_PKCS8PrivateKey_nid_fp              2174	EXIST::FUNCTION:
 d2i_PKCS8PrivateKey_fp                  2175    EXIST::FUNCTION:
 i2d_PKCS8PrivateKey_nid_bio             2176    EXIST::FUNCTION:
 i2d_PKCS8PrivateKeyInfo_fp              2177    EXIST::FUNCTION:FP_API
-i2d_PKCS8PrivateKeyInfo_bio             2178    EXIST::FUNCTION:
+i2d_PKCS8PrivateKeyInfo_bio             2178    EXIST::FUNCTION:BIO
 PEM_cb                                  2179    NOEXIST::FUNCTION:
 i2d_PrivateKey_fp                       2180    EXIST::FUNCTION:FP_API
-d2i_PrivateKey_bio                      2181    EXIST::FUNCTION:
+d2i_PrivateKey_bio                      2181    EXIST::FUNCTION:BIO
 d2i_PrivateKey_fp                       2182    EXIST::FUNCTION:FP_API
-i2d_PrivateKey_bio                      2183    EXIST::FUNCTION:
+i2d_PrivateKey_bio                      2183    EXIST::FUNCTION:BIO
 X509_reject_clear                       2184    EXIST::FUNCTION:
 X509_TRUST_set_default                  2185    EXIST::FUNCTION:
 d2i_AutoPrivateKey                      2186    EXIST::FUNCTION:
@@ -1745,21 +1753,21 @@ ASN1_STRING_TABLE_add                   2245	EXIST::FUNCTION:
 CRYPTO_dbg_get_options                  2246    EXIST::FUNCTION:
 AUTHORITY_INFO_ACCESS_new               2247    EXIST::FUNCTION:
 CRYPTO_get_mem_debug_options            2248    EXIST::FUNCTION:
-des_crypt                               2249    EXIST::FUNCTION:DES
+DES_crypt                               2249    EXIST::FUNCTION:DES
 PEM_write_bio_X509_REQ_NEW              2250    EXIST::FUNCTION:
 PEM_write_X509_REQ_NEW                  2251    EXIST:!WIN16:FUNCTION:
 BIO_callback_ctrl                       2252    EXIST::FUNCTION:
 RAND_egd                                2253    EXIST::FUNCTION:
 RAND_status                             2254    EXIST::FUNCTION:
 bn_dump1                                2255    NOEXIST::FUNCTION:
-des_check_key_parity                    2256    EXIST::FUNCTION:DES
+DES_check_key_parity                    2256    EXIST::FUNCTION:DES
 lh_num_items                            2257    EXIST::FUNCTION:
-RAND_event                              2258    EXIST::FUNCTION:
+RAND_event                              2258    EXIST:WIN32:FUNCTION:
 DSO_new                                 2259    EXIST::FUNCTION:
 DSO_new_method                          2260    EXIST::FUNCTION:
 DSO_free                                2261    EXIST::FUNCTION:
 DSO_flags                               2262    EXIST::FUNCTION:
-DSO_up                                  2263    EXIST::FUNCTION:
+DSO_up                                  2263    NOEXIST::FUNCTION:
 DSO_set_default_method                  2264    EXIST::FUNCTION:
 DSO_get_default_method                  2265    EXIST::FUNCTION:
 DSO_get_method                          2266    EXIST::FUNCTION:
@@ -1777,7 +1785,7 @@ NCONF_load_fp                           2278	EXIST::FUNCTION:FP_API
 NCONF_new                               2279    EXIST::FUNCTION:
 NCONF_get_string                        2280    EXIST::FUNCTION:
 NCONF_free                              2281    EXIST::FUNCTION:
-NCONF_get_number                        2282    EXIST::FUNCTION:
+NCONF_get_number                        2282    NOEXIST::FUNCTION:
 CONF_dump_fp                            2283    EXIST::FUNCTION:
 NCONF_load_bio                          2284    EXIST::FUNCTION:
 NCONF_dump_fp                           2285    EXIST::FUNCTION:
@@ -1795,9 +1803,9 @@ i2d_ASN1_SET_OF_PKCS7                   2328	NOEXIST::FUNCTION:
 BIO_vfree                               2334    EXIST::FUNCTION:
 d2i_ASN1_SET_OF_ASN1_INTEGER            2339    NOEXIST::FUNCTION:
 d2i_ASN1_SET_OF_PKCS12_SAFEBAG          2341    NOEXIST::FUNCTION:
-ASN1_UTCTIME_get                        2350    EXIST::FUNCTION:
-X509_REQ_digest                         2362    EXIST::FUNCTION:
-X509_CRL_digest                         2391    EXIST::FUNCTION:
+ASN1_UTCTIME_get                        2350    NOEXIST::FUNCTION:
+X509_REQ_digest                         2362    EXIST::FUNCTION:EVP
+X509_CRL_digest                         2391    EXIST::FUNCTION:EVP
 d2i_ASN1_SET_OF_PKCS7                   2397    NOEXIST::FUNCTION:
 EVP_CIPHER_CTX_set_key_length           2399    EXIST::FUNCTION:
 EVP_CIPHER_CTX_ctrl                     2400    EXIST::FUNCTION:
@@ -1807,7 +1815,7 @@ X509_REQ_get1_email                     2403	EXIST::FUNCTION:
 X509_get1_email                         2404    EXIST::FUNCTION:
 X509_email_free                         2405    EXIST::FUNCTION:
 i2d_RSA_NET                             2406    EXIST::FUNCTION:RSA
-d2i_RSA_NET_2                           2407    EXIST::FUNCTION:RSA
+d2i_RSA_NET_2                           2407    NOEXIST::FUNCTION:
 d2i_RSA_NET                             2408    EXIST::FUNCTION:RSA
 DSO_bind_func                           2409    EXIST::FUNCTION:
 CRYPTO_get_new_dynlockid                2410    EXIST::FUNCTION:
@@ -1833,21 +1841,21 @@ RAND_poll                               2423	EXIST::FUNCTION:
 c2i_ASN1_INTEGER                        2424    EXIST::FUNCTION:
 i2c_ASN1_INTEGER                        2425    EXIST::FUNCTION:
 BIO_dump_indent                         2426    EXIST::FUNCTION:
-ASN1_parse_dump                         2427    EXIST::FUNCTION:
+ASN1_parse_dump                         2427    EXIST::FUNCTION:BIO
 c2i_ASN1_OBJECT                         2428    EXIST::FUNCTION:
 X509_NAME_print_ex_fp                   2429    EXIST::FUNCTION:FP_API
 ASN1_STRING_print_ex_fp                 2430    EXIST::FUNCTION:FP_API
-X509_NAME_print_ex                      2431    EXIST::FUNCTION:
-ASN1_STRING_print_ex                    2432    EXIST::FUNCTION:
+X509_NAME_print_ex                      2431    EXIST::FUNCTION:BIO
+ASN1_STRING_print_ex                    2432    EXIST::FUNCTION:BIO
 MD4                                     2433    EXIST::FUNCTION:MD4
 MD4_Transform                           2434    EXIST::FUNCTION:MD4
 MD4_Final                               2435    EXIST::FUNCTION:MD4
 MD4_Update                              2436    EXIST::FUNCTION:MD4
 MD4_Init                                2437    EXIST::FUNCTION:MD4
 EVP_md4                                 2438    EXIST::FUNCTION:MD4
-i2d_PUBKEY_bio                          2439    EXIST::FUNCTION:
+i2d_PUBKEY_bio                          2439    EXIST::FUNCTION:BIO
 i2d_PUBKEY_fp                           2440    EXIST::FUNCTION:FP_API
-d2i_PUBKEY_bio                          2441    EXIST::FUNCTION:
+d2i_PUBKEY_bio                          2441    EXIST::FUNCTION:BIO
 ASN1_STRING_to_UTF8                     2442    EXIST::FUNCTION:
 BIO_vprintf                             2443    EXIST::FUNCTION:
 BIO_vsnprintf                           2444    EXIST::FUNCTION:
@@ -1862,10 +1870,10 @@ X509_STORE_CTX_trusted_stack            2452	EXIST::FUNCTION:
 X509_time_adj                           2453    EXIST::FUNCTION:
 X509_check_issued                       2454    EXIST::FUNCTION:
 ASN1_UTCTIME_cmp_time_t                 2455    EXIST::FUNCTION:
-des_set_weak_key_flag                   2456    EXIST::VARIABLE:DES
-des_check_key                           2457    EXIST::VARIABLE:DES
-des_rw_mode                             2458    EXIST::VARIABLE:DES
-RSA_PKCS1_RSAref                        2459    EXIST:RSAREF:FUNCTION:RSA
+DES_set_weak_key_flag                   2456    NOEXIST::FUNCTION:
+DES_check_key                           2457    NOEXIST::FUNCTION:
+DES_rw_mode                             2458    NOEXIST::FUNCTION:
+RSA_PKCS1_RSAref                        2459    NOEXIST::FUNCTION:
 X509_keyid_set1                         2460    EXIST::FUNCTION:
 BIO_next                                2461    EXIST::FUNCTION:
 DSO_METHOD_vms                          2462    EXIST::FUNCTION:
@@ -1877,14 +1885,14 @@ ERR_load_ENGINE_strings                 2467	EXIST::FUNCTION:
 ENGINE_set_DSA                          2468    EXIST::FUNCTION:
 ENGINE_get_finish_function              2469    EXIST::FUNCTION:
 ENGINE_get_default_RSA                  2470    EXIST::FUNCTION:
-ENGINE_get_BN_mod_exp                   2471    EXIST::FUNCTION:
-DSA_get_default_openssl_method          2472    EXIST::FUNCTION:DSA
+ENGINE_get_BN_mod_exp                   2471    NOEXIST::FUNCTION:
+DSA_get_default_openssl_method          2472    NOEXIST::FUNCTION:
 ENGINE_set_DH                           2473    EXIST::FUNCTION:
-ENGINE_set_default_BN_mod_exp_crt       2474    EXIST:!VMS:FUNCTION:
-ENGINE_set_def_BN_mod_exp_crt           2474    EXIST:VMS:FUNCTION:
+ENGINE_set_def_BN_mod_exp_crt           2474    NOEXIST::FUNCTION:
+ENGINE_set_default_BN_mod_exp_crt       2474    NOEXIST::FUNCTION:
 ENGINE_init                             2475    EXIST::FUNCTION:
-DH_get_default_openssl_method           2476    EXIST::FUNCTION:DH
-RSA_set_default_openssl_method          2477    EXIST::FUNCTION:RSA
+DH_get_default_openssl_method           2476    NOEXIST::FUNCTION:
+RSA_set_default_openssl_method          2477    NOEXIST::FUNCTION:
 ENGINE_finish                           2478    EXIST::FUNCTION:
 ENGINE_load_public_key                  2479    EXIST::FUNCTION:
 ENGINE_get_DH                           2480    EXIST::FUNCTION:
@@ -1902,32 +1910,867 @@ ENGINE_get_RAND                         2491	EXIST::FUNCTION:
 ENGINE_get_first                        2492    EXIST::FUNCTION:
 ENGINE_by_id                            2493    EXIST::FUNCTION:
 ENGINE_set_finish_function              2494    EXIST::FUNCTION:
-ENGINE_get_default_BN_mod_exp_crt       2495    EXIST:!VMS:FUNCTION:
-ENGINE_get_def_BN_mod_exp_crt           2495    EXIST:VMS:FUNCTION:
-RSA_get_default_openssl_method          2496    EXIST::FUNCTION:RSA
+ENGINE_get_def_BN_mod_exp_crt           2495    NOEXIST::FUNCTION:
+ENGINE_get_default_BN_mod_exp_crt       2495    NOEXIST::FUNCTION:
+RSA_get_default_openssl_method          2496    NOEXIST::FUNCTION:
 ENGINE_set_RSA                          2497    EXIST::FUNCTION:
 ENGINE_load_private_key                 2498    EXIST::FUNCTION:
 ENGINE_set_default_RAND                 2499    EXIST::FUNCTION:
-ENGINE_set_BN_mod_exp                   2500    EXIST::FUNCTION:
+ENGINE_set_BN_mod_exp                   2500    NOEXIST::FUNCTION:
 ENGINE_remove                           2501    EXIST::FUNCTION:
 ENGINE_free                             2502    EXIST::FUNCTION:
-ENGINE_get_BN_mod_exp_crt               2503    EXIST::FUNCTION:
+ENGINE_get_BN_mod_exp_crt               2503    NOEXIST::FUNCTION:
 ENGINE_get_next                         2504    EXIST::FUNCTION:
 ENGINE_set_name                         2505    EXIST::FUNCTION:
 ENGINE_get_default_DSA                  2506    EXIST::FUNCTION:
-ENGINE_set_default_BN_mod_exp           2507    EXIST::FUNCTION:
+ENGINE_set_default_BN_mod_exp           2507    NOEXIST::FUNCTION:
 ENGINE_set_default_RSA                  2508    EXIST::FUNCTION:
 ENGINE_get_default_RAND                 2509    EXIST::FUNCTION:
-ENGINE_get_default_BN_mod_exp           2510    EXIST::FUNCTION:
+ENGINE_get_default_BN_mod_exp           2510    NOEXIST::FUNCTION:
 ENGINE_set_RAND                         2511    EXIST::FUNCTION:
 ENGINE_set_id                           2512    EXIST::FUNCTION:
-ENGINE_set_BN_mod_exp_crt               2513    EXIST::FUNCTION:
+ENGINE_set_BN_mod_exp_crt               2513    NOEXIST::FUNCTION:
 ENGINE_set_default_DH                   2514    EXIST::FUNCTION:
 ENGINE_new                              2515    EXIST::FUNCTION:
 ENGINE_get_id                           2516    EXIST::FUNCTION:
-DSA_set_default_openssl_method          2517    EXIST::FUNCTION:DSA
+DSA_set_default_openssl_method          2517    NOEXIST::FUNCTION:
 ENGINE_add                              2518    EXIST::FUNCTION:
-DH_set_default_openssl_method           2519    EXIST::FUNCTION:DH
+DH_set_default_openssl_method           2519    NOEXIST::FUNCTION:
 ENGINE_get_DSA                          2520    EXIST::FUNCTION:
 ENGINE_get_ctrl_function                2521    EXIST::FUNCTION:
 ENGINE_set_ctrl_function                2522    EXIST::FUNCTION:
+BN_pseudo_rand_range                    2523    EXIST::FUNCTION:
+X509_STORE_CTX_set_verify_cb            2524    EXIST::FUNCTION:
+ERR_load_COMP_strings                   2525    EXIST::FUNCTION:
+PKCS12_item_decrypt_d2i                 2526    EXIST::FUNCTION:
+ASN1_UTF8STRING_it                      2527    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+ASN1_UTF8STRING_it                      2527    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+ENGINE_unregister_ciphers               2528    EXIST::FUNCTION:
+ENGINE_get_ciphers                      2529    EXIST::FUNCTION:
+d2i_OCSP_BASICRESP                      2530    EXIST::FUNCTION:
+KRB5_CHECKSUM_it                        2531    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+KRB5_CHECKSUM_it                        2531    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+EC_POINT_add                            2532    EXIST::FUNCTION:EC
+ASN1_item_ex_i2d                        2533    EXIST::FUNCTION:
+OCSP_CERTID_it                          2534    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+OCSP_CERTID_it                          2534    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+d2i_OCSP_RESPBYTES                      2535    EXIST::FUNCTION:
+X509V3_add1_i2d                         2536    EXIST::FUNCTION:
+PKCS7_ENVELOPE_it                       2537    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+PKCS7_ENVELOPE_it                       2537    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+UI_add_input_boolean                    2538    EXIST::FUNCTION:
+ENGINE_unregister_RSA                   2539    EXIST::FUNCTION:
+X509V3_EXT_nconf                        2540    EXIST::FUNCTION:
+ASN1_GENERALSTRING_free                 2541    EXIST::FUNCTION:
+d2i_OCSP_CERTSTATUS                     2542    EXIST::FUNCTION:
+X509_REVOKED_set_serialNumber           2543    EXIST::FUNCTION:
+X509_print_ex                           2544    EXIST::FUNCTION:BIO
+OCSP_ONEREQ_get1_ext_d2i                2545    EXIST::FUNCTION:
+ENGINE_register_all_RAND                2546    EXIST::FUNCTION:
+ENGINE_load_dynamic                     2547    EXIST::FUNCTION:
+PBKDF2PARAM_it                          2548    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+PBKDF2PARAM_it                          2548    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+EXTENDED_KEY_USAGE_new                  2549    EXIST::FUNCTION:
+EC_GROUP_clear_free                     2550    EXIST::FUNCTION:EC
+OCSP_sendreq_bio                        2551    EXIST::FUNCTION:
+ASN1_item_digest                        2552    EXIST::FUNCTION:EVP
+OCSP_BASICRESP_delete_ext               2553    EXIST::FUNCTION:
+OCSP_SIGNATURE_it                       2554    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+OCSP_SIGNATURE_it                       2554    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+X509_CRL_it                             2555    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+X509_CRL_it                             2555    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+OCSP_BASICRESP_add_ext                  2556    EXIST::FUNCTION:
+KRB5_ENCKEY_it                          2557    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+KRB5_ENCKEY_it                          2557    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+UI_method_set_closer                    2558    EXIST::FUNCTION:
+X509_STORE_set_purpose                  2559    EXIST::FUNCTION:
+i2d_ASN1_GENERALSTRING                  2560    EXIST::FUNCTION:
+OCSP_response_status                    2561    EXIST::FUNCTION:
+i2d_OCSP_SERVICELOC                     2562    EXIST::FUNCTION:
+ENGINE_get_digest_engine                2563    EXIST::FUNCTION:
+EC_GROUP_set_curve_GFp                  2564    EXIST::FUNCTION:EC
+OCSP_REQUEST_get_ext_by_OBJ             2565    EXIST::FUNCTION:
+_ossl_old_des_random_key                2566    EXIST::FUNCTION:DES
+ASN1_T61STRING_it                       2567    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+ASN1_T61STRING_it                       2567    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+EC_GROUP_method_of                      2568    EXIST::FUNCTION:EC
+i2d_KRB5_APREQ                          2569    EXIST::FUNCTION:
+_ossl_old_des_encrypt                   2570    EXIST::FUNCTION:DES
+ASN1_PRINTABLE_new                      2571    EXIST::FUNCTION:
+HMAC_Init_ex                            2572    EXIST::FUNCTION:HMAC
+d2i_KRB5_AUTHENT                        2573    EXIST::FUNCTION:
+OCSP_archive_cutoff_new                 2574    EXIST::FUNCTION:
+EC_POINT_set_Jprojective_coordinates_GFp 2575   EXIST:!VMS:FUNCTION:EC
+EC_POINT_set_Jproj_coords_GFp           2575    EXIST:VMS:FUNCTION:EC
+_ossl_old_des_is_weak_key               2576    EXIST::FUNCTION:DES
+OCSP_BASICRESP_get_ext_by_OBJ           2577    EXIST::FUNCTION:
+EC_POINT_oct2point                      2578    EXIST::FUNCTION:EC
+OCSP_SINGLERESP_get_ext_count           2579    EXIST::FUNCTION:
+UI_ctrl                                 2580    EXIST::FUNCTION:
+_shadow_DES_rw_mode                     2581    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:DES
+_shadow_DES_rw_mode                     2581    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:DES
+asn1_do_adb                             2582    EXIST::FUNCTION:
+ASN1_template_i2d                       2583    EXIST::FUNCTION:
+ENGINE_register_DH                      2584    EXIST::FUNCTION:
+UI_construct_prompt                     2585    EXIST::FUNCTION:
+X509_STORE_set_trust                    2586    EXIST::FUNCTION:
+UI_dup_input_string                     2587    EXIST::FUNCTION:
+d2i_KRB5_APREQ                          2588    EXIST::FUNCTION:
+EVP_MD_CTX_copy_ex                      2589    EXIST::FUNCTION:
+OCSP_request_is_signed                  2590    EXIST::FUNCTION:
+i2d_OCSP_REQINFO                        2591    EXIST::FUNCTION:
+KRB5_ENCKEY_free                        2592    EXIST::FUNCTION:
+OCSP_resp_get0                          2593    EXIST::FUNCTION:
+GENERAL_NAME_it                         2594    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+GENERAL_NAME_it                         2594    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+ASN1_GENERALIZEDTIME_it                 2595    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+ASN1_GENERALIZEDTIME_it                 2595    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+X509_STORE_set_flags                    2596    EXIST::FUNCTION:
+EC_POINT_set_compressed_coordinates_GFp 2597    EXIST:!VMS:FUNCTION:EC
+EC_POINT_set_compr_coords_GFp           2597    EXIST:VMS:FUNCTION:EC
+OCSP_response_status_str                2598    EXIST::FUNCTION:
+d2i_OCSP_REVOKEDINFO                    2599    EXIST::FUNCTION:
+OCSP_basic_add1_cert                    2600    EXIST::FUNCTION:
+ERR_get_implementation                  2601    EXIST::FUNCTION:
+EVP_CipherFinal_ex                      2602    EXIST::FUNCTION:
+OCSP_CERTSTATUS_new                     2603    EXIST::FUNCTION:
+CRYPTO_cleanup_all_ex_data              2604    EXIST::FUNCTION:
+OCSP_resp_find                          2605    EXIST::FUNCTION:
+BN_nnmod                                2606    EXIST::FUNCTION:
+X509_CRL_sort                           2607    EXIST::FUNCTION:
+X509_REVOKED_set_revocationDate         2608    EXIST::FUNCTION:
+ENGINE_register_RAND                    2609    EXIST::FUNCTION:
+OCSP_SERVICELOC_new                     2610    EXIST::FUNCTION:
+EC_POINT_set_affine_coordinates_GFp     2611    EXIST:!VMS:FUNCTION:EC
+EC_POINT_set_affine_coords_GFp          2611    EXIST:VMS:FUNCTION:EC
+_ossl_old_des_options                   2612    EXIST::FUNCTION:DES
+SXNET_it                                2613    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+SXNET_it                                2613    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+UI_dup_input_boolean                    2614    EXIST::FUNCTION:
+PKCS12_add_CSPName_asc                  2615    EXIST::FUNCTION:
+EC_POINT_is_at_infinity                 2616    EXIST::FUNCTION:EC
+ENGINE_load_openbsd_dev_crypto          2617    EXIST::FUNCTION:
+DSO_convert_filename                    2618    EXIST::FUNCTION:
+POLICYQUALINFO_it                       2619    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+POLICYQUALINFO_it                       2619    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+ENGINE_register_ciphers                 2620    EXIST::FUNCTION:
+BN_mod_lshift_quick                     2621    EXIST::FUNCTION:
+DSO_set_filename                        2622    EXIST::FUNCTION:
+ASN1_item_free                          2623    EXIST::FUNCTION:
+KRB5_TKTBODY_free                       2624    EXIST::FUNCTION:
+AUTHORITY_KEYID_it                      2625    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+AUTHORITY_KEYID_it                      2625    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+KRB5_APREQBODY_new                      2626    EXIST::FUNCTION:
+X509V3_EXT_REQ_add_nconf                2627    EXIST::FUNCTION:
+ENGINE_ctrl_cmd_string                  2628    EXIST::FUNCTION:
+i2d_OCSP_RESPDATA                       2629    EXIST::FUNCTION:
+EVP_MD_CTX_init                         2630    EXIST::FUNCTION:
+EXTENDED_KEY_USAGE_free                 2631    EXIST::FUNCTION:
+PKCS7_ATTR_SIGN_it                      2632    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+PKCS7_ATTR_SIGN_it                      2632    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+UI_add_error_string                     2633    EXIST::FUNCTION:
+KRB5_CHECKSUM_free                      2634    EXIST::FUNCTION:
+OCSP_REQUEST_get_ext                    2635    EXIST::FUNCTION:
+ENGINE_load_ubsec                       2636    EXIST::FUNCTION:
+ENGINE_register_all_digests             2637    EXIST::FUNCTION:
+PKEY_USAGE_PERIOD_it                    2638    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+PKEY_USAGE_PERIOD_it                    2638    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+PKCS12_unpack_authsafes                 2639    EXIST::FUNCTION:
+ASN1_item_unpack                        2640    EXIST::FUNCTION:
+NETSCAPE_SPKAC_it                       2641    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+NETSCAPE_SPKAC_it                       2641    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+X509_REVOKED_it                         2642    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+X509_REVOKED_it                         2642    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+ASN1_STRING_encode                      2643    EXIST::FUNCTION:
+EVP_aes_128_ecb                         2644    EXIST::FUNCTION:AES
+KRB5_AUTHENT_free                       2645    EXIST::FUNCTION:
+OCSP_BASICRESP_get_ext_by_critical      2646    EXIST:!VMS:FUNCTION:
+OCSP_BASICRESP_get_ext_by_crit          2646    EXIST:VMS:FUNCTION:
+OCSP_cert_status_str                    2647    EXIST::FUNCTION:
+d2i_OCSP_REQUEST                        2648    EXIST::FUNCTION:
+UI_dup_info_string                      2649    EXIST::FUNCTION:
+_ossl_old_des_xwhite_in2out             2650    EXIST::FUNCTION:DES
+PKCS12_it                               2651    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+PKCS12_it                               2651    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+OCSP_SINGLERESP_get_ext_by_critical     2652    EXIST:!VMS:FUNCTION:
+OCSP_SINGLERESP_get_ext_by_crit         2652    EXIST:VMS:FUNCTION:
+OCSP_CERTSTATUS_free                    2653    EXIST::FUNCTION:
+_ossl_old_des_crypt                     2654    EXIST::FUNCTION:DES
+ASN1_item_i2d                           2655    EXIST::FUNCTION:
+EVP_DecryptFinal_ex                     2656    EXIST::FUNCTION:
+ENGINE_load_openssl                     2657    EXIST::FUNCTION:
+ENGINE_get_cmd_defns                    2658    EXIST::FUNCTION:
+ENGINE_set_load_privkey_function        2659    EXIST:!VMS:FUNCTION:
+ENGINE_set_load_privkey_fn              2659    EXIST:VMS:FUNCTION:
+EVP_EncryptFinal_ex                     2660    EXIST::FUNCTION:
+ENGINE_set_default_digests              2661    EXIST::FUNCTION:
+X509_get0_pubkey_bitstr                 2662    EXIST::FUNCTION:
+asn1_ex_i2c                             2663    EXIST::FUNCTION:
+ENGINE_register_RSA                     2664    EXIST::FUNCTION:
+ENGINE_unregister_DSA                   2665    EXIST::FUNCTION:
+_ossl_old_des_key_sched                 2666    EXIST::FUNCTION:DES
+X509_EXTENSION_it                       2667    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+X509_EXTENSION_it                       2667    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+i2d_KRB5_AUTHENT                        2668    EXIST::FUNCTION:
+SXNETID_it                              2669    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+SXNETID_it                              2669    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+d2i_OCSP_SINGLERESP                     2670    EXIST::FUNCTION:
+EDIPARTYNAME_new                        2671    EXIST::FUNCTION:
+PKCS12_certbag2x509                     2672    EXIST::FUNCTION:
+_ossl_old_des_ofb64_encrypt             2673    EXIST::FUNCTION:DES
+d2i_EXTENDED_KEY_USAGE                  2674    EXIST::FUNCTION:
+ERR_print_errors_cb                     2675    EXIST::FUNCTION:
+ENGINE_set_ciphers                      2676    EXIST::FUNCTION:
+d2i_KRB5_APREQBODY                      2677    EXIST::FUNCTION:
+UI_method_get_flusher                   2678    EXIST::FUNCTION:
+X509_PUBKEY_it                          2679    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+X509_PUBKEY_it                          2679    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+_ossl_old_des_enc_read                  2680    EXIST::FUNCTION:DES
+PKCS7_ENCRYPT_it                        2681    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+PKCS7_ENCRYPT_it                        2681    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+i2d_OCSP_RESPONSE                       2682    EXIST::FUNCTION:
+EC_GROUP_get_cofactor                   2683    EXIST::FUNCTION:EC
+PKCS12_unpack_p7data                    2684    EXIST::FUNCTION:
+d2i_KRB5_AUTHDATA                       2685    EXIST::FUNCTION:
+OCSP_copy_nonce                         2686    EXIST::FUNCTION:
+KRB5_AUTHDATA_new                       2687    EXIST::FUNCTION:
+OCSP_RESPDATA_new                       2688    EXIST::FUNCTION:
+EC_GFp_mont_method                      2689    EXIST::FUNCTION:EC
+OCSP_REVOKEDINFO_free                   2690    EXIST::FUNCTION:
+UI_get_ex_data                          2691    EXIST::FUNCTION:
+KRB5_APREQBODY_free                     2692    EXIST::FUNCTION:
+EC_GROUP_get0_generator                 2693    EXIST::FUNCTION:EC
+UI_get_default_method                   2694    EXIST::FUNCTION:
+X509V3_set_nconf                        2695    EXIST::FUNCTION:
+PKCS12_item_i2d_encrypt                 2696    EXIST::FUNCTION:
+X509_add1_ext_i2d                       2697    EXIST::FUNCTION:
+PKCS7_SIGNER_INFO_it                    2698    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+PKCS7_SIGNER_INFO_it                    2698    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+KRB5_PRINCNAME_new                      2699    EXIST::FUNCTION:
+PKCS12_SAFEBAG_it                       2700    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+PKCS12_SAFEBAG_it                       2700    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+EC_GROUP_get_order                      2701    EXIST::FUNCTION:EC
+d2i_OCSP_RESPID                         2702    EXIST::FUNCTION:
+OCSP_request_verify                     2703    EXIST::FUNCTION:
+NCONF_get_number_e                      2704    EXIST::FUNCTION:
+_ossl_old_des_decrypt3                  2705    EXIST::FUNCTION:DES
+X509_signature_print                    2706    EXIST::FUNCTION:EVP
+OCSP_SINGLERESP_free                    2707    EXIST::FUNCTION:
+ENGINE_load_builtin_engines             2708    EXIST::FUNCTION:
+i2d_OCSP_ONEREQ                         2709    EXIST::FUNCTION:
+OCSP_REQUEST_add_ext                    2710    EXIST::FUNCTION:
+OCSP_RESPBYTES_new                      2711    EXIST::FUNCTION:
+EVP_MD_CTX_create                       2712    EXIST::FUNCTION:
+OCSP_resp_find_status                   2713    EXIST::FUNCTION:
+X509_ALGOR_it                           2714    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+X509_ALGOR_it                           2714    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+ASN1_TIME_it                            2715    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+ASN1_TIME_it                            2715    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+OCSP_request_set1_name                  2716    EXIST::FUNCTION:
+OCSP_ONEREQ_get_ext_count               2717    EXIST::FUNCTION:
+UI_get0_result                          2718    EXIST::FUNCTION:
+PKCS12_AUTHSAFES_it                     2719    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+PKCS12_AUTHSAFES_it                     2719    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+EVP_aes_256_ecb                         2720    EXIST::FUNCTION:AES
+PKCS12_pack_authsafes                   2721    EXIST::FUNCTION:
+ASN1_IA5STRING_it                       2722    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+ASN1_IA5STRING_it                       2722    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+UI_get_input_flags                      2723    EXIST::FUNCTION:
+EC_GROUP_set_generator                  2724    EXIST::FUNCTION:EC
+_ossl_old_des_string_to_2keys           2725    EXIST::FUNCTION:DES
+OCSP_CERTID_free                        2726    EXIST::FUNCTION:
+X509_CERT_AUX_it                        2727    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+X509_CERT_AUX_it                        2727    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+CERTIFICATEPOLICIES_it                  2728    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+CERTIFICATEPOLICIES_it                  2728    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+_ossl_old_des_ede3_cbc_encrypt          2729    EXIST::FUNCTION:DES
+RAND_set_rand_engine                    2730    EXIST::FUNCTION:
+DSO_get_loaded_filename                 2731    EXIST::FUNCTION:
+X509_ATTRIBUTE_it                       2732    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+X509_ATTRIBUTE_it                       2732    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+OCSP_ONEREQ_get_ext_by_NID              2733    EXIST::FUNCTION:
+PKCS12_decrypt_skey                     2734    EXIST::FUNCTION:
+KRB5_AUTHENT_it                         2735    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+KRB5_AUTHENT_it                         2735    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+UI_dup_error_string                     2736    EXIST::FUNCTION:
+RSAPublicKey_it                         2737    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:RSA
+RSAPublicKey_it                         2737    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:RSA
+i2d_OCSP_REQUEST                        2738    EXIST::FUNCTION:
+PKCS12_x509crl2certbag                  2739    EXIST::FUNCTION:
+OCSP_SERVICELOC_it                      2740    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+OCSP_SERVICELOC_it                      2740    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+ASN1_item_sign                          2741    EXIST::FUNCTION:EVP
+X509_CRL_set_issuer_name                2742    EXIST::FUNCTION:
+OBJ_NAME_do_all_sorted                  2743    EXIST::FUNCTION:
+i2d_OCSP_BASICRESP                      2744    EXIST::FUNCTION:
+i2d_OCSP_RESPBYTES                      2745    EXIST::FUNCTION:
+PKCS12_unpack_p7encdata                 2746    EXIST::FUNCTION:
+HMAC_CTX_init                           2747    EXIST::FUNCTION:HMAC
+ENGINE_get_digest                       2748    EXIST::FUNCTION:
+OCSP_RESPONSE_print                     2749    EXIST::FUNCTION:
+KRB5_TKTBODY_it                         2750    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+KRB5_TKTBODY_it                         2750    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+ACCESS_DESCRIPTION_it                   2751    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+ACCESS_DESCRIPTION_it                   2751    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+PKCS7_ISSUER_AND_SERIAL_it              2752    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+PKCS7_ISSUER_AND_SERIAL_it              2752    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+PBE2PARAM_it                            2753    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+PBE2PARAM_it                            2753    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+PKCS12_certbag2x509crl                  2754    EXIST::FUNCTION:
+PKCS7_SIGNED_it                         2755    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+PKCS7_SIGNED_it                         2755    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+ENGINE_get_cipher                       2756    EXIST::FUNCTION:
+i2d_OCSP_CRLID                          2757    EXIST::FUNCTION:
+OCSP_SINGLERESP_new                     2758    EXIST::FUNCTION:
+ENGINE_cmd_is_executable                2759    EXIST::FUNCTION:
+RSA_up_ref                              2760    EXIST::FUNCTION:RSA
+ASN1_GENERALSTRING_it                   2761    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+ASN1_GENERALSTRING_it                   2761    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+ENGINE_register_DSA                     2762    EXIST::FUNCTION:
+X509V3_EXT_add_nconf_sk                 2763    EXIST::FUNCTION:
+ENGINE_set_load_pubkey_function         2764    EXIST::FUNCTION:
+PKCS8_decrypt                           2765    EXIST::FUNCTION:
+PEM_bytes_read_bio                      2766    EXIST::FUNCTION:BIO
+DIRECTORYSTRING_it                      2767    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+DIRECTORYSTRING_it                      2767    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+d2i_OCSP_CRLID                          2768    EXIST::FUNCTION:
+EC_POINT_is_on_curve                    2769    EXIST::FUNCTION:EC
+CRYPTO_set_locked_mem_ex_functions      2770    EXIST:!VMS:FUNCTION:
+CRYPTO_set_locked_mem_ex_funcs          2770    EXIST:VMS:FUNCTION:
+d2i_KRB5_CHECKSUM                       2771    EXIST::FUNCTION:
+ASN1_item_dup                           2772    EXIST::FUNCTION:
+X509_it                                 2773    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+X509_it                                 2773    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+BN_mod_add                              2774    EXIST::FUNCTION:
+KRB5_AUTHDATA_free                      2775    EXIST::FUNCTION:
+_ossl_old_des_cbc_cksum                 2776    EXIST::FUNCTION:DES
+ASN1_item_verify                        2777    EXIST::FUNCTION:EVP
+CRYPTO_set_mem_ex_functions             2778    EXIST::FUNCTION:
+EC_POINT_get_Jprojective_coordinates_GFp 2779   EXIST:!VMS:FUNCTION:EC
+EC_POINT_get_Jproj_coords_GFp           2779    EXIST:VMS:FUNCTION:EC
+ZLONG_it                                2780    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+ZLONG_it                                2780    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+CRYPTO_get_locked_mem_ex_functions      2781    EXIST:!VMS:FUNCTION:
+CRYPTO_get_locked_mem_ex_funcs          2781    EXIST:VMS:FUNCTION:
+ASN1_TIME_check                         2782    EXIST::FUNCTION:
+UI_get0_user_data                       2783    EXIST::FUNCTION:
+HMAC_CTX_cleanup                        2784    EXIST::FUNCTION:HMAC
+DSA_up_ref                              2785    EXIST::FUNCTION:DSA
+_ossl_old_des_ede3_cfb64_encrypt        2786    EXIST:!VMS:FUNCTION:DES
+_ossl_odes_ede3_cfb64_encrypt           2786    EXIST:VMS:FUNCTION:DES
+ASN1_BMPSTRING_it                       2787    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+ASN1_BMPSTRING_it                       2787    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+ASN1_tag2bit                            2788    EXIST::FUNCTION:
+UI_method_set_flusher                   2789    EXIST::FUNCTION:
+X509_ocspid_print                       2790    EXIST::FUNCTION:BIO
+KRB5_ENCDATA_it                         2791    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+KRB5_ENCDATA_it                         2791    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+ENGINE_get_load_pubkey_function         2792    EXIST::FUNCTION:
+UI_add_user_data                        2793    EXIST::FUNCTION:
+OCSP_REQUEST_delete_ext                 2794    EXIST::FUNCTION:
+UI_get_method                           2795    EXIST::FUNCTION:
+OCSP_ONEREQ_free                        2796    EXIST::FUNCTION:
+ASN1_PRINTABLESTRING_it                 2797    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+ASN1_PRINTABLESTRING_it                 2797    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+X509_CRL_set_nextUpdate                 2798    EXIST::FUNCTION:
+OCSP_REQUEST_it                         2799    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+OCSP_REQUEST_it                         2799    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+OCSP_BASICRESP_it                       2800    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+OCSP_BASICRESP_it                       2800    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+AES_ecb_encrypt                         2801    EXIST::FUNCTION:AES
+BN_mod_sqr                              2802    EXIST::FUNCTION:
+NETSCAPE_CERT_SEQUENCE_it               2803    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+NETSCAPE_CERT_SEQUENCE_it               2803    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+GENERAL_NAMES_it                        2804    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+GENERAL_NAMES_it                        2804    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+AUTHORITY_INFO_ACCESS_it                2805    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+AUTHORITY_INFO_ACCESS_it                2805    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+ASN1_FBOOLEAN_it                        2806    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+ASN1_FBOOLEAN_it                        2806    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+UI_set_ex_data                          2807    EXIST::FUNCTION:
+_ossl_old_des_string_to_key             2808    EXIST::FUNCTION:DES
+ENGINE_register_all_RSA                 2809    EXIST::FUNCTION:
+d2i_KRB5_PRINCNAME                      2810    EXIST::FUNCTION:
+OCSP_RESPBYTES_it                       2811    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+OCSP_RESPBYTES_it                       2811    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+X509_CINF_it                            2812    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+X509_CINF_it                            2812    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+ENGINE_unregister_digests               2813    EXIST::FUNCTION:
+d2i_EDIPARTYNAME                        2814    EXIST::FUNCTION:
+d2i_OCSP_SERVICELOC                     2815    EXIST::FUNCTION:
+ENGINE_get_digests                      2816    EXIST::FUNCTION:
+_ossl_old_des_set_odd_parity            2817    EXIST::FUNCTION:DES
+OCSP_RESPDATA_free                      2818    EXIST::FUNCTION:
+d2i_KRB5_TICKET                         2819    EXIST::FUNCTION:
+OTHERNAME_it                            2820    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+OTHERNAME_it                            2820    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+EVP_MD_CTX_cleanup                      2821    EXIST::FUNCTION:
+d2i_ASN1_GENERALSTRING                  2822    EXIST::FUNCTION:
+X509_CRL_set_version                    2823    EXIST::FUNCTION:
+BN_mod_sub                              2824    EXIST::FUNCTION:
+OCSP_SINGLERESP_get_ext_by_NID          2825    EXIST::FUNCTION:
+ENGINE_get_ex_new_index                 2826    EXIST::FUNCTION:
+OCSP_REQUEST_free                       2827    EXIST::FUNCTION:
+OCSP_REQUEST_add1_ext_i2d               2828    EXIST::FUNCTION:
+X509_VAL_it                             2829    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+X509_VAL_it                             2829    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+EC_POINTs_make_affine                   2830    EXIST::FUNCTION:EC
+EC_POINT_mul                            2831    EXIST::FUNCTION:EC
+X509V3_EXT_add_nconf                    2832    EXIST::FUNCTION:
+X509_TRUST_set                          2833    EXIST::FUNCTION:
+X509_CRL_add1_ext_i2d                   2834    EXIST::FUNCTION:
+_ossl_old_des_fcrypt                    2835    EXIST::FUNCTION:DES
+DISPLAYTEXT_it                          2836    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+DISPLAYTEXT_it                          2836    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+X509_CRL_set_lastUpdate                 2837    EXIST::FUNCTION:
+OCSP_BASICRESP_free                     2838    EXIST::FUNCTION:
+OCSP_BASICRESP_add1_ext_i2d             2839    EXIST::FUNCTION:
+d2i_KRB5_AUTHENTBODY                    2840    EXIST::FUNCTION:
+CRYPTO_set_ex_data_implementation       2841    EXIST:!VMS:FUNCTION:
+CRYPTO_set_ex_data_impl                 2841    EXIST:VMS:FUNCTION:
+KRB5_ENCDATA_new                        2842    EXIST::FUNCTION:
+DSO_up_ref                              2843    EXIST::FUNCTION:
+OCSP_crl_reason_str                     2844    EXIST::FUNCTION:
+UI_get0_result_string                   2845    EXIST::FUNCTION:
+ASN1_GENERALSTRING_new                  2846    EXIST::FUNCTION:
+X509_SIG_it                             2847    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+X509_SIG_it                             2847    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+ERR_set_implementation                  2848    EXIST::FUNCTION:
+ERR_load_EC_strings                     2849    EXIST::FUNCTION:EC
+UI_get0_action_string                   2850    EXIST::FUNCTION:
+OCSP_ONEREQ_get_ext                     2851    EXIST::FUNCTION:
+EC_POINT_method_of                      2852    EXIST::FUNCTION:EC
+i2d_KRB5_APREQBODY                      2853    EXIST::FUNCTION:
+_ossl_old_des_ecb3_encrypt              2854    EXIST::FUNCTION:DES
+CRYPTO_get_mem_ex_functions             2855    EXIST::FUNCTION:
+ENGINE_get_ex_data                      2856    EXIST::FUNCTION:
+UI_destroy_method                       2857    EXIST::FUNCTION:
+ASN1_item_i2d_bio                       2858    EXIST::FUNCTION:BIO
+OCSP_ONEREQ_get_ext_by_OBJ              2859    EXIST::FUNCTION:
+ASN1_primitive_new                      2860    EXIST::FUNCTION:
+ASN1_PRINTABLE_it                       2861    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+ASN1_PRINTABLE_it                       2861    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+EVP_aes_192_ecb                         2862    EXIST::FUNCTION:AES
+OCSP_SIGNATURE_new                      2863    EXIST::FUNCTION:
+LONG_it                                 2864    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+LONG_it                                 2864    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+ASN1_VISIBLESTRING_it                   2865    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+ASN1_VISIBLESTRING_it                   2865    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+OCSP_SINGLERESP_add1_ext_i2d            2866    EXIST::FUNCTION:
+d2i_OCSP_CERTID                         2867    EXIST::FUNCTION:
+ASN1_item_d2i_fp                        2868    EXIST::FUNCTION:FP_API
+CRL_DIST_POINTS_it                      2869    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+CRL_DIST_POINTS_it                      2869    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+GENERAL_NAME_print                      2870    EXIST::FUNCTION:
+OCSP_SINGLERESP_delete_ext              2871    EXIST::FUNCTION:
+PKCS12_SAFEBAGS_it                      2872    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+PKCS12_SAFEBAGS_it                      2872    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+d2i_OCSP_SIGNATURE                      2873    EXIST::FUNCTION:
+OCSP_request_add1_nonce                 2874    EXIST::FUNCTION:
+ENGINE_set_cmd_defns                    2875    EXIST::FUNCTION:
+OCSP_SERVICELOC_free                    2876    EXIST::FUNCTION:
+EC_GROUP_free                           2877    EXIST::FUNCTION:EC
+ASN1_BIT_STRING_it                      2878    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+ASN1_BIT_STRING_it                      2878    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+X509_REQ_it                             2879    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+X509_REQ_it                             2879    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+_ossl_old_des_cbc_encrypt               2880    EXIST::FUNCTION:DES
+ERR_unload_strings                      2881    EXIST::FUNCTION:
+PKCS7_SIGN_ENVELOPE_it                  2882    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+PKCS7_SIGN_ENVELOPE_it                  2882    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+EDIPARTYNAME_free                       2883    EXIST::FUNCTION:
+OCSP_REQINFO_free                       2884    EXIST::FUNCTION:
+EC_GROUP_new_curve_GFp                  2885    EXIST::FUNCTION:EC
+OCSP_REQUEST_get1_ext_d2i               2886    EXIST::FUNCTION:
+PKCS12_item_pack_safebag                2887    EXIST::FUNCTION:
+asn1_ex_c2i                             2888    EXIST::FUNCTION:
+ENGINE_register_digests                 2889    EXIST::FUNCTION:
+i2d_OCSP_REVOKEDINFO                    2890    EXIST::FUNCTION:
+asn1_enc_restore                        2891    EXIST::FUNCTION:
+UI_free                                 2892    EXIST::FUNCTION:
+UI_new_method                           2893    EXIST::FUNCTION:
+EVP_EncryptInit_ex                      2894    EXIST::FUNCTION:
+X509_pubkey_digest                      2895    EXIST::FUNCTION:EVP
+EC_POINT_invert                         2896    EXIST::FUNCTION:EC
+OCSP_basic_sign                         2897    EXIST::FUNCTION:
+i2d_OCSP_RESPID                         2898    EXIST::FUNCTION:
+OCSP_check_nonce                        2899    EXIST::FUNCTION:
+ENGINE_ctrl_cmd                         2900    EXIST::FUNCTION:
+d2i_KRB5_ENCKEY                         2901    EXIST::FUNCTION:
+OCSP_parse_url                          2902    EXIST::FUNCTION:
+OCSP_SINGLERESP_get_ext                 2903    EXIST::FUNCTION:
+OCSP_CRLID_free                         2904    EXIST::FUNCTION:
+OCSP_BASICRESP_get1_ext_d2i             2905    EXIST::FUNCTION:
+RSAPrivateKey_it                        2906    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:RSA
+RSAPrivateKey_it                        2906    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:RSA
+ENGINE_register_all_DH                  2907    EXIST::FUNCTION:
+i2d_EDIPARTYNAME                        2908    EXIST::FUNCTION:
+EC_POINT_get_affine_coordinates_GFp     2909    EXIST:!VMS:FUNCTION:EC
+EC_POINT_get_affine_coords_GFp          2909    EXIST:VMS:FUNCTION:EC
+OCSP_CRLID_new                          2910    EXIST::FUNCTION:
+ENGINE_get_flags                        2911    EXIST::FUNCTION:
+OCSP_ONEREQ_it                          2912    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+OCSP_ONEREQ_it                          2912    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+UI_process                              2913    EXIST::FUNCTION:
+ASN1_INTEGER_it                         2914    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+ASN1_INTEGER_it                         2914    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+EVP_CipherInit_ex                       2915    EXIST::FUNCTION:
+UI_get_string_type                      2916    EXIST::FUNCTION:
+ENGINE_unregister_DH                    2917    EXIST::FUNCTION:
+ENGINE_register_all_DSA                 2918    EXIST::FUNCTION:
+OCSP_ONEREQ_get_ext_by_critical         2919    EXIST::FUNCTION:
+bn_dup_expand                           2920    EXIST::FUNCTION:
+OCSP_cert_id_new                        2921    EXIST::FUNCTION:
+BASIC_CONSTRAINTS_it                    2922    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+BASIC_CONSTRAINTS_it                    2922    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+BN_mod_add_quick                        2923    EXIST::FUNCTION:
+EC_POINT_new                            2924    EXIST::FUNCTION:EC
+EVP_MD_CTX_destroy                      2925    EXIST::FUNCTION:
+OCSP_RESPBYTES_free                     2926    EXIST::FUNCTION:
+EVP_aes_128_cbc                         2927    EXIST::FUNCTION:AES
+OCSP_SINGLERESP_get1_ext_d2i            2928    EXIST::FUNCTION:
+EC_POINT_free                           2929    EXIST::FUNCTION:EC
+DH_up_ref                               2930    EXIST::FUNCTION:DH
+X509_NAME_ENTRY_it                      2931    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+X509_NAME_ENTRY_it                      2931    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+UI_get_ex_new_index                     2932    EXIST::FUNCTION:
+BN_mod_sub_quick                        2933    EXIST::FUNCTION:
+OCSP_ONEREQ_add_ext                     2934    EXIST::FUNCTION:
+OCSP_request_sign                       2935    EXIST::FUNCTION:
+EVP_DigestFinal_ex                      2936    EXIST::FUNCTION:
+ENGINE_set_digests                      2937    EXIST::FUNCTION:
+OCSP_id_issuer_cmp                      2938    EXIST::FUNCTION:
+OBJ_NAME_do_all                         2939    EXIST::FUNCTION:
+EC_POINTs_mul                           2940    EXIST::FUNCTION:EC
+ENGINE_register_complete                2941    EXIST::FUNCTION:
+X509V3_EXT_nconf_nid                    2942    EXIST::FUNCTION:
+ASN1_SEQUENCE_it                        2943    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+ASN1_SEQUENCE_it                        2943    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+UI_set_default_method                   2944    EXIST::FUNCTION:
+RAND_query_egd_bytes                    2945    EXIST::FUNCTION:
+UI_method_get_writer                    2946    EXIST::FUNCTION:
+UI_OpenSSL                              2947    EXIST::FUNCTION:
+PEM_def_callback                        2948    EXIST::FUNCTION:
+ENGINE_cleanup                          2949    EXIST::FUNCTION:
+DIST_POINT_it                           2950    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+DIST_POINT_it                           2950    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+OCSP_SINGLERESP_it                      2951    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+OCSP_SINGLERESP_it                      2951    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+d2i_KRB5_TKTBODY                        2952    EXIST::FUNCTION:
+EC_POINT_cmp                            2953    EXIST::FUNCTION:EC
+OCSP_REVOKEDINFO_new                    2954    EXIST::FUNCTION:
+i2d_OCSP_CERTSTATUS                     2955    EXIST::FUNCTION:
+OCSP_basic_add1_nonce                   2956    EXIST::FUNCTION:
+ASN1_item_ex_d2i                        2957    EXIST::FUNCTION:
+BN_mod_lshift1_quick                    2958    EXIST::FUNCTION:
+UI_set_method                           2959    EXIST::FUNCTION:
+OCSP_id_get0_info                       2960    EXIST::FUNCTION:
+BN_mod_sqrt                             2961    EXIST::FUNCTION:
+EC_GROUP_copy                           2962    EXIST::FUNCTION:EC
+KRB5_ENCDATA_free                       2963    EXIST::FUNCTION:
+_ossl_old_des_cfb_encrypt               2964    EXIST::FUNCTION:DES
+OCSP_SINGLERESP_get_ext_by_OBJ          2965    EXIST::FUNCTION:
+OCSP_cert_to_id                         2966    EXIST::FUNCTION:
+OCSP_RESPID_new                         2967    EXIST::FUNCTION:
+OCSP_RESPDATA_it                        2968    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+OCSP_RESPDATA_it                        2968    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+d2i_OCSP_RESPDATA                       2969    EXIST::FUNCTION:
+ENGINE_register_all_complete            2970    EXIST::FUNCTION:
+OCSP_check_validity                     2971    EXIST::FUNCTION:
+PKCS12_BAGS_it                          2972    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+PKCS12_BAGS_it                          2972    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+OCSP_url_svcloc_new                     2973    EXIST::FUNCTION:
+ASN1_template_free                      2974    EXIST::FUNCTION:
+OCSP_SINGLERESP_add_ext                 2975    EXIST::FUNCTION:
+KRB5_AUTHENTBODY_it                     2976    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+KRB5_AUTHENTBODY_it                     2976    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+X509_supported_extension                2977    EXIST::FUNCTION:
+i2d_KRB5_AUTHDATA                       2978    EXIST::FUNCTION:
+UI_method_get_opener                    2979    EXIST::FUNCTION:
+ENGINE_set_ex_data                      2980    EXIST::FUNCTION:
+OCSP_REQUEST_print                      2981    EXIST::FUNCTION:
+CBIGNUM_it                              2982    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+CBIGNUM_it                              2982    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+KRB5_TICKET_new                         2983    EXIST::FUNCTION:
+KRB5_APREQ_new                          2984    EXIST::FUNCTION:
+EC_GROUP_get_curve_GFp                  2985    EXIST::FUNCTION:EC
+KRB5_ENCKEY_new                         2986    EXIST::FUNCTION:
+ASN1_template_d2i                       2987    EXIST::FUNCTION:
+_ossl_old_des_quad_cksum                2988    EXIST::FUNCTION:DES
+OCSP_single_get0_status                 2989    EXIST::FUNCTION:
+BN_swap                                 2990    EXIST::FUNCTION:
+POLICYINFO_it                           2991    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+POLICYINFO_it                           2991    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+ENGINE_set_destroy_function             2992    EXIST::FUNCTION:
+asn1_enc_free                           2993    EXIST::FUNCTION:
+OCSP_RESPID_it                          2994    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+OCSP_RESPID_it                          2994    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+EC_GROUP_new                            2995    EXIST::FUNCTION:EC
+EVP_aes_256_cbc                         2996    EXIST::FUNCTION:AES
+i2d_KRB5_PRINCNAME                      2997    EXIST::FUNCTION:
+_ossl_old_des_encrypt2                  2998    EXIST::FUNCTION:DES
+_ossl_old_des_encrypt3                  2999    EXIST::FUNCTION:DES
+PKCS8_PRIV_KEY_INFO_it                  3000    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+PKCS8_PRIV_KEY_INFO_it                  3000    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+OCSP_REQINFO_it                         3001    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+OCSP_REQINFO_it                         3001    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+PBEPARAM_it                             3002    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+PBEPARAM_it                             3002    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+KRB5_AUTHENTBODY_new                    3003    EXIST::FUNCTION:
+X509_CRL_add0_revoked                   3004    EXIST::FUNCTION:
+EDIPARTYNAME_it                         3005    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+EDIPARTYNAME_it                         3005    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+NETSCAPE_SPKI_it                        3006    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+NETSCAPE_SPKI_it                        3006    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+UI_get0_test_string                     3007    EXIST::FUNCTION:
+ENGINE_get_cipher_engine                3008    EXIST::FUNCTION:
+ENGINE_register_all_ciphers             3009    EXIST::FUNCTION:
+EC_POINT_copy                           3010    EXIST::FUNCTION:EC
+BN_kronecker                            3011    EXIST::FUNCTION:
+_ossl_old_des_ede3_ofb64_encrypt        3012    EXIST:!VMS:FUNCTION:DES
+_ossl_odes_ede3_ofb64_encrypt           3012    EXIST:VMS:FUNCTION:DES
+UI_method_get_reader                    3013    EXIST::FUNCTION:
+OCSP_BASICRESP_get_ext_count            3014    EXIST::FUNCTION:
+ASN1_ENUMERATED_it                      3015    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+ASN1_ENUMERATED_it                      3015    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+UI_set_result                           3016    EXIST::FUNCTION:
+i2d_KRB5_TICKET                         3017    EXIST::FUNCTION:
+X509_print_ex_fp                        3018    EXIST::FUNCTION:FP_API
+EVP_CIPHER_CTX_set_padding              3019    EXIST::FUNCTION:
+d2i_OCSP_RESPONSE                       3020    EXIST::FUNCTION:
+ASN1_UTCTIME_it                         3021    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+ASN1_UTCTIME_it                         3021    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+_ossl_old_des_enc_write                 3022    EXIST::FUNCTION:DES
+OCSP_RESPONSE_new                       3023    EXIST::FUNCTION:
+AES_set_encrypt_key                     3024    EXIST::FUNCTION:AES
+OCSP_resp_count                         3025    EXIST::FUNCTION:
+KRB5_CHECKSUM_new                       3026    EXIST::FUNCTION:
+ENGINE_load_cswift                      3027    EXIST::FUNCTION:
+OCSP_onereq_get0_id                     3028    EXIST::FUNCTION:
+ENGINE_set_default_ciphers              3029    EXIST::FUNCTION:
+NOTICEREF_it                            3030    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+NOTICEREF_it                            3030    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+X509V3_EXT_CRL_add_nconf                3031    EXIST::FUNCTION:
+OCSP_REVOKEDINFO_it                     3032    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+OCSP_REVOKEDINFO_it                     3032    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+AES_encrypt                             3033    EXIST::FUNCTION:AES
+OCSP_REQUEST_new                        3034    EXIST::FUNCTION:
+ASN1_ANY_it                             3035    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+ASN1_ANY_it                             3035    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+CRYPTO_ex_data_new_class                3036    EXIST::FUNCTION:
+_ossl_old_des_ncbc_encrypt              3037    EXIST::FUNCTION:DES
+i2d_KRB5_TKTBODY                        3038    EXIST::FUNCTION:
+EC_POINT_clear_free                     3039    EXIST::FUNCTION:EC
+AES_decrypt                             3040    EXIST::FUNCTION:AES
+asn1_enc_init                           3041    EXIST::FUNCTION:
+UI_get_result_maxsize                   3042    EXIST::FUNCTION:
+OCSP_CERTID_new                         3043    EXIST::FUNCTION:
+ENGINE_unregister_RAND                  3044    EXIST::FUNCTION:
+UI_method_get_closer                    3045    EXIST::FUNCTION:
+d2i_KRB5_ENCDATA                        3046    EXIST::FUNCTION:
+OCSP_request_onereq_count               3047    EXIST::FUNCTION:
+OCSP_basic_verify                       3048    EXIST::FUNCTION:
+KRB5_AUTHENTBODY_free                   3049    EXIST::FUNCTION:
+ASN1_item_d2i                           3050    EXIST::FUNCTION:
+ASN1_primitive_free                     3051    EXIST::FUNCTION:
+i2d_EXTENDED_KEY_USAGE                  3052    EXIST::FUNCTION:
+i2d_OCSP_SIGNATURE                      3053    EXIST::FUNCTION:
+asn1_enc_save                           3054    EXIST::FUNCTION:
+ENGINE_load_nuron                       3055    EXIST::FUNCTION:
+_ossl_old_des_pcbc_encrypt              3056    EXIST::FUNCTION:DES
+PKCS12_MAC_DATA_it                      3057    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+PKCS12_MAC_DATA_it                      3057    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+OCSP_accept_responses_new               3058    EXIST::FUNCTION:
+asn1_do_lock                            3059    EXIST::FUNCTION:
+PKCS7_ATTR_VERIFY_it                    3060    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+PKCS7_ATTR_VERIFY_it                    3060    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+KRB5_APREQBODY_it                       3061    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+KRB5_APREQBODY_it                       3061    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+i2d_OCSP_SINGLERESP                     3062    EXIST::FUNCTION:
+ASN1_item_ex_new                        3063    EXIST::FUNCTION:
+UI_add_verify_string                    3064    EXIST::FUNCTION:
+_ossl_old_des_set_key                   3065    EXIST::FUNCTION:DES
+KRB5_PRINCNAME_it                       3066    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+KRB5_PRINCNAME_it                       3066    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+EVP_DecryptInit_ex                      3067    EXIST::FUNCTION:
+i2d_OCSP_CERTID                         3068    EXIST::FUNCTION:
+ASN1_item_d2i_bio                       3069    EXIST::FUNCTION:BIO
+EC_POINT_dbl                            3070    EXIST::FUNCTION:EC
+asn1_get_choice_selector                3071    EXIST::FUNCTION:
+i2d_KRB5_CHECKSUM                       3072    EXIST::FUNCTION:
+ENGINE_set_table_flags                  3073    EXIST::FUNCTION:
+AES_options                             3074    EXIST::FUNCTION:AES
+ENGINE_load_chil                        3075    EXIST::FUNCTION:
+OCSP_id_cmp                             3076    EXIST::FUNCTION:
+OCSP_BASICRESP_new                      3077    EXIST::FUNCTION:
+OCSP_REQUEST_get_ext_by_NID             3078    EXIST::FUNCTION:
+KRB5_APREQ_it                           3079    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+KRB5_APREQ_it                           3079    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+ENGINE_get_destroy_function             3080    EXIST::FUNCTION:
+CONF_set_nconf                          3081    EXIST::FUNCTION:
+ASN1_PRINTABLE_free                     3082    EXIST::FUNCTION:
+OCSP_BASICRESP_get_ext_by_NID           3083    EXIST::FUNCTION:
+DIST_POINT_NAME_it                      3084    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+DIST_POINT_NAME_it                      3084    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+X509V3_extensions_print                 3085    EXIST::FUNCTION:
+_ossl_old_des_cfb64_encrypt             3086    EXIST::FUNCTION:DES
+X509_REVOKED_add1_ext_i2d               3087    EXIST::FUNCTION:
+_ossl_old_des_ofb_encrypt               3088    EXIST::FUNCTION:DES
+KRB5_TKTBODY_new                        3089    EXIST::FUNCTION:
+ASN1_OCTET_STRING_it                    3090    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+ASN1_OCTET_STRING_it                    3090    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+ERR_load_UI_strings                     3091    EXIST::FUNCTION:
+i2d_KRB5_ENCKEY                         3092    EXIST::FUNCTION:
+ASN1_template_new                       3093    EXIST::FUNCTION:
+OCSP_SIGNATURE_free                     3094    EXIST::FUNCTION:
+ASN1_item_i2d_fp                        3095    EXIST::FUNCTION:FP_API
+KRB5_PRINCNAME_free                     3096    EXIST::FUNCTION:
+PKCS7_RECIP_INFO_it                     3097    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+PKCS7_RECIP_INFO_it                     3097    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+EXTENDED_KEY_USAGE_it                   3098    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+EXTENDED_KEY_USAGE_it                   3098    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+EC_GFp_simple_method                    3099    EXIST::FUNCTION:EC
+EC_GROUP_precompute_mult                3100    EXIST::FUNCTION:EC
+OCSP_request_onereq_get0                3101    EXIST::FUNCTION:
+UI_method_set_writer                    3102    EXIST::FUNCTION:
+KRB5_AUTHENT_new                        3103    EXIST::FUNCTION:
+X509_CRL_INFO_it                        3104    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+X509_CRL_INFO_it                        3104    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+DSO_set_name_converter                  3105    EXIST::FUNCTION:
+AES_set_decrypt_key                     3106    EXIST::FUNCTION:AES
+PKCS7_DIGEST_it                         3107    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+PKCS7_DIGEST_it                         3107    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+PKCS12_x5092certbag                     3108    EXIST::FUNCTION:
+EVP_DigestInit_ex                       3109    EXIST::FUNCTION:
+i2a_ACCESS_DESCRIPTION                  3110    EXIST::FUNCTION:
+OCSP_RESPONSE_it                        3111    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+OCSP_RESPONSE_it                        3111    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+PKCS7_ENC_CONTENT_it                    3112    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+PKCS7_ENC_CONTENT_it                    3112    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+OCSP_request_add0_id                    3113    EXIST::FUNCTION:
+EC_POINT_make_affine                    3114    EXIST::FUNCTION:EC
+DSO_get_filename                        3115    EXIST::FUNCTION:
+OCSP_CERTSTATUS_it                      3116    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+OCSP_CERTSTATUS_it                      3116    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+OCSP_request_add1_cert                  3117    EXIST::FUNCTION:
+UI_get0_output_string                   3118    EXIST::FUNCTION:
+UI_dup_verify_string                    3119    EXIST::FUNCTION:
+BN_mod_lshift                           3120    EXIST::FUNCTION:
+KRB5_AUTHDATA_it                        3121    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+KRB5_AUTHDATA_it                        3121    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+asn1_set_choice_selector                3122    EXIST::FUNCTION:
+OCSP_basic_add1_status                  3123    EXIST::FUNCTION:
+OCSP_RESPID_free                        3124    EXIST::FUNCTION:
+asn1_get_field_ptr                      3125    EXIST::FUNCTION:
+UI_add_input_string                     3126    EXIST::FUNCTION:
+OCSP_CRLID_it                           3127    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+OCSP_CRLID_it                           3127    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+i2d_KRB5_AUTHENTBODY                    3128    EXIST::FUNCTION:
+OCSP_REQUEST_get_ext_count              3129    EXIST::FUNCTION:
+ENGINE_load_atalla                      3130    EXIST::FUNCTION:
+X509_NAME_it                            3131    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+X509_NAME_it                            3131    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+USERNOTICE_it                           3132    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+USERNOTICE_it                           3132    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+OCSP_REQINFO_new                        3133    EXIST::FUNCTION:
+OCSP_BASICRESP_get_ext                  3134    EXIST::FUNCTION:
+CRYPTO_get_ex_data_implementation       3135    EXIST:!VMS:FUNCTION:
+CRYPTO_get_ex_data_impl                 3135    EXIST:VMS:FUNCTION:
+ASN1_item_pack                          3136    EXIST::FUNCTION:
+i2d_KRB5_ENCDATA                        3137    EXIST::FUNCTION:
+X509_PURPOSE_set                        3138    EXIST::FUNCTION:
+X509_REQ_INFO_it                        3139    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+X509_REQ_INFO_it                        3139    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+UI_method_set_opener                    3140    EXIST::FUNCTION:
+ASN1_item_ex_free                       3141    EXIST::FUNCTION:
+ASN1_BOOLEAN_it                         3142    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+ASN1_BOOLEAN_it                         3142    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+ENGINE_get_table_flags                  3143    EXIST::FUNCTION:
+UI_create_method                        3144    EXIST::FUNCTION:
+OCSP_ONEREQ_add1_ext_i2d                3145    EXIST::FUNCTION:
+_shadow_DES_check_key                   3146    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:DES
+_shadow_DES_check_key                   3146    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:DES
+d2i_OCSP_REQINFO                        3147    EXIST::FUNCTION:
+UI_add_info_string                      3148    EXIST::FUNCTION:
+UI_get_result_minsize                   3149    EXIST::FUNCTION:
+ASN1_NULL_it                            3150    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+ASN1_NULL_it                            3150    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+BN_mod_lshift1                          3151    EXIST::FUNCTION:
+d2i_OCSP_ONEREQ                         3152    EXIST::FUNCTION:
+OCSP_ONEREQ_new                         3153    EXIST::FUNCTION:
+KRB5_TICKET_it                          3154    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+KRB5_TICKET_it                          3154    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+EVP_aes_192_cbc                         3155    EXIST::FUNCTION:AES
+KRB5_TICKET_free                        3156    EXIST::FUNCTION:
+UI_new                                  3157    EXIST::FUNCTION:
+OCSP_response_create                    3158    EXIST::FUNCTION:
+_ossl_old_des_xcbc_encrypt              3159    EXIST::FUNCTION:DES
+PKCS7_it                                3160    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+PKCS7_it                                3160    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+OCSP_REQUEST_get_ext_by_critical        3161    EXIST:!VMS:FUNCTION:
+OCSP_REQUEST_get_ext_by_crit            3161    EXIST:VMS:FUNCTION:
+ENGINE_set_flags                        3162    EXIST::FUNCTION:
+_ossl_old_des_ecb_encrypt               3163    EXIST::FUNCTION:DES
+OCSP_response_get1_basic                3164    EXIST::FUNCTION:
+EVP_Digest                              3165    EXIST::FUNCTION:
+OCSP_ONEREQ_delete_ext                  3166    EXIST::FUNCTION:
+ASN1_TBOOLEAN_it                        3167    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+ASN1_TBOOLEAN_it                        3167    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+ASN1_item_new                           3168    EXIST::FUNCTION:
+ASN1_TIME_to_generalizedtime            3169    EXIST::FUNCTION:
+BIGNUM_it                               3170    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+BIGNUM_it                               3170    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+AES_cbc_encrypt                         3171    EXIST::FUNCTION:AES
+ENGINE_get_load_privkey_function        3172    EXIST:!VMS:FUNCTION:
+ENGINE_get_load_privkey_fn              3172    EXIST:VMS:FUNCTION:
+OCSP_RESPONSE_free                      3173    EXIST::FUNCTION:
+UI_method_set_reader                    3174    EXIST::FUNCTION:
+i2d_ASN1_T61STRING                      3175    EXIST::FUNCTION:
+EC_POINT_set_to_infinity                3176    EXIST::FUNCTION:EC
+ERR_load_OCSP_strings                   3177    EXIST::FUNCTION:
+EC_POINT_point2oct                      3178    EXIST::FUNCTION:EC
+KRB5_APREQ_free                         3179    EXIST::FUNCTION:
+ASN1_OBJECT_it                          3180    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
+ASN1_OBJECT_it                          3180    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
+OCSP_crlID_new                          3181    EXIST:!VMS,!WIN16:FUNCTION:
+OCSP_crlID2_new                         3181    EXIST:VMS,WIN16:FUNCTION:
+CONF_modules_load_file                  3182    EXIST::FUNCTION:
+CONF_imodule_set_usr_data               3183    EXIST::FUNCTION:
+ENGINE_set_default_string               3184    EXIST::FUNCTION:
+CONF_module_get_usr_data                3185    EXIST::FUNCTION:
+ASN1_add_oid_module                     3186    EXIST::FUNCTION:
+CONF_modules_finish                     3187    EXIST::FUNCTION:
+OPENSSL_config                          3188    EXIST::FUNCTION:
+CONF_modules_unload                     3189    EXIST::FUNCTION:
+CONF_imodule_get_value                  3190    EXIST::FUNCTION:
+CONF_module_set_usr_data                3191    EXIST::FUNCTION:
+CONF_parse_list                         3192    EXIST::FUNCTION:
+CONF_module_add                         3193    EXIST::FUNCTION:
+CONF_get1_default_config_file           3194    EXIST::FUNCTION:
+CONF_imodule_get_flags                  3195    EXIST::FUNCTION:
+CONF_imodule_get_module                 3196    EXIST::FUNCTION:
+CONF_modules_load                       3197    EXIST::FUNCTION:
+CONF_imodule_get_name                   3198    EXIST::FUNCTION:
+ERR_peek_top_error                      3199    NOEXIST::FUNCTION:
+CONF_imodule_get_usr_data               3200    EXIST::FUNCTION:
+CONF_imodule_set_flags                  3201    EXIST::FUNCTION:
+ENGINE_add_conf_module                  3202    EXIST::FUNCTION:
+ERR_peek_last_error_line                3203    EXIST::FUNCTION:
+ERR_peek_last_error_line_data           3204    EXIST::FUNCTION:
+ERR_peek_last_error                     3205    EXIST::FUNCTION:
+DES_read_2passwords                     3206    EXIST::FUNCTION:DES
+DES_read_password                       3207    EXIST::FUNCTION:DES
+UI_UTIL_read_pw                         3208    EXIST::FUNCTION:
+UI_UTIL_read_pw_string                  3209    EXIST::FUNCTION:
+ENGINE_load_aep                         3210    EXIST::FUNCTION:
+ENGINE_load_sureware                    3211    EXIST::FUNCTION:
+OPENSSL_add_all_algorithms_noconf       3212    EXIST:!VMS:FUNCTION:
+OPENSSL_add_all_algo_noconf             3212    EXIST:VMS:FUNCTION:
+OPENSSL_add_all_algorithms_conf         3213    EXIST:!VMS:FUNCTION:
+OPENSSL_add_all_algo_conf               3213    EXIST:VMS:FUNCTION:
+OPENSSL_load_builtin_modules            3214    EXIST::FUNCTION:
+AES_ofb128_encrypt                      3215    EXIST::FUNCTION:AES
+AES_ctr128_encrypt                      3216    EXIST::FUNCTION:AES
+AES_cfb128_encrypt                      3217    EXIST::FUNCTION:AES
+ENGINE_load_4758cca                     3218    EXIST::FUNCTION:
+_ossl_096_des_random_seed               3219    EXIST::FUNCTION:DES
diff --git a/src/lib/libcrypto/util/mk1mf.pl b/src/lib/libcrypto/util/mk1mf.pl
index 46755fa287..8b6b2e668a 100644
--- a/src/lib/libcrypto/util/mk1mf.pl
+++ b/src/lib/libcrypto/util/mk1mf.pl
@@ -37,6 +37,7 @@ $infile="MINFO";
         "linux-elf","Linux elf",
         "ultrix-mips","DEC mips ultrix",
         "FreeBSD","FreeBSD distribution",
+        "OS2-EMX", "EMX GCC OS/2",
         "default","cc under unix",
         );
 
@@ -54,12 +55,14 @@ foreach (@ARGV)
 and [options] can be one of
         no-md2 no-md4 no-md5 no-sha no-mdc2     - Skip this digest
         no-ripemd
-        no-rc2 no-rc4 no-idea no-des no-bf no-cast - Skip this symetric cipher
-        no-rc5
+        no-rc2 no-rc4 no-rc5 no-idea no-des     - Skip this symetric cipher
+        no-bf no-cast no-aes
         no-rsa no-dsa no-dh                     - Skip this public key cipher
         no-ssl2 no-ssl3                         - Skip this version of SSL
         just-ssl                                - remove all non-ssl keys/digest
         no-asm                                  - No x86 asm
+        no-krb5                                 - No KRB5
+        no-ec                                   - No EC
         nasm                                    - Use NASM for x86 asm
         gaswin                                  - Use GNU as with Mingw32
         no-socks                                - No socket code
@@ -68,7 +71,6 @@ and [options] can be one of
         debug                                   - Debug build
         profile                                 - Profiling build
         gcc                                     - Use Gcc (unix)
-        rsaref                                  - Build to require RSAref
 
 Values that can be set
 TMP=tmpdir OUT=outdir SRC=srcdir BIN=binpath INC=header-outdir CC=C-compiler
@@ -81,7 +83,7 @@ EOF
                 }
         $platform=$_;
         }
-foreach (split / /, $OPTIONS)
+foreach (grep(!/^$/, split(/ /, $OPTIONS)))
         {
         print STDERR "unknown option - $_\n" if !&read_options;
         }
@@ -91,7 +93,7 @@ $no_mdc2=1 if ($no_des);
 $no_ssl3=1 if ($no_md5 || $no_sha);
 $no_ssl3=1 if ($no_rsa && $no_dh);
 
-$no_ssl2=1 if ($no_md5 || $no_rsa);
+$no_ssl2=1 if ($no_md5);
 $no_ssl2=1 if ($no_rsa);
 
 $out_def="out";
@@ -101,7 +103,6 @@ $tmp_def="tmp";
 $mkdir="mkdir";
 
 ($ssl,$crypto)=("ssl","crypto");
-$RSAglue="RSAglue";
 $ranlib="echo ranlib";
 
 $cc=(defined($VARS{'CC'}))?$VARS{'CC'}:'cc';
@@ -183,6 +184,11 @@ elsif ($platform eq "ultrix-mips")
         require "ultrix.pl";
         $unix=1;
         }
+elsif ($platform eq "OS2-EMX")
+        {
+        $wc=1;
+        require 'OS2-EMX.pl';
+        }
 else
         {
         require "unix.pl";
@@ -197,28 +203,31 @@ $inc_dir=(defined($VARS{'INC'}))?$VARS{'INC'}:$inc_def;
 
 $bin_dir=$bin_dir.$o unless ((substr($bin_dir,-1,1) eq $o) || ($bin_dir eq ''));
 
-$cflags.=" -DNO_IDEA" if $no_idea;
-$cflags.=" -DNO_RC2"  if $no_rc2;
-$cflags.=" -DNO_RC4"  if $no_rc4;
-$cflags.=" -DNO_RC5"  if $no_rc5;
-$cflags.=" -DNO_MD2"  if $no_md2;
-$cflags.=" -DNO_MD4"  if $no_md4;
-$cflags.=" -DNO_MD5"  if $no_md5;
-$cflags.=" -DNO_SHA"  if $no_sha;
-$cflags.=" -DNO_SHA1" if $no_sha1;
-$cflags.=" -DNO_RIPEMD" if $no_rmd160;
-$cflags.=" -DNO_MDC2" if $no_mdc2;
-$cflags.=" -DNO_BF"  if $no_bf;
-$cflags.=" -DNO_CAST" if $no_cast;
-$cflags.=" -DNO_DES"  if $no_des;
-$cflags.=" -DNO_RSA"  if $no_rsa;
-$cflags.=" -DNO_DSA"  if $no_dsa;
-$cflags.=" -DNO_DH"   if $no_dh;
-$cflags.=" -DNO_SOCK" if $no_sock;
-$cflags.=" -DNO_SSL2" if $no_ssl2;
-$cflags.=" -DNO_SSL3" if $no_ssl3;
-$cflags.=" -DNO_ERR"  if $no_err;
-$cflags.=" -DRSAref"  if $rsaref ne "";
+$cflags.=" -DOPENSSL_NO_IDEA" if $no_idea;
+$cflags.=" -DOPENSSL_NO_AES"  if $no_aes;
+$cflags.=" -DOPENSSL_NO_RC2"  if $no_rc2;
+$cflags.=" -DOPENSSL_NO_RC4"  if $no_rc4;
+$cflags.=" -DOPENSSL_NO_RC5"  if $no_rc5;
+$cflags.=" -DOPENSSL_NO_MD2"  if $no_md2;
+$cflags.=" -DOPENSSL_NO_MD4"  if $no_md4;
+$cflags.=" -DOPENSSL_NO_MD5"  if $no_md5;
+$cflags.=" -DOPENSSL_NO_SHA"  if $no_sha;
+$cflags.=" -DOPENSSL_NO_SHA1" if $no_sha1;
+$cflags.=" -DOPENSSL_NO_RIPEMD" if $no_rmd160;
+$cflags.=" -DOPENSSL_NO_MDC2" if $no_mdc2;
+$cflags.=" -DOPENSSL_NO_BF"  if $no_bf;
+$cflags.=" -DOPENSSL_NO_CAST" if $no_cast;
+$cflags.=" -DOPENSSL_NO_DES"  if $no_des;
+$cflags.=" -DOPENSSL_NO_RSA"  if $no_rsa;
+$cflags.=" -DOPENSSL_NO_DSA"  if $no_dsa;
+$cflags.=" -DOPENSSL_NO_DH"   if $no_dh;
+$cflags.=" -DOPENSSL_NO_SOCK" if $no_sock;
+$cflags.=" -DOPENSSL_NO_SSL2" if $no_ssl2;
+$cflags.=" -DOPENSSL_NO_SSL3" if $no_ssl3;
+$cflags.=" -DOPENSSL_NO_ERR"  if $no_err;
+$cflags.=" -DOPENSSL_NO_KRB5" if $no_krb5;
+$cflags.=" -DOPENSSL_NO_EC"   if $no_ec;
+#$cflags.=" -DRSAref"  if $rsaref ne "";
 
 ## if ($unix)
 ##      { $cflags="$c_flags" if ($c_flags ne ""); }
@@ -227,6 +236,9 @@ $cflags.=" -DRSAref"  if $rsaref ne "";
 
 $ex_libs="$l_flags$ex_libs" if ($l_flags ne "");
 
+%shlib_ex_cflags=("SSL" => " -DOPENSSL_BUILD_SHLIBSSL",
+                  "CRYPTO" => " -DOPENSSL_BUILD_SHLIBCRYPTO");
+
 if ($msdos)
         {
         $banner ="\t\@echo Make sure you have run 'perl Configure $platform' in the\n";
@@ -319,7 +331,6 @@ ASM=$bin_dir$asm
 E_EXE=openssl
 SSL=$ssl
 CRYPTO=$crypto
-RSAGLUE=$RSAglue
 
 # BIN_D  - Binary output directory
 # TEST_D - Binary test file output directory
@@ -338,14 +349,12 @@ INCL_D=\$(TMP_D)
 
 O_SSL=     \$(LIB_D)$o$plib\$(SSL)$shlibp
 O_CRYPTO=  \$(LIB_D)$o$plib\$(CRYPTO)$shlibp
-O_RSAGLUE= \$(LIB_D)$o$plib\$(RSAGLUE)$libp
 SO_SSL=    $plib\$(SSL)$so_shlibp
 SO_CRYPTO= $plib\$(CRYPTO)$so_shlibp
 L_SSL=     \$(LIB_D)$o$plib\$(SSL)$libp
 L_CRYPTO=  \$(LIB_D)$o$plib\$(CRYPTO)$libp
 
 L_LIBS= \$(L_SSL) \$(L_CRYPTO)
-#L_LIBS= \$(O_SSL) \$(O_RSAGLUE) -lrsaref \$(O_CRYPTO)
 
 ######################################################
 # Don't touch anything below this point
@@ -355,7 +364,7 @@ INC=-I\$(INC_D) -I\$(INCL_D)
 APP_CFLAGS=\$(INC) \$(CFLAG) \$(APP_CFLAG)
 LIB_CFLAGS=\$(INC) \$(CFLAG) \$(LIB_CFLAG)
 SHLIB_CFLAGS=\$(INC) \$(CFLAG) \$(LIB_CFLAG) \$(SHLIB_CFLAG)
-LIBS_DEP=\$(O_CRYPTO) \$(O_RSAGLUE) \$(O_SSL)
+LIBS_DEP=\$(O_CRYPTO) \$(O_SSL)
 
 #############################################
 EOF
@@ -527,20 +536,12 @@ foreach (values %lib_nam)
         $lib_obj=$lib_obj{$_};
         local($slib)=$shlib;
 
-        $slib=0 if ($_ eq "RSAGLUE");
-
         if (($_ eq "SSL") && $no_ssl2 && $no_ssl3)
                 {
                 $rules.="\$(O_SSL):\n\n"; 
                 next;
                 }
 
-        if (($_ eq "RSAGLUE") && $no_rsa)
-                {
-                $rules.="\$(O_RSAGLUE):\n\n"; 
-                next;
-                }
-
         if (($bn_asm_obj ne "") && ($_ eq "CRYPTO"))
                 {
                 $lib_obj =~ s/\s\S*\/bn_asm\S*/ \$(BN_ASM_OBJ)/;
@@ -593,7 +594,7 @@ foreach (values %lib_nam)
                 $rules.=&do_asm_rule($rmd160_asm_obj,$rmd160_asm_src);
                 }
         $defs.=&do_defs(${_}."OBJ",$lib_obj,"\$(OBJ_D)",$obj);
-        $lib=($slib)?" \$(SHLIB_CFLAGS)":" \$(LIB_CFLAGS)";
+        $lib=($slib)?" \$(SHLIB_CFLAGS)".$shlib_ex_cflags{$_}:" \$(LIB_CFLAGS)";
         $rules.=&do_compile_rule("\$(OBJ_D)",$lib_obj{$_},$lib);
         }
 
@@ -606,8 +607,6 @@ foreach (split(/\s+/,$test))
         }
 
 $rules.= &do_lib_rule("\$(SSLOBJ)","\$(O_SSL)",$ssl,$shlib,"\$(SO_SSL)");
-$rules.= &do_lib_rule("\$(RSAGLUEOBJ)","\$(O_RSAGLUE)",$RSAglue,0,"")
-        unless $no_rsa;
 $rules.= &do_lib_rule("\$(CRYPTOOBJ)","\$(O_CRYPTO)",$crypto,$shlib,"\$(SO_CRYPTO)");
 
 $rules.=&do_link_rule("\$(BIN_D)$o\$(E_EXE)$exep","\$(E_OBJ)","\$(LIBS_DEP)","\$(L_LIBS) \$(EX_LIBS)");
@@ -634,6 +633,7 @@ sub var_add
         local(@a,$_,$ret);
 
         return("") if $no_idea && $dir =~ /\/idea/;
+        return("") if $no_aes  && $dir =~ /\/aes/;
         return("") if $no_rc2  && $dir =~ /\/rc2/;
         return("") if $no_rc4  && $dir =~ /\/rc4/;
         return("") if $no_rc5  && $dir =~ /\/rc5/;
@@ -659,7 +659,8 @@ sub var_add
 
         @a=grep(!/^e_.*_3d$/,@a) if $no_des;
         @a=grep(!/^e_.*_d$/,@a) if $no_des;
-        @a=grep(!/^e_.*_i$/,@a) if $no_idea;
+        @a=grep(!/^e_.*_ae$/,@a) if $no_idea;
+        @a=grep(!/^e_.*_i$/,@a) if $no_aes;
         @a=grep(!/^e_.*_r2$/,@a) if $no_rc2;
         @a=grep(!/^e_.*_r5$/,@a) if $no_rc5;
         @a=grep(!/^e_.*_bf$/,@a) if $no_bf;
@@ -858,6 +859,7 @@ sub read_options
         elsif (/^no-rc4$/)      { $no_rc4=1; }
         elsif (/^no-rc5$/)      { $no_rc5=1; }
         elsif (/^no-idea$/)     { $no_idea=1; }
+        elsif (/^no-aes$/)      { $no_aes=1; }
         elsif (/^no-des$/)      { $no_des=1; }
         elsif (/^no-bf$/)       { $no_bf=1; }
         elsif (/^no-cast$/)     { $no_cast=1; }
@@ -873,6 +875,7 @@ sub read_options
         elsif (/^no-dsa$/)      { $no_dsa=1; }
         elsif (/^no-dh$/)       { $no_dh=1; }
         elsif (/^no-hmac$/)     { $no_hmac=1; }
+        elsif (/^no-aes$/)      { $no_aes=1; }
         elsif (/^no-asm$/)      { $no_asm=1; }
         elsif (/^nasm$/)        { $nasm=1; }
         elsif (/^gaswin$/)      { $gaswin=1; }
@@ -880,12 +883,15 @@ sub read_options
         elsif (/^no-ssl3$/)     { $no_ssl3=1; }
         elsif (/^no-err$/)      { $no_err=1; }
         elsif (/^no-sock$/)     { $no_sock=1; }
+        elsif (/^no-krb5$/)     { $no_krb5=1; }
+        elsif (/^no-ec$/)       { $no_ec=1; }
 
         elsif (/^just-ssl$/)    { $no_rc2=$no_idea=$no_des=$no_bf=$no_cast=1;
                                   $no_md2=$no_sha=$no_mdc2=$no_dsa=$no_dh=1;
-                                  $no_ssl2=$no_err=$no_rmd160=$no_rc5=1; }
+                                  $no_ssl2=$no_err=$no_rmd160=$no_rc5=1;
+                                  $no_aes=1; }
 
-        elsif (/^rsaref$/)      { $rsaref=1; }
+        elsif (/^rsaref$/)      { }
         elsif (/^gcc$/)         { $gcc=1; }
         elsif (/^debug$/)       { $debug=1; }
         elsif (/^profile$/)     { $profile=1; }
diff --git a/src/lib/libcrypto/util/mkdef.pl b/src/lib/libcrypto/util/mkdef.pl
index ba453358cf..071036a6d2 100644
--- a/src/lib/libcrypto/util/mkdef.pl
+++ b/src/lib/libcrypto/util/mkdef.pl
@@ -37,34 +37,38 @@
 # - "platforms" is empty if it exists on all platforms, otherwise it contains
 #   comma-separated list of the platform, just as they are if the symbol exists
 #   for those platforms, or prepended with a "!" if not.  This helps resolve
-#   symbol name replacements for platforms where the names are too long for the
+#   symbol name variants for platforms where the names are too long for the
 #   compiler or linker, or if the systems is case insensitive and there is a
-#   clash.  This script assumes those redefinitions are place in the file
-#   crypto/symhacks.h.
-#   The semantics for the platforms list is a bit complicated.  The rule of
-#   thumb is that the list is exclusive, but it seems to mean different things.
-#   So, if the list is all negatives (like "!VMS,!WIN16"), the symbol exists
-#   on all platforms except those listed.  If the list is all positives (like
-#   "VMS,WIN16"), the symbol exists only on those platforms and nowhere else.
-#   The combination of positives and negatives will act as if the positives
-#   weren't there.
+#   clash, or the symbol is implemented differently (see
+#   EXPORT_VAR_AS_FUNCTION).  This script assumes renaming of symbols is found
+#   in the file crypto/symhacks.h.
+#   The semantics for the platforms is that every item is checked against the
+#   enviroment.  For the negative items ("!FOO"), if any of them is false
+#   (i.e. "FOO" is true) in the enviroment, the corresponding symbol can't be
+#   used.  For the positive itms, if all of them are false in the environment,
+#   the corresponding symbol can't be used.  Any combination of positive and
+#   negative items are possible, and of course leave room for some redundancy.
 # - "kind" is "FUNCTION" or "VARIABLE".  The meaning of that is obvious.
 # - "algorithms" is a comma-separated list of algorithm names.  This helps
 #   exclude symbols that are part of an algorithm that some user wants to
 #   exclude.
 #
 
+my $debug=0;
+
 my $crypto_num= "util/libeay.num";
 my $ssl_num=    "util/ssleay.num";
 
 my $do_update = 0;
-my $do_rewrite = 0;
+my $do_rewrite = 1;
 my $do_crypto = 0;
 my $do_ssl = 0;
 my $do_ctest = 0;
 my $do_ctestall = 0;
-my $rsaref = 0;
+my $do_checkexist = 0;
 
+my $VMSVAX=0;
+my $VMSAlpha=0;
 my $VMS=0;
 my $W32=0;
 my $W16=0;
@@ -72,11 +76,20 @@ my $NT=0;
 # Set this to make typesafe STACK definitions appear in DEF
 my $safe_stack_def = 0;
 
-my @known_platforms = ( "__FreeBSD__", "VMS", "WIN16", "WIN32",
-                        "WINNT", "PERL5", "NeXT" );
+my @known_platforms = ( "__FreeBSD__", "PERL5", "NeXT",
+                        "EXPORT_VAR_AS_FUNCTION" );
+my @known_ossl_platforms = ( "VMS", "WIN16", "WIN32", "WINNT" );
 my @known_algorithms = ( "RC2", "RC4", "RC5", "IDEA", "DES", "BF",
-                         "CAST", "MD2", "MD4", "MD5", "SHA", "RIPEMD",
-                         "MDC2", "RSA", "DSA", "DH", "HMAC", "FP_API" );
+                         "CAST", "MD2", "MD4", "MD5", "SHA", "SHA0", "SHA1",
+                         "RIPEMD",
+                         "MDC2", "RSA", "DSA", "DH", "EC", "HMAC", "AES",
+                         # Envelope "algorithms"
+                         "EVP", "X509", "ASN1_TYPEDEFS",
+                         # Helper "algorithms"
+                         "BIO", "COMP", "BUFFER", "LHASH", "STACK", "ERR",
+                         "LOCKING",
+                         # External "algorithms"
+                         "FP_API", "STDIO", "SOCK", "KRB5" );
 
 my $options="";
 open(IN,"<Makefile.ssl") || die "unable to open Makefile.ssl!\n";
@@ -91,19 +104,28 @@ close(IN);
 my $no_rc2; my $no_rc4; my $no_rc5; my $no_idea; my $no_des; my $no_bf;
 my $no_cast;
 my $no_md2; my $no_md4; my $no_md5; my $no_sha; my $no_ripemd; my $no_mdc2;
-my $no_rsa; my $no_dsa; my $no_dh; my $no_hmac=0;
+my $no_rsa; my $no_dsa; my $no_dh; my $no_hmac=0; my $no_aes; my $no_krb5;
+my $no_ec;
 my $no_fp_api;
 
 foreach (@ARGV, split(/ /, $options))
         {
+        $debug=1 if $_ eq "debug";
         $W32=1 if $_ eq "32";
         $W16=1 if $_ eq "16";
         if($_ eq "NT") {
                 $W32 = 1;
                 $NT = 1;
         }
+        if ($_ eq "VMS-VAX") {
+                $VMS=1;
+                $VMSVAX=1;
+        }
+        if ($_ eq "VMS-Alpha") {
+                $VMS=1;
+                $VMSAlpha=1;
+        }
         $VMS=1 if $_ eq "VMS";
-        $rsaref=1 if $_ eq "rsaref";
 
         $do_ssl=1 if $_ eq "ssleay";
         $do_ssl=1 if $_ eq "ssl";
@@ -113,6 +135,7 @@ foreach (@ARGV, split(/ /, $options))
         $do_rewrite=1 if $_ eq "rewrite";
         $do_ctest=1 if $_ eq "ctest";
         $do_ctestall=1 if $_ eq "ctestall";
+        $do_checkexist=1 if $_ eq "exist";
         #$safe_stack_def=1 if $_ eq "-DDEBUG_SAFESTACK";
 
         if    (/^no-rc2$/)      { $no_rc2=1; }
@@ -131,7 +154,19 @@ foreach (@ARGV, split(/ /, $options))
         elsif (/^no-rsa$/)      { $no_rsa=1; }
         elsif (/^no-dsa$/)      { $no_dsa=1; }
         elsif (/^no-dh$/)       { $no_dh=1; }
+        elsif (/^no-ec$/)       { $no_ec=1; }
         elsif (/^no-hmac$/)     { $no_hmac=1; }
+        elsif (/^no-aes$/)      { $no_aes=1; }
+        elsif (/^no-evp$/)      { $no_evp=1; }
+        elsif (/^no-lhash$/)    { $no_lhash=1; }
+        elsif (/^no-stack$/)    { $no_stack=1; }
+        elsif (/^no-err$/)      { $no_err=1; }
+        elsif (/^no-buffer$/)   { $no_buffer=1; }
+        elsif (/^no-bio$/)      { $no_bio=1; }
+        #elsif (/^no-locking$/) { $no_locking=1; }
+        elsif (/^no-comp$/)     { $no_comp=1; }
+        elsif (/^no-dso$/)      { $no_dso=1; }
+        elsif (/^no-krb5$/)     { $no_krb5=1; }
         }
 
 
@@ -147,7 +182,7 @@ if ($W16) {
 
 if (!$do_ssl && !$do_crypto)
         {
-        print STDERR "usage: $0 ( ssl | crypto ) [ 16 | 32 | NT ] [rsaref]\n";
+        print STDERR "usage: $0 ( ssl | crypto ) [ 16 | 32 | NT ]\n";
         exit(1);
         }
 
@@ -157,51 +192,58 @@ $max_ssl = $max_num;
 $max_crypto = $max_num;
 
 my $ssl="ssl/ssl.h";
+$ssl.=" ssl/kssl.h";
 
 my $crypto ="crypto/crypto.h";
-$crypto.=" crypto/des/des.h" unless $no_des;
-$crypto.=" crypto/idea/idea.h" unless $no_idea;
-$crypto.=" crypto/rc4/rc4.h" unless $no_rc4;
-$crypto.=" crypto/rc5/rc5.h" unless $no_rc5;
-$crypto.=" crypto/rc2/rc2.h" unless $no_rc2;
-$crypto.=" crypto/bf/blowfish.h" unless $no_bf;
-$crypto.=" crypto/cast/cast.h" unless $no_cast;
-$crypto.=" crypto/md2/md2.h" unless $no_md2;
-$crypto.=" crypto/md4/md4.h" unless $no_md4;
-$crypto.=" crypto/md5/md5.h" unless $no_md5;
-$crypto.=" crypto/mdc2/mdc2.h" unless $no_mdc2;
-$crypto.=" crypto/sha/sha.h" unless $no_sha;
-$crypto.=" crypto/ripemd/ripemd.h" unless $no_ripemd;
+$crypto.=" crypto/des/des.h crypto/des/des_old.h" ; # unless $no_des;
+$crypto.=" crypto/idea/idea.h" ; # unless $no_idea;
+$crypto.=" crypto/rc4/rc4.h" ; # unless $no_rc4;
+$crypto.=" crypto/rc5/rc5.h" ; # unless $no_rc5;
+$crypto.=" crypto/rc2/rc2.h" ; # unless $no_rc2;
+$crypto.=" crypto/bf/blowfish.h" ; # unless $no_bf;
+$crypto.=" crypto/cast/cast.h" ; # unless $no_cast;
+$crypto.=" crypto/md2/md2.h" ; # unless $no_md2;
+$crypto.=" crypto/md4/md4.h" ; # unless $no_md4;
+$crypto.=" crypto/md5/md5.h" ; # unless $no_md5;
+$crypto.=" crypto/mdc2/mdc2.h" ; # unless $no_mdc2;
+$crypto.=" crypto/sha/sha.h" ; # unless $no_sha;
+$crypto.=" crypto/ripemd/ripemd.h" ; # unless $no_ripemd;
+$crypto.=" crypto/aes/aes.h" ; # unless $no_aes;
 
 $crypto.=" crypto/bn/bn.h";
-$crypto.=" crypto/rsa/rsa.h" unless $no_rsa;
-$crypto.=" crypto/dsa/dsa.h" unless $no_dsa;
-$crypto.=" crypto/dh/dh.h" unless $no_dh;
-$crypto.=" crypto/hmac/hmac.h" unless $no_hmac;
+$crypto.=" crypto/rsa/rsa.h" ; # unless $no_rsa;
+$crypto.=" crypto/dsa/dsa.h" ; # unless $no_dsa;
+$crypto.=" crypto/dh/dh.h" ; # unless $no_dh;
+$crypto.=" crypto/ec/ec.h" ; # unless $no_ec;
+$crypto.=" crypto/hmac/hmac.h" ; # unless $no_hmac;
 
 $crypto.=" crypto/engine/engine.h";
-$crypto.=" crypto/stack/stack.h";
-$crypto.=" crypto/buffer/buffer.h";
-$crypto.=" crypto/bio/bio.h";
-$crypto.=" crypto/dso/dso.h";
-$crypto.=" crypto/lhash/lhash.h";
+$crypto.=" crypto/stack/stack.h" ; # unless $no_stack;
+$crypto.=" crypto/buffer/buffer.h" ; # unless $no_buffer;
+$crypto.=" crypto/bio/bio.h" ; # unless $no_bio;
+$crypto.=" crypto/dso/dso.h" ; # unless $no_dso;
+$crypto.=" crypto/lhash/lhash.h" ; # unless $no_lhash;
 $crypto.=" crypto/conf/conf.h";
 $crypto.=" crypto/txt_db/txt_db.h";
 
-$crypto.=" crypto/evp/evp.h";
+$crypto.=" crypto/evp/evp.h" ; # unless $no_evp;
 $crypto.=" crypto/objects/objects.h";
 $crypto.=" crypto/pem/pem.h";
 #$crypto.=" crypto/meth/meth.h";
 $crypto.=" crypto/asn1/asn1.h";
+$crypto.=" crypto/asn1/asn1t.h";
 $crypto.=" crypto/asn1/asn1_mac.h";
-$crypto.=" crypto/err/err.h";
+$crypto.=" crypto/err/err.h" ; # unless $no_err;
 $crypto.=" crypto/pkcs7/pkcs7.h";
 $crypto.=" crypto/pkcs12/pkcs12.h";
 $crypto.=" crypto/x509/x509.h";
 $crypto.=" crypto/x509/x509_vfy.h";
 $crypto.=" crypto/x509v3/x509v3.h";
 $crypto.=" crypto/rand/rand.h";
-$crypto.=" crypto/comp/comp.h";
+$crypto.=" crypto/comp/comp.h" ; # unless $no_comp;
+$crypto.=" crypto/ocsp/ocsp.h";
+$crypto.=" crypto/ui/ui.h crypto/ui/ui_compat.h";
+$crypto.=" crypto/krb5/krb5_asn.h";
 $crypto.=" crypto/tmdiff.h";
 
 my $symhacks="crypto/symhacks.h";
@@ -217,7 +259,6 @@ if ($do_ssl == 1) {
         if ($do_rewrite == 1) {
                 open(OUT, ">$ssl_num");
                 &rewrite_numbers(*OUT,"SSLEAY",*ssl_list,@ssl_symbols);
-                close OUT;
         } else {
                 open(OUT, ">>$ssl_num");
         }
@@ -238,6 +279,11 @@ if($do_crypto == 1) {
         close OUT;
 } 
 
+} elsif ($do_checkexist) {
+        &check_existing(*ssl_list, @ssl_symbols)
+                if $do_ssl == 1;
+        &check_existing(*crypto_list, @crypto_symbols)
+                if $do_crypto == 1;
 } elsif ($do_ctest || $do_ctestall) {
 
         print <<"EOF";
@@ -277,16 +323,21 @@ sub do_defs
         my %platform;           # For anything undefined, we assume ""
         my %kind;               # For anything undefined, we assume "FUNCTION"
         my %algorithm;          # For anything undefined, we assume ""
-        my %rename;
+        my %variant;
+        my %variant_cnt;        # To be able to allocate "name{n}" if "name"
+                                # is the same name as the original.
         my $cpp;
+        my %unknown_algorithms = ();
 
         foreach $file (split(/\s+/,$symhacksfile." ".$files))
                 {
+                print STDERR "DEBUG: starting on $file:\n" if $debug;
                 open(IN,"<$file") || die "unable to open $file:$!\n";
                 my $line = "", my $def= "";
                 my %tag = (
                         (map { $_ => 0 } @known_platforms),
-                        (map { "NO_".$_ => 0 } @known_algorithms),
+                        (map { "OPENSSL_SYS_".$_ => 0 } @known_ossl_platforms),
+                        (map { "OPENSSL_NO_".$_ => 0 } @known_algorithms),
                         NOPROTO         => 0,
                         PERL5           => 0,
                         _WINDLL         => 0,
@@ -294,14 +345,70 @@ sub do_defs
                         TRUE            => 1,
                 );
                 my $symhacking = $file eq $symhacksfile;
+                my @current_platforms = ();
+                my @current_algorithms = ();
+
+                # params: symbol, alias, platforms, kind
+                # The reason to put this subroutine in a variable is that
+                # it will otherwise create it's own, unshared, version of
+                # %tag and %variant...
+                my $make_variant = sub
+                {
+                        my ($s, $a, $p, $k) = @_;
+                        my ($a1, $a2);
+
+                        print STDERR "DEBUG: make_variant: Entered with ",$s,", ",$a,", ",(defined($p)?$p:""),", ",(defined($k)?$k:""),"\n" if $debug;
+                        if (defined($p))
+                        {
+                                $a1 = join(",",$p,
+                                           grep(!/^$/,
+                                                map { $tag{$_} == 1 ? $_ : "" }
+                                                @known_platforms));
+                        }
+                        else
+                        {
+                                $a1 = join(",",
+                                           grep(!/^$/,
+                                                map { $tag{$_} == 1 ? $_ : "" }
+                                                @known_platforms));
+                        }
+                        $a2 = join(",",
+                                   grep(!/^$/,
+                                        map { $tag{"OPENSSL_SYS_".$_} == 1 ? $_ : "" }
+                                        @known_ossl_platforms));
+                        print STDERR "DEBUG: make_variant: a1 = $a1; a2 = $a2\n" if $debug;
+                        if ($a1 eq "") { $a1 = $a2; }
+                        elsif ($a1 ne "" && $a2 ne "") { $a1 .= ",".$a2; }
+                        if ($a eq $s)
+                        {
+                                if (!defined($variant_cnt{$s}))
+                                {
+                                        $variant_cnt{$s} = 0;
+                                }
+                                $variant_cnt{$s}++;
+                                $a .= "{$variant_cnt{$s}}";
+                        }
+                        my $toadd = $a.":".$a1.(defined($k)?":".$k:"");
+                        my $togrep = $s.'(\{[0-9]+\})?:'.$a1.(defined($k)?":".$k:"");
+                        if (!grep(/^$togrep$/,
+                                  split(/;/, defined($variant{$s})?$variant{$s}:""))) {
+                                if (defined($variant{$s})) { $variant{$s} .= ";"; }
+                                $variant{$s} .= $toadd;
+                        }
+                        print STDERR "DEBUG: make_variant: Exit with variant of ",$s," = ",$variant{$s},"\n" if $debug;
+                };
+
+                print STDERR "DEBUG: parsing ----------\n" if $debug;
                 while(<IN>) {
-                        last if (/BEGIN ERROR CODES/);
+                        last if (/\/\* Error codes for the \w+ functions\. \*\//);
                         if ($line ne '') {
                                 $_ = $line . $_;
                                 $line = '';
                         }
 
                         if (/\\$/) {
+                                chomp; # remove eol
+                                chop; # remove ending backslash
                                 $line = $_;
                                 next;
                         }
@@ -314,134 +421,344 @@ sub do_defs
 
                         s/\/\*.*?\*\///gs;                   # ignore comments
                         s/{[^{}]*}//gs;                      # ignore {} blocks
-                        if (/^\#\s*ifndef (.*)/) {
+                        print STDERR "DEBUG: \$_=\"$_\"\n" if $debug;
+                        if (/^\#\s*ifndef\s+(.*)/) {
+                                push(@tag,"-");
                                 push(@tag,$1);
                                 $tag{$1}=-1;
-                        } elsif (/^\#\s*if !defined\(([^\)]+)\)/) {
-                                push(@tag,$1);
-                                $tag{$1}=-1;
-                        } elsif (/^\#\s*ifdef (.*)/) {
-                                push(@tag,$1);
-                                $tag{$1}=1;
-                        } elsif (/^\#\s*if defined\(([^\)]+)\)/) {
+                                print STDERR "DEBUG: $file: found tag $1 = -1\n" if $debug;
+                        } elsif (/^\#\s*if\s+!defined\(([^\)]+)\)/) {
+                                push(@tag,"-");
+                                if (/^\#\s*if\s+(!defined\(([^\)]+)\)(\s+\&\&\s+!defined\(([^\)]+)\))*)$/) {
+                                        my $tmp_1 = $1;
+                                        my $tmp_;
+                                        foreach $tmp_ (split '\&\&',$tmp_1) {
+                                                $tmp_ =~ /!defined\(([^\)]+)\)/;
+                                                print STDERR "DEBUG: $file: found tag $1 = -1\n" if $debug;
+                                                push(@tag,$1);
+                                                $tag{$1}=-1;
+                                        }
+                                } else {
+                                        print STDERR "Warning: $file: complicated expression: $_" if $debug; # because it is O...
+                                        print STDERR "DEBUG: $file: found tag $1 = -1\n" if $debug;
+                                        push(@tag,$1);
+                                        $tag{$1}=-1;
+                                }
+                        } elsif (/^\#\s*ifdef\s+(.*)/) {
+                                push(@tag,"-");
                                 push(@tag,$1);
                                 $tag{$1}=1;
+                                print STDERR "DEBUG: $file: found tag $1 = 1\n" if $debug;
+                        } elsif (/^\#\s*if\s+defined\(([^\)]+)\)/) {
+                                push(@tag,"-");
+                                if (/^\#\s*if\s+(defined\(([^\)]+)\)(\s+\|\|\s+defined\(([^\)]+)\))*)$/) {
+                                        my $tmp_1 = $1;
+                                        my $tmp_;
+                                        foreach $tmp_ (split '\|\|',$tmp_1) {
+                                                $tmp_ =~ /defined\(([^\)]+)\)/;
+                                                print STDERR "DEBUG: $file: found tag $1 = 1\n" if $debug;
+                                                push(@tag,$1);
+                                                $tag{$1}=1;
+                                        }
+                                } else {
+                                        print STDERR "Warning: $file: complicated expression: $_\n" if $debug; # because it is O...
+                                        print STDERR "DEBUG: $file: found tag $1 = 1\n" if $debug;
+                                        push(@tag,$1);
+                                        $tag{$1}=1;
+                                }
                         } elsif (/^\#\s*error\s+(\w+) is disabled\./) {
-                                if ($tag[$#tag] eq "NO_".$1) {
-                                        $tag{$tag[$#tag]}=2;
+                                my $tag_i = $#tag;
+                                while($tag[$tag_i] ne "-") {
+                                        if ($tag[$tag_i] eq "OPENSSL_NO_".$1) {
+                                                $tag{$tag[$tag_i]}=2;
+                                                print STDERR "DEBUG: $file: chaged tag $1 = 2\n" if $debug;
+                                        }
+                                        $tag_i--;
                                 }
                         } elsif (/^\#\s*endif/) {
-                                if ($tag{$tag[$#tag]}==2) {
-                                        $tag{$tag[$#tag]}=-1;
-                                } else {
-                                        $tag{$tag[$#tag]}=0;
+                                my $tag_i = $#tag;
+                                while($tag[$tag_i] ne "-") {
+                                        my $t=$tag[$tag_i];
+                                        print STDERR "DEBUG: \$t=\"$t\"\n" if $debug;
+                                        if ($tag{$t}==2) {
+                                                $tag{$t}=-1;
+                                        } else {
+                                                $tag{$t}=0;
+                                        }
+                                        print STDERR "DEBUG: $file: changed tag ",$t," = ",$tag{$t},"\n" if $debug;
+                                        pop(@tag);
+                                        if ($t =~ /^OPENSSL_NO_([A-Z0-9_]+)$/) {
+                                                $t=$1;
+                                        } else {
+                                                $t="";
+                                        }
+                                        if ($t ne ""
+                                            && !grep(/^$t$/, @known_algorithms)) {
+                                                $unknown_algorithms{$t} = 1;
+                                                #print STDERR "DEBUG: Added as unknown algorithm: $t\n" if $debug;
+                                        }
+                                        $tag_i--;
                                 }
                                 pop(@tag);
                         } elsif (/^\#\s*else/) {
-                                my $t=$tag[$#tag];
-                                $tag{$t}= -$tag{$t};
+                                my $tag_i = $#tag;
+                                while($tag[$tag_i] ne "-") {
+                                        my $t=$tag[$tag_i];
+                                        $tag{$t}= -$tag{$t};
+                                        print STDERR "DEBUG: $file: changed tag ",$t," = ",$tag{$t},"\n" if $debug;
+                                        $tag_i--;
+                                }
                         } elsif (/^\#\s*if\s+1/) {
+                                push(@tag,"-");
                                 # Dummy tag
                                 push(@tag,"TRUE");
                                 $tag{"TRUE"}=1;
+                                print STDERR "DEBUG: $file: found 1\n" if $debug;
                         } elsif (/^\#\s*if\s+0/) {
+                                push(@tag,"-");
                                 # Dummy tag
                                 push(@tag,"TRUE");
                                 $tag{"TRUE"}=-1;
+                                print STDERR "DEBUG: $file: found 0\n" if $debug;
                         } elsif (/^\#\s*define\s+(\w+)\s+(\w+)/
-                                 && $symhacking) {
-                                my $s = $1;
-                                my $a =
-                                    $2.":".join(",", grep(!/^$/,
-                                                          map { $tag{$_} == 1 ?
-                                                                    $_ : "" }
-                                                          @known_platforms));
-                                $rename{$s} = $a;
+                                 && $symhacking && $tag{'TRUE'} != -1) {
+                                # This is for aliasing.  When we find an alias,
+                                # we have to invert
+                                &$make_variant($1,$2);
+                                print STDERR "DEBUG: $file: defined $1 = $2\n" if $debug;
                         }
                         if (/^\#/) {
-                                my @p = grep(!/^$/,
-                                             map { $tag{$_} == 1 ? $_ :
-                                                       $tag{$_} == -1 ? "!".$_  : "" }
-                                             @known_platforms);
-                                my @a = grep(!/^$/,
-                                             map { $tag{"NO_".$_} == -1 ? $_ : "" }
-                                             @known_algorithms);
-                                $def .= "#INFO:".join(',',@p).":".join(',',@a).";";
+                                @current_platforms =
+                                    grep(!/^$/,
+                                         map { $tag{$_} == 1 ? $_ :
+                                                   $tag{$_} == -1 ? "!".$_  : "" }
+                                         @known_platforms);
+                                push @current_platforms
+                                    , grep(!/^$/,
+                                           map { $tag{"OPENSSL_SYS_".$_} == 1 ? $_ :
+                                                     $tag{"OPENSSL_SYS_".$_} == -1 ? "!".$_  : "" }
+                                           @known_ossl_platforms);
+                                @current_algorithms =
+                                    grep(!/^$/,
+                                         map { $tag{"OPENSSL_NO_".$_} == -1 ? $_ : "" }
+                                         @known_algorithms);
+                                $def .=
+                                    "#INFO:"
+                                        .join(',',@current_platforms).":"
+                                            .join(',',@current_algorithms).";";
                                 next;
                         }
-                        if (/^\s*DECLARE_STACK_OF\s*\(\s*(\w*)\s*\)/) {
-                                next;
-                        } elsif (/^\s*DECLARE_PKCS12_STACK_OF\s*\(\s*(\w*)\s*\)/) {
-                                next;
-                        } elsif (/^\s*DECLARE_ASN1_SET_OF\s*\(\s*(\w*)\s*\)/) {
-                                next;
-                        } elsif (/^DECLARE_PEM_rw\s*\(\s*(\w*)\s*,/ ||
-                                 /^DECLARE_PEM_rw_cb\s*\(\s*(\w*)\s*,/ ) {
-                                # Things not in Win16
-                                $syms{"PEM_read_${1}"} = 1;
-                                $platform{"PEM_read_${1}"} = "!WIN16";
-                                $syms{"PEM_write_${1}"} = 1;
-                                $platform{"PEM_write_${1}"} = "!WIN16";
-                                # Things that are everywhere
-                                $syms{"PEM_read_bio_${1}"} = 1;
-                                $syms{"PEM_write_bio_${1}"} = 1;
-                                if ($1 eq "RSAPrivateKey" ||
-                                    $1 eq "RSAPublicKey" ||
-                                    $1 eq "RSA_PUBKEY") {
-                                        $algorithm{"PEM_read_${1}"} = "RSA";
-                                        $algorithm{"PEM_write_${1}"} = "RSA";
-                                        $algorithm{"PEM_read_bio_${1}"} = "RSA";
-                                        $algorithm{"PEM_write_bio_${1}"} = "RSA";
-                                }
-                                elsif ($1 eq "DSAPrivateKey" ||
-                                       $1 eq "DSAparams" ||
-                                       $1 eq "RSA_PUBKEY") {
-                                        $algorithm{"PEM_read_${1}"} = "DSA";
-                                        $algorithm{"PEM_write_${1}"} = "DSA";
-                                        $algorithm{"PEM_read_bio_${1}"} = "DSA";
-                                        $algorithm{"PEM_write_bio_${1}"} = "DSA";
-                                }
-                                elsif ($1 eq "DHparams") {
-                                        $algorithm{"PEM_read_${1}"} = "DH";
-                                        $algorithm{"PEM_write_${1}"} = "DH";
-                                        $algorithm{"PEM_read_bio_${1}"} = "DH";
-                                        $algorithm{"PEM_write_bio_${1}"} = "DH";
-                                }
-                        } elsif (/^DECLARE_PEM_write\s*\(\s*(\w*)\s*,/ ||
-                                     /^DECLARE_PEM_write_cb\s*\(\s*(\w*)\s*,/ ) {
-                                # Things not in Win16
-                                $syms{"PEM_write_${1}"} = 1;
-                                $platform{"PEM_write_${1}"} .= ",!WIN16";
-                                # Things that are everywhere
-                                $syms{"PEM_write_bio_${1}"} = 1;
-                                if ($1 eq "RSAPrivateKey" ||
-                                    $1 eq "RSAPublicKey" ||
-                                    $1 eq "RSA_PUBKEY") {
-                                        $algorithm{"PEM_write_${1}"} = "RSA";
-                                        $algorithm{"PEM_write_bio_${1}"} = "RSA";
-                                }
-                                elsif ($1 eq "DSAPrivateKey" ||
-                                       $1 eq "DSAparams" ||
-                                       $1 eq "RSA_PUBKEY") {
-                                        $algorithm{"PEM_write_${1}"} = "DSA";
-                                        $algorithm{"PEM_write_bio_${1}"} = "DSA";
-                                }
-                                elsif ($1 eq "DHparams") {
-                                        $algorithm{"PEM_write_${1}"} = "DH";
-                                        $algorithm{"PEM_write_bio_${1}"} = "DH";
-                                }
-                        } elsif (/^DECLARE_PEM_read\s*\(\s*(\w*)\s*,/ ||
-                                     /^DECLARE_PEM_read_cb\s*\(\s*(\w*)\s*,/ ) {
-                                # Things not in Win16
-                                $syms{"PEM_read_${1}"} = 1;
-                                $platform{"PEM_read_${1}"} .= ",!WIN16";
-                                # Things that are everywhere
-                                $syms{"PEM_read_bio_${1}"} = 1;
-                        } elsif (
-                                ($tag{'TRUE'} != -1)
-                                && ($tag{'CONST_STRICT'} != 1)
-                                 )
-                                {
+                        if ($tag{'TRUE'} != -1) {
+                                if (/^\s*DECLARE_STACK_OF\s*\(\s*(\w*)\s*\)/) {
+                                        next;
+                                } elsif (/^\s*DECLARE_ASN1_ENCODE_FUNCTIONS\s*\(\s*(\w*)\s*,\s*(\w*)\s*,\s*(\w*)\s*\)/) {
+                                        $def .= "int d2i_$3(void);";
+                                        $def .= "int i2d_$3(void);";
+                                        # Variant for platforms that do not
+                                        # have to access globale variables
+                                        # in shared libraries through functions
+                                        $def .=
+                                            "#INFO:"
+                                                .join(',',"!EXPORT_VAR_AS_FUNCTION",@current_platforms).":"
+                                                    .join(',',@current_algorithms).";";
+                                        $def .= "OPENSSL_EXTERN int $2_it;";
+                                        $def .=
+                                            "#INFO:"
+                                                .join(',',@current_platforms).":"
+                                                    .join(',',@current_algorithms).";";
+                                        # Variant for platforms that have to
+                                        # access globale variables in shared
+                                        # libraries through functions
+                                        &$make_variant("$2_it","$2_it",
+                                                      "EXPORT_VAR_AS_FUNCTION",
+                                                      "FUNCTION");
+                                        next;
+                                } elsif (/^\s*DECLARE_ASN1_FUNCTIONS_fname\s*\(\s*(\w*)\s*,\s*(\w*)\s*,\s*(\w*)\s*\)/) {
+                                        $def .= "int d2i_$3(void);";
+                                        $def .= "int i2d_$3(void);";
+                                        $def .= "int $3_free(void);";
+                                        $def .= "int $3_new(void);";
+                                        # Variant for platforms that do not
+                                        # have to access globale variables
+                                        # in shared libraries through functions
+                                        $def .=
+                                            "#INFO:"
+                                                .join(',',"!EXPORT_VAR_AS_FUNCTION",@current_platforms).":"
+                                                    .join(',',@current_algorithms).";";
+                                        $def .= "OPENSSL_EXTERN int $2_it;";
+                                        $def .=
+                                            "#INFO:"
+                                                .join(',',@current_platforms).":"
+                                                    .join(',',@current_algorithms).";";
+                                        # Variant for platforms that have to
+                                        # access globale variables in shared
+                                        # libraries through functions
+                                        &$make_variant("$2_it","$2_it",
+                                                      "EXPORT_VAR_AS_FUNCTION",
+                                                      "FUNCTION");
+                                        next;
+                                } elsif (/^\s*DECLARE_ASN1_FUNCTIONS\s*\(\s*(\w*)\s*\)/ ||
+                                         /^\s*DECLARE_ASN1_FUNCTIONS_const\s*\(\s*(\w*)\s*\)/) {
+                                        $def .= "int d2i_$1(void);";
+                                        $def .= "int i2d_$1(void);";
+                                        $def .= "int $1_free(void);";
+                                        $def .= "int $1_new(void);";
+                                        # Variant for platforms that do not
+                                        # have to access globale variables
+                                        # in shared libraries through functions
+                                        $def .=
+                                            "#INFO:"
+                                                .join(',',"!EXPORT_VAR_AS_FUNCTION",@current_platforms).":"
+                                                    .join(',',@current_algorithms).";";
+                                        $def .= "OPENSSL_EXTERN int $1_it;";
+                                        $def .=
+                                            "#INFO:"
+                                                .join(',',@current_platforms).":"
+                                                    .join(',',@current_algorithms).";";
+                                        # Variant for platforms that have to
+                                        # access globale variables in shared
+                                        # libraries through functions
+                                        &$make_variant("$1_it","$1_it",
+                                                      "EXPORT_VAR_AS_FUNCTION",
+                                                      "FUNCTION");
+                                        next;
+                                } elsif (/^\s*DECLARE_ASN1_ENCODE_FUNCTIONS_const\s*\(\s*(\w*)\s*,\s*(\w*)\s*\)/) {
+                                        $def .= "int d2i_$2(void);";
+                                        $def .= "int i2d_$2(void);";
+                                        # Variant for platforms that do not
+                                        # have to access globale variables
+                                        # in shared libraries through functions
+                                        $def .=
+                                            "#INFO:"
+                                                .join(',',"!EXPORT_VAR_AS_FUNCTION",@current_platforms).":"
+                                                    .join(',',@current_algorithms).";";
+                                        $def .= "OPENSSL_EXTERN int $2_it;";
+                                        $def .=
+                                            "#INFO:"
+                                                .join(',',@current_platforms).":"
+                                                    .join(',',@current_algorithms).";";
+                                        # Variant for platforms that have to
+                                        # access globale variables in shared
+                                        # libraries through functions
+                                        &$make_variant("$2_it","$2_it",
+                                                      "EXPORT_VAR_AS_FUNCTION",
+                                                      "FUNCTION");
+                                        next;
+                                } elsif (/^\s*DECLARE_ASN1_FUNCTIONS_name\s*\(\s*(\w*)\s*,\s*(\w*)\s*\)/) {
+                                        $def .= "int d2i_$2(void);";
+                                        $def .= "int i2d_$2(void);";
+                                        $def .= "int $2_free(void);";
+                                        $def .= "int $2_new(void);";
+                                        # Variant for platforms that do not
+                                        # have to access globale variables
+                                        # in shared libraries through functions
+                                        $def .=
+                                            "#INFO:"
+                                                .join(',',"!EXPORT_VAR_AS_FUNCTION",@current_platforms).":"
+                                                    .join(',',@current_algorithms).";";
+                                        $def .= "OPENSSL_EXTERN int $2_it;";
+                                        $def .=
+                                            "#INFO:"
+                                                .join(',',@current_platforms).":"
+                                                    .join(',',@current_algorithms).";";
+                                        # Variant for platforms that have to
+                                        # access globale variables in shared
+                                        # libraries through functions
+                                        &$make_variant("$2_it","$2_it",
+                                                      "EXPORT_VAR_AS_FUNCTION",
+                                                      "FUNCTION");
+                                        next;
+                                } elsif (/^\s*DECLARE_ASN1_ITEM\s*\(\s*(\w*)\s*\)/) {
+                                        # Variant for platforms that do not
+                                        # have to access globale variables
+                                        # in shared libraries through functions
+                                        $def .=
+                                            "#INFO:"
+                                                .join(',',"!EXPORT_VAR_AS_FUNCTION",@current_platforms).":"
+                                                    .join(',',@current_algorithms).";";
+                                        $def .= "OPENSSL_EXTERN int $1_it;";
+                                        $def .=
+                                            "#INFO:"
+                                                .join(',',@current_platforms).":"
+                                                    .join(',',@current_algorithms).";";
+                                        # Variant for platforms that have to
+                                        # access globale variables in shared
+                                        # libraries through functions
+                                        &$make_variant("$1_it","$1_it",
+                                                      "EXPORT_VAR_AS_FUNCTION",
+                                                      "FUNCTION");
+                                        next;
+                                } elsif (/^\s*DECLARE_ASN1_SET_OF\s*\(\s*(\w*)\s*\)/) {
+                                        next;
+                                } elsif (/^\s*DECLARE_PKCS12_STACK_OF\s*\(\s*(\w*)\s*\)/) {
+                                        next;
+                                } elsif (/^DECLARE_PEM_rw\s*\(\s*(\w*)\s*,/ ||
+                                         /^DECLARE_PEM_rw_cb\s*\(\s*(\w*)\s*,/ ) {
+                                        # Things not in Win16
+                                        $def .=
+                                            "#INFO:"
+                                                .join(',',"!WIN16",@current_platforms).":"
+                                                    .join(',',@current_algorithms).";";
+                                        $def .= "int PEM_read_$1(void);";
+                                        $def .= "int PEM_write_$1(void);";
+                                        $def .=
+                                            "#INFO:"
+                                                .join(',',@current_platforms).":"
+                                                    .join(',',@current_algorithms).";";
+                                        # Things that are everywhere
+                                        $def .= "int PEM_read_bio_$1(void);";
+                                        $def .= "int PEM_write_bio_$1(void);";
+                                        next;
+                                } elsif (/^DECLARE_PEM_write\s*\(\s*(\w*)\s*,/ ||
+                                         /^DECLARE_PEM_write_cb\s*\(\s*(\w*)\s*,/ ) {
+                                        # Things not in Win16
+                                        $def .=
+                                            "#INFO:"
+                                                .join(',',"!WIN16",@current_platforms).":"
+                                                    .join(',',@current_algorithms).";";
+                                        $def .= "int PEM_write_$1(void);";
+                                        $def .=
+                                            "#INFO:"
+                                                .join(',',@current_platforms).":"
+                                                    .join(',',@current_algorithms).";";
+                                        # Things that are everywhere
+                                        $def .= "int PEM_write_bio_$1(void);";
+                                        next;
+                                } elsif (/^DECLARE_PEM_read\s*\(\s*(\w*)\s*,/ ||
+                                         /^DECLARE_PEM_read_cb\s*\(\s*(\w*)\s*,/ ) {
+                                        # Things not in Win16
+                                        $def .=
+                                            "#INFO:"
+                                                .join(',',"!WIN16",@current_platforms).":"
+                                                    .join(',',@current_algorithms).";";
+                                        $def .= "int PEM_read_$1(void);";
+                                        $def .=
+                                            "#INFO:"
+                                                .join(',',@current_platforms).":"
+                                                    .join(',',@current_algorithms).";";
+                                        # Things that are everywhere
+                                        $def .= "int PEM_read_bio_$1(void);";
+                                        next;
+                                } elsif (/^OPENSSL_DECLARE_GLOBAL\s*\(\s*(\w*)\s*,\s*(\w*)\s*\)/) {
+                                        # Variant for platforms that do not
+                                        # have to access globale variables
+                                        # in shared libraries through functions
+                                        $def .=
+                                            "#INFO:"
+                                                .join(',',"!EXPORT_VAR_AS_FUNCTION",@current_platforms).":"
+                                                    .join(',',@current_algorithms).";";
+                                        $def .= "OPENSSL_EXTERN int _shadow_$2;";
+                                        $def .=
+                                            "#INFO:"
+                                                .join(',',@current_platforms).":"
+                                                    .join(',',@current_algorithms).";";
+                                        # Variant for platforms that have to
+                                        # access globale variables in shared
+                                        # libraries through functions
+                                        &$make_variant("_shadow_$2","_shadow_$2",
+                                                      "EXPORT_VAR_AS_FUNCTION",
+                                                      "FUNCTION");
+                                } elsif ($tag{'CONST_STRICT'} != 1) {
                                         if (/\{|\/\*|\([^\)]*$/) {
                                                 $line = $_;
                                         } else {
@@ -449,11 +766,13 @@ sub do_defs
                                         }
                                 }
                         }
+                }
                 close(IN);
 
                 my $algs;
                 my $plays;
 
+                print STDERR "DEBUG: postprocessing ----------\n" if $debug;
                 foreach (split /;/, $def) {
                         my $s; my $k = "FUNCTION"; my $p; my $a;
                         s/^[\n\s]*//g;
@@ -462,26 +781,32 @@ sub do_defs
                         next if(/typedef\W/);
                         next if(/\#define/);
 
+                        print STDERR "DEBUG: \$_ = \"$_\"\n" if $debug;
                         if (/^\#INFO:([^:]*):(.*)$/) {
                                 $plats = $1;
                                 $algs = $2;
+                                print STDERR "DEBUG: found info on platforms ($plats) and algorithms ($algs)\n" if $debug;
                                 next;
-                        } elsif (/^\s*OPENSSL_EXTERN\s.*?(\w+)(\[[0-9]*\])*\s*$/) {
+                        } elsif (/^\s*OPENSSL_EXTERN\s.*?(\w+(\{[0-9]+\})?)(\[[0-9]*\])*\s*$/) {
                                 $s = $1;
                                 $k = "VARIABLE";
-                        } elsif (/\(\*(\w*)\([^\)]+/) {
+                                print STDERR "DEBUG: found external variable $s\n" if $debug;
+                        } elsif (/\(\*(\w*(\{[0-9]+\})?)\([^\)]+/) {
                                 $s = $1;
+                                print STDERR "DEBUG: found ANSI C function $s\n" if $debug;
                         } elsif (/\w+\W+(\w+)\W*\(\s*\)$/s) {
                                 # K&R C
+                                print STDERR "DEBUG: found K&R C function $s\n" if $debug;
                                 next;
-                        } elsif (/\w+\W+\w+\W*\(.*\)$/s) {
+                        } elsif (/\w+\W+\w+(\{[0-9]+\})?\W*\(.*\)$/s) {
                                 while (not /\(\)$/s) {
                                         s/[^\(\)]*\)$/\)/s;
                                         s/\([^\(\)]*\)\)$/\)/s;
                                 }
                                 s/\(void\)//;
-                                /(\w+)\W*\(\)/s;
+                                /(\w+(\{[0-9]+\})?)\W*\(\)/s;
                                 $s = $1;
+                                print STDERR "DEBUG: found function $s\n" if $debug;
                         } elsif (/\(/ and not (/=/)) {
                                 print STDERR "File $file: cannot parse: $_;\n";
                                 next;
@@ -512,67 +837,61 @@ sub do_defs
                         $a .= ",RSA" if($s =~ /RSAPrivateKey/);
                         $a .= ",RSA" if($s =~ /SSLv23?_((client|server)_)?method/);
 
-                        $platform{$s} .= ','.$p;
+                        $platform{$s} =
+                            &reduce_platforms((defined($platform{$s})?$platform{$s}.',':"").$p);
                         $algorithm{$s} .= ','.$a;
 
-                        if (defined($rename{$s})) {
-                                (my $r, my $p) = split(/:/,$rename{$s});
-                                my @ip = map { /^!(.*)$/ ? $1 : "!".$_ } split /,/, $p;
-                                $syms{$r} = 1;
-                                $kind{$r} = $kind{$s}."(".$s.")";
-                                $algorithm{$r} = $algorithm{$s};
-                                $platform{$r} = $platform{$s}.",".$p;
-                                $platform{$s} .= ','.join(',', @ip).','.join(',', @ip);
+                        if (defined($variant{$s})) {
+                                foreach $v (split /;/,$variant{$s}) {
+                                        (my $r, my $p, my $k) = split(/:/,$v);
+                                        my $ip = join ',',map({ /^!(.*)$/ ? $1 : "!".$_ } split /,/, $p);
+                                        $syms{$r} = 1;
+                                        if (!defined($k)) { $k = $kind{$s}; }
+                                        $kind{$r} = $k."(".$s.")";
+                                        $algorithm{$r} = $algorithm{$s};
+                                        $platform{$r} = &reduce_platforms($platform{$s}.",".$p.",".$p);
+                                        $platform{$s} = &reduce_platforms($platform{$s}.','.$ip.','.$ip);
+                                        print STDERR "DEBUG: \$variant{\"$s\"} = ",$v,"; \$r = $r; \$p = ",$platform{$r},"; \$a = ",$algorithm{$r},"; \$kind = ",$kind{$r},"\n" if $debug;
+                                }
                         }
+                        print STDERR "DEBUG: \$s = $s; \$p = ",$platform{$s},"; \$a = ",$algorithm{$s},"; \$kind = ",$kind{$s},"\n" if $debug;
                 }
         }
 
         # Prune the returned symbols
 
-        $platform{"crypt"} .= ",!PERL5,!__FreeBSD__,!NeXT";
-
-        delete $syms{"SSL_add_dir_cert_subjects_to_stack"};
         delete $syms{"bn_dump1"};
-
-        $platform{"BIO_s_file_internal"} .= ",WIN16";
-        $platform{"BIO_new_file_internal"} .= ",WIN16";
-        $platform{"BIO_new_fp_internal"} .= ",WIN16";
-
-        $platform{"BIO_s_file"} .= ",!WIN16";
-        $platform{"BIO_new_file"} .= ",!WIN16";
-        $platform{"BIO_new_fp"} .= ",!WIN16";
-
         $platform{"BIO_s_log"} .= ",!WIN32,!WIN16,!macintosh";
 
-        if(exists $syms{"ERR_load_CRYPTO_strings"}) {
-                $platform{"ERR_load_CRYPTO_strings"} .= ",!VMS,!WIN16";
-                $syms{"ERR_load_CRYPTOlib_strings"} = 1;
-                $platform{"ERR_load_CRYPTOlib_strings"} .= ",VMS,WIN16";
-        }
+        $platform{"PEM_read_NS_CERT_SEQ"} = "VMS";
+        $platform{"PEM_write_NS_CERT_SEQ"} = "VMS";
+        $platform{"PEM_read_P8_PRIV_KEY_INFO"} = "VMS";
+        $platform{"PEM_write_P8_PRIV_KEY_INFO"} = "VMS";
 
         # Info we know about
 
-        $platform{"RSA_PKCS1_RSAref"} = "RSAREF";
-        $algorithm{"RSA_PKCS1_RSAref"} = "RSA";
-
         push @ret, map { $_."\\".&info_string($_,"EXIST",
                                               $platform{$_},
                                               $kind{$_},
                                               $algorithm{$_}) } keys %syms;
 
+        if (keys %unknown_algorithms) {
+                print STDERR "WARNING: mkdef.pl doesn't know the following algorithms:\n";
+                print STDERR "\t",join("\n\t",keys %unknown_algorithms),"\n";
+        }
         return(@ret);
 }
 
-sub info_string {
-        (my $symbol, my $exist, my $platforms, my $kind, my $algorithms) = @_;
-
-        my %a = defined($algorithms) ?
-            map { $_ => 1 } split /,/, $algorithms : ();
+# Param: string of comma-separated platform-specs.
+sub reduce_platforms
+{
+        my ($platforms) = @_;
         my $pl = defined($platforms) ? $platforms : "";
         my %p = map { $_ => 0 } split /,/, $pl;
-        my $k = defined($kind) ? $kind : "FUNCTION";
         my $ret;
 
+        print STDERR "DEBUG: Entered reduce_platforms with \"$platforms\"\n"
+            if $debug;
         # We do this, because if there's code like the following, it really
         # means the function exists in all cases and should therefore be
         # everywhere.  By increasing and decreasing, we may attain 0:
@@ -594,12 +913,28 @@ sub info_string {
         }
 
         delete $p{""};
+
+        $ret = join(',',sort(map { $p{$_} < 0 ? "!".$_ : $_ } keys %p));
+        print STDERR "DEBUG: Exiting reduce_platforms with \"$ret\"\n"
+            if $debug;
+        return $ret;
+}
+
+sub info_string {
+        (my $symbol, my $exist, my $platforms, my $kind, my $algorithms) = @_;
+
+        my %a = defined($algorithms) ?
+            map { $_ => 1 } split /,/, $algorithms : ();
+        my $k = defined($kind) ? $kind : "FUNCTION";
+        my $ret;
+        my $p = &reduce_platforms($platforms);
+
         delete $a{""};
 
         $ret = $exist;
-        $ret .= ":".join(',',map { $p{$_} < 0 ? "!".$_ : $_ } keys %p);
+        $ret .= ":".$p;
         $ret .= ":".$k;
-        $ret .= ":".join(',',keys %a);
+        $ret .= ":".join(',',sort keys %a);
         return $ret;
 }
 
@@ -607,19 +942,30 @@ sub maybe_add_info {
         (my $name, *nums, my @symbols) = @_;
         my $sym;
         my $new_info = 0;
+        my %syms=();
 
         print STDERR "Updating $name info\n";
         foreach $sym (@symbols) {
                 (my $s, my $i) = split /\\/, $sym;
-                $i =~ s/^(.*?:.*?:\w+)(\(\w+\))?/$1/;
                 if (defined($nums{$s})) {
+                        $i =~ s/^(.*?:.*?:\w+)(\(\w+\))?/$1/;
                         (my $n, my $dummy) = split /\\/, $nums{$s};
                         if (!defined($dummy) || $i ne $dummy) {
                                 $nums{$s} = $n."\\".$i;
                                 $new_info++;
-                                #print STDERR "DEBUG: maybe_add_info for $s: \"$dummy\" => \"$i\"\n";
+                                print STDERR "DEBUG: maybe_add_info for $s: \"$dummy\" => \"$i\"\n" if $debug;
                         }
                 }
+                $syms{$s} = 1;
+        }
+
+        my @s=sort { &parse_number($nums{$a},"n") <=> &parse_number($nums{$b},"n") } keys %nums;
+        foreach $sym (@s) {
+                (my $n, my $i) = split /\\/, $nums{$sym};
+                if (!defined($syms{$sym}) && $i !~ /^NOEXIST:/) {
+                        $new_info++;
+                        print STDERR "DEBUG: maybe_add_info for $sym: -> undefined\n" if $debug;
+                }
         }
         if ($new_info) {
                 print STDERR "$new_info old symbols got an info update\n";
@@ -631,35 +977,121 @@ sub maybe_add_info {
         }
 }
 
+# Param: string of comma-separated keywords, each possibly prefixed with a "!"
+sub is_valid
+{
+        my ($keywords_txt,$platforms) = @_;
+        my (@keywords) = split /,/,$keywords_txt;
+        my ($falsesum, $truesum) = (0, !grep(/^[^!]/,@keywords));
+
+        # Param: one keyword
+        sub recognise
+        {
+                my ($keyword,$platforms) = @_;
+
+                if ($platforms) {
+                        # platforms
+                        if ($keyword eq "VMS" && $VMS) { return 1; }
+                        if ($keyword eq "WIN32" && $W32) { return 1; }
+                        if ($keyword eq "WIN16" && $W16) { return 1; }
+                        if ($keyword eq "WINNT" && $NT) { return 1; }
+                        # Special platforms:
+                        # EXPORT_VAR_AS_FUNCTION means that global variables
+                        # will be represented as functions.  This currently
+                        # only happens on VMS-VAX.
+                        if ($keyword eq "EXPORT_VAR_AS_FUNCTION" && ($VMSVAX || $W32 || $W16)) {
+                                return 1;
+                        }
+                        return 0;
+                } else {
+                        # algorithms
+                        if ($keyword eq "RC2" && $no_rc2) { return 0; }
+                        if ($keyword eq "RC4" && $no_rc4) { return 0; }
+                        if ($keyword eq "RC5" && $no_rc5) { return 0; }
+                        if ($keyword eq "IDEA" && $no_idea) { return 0; }
+                        if ($keyword eq "DES" && $no_des) { return 0; }
+                        if ($keyword eq "BF" && $no_bf) { return 0; }
+                        if ($keyword eq "CAST" && $no_cast) { return 0; }
+                        if ($keyword eq "MD2" && $no_md2) { return 0; }
+                        if ($keyword eq "MD4" && $no_md4) { return 0; }
+                        if ($keyword eq "MD5" && $no_md5) { return 0; }
+                        if ($keyword eq "SHA" && $no_sha) { return 0; }
+                        if ($keyword eq "RIPEMD" && $no_ripemd) { return 0; }
+                        if ($keyword eq "MDC2" && $no_mdc2) { return 0; }
+                        if ($keyword eq "RSA" && $no_rsa) { return 0; }
+                        if ($keyword eq "DSA" && $no_dsa) { return 0; }
+                        if ($keyword eq "DH" && $no_dh) { return 0; }
+                        if ($keyword eq "EC" && $no_ec) { return 0; }
+                        if ($keyword eq "HMAC" && $no_hmac) { return 0; }
+                        if ($keyword eq "AES" && $no_aes) { return 0; }
+                        if ($keyword eq "EVP" && $no_evp) { return 0; }
+                        if ($keyword eq "LHASH" && $no_lhash) { return 0; }
+                        if ($keyword eq "STACK" && $no_stack) { return 0; }
+                        if ($keyword eq "ERR" && $no_err) { return 0; }
+                        if ($keyword eq "BUFFER" && $no_buffer) { return 0; }
+                        if ($keyword eq "BIO" && $no_bio) { return 0; }
+                        if ($keyword eq "COMP" && $no_comp) { return 0; }
+                        if ($keyword eq "DSO" && $no_dso) { return 0; }
+                        if ($keyword eq "KRB5" && $no_krb5) { return 0; }
+                        if ($keyword eq "FP_API" && $no_fp_api) { return 0; }
+
+                        # Nothing recognise as true
+                        return 1;
+                }
+        }
+
+        foreach $k (@keywords) {
+                if ($k =~ /^!(.*)$/) {
+                        $falsesum += &recognise($1,$platforms);
+                } else {
+                        $truesum += &recognise($k,$platforms);
+                }
+        }
+        print STDERR "DEBUG: [",$#keywords,",",$#keywords < 0,"] is_valid($keywords_txt) => (\!$falsesum) && $truesum = ",(!$falsesum) && $truesum,"\n" if $debug;
+        return (!$falsesum) && $truesum;
+}
+
 sub print_test_file
 {
-        (*OUT,my $name,*nums,my @symbols)=@_;
+        (*OUT,my $name,*nums,my $testall,my @symbols)=@_;
         my $n = 1; my @e; my @r;
         my $sym; my $prev = ""; my $prefSSLeay;
 
-        (@e)=grep(/^SSLeay\\.*?:.*?:FUNCTION/,@symbols);
-        (@r)=grep(/^\w+\\.*?:.*?:FUNCTION/ && !/^SSLeay\\.*?:.*?:FUNCTION/,@symbols);
+        (@e)=grep(/^SSLeay(\{[0-9]+\})?\\.*?:.*?:.*/,@symbols);
+        (@r)=grep(/^\w+(\{[0-9]+\})?\\.*?:.*?:.*/ && !/^SSLeay(\{[0-9]+\})?\\.*?:.*?:.*/,@symbols);
         @symbols=((sort @e),(sort @r));
 
         foreach $sym (@symbols) {
                 (my $s, my $i) = $sym =~ /^(.*?)\\(.*)$/;
-                if ($s ne $prev) {
-                        if (!defined($nums{$sym})) {
-                                printf STDERR "Warning: $sym does not have a number assigned\n"
-                                                if(!$do_update);
+                my $v = 0;
+                $v = 1 if $i=~ /^.*?:.*?:VARIABLE/;
+                my $p = ($i =~ /^[^:]*:([^:]*):/,$1);
+                my $a = ($i =~ /^[^:]*:[^:]*:[^:]*:([^:]*)/,$1);
+                if (!defined($nums{$s})) {
+                        print STDERR "Warning: $s does not have a number assigned\n"
+                            if(!$do_update);
+                } elsif (is_valid($p,1) && is_valid($a,0)) {
+                        my $s2 = ($s =~ /^(.*?)(\{[0-9]+\})?$/, $1);
+                        if ($prev eq $s2) {
+                                print OUT "\t/* The following has already appeared previously */\n";
+                                print STDERR "Warning: Symbol '",$s2,"' redefined. old=",($nums{$prev} =~ /^(.*?)\\/,$1),", new=",($nums{$s2} =~ /^(.*?)\\/,$1),"\n";
+                        }
+                        $prev = $s2;    # To warn about duplicates...
+
+                        ($nn,$ni)=($nums{$s2} =~ /^(.*?)\\(.*)$/);
+                        if ($v) {
+                                print OUT "\textern int $s2; /* type unknown */ /* $nn $ni */\n";
                         } else {
-                                $n=$nums{$s};
-                                print OUT "\t$s();\n";
+                                print OUT "\textern int $s2(); /* type unknown */ /* $nn $ni */\n";
                         }
                 }
-                $prev = $s;     # To avoid duplicates...
         }
 }
 
 sub print_def_file
 {
         (*OUT,my $name,*nums,my @symbols)=@_;
-        my $n = 1; my @e; my @r;
+        my $n = 1; my @e; my @r; my @v; my $prev="";
 
         if ($W32)
                 { $name.="32"; }
@@ -692,80 +1124,35 @@ EOF
 
         print "EXPORTS\n";
 
-        (@e)=grep(/^SSLeay\\.*?:.*?:FUNCTION/,@symbols);
-        (@r)=grep(/^\w+\\.*?:.*?:FUNCTION/ && !/^SSLeay\\.*?:.*?:FUNCTION/,@symbols);
-        @symbols=((sort @e),(sort @r));
+        (@e)=grep(/^SSLeay(\{[0-9]+\})?\\.*?:.*?:FUNCTION/,@symbols);
+        (@r)=grep(/^\w+(\{[0-9]+\})?\\.*?:.*?:FUNCTION/ && !/^SSLeay(\{[0-9]+\})?\\.*?:.*?:FUNCTION/,@symbols);
+        (@v)=grep(/^\w+(\{[0-9]+\})?\\.*?:.*?:VARIABLE/,@symbols);
+        @symbols=((sort @e),(sort @r), (sort @v));
 
 
         foreach $sym (@symbols) {
                 (my $s, my $i) = $sym =~ /^(.*?)\\(.*)$/;
+                my $v = 0;
+                $v = 1 if $i =~ /^.*?:.*?:VARIABLE/;
                 if (!defined($nums{$s})) {
                         printf STDERR "Warning: $s does not have a number assigned\n"
-                                        if(!$do_update);
+                            if(!$do_update);
                 } else {
-                        (my $n, my $i) = split /\\/, $nums{$s};
+                        (my $n, my $dummy) = split /\\/, $nums{$s};
                         my %pf = ();
-                        my @p = split(/,/, ($i =~ /^[^:]*:([^:]*):/,$1));
-                        my @a = split(/,/, ($i =~ /^[^:]*:[^:]*:[^:]*:([^:]*)/,$1));
-                        # @p_purged must contain hardware platforms only
-                        my @p_purged = ();
-                        foreach $ptmp (@p) {
-                                next if $ptmp =~ /^!?RSAREF$/;
-                                push @p_purged, $ptmp;
-                        }
-                        my $negatives = !!grep(/^!/,@p);
-                        # It is very important to check NT before W32
-                        if ((($NT && (!@p_purged
-                                      || (!$negatives && grep(/^WINNT$/,@p))
-                                      || ($negatives && !grep(/^!WINNT$/,@p))))
-                             || ($W32 && (!@p_purged
-                                          || (!$negatives && grep(/^WIN32$/,@p))
-                                          || ($negatives && !grep(/^!WIN32$/,@p))))
-                             || ($W16 && (!@p_purged
-                                          || (!$negatives && grep(/^WIN16$/,@p))
-                                          || ($negatives && !grep(/^!WIN16$/,@p)))))
-                            && (!@p
-                                || (!$negatives
-                                    && ($rsaref || !grep(/^RSAREF$/,@p)))
-                                || ($negatives
-                                    && (!$rsaref || !grep(/^!RSAREF$/,@p))))
-                            && (!@a || (!$no_rc2 || !grep(/^RC2$/,@a)))
-                            && (!@a || (!$no_rc4 || !grep(/^RC4$/,@a)))
-                            && (!@a || (!$no_rc5 || !grep(/^RC5$/,@a)))
-                            && (!@a || (!$no_idea || !grep(/^IDEA$/,@a)))
-                            && (!@a || (!$no_des || !grep(/^DES$/,@a)))
-                            && (!@a || (!$no_bf || !grep(/^BF$/,@a)))
-                            && (!@a || (!$no_cast || !grep(/^CAST$/,@a)))
-                            && (!@a || (!$no_md2 || !grep(/^MD2$/,@a)))
-                            && (!@a || (!$no_md4 || !grep(/^MD4$/,@a)))
-                            && (!@a || (!$no_md5 || !grep(/^MD5$/,@a)))
-                            && (!@a || (!$no_sha || !grep(/^SHA$/,@a)))
-                            && (!@a || (!$no_ripemd || !grep(/^RIPEMD$/,@a)))
-                            && (!@a || (!$no_mdc2 || !grep(/^MDC2$/,@a)))
-                            && (!@a || (!$no_rsa || !grep(/^RSA$/,@a)))
-                            && (!@a || (!$no_dsa || !grep(/^DSA$/,@a)))
-                            && (!@a || (!$no_dh || !grep(/^DH$/,@a)))
-                            && (!@a || (!$no_hmac || !grep(/^HMAC$/,@a)))
-                            && (!@a || (!$no_fp_api || !grep(/^FP_API$/,@a)))
-                            ) {
-                                printf OUT "    %s%-40s@%d\n",($W32)?"":"_",$s,$n;
-#                       } else {
-#                               print STDERR "DEBUG: \"$sym\" (@p):",
-#                               " rsaref:", !!(!@p
-#                                              || (!$negatives
-#                                                  && ($rsaref || !grep(/^RSAREF$/,@p)))
-#                                              || ($negatives
-#                                                  && (!$rsaref || !grep(/^!RSAREF$/,@p))))?1:0,
-#                               " 16:", !!($W16 && (!@p_purged
-#                                                   || (!$negatives && grep(/^WIN16$/,@p))
-#                                                   || ($negatives && !grep(/^!WIN16$/,@p)))),
-#                               " 32:", !!($W32 && (!@p_purged
-#                                                   || (!$negatives && grep(/^WIN32$/,@p))
-#                                                   || ($negatives && !grep(/^!WIN32$/,@p)))),
-#                               " NT:", !!($NT && (!@p_purged
-#                                                  || (!$negatives && grep(/^WINNT$/,@p))
-#                                                  || ($negatives && !grep(/^!WINNT$/,@p)))),
-#                               "\n";
+                        my $p = ($i =~ /^[^:]*:([^:]*):/,$1);
+                        my $a = ($i =~ /^[^:]*:[^:]*:[^:]*:([^:]*)/,$1);
+                        if (is_valid($p,1) && is_valid($a,0)) {
+                                my $s2 = ($s =~ /^(.*?)(\{[0-9]+\})?$/, $1);
+                                if ($prev eq $s2) {
+                                        print STDERR "Warning: Symbol '",$s2,"' redefined. old=",($nums{$prev} =~ /^(.*?)\\/,$1),", new=",($nums{$s2} =~ /^(.*?)\\/,$1),"\n";
+                                }
+                                $prev = $s2;    # To warn about duplicates...
+                                if($v) {
+                                        printf OUT "    %s%-39s @%-8d DATA\n",($W32)?"":"_",$s2,$n;
+                                } else {
+                                        printf OUT "    %s%-39s @%d\n",($W32)?"":"_",$s2,$n;
+                                }
                         }
                 }
         }
@@ -780,6 +1167,7 @@ sub load_numbers
         $max_num = 0;
         $num_noinfo = 0;
         $prev = "";
+        $prev_cnt = 0;
 
         open(IN,"<$name") || die "unable to open $name:$!\n";
         while (<IN>) {
@@ -788,14 +1176,22 @@ sub load_numbers
                 next if /^\s*$/;
                 @a=split;
                 if (defined $ret{$a[0]}) {
-                        print STDERR "Warning: Symbol '",$a[0],"' redefined. old=",$ret{$a[0]},", new=",$a[1],"\n";
+                        # This is actually perfectly OK
+                        #print STDERR "Warning: Symbol '",$a[0],"' redefined. old=",$ret{$a[0]},", new=",$a[1],"\n";
                 }
                 if ($max_num > $a[1]) {
                         print STDERR "Warning: Number decreased from ",$max_num," to ",$a[1],"\n";
                 }
-                if ($max_num == $a[1]) {
+                elsif ($max_num == $a[1]) {
                         # This is actually perfectly OK
                         #print STDERR "Warning: Symbol ",$a[0]," has same number as previous ",$prev,": ",$a[1],"\n";
+                        if ($a[0] eq $prev) {
+                                $prev_cnt++;
+                                $a[0] .= "{$prev_cnt}";
+                        }
+                }
+                else {
+                        $prev_cnt = 0;
                 }
                 if ($#a < 2) {
                         # Existence will be proven later, in do_defs
@@ -837,7 +1233,7 @@ sub rewrite_numbers
 
         print STDERR "Rewriting $name\n";
 
-        my @r = grep(/^\w+\\.*?:.*?:\w+\(\w+\)/,@symbols);
+        my @r = grep(/^\w+(\{[0-9]+\})?\\.*?:.*?:\w+\(\w+\)/,@symbols);
         my $r; my %r; my %rsyms;
         foreach $r (@r) {
                 (my $s, my $i) = split /\\/, $r;
@@ -847,16 +1243,31 @@ sub rewrite_numbers
                 $rsyms{$s} = 1;
         }
 
-        my @s=sort { &parse_number($nums{$a},"n") <=> &parse_number($nums{$b},"n") } keys %nums;
+        my %syms = ();
+        foreach $_ (@symbols) {
+                (my $n, my $i) = split /\\/;
+                $syms{$n} = 1;
+        }
+
+        my @s=sort {
+            &parse_number($nums{$a},"n") <=> &parse_number($nums{$b},"n")
+            || $a cmp $b
+        } keys %nums;
         foreach $sym (@s) {
                 (my $n, my $i) = split /\\/, $nums{$sym};
                 next if defined($i) && $i =~ /^.*?:.*?:\w+\(\w+\)/;
                 next if defined($rsyms{$sym});
-                $i="NOEXIST::FUNCTION:" if !defined($i) || $i eq "";
-                printf OUT "%s%-40s%d\t%s\n","",$sym,$n,$i;
+                print STDERR "DEBUG: rewrite_numbers for sym = ",$sym,": i = ",$i,", n = ",$n,", rsym{sym} = ",$rsyms{$sym},"syms{sym} = ",$syms{$sym},"\n" if $debug;
+                $i="NOEXIST::FUNCTION:"
+                        if !defined($i) || $i eq "" || !defined($syms{$sym});
+                my $s2 = $sym;
+                $s2 =~ s/\{[0-9]+\}$//;
+                printf OUT "%s%-39s %d\t%s\n","",$s2,$n,$i;
                 if (exists $r{$sym}) {
                         (my $s, $i) = split /\\/,$r{$sym};
-                        printf OUT "%s%-40s%d\t%s\n","",$s,$n,$i;
+                        my $s2 = $s;
+                        $s2 =~ s/\{[0-9]+\}$//;
+                        printf OUT "%s%-39s %d\t%s\n","",$s2,$n,$i;
                 }
         }
 }
@@ -868,7 +1279,7 @@ sub update_numbers
 
         print STDERR "Updating $name numbers\n";
 
-        my @r = grep(/^\w+\\.*?:.*?:\w+\(\w+\)/,@symbols);
+        my @r = grep(/^\w+(\{[0-9]+\})?\\.*?:.*?:\w+\(\w+\)/,@symbols);
         my $r; my %r; my %rsyms;
         foreach $r (@r) {
                 (my $s, my $i) = split /\\/, $r;
@@ -886,10 +1297,13 @@ sub update_numbers
                     if $i eq "";
                 if (!exists $nums{$s}) {
                         $new_syms++;
-                        printf OUT "%s%-40s%d\t%s\n","",$s, ++$start_num,$i;
+                        my $s2 = $s;
+                        $s2 =~ s/\{[0-9]+\}$//;
+                        printf OUT "%s%-39s %d\t%s\n","",$s2, ++$start_num,$i;
                         if (exists $r{$s}) {
                                 ($s, $i) = split /\\/,$r{$s};
-                                printf OUT "%s%-40s%d\t%s\n","",$s, $start_num,$i;
+                                $s =~ s/\{[0-9]+\}$//;
+                                printf OUT "%s%-39s %d\t%s\n","",$s, $start_num,$i;
                         }
                 }
         }
diff --git a/src/lib/libcrypto/util/mkerr.pl b/src/lib/libcrypto/util/mkerr.pl
index 7d98b5234d..6c2237d142 100644
--- a/src/lib/libcrypto/util/mkerr.pl
+++ b/src/lib/libcrypto/util/mkerr.pl
@@ -7,7 +7,7 @@ my $static = 1;
 my $recurse = 0;
 my $reindex = 0;
 my $dowrite = 0;
-
+my $staticloader = "";
 
 while (@ARGV) {
         my $arg = $ARGV[0];
@@ -29,6 +29,9 @@ while (@ARGV) {
         } elsif($arg eq "-nostatic") {
                 $static = 0;
                 shift @ARGV;
+        } elsif($arg eq "-staticloader") {
+                $staticloader = "static ";
+                shift @ARGV;
         } elsif($arg eq "-write") {
                 $dowrite = 1;
                 shift @ARGV;
@@ -38,7 +41,7 @@ while (@ARGV) {
 }
 
 if($recurse) {
-        @source = (<crypto/*.c>, <crypto/*/*.c>, <rsaref/*.c>, <ssl/*.c>);
+        @source = (<crypto/*.c>, <crypto/*/*.c>, <ssl/*.c>);
 } else {
         @source = @ARGV;
 }
@@ -53,6 +56,7 @@ while(<IN>)
 {
         if(/^L\s+(\S+)\s+(\S+)\s+(\S+)/) {
                 $hinc{$1} = $2;
+                $libinc{$2} = $1;
                 $cskip{$3} = $1;
                 if($3 ne "NONE") {
                         $csrc{$1} = $3;
@@ -74,42 +78,44 @@ close IN;
 # Scan each header file in turn and make a list of error codes
 # and function names
 
-while (($lib, $hdr) = each %hinc)
+while (($hdr, $lib) = each %libinc)
 {
         next if($hdr eq "NONE");
         print STDERR "Scanning header file $hdr\n" if $debug; 
-        open(IN, "<$hdr") || die "Can't open Header file $hdr\n";
-        my $line = "", $def= "", $linenr = 0;
-        while(<IN>) {
-            $linenr++;
-            print STDERR "line: $linenr\r" if $debug;
-
-            last if(/BEGIN\s+ERROR\s+CODES/);
-            if ($line ne '') {
-                $_ = $line . $_;
-                $line = '';
-            }
+        my $line = "", $def= "", $linenr = 0, $gotfile = 0;
+        if (open(IN, "<$hdr")) {
+            $gotfile = 1;
+            while(<IN>) {
+                $linenr++;
+                print STDERR "line: $linenr\r" if $debug;
+
+                last if(/BEGIN\s+ERROR\s+CODES/);
+                if ($line ne '') {
+                    $_ = $line . $_;
+                    $line = '';
+                }
 
-            if (/\\$/) {
-                $line = $_;
-                next;
-            }
+                if (/\\$/) {
+                    $line = $_;
+                    next;
+                }
 
-            $cpp = 1 if /^#.*ifdef.*cplusplus/;  # skip "C" declaration
-            if ($cpp) {
-                $cpp = 0 if /^#.*endif/;
-                next;
-            }
+                $cpp = 1 if /^#.*ifdef.*cplusplus/;  # skip "C" declaration
+                if ($cpp) {
+                    $cpp = 0 if /^#.*endif/;
+                    next;
+                }
 
-            next if (/^#/);                      # skip preprocessor directives
+                next if (/^\#/);                      # skip preprocessor directives
 
-            s/\/\*.*?\*\///gs;                   # ignore comments
-            s/{[^{}]*}//gs;                      # ignore {} blocks
+                s/\/\*.*?\*\///gs;                   # ignore comments
+                s/{[^{}]*}//gs;                      # ignore {} blocks
 
-            if (/{|\/\*/) { # Add a } so editor works...
-                $line = $_;
-            } else {
-                $def .= $_;
+                if (/\{|\/\*/) { # Add a } so editor works...
+                    $line = $_;
+                } else {
+                    $def .= $_;
+                }
             }
         }
 
@@ -151,10 +157,12 @@ while (($lib, $hdr) = each %hinc)
         # Scan function and reason codes and store them: keep a note of the
         # maximum code used.
 
-        while(<IN>) {
-                if(/^#define\s+(\S+)\s+(\S+)/) {
+        if ($gotfile) {
+            while(<IN>) {
+                if(/^\#define\s+(\S+)\s+(\S+)/) {
                         $name = $1;
                         $code = $2;
+                        next if $name =~ /^${lib}err/;
                         unless($name =~ /^${lib}_([RF])_(\w+)$/) {
                                 print STDERR "Invalid error code $name\n";
                                 next;
@@ -172,6 +180,7 @@ while (($lib, $hdr) = each %hinc)
                                 $fcodes{$name} = $code;
                         }
                 }
+            }
         }
         close IN;
 }
@@ -188,9 +197,11 @@ while (($lib, $hdr) = each %hinc)
 # so all those unreferenced can be printed out.
 
 
+print STDERR "Files loaded: " if $debug;
 foreach $file (@source) {
         # Don't parse the error source file.
         next if exists $cskip{$file};
+        print STDERR $file if $debug;
         open(IN, "<$file") || die "Can't open source file $file\n";
         while(<IN>) {
                 if(/(([A-Z0-9]+)_F_([A-Z0-9_]+))/) {
@@ -214,6 +225,7 @@ foreach $file (@source) {
         }
         close IN;
 }
+print STDERR "\n" if $debug;
 
 # Now process each library in turn.
 
@@ -240,15 +252,74 @@ foreach $lib (keys %csrc)
 
         # Rewrite the header file
 
-        open(IN, "<$hfile") || die "Can't Open Header File $hfile\n";
-
-        # Copy across the old file
-        while(<IN>) {
+        if (open(IN, "<$hfile")) {
+            # Copy across the old file
+            while(<IN>) {
                 push @out, $_;
                 last if (/BEGIN ERROR CODES/);
+            }
+            close IN;
+        } else {
+            push @out,
+"/* ====================================================================\n",
+" * Copyright (c) 2001 The OpenSSL Project.  All rights reserved.\n",
+" *\n",
+" * Redistribution and use in source and binary forms, with or without\n",
+" * modification, are permitted provided that the following conditions\n",
+" * are met:\n",
+" *\n",
+" * 1. Redistributions of source code must retain the above copyright\n",
+" *    notice, this list of conditions and the following disclaimer. \n",
+" *\n",
+" * 2. Redistributions in binary form must reproduce the above copyright\n",
+" *    notice, this list of conditions and the following disclaimer in\n",
+" *    the documentation and/or other materials provided with the\n",
+" *    distribution.\n",
+" *\n",
+" * 3. All advertising materials mentioning features or use of this\n",
+" *    software must display the following acknowledgment:\n",
+" *    \"This product includes software developed by the OpenSSL Project\n",
+" *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)\"\n",
+" *\n",
+" * 4. The names \"OpenSSL Toolkit\" and \"OpenSSL Project\" must not be used to\n",
+" *    endorse or promote products derived from this software without\n",
+" *    prior written permission. For written permission, please contact\n",
+" *    openssl-core\@openssl.org.\n",
+" *\n",
+" * 5. Products derived from this software may not be called \"OpenSSL\"\n",
+" *    nor may \"OpenSSL\" appear in their names without prior written\n",
+" *    permission of the OpenSSL Project.\n",
+" *\n",
+" * 6. Redistributions of any form whatsoever must retain the following\n",
+" *    acknowledgment:\n",
+" *    \"This product includes software developed by the OpenSSL Project\n",
+" *    for use in the OpenSSL Toolkit (http://www.openssl.org/)\"\n",
+" *\n",
+" * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY\n",
+" * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE\n",
+" * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n",
+" * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR\n",
+" * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,\n",
+" * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT\n",
+" * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;\n",
+" * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)\n",
+" * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,\n",
+" * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)\n",
+" * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED\n",
+" * OF THE POSSIBILITY OF SUCH DAMAGE.\n",
+" * ====================================================================\n",
+" *\n",
+" * This product includes cryptographic software written by Eric Young\n",
+" * (eay\@cryptsoft.com).  This product includes software written by Tim\n",
+" * Hudson (tjh\@cryptsoft.com).\n",
+" *\n",
+" */\n",
+"\n",
+"#ifndef HEADER_${lib}_ERR_H\n",
+"#define HEADER_${lib}_ERR_H\n",
+"\n",
+"/* BEGIN ERROR CODES */\n";
         }
-        close IN;
-
         open (OUT, ">$hfile") || die "Can't Open File $hfile for writing\n";
 
         print OUT @out;
@@ -257,7 +328,22 @@ foreach $lib (keys %csrc)
 /* The following lines are auto generated by the script mkerr.pl. Any changes
  * made after this point may be overwritten when the script is next run.
  */
+EOF
+        if($static) {
+                print OUT <<"EOF";
+${staticloader}void ERR_load_${lib}_strings(void);
+
+EOF
+        } else {
+                print OUT <<"EOF";
+${staticloader}void ERR_load_${lib}_strings(void);
+${staticloader}void ERR_unload_${lib}_strings(void);
+${staticloader}void ERR_${lib}_error(int function, int reason, char *file, int line);
+#define ${lib}err(f,r) ERR_${lib}_error((f),(r),__FILE__,__LINE__)
 
+EOF
+        }
+        print OUT <<"EOF";
 /* Error codes for the $lib functions. */
 
 /* Function codes. */
@@ -288,7 +374,6 @@ EOF
 }
 #endif
 #endif
-
 EOF
         close OUT;
 
@@ -382,7 +467,7 @@ EOF
 #include $hincf
 
 /* BEGIN ERROR CODES */
-#ifndef NO_ERR
+#ifndef OPENSSL_NO_ERR
 static ERR_STRING_DATA ${lib}_str_functs[]=
         {
 EOF
@@ -425,14 +510,14 @@ if($static) {
 
 #endif
 
-void ERR_load_${lib}_strings(void)
+${staticloader}void ERR_load_${lib}_strings(void)
         {
         static int init=1;
 
         if (init)
                 {
                 init=0;
-#ifndef NO_ERR
+#ifndef OPENSSL_NO_ERR
                 ERR_load_strings(ERR_LIB_${lib},${lib}_str_functs);
                 ERR_load_strings(ERR_LIB_${lib},${lib}_str_reasons);
 #endif
@@ -456,19 +541,18 @@ static ERR_STRING_DATA ${lib}_lib_name[]=
 #endif
 
 
-int ${lib}_lib_error_code=0;
+static int ${lib}_lib_error_code=0;
+static int ${lib}_error_init=1;
 
-void ERR_load_${lib}_strings(void)
+${staticloader}void ERR_load_${lib}_strings(void)
         {
-        static int init=1;
-
         if (${lib}_lib_error_code == 0)
                 ${lib}_lib_error_code=ERR_get_next_error_library();
 
-        if (init)
+        if (${lib}_error_init)
                 {
-                init=0;
-#ifndef NO_ERR
+                ${lib}_error_init=0;
+#ifndef OPENSSL_NO_ERR
                 ERR_load_strings(${lib}_lib_error_code,${lib}_str_functs);
                 ERR_load_strings(${lib}_lib_error_code,${lib}_str_reasons);
 #endif
@@ -480,7 +564,23 @@ void ERR_load_${lib}_strings(void)
                 }
         }
 
-void ERR_${lib}_error(int function, int reason, char *file, int line)
+${staticloader}void ERR_unload_${lib}_strings(void)
+        {
+        if (${lib}_error_init == 0)
+                {
+#ifndef OPENSSL_NO_ERR
+                ERR_unload_strings(${lib}_lib_error_code,${lib}_str_functs);
+                ERR_unload_strings(${lib}_lib_error_code,${lib}_str_reasons);
+#endif
+
+#ifdef ${lib}_LIB_NAME
+                ERR_unload_strings(0,${lib}_lib_name);
+#endif
+                ${lib}_error_init=1;
+                }
+        }
+
+${staticloader}void ERR_${lib}_error(int function, int reason, char *file, int line)
         {
         if (${lib}_lib_error_code == 0)
                 ${lib}_lib_error_code=ERR_get_next_error_library();
diff --git a/src/lib/libcrypto/util/mkfiles.pl b/src/lib/libcrypto/util/mkfiles.pl
index 470feea76f..29e1404c69 100644
--- a/src/lib/libcrypto/util/mkfiles.pl
+++ b/src/lib/libcrypto/util/mkfiles.pl
@@ -23,11 +23,13 @@ my @dirs = (
 "crypto/idea",
 "crypto/bf",
 "crypto/cast",
+"crypto/aes",
 "crypto/bn",
 "crypto/rsa",
 "crypto/dsa",
 "crypto/dso",
 "crypto/dh",
+"crypto/ec",
 "crypto/buffer",
 "crypto/bio",
 "crypto/stack",
@@ -46,8 +48,10 @@ my @dirs = (
 "crypto/pkcs12",
 "crypto/comp",
 "crypto/engine",
+"crypto/ocsp",
+"crypto/ui",
+"crypto/krb5",
 "ssl",
-"rsaref",
 "apps",
 "test",
 "tools"
diff --git a/src/lib/libcrypto/util/mkstack.pl b/src/lib/libcrypto/util/mkstack.pl
index 3ee13fe7c9..085c50f790 100644
--- a/src/lib/libcrypto/util/mkstack.pl
+++ b/src/lib/libcrypto/util/mkstack.pl
@@ -21,7 +21,7 @@ while (@ARGV) {
 }
 
 
-@source = (<crypto/*.[ch]>, <crypto/*/*.[ch]>, <rsaref/*.[ch]>, <ssl/*.[ch]>);
+@source = (<crypto/*.[ch]>, <crypto/*/*.[ch]>, <ssl/*.[ch]>);
 foreach $file (@source) {
         next if -l $file;
 
diff --git a/src/lib/libcrypto/util/pl/BC-16.pl b/src/lib/libcrypto/util/pl/BC-16.pl
index 6c6df4fe0b..2033f524ca 100644
--- a/src/lib/libcrypto/util/pl/BC-16.pl
+++ b/src/lib/libcrypto/util/pl/BC-16.pl
@@ -21,14 +21,14 @@ $lflags="$base_lflags";
 if ($win16)
         {
         $shlib=1;
-        $cflags.=" -DWINDOWS -DWIN16";
+        $cflags.=" -DOPENSSL_SYSNAME_WIN16";
         $app_cflag="-W";
         $lib_cflag="-WD";
         $lflags.="/Twe";
         }
 else
         {
-        $cflags.=" -DMSDOS";
+        $cflags.=" -DOENSSL_SYSNAME_MSDOS";
         $lflags.=" /Tde";
         }
 
diff --git a/src/lib/libcrypto/util/pl/BC-32.pl b/src/lib/libcrypto/util/pl/BC-32.pl
index 20cb3a9c50..78d60616a6 100644
--- a/src/lib/libcrypto/util/pl/BC-32.pl
+++ b/src/lib/libcrypto/util/pl/BC-32.pl
@@ -4,7 +4,6 @@
 
 $ssl=   "ssleay32";
 $crypto="libeay32";
-$RSAref="RSAref32";
 
 $o='\\';
 $cp='copy';
@@ -19,7 +18,7 @@ $out_def="out32";
 $tmp_def="tmp32";
 $inc_def="inc32";
 #enable max error messages, disable most common warnings
-$cflags="-DWIN32_LEAN_AND_MEAN -q -w-aus -w-par -w-inl  -c -tWC -tWM -DWINDOWS -DWIN32 -DL_ENDIAN -DDSO_WIN32 ";
+$cflags="-DWIN32_LEAN_AND_MEAN -q -w-aus -w-par -w-inl  -c -tWC -tWM -DOPENSSL_SYSNAME_WIN32 -DL_ENDIAN -DDSO_WIN32 ";
 if ($debug)
 {
     $cflags.="-Od -y -v -vi- -D_DEBUG";
diff --git a/src/lib/libcrypto/util/pl/OS2-EMX.pl b/src/lib/libcrypto/util/pl/OS2-EMX.pl
new file mode 100644
index 0000000000..57180556ca
--- /dev/null
+++ b/src/lib/libcrypto/util/pl/OS2-EMX.pl
@@ -0,0 +1,96 @@
+#!/usr/local/bin/perl
+#
+# OS2-EMX.pl - for EMX GCC on OS/2
+#
+
+$o='\\';
+$cp='copy';
+$rm='rm -f';
+
+# C compiler stuff
+
+$cc='gcc';
+$cflags="-DL_ENDIAN -O3 -fomit-frame-pointer -m486 -Zmt -Wall ";
+
+if ($debug) { 
+        $cflags.="-g "; 
+}
+
+$obj='.o';
+$ofile='-o ';
+
+# EXE linking stuff
+$link='${CC}';
+$lflags='${CFLAGS} -Zbsd-signals';
+$efile='-o ';
+$exep='.exe';
+$ex_libs="-lsocket";
+
+# static library stuff
+$mklib='ar r';
+$mlflags='';
+$ranlib="ar s";
+$plib='lib';
+$libp=".a";
+$shlibp=".a";
+$lfile='';
+
+$asm='as';
+$afile='-o ';
+$bn_asm_obj="";
+$bn_asm_src="";
+$des_enc_obj="";
+$des_enc_src="";
+$bf_enc_obj="";
+$bf_enc_src="";
+
+if (!$no_asm)
+        {
+        $bn_asm_obj='crypto\bn\asm\bn-os2.o crypto\bn\asm\co-os2.o';
+        $bn_asm_src='crypto\bn\asm\bn-os2.asm crypto\bn\asm\co-os2.asm';
+        $des_enc_obj='crypto\des\asm\d-os2.o crypto\des\asm\y-os2.o';
+        $des_enc_src='crypto\des\asm\d-os2.asm crypto\des\asm\y-os2.asm';
+        $bf_enc_obj='crypto\bf\asm\b-os2.o';
+        $bf_enc_src='crypto\bf\asm\b-os2.asm';
+        $cast_enc_obj='crypto\cast\asm\c-os2.o';
+        $cast_enc_src='crypto\cast\asm\c-os2.asm';
+        $rc4_enc_obj='crypto\rc4\asm\r4-os2.o';
+        $rc4_enc_src='crypto\rc4\asm\r4-os2.asm';
+        $rc5_enc_obj='crypto\rc5\asm\r5-os2.o';
+        $rc5_enc_src='crypto\rc5\asm\r5-os2.asm';
+        $md5_asm_obj='crypto\md5\asm\m5-os2.o';
+        $md5_asm_src='crypto\md5\asm\m5-os2.asm';
+        $sha1_asm_obj='crypto\sha\asm\s1-os2.o';
+        $sha1_asm_src='crypto\sha\asm\s1-os2.asm';
+        $rmd160_asm_obj='crypto\ripemd\asm\rm-os2.o';
+        $rmd160_asm_src='crypto\ripemd\asm\rm-os2.asm';
+        }
+
+sub do_lib_rule
+        {
+        local($obj,$target,$name,$shlib)=@_;
+        local($ret,$_,$Name);
+
+        $target =~ s/\//$o/g if $o ne '/';
+        $target="$target";
+        ($Name=$name) =~ tr/a-z/A-Z/;
+
+        $ret.="$target: \$(${Name}OBJ)\n";
+        $ret.="\t\$(RM) $target\n";
+        $ret.="\t\$(MKLIB) $target \$(${Name}OBJ)\n";
+        $ret.="\t\$(RANLIB) $target\n\n";
+        }
+
+sub do_link_rule
+        {
+        local($target,$files,$dep_libs,$libs)=@_;
+        local($ret,$_);
+        
+        $file =~ s/\//$o/g if $o ne '/';
+        $n=&bname($target);
+        $ret.="$target: $files $dep_libs\n";
+        $ret.="\t\$(LINK) ${efile}$target \$(LFLAGS) $files $libs\n\n";
+        return($ret);
+        }
+
+1;
diff --git a/src/lib/libcrypto/util/pl/VC-16.pl b/src/lib/libcrypto/util/pl/VC-16.pl
index a5079d4ca7..7cda5e67a9 100644
--- a/src/lib/libcrypto/util/pl/VC-16.pl
+++ b/src/lib/libcrypto/util/pl/VC-16.pl
@@ -4,7 +4,6 @@
 
 $ssl=   "ssleay16";
 $crypto="libeay16";
-$RSAref="RSAref16";
 
 $o='\\';
 $cp='copy';
@@ -34,7 +33,7 @@ $lflags="$base_lflags /STACK:20000";
 
 if ($win16)
         {
-        $cflags.=" -DWINDOWS -DWIN16";
+        $cflags.=" -DOPENSSL_SYSNAME_WIN16";
         $app_cflag="/Gw /FPi87";
         $lib_cflag="/Gw";
         $lib_cflag.=" -D_WINDLL -D_DLL" if $shlib;
diff --git a/src/lib/libcrypto/util/pl/VC-32.pl b/src/lib/libcrypto/util/pl/VC-32.pl
index 7c6674b971..50bfb34385 100644
--- a/src/lib/libcrypto/util/pl/VC-32.pl
+++ b/src/lib/libcrypto/util/pl/VC-32.pl
@@ -4,7 +4,6 @@
 
 $ssl=   "ssleay32";
 $crypto="libeay32";
-$RSAref="RSAref32";
 
 $o='\\';
 $cp='copy nul+';        # Timestamps get stuffed otherwise
@@ -12,7 +11,7 @@ $rm='del';
 
 # C compiler stuff
 $cc='cl';
-$cflags=' /MD /W3 /WX /G5 /Ox /O2 /Ob2 /Gs0 /GF /Gy /nologo -DWIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DDSO_WIN32';
+$cflags=' /MD /W3 /WX /G5 /Ox /O2 /Ob2 /Gs0 /GF /Gy /nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DDSO_WIN32';
 $lflags="/nologo /subsystem:console /machine:I386 /opt:ref";
 $mlflags='';
 
@@ -22,11 +21,11 @@ $inc_def="inc32";
 
 if ($debug)
         {
-        $cflags=" /MDd /W3 /WX /Zi /Yd /Od /nologo -DWIN32 -D_DEBUG -DL_ENDIAN -DWIN32_LEAN_AND_MEAN -DDEBUG -DDSO_WIN32";
+        $cflags=" /MDd /W3 /WX /Zi /Yd /Od /nologo -DOPENSSL_SYSNAME_WIN32 -D_DEBUG -DL_ENDIAN -DWIN32_LEAN_AND_MEAN -DDEBUG -DDSO_WIN32";
         $lflags.=" /debug";
         $mlflags.=' /debug';
         }
-$cflags .= " -DWINNT" if $NT == 1;
+$cflags .= " -DOPENSSL_SYSNAME_WINNT" if $NT == 1;
 
 $obj='.obj';
 $ofile="/Fo";
@@ -92,7 +91,7 @@ if ($shlib)
         {
         $mlflags.=" $lflags /dll";
 #       $cflags =~ s| /MD| /MT|;
-        $lib_cflag=" /GD -D_WINDLL -D_DLL";
+        $lib_cflag=" -D_WINDLL -D_DLL";
         $out_def="out32dll";
         $tmp_def="tmp32dll";
         }
diff --git a/src/lib/libcrypto/util/selftest.pl b/src/lib/libcrypto/util/selftest.pl
index eb50d52ff8..276b81183d 100644
--- a/src/lib/libcrypto/util/selftest.pl
+++ b/src/lib/libcrypto/util/selftest.pl
@@ -50,6 +50,7 @@ if (open(IN,"<Makefile.ssl")) {
 
 $cversion=`$cc -v 2>&1`;
 $cversion=`$cc -V 2>&1` if $cversion =~ "usage";
+$cversion=`$cc -V |head -1` if $cversion =~ "Error";
 $cversion=`$cc --version` if $cversion eq "";
 $cversion =~ s/Reading specs.*\n//;
 $cversion =~ s/usage.*\n//;
@@ -57,7 +58,7 @@ chomp $cversion;
 
 if (open(IN,"<CHANGES")) {
     while(<IN>) {
-        if (/\*\) (.{0,55})/) {
+        if (/\*\) (.{0,55})/ && !/applies to/) {
             $last=$1;
             last;
         }
@@ -131,19 +132,14 @@ if (system("make 2>&1 | tee make.log") > 255) {
 
 $_=$options;
 s/no-asm//;
+s/no-shared//;
+s/no-krb5//;
 if (/no-/)
 {
     print OUT "Test skipped.\n";
     goto err;
 }
 
-if (`echo 4+1 | bc` != 5)
-{
-    print OUT "Can't run bc! Test skipped.\n";
-    print OUT $not_our_fault;
-    goto err;
-}
-
 print "Running make test...\n";
 if (system("make test 2>&1 | tee maketest.log") > 255)
  {
diff --git a/src/lib/libcrypto/util/ssleay.num b/src/lib/libcrypto/util/ssleay.num
index 561bac2ec9..fdea47205d 100644
--- a/src/lib/libcrypto/util/ssleay.num
+++ b/src/lib/libcrypto/util/ssleay.num
@@ -18,16 +18,16 @@ SSL_CTX_set_ssl_version                 19	EXIST::FUNCTION:
 SSL_CTX_set_verify                      21      EXIST::FUNCTION:
 SSL_CTX_use_PrivateKey                  22      EXIST::FUNCTION:
 SSL_CTX_use_PrivateKey_ASN1             23      EXIST::FUNCTION:
-SSL_CTX_use_PrivateKey_file             24      EXIST::FUNCTION:
+SSL_CTX_use_PrivateKey_file             24      EXIST::FUNCTION:STDIO
 SSL_CTX_use_RSAPrivateKey               25      EXIST::FUNCTION:RSA
 SSL_CTX_use_RSAPrivateKey_ASN1          26      EXIST::FUNCTION:RSA
-SSL_CTX_use_RSAPrivateKey_file          27      EXIST::FUNCTION:RSA
+SSL_CTX_use_RSAPrivateKey_file          27      EXIST::FUNCTION:RSA,STDIO
 SSL_CTX_use_certificate                 28      EXIST::FUNCTION:
 SSL_CTX_use_certificate_ASN1            29      EXIST::FUNCTION:
-SSL_CTX_use_certificate_file            30      EXIST::FUNCTION:
+SSL_CTX_use_certificate_file            30      EXIST::FUNCTION:STDIO
 SSL_SESSION_free                        31      EXIST::FUNCTION:
 SSL_SESSION_new                         32      EXIST::FUNCTION:
-SSL_SESSION_print                       33      EXIST::FUNCTION:
+SSL_SESSION_print                       33      EXIST::FUNCTION:BIO
 SSL_SESSION_print_fp                    34      EXIST::FUNCTION:FP_API
 SSL_accept                              35      EXIST::FUNCTION:
 SSL_add_client_CA                       36      EXIST::FUNCTION:
@@ -52,15 +52,15 @@ SSL_get_error                           58	EXIST::FUNCTION:
 SSL_get_fd                              59      EXIST::FUNCTION:
 SSL_get_peer_cert_chain                 60      EXIST::FUNCTION:
 SSL_get_peer_certificate                61      EXIST::FUNCTION:
-SSL_get_rbio                            63      EXIST::FUNCTION:
+SSL_get_rbio                            63      EXIST::FUNCTION:BIO
 SSL_get_read_ahead                      64      EXIST::FUNCTION:
 SSL_get_shared_ciphers                  65      EXIST::FUNCTION:
 SSL_get_ssl_method                      66      EXIST::FUNCTION:
 SSL_get_verify_callback                 69      EXIST::FUNCTION:
 SSL_get_verify_mode                     70      EXIST::FUNCTION:
 SSL_get_version                         71      EXIST::FUNCTION:
-SSL_get_wbio                            72      EXIST::FUNCTION:
-SSL_load_client_CA_file                 73      EXIST::FUNCTION:
+SSL_get_wbio                            72      EXIST::FUNCTION:BIO
+SSL_load_client_CA_file                 73      EXIST::FUNCTION:STDIO
 SSL_load_error_strings                  74      EXIST::FUNCTION:
 SSL_new                                 75      EXIST::FUNCTION:
 SSL_peek                                76      EXIST::FUNCTION:
@@ -70,29 +70,29 @@ SSL_renegotiate                         79	EXIST::FUNCTION:
 SSL_rstate_string                       80      EXIST::FUNCTION:
 SSL_rstate_string_long                  81      EXIST::FUNCTION:
 SSL_set_accept_state                    82      EXIST::FUNCTION:
-SSL_set_bio                             83      EXIST::FUNCTION:
+SSL_set_bio                             83      EXIST::FUNCTION:BIO
 SSL_set_cipher_list                     84      EXIST::FUNCTION:
 SSL_set_client_CA_list                  85      EXIST::FUNCTION:
 SSL_set_connect_state                   86      EXIST::FUNCTION:
-SSL_set_fd                              87      EXIST::FUNCTION:
+SSL_set_fd                              87      EXIST::FUNCTION:SOCK
 SSL_set_read_ahead                      88      EXIST::FUNCTION:
-SSL_set_rfd                             89      EXIST::FUNCTION:
+SSL_set_rfd                             89      EXIST::FUNCTION:SOCK
 SSL_set_session                         90      EXIST::FUNCTION:
 SSL_set_ssl_method                      91      EXIST::FUNCTION:
 SSL_set_verify                          94      EXIST::FUNCTION:
-SSL_set_wfd                             95      EXIST::FUNCTION:
+SSL_set_wfd                             95      EXIST::FUNCTION:SOCK
 SSL_shutdown                            96      EXIST::FUNCTION:
 SSL_state_string                        97      EXIST::FUNCTION:
 SSL_state_string_long                   98      EXIST::FUNCTION:
 SSL_use_PrivateKey                      99      EXIST::FUNCTION:
 SSL_use_PrivateKey_ASN1                 100     EXIST::FUNCTION:
-SSL_use_PrivateKey_file                 101     EXIST::FUNCTION:
+SSL_use_PrivateKey_file                 101     EXIST::FUNCTION:STDIO
 SSL_use_RSAPrivateKey                   102     EXIST::FUNCTION:RSA
 SSL_use_RSAPrivateKey_ASN1              103     EXIST::FUNCTION:RSA
-SSL_use_RSAPrivateKey_file              104     EXIST::FUNCTION:RSA
+SSL_use_RSAPrivateKey_file              104     EXIST::FUNCTION:RSA,STDIO
 SSL_use_certificate                     105     EXIST::FUNCTION:
 SSL_use_certificate_ASN1                106     EXIST::FUNCTION:
-SSL_use_certificate_file                107     EXIST::FUNCTION:
+SSL_use_certificate_file                107     EXIST::FUNCTION:STDIO
 SSL_write                               108     EXIST::FUNCTION:
 SSLeay_add_ssl_algorithms               109     NOEXIST::FUNCTION:
 SSLv23_client_method                    110     EXIST::FUNCTION:RSA
@@ -106,17 +106,17 @@ SSLv3_method                            117	EXIST::FUNCTION:
 SSLv3_server_method                     118     EXIST::FUNCTION:
 d2i_SSL_SESSION                         119     EXIST::FUNCTION:
 i2d_SSL_SESSION                         120     EXIST::FUNCTION:
-BIO_f_ssl                               121     EXIST::FUNCTION:
-BIO_new_ssl                             122     EXIST::FUNCTION:
+BIO_f_ssl                               121     EXIST::FUNCTION:BIO
+BIO_new_ssl                             122     EXIST::FUNCTION:BIO
 BIO_proxy_ssl_copy_session_id           123     NOEXIST::FUNCTION:
-BIO_ssl_copy_session_id                 124     EXIST::FUNCTION:
+BIO_ssl_copy_session_id                 124     EXIST::FUNCTION:BIO
 SSL_do_handshake                        125     EXIST::FUNCTION:
 SSL_get_privatekey                      126     EXIST::FUNCTION:
 SSL_get_current_cipher                  127     EXIST::FUNCTION:
 SSL_CIPHER_get_bits                     128     EXIST::FUNCTION:
 SSL_CIPHER_get_version                  129     EXIST::FUNCTION:
 SSL_CIPHER_get_name                     130     EXIST::FUNCTION:
-BIO_ssl_shutdown                        131     EXIST::FUNCTION:
+BIO_ssl_shutdown                        131     EXIST::FUNCTION:BIO
 SSL_SESSION_cmp                         132     EXIST::FUNCTION:
 SSL_SESSION_hash                        133     EXIST::FUNCTION:
 SSL_SESSION_get_time                    134     EXIST::FUNCTION:
@@ -152,8 +152,8 @@ SSL_get_ex_new_index                    169	EXIST::FUNCTION:
 TLSv1_method                            170     EXIST::FUNCTION:
 TLSv1_server_method                     171     EXIST::FUNCTION:
 TLSv1_client_method                     172     EXIST::FUNCTION:
-BIO_new_buffer_ssl_connect              173     EXIST::FUNCTION:
-BIO_new_ssl_connect                     174     EXIST::FUNCTION:
+BIO_new_buffer_ssl_connect              173     EXIST::FUNCTION:BIO
+BIO_new_ssl_connect                     174     EXIST::FUNCTION:BIO
 SSL_get_ex_data_X509_STORE_CTX_idx      175     EXIST:!VMS:FUNCTION:
 SSL_get_ex_d_X509_STORE_CTX_idx         175     EXIST:VMS:FUNCTION:
 SSL_CTX_set_tmp_dh_callback             176     EXIST::FUNCTION:DH
@@ -164,16 +164,16 @@ SSL_CTX_get_cert_store                  180	EXIST::FUNCTION:
 SSL_CTX_set_cert_store                  181     EXIST::FUNCTION:
 SSL_want                                182     EXIST::FUNCTION:
 SSL_library_init                        183     EXIST::FUNCTION:
-SSL_COMP_add_compression_method         184     EXIST::FUNCTION:
-SSL_add_file_cert_subjects_to_stack     185     EXIST:!VMS:FUNCTION:
-SSL_add_file_cert_subjs_to_stk          185     EXIST:VMS:FUNCTION:
+SSL_COMP_add_compression_method         184     EXIST::FUNCTION:COMP
+SSL_add_file_cert_subjects_to_stack     185     EXIST:!VMS:FUNCTION:STDIO
+SSL_add_file_cert_subjs_to_stk          185     EXIST:VMS:FUNCTION:STDIO
 SSL_set_tmp_rsa_callback                186     EXIST::FUNCTION:RSA
 SSL_set_tmp_dh_callback                 187     EXIST::FUNCTION:DH
-SSL_add_dir_cert_subjects_to_stack      188     NOEXIST::FUNCTION:
-SSL_add_dir_cert_subjs_to_stk           188     EXIST:VMS:FUNCTION:
+SSL_add_dir_cert_subjects_to_stack      188     EXIST:!VMS,!WIN32:FUNCTION:STDIO
+SSL_add_dir_cert_subjs_to_stk           188     NOEXIST::FUNCTION:
 SSL_set_session_id_context              189     EXIST::FUNCTION:
-SSL_CTX_use_certificate_chain_file      222     EXIST:!VMS:FUNCTION:
-SSL_CTX_use_cert_chain_file             222     EXIST:VMS:FUNCTION:
+SSL_CTX_use_certificate_chain_file      222     EXIST:!VMS:FUNCTION:STDIO
+SSL_CTX_use_cert_chain_file             222     EXIST:VMS:FUNCTION:STDIO
 SSL_CTX_set_verify_depth                225     EXIST::FUNCTION:
 SSL_set_verify_depth                    226     EXIST::FUNCTION:
 SSL_CTX_get_verify_depth                228     EXIST::FUNCTION:
@@ -193,3 +193,25 @@ SSL_get1_session                        242	EXIST::FUNCTION:
 SSL_CTX_callback_ctrl                   243     EXIST::FUNCTION:
 SSL_callback_ctrl                       244     EXIST::FUNCTION:
 SSL_CTX_sessions                        245     EXIST::FUNCTION:
+SSL_get_rfd                             246     EXIST::FUNCTION:
+SSL_get_wfd                             247     EXIST::FUNCTION:
+kssl_cget_tkt                           248     EXIST::FUNCTION:KRB5
+SSL_has_matching_session_id             249     EXIST::FUNCTION:
+kssl_err_set                            250     EXIST::FUNCTION:KRB5
+kssl_ctx_show                           251     EXIST::FUNCTION:KRB5
+kssl_validate_times                     252     EXIST::FUNCTION:KRB5
+kssl_check_authent                      253     EXIST::FUNCTION:KRB5
+kssl_ctx_new                            254     EXIST::FUNCTION:KRB5
+kssl_build_principal_2                  255     EXIST::FUNCTION:KRB5
+kssl_skip_confound                      256     EXIST::FUNCTION:KRB5
+kssl_sget_tkt                           257     EXIST::FUNCTION:KRB5
+SSL_set_generate_session_id             258     EXIST::FUNCTION:
+kssl_ctx_setkey                         259     EXIST::FUNCTION:KRB5
+kssl_ctx_setprinc                       260     EXIST::FUNCTION:KRB5
+kssl_ctx_free                           261     EXIST::FUNCTION:KRB5
+kssl_krb5_free_data_contents            262     EXIST::FUNCTION:KRB5
+kssl_ctx_setstring                      263     EXIST::FUNCTION:KRB5
+SSL_CTX_set_generate_session_id         264     EXIST::FUNCTION:
+SSL_renegotiate_pending                 265     EXIST::FUNCTION:
+SSL_CTX_set_msg_callback                266     EXIST::FUNCTION:
+SSL_set_msg_callback                    267     EXIST::FUNCTION:
diff --git a/src/lib/libcrypto/x509/Makefile.ssl b/src/lib/libcrypto/x509/Makefile.ssl
index 79f09d4f71..62243ae812 100644
--- a/src/lib/libcrypto/x509/Makefile.ssl
+++ b/src/lib/libcrypto/x509/Makefile.ssl
@@ -5,13 +5,14 @@
 DIR=    x509
 TOP=    ../..
 CC=     cc
-INCLUDES= -I.. -I../../include
+INCLUDES= -I.. -I$(TOP) -I../../include
 CFLAG=-g
 INSTALL_PREFIX=
 OPENSSLDIR=     /usr/local/ssl
 INSTALLTOP=/usr/local/ssl
 MAKE=           make -f Makefile.ssl
-MAKEDEPEND=     $(TOP)/util/domd $(TOP)
+MAKEDEPPROG=    makedepend
+MAKEDEPEND=     $(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)
 MAKEFILE=       Makefile.ssl
 AR=             ar r
 
@@ -24,13 +25,13 @@ APPS=
 LIB=$(TOP)/libcrypto.a
 LIBSRC= x509_def.c x509_d2.c x509_r2x.c x509_cmp.c \
         x509_obj.c x509_req.c x509spki.c x509_vfy.c \
-        x509_set.c x509rset.c x509_err.c \
+        x509_set.c x509cset.c x509rset.c x509_err.c \
         x509name.c x509_v3.c x509_ext.c x509_att.c \
         x509type.c x509_lu.c x_all.c x509_txt.c \
         x509_trs.c by_file.c by_dir.c 
 LIBOBJ= x509_def.o x509_d2.o x509_r2x.o x509_cmp.o \
         x509_obj.o x509_req.o x509spki.o x509_vfy.o \
-        x509_set.o x509rset.o x509_err.o \
+        x509_set.o x509cset.o x509rset.o x509_err.o \
         x509name.o x509_v3.o x509_ext.o x509_att.o \
         x509type.o x509_lu.o x_all.o x509_txt.o \
         x509_trs.o by_file.o by_dir.o
@@ -49,8 +50,7 @@ all:	lib
 
 lib:    $(LIBOBJ)
         $(AR) $(LIB) $(LIBOBJ)
-        @echo You may get an error following this line.  Please ignore.
-        - $(RANLIB) $(LIB)
+        $(RANLIB) $(LIB) || echo Never mind.
         @touch lib
 
 files:
@@ -89,433 +89,322 @@ clean:
 
 # DO NOT DELETE THIS LINE -- make depend depends on it.
 
-by_dir.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-by_dir.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-by_dir.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-by_dir.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-by_dir.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-by_dir.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+by_dir.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
+by_dir.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+by_dir.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
+by_dir.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
 by_dir.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-by_dir.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-by_dir.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-by_dir.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-by_dir.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-by_dir.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-by_dir.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-by_dir.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-by_dir.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+by_dir.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+by_dir.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+by_dir.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+by_dir.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
 by_dir.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
 by_dir.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 by_dir.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-by_dir.o: ../cryptlib.h
-by_file.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-by_file.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-by_file.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-by_file.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+by_dir.o: ../cryptlib.h by_dir.c
+by_file.o: ../../e_os.h ../../include/openssl/asn1.h
+by_file.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+by_file.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 by_file.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-by_file.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-by_file.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-by_file.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-by_file.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-by_file.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+by_file.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+by_file.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 by_file.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 by_file.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-by_file.o: ../../include/openssl/pem.h ../../include/openssl/pem2.h
-by_file.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-by_file.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-by_file.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-by_file.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-by_file.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-by_file.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-by_file.o: ../cryptlib.h
-x509_att.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-x509_att.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-x509_att.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-x509_att.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
-x509_att.o: ../../include/openssl/des.h ../../include/openssl/dh.h
-x509_att.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
-x509_att.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+by_file.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pem.h
+by_file.o: ../../include/openssl/pem2.h ../../include/openssl/pkcs7.h
+by_file.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+by_file.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+by_file.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+by_file.o: ../../include/openssl/x509_vfy.h ../cryptlib.h by_file.c
+x509_att.o: ../../e_os.h ../../include/openssl/asn1.h
+x509_att.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+x509_att.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
+x509_att.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
+x509_att.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
 x509_att.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-x509_att.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-x509_att.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-x509_att.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-x509_att.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-x509_att.o: ../../include/openssl/opensslconf.h
-x509_att.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
-x509_att.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-x509_att.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-x509_att.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-x509_att.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-x509_att.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-x509_att.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
-x509_att.o: ../cryptlib.h
-x509_cmp.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-x509_cmp.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-x509_cmp.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-x509_cmp.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
-x509_cmp.o: ../../include/openssl/des.h ../../include/openssl/dh.h
-x509_cmp.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
-x509_cmp.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+x509_att.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+x509_att.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+x509_att.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+x509_att.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
+x509_att.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+x509_att.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+x509_att.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+x509_att.o: ../../include/openssl/x509v3.h ../cryptlib.h x509_att.c
+x509_cmp.o: ../../e_os.h ../../include/openssl/asn1.h
+x509_cmp.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+x509_cmp.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
+x509_cmp.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
+x509_cmp.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
 x509_cmp.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-x509_cmp.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-x509_cmp.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-x509_cmp.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-x509_cmp.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-x509_cmp.o: ../../include/openssl/opensslconf.h
-x509_cmp.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
-x509_cmp.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-x509_cmp.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-x509_cmp.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-x509_cmp.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-x509_cmp.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-x509_cmp.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
-x509_cmp.o: ../cryptlib.h
-x509_d2.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-x509_d2.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-x509_d2.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-x509_d2.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+x509_cmp.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+x509_cmp.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+x509_cmp.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+x509_cmp.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
+x509_cmp.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+x509_cmp.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+x509_cmp.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+x509_cmp.o: ../../include/openssl/x509v3.h ../cryptlib.h x509_cmp.c
+x509_d2.o: ../../e_os.h ../../include/openssl/asn1.h
+x509_d2.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+x509_d2.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 x509_d2.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-x509_d2.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-x509_d2.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-x509_d2.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-x509_d2.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-x509_d2.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+x509_d2.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+x509_d2.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 x509_d2.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 x509_d2.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-x509_d2.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-x509_d2.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-x509_d2.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-x509_d2.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-x509_d2.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-x509_d2.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-x509_d2.o: ../cryptlib.h
-x509_def.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-x509_def.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-x509_def.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-x509_def.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+x509_d2.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+x509_d2.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+x509_d2.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+x509_d2.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+x509_d2.o: ../../include/openssl/x509_vfy.h ../cryptlib.h x509_d2.c
+x509_def.o: ../../e_os.h ../../include/openssl/asn1.h
+x509_def.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+x509_def.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 x509_def.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-x509_def.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-x509_def.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-x509_def.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-x509_def.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-x509_def.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+x509_def.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+x509_def.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 x509_def.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 x509_def.o: ../../include/openssl/opensslconf.h
-x509_def.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
-x509_def.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-x509_def.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-x509_def.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-x509_def.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-x509_def.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-x509_def.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
+x509_def.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+x509_def.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
+x509_def.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+x509_def.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+x509_def.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+x509_def.o: ../cryptlib.h x509_def.c
 x509_err.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-x509_err.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-x509_err.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-x509_err.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-x509_err.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-x509_err.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-x509_err.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-x509_err.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-x509_err.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-x509_err.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+x509_err.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+x509_err.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
+x509_err.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+x509_err.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+x509_err.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
 x509_err.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-x509_err.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
-x509_err.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-x509_err.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-x509_err.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-x509_err.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-x509_err.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-x509_err.o: ../../include/openssl/x509_vfy.h
-x509_ext.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-x509_ext.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-x509_ext.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-x509_ext.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
-x509_ext.o: ../../include/openssl/des.h ../../include/openssl/dh.h
-x509_ext.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
-x509_ext.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+x509_err.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+x509_err.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
+x509_err.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+x509_err.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+x509_err.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+x509_err.o: x509_err.c
+x509_ext.o: ../../e_os.h ../../include/openssl/asn1.h
+x509_ext.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+x509_ext.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
+x509_ext.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
+x509_ext.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
 x509_ext.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-x509_ext.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-x509_ext.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-x509_ext.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-x509_ext.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-x509_ext.o: ../../include/openssl/opensslconf.h
-x509_ext.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
-x509_ext.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-x509_ext.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-x509_ext.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-x509_ext.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-x509_ext.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-x509_ext.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
-x509_ext.o: ../cryptlib.h
-x509_lu.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-x509_lu.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-x509_lu.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-x509_lu.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-x509_lu.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-x509_lu.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+x509_ext.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+x509_ext.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+x509_ext.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+x509_ext.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
+x509_ext.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+x509_ext.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+x509_ext.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+x509_ext.o: ../../include/openssl/x509v3.h ../cryptlib.h x509_ext.c
+x509_lu.o: ../../e_os.h ../../include/openssl/asn1.h
+x509_lu.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+x509_lu.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
+x509_lu.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
+x509_lu.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
 x509_lu.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-x509_lu.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-x509_lu.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-x509_lu.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-x509_lu.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-x509_lu.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-x509_lu.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-x509_lu.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-x509_lu.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+x509_lu.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+x509_lu.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+x509_lu.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+x509_lu.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
 x509_lu.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
 x509_lu.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 x509_lu.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-x509_lu.o: ../cryptlib.h
-x509_obj.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-x509_obj.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-x509_obj.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-x509_obj.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+x509_lu.o: ../../include/openssl/x509v3.h ../cryptlib.h x509_lu.c
+x509_obj.o: ../../e_os.h ../../include/openssl/asn1.h
+x509_obj.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+x509_obj.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 x509_obj.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-x509_obj.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-x509_obj.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-x509_obj.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-x509_obj.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-x509_obj.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+x509_obj.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+x509_obj.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 x509_obj.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 x509_obj.o: ../../include/openssl/opensslconf.h
-x509_obj.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
-x509_obj.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-x509_obj.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-x509_obj.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-x509_obj.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-x509_obj.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-x509_obj.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
-x509_r2x.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-x509_r2x.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-x509_r2x.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-x509_r2x.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+x509_obj.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+x509_obj.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
+x509_obj.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+x509_obj.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+x509_obj.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+x509_obj.o: ../cryptlib.h x509_obj.c
+x509_r2x.o: ../../e_os.h ../../include/openssl/asn1.h
+x509_r2x.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+x509_r2x.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 x509_r2x.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-x509_r2x.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-x509_r2x.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-x509_r2x.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-x509_r2x.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-x509_r2x.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+x509_r2x.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+x509_r2x.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 x509_r2x.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 x509_r2x.o: ../../include/openssl/opensslconf.h
-x509_r2x.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
-x509_r2x.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-x509_r2x.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-x509_r2x.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-x509_r2x.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-x509_r2x.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-x509_r2x.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
-x509_req.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-x509_req.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-x509_req.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-x509_req.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+x509_r2x.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+x509_r2x.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
+x509_r2x.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+x509_r2x.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+x509_r2x.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+x509_r2x.o: ../cryptlib.h x509_r2x.c
+x509_req.o: ../../e_os.h ../../include/openssl/asn1.h
+x509_req.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+x509_req.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 x509_req.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-x509_req.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-x509_req.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-x509_req.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-x509_req.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-x509_req.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+x509_req.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+x509_req.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 x509_req.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 x509_req.o: ../../include/openssl/opensslconf.h
-x509_req.o: ../../include/openssl/opensslv.h ../../include/openssl/pem.h
-x509_req.o: ../../include/openssl/pem2.h ../../include/openssl/pkcs7.h
-x509_req.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-x509_req.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-x509_req.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-x509_req.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-x509_req.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-x509_req.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
-x509_set.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-x509_set.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-x509_set.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-x509_set.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+x509_req.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+x509_req.o: ../../include/openssl/pem.h ../../include/openssl/pem2.h
+x509_req.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
+x509_req.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+x509_req.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+x509_req.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+x509_req.o: ../cryptlib.h x509_req.c
+x509_set.o: ../../e_os.h ../../include/openssl/asn1.h
+x509_set.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+x509_set.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 x509_set.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-x509_set.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-x509_set.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-x509_set.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-x509_set.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-x509_set.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+x509_set.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+x509_set.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 x509_set.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 x509_set.o: ../../include/openssl/opensslconf.h
-x509_set.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
-x509_set.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-x509_set.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-x509_set.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-x509_set.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-x509_set.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-x509_set.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
-x509_trs.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-x509_trs.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-x509_trs.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-x509_trs.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
-x509_trs.o: ../../include/openssl/des.h ../../include/openssl/dh.h
-x509_trs.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
-x509_trs.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+x509_set.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+x509_set.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
+x509_set.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+x509_set.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+x509_set.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+x509_set.o: ../cryptlib.h x509_set.c
+x509_trs.o: ../../e_os.h ../../include/openssl/asn1.h
+x509_trs.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+x509_trs.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
+x509_trs.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
+x509_trs.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
 x509_trs.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-x509_trs.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-x509_trs.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-x509_trs.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-x509_trs.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-x509_trs.o: ../../include/openssl/opensslconf.h
-x509_trs.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
-x509_trs.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-x509_trs.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-x509_trs.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-x509_trs.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-x509_trs.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-x509_trs.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
-x509_trs.o: ../cryptlib.h
-x509_txt.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-x509_txt.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-x509_txt.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-x509_txt.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+x509_trs.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+x509_trs.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+x509_trs.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+x509_trs.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
+x509_trs.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+x509_trs.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+x509_trs.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+x509_trs.o: ../../include/openssl/x509v3.h ../cryptlib.h x509_trs.c
+x509_txt.o: ../../e_os.h ../../include/openssl/asn1.h
+x509_txt.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+x509_txt.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 x509_txt.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-x509_txt.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-x509_txt.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-x509_txt.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-x509_txt.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-x509_txt.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+x509_txt.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+x509_txt.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 x509_txt.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 x509_txt.o: ../../include/openssl/opensslconf.h
-x509_txt.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
-x509_txt.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-x509_txt.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-x509_txt.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-x509_txt.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-x509_txt.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-x509_txt.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
-x509_v3.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-x509_v3.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-x509_v3.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-x509_v3.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
-x509_v3.o: ../../include/openssl/des.h ../../include/openssl/dh.h
-x509_v3.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
-x509_v3.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+x509_txt.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+x509_txt.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
+x509_txt.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+x509_txt.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+x509_txt.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+x509_txt.o: ../cryptlib.h x509_txt.c
+x509_v3.o: ../../e_os.h ../../include/openssl/asn1.h
+x509_v3.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+x509_v3.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
+x509_v3.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
+x509_v3.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
 x509_v3.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-x509_v3.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-x509_v3.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-x509_v3.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-x509_v3.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-x509_v3.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-x509_v3.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-x509_v3.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-x509_v3.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+x509_v3.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+x509_v3.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+x509_v3.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+x509_v3.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
 x509_v3.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
 x509_v3.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 x509_v3.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-x509_v3.o: ../../include/openssl/x509v3.h ../cryptlib.h
-x509_vfy.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-x509_vfy.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-x509_vfy.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-x509_vfy.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
-x509_vfy.o: ../../include/openssl/des.h ../../include/openssl/dh.h
-x509_vfy.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
-x509_vfy.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+x509_v3.o: ../../include/openssl/x509v3.h ../cryptlib.h x509_v3.c
+x509_vfy.o: ../../e_os.h ../../include/openssl/asn1.h
+x509_vfy.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+x509_vfy.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
+x509_vfy.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
+x509_vfy.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
 x509_vfy.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-x509_vfy.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-x509_vfy.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-x509_vfy.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-x509_vfy.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-x509_vfy.o: ../../include/openssl/opensslconf.h
-x509_vfy.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
-x509_vfy.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-x509_vfy.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-x509_vfy.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-x509_vfy.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-x509_vfy.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-x509_vfy.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
-x509_vfy.o: ../cryptlib.h
-x509name.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-x509name.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-x509name.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-x509name.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+x509_vfy.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+x509_vfy.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+x509_vfy.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+x509_vfy.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
+x509_vfy.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+x509_vfy.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+x509_vfy.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+x509_vfy.o: ../../include/openssl/x509v3.h ../cryptlib.h x509_vfy.c
+x509cset.o: ../../e_os.h ../../include/openssl/asn1.h
+x509cset.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+x509cset.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+x509cset.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+x509cset.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+x509cset.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+x509cset.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+x509cset.o: ../../include/openssl/opensslconf.h
+x509cset.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+x509cset.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
+x509cset.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+x509cset.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+x509cset.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+x509cset.o: ../cryptlib.h x509cset.c
+x509name.o: ../../e_os.h ../../include/openssl/asn1.h
+x509name.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+x509name.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 x509name.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-x509name.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-x509name.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-x509name.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-x509name.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-x509name.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+x509name.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+x509name.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 x509name.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 x509name.o: ../../include/openssl/opensslconf.h
-x509name.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
-x509name.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-x509name.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-x509name.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-x509name.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-x509name.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-x509name.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
-x509rset.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-x509rset.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-x509rset.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-x509rset.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+x509name.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+x509name.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
+x509name.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+x509name.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+x509name.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+x509name.o: ../cryptlib.h x509name.c
+x509rset.o: ../../e_os.h ../../include/openssl/asn1.h
+x509rset.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+x509rset.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 x509rset.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-x509rset.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-x509rset.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-x509rset.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-x509rset.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-x509rset.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+x509rset.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+x509rset.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 x509rset.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 x509rset.o: ../../include/openssl/opensslconf.h
-x509rset.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
-x509rset.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-x509rset.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-x509rset.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-x509rset.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-x509rset.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-x509rset.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
-x509spki.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
-x509spki.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-x509spki.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-x509spki.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
-x509spki.o: ../../include/openssl/des.h ../../include/openssl/dh.h
-x509spki.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+x509rset.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+x509rset.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
+x509rset.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+x509rset.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+x509rset.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+x509rset.o: ../cryptlib.h x509rset.c
+x509spki.o: ../../e_os.h ../../include/openssl/asn1.h
+x509spki.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+x509spki.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+x509spki.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
 x509spki.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-x509spki.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-x509spki.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-x509spki.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-x509spki.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
-x509spki.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-x509spki.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
-x509spki.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-x509spki.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-x509spki.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-x509spki.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-x509spki.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-x509spki.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
-x509type.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-x509type.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-x509type.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-x509type.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+x509spki.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+x509spki.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+x509spki.o: ../../include/openssl/opensslconf.h
+x509spki.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+x509spki.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
+x509spki.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+x509spki.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+x509spki.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+x509spki.o: ../cryptlib.h x509spki.c
+x509type.o: ../../e_os.h ../../include/openssl/asn1.h
+x509type.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+x509type.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 x509type.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-x509type.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-x509type.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-x509type.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-x509type.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-x509type.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+x509type.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+x509type.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 x509type.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 x509type.o: ../../include/openssl/opensslconf.h
-x509type.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
-x509type.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-x509type.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-x509type.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-x509type.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-x509type.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-x509type.o: ../../include/openssl/x509_vfy.h ../cryptlib.h
-x_all.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-x_all.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-x_all.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-x_all.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-x_all.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-x_all.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+x509type.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+x509type.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
+x509type.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+x509type.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+x509type.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+x509type.o: ../cryptlib.h x509type.c
+x_all.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
+x_all.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+x_all.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
+x_all.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
 x_all.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-x_all.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-x_all.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-x_all.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-x_all.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-x_all.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-x_all.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-x_all.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-x_all.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+x_all.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+x_all.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+x_all.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+x_all.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
 x_all.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
 x_all.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 x_all.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-x_all.o: ../cryptlib.h
+x_all.o: ../cryptlib.h x_all.c
diff --git a/src/lib/libcrypto/x509/by_file.c b/src/lib/libcrypto/x509/by_file.c
index 78e9240a8d..92e00d2d73 100644
--- a/src/lib/libcrypto/x509/by_file.c
+++ b/src/lib/libcrypto/x509/by_file.c
@@ -66,7 +66,7 @@
 #include <openssl/x509.h>
 #include <openssl/pem.h>
 
-#ifndef NO_STDIO
+#ifndef OPENSSL_NO_STDIO
 
 static int by_file_ctrl(X509_LOOKUP *ctx, int cmd, const char *argc,
         long argl, char **ret);
@@ -294,5 +294,5 @@ int X509_load_cert_crl_file(X509_LOOKUP *ctx, const char *file, int type)
 }
 
 
-#endif /* NO_STDIO */
+#endif /* OPENSSL_NO_STDIO */
 
diff --git a/src/lib/libcrypto/x509/x509.h b/src/lib/libcrypto/x509/x509.h
index 813c8adffd..c75aa0c717 100644
--- a/src/lib/libcrypto/x509/x509.h
+++ b/src/lib/libcrypto/x509/x509.h
@@ -60,47 +60,46 @@
 #define HEADER_X509_H
 
 #include <openssl/symhacks.h>
-#ifndef NO_BUFFER
+#ifndef OPENSSL_NO_BUFFER
 #include <openssl/buffer.h>
 #endif
-#ifndef NO_EVP
+#ifndef OPENSSL_NO_EVP
 #include <openssl/evp.h>
 #endif
-#ifndef NO_BIO
+#ifndef OPENSSL_NO_BIO
 #include <openssl/bio.h>
 #endif
 #include <openssl/stack.h>
 #include <openssl/asn1.h>
 #include <openssl/safestack.h>
 
-#ifndef NO_RSA
+#ifndef OPENSSL_NO_RSA
 #include <openssl/rsa.h>
 #endif
 
-#ifndef NO_DSA
+#ifndef OPENSSL_NO_DSA
 #include <openssl/dsa.h>
 #endif
 
-#ifndef NO_DH
+#ifndef OPENSSL_NO_DH
 #include <openssl/dh.h>
 #endif
-
+#ifndef OPENSSL_NO_SHA
+#include <openssl/sha.h>
+#endif
 #include <openssl/evp.h>
-
+#include <openssl/e_os2.h>
+#include <openssl/ossl_typ.h>
 
 #ifdef  __cplusplus
 extern "C" {
 #endif
 
-#ifdef WIN32
+#ifdef OPENSSL_SYS_WIN32
 /* Under Win32 this is defined in wincrypt.h */
 #undef X509_NAME
 #endif
 
-  /* If placed in pkcs12.h, we end up with a circular depency with pkcs7.h */
-#define DECLARE_PKCS12_STACK_OF(type) /* Nothing */
-#define IMPLEMENT_PKCS12_STACK_OF(type) /* Nothing */
-
 #define X509_FILETYPE_PEM       1
 #define X509_FILETYPE_ASN1      2
 #define X509_FILETYPE_DEFAULT   3
@@ -123,11 +122,11 @@ typedef struct X509_objects_st
         int (*i2a)();
         } X509_OBJECTS;
 
-typedef struct X509_algor_st
+struct X509_algor_st
         {
         ASN1_OBJECT *algorithm;
         ASN1_TYPE *parameter;
-        } X509_ALGOR;
+        } /* X509_ALGOR */;
 
 DECLARE_STACK_OF(X509_ALGOR)
 DECLARE_ASN1_SET_OF(X509_ALGOR)
@@ -163,17 +162,17 @@ DECLARE_STACK_OF(X509_NAME_ENTRY)
 DECLARE_ASN1_SET_OF(X509_NAME_ENTRY)
 
 /* we always keep X509_NAMEs in 2 forms. */
-typedef struct X509_name_st
+struct X509_name_st
         {
         STACK_OF(X509_NAME_ENTRY) *entries;
         int modified;   /* true if 'bytes' needs to be built */
-#ifndef NO_BUFFER
+#ifndef OPENSSL_NO_BUFFER
         BUF_MEM *bytes;
 #else
         char *bytes;
 #endif
         unsigned long hash; /* Keep the hash around for lookups */
-        } X509_NAME;
+        } /* X509_NAME */;
 
 DECLARE_STACK_OF(X509_NAME)
 
@@ -182,11 +181,8 @@ DECLARE_STACK_OF(X509_NAME)
 typedef struct X509_extension_st
         {
         ASN1_OBJECT *object;
-        short critical;
-        short netscape_hack;
+        ASN1_BOOLEAN critical;
         ASN1_OCTET_STRING *value;
-        struct v3_ext_method *method;   /* V3 method to use */
-        void *ext_val;                  /* extension value */
         } X509_EXTENSION;
 
 DECLARE_STACK_OF(X509_EXTENSION)
@@ -196,27 +192,26 @@ DECLARE_ASN1_SET_OF(X509_EXTENSION)
 typedef struct x509_attributes_st
         {
         ASN1_OBJECT *object;
-        int set; /* 1 for a set, 0 for a single item (which is wrong) */
+        int single; /* 0 for a set, 1 for a single item (which is wrong) */
         union   {
                 char            *ptr;
-/* 1 */         STACK_OF(ASN1_TYPE) *set;
-/* 0 */         ASN1_TYPE       *single;
+/* 0 */         STACK_OF(ASN1_TYPE) *set;
+/* 1 */         ASN1_TYPE       *single;
                 } value;
         } X509_ATTRIBUTE;
 
 DECLARE_STACK_OF(X509_ATTRIBUTE)
 DECLARE_ASN1_SET_OF(X509_ATTRIBUTE)
 
+
 typedef struct X509_req_info_st
         {
-        unsigned char *asn1;
-        int length;
+        ASN1_ENCODING enc;
         ASN1_INTEGER *version;
         X509_NAME *subject;
         X509_PUBKEY *pubkey;
         /*  d=2 hl=2 l=  0 cons: cont: 00 */
         STACK_OF(X509_ATTRIBUTE) *attributes; /* [ 0 ] */
-        int req_kludge;
         } X509_REQ_INFO;
 
 typedef struct X509_req_st
@@ -256,7 +251,7 @@ typedef struct x509_cert_aux_st
         STACK_OF(X509_ALGOR) *other;            /* other unspecified info */
         } X509_CERT_AUX;
 
-typedef struct x509_st
+struct x509_st
         {
         X509_CINF *cert_info;
         X509_ALGOR *sig_alg;
@@ -273,11 +268,11 @@ typedef struct x509_st
         unsigned long ex_nscert;
         ASN1_OCTET_STRING *skid;
         struct AUTHORITY_KEYID_st *akid;
-#ifndef NO_SHA
+#ifndef OPENSSL_NO_SHA
         unsigned char sha1_hash[SHA_DIGEST_LENGTH];
 #endif
         X509_CERT_AUX *aux;
-        } X509;
+        } /* X509 */;
 
 DECLARE_STACK_OF(X509)
 DECLARE_ASN1_SET_OF(X509)
@@ -304,10 +299,12 @@ DECLARE_STACK_OF(X509_TRUST)
 #define X509_TRUST_SSL_SERVER   3
 #define X509_TRUST_EMAIL        4
 #define X509_TRUST_OBJECT_SIGN  5
+#define X509_TRUST_OCSP_SIGN    6
+#define X509_TRUST_OCSP_REQUEST 7
 
 /* Keep these up to date! */
 #define X509_TRUST_MIN          1
-#define X509_TRUST_MAX          5
+#define X509_TRUST_MAX          7
 
 
 /* trust_flags values */
@@ -320,6 +317,21 @@ DECLARE_STACK_OF(X509_TRUST)
 #define X509_TRUST_REJECTED     2
 #define X509_TRUST_UNTRUSTED    3
 
+/* Flags for X509_print_ex() */
+
+#define X509_FLAG_COMPAT                0
+#define X509_FLAG_NO_HEADER             1L
+#define X509_FLAG_NO_VERSION            (1L << 1)
+#define X509_FLAG_NO_SERIAL             (1L << 2)
+#define X509_FLAG_NO_SIGNAME            (1L << 3)
+#define X509_FLAG_NO_ISSUER             (1L << 4)
+#define X509_FLAG_NO_VALIDITY           (1L << 5)
+#define X509_FLAG_NO_SUBJECT            (1L << 6)
+#define X509_FLAG_NO_PUBKEY             (1L << 7)
+#define X509_FLAG_NO_EXTENSIONS         (1L << 8)
+#define X509_FLAG_NO_SIGDUMP            (1L << 9)
+#define X509_FLAG_NO_AUX                (1L << 10)
+
 /* Flags specific to X509_NAME_print_ex() */    
 
 /* The field separator information */
@@ -351,6 +363,8 @@ DECLARE_STACK_OF(X509_TRUST)
 
 #define XN_FLAG_DUMP_UNKNOWN_FIELDS (1 << 24)
 
+#define XN_FLAG_FN_ALIGN        (1 << 25)       /* Align field names to 20 characters */
+
 /* Complete set of RFC2253 flags */
 
 #define XN_FLAG_RFC2253 (ASN1_STRFLGS_RFC2253 | \
@@ -373,7 +387,8 @@ DECLARE_STACK_OF(X509_TRUST)
                         ASN1_STRFLGS_ESC_MSB | \
                         XN_FLAG_SEP_MULTILINE | \
                         XN_FLAG_SPC_EQ | \
-                        XN_FLAG_FN_LN)
+                        XN_FLAG_FN_LN | \
+                        XN_FLAG_FN_ALIGN)
 
 typedef struct X509_revoked_st
         {
@@ -397,14 +412,14 @@ typedef struct X509_crl_info_st
         STACK_OF(X509_EXTENSION) /* [0] */ *extensions;
         } X509_CRL_INFO;
 
-typedef struct X509_crl_st
+struct X509_crl_st
         {
         /* actual signature */
         X509_CRL_INFO *crl;
         X509_ALGOR *sig_alg;
         ASN1_BIT_STRING *signature;
         int references;
-        } X509_CRL;
+        } /* X509_CRL */;
 
 DECLARE_STACK_OF(X509_CRL)
 DECLARE_ASN1_SET_OF(X509_CRL)
@@ -430,7 +445,7 @@ typedef struct private_key_st
         int references;
         } X509_PKEY;
 
-#ifndef NO_EVP
+#ifndef OPENSSL_NO_EVP
 typedef struct X509_info_st
         {
         X509 *x509;
@@ -686,7 +701,7 @@ extern "C" {
 const char *X509_verify_cert_error_string(long n);
 
 #ifndef SSLEAY_MACROS
-#ifndef NO_EVP
+#ifndef OPENSSL_NO_EVP
 int X509_verify(X509 *a, EVP_PKEY *r);
 
 int X509_REQ_verify(X509_REQ *a, EVP_PKEY *r);
@@ -700,11 +715,15 @@ int NETSCAPE_SPKI_set_pubkey(NETSCAPE_SPKI *x, EVP_PKEY *pkey);
 
 int NETSCAPE_SPKI_print(BIO *out, NETSCAPE_SPKI *spki);
 
+int X509_signature_print(BIO *bp,X509_ALGOR *alg, ASN1_STRING *sig);
+
 int X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md);
 int X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md);
 int X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md);
 int NETSCAPE_SPKI_sign(NETSCAPE_SPKI *x, EVP_PKEY *pkey, const EVP_MD *md);
 
+int X509_pubkey_digest(const X509 *data,const EVP_MD *type,
+                unsigned char *md, unsigned int *len);
 int X509_digest(const X509 *data,const EVP_MD *type,
                 unsigned char *md, unsigned int *len);
 int X509_CRL_digest(const X509_CRL *data,const EVP_MD *type,
@@ -715,14 +734,14 @@ int X509_NAME_digest(const X509_NAME *data,const EVP_MD *type,
                 unsigned char *md, unsigned int *len);
 #endif
 
-#ifndef NO_FP_API
+#ifndef OPENSSL_NO_FP_API
 X509 *d2i_X509_fp(FILE *fp, X509 **x509);
 int i2d_X509_fp(FILE *fp,X509 *x509);
 X509_CRL *d2i_X509_CRL_fp(FILE *fp,X509_CRL **crl);
 int i2d_X509_CRL_fp(FILE *fp,X509_CRL *crl);
 X509_REQ *d2i_X509_REQ_fp(FILE *fp,X509_REQ **req);
 int i2d_X509_REQ_fp(FILE *fp,X509_REQ *req);
-#ifndef NO_RSA
+#ifndef OPENSSL_NO_RSA
 RSA *d2i_RSAPrivateKey_fp(FILE *fp,RSA **rsa);
 int i2d_RSAPrivateKey_fp(FILE *fp,RSA *rsa);
 RSA *d2i_RSAPublicKey_fp(FILE *fp,RSA **rsa);
@@ -730,7 +749,7 @@ int i2d_RSAPublicKey_fp(FILE *fp,RSA *rsa);
 RSA *d2i_RSA_PUBKEY_fp(FILE *fp,RSA **rsa);
 int i2d_RSA_PUBKEY_fp(FILE *fp,RSA *rsa);
 #endif
-#ifndef NO_DSA
+#ifndef OPENSSL_NO_DSA
 DSA *d2i_DSA_PUBKEY_fp(FILE *fp, DSA **dsa);
 int i2d_DSA_PUBKEY_fp(FILE *fp, DSA *dsa);
 DSA *d2i_DSAPrivateKey_fp(FILE *fp, DSA **dsa);
@@ -748,14 +767,14 @@ int i2d_PUBKEY_fp(FILE *fp, EVP_PKEY *pkey);
 EVP_PKEY *d2i_PUBKEY_fp(FILE *fp, EVP_PKEY **a);
 #endif
 
-#ifndef NO_BIO
+#ifndef OPENSSL_NO_BIO
 X509 *d2i_X509_bio(BIO *bp,X509 **x509);
 int i2d_X509_bio(BIO *bp,X509 *x509);
 X509_CRL *d2i_X509_CRL_bio(BIO *bp,X509_CRL **crl);
 int i2d_X509_CRL_bio(BIO *bp,X509_CRL *crl);
 X509_REQ *d2i_X509_REQ_bio(BIO *bp,X509_REQ **req);
 int i2d_X509_REQ_bio(BIO *bp,X509_REQ *req);
-#ifndef NO_RSA
+#ifndef OPENSSL_NO_RSA
 RSA *d2i_RSAPrivateKey_bio(BIO *bp,RSA **rsa);
 int i2d_RSAPrivateKey_bio(BIO *bp,RSA *rsa);
 RSA *d2i_RSAPublicKey_bio(BIO *bp,RSA **rsa);
@@ -763,7 +782,7 @@ int i2d_RSAPublicKey_bio(BIO *bp,RSA *rsa);
 RSA *d2i_RSA_PUBKEY_bio(BIO *bp,RSA **rsa);
 int i2d_RSA_PUBKEY_bio(BIO *bp,RSA *rsa);
 #endif
-#ifndef NO_DSA
+#ifndef OPENSSL_NO_DSA
 DSA *d2i_DSA_PUBKEY_bio(BIO *bp, DSA **dsa);
 int i2d_DSA_PUBKEY_bio(BIO *bp, DSA *dsa);
 DSA *d2i_DSAPrivateKey_bio(BIO *bp, DSA **dsa);
@@ -789,7 +808,7 @@ X509_REQ *X509_REQ_dup(X509_REQ *req);
 X509_ALGOR *X509_ALGOR_dup(X509_ALGOR *xn);
 X509_NAME *X509_NAME_dup(X509_NAME *xn);
 X509_NAME_ENTRY *X509_NAME_ENTRY_dup(X509_NAME_ENTRY *ne);
-#ifndef NO_RSA
+#ifndef OPENSSL_NO_RSA
 RSA *RSAPublicKey_dup(RSA *rsa);
 RSA *RSAPrivateKey_dup(RSA *rsa);
 #endif
@@ -810,25 +829,12 @@ const char *	X509_get_default_private_dir(void );
 
 X509_REQ *      X509_to_X509_REQ(X509 *x, EVP_PKEY *pkey, const EVP_MD *md);
 X509 *          X509_REQ_to_X509(X509_REQ *r, int days,EVP_PKEY *pkey);
-void ERR_load_X509_strings(void );
 
-X509_ALGOR *    X509_ALGOR_new(void );
-void            X509_ALGOR_free(X509_ALGOR *a);
-int             i2d_X509_ALGOR(X509_ALGOR *a,unsigned char **pp);
-X509_ALGOR *    d2i_X509_ALGOR(X509_ALGOR **a,unsigned char **pp,
-                        long length);
+DECLARE_ASN1_FUNCTIONS(X509_ALGOR)
+DECLARE_ASN1_FUNCTIONS(X509_VAL)
 
-X509_VAL *      X509_VAL_new(void );
-void            X509_VAL_free(X509_VAL *a);
-int             i2d_X509_VAL(X509_VAL *a,unsigned char **pp);
-X509_VAL *      d2i_X509_VAL(X509_VAL **a,unsigned char **pp,
-                        long length);
+DECLARE_ASN1_FUNCTIONS(X509_PUBKEY)
 
-X509_PUBKEY *   X509_PUBKEY_new(void );
-void            X509_PUBKEY_free(X509_PUBKEY *a);
-int             i2d_X509_PUBKEY(X509_PUBKEY *a,unsigned char **pp);
-X509_PUBKEY *   d2i_X509_PUBKEY(X509_PUBKEY **a,unsigned char **pp,
-                        long length);
 int             X509_PUBKEY_set(X509_PUBKEY **x, EVP_PKEY *pkey);
 EVP_PKEY *      X509_PUBKEY_get(X509_PUBKEY *key);
 int             X509_get_pubkey_parameters(EVP_PKEY *pkey,
@@ -836,69 +842,37 @@ int		X509_get_pubkey_parameters(EVP_PKEY *pkey,
 int             i2d_PUBKEY(EVP_PKEY *a,unsigned char **pp);
 EVP_PKEY *      d2i_PUBKEY(EVP_PKEY **a,unsigned char **pp,
                         long length);
-#ifndef NO_RSA
+#ifndef OPENSSL_NO_RSA
 int             i2d_RSA_PUBKEY(RSA *a,unsigned char **pp);
 RSA *           d2i_RSA_PUBKEY(RSA **a,unsigned char **pp,
                         long length);
 #endif
-#ifndef NO_DSA
+#ifndef OPENSSL_NO_DSA
 int             i2d_DSA_PUBKEY(DSA *a,unsigned char **pp);
 DSA *           d2i_DSA_PUBKEY(DSA **a,unsigned char **pp,
                         long length);
 #endif
 
-X509_SIG *      X509_SIG_new(void );
-void            X509_SIG_free(X509_SIG *a);
-int             i2d_X509_SIG(X509_SIG *a,unsigned char **pp);
-X509_SIG *      d2i_X509_SIG(X509_SIG **a,unsigned char **pp,long length);
-
-X509_REQ_INFO *X509_REQ_INFO_new(void);
-void            X509_REQ_INFO_free(X509_REQ_INFO *a);
-int             i2d_X509_REQ_INFO(X509_REQ_INFO *a,unsigned char **pp);
-X509_REQ_INFO *d2i_X509_REQ_INFO(X509_REQ_INFO **a,unsigned char **pp,
-                        long length);
+DECLARE_ASN1_FUNCTIONS(X509_SIG)
+DECLARE_ASN1_FUNCTIONS(X509_REQ_INFO)
+DECLARE_ASN1_FUNCTIONS(X509_REQ)
 
-X509_REQ *      X509_REQ_new(void);
-void            X509_REQ_free(X509_REQ *a);
-int             i2d_X509_REQ(X509_REQ *a,unsigned char **pp);
-X509_REQ *      d2i_X509_REQ(X509_REQ **a,unsigned char **pp,long length);
-
-X509_ATTRIBUTE *X509_ATTRIBUTE_new(void );
-void            X509_ATTRIBUTE_free(X509_ATTRIBUTE *a);
-int             i2d_X509_ATTRIBUTE(X509_ATTRIBUTE *a,unsigned char **pp);
-X509_ATTRIBUTE *d2i_X509_ATTRIBUTE(X509_ATTRIBUTE **a,unsigned char **pp,
-                        long length);
+DECLARE_ASN1_FUNCTIONS(X509_ATTRIBUTE)
 X509_ATTRIBUTE *X509_ATTRIBUTE_create(int nid, int atrtype, void *value);
 
+DECLARE_ASN1_FUNCTIONS(X509_EXTENSION)
 
-X509_EXTENSION *X509_EXTENSION_new(void );
-void            X509_EXTENSION_free(X509_EXTENSION *a);
-int             i2d_X509_EXTENSION(X509_EXTENSION *a,unsigned char **pp);
-X509_EXTENSION *d2i_X509_EXTENSION(X509_EXTENSION **a,unsigned char **pp,
-                        long length);
+DECLARE_ASN1_FUNCTIONS(X509_NAME_ENTRY)
 
-X509_NAME_ENTRY *X509_NAME_ENTRY_new(void);
-void            X509_NAME_ENTRY_free(X509_NAME_ENTRY *a);
-int             i2d_X509_NAME_ENTRY(X509_NAME_ENTRY *a,unsigned char **pp);
-X509_NAME_ENTRY *d2i_X509_NAME_ENTRY(X509_NAME_ENTRY **a,unsigned char **pp,
-                        long length);
+DECLARE_ASN1_FUNCTIONS(X509_NAME)
 
-X509_NAME *     X509_NAME_new(void);
-void            X509_NAME_free(X509_NAME *a);
-int             i2d_X509_NAME(X509_NAME *a,unsigned char **pp);
-X509_NAME *     d2i_X509_NAME(X509_NAME **a,unsigned char **pp,long length);
 int             X509_NAME_set(X509_NAME **xn, X509_NAME *name);
 
+DECLARE_ASN1_FUNCTIONS(X509_CINF)
 
-X509_CINF *     X509_CINF_new(void);
-void            X509_CINF_free(X509_CINF *a);
-int             i2d_X509_CINF(X509_CINF *a,unsigned char **pp);
-X509_CINF *     d2i_X509_CINF(X509_CINF **a,unsigned char **pp,long length);
+DECLARE_ASN1_FUNCTIONS(X509)
+DECLARE_ASN1_FUNCTIONS(X509_CERT_AUX)
 
-X509 *          X509_new(void);
-void            X509_free(X509 *a);
-int             i2d_X509(X509 *a,unsigned char **pp);
-X509 *          d2i_X509(X509 **a,unsigned char **pp,long length);
 int X509_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
              CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
 int X509_set_ex_data(X509 *r, int idx, void *arg);
@@ -906,60 +880,32 @@ void *X509_get_ex_data(X509 *r, int idx);
 int             i2d_X509_AUX(X509 *a,unsigned char **pp);
 X509 *          d2i_X509_AUX(X509 **a,unsigned char **pp,long length);
 
-X509_CERT_AUX * X509_CERT_AUX_new(void);
-void            X509_CERT_AUX_free(X509_CERT_AUX *a);
-int             i2d_X509_CERT_AUX(X509_CERT_AUX *a,unsigned char **pp);
-X509_CERT_AUX * d2i_X509_CERT_AUX(X509_CERT_AUX **a,unsigned char **pp,
-                                                                long length);
 int X509_alias_set1(X509 *x, unsigned char *name, int len);
 int X509_keyid_set1(X509 *x, unsigned char *id, int len);
 unsigned char * X509_alias_get0(X509 *x, int *len);
 int (*X509_TRUST_set_default(int (*trust)(int , X509 *, int)))(int, X509 *, int);
+int X509_TRUST_set(int *t, int trust);
 int X509_add1_trust_object(X509 *x, ASN1_OBJECT *obj);
 int X509_add1_reject_object(X509 *x, ASN1_OBJECT *obj);
 void X509_trust_clear(X509 *x);
 void X509_reject_clear(X509 *x);
 
-X509_REVOKED *  X509_REVOKED_new(void);
-void            X509_REVOKED_free(X509_REVOKED *a);
-int             i2d_X509_REVOKED(X509_REVOKED *a,unsigned char **pp);
-X509_REVOKED *  d2i_X509_REVOKED(X509_REVOKED **a,unsigned char **pp,long length);
+DECLARE_ASN1_FUNCTIONS(X509_REVOKED)
+DECLARE_ASN1_FUNCTIONS(X509_CRL_INFO)
+DECLARE_ASN1_FUNCTIONS(X509_CRL)
 
-X509_CRL_INFO *X509_CRL_INFO_new(void);
-void            X509_CRL_INFO_free(X509_CRL_INFO *a);
-int             i2d_X509_CRL_INFO(X509_CRL_INFO *a,unsigned char **pp);
-X509_CRL_INFO *d2i_X509_CRL_INFO(X509_CRL_INFO **a,unsigned char **pp,
-                        long length);
-
-X509_CRL *      X509_CRL_new(void);
-void            X509_CRL_free(X509_CRL *a);
-int             i2d_X509_CRL(X509_CRL *a,unsigned char **pp);
-X509_CRL *      d2i_X509_CRL(X509_CRL **a,unsigned char **pp,long length);
+int X509_CRL_add0_revoked(X509_CRL *crl, X509_REVOKED *rev);
 
 X509_PKEY *     X509_PKEY_new(void );
 void            X509_PKEY_free(X509_PKEY *a);
 int             i2d_X509_PKEY(X509_PKEY *a,unsigned char **pp);
 X509_PKEY *     d2i_X509_PKEY(X509_PKEY **a,unsigned char **pp,long length);
 
-NETSCAPE_SPKI * NETSCAPE_SPKI_new(void );
-void            NETSCAPE_SPKI_free(NETSCAPE_SPKI *a);
-int             i2d_NETSCAPE_SPKI(NETSCAPE_SPKI *a,unsigned char **pp);
-NETSCAPE_SPKI * d2i_NETSCAPE_SPKI(NETSCAPE_SPKI **a,unsigned char **pp,
-                        long length);
+DECLARE_ASN1_FUNCTIONS(NETSCAPE_SPKI)
+DECLARE_ASN1_FUNCTIONS(NETSCAPE_SPKAC)
+DECLARE_ASN1_FUNCTIONS(NETSCAPE_CERT_SEQUENCE)
 
-NETSCAPE_SPKAC *NETSCAPE_SPKAC_new(void );
-void            NETSCAPE_SPKAC_free(NETSCAPE_SPKAC *a);
-int             i2d_NETSCAPE_SPKAC(NETSCAPE_SPKAC *a,unsigned char **pp);
-NETSCAPE_SPKAC *d2i_NETSCAPE_SPKAC(NETSCAPE_SPKAC **a,unsigned char **pp,
-                long length);
-
-
-int i2d_NETSCAPE_CERT_SEQUENCE(NETSCAPE_CERT_SEQUENCE *a, unsigned char **pp);
-NETSCAPE_CERT_SEQUENCE *NETSCAPE_CERT_SEQUENCE_new(void);
-NETSCAPE_CERT_SEQUENCE *d2i_NETSCAPE_CERT_SEQUENCE(NETSCAPE_CERT_SEQUENCE **a, unsigned char **pp, long length);
-void NETSCAPE_CERT_SEQUENCE_free(NETSCAPE_CERT_SEQUENCE *a);
-
-#ifndef NO_EVP
+#ifndef OPENSSL_NO_EVP
 X509_INFO *     X509_INFO_new(void);
 void            X509_INFO_free(X509_INFO *a);
 char *          X509_NAME_oneline(X509_NAME *a,char *buf,int size);
@@ -973,6 +919,16 @@ int ASN1_digest(int (*i2d)(),const EVP_MD *type,char *data,
 int ASN1_sign(int (*i2d)(), X509_ALGOR *algor1, X509_ALGOR *algor2,
         ASN1_BIT_STRING *signature,
         char *data,EVP_PKEY *pkey, const EVP_MD *type);
+
+int ASN1_item_digest(const ASN1_ITEM *it,const EVP_MD *type,void *data,
+        unsigned char *md,unsigned int *len);
+
+int ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *algor1,
+        ASN1_BIT_STRING *signature,void *data,EVP_PKEY *pkey);
+
+int ASN1_item_sign(const ASN1_ITEM *it, X509_ALGOR *algor1, X509_ALGOR *algor2,
+        ASN1_BIT_STRING *signature,
+        void *data, EVP_PKEY *pkey, const EVP_MD *type);
 #endif
 
 int             X509_set_version(X509 *x,long version);
@@ -986,6 +942,7 @@ int 		X509_set_notBefore(X509 *x, ASN1_TIME *tm);
 int             X509_set_notAfter(X509 *x, ASN1_TIME *tm);
 int             X509_set_pubkey(X509 *x, EVP_PKEY *pkey);
 EVP_PKEY *      X509_get_pubkey(X509 *x);
+ASN1_BIT_STRING * X509_get0_pubkey_bitstr(const X509 *x);
 int             X509_certificate_type(X509 *x,EVP_PKEY *pubkey /* optional */);
 
 int             X509_REQ_set_version(X509_REQ *x,long version);
@@ -1008,14 +965,23 @@ X509_ATTRIBUTE *X509_REQ_get_attr(const X509_REQ *req, int loc);
 X509_ATTRIBUTE *X509_REQ_delete_attr(X509_REQ *req, int loc);
 int X509_REQ_add1_attr(X509_REQ *req, X509_ATTRIBUTE *attr);
 int X509_REQ_add1_attr_by_OBJ(X509_REQ *req,
-                        ASN1_OBJECT *obj, int type,
-                        unsigned char *bytes, int len);
+                        const ASN1_OBJECT *obj, int type,
+                        const unsigned char *bytes, int len);
 int X509_REQ_add1_attr_by_NID(X509_REQ *req,
                         int nid, int type,
-                        unsigned char *bytes, int len);
+                        const unsigned char *bytes, int len);
 int X509_REQ_add1_attr_by_txt(X509_REQ *req,
-                        char *attrname, int type,
-                        unsigned char *bytes, int len);
+                        const char *attrname, int type,
+                        const unsigned char *bytes, int len);
+
+int X509_CRL_set_version(X509_CRL *x, long version);
+int X509_CRL_set_issuer_name(X509_CRL *x, X509_NAME *name);
+int X509_CRL_set_lastUpdate(X509_CRL *x, ASN1_TIME *tm);
+int X509_CRL_set_nextUpdate(X509_CRL *x, ASN1_TIME *tm);
+int X509_CRL_sort(X509_CRL *crl);
+
+int X509_REVOKED_set_serialNumber(X509_REVOKED *x, ASN1_INTEGER *serial);
+int X509_REVOKED_set_revocationDate(X509_REVOKED *r, ASN1_TIME *tm);
 
 int             X509_check_private_key(X509 *x509,EVP_PKEY *pkey);
 
@@ -1033,17 +999,20 @@ int		X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b);
 unsigned long   X509_NAME_hash(X509_NAME *x);
 
 int             X509_CRL_cmp(const X509_CRL *a, const X509_CRL *b);
-#ifndef NO_FP_API
+#ifndef OPENSSL_NO_FP_API
+int             X509_print_ex_fp(FILE *bp,X509 *x, unsigned long nmflag, unsigned long cflag);
 int             X509_print_fp(FILE *bp,X509 *x);
 int             X509_CRL_print_fp(FILE *bp,X509_CRL *x);
 int             X509_REQ_print_fp(FILE *bp,X509_REQ *req);
 int X509_NAME_print_ex_fp(FILE *fp, X509_NAME *nm, int indent, unsigned long flags);
 #endif
 
-#ifndef NO_BIO
+#ifndef OPENSSL_NO_BIO
 int             X509_NAME_print(BIO *bp, X509_NAME *name, int obase);
 int X509_NAME_print_ex(BIO *out, X509_NAME *nm, int indent, unsigned long flags);
+int             X509_print_ex(BIO *bp,X509 *x, unsigned long nmflag, unsigned long cflag);
 int             X509_print(BIO *bp,X509 *x);
+int             X509_ocspid_print(BIO *bp,X509 *x);
 int             X509_CERT_AUX_print(BIO *bp,X509_CERT_AUX *x, int indent);
 int             X509_CRL_print(BIO *bp,X509_CRL *x);
 int             X509_REQ_print(BIO *bp,X509_REQ *req);
@@ -1104,6 +1073,8 @@ X509_EXTENSION *X509_get_ext(X509 *x, int loc);
 X509_EXTENSION *X509_delete_ext(X509 *x, int loc);
 int             X509_add_ext(X509 *x, X509_EXTENSION *ex, int loc);
 void    *       X509_get_ext_d2i(X509 *x, int nid, int *crit, int *idx);
+int             X509_add1_ext_i2d(X509 *x, int nid, void *value, int crit,
+                                                        unsigned long flags);
 
 int             X509_CRL_get_ext_count(X509_CRL *x);
 int             X509_CRL_get_ext_by_NID(X509_CRL *x, int nid, int lastpos);
@@ -1113,6 +1084,8 @@ X509_EXTENSION *X509_CRL_get_ext(X509_CRL *x, int loc);
 X509_EXTENSION *X509_CRL_delete_ext(X509_CRL *x, int loc);
 int             X509_CRL_add_ext(X509_CRL *x, X509_EXTENSION *ex, int loc);
 void    *       X509_CRL_get_ext_d2i(X509_CRL *x, int nid, int *crit, int *idx);
+int             X509_CRL_add1_ext_i2d(X509_CRL *x, int nid, void *value, int crit,
+                                                        unsigned long flags);
 
 int             X509_REVOKED_get_ext_count(X509_REVOKED *x);
 int             X509_REVOKED_get_ext_by_NID(X509_REVOKED *x, int nid, int lastpos);
@@ -1122,6 +1095,8 @@ X509_EXTENSION *X509_REVOKED_get_ext(X509_REVOKED *x, int loc);
 X509_EXTENSION *X509_REVOKED_delete_ext(X509_REVOKED *x, int loc);
 int             X509_REVOKED_add_ext(X509_REVOKED *x, X509_EXTENSION *ex, int loc);
 void    *       X509_REVOKED_get_ext_d2i(X509_REVOKED *x, int nid, int *crit, int *idx);
+int             X509_REVOKED_add1_ext_i2d(X509_REVOKED *x, int nid, void *value, int crit,
+                                                        unsigned long flags);
 
 X509_EXTENSION *X509_EXTENSION_create_by_NID(X509_EXTENSION **ex,
                         int nid, int crit, ASN1_OCTET_STRING *data);
@@ -1145,22 +1120,22 @@ X509_ATTRIBUTE *X509at_delete_attr(STACK_OF(X509_ATTRIBUTE) *x, int loc);
 STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr(STACK_OF(X509_ATTRIBUTE) **x,
                                          X509_ATTRIBUTE *attr);
 STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr_by_OBJ(STACK_OF(X509_ATTRIBUTE) **x,
-                        ASN1_OBJECT *obj, int type,
-                        unsigned char *bytes, int len);
+                        const ASN1_OBJECT *obj, int type,
+                        const unsigned char *bytes, int len);
 STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr_by_NID(STACK_OF(X509_ATTRIBUTE) **x,
                         int nid, int type,
-                        unsigned char *bytes, int len);
+                        const unsigned char *bytes, int len);
 STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr_by_txt(STACK_OF(X509_ATTRIBUTE) **x,
-                        char *attrname, int type,
-                        unsigned char *bytes, int len);
+                        const char *attrname, int type,
+                        const unsigned char *bytes, int len);
 X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_NID(X509_ATTRIBUTE **attr, int nid,
-             int atrtype, void *data, int len);
+             int atrtype, const void *data, int len);
 X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_OBJ(X509_ATTRIBUTE **attr,
-             ASN1_OBJECT *obj, int atrtype, void *data, int len);
+             const ASN1_OBJECT *obj, int atrtype, const void *data, int len);
 X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_txt(X509_ATTRIBUTE **attr,
-                char *atrname, int type, unsigned char *bytes, int len);
-int X509_ATTRIBUTE_set1_object(X509_ATTRIBUTE *attr, ASN1_OBJECT *obj);
-int X509_ATTRIBUTE_set1_data(X509_ATTRIBUTE *attr, int attrtype, void *data, int len);
+                const char *atrname, int type, const unsigned char *bytes, int len);
+int X509_ATTRIBUTE_set1_object(X509_ATTRIBUTE *attr, const ASN1_OBJECT *obj);
+int X509_ATTRIBUTE_set1_data(X509_ATTRIBUTE *attr, int attrtype, const void *data, int len);
 void *X509_ATTRIBUTE_get0_data(X509_ATTRIBUTE *attr, int idx,
                                         int atrtype, void *data);
 int X509_ATTRIBUTE_count(X509_ATTRIBUTE *attr);
@@ -1174,31 +1149,17 @@ X509 *X509_find_by_issuer_and_serial(STACK_OF(X509) *sk,X509_NAME *name,
                                      ASN1_INTEGER *serial);
 X509 *X509_find_by_subject(STACK_OF(X509) *sk,X509_NAME *name);
 
-int i2d_PBEPARAM(PBEPARAM *a, unsigned char **pp);
-PBEPARAM *PBEPARAM_new(void);
-PBEPARAM *d2i_PBEPARAM(PBEPARAM **a, unsigned char **pp, long length);
-void PBEPARAM_free(PBEPARAM *a);
+DECLARE_ASN1_FUNCTIONS(PBEPARAM)
+DECLARE_ASN1_FUNCTIONS(PBE2PARAM)
+DECLARE_ASN1_FUNCTIONS(PBKDF2PARAM)
+
 X509_ALGOR *PKCS5_pbe_set(int alg, int iter, unsigned char *salt, int saltlen);
 X509_ALGOR *PKCS5_pbe2_set(const EVP_CIPHER *cipher, int iter,
                                          unsigned char *salt, int saltlen);
 
-int i2d_PBKDF2PARAM(PBKDF2PARAM *a, unsigned char **pp);
-PBKDF2PARAM *PBKDF2PARAM_new(void);
-PBKDF2PARAM *d2i_PBKDF2PARAM(PBKDF2PARAM **a, unsigned char **pp, long length);
-void PBKDF2PARAM_free(PBKDF2PARAM *a);
-
-int i2d_PBE2PARAM(PBE2PARAM *a, unsigned char **pp);
-PBE2PARAM *PBE2PARAM_new(void);
-PBE2PARAM *d2i_PBE2PARAM(PBE2PARAM **a, unsigned char **pp, long length);
-void PBE2PARAM_free(PBE2PARAM *a);
-
 /* PKCS#8 utilities */
 
-int i2d_PKCS8_PRIV_KEY_INFO(PKCS8_PRIV_KEY_INFO *a, unsigned char **pp);
-PKCS8_PRIV_KEY_INFO *PKCS8_PRIV_KEY_INFO_new(void);
-PKCS8_PRIV_KEY_INFO *d2i_PKCS8_PRIV_KEY_INFO(PKCS8_PRIV_KEY_INFO **a,
-                                         unsigned char **pp, long length);
-void PKCS8_PRIV_KEY_INFO_free(PKCS8_PRIV_KEY_INFO *a);
+DECLARE_ASN1_FUNCTIONS(PKCS8_PRIV_KEY_INFO)
 
 EVP_PKEY *EVP_PKCS82PKEY(PKCS8_PRIV_KEY_INFO *p8);
 PKCS8_PRIV_KEY_INFO *EVP_PKEY2PKCS8(EVP_PKEY *pkey);
@@ -1220,6 +1181,7 @@ int X509_TRUST_get_trust(X509_TRUST *xp);
 /* The following lines are auto generated by the script mkerr.pl. Any changes
  * made after this point may be overwritten when the script is next run.
  */
+void ERR_load_X509_strings(void);
 
 /* Error codes for the X509 functions. */
 
@@ -1258,9 +1220,12 @@ int X509_TRUST_get_trust(X509_TRUST *xp);
 #define X509_F_X509_REQ_TO_X509                          123
 #define X509_F_X509_STORE_ADD_CERT                       124
 #define X509_F_X509_STORE_ADD_CRL                        125
+#define X509_F_X509_STORE_CTX_INIT                       143
+#define X509_F_X509_STORE_CTX_NEW                        142
 #define X509_F_X509_STORE_CTX_PURPOSE_INHERIT            134
 #define X509_F_X509_TO_X509_REQ                          126
 #define X509_F_X509_TRUST_ADD                            133
+#define X509_F_X509_TRUST_SET                            141
 #define X509_F_X509_VERIFY_CERT                          127
 
 /* Reason codes. */
@@ -1271,6 +1236,7 @@ int X509_TRUST_get_trust(X509_TRUST *xp);
 #define X509_R_ERR_ASN1_LIB                              102
 #define X509_R_INVALID_DIRECTORY                         113
 #define X509_R_INVALID_FIELD_NAME                        119
+#define X509_R_INVALID_TRUST                             123
 #define X509_R_KEY_TYPE_MISMATCH                         115
 #define X509_R_KEY_VALUES_MISMATCH                       116
 #define X509_R_LOADING_CERT_DIR                          103
@@ -1291,4 +1257,3 @@ int X509_TRUST_get_trust(X509_TRUST *xp);
 }
 #endif
 #endif
-
diff --git a/src/lib/libcrypto/x509/x509_att.c b/src/lib/libcrypto/x509/x509_att.c
index caafde658f..0bae3d32a1 100644
--- a/src/lib/libcrypto/x509/x509_att.c
+++ b/src/lib/libcrypto/x509/x509_att.c
@@ -149,8 +149,8 @@ err2:
 }
 
 STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr_by_OBJ(STACK_OF(X509_ATTRIBUTE) **x,
-                        ASN1_OBJECT *obj, int type,
-                        unsigned char *bytes, int len)
+                        const ASN1_OBJECT *obj, int type,
+                        const unsigned char *bytes, int len)
 {
         X509_ATTRIBUTE *attr;
         STACK_OF(X509_ATTRIBUTE) *ret;
@@ -163,7 +163,7 @@ STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr_by_OBJ(STACK_OF(X509_ATTRIBUTE) **x,
 
 STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr_by_NID(STACK_OF(X509_ATTRIBUTE) **x,
                         int nid, int type,
-                        unsigned char *bytes, int len)
+                        const unsigned char *bytes, int len)
 {
         X509_ATTRIBUTE *attr;
         STACK_OF(X509_ATTRIBUTE) *ret;
@@ -175,8 +175,8 @@ STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr_by_NID(STACK_OF(X509_ATTRIBUTE) **x,
 }
 
 STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr_by_txt(STACK_OF(X509_ATTRIBUTE) **x,
-                        char *attrname, int type,
-                        unsigned char *bytes, int len)
+                        const char *attrname, int type,
+                        const unsigned char *bytes, int len)
 {
         X509_ATTRIBUTE *attr;
         STACK_OF(X509_ATTRIBUTE) *ret;
@@ -188,7 +188,7 @@ STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr_by_txt(STACK_OF(X509_ATTRIBUTE) **x,
 }
 
 X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_NID(X509_ATTRIBUTE **attr, int nid,
-             int atrtype, void *data, int len)
+             int atrtype, const void *data, int len)
 {
         ASN1_OBJECT *obj;
         X509_ATTRIBUTE *ret;
@@ -205,7 +205,7 @@ X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_NID(X509_ATTRIBUTE **attr, int nid,
 }
 
 X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_OBJ(X509_ATTRIBUTE **attr,
-             ASN1_OBJECT *obj, int atrtype, void *data, int len)
+             const ASN1_OBJECT *obj, int atrtype, const void *data, int len)
 {
         X509_ATTRIBUTE *ret;
 
@@ -234,7 +234,7 @@ err:
 }
 
 X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_txt(X509_ATTRIBUTE **attr,
-                char *atrname, int type, unsigned char *bytes, int len)
+                const char *atrname, int type, const unsigned char *bytes, int len)
         {
         ASN1_OBJECT *obj;
         X509_ATTRIBUTE *nattr;
@@ -252,7 +252,7 @@ X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_txt(X509_ATTRIBUTE **attr,
         return nattr;
         }
 
-int X509_ATTRIBUTE_set1_object(X509_ATTRIBUTE *attr, ASN1_OBJECT *obj)
+int X509_ATTRIBUTE_set1_object(X509_ATTRIBUTE *attr, const ASN1_OBJECT *obj)
 {
         if ((attr == NULL) || (obj == NULL))
                 return(0);
@@ -261,7 +261,7 @@ int X509_ATTRIBUTE_set1_object(X509_ATTRIBUTE *attr, ASN1_OBJECT *obj)
         return(1);
 }
 
-int X509_ATTRIBUTE_set1_data(X509_ATTRIBUTE *attr, int attrtype, void *data, int len)
+int X509_ATTRIBUTE_set1_data(X509_ATTRIBUTE *attr, int attrtype, const void *data, int len)
 {
         ASN1_TYPE *ttmp;
         ASN1_STRING *stmp;
@@ -283,7 +283,7 @@ int X509_ATTRIBUTE_set1_data(X509_ATTRIBUTE *attr, int attrtype, void *data, int
         if(!(attr->value.set = sk_ASN1_TYPE_new_null())) goto err;
         if(!(ttmp = ASN1_TYPE_new())) goto err;
         if(!sk_ASN1_TYPE_push(attr->value.set, ttmp)) goto err;
-        attr->set = 1;
+        attr->single = 0;
         ASN1_TYPE_set(ttmp, atype, stmp);
         return 1;
         err:
@@ -293,7 +293,7 @@ int X509_ATTRIBUTE_set1_data(X509_ATTRIBUTE *attr, int attrtype, void *data, int
 
 int X509_ATTRIBUTE_count(X509_ATTRIBUTE *attr)
 {
-        if(attr->set) return sk_ASN1_TYPE_num(attr->value.set);
+        if(!attr->single) return sk_ASN1_TYPE_num(attr->value.set);
         if(attr->value.single) return 1;
         return 0;
 }
@@ -321,6 +321,6 @@ ASN1_TYPE *X509_ATTRIBUTE_get0_type(X509_ATTRIBUTE *attr, int idx)
 {
         if (attr == NULL) return(NULL);
         if(idx >= X509_ATTRIBUTE_count(attr)) return NULL;
-        if(attr->set) return sk_ASN1_TYPE_value(attr->value.set, idx);
+        if(!attr->single) return sk_ASN1_TYPE_value(attr->value.set, idx);
         else return attr->value.single;
 }
diff --git a/src/lib/libcrypto/x509/x509_cmp.c b/src/lib/libcrypto/x509/x509_cmp.c
index 3f9f9b3d47..cd20b6d66f 100644
--- a/src/lib/libcrypto/x509/x509_cmp.c
+++ b/src/lib/libcrypto/x509/x509_cmp.c
@@ -75,24 +75,26 @@ int X509_issuer_and_serial_cmp(const X509 *a, const X509 *b)
         return(X509_NAME_cmp(ai->issuer,bi->issuer));
         }
 
-#ifndef NO_MD5
+#ifndef OPENSSL_NO_MD5
 unsigned long X509_issuer_and_serial_hash(X509 *a)
         {
         unsigned long ret=0;
-        MD5_CTX ctx;
+        EVP_MD_CTX ctx;
         unsigned char md[16];
         char str[256];
 
+        EVP_MD_CTX_init(&ctx);
         X509_NAME_oneline(a->cert_info->issuer,str,256);
         ret=strlen(str);
-        MD5_Init(&ctx);
-        MD5_Update(&ctx,(unsigned char *)str,ret);
-        MD5_Update(&ctx,(unsigned char *)a->cert_info->serialNumber->data,
+        EVP_DigestInit_ex(&ctx, EVP_md5(), NULL);
+        EVP_DigestUpdate(&ctx,(unsigned char *)str,ret);
+        EVP_DigestUpdate(&ctx,(unsigned char *)a->cert_info->serialNumber->data,
                 (unsigned long)a->cert_info->serialNumber->length);
-        MD5_Final(&(md[0]),&ctx);
+        EVP_DigestFinal_ex(&ctx,&(md[0]),NULL);
         ret=(   ((unsigned long)md[0]     )|((unsigned long)md[1]<<8L)|
                 ((unsigned long)md[2]<<16L)|((unsigned long)md[3]<<24L)
                 )&0xffffffffL;
+        EVP_MD_CTX_cleanup(&ctx);
         return(ret);
         }
 #endif
@@ -137,7 +139,7 @@ unsigned long X509_subject_name_hash(X509 *x)
         return(X509_NAME_hash(x->cert_info->subject));
         }
 
-#ifndef NO_SHA
+#ifndef OPENSSL_NO_SHA
 /* Compare two certificates: they must be identical for
  * this to work. NB: Although "cmp" operations are generally
  * prototyped to take "const" arguments (eg. for use in
@@ -192,7 +194,7 @@ int X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b)
         return(0);
         }
 
-#ifndef NO_MD5
+#ifndef OPENSSL_NO_MD5
 /* I now DER encode the name and hash it.  Since I cache the DER encoding,
  * this is reasonably efficient. */
 unsigned long X509_NAME_hash(X509_NAME *x)
@@ -200,12 +202,9 @@ unsigned long X509_NAME_hash(X509_NAME *x)
         unsigned long ret=0;
         unsigned char md[16];
 
-        /* Ensure cached version is up to date */
+        /* Make sure X509_NAME structure contains valid cached encoding */
         i2d_X509_NAME(x,NULL);
-        /* Use cached encoding directly rather than copying: this should
-         * keep libsafe happy.
-         */
-        MD5((unsigned char *)x->bytes->data,x->bytes->length,&(md[0]));
+        EVP_Digest(x->bytes->data, x->bytes->length, md, NULL, EVP_md5(), NULL);
 
         ret=(   ((unsigned long)md[0]     )|((unsigned long)md[1]<<8L)|
                 ((unsigned long)md[2]<<16L)|((unsigned long)md[3]<<24L)
@@ -258,6 +257,12 @@ EVP_PKEY *X509_get_pubkey(X509 *x)
         return(X509_PUBKEY_get(x->cert_info->key));
         }
 
+ASN1_BIT_STRING *X509_get0_pubkey_bitstr(const X509 *x)
+        {
+        if(!x) return NULL;
+        return x->cert_info->key->public_key;
+        }
+
 int X509_check_private_key(X509 *x, EVP_PKEY *k)
         {
         EVP_PKEY *xk=NULL;
@@ -271,7 +276,7 @@ int X509_check_private_key(X509 *x, EVP_PKEY *k)
             }
         switch (k->type)
                 {
-#ifndef NO_RSA
+#ifndef OPENSSL_NO_RSA
         case EVP_PKEY_RSA:
                 if (BN_cmp(xk->pkey.rsa->n,k->pkey.rsa->n) != 0
                     || BN_cmp(xk->pkey.rsa->e,k->pkey.rsa->e) != 0)
@@ -281,7 +286,7 @@ int X509_check_private_key(X509 *x, EVP_PKEY *k)
                     }
                 break;
 #endif
-#ifndef NO_DSA
+#ifndef OPENSSL_NO_DSA
         case EVP_PKEY_DSA:
                 if (BN_cmp(xk->pkey.dsa->pub_key,k->pkey.dsa->pub_key) != 0)
                     {
@@ -290,7 +295,7 @@ int X509_check_private_key(X509 *x, EVP_PKEY *k)
                     }
                 break;
 #endif
-#ifndef NO_DH
+#ifndef OPENSSL_NO_DH
         case EVP_PKEY_DH:
                 /* No idea */
                 X509err(X509_F_X509_CHECK_PRIVATE_KEY,X509_R_CANT_CHECK_DH_KEY);
diff --git a/src/lib/libcrypto/x509/x509_d2.c b/src/lib/libcrypto/x509/x509_d2.c
index 753d53eb43..51410cfd1a 100644
--- a/src/lib/libcrypto/x509/x509_d2.c
+++ b/src/lib/libcrypto/x509/x509_d2.c
@@ -61,7 +61,7 @@
 #include <openssl/crypto.h>
 #include <openssl/x509.h>
 
-#ifndef NO_STDIO
+#ifndef OPENSSL_NO_STDIO
 int X509_STORE_set_default_paths(X509_STORE *ctx)
         {
         X509_LOOKUP *lookup;
diff --git a/src/lib/libcrypto/x509/x509_err.c b/src/lib/libcrypto/x509/x509_err.c
index 848add56e9..5bbf4acf76 100644
--- a/src/lib/libcrypto/x509/x509_err.c
+++ b/src/lib/libcrypto/x509/x509_err.c
@@ -63,7 +63,7 @@
 #include <openssl/x509.h>
 
 /* BEGIN ERROR CODES */
-#ifndef NO_ERR
+#ifndef OPENSSL_NO_ERR
 static ERR_STRING_DATA X509_str_functs[]=
         {
 {ERR_PACK(0,X509_F_ADD_CERT_DIR,0),     "ADD_CERT_DIR"},
@@ -100,9 +100,12 @@ static ERR_STRING_DATA X509_str_functs[]=
 {ERR_PACK(0,X509_F_X509_REQ_TO_X509,0), "X509_REQ_to_X509"},
 {ERR_PACK(0,X509_F_X509_STORE_ADD_CERT,0),      "X509_STORE_add_cert"},
 {ERR_PACK(0,X509_F_X509_STORE_ADD_CRL,0),       "X509_STORE_add_crl"},
+{ERR_PACK(0,X509_F_X509_STORE_CTX_INIT,0),      "X509_STORE_CTX_init"},
+{ERR_PACK(0,X509_F_X509_STORE_CTX_NEW,0),       "X509_STORE_CTX_new"},
 {ERR_PACK(0,X509_F_X509_STORE_CTX_PURPOSE_INHERIT,0),   "X509_STORE_CTX_purpose_inherit"},
 {ERR_PACK(0,X509_F_X509_TO_X509_REQ,0), "X509_to_X509_REQ"},
 {ERR_PACK(0,X509_F_X509_TRUST_ADD,0),   "X509_TRUST_add"},
+{ERR_PACK(0,X509_F_X509_TRUST_SET,0),   "X509_TRUST_set"},
 {ERR_PACK(0,X509_F_X509_VERIFY_CERT,0), "X509_verify_cert"},
 {0,NULL}
         };
@@ -116,6 +119,7 @@ static ERR_STRING_DATA X509_str_reasons[]=
 {X509_R_ERR_ASN1_LIB                     ,"err asn1 lib"},
 {X509_R_INVALID_DIRECTORY                ,"invalid directory"},
 {X509_R_INVALID_FIELD_NAME               ,"invalid field name"},
+{X509_R_INVALID_TRUST                    ,"invalid trust"},
 {X509_R_KEY_TYPE_MISMATCH                ,"key type mismatch"},
 {X509_R_KEY_VALUES_MISMATCH              ,"key values mismatch"},
 {X509_R_LOADING_CERT_DIR                 ,"loading cert dir"},
@@ -143,7 +147,7 @@ void ERR_load_X509_strings(void)
         if (init)
                 {
                 init=0;
-#ifndef NO_ERR
+#ifndef OPENSSL_NO_ERR
                 ERR_load_strings(ERR_LIB_X509,X509_str_functs);
                 ERR_load_strings(ERR_LIB_X509,X509_str_reasons);
 #endif
diff --git a/src/lib/libcrypto/x509/x509_ext.c b/src/lib/libcrypto/x509/x509_ext.c
index 2955989807..e7fdacb5e4 100644
--- a/src/lib/libcrypto/x509/x509_ext.c
+++ b/src/lib/libcrypto/x509/x509_ext.c
@@ -101,6 +101,12 @@ void *X509_CRL_get_ext_d2i(X509_CRL *x, int nid, int *crit, int *idx)
         return X509V3_get_d2i(x->crl->extensions, nid, crit, idx);
 }
 
+int X509_CRL_add1_ext_i2d(X509_CRL *x, int nid, void *value, int crit,
+                                                        unsigned long flags)
+{
+        return X509V3_add1_i2d(&x->crl->extensions, nid, value, crit, flags);
+}
+
 int X509_CRL_add_ext(X509_CRL *x, X509_EXTENSION *ex, int loc)
         {
         return(X509v3_add_ext(&(x->crl->extensions),ex,loc) != NULL);
@@ -146,6 +152,13 @@ void *X509_get_ext_d2i(X509 *x, int nid, int *crit, int *idx)
         return X509V3_get_d2i(x->cert_info->extensions, nid, crit, idx);
 }
 
+int X509_add1_ext_i2d(X509 *x, int nid, void *value, int crit,
+                                                        unsigned long flags)
+{
+        return X509V3_add1_i2d(&x->cert_info->extensions, nid, value, crit,
+                                                        flags);
+}
+
 int X509_REVOKED_get_ext_count(X509_REVOKED *x)
         {
         return(X509v3_get_ext_count(x->extensions));
@@ -187,5 +200,11 @@ void *X509_REVOKED_get_ext_d2i(X509_REVOKED *x, int nid, int *crit, int *idx)
         return X509V3_get_d2i(x->extensions, nid, crit, idx);
 }
 
+int X509_REVOKED_add1_ext_i2d(X509_REVOKED *x, int nid, void *value, int crit,
+                                                        unsigned long flags)
+{
+        return X509V3_add1_i2d(&x->extensions, nid, value, crit, flags);
+}
+
 IMPLEMENT_STACK_OF(X509_EXTENSION)
 IMPLEMENT_ASN1_SET_OF(X509_EXTENSION)
diff --git a/src/lib/libcrypto/x509/x509_lu.c b/src/lib/libcrypto/x509/x509_lu.c
index 863c738cad..b780dae5e2 100644
--- a/src/lib/libcrypto/x509/x509_lu.c
+++ b/src/lib/libcrypto/x509/x509_lu.c
@@ -60,8 +60,7 @@
 #include "cryptlib.h"
 #include <openssl/lhash.h>
 #include <openssl/x509.h>
-
-static STACK_OF(CRYPTO_EX_DATA_FUNCS) *x509_store_meth=NULL;
+#include <openssl/x509v3.h>
 
 X509_LOOKUP *X509_LOOKUP_new(X509_LOOKUP_METHOD *method)
         {
@@ -185,9 +184,23 @@ X509_STORE *X509_STORE_new(void)
         ret->objs = sk_X509_OBJECT_new(x509_object_cmp);
         ret->cache=1;
         ret->get_cert_methods=sk_X509_LOOKUP_new_null();
-        ret->verify=NULL;
-        ret->verify_cb=NULL;
-        memset(&ret->ex_data,0,sizeof(CRYPTO_EX_DATA));
+        ret->verify=0;
+        ret->verify_cb=0;
+
+        ret->purpose = 0;
+        ret->trust = 0;
+
+        ret->flags = 0;
+
+        ret->get_issuer = 0;
+        ret->check_issued = 0;
+        ret->check_revocation = 0;
+        ret->get_crl = 0;
+        ret->check_crl = 0;
+        ret->cert_crl = 0;
+        ret->cleanup = 0;
+
+        CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509_STORE, ret, &ret->ex_data);
         ret->references=1;
         ret->depth=0;
         return ret;
@@ -230,7 +243,7 @@ void X509_STORE_free(X509_STORE *vfy)
         sk_X509_LOOKUP_free(sk);
         sk_X509_OBJECT_pop_free(vfy->objs, cleanup);
 
-        CRYPTO_free_ex_data(x509_store_meth,vfy,&vfy->ex_data);
+        CRYPTO_free_ex_data(CRYPTO_EX_INDEX_X509_STORE, vfy, &vfy->ex_data);
         OPENSSL_free(vfy);
         }
 
@@ -525,5 +538,20 @@ int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
         return 0;
 }
 
+void X509_STORE_set_flags(X509_STORE *ctx, long flags)
+        {
+        ctx->flags |= flags;
+        }
+
+int X509_STORE_set_purpose(X509_STORE *ctx, int purpose)
+        {
+        return X509_PURPOSE_set(&ctx->purpose, purpose);
+        }
+
+int X509_STORE_set_trust(X509_STORE *ctx, int trust)
+        {
+        return X509_TRUST_set(&ctx->trust, trust);
+        }
+
 IMPLEMENT_STACK_OF(X509_LOOKUP)
 IMPLEMENT_STACK_OF(X509_OBJECT)
diff --git a/src/lib/libcrypto/x509/x509_obj.c b/src/lib/libcrypto/x509/x509_obj.c
index f0271fdfa1..1e718f76eb 100644
--- a/src/lib/libcrypto/x509/x509_obj.c
+++ b/src/lib/libcrypto/x509/x509_obj.c
@@ -94,6 +94,7 @@ int i;
                 OPENSSL_free(b);
                 }
             strncpy(buf,"NO X509_NAME",len);
+            buf[len-1]='\0';
             return buf;
             }
 
diff --git a/src/lib/libcrypto/x509/x509_req.c b/src/lib/libcrypto/x509/x509_req.c
index 7eca1bd57a..0affa3bf30 100644
--- a/src/lib/libcrypto/x509/x509_req.c
+++ b/src/lib/libcrypto/x509/x509_req.c
@@ -156,9 +156,9 @@ STACK_OF(X509_EXTENSION) *X509_REQ_get_extensions(X509_REQ *req)
         for(i = 0; i < sk_X509_ATTRIBUTE_num(sk); i++) {
                 attr = sk_X509_ATTRIBUTE_value(sk, i);
                 if(X509_REQ_extension_nid(OBJ_obj2nid(attr->object))) {
-                        if(attr->set && sk_ASN1_TYPE_num(attr->value.set))
+                        if(attr->single) ext = attr->value.single;
+                        else if(sk_ASN1_TYPE_num(attr->value.set))
                                 ext = sk_ASN1_TYPE_value(attr->value.set, 0);
-                        else ext = attr->value.single;
                         break;
                 }
         }
@@ -199,7 +199,7 @@ int X509_REQ_add_extensions_nid(X509_REQ *req, STACK_OF(X509_EXTENSION) *exts,
         if(!(attr->value.set = sk_ASN1_TYPE_new_null())) goto err;
         if(!sk_ASN1_TYPE_push(attr->value.set, at)) goto err;
         at = NULL;
-        attr->set = 1;
+        attr->single = 0;
         attr->object = OBJ_nid2obj(nid);
         if(!sk_X509_ATTRIBUTE_push(req->req_info->attributes, attr)) goto err;
         return 1;
@@ -251,8 +251,8 @@ int X509_REQ_add1_attr(X509_REQ *req, X509_ATTRIBUTE *attr)
 }
 
 int X509_REQ_add1_attr_by_OBJ(X509_REQ *req,
-                        ASN1_OBJECT *obj, int type,
-                        unsigned char *bytes, int len)
+                        const ASN1_OBJECT *obj, int type,
+                        const unsigned char *bytes, int len)
 {
         if(X509at_add1_attr_by_OBJ(&req->req_info->attributes, obj,
                                 type, bytes, len)) return 1;
@@ -261,7 +261,7 @@ int X509_REQ_add1_attr_by_OBJ(X509_REQ *req,
 
 int X509_REQ_add1_attr_by_NID(X509_REQ *req,
                         int nid, int type,
-                        unsigned char *bytes, int len)
+                        const unsigned char *bytes, int len)
 {
         if(X509at_add1_attr_by_NID(&req->req_info->attributes, nid,
                                 type, bytes, len)) return 1;
@@ -269,8 +269,8 @@ int X509_REQ_add1_attr_by_NID(X509_REQ *req,
 }
 
 int X509_REQ_add1_attr_by_txt(X509_REQ *req,
-                        char *attrname, int type,
-                        unsigned char *bytes, int len)
+                        const char *attrname, int type,
+                        const unsigned char *bytes, int len)
 {
         if(X509at_add1_attr_by_txt(&req->req_info->attributes, attrname,
                                 type, bytes, len)) return 1;
diff --git a/src/lib/libcrypto/x509/x509_trs.c b/src/lib/libcrypto/x509/x509_trs.c
index 86b3b79dcc..17d69ac005 100644
--- a/src/lib/libcrypto/x509/x509_trs.c
+++ b/src/lib/libcrypto/x509/x509_trs.c
@@ -66,6 +66,7 @@ static int tr_cmp(const X509_TRUST * const *a,
 static void trtable_free(X509_TRUST *p);
 
 static int trust_1oidany(X509_TRUST *trust, X509 *x, int flags);
+static int trust_1oid(X509_TRUST *trust, X509 *x, int flags);
 static int trust_compat(X509_TRUST *trust, X509 *x, int flags);
 
 static int obj_trust(int id, X509 *x, int flags);
@@ -79,8 +80,10 @@ static int (*default_trust)(int id, X509 *x, int flags) = obj_trust;
 static X509_TRUST trstandard[] = {
 {X509_TRUST_COMPAT, 0, trust_compat, "compatible", 0, NULL},
 {X509_TRUST_SSL_CLIENT, 0, trust_1oidany, "SSL Client", NID_client_auth, NULL},
-{X509_TRUST_SSL_SERVER, 0, trust_1oidany, "SSL Client", NID_server_auth, NULL},
+{X509_TRUST_SSL_SERVER, 0, trust_1oidany, "SSL Server", NID_server_auth, NULL},
 {X509_TRUST_EMAIL, 0, trust_1oidany, "S/MIME email", NID_email_protect, NULL},
+{X509_TRUST_OCSP_SIGN, 0, trust_1oid, "OCSP responder", NID_OCSP_sign, NULL},
+{X509_TRUST_OCSP_REQUEST, 0, trust_1oid, "OCSP request", NID_ad_OCSP, NULL}
 };
 
 #define X509_TRUST_COUNT        (sizeof(trstandard)/sizeof(X509_TRUST))
@@ -97,10 +100,10 @@ static int tr_cmp(const X509_TRUST * const *a,
 
 int (*X509_TRUST_set_default(int (*trust)(int , X509 *, int)))(int, X509 *, int)
 {
-int (*oldtrust)(int , X509 *, int);
-oldtrust = default_trust;
-default_trust = trust;
-return oldtrust;
+        int (*oldtrust)(int , X509 *, int);
+        oldtrust = default_trust;
+        default_trust = trust;
+        return oldtrust;
 }
 
 
@@ -141,6 +144,16 @@ int X509_TRUST_get_by_id(int id)
         return idx + X509_TRUST_COUNT;
 }
 
+int X509_TRUST_set(int *t, int trust)
+{
+        if(X509_TRUST_get_by_id(trust) == -1) {
+                X509err(X509_F_X509_TRUST_SET, X509_R_INVALID_TRUST);
+                return 0;
+        }
+        *t = trust;
+        return 1;
+}
+
 int X509_TRUST_add(int id, int flags, int (*ck)(X509_TRUST *, X509 *, int),
                                         char *name, int arg1, void *arg2)
 {
@@ -236,6 +249,12 @@ static int trust_1oidany(X509_TRUST *trust, X509 *x, int flags)
         return trust_compat(trust, x, flags);
 }
 
+static int trust_1oid(X509_TRUST *trust, X509 *x, int flags)
+{
+        if(x->aux) return obj_trust(trust->arg1, x, flags);
+        return X509_TRUST_UNTRUSTED;
+}
+
 static int trust_compat(X509_TRUST *trust, X509 *x, int flags)
 {
         X509_check_purpose(x, -1, 0);
diff --git a/src/lib/libcrypto/x509/x509_txt.c b/src/lib/libcrypto/x509/x509_txt.c
index cfb478d4bc..4f83db8ba2 100644
--- a/src/lib/libcrypto/x509/x509_txt.c
+++ b/src/lib/libcrypto/x509/x509_txt.c
@@ -83,7 +83,7 @@ const char *X509_verify_cert_error_string(long n)
         case X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE:
                 return("unable to decrypt certificate's signature");
         case X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE:
-                return("unable to decrypt CRL's's signature");
+                return("unable to decrypt CRL's signature");
         case X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY:
                 return("unable to decode issuer public key");
         case X509_V_ERR_CERT_SIGNATURE_FAILURE:
@@ -95,7 +95,7 @@ const char *X509_verify_cert_error_string(long n)
         case X509_V_ERR_CRL_NOT_YET_VALID:
                 return("CRL is not yet valid");
         case X509_V_ERR_CERT_HAS_EXPIRED:
-                return("Certificate has expired");
+                return("certificate has expired");
         case X509_V_ERR_CRL_HAS_EXPIRED:
                 return("CRL has expired");
         case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
@@ -141,6 +141,12 @@ const char *X509_verify_cert_error_string(long n)
         case X509_V_ERR_KEYUSAGE_NO_CERTSIGN:
                 return("key usage does not include certificate signing");
 
+        case X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER:
+                return("unable to get CRL issuer certificate");
+
+        case X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION:
+                return("unhandled critical extension");
+
         default:
                 sprintf(buf,"error number %ld",n);
                 return(buf);
diff --git a/src/lib/libcrypto/x509/x509_v3.c b/src/lib/libcrypto/x509/x509_v3.c
index 52887986fe..b5f7daa2e5 100644
--- a/src/lib/libcrypto/x509/x509_v3.c
+++ b/src/lib/libcrypto/x509/x509_v3.c
@@ -115,8 +115,8 @@ int X509v3_get_ext_by_critical(const STACK_OF(X509_EXTENSION) *sk, int crit,
         for ( ; lastpos < n; lastpos++)
                 {
                 ex=sk_X509_EXTENSION_value(sk,lastpos);
-                if (    (ex->critical && crit) ||
-                        (!ex->critical && !crit))
+                if (    ((ex->critical > 0) && crit) ||
+                        (!(ex->critical <= 0) && !crit))
                         return(lastpos);
                 }
         return(-1);
@@ -234,7 +234,7 @@ int X509_EXTENSION_set_object(X509_EXTENSION *ex, ASN1_OBJECT *obj)
 int X509_EXTENSION_set_critical(X509_EXTENSION *ex, int crit)
         {
         if (ex == NULL) return(0);
-        ex->critical=(crit)?0xFF:0;
+        ex->critical=(crit)?0xFF:-1;
         return(1);
         }
 
@@ -263,5 +263,6 @@ ASN1_OCTET_STRING *X509_EXTENSION_get_data(X509_EXTENSION *ex)
 int X509_EXTENSION_get_critical(X509_EXTENSION *ex)
         {
         if (ex == NULL) return(0);
-        return(ex->critical);
+        if(ex->critical > 0) return 1;
+        return 0;
         }
diff --git a/src/lib/libcrypto/x509/x509_vfy.c b/src/lib/libcrypto/x509/x509_vfy.c
index 0f4110cc64..db12f7bd35 100644
--- a/src/lib/libcrypto/x509/x509_vfy.c
+++ b/src/lib/libcrypto/x509/x509_vfy.c
@@ -75,15 +75,11 @@ static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer);
 static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x);
 static int check_chain_purpose(X509_STORE_CTX *ctx);
 static int check_trust(X509_STORE_CTX *ctx);
+static int check_revocation(X509_STORE_CTX *ctx);
+static int check_cert(X509_STORE_CTX *ctx);
 static int internal_verify(X509_STORE_CTX *ctx);
 const char *X509_version="X.509" OPENSSL_VERSION_PTEXT;
 
-static STACK_OF(CRYPTO_EX_DATA_FUNCS) *x509_store_ctx_method=NULL;
-static int x509_store_ctx_num=0;
-#if 0
-static int x509_store_num=1;
-static STACK *x509_store_method=NULL;
-#endif
 
 static int null_callback(int ok, X509_STORE_CTX *e)
         {
@@ -113,7 +109,6 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
                 }
 
         cb=ctx->verify_cb;
-        if (cb == NULL) cb=null_callback;
 
         /* first we make sure the chain we are going to build is
          * present and that the first entry is in place */
@@ -299,6 +294,13 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
         /* We may as well copy down any DSA parameters that are required */
         X509_get_pubkey_parameters(NULL,ctx->chain);
 
+        /* Check revocation status: we do this after copying parameters
+         * because they may be needed for CRL signature verification.
+         */
+
+        ok = ctx->check_revocation(ctx);
+        if(!ok) goto end;
+
         /* At this point, we have a chain and just need to verify it */
         if (ctx->verify != NULL)
                 ok=ctx->verify(ctx);
@@ -346,8 +348,7 @@ static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer)
         ctx->error = ret;
         ctx->current_cert = x;
         ctx->current_issuer = issuer;
-        if (ctx->verify_cb)
-                return ctx->verify_cb(0, ctx);
+        return ctx->verify_cb(0, ctx);
         return 0;
 }
 
@@ -372,18 +373,26 @@ static int get_issuer_sk(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
 
 static int check_chain_purpose(X509_STORE_CTX *ctx)
 {
-#ifdef NO_CHAIN_VERIFY
+#ifdef OPENSSL_NO_CHAIN_VERIFY
         return 1;
 #else
         int i, ok=0;
         X509 *x;
         int (*cb)();
         cb=ctx->verify_cb;
-        if (cb == NULL) cb=null_callback;
         /* Check all untrusted certificates */
         for (i = 0; i < ctx->last_untrusted; i++)
                 {
                 x = sk_X509_value(ctx->chain, i);
+                if (!(ctx->flags & X509_V_FLAG_IGNORE_CRITICAL)
+                        && (x->ex_flags & EXFLAG_CRITICAL))
+                        {
+                        ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION;
+                        ctx->error_depth = i;
+                        ctx->current_cert = x;
+                        ok=cb(0,ctx);
+                        if (!ok) goto end;
+                        }
                 if (!X509_check_purpose(x, ctx->purpose, i))
                         {
                         if (i)
@@ -414,21 +423,20 @@ static int check_chain_purpose(X509_STORE_CTX *ctx)
 
 static int check_trust(X509_STORE_CTX *ctx)
 {
-#ifdef NO_CHAIN_VERIFY
+#ifdef OPENSSL_NO_CHAIN_VERIFY
         return 1;
 #else
         int i, ok;
         X509 *x;
         int (*cb)();
         cb=ctx->verify_cb;
-        if (cb == NULL) cb=null_callback;
 /* For now just check the last certificate in the chain */
         i = sk_X509_num(ctx->chain) - 1;
         x = sk_X509_value(ctx->chain, i);
         ok = X509_check_trust(x, ctx->trust, 0);
         if (ok == X509_TRUST_TRUSTED)
                 return 1;
-        ctx->error_depth = sk_X509_num(ctx->chain) - 1;
+        ctx->error_depth = i;
         ctx->current_cert = x;
         if (ok == X509_TRUST_REJECTED)
                 ctx->error = X509_V_ERR_CERT_REJECTED;
@@ -439,6 +447,183 @@ static int check_trust(X509_STORE_CTX *ctx)
 #endif
 }
 
+static int check_revocation(X509_STORE_CTX *ctx)
+        {
+        int i, last, ok;
+        if (!(ctx->flags & X509_V_FLAG_CRL_CHECK))
+                return 1;
+        if (ctx->flags & X509_V_FLAG_CRL_CHECK_ALL)
+                last = 0;
+        else
+                last = sk_X509_num(ctx->chain) - 1;
+        for(i = 0; i <= last; i++)
+                {
+                ctx->error_depth = i;
+                ok = check_cert(ctx);
+                if (!ok) return ok;
+                }
+        return 1;
+        }
+
+static int check_cert(X509_STORE_CTX *ctx)
+        {
+        X509_CRL *crl = NULL;
+        X509 *x;
+        int ok, cnum;
+        cnum = ctx->error_depth;
+        x = sk_X509_value(ctx->chain, cnum);
+        ctx->current_cert = x;
+        /* Try to retrieve relevant CRL */
+        ok = ctx->get_crl(ctx, &crl, x);
+        /* If error looking up CRL, nothing we can do except
+         * notify callback
+         */
+        if(!ok)
+                {
+                ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL;
+                ok = ctx->verify_cb(0, ctx);
+                goto err;
+                }
+        ctx->current_crl = crl;
+        ok = ctx->check_crl(ctx, crl);
+        if (!ok) goto err;
+        ok = ctx->cert_crl(ctx, crl, x);
+        err:
+        ctx->current_crl = NULL;
+        X509_CRL_free(crl);
+        return ok;
+
+        }
+
+/* Retrieve CRL corresponding to certificate: currently just a
+ * subject lookup: maybe use AKID later...
+ * Also might look up any included CRLs too (e.g PKCS#7 signedData).
+ */
+static int get_crl(X509_STORE_CTX *ctx, X509_CRL **crl, X509 *x)
+        {
+        int ok;
+        X509_OBJECT xobj;
+        ok = X509_STORE_get_by_subject(ctx, X509_LU_CRL, X509_get_issuer_name(x), &xobj);
+        if (!ok) return 0;
+        *crl = xobj.data.crl;
+        return 1;
+        }
+
+/* Check CRL validity */
+static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl)
+        {
+        X509 *issuer = NULL;
+        EVP_PKEY *ikey = NULL;
+        int ok = 0, chnum, cnum, i;
+        time_t *ptime;
+        cnum = ctx->error_depth;
+        chnum = sk_X509_num(ctx->chain) - 1;
+        /* Find CRL issuer: if not last certificate then issuer
+         * is next certificate in chain.
+         */
+        if(cnum < chnum)
+                issuer = sk_X509_value(ctx->chain, cnum + 1);
+        else
+                {
+                issuer = sk_X509_value(ctx->chain, chnum);
+                /* If not self signed, can't check signature */
+                if(!ctx->check_issued(ctx, issuer, issuer))
+                        {
+                        ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER;
+                        ok = ctx->verify_cb(0, ctx);
+                        if(!ok) goto err;
+                        }
+                }
+
+        if(issuer)
+                {
+
+                /* Attempt to get issuer certificate public key */
+                ikey = X509_get_pubkey(issuer);
+
+                if(!ikey)
+                        {
+                        ctx->error=X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY;
+                        ok = ctx->verify_cb(0, ctx);
+                        if (!ok) goto err;
+                        }
+                else
+                        {
+                        /* Verify CRL signature */
+                        if(X509_CRL_verify(crl, ikey) <= 0)
+                                {
+                                ctx->error=X509_V_ERR_CRL_SIGNATURE_FAILURE;
+                                ok = ctx->verify_cb(0, ctx);
+                                if (!ok) goto err;
+                                }
+                        }
+                }
+
+        /* OK, CRL signature valid check times */
+        if (ctx->flags & X509_V_FLAG_USE_CHECK_TIME)
+                ptime = &ctx->check_time;
+        else
+                ptime = NULL;
+
+        i=X509_cmp_time(X509_CRL_get_lastUpdate(crl), ptime);
+        if (i == 0)
+                {
+                ctx->error=X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD;
+                ok = ctx->verify_cb(0, ctx);
+                if (!ok) goto err;
+                }
+
+        if (i > 0)
+                {
+                ctx->error=X509_V_ERR_CRL_NOT_YET_VALID;
+                ok = ctx->verify_cb(0, ctx);
+                if (!ok) goto err;
+                }
+
+        if(X509_CRL_get_nextUpdate(crl))
+                {
+                i=X509_cmp_time(X509_CRL_get_nextUpdate(crl), ptime);
+
+                if (i == 0)
+                        {
+                        ctx->error=X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD;
+                        ok = ctx->verify_cb(0, ctx);
+                        if (!ok) goto err;
+                        }
+
+                if (i < 0)
+                        {
+                        ctx->error=X509_V_ERR_CRL_HAS_EXPIRED;
+                        ok = ctx->verify_cb(0, ctx);
+                        if (!ok) goto err;
+                        }
+                }
+
+        ok = 1;
+
+        err:
+        EVP_PKEY_free(ikey);
+        return ok;
+        }
+
+/* Check certificate against CRL */
+static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x)
+        {
+        int idx, ok;
+        X509_REVOKED rtmp;
+        /* Look for serial number of certificate in CRL */
+        rtmp.serialNumber = X509_get_serialNumber(x);
+        idx = sk_X509_REVOKED_find(crl->crl->revoked, &rtmp);
+        /* Not found: OK */
+        if(idx == -1) return 1;
+        /* Otherwise revoked: want something cleverer than
+         * this to handle entry extensions in V2 CRLs.
+         */
+        ctx->error = X509_V_ERR_CERT_REVOKED;
+        ok = ctx->verify_cb(0, ctx);
+        return ok;
+        }
+
 static int internal_verify(X509_STORE_CTX *ctx)
         {
         int i,ok=0,n;
@@ -448,7 +633,6 @@ static int internal_verify(X509_STORE_CTX *ctx)
         int (*cb)();
 
         cb=ctx->verify_cb;
-        if (cb == NULL) cb=null_callback;
 
         n=sk_X509_num(ctx->chain);
         ctx->error_depth=n-1;
@@ -491,6 +675,13 @@ static int internal_verify(X509_STORE_CTX *ctx)
                                 if (!ok) goto end;
                                 }
                         if (X509_verify(xs,pkey) <= 0)
+                                /* XXX  For the final trusted self-signed cert,
+                                 * this is a waste of time.  That check should
+                                 * optional so that e.g. 'openssl x509' can be
+                                 * used to detect invalid self-signatures, but
+                                 * we don't verify again and again in SSL
+                                 * handshakes and the like once the cert has
+                                 * been declared trusted. */
                                 {
                                 ctx->error=X509_V_ERR_CERT_SIGNATURE_FAILURE;
                                 ctx->current_cert=xs;
@@ -539,8 +730,6 @@ static int internal_verify(X509_STORE_CTX *ctx)
                         if (!ok) goto end;
                         }
 
-                /* CRL CHECK */
-
                 /* The last error (if any) is still in the error value */
                 ctx->current_cert=xs;
                 ok=(*cb)(1,ctx);
@@ -648,14 +837,16 @@ ASN1_TIME *X509_gmtime_adj(ASN1_TIME *s, long adj)
 ASN1_TIME *X509_time_adj(ASN1_TIME *s, long adj, time_t *in_tm)
         {
         time_t t;
+        int type = -1;
 
         if (in_tm) t = *in_tm;
         else time(&t);
 
         t+=adj;
-        if (!s) return ASN1_TIME_set(s, t);
-        if (s->type == V_ASN1_UTCTIME) return ASN1_UTCTIME_set(s,t);
-        return ASN1_GENERALIZEDTIME_set(s, t);
+        if (s) type = s->type;
+        if (type == V_ASN1_UTCTIME) return ASN1_UTCTIME_set(s,t);
+        if (type == V_ASN1_GENERALIZEDTIME) return ASN1_GENERALIZEDTIME_set(s, t);
+        return ASN1_TIME_set(s, t);
         }
 
 int X509_get_pubkey_parameters(EVP_PKEY *pkey, STACK_OF(X509) *chain)
@@ -702,12 +893,12 @@ int X509_get_pubkey_parameters(EVP_PKEY *pkey, STACK_OF(X509) *chain)
 
 int X509_STORE_CTX_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
              CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func)
-        {
-        x509_store_ctx_num++;
-        return CRYPTO_get_ex_new_index(x509_store_ctx_num-1,
-                &x509_store_ctx_method,
-                argl,argp,new_func,dup_func,free_func);
-        }
+        {
+        /* This function is (usually) called only once, by
+         * SSL_get_ex_data_X509_STORE_CTX_idx (ssl/ssl_cert.c). */
+        return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_X509_STORE_CTX, argl, argp,
+                        new_func, dup_func, free_func);
+        }
 
 int X509_STORE_CTX_set_ex_data(X509_STORE_CTX *ctx, int idx, void *data)
         {
@@ -831,8 +1022,8 @@ int X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, int def_purpose,
                         }
                 }
 
-        if (purpose) ctx->purpose = purpose;
-        if (trust) ctx->trust = trust;
+        if (purpose && !ctx->purpose) ctx->purpose = purpose;
+        if (trust && !ctx->trust) ctx->trust = trust;
         return 1;
 }
 
@@ -840,7 +1031,12 @@ X509_STORE_CTX *X509_STORE_CTX_new(void)
 {
         X509_STORE_CTX *ctx;
         ctx = (X509_STORE_CTX *)OPENSSL_malloc(sizeof(X509_STORE_CTX));
-        if (ctx) memset(ctx, 0, sizeof(X509_STORE_CTX));
+        if (!ctx)
+                {
+                X509err(X509_F_X509_STORE_CTX_NEW,ERR_R_MALLOC_FAILURE);
+                return NULL;
+                }
+        memset(ctx, 0, sizeof(X509_STORE_CTX));
         return ctx;
 }
 
@@ -850,7 +1046,7 @@ void X509_STORE_CTX_free(X509_STORE_CTX *ctx)
         OPENSSL_free(ctx);
 }
 
-void X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509,
+int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509,
              STACK_OF(X509) *chain)
         {
         ctx->ctx=store;
@@ -858,10 +1054,7 @@ void X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509,
         ctx->cert=x509;
         ctx->untrusted=chain;
         ctx->last_untrusted=0;
-        ctx->purpose=0;
-        ctx->trust=0;
         ctx->check_time=0;
-        ctx->flags=0;
         ctx->other_ctx=NULL;
         ctx->valid=0;
         ctx->chain=NULL;
@@ -870,12 +1063,80 @@ void X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509,
         ctx->error_depth=0;
         ctx->current_cert=NULL;
         ctx->current_issuer=NULL;
-        ctx->check_issued = check_issued;
-        ctx->get_issuer = X509_STORE_CTX_get1_issuer;
-        ctx->verify_cb = store->verify_cb;
-        ctx->verify = store->verify;
-        ctx->cleanup = 0;
-        memset(&(ctx->ex_data),0,sizeof(CRYPTO_EX_DATA));
+
+        /* Inherit callbacks and flags from X509_STORE if not set
+         * use defaults.
+         */
+
+
+        if (store)
+                {
+                ctx->purpose=store->purpose;
+                ctx->trust=store->trust;
+                ctx->flags = store->flags;
+                ctx->cleanup = store->cleanup;
+                }
+        else
+                {
+                ctx->purpose = 0;
+                ctx->trust = 0;
+                ctx->flags = 0;
+                ctx->cleanup = 0;
+                }
+
+        if (store && store->check_issued)
+                ctx->check_issued = store->check_issued;
+        else
+                ctx->check_issued = check_issued;
+
+        if (store && store->get_issuer)
+                ctx->get_issuer = store->get_issuer;
+        else
+                ctx->get_issuer = X509_STORE_CTX_get1_issuer;
+
+        if (store && store->verify_cb)
+                ctx->verify_cb = store->verify_cb;
+        else
+                ctx->verify_cb = null_callback;
+
+        if (store && store->verify)
+                ctx->verify = store->verify;
+        else
+                ctx->verify = internal_verify;
+
+        if (store && store->check_revocation)
+                ctx->check_revocation = store->check_revocation;
+        else
+                ctx->check_revocation = check_revocation;
+
+        if (store && store->get_crl)
+                ctx->get_crl = store->get_crl;
+        else
+                ctx->get_crl = get_crl;
+
+        if (store && store->check_crl)
+                ctx->check_crl = store->check_crl;
+        else
+                ctx->check_crl = check_crl;
+
+        if (store && store->cert_crl)
+                ctx->cert_crl = store->cert_crl;
+        else
+                ctx->cert_crl = cert_crl;
+
+
+        /* This memset() can't make any sense anyway, so it's removed. As
+         * X509_STORE_CTX_cleanup does a proper "free" on the ex_data, we put a
+         * corresponding "new" here and remove this bogus initialisation. */
+        /* memset(&(ctx->ex_data),0,sizeof(CRYPTO_EX_DATA)); */
+        if(!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX, ctx,
+                                &(ctx->ex_data)))
+                {
+                OPENSSL_free(ctx);
+                X509err(X509_F_X509_STORE_CTX_INIT,ERR_R_MALLOC_FAILURE);
+                return 0;
+                }
+        return 1;
         }
 
 /* Set alternative lookup method: just a STACK of trusted certificates.
@@ -896,7 +1157,7 @@ void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx)
                 sk_X509_pop_free(ctx->chain,X509_free);
                 ctx->chain=NULL;
                 }
-        CRYPTO_free_ex_data(x509_store_ctx_method,ctx,&(ctx->ex_data));
+        CRYPTO_free_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX, ctx, &(ctx->ex_data));
         memset(&ctx->ex_data,0,sizeof(CRYPTO_EX_DATA));
         }
 
@@ -911,6 +1172,12 @@ void X509_STORE_CTX_set_time(X509_STORE_CTX *ctx, long flags, time_t t)
         ctx->flags |= X509_V_FLAG_USE_CHECK_TIME;
         }
 
+void X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx,
+                                  int (*verify_cb)(int, X509_STORE_CTX *))
+        {
+        ctx->verify_cb=verify_cb;
+        }
+
 IMPLEMENT_STACK_OF(X509)
 IMPLEMENT_ASN1_SET_OF(X509)
 
diff --git a/src/lib/libcrypto/x509/x509_vfy.h b/src/lib/libcrypto/x509/x509_vfy.h
index e289d5309a..f0be21f452 100644
--- a/src/lib/libcrypto/x509/x509_vfy.h
+++ b/src/lib/libcrypto/x509/x509_vfy.h
@@ -65,11 +65,12 @@
 #ifndef HEADER_X509_VFY_H
 #define HEADER_X509_VFY_H
 
-#ifndef NO_LHASH
+#ifndef OPENSSL_NO_LHASH
 #include <openssl/lhash.h>
 #endif
 #include <openssl/bio.h>
 #include <openssl/crypto.h>
+#include <openssl/symhacks.h>
 
 #ifdef  __cplusplus
 extern "C" {
@@ -154,12 +155,10 @@ typedef struct x509_lookup_method_st
                             X509_OBJECT *ret);
         } X509_LOOKUP_METHOD;
 
-typedef struct x509_store_ctx_st X509_STORE_CTX;
-
 /* This is used to hold everything.  It is used for all certificate
  * validation.  Once we have a certificate chain, the 'verify'
  * function is then called to actually check the cert chain. */
-typedef struct x509_store_st
+struct x509_store_st
         {
         /* The following is a cache of trusted certs */
         int cache;      /* if true, stash any hits */
@@ -167,13 +166,29 @@ typedef struct x509_store_st
 
         /* These are external lookup methods */
         STACK_OF(X509_LOOKUP) *get_cert_methods;
+
+        /* The following fields are not used by X509_STORE but are
+         * inherited by X509_STORE_CTX when it is initialised.
+         */
+
+        unsigned long flags;    /* Various verify flags */
+        int purpose;
+        int trust;
+        /* Callbacks for various operations */
         int (*verify)(X509_STORE_CTX *ctx);     /* called to verify a certificate */
         int (*verify_cb)(int ok,X509_STORE_CTX *ctx);   /* error callback */
+        int (*get_issuer)(X509 **issuer, X509_STORE_CTX *ctx, X509 *x); /* get issuers cert from ctx */
+        int (*check_issued)(X509_STORE_CTX *ctx, X509 *x, X509 *issuer); /* check issued */
+        int (*check_revocation)(X509_STORE_CTX *ctx); /* Check revocation status of chain */
+        int (*get_crl)(X509_STORE_CTX *ctx, X509_CRL **crl, X509 *x); /* retrieve CRL */
+        int (*check_crl)(X509_STORE_CTX *ctx, X509_CRL *crl); /* Check CRL validity */
+        int (*cert_crl)(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x); /* Check certificate against CRL */
+        int (*cleanup)(X509_STORE_CTX *ctx);
 
         CRYPTO_EX_DATA ex_data;
         int references;
         int depth;              /* how deep to look (still unused -- X509_STORE_CTX's depth is used) */
-        }  X509_STORE;
+        } /* X509_STORE */;
 
 #define X509_STORE_set_depth(ctx,d)       ((ctx)->depth=(d))
 
@@ -189,7 +204,7 @@ struct x509_lookup_st
         char *method_data;              /* method data */
 
         X509_STORE *store_ctx;  /* who owns us */
-        };
+        } /* X509_LOOKUP */;
 
 /* This is a used when verifying cert chains.  Since the
  * gathering of the cert chain can take some time (and have to be
@@ -213,6 +228,10 @@ struct x509_store_ctx_st      /* X509_STORE_CTX */
         int (*verify_cb)(int ok,X509_STORE_CTX *ctx);           /* error callback */
         int (*get_issuer)(X509 **issuer, X509_STORE_CTX *ctx, X509 *x); /* get issuers cert from ctx */
         int (*check_issued)(X509_STORE_CTX *ctx, X509 *x, X509 *issuer); /* check issued */
+        int (*check_revocation)(X509_STORE_CTX *ctx); /* Check revocation status of chain */
+        int (*get_crl)(X509_STORE_CTX *ctx, X509_CRL **crl, X509 *x); /* retrieve CRL */
+        int (*check_crl)(X509_STORE_CTX *ctx, X509_CRL *crl); /* Check CRL validity */
+        int (*cert_crl)(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x); /* Check certificate against CRL */
         int (*cleanup)(X509_STORE_CTX *ctx);
 
         /* The following is built up */
@@ -226,9 +245,10 @@ struct x509_store_ctx_st      /* X509_STORE_CTX */
         int error;
         X509 *current_cert;
         X509 *current_issuer;   /* cert currently being tested as valid issuer */
+        X509_CRL *current_crl;  /* current CRL */
 
         CRYPTO_EX_DATA ex_data;
-        };
+        } /* X509_STORE_CTX */;
 
 #define X509_STORE_CTX_set_depth(ctx,d)       ((ctx)->depth=(d))
 
@@ -282,6 +302,9 @@ struct x509_store_ctx_st      /* X509_STORE_CTX */
 #define         X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH          31
 #define         X509_V_ERR_KEYUSAGE_NO_CERTSIGN                 32
 
+#define         X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER             33
+#define         X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION         34
+
 /* The application is not happy */
 #define         X509_V_ERR_APPLICATION_VERIFICATION             50
 
@@ -289,21 +312,9 @@ struct x509_store_ctx_st      /* X509_STORE_CTX */
 
 #define X509_V_FLAG_CB_ISSUER_CHECK             0x1     /* Send issuer+subject checks to verify_cb */
 #define X509_V_FLAG_USE_CHECK_TIME              0x2     /* Use check time instead of current time */
-
-                  /* These functions are being redefined in another directory,
-                     and clash when the linker is case-insensitive, so let's
-                     hide them a little, by giving them an extra 'o' at the
-                     beginning of the name... */
-#ifdef VMS
-#undef X509v3_cleanup_extensions
-#define X509v3_cleanup_extensions oX509v3_cleanup_extensions
-#undef X509v3_add_extension
-#define X509v3_add_extension oX509v3_add_extension
-#undef X509v3_add_netscape_extensions
-#define X509v3_add_netscape_extensions oX509v3_add_netscape_extensions
-#undef X509v3_add_standard_extensions
-#define X509v3_add_standard_extensions oX509v3_add_standard_extensions
-#endif
+#define X509_V_FLAG_CRL_CHECK                   0x4     /* Lookup CRLs */
+#define X509_V_FLAG_CRL_CHECK_ALL               0x8     /* Lookup CRLs for whole chain */
+#define X509_V_FLAG_IGNORE_CRITICAL             0x10    /* Ignore unhandled critical extensions */
 
 int X509_OBJECT_idx_by_subject(STACK_OF(X509_OBJECT) *h, int type,
              X509_NAME *name);
@@ -314,12 +325,16 @@ void X509_OBJECT_free_contents(X509_OBJECT *a);
 X509_STORE *X509_STORE_new(void );
 void X509_STORE_free(X509_STORE *v);
 
+void X509_STORE_set_flags(X509_STORE *ctx, long flags);
+int X509_STORE_set_purpose(X509_STORE *ctx, int purpose);
+int X509_STORE_set_trust(X509_STORE *ctx, int trust);
+
 X509_STORE_CTX *X509_STORE_CTX_new(void);
 
 int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x);
 
 void X509_STORE_CTX_free(X509_STORE_CTX *ctx);
-void X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store,
+int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store,
                          X509 *x509, STACK_OF(X509) *chain);
 void X509_STORE_CTX_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk);
 void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx);
@@ -338,7 +353,7 @@ int X509_STORE_get_by_subject(X509_STORE_CTX *vs,int type,X509_NAME *name,
 int X509_LOOKUP_ctrl(X509_LOOKUP *ctx, int cmd, const char *argc,
         long argl, char **ret);
 
-#ifndef NO_STDIO
+#ifndef OPENSSL_NO_STDIO
 int X509_load_cert_file(X509_LOOKUP *ctx, const char *file, int type);
 int X509_load_crl_file(X509_LOOKUP *ctx, const char *file, int type);
 int X509_load_cert_crl_file(X509_LOOKUP *ctx, const char *file, int type);
@@ -358,7 +373,7 @@ int X509_LOOKUP_by_alias(X509_LOOKUP *ctx, int type, char *str,
         int len, X509_OBJECT *ret);
 int X509_LOOKUP_shutdown(X509_LOOKUP *ctx);
 
-#ifndef NO_STDIO
+#ifndef OPENSSL_NO_STDIO
 int     X509_STORE_load_locations (X509_STORE *ctx,
                 const char *file, const char *dir);
 int     X509_STORE_set_default_paths(X509_STORE *ctx);
@@ -382,6 +397,8 @@ int X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, int def_purpose,
                                 int purpose, int trust);
 void X509_STORE_CTX_set_flags(X509_STORE_CTX *ctx, long flags);
 void X509_STORE_CTX_set_time(X509_STORE_CTX *ctx, long flags, time_t t);
+void X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx,
+                                  int (*verify_cb)(int, X509_STORE_CTX *));
 
 #ifdef  __cplusplus
 }
diff --git a/src/lib/libcrypto/x509/x509cset.c b/src/lib/libcrypto/x509/x509cset.c
new file mode 100644
index 0000000000..6cac440ea9
--- /dev/null
+++ b/src/lib/libcrypto/x509/x509cset.c
@@ -0,0 +1,169 @@
+/* crypto/x509/x509cset.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 2001.
+ */
+/* ====================================================================
+ * Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/asn1.h>
+#include <openssl/objects.h>
+#include <openssl/evp.h>
+#include <openssl/x509.h>
+
+int X509_CRL_set_version(X509_CRL *x, long version)
+        {
+        if (x == NULL) return(0);
+        if (x->crl->version == NULL)
+                {
+                if ((x->crl->version=M_ASN1_INTEGER_new()) == NULL)
+                        return(0);
+                }
+        return(ASN1_INTEGER_set(x->crl->version,version));
+        }
+
+int X509_CRL_set_issuer_name(X509_CRL *x, X509_NAME *name)
+        {
+        if ((x == NULL) || (x->crl == NULL)) return(0);
+        return(X509_NAME_set(&x->crl->issuer,name));
+        }
+
+
+int X509_CRL_set_lastUpdate(X509_CRL *x, ASN1_TIME *tm)
+        {
+        ASN1_TIME *in;
+
+        if (x == NULL) return(0);
+        in=x->crl->lastUpdate;
+        if (in != tm)
+                {
+                in=M_ASN1_TIME_dup(tm);
+                if (in != NULL)
+                        {
+                        M_ASN1_TIME_free(x->crl->lastUpdate);
+                        x->crl->lastUpdate=in;
+                        }
+                }
+        return(in != NULL);
+        }
+
+int X509_CRL_set_nextUpdate(X509_CRL *x, ASN1_TIME *tm)
+        {
+        ASN1_TIME *in;
+
+        if (x == NULL) return(0);
+        in=x->crl->nextUpdate;
+        if (in != tm)
+                {
+                in=M_ASN1_TIME_dup(tm);
+                if (in != NULL)
+                        {
+                        M_ASN1_TIME_free(x->crl->nextUpdate);
+                        x->crl->nextUpdate=in;
+                        }
+                }
+        return(in != NULL);
+        }
+
+int X509_CRL_sort(X509_CRL *c)
+        {
+        int i;
+        X509_REVOKED *r;
+        /* sort the data so it will be written in serial
+         * number order */
+        sk_X509_REVOKED_sort(c->crl->revoked);
+        for (i=0; i<sk_X509_REVOKED_num(c->crl->revoked); i++)
+                {
+                r=sk_X509_REVOKED_value(c->crl->revoked,i);
+                r->sequence=i;
+                }
+        return 1;
+        }
+
+int X509_REVOKED_set_revocationDate(X509_REVOKED *x, ASN1_TIME *tm)
+        {
+        ASN1_TIME *in;
+
+        if (x == NULL) return(0);
+        in=x->revocationDate;
+        if (in != tm)
+                {
+                in=M_ASN1_TIME_dup(tm);
+                if (in != NULL)
+                        {
+                        M_ASN1_TIME_free(x->revocationDate);
+                        x->revocationDate=in;
+                        }
+                }
+        return(in != NULL);
+        }
+
+int X509_REVOKED_set_serialNumber(X509_REVOKED *x, ASN1_INTEGER *serial)
+        {
+        ASN1_INTEGER *in;
+
+        if (x == NULL) return(0);
+        in=x->serialNumber;
+        if (in != serial)
+                {
+                in=M_ASN1_INTEGER_dup(serial);
+                if (in != NULL)
+                        {
+                        M_ASN1_INTEGER_free(x->serialNumber);
+                        x->serialNumber=in;
+                        }
+                }
+        return(in != NULL);
+        }
diff --git a/src/lib/libcrypto/x509/x509spki.c b/src/lib/libcrypto/x509/x509spki.c
index fd0a534d88..4c3af946ec 100644
--- a/src/lib/libcrypto/x509/x509spki.c
+++ b/src/lib/libcrypto/x509/x509spki.c
@@ -59,7 +59,6 @@
 #include <stdio.h>
 #include "cryptlib.h"
 #include <openssl/x509.h>
-#include <openssl/asn1_mac.h>
 
 int NETSCAPE_SPKI_set_pubkey(NETSCAPE_SPKI *x, EVP_PKEY *pkey)
 {
diff --git a/src/lib/libcrypto/x509/x_all.c b/src/lib/libcrypto/x509/x_all.c
index 9bd6e2a39b..fb5015cd4d 100644
--- a/src/lib/libcrypto/x509/x_all.c
+++ b/src/lib/libcrypto/x509/x_all.c
@@ -67,224 +67,159 @@
 
 int X509_verify(X509 *a, EVP_PKEY *r)
         {
-        return(ASN1_verify((int (*)())i2d_X509_CINF,a->sig_alg,
-                a->signature,(char *)a->cert_info,r));
+        return(ASN1_item_verify(ASN1_ITEM_rptr(X509_CINF),a->sig_alg,
+                a->signature,a->cert_info,r));
         }
 
 int X509_REQ_verify(X509_REQ *a, EVP_PKEY *r)
         {
-        return( ASN1_verify((int (*)())i2d_X509_REQ_INFO,
-                a->sig_alg,a->signature,(char *)a->req_info,r));
+        return( ASN1_item_verify(ASN1_ITEM_rptr(X509_REQ_INFO),
+                a->sig_alg,a->signature,a->req_info,r));
         }
 
 int X509_CRL_verify(X509_CRL *a, EVP_PKEY *r)
         {
-        return(ASN1_verify((int (*)())i2d_X509_CRL_INFO,
-                a->sig_alg, a->signature,(char *)a->crl,r));
+        return(ASN1_item_verify(ASN1_ITEM_rptr(X509_CRL_INFO),
+                a->sig_alg, a->signature,a->crl,r));
         }
 
 int NETSCAPE_SPKI_verify(NETSCAPE_SPKI *a, EVP_PKEY *r)
         {
-        return(ASN1_verify((int (*)())i2d_NETSCAPE_SPKAC,
-                a->sig_algor,a->signature, (char *)a->spkac,r));
+        return(ASN1_item_verify(ASN1_ITEM_rptr(NETSCAPE_SPKAC),
+                a->sig_algor,a->signature,a->spkac,r));
         }
 
 int X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md)
         {
-        return(ASN1_sign((int (*)())i2d_X509_CINF, x->cert_info->signature,
-                x->sig_alg, x->signature, (char *)x->cert_info,pkey,md));
+        return(ASN1_item_sign(ASN1_ITEM_rptr(X509_CINF), x->cert_info->signature,
+                x->sig_alg, x->signature, x->cert_info,pkey,md));
         }
 
 int X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md)
         {
-        return(ASN1_sign((int (*)())i2d_X509_REQ_INFO,x->sig_alg, NULL,
-                x->signature, (char *)x->req_info,pkey,md));
+        return(ASN1_item_sign(ASN1_ITEM_rptr(X509_REQ_INFO),x->sig_alg, NULL,
+                x->signature, x->req_info,pkey,md));
         }
 
 int X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md)
         {
-        return(ASN1_sign((int (*)())i2d_X509_CRL_INFO,x->crl->sig_alg,
-                x->sig_alg, x->signature, (char *)x->crl,pkey,md));
+        return(ASN1_item_sign(ASN1_ITEM_rptr(X509_CRL_INFO),x->crl->sig_alg,
+                x->sig_alg, x->signature, x->crl,pkey,md));
         }
 
 int NETSCAPE_SPKI_sign(NETSCAPE_SPKI *x, EVP_PKEY *pkey, const EVP_MD *md)
         {
-        return(ASN1_sign((int (*)())i2d_NETSCAPE_SPKAC, x->sig_algor,NULL,
-                x->signature, (char *)x->spkac,pkey,md));
+        return(ASN1_item_sign(ASN1_ITEM_rptr(NETSCAPE_SPKAC), x->sig_algor,NULL,
+                x->signature, x->spkac,pkey,md));
         }
 
-X509_ATTRIBUTE *X509_ATTRIBUTE_dup(X509_ATTRIBUTE *xa)
-        {
-        return((X509_ATTRIBUTE *)ASN1_dup((int (*)())i2d_X509_ATTRIBUTE,
-                (char *(*)())d2i_X509_ATTRIBUTE,(char *)xa));
-        }
-
-X509 *X509_dup(X509 *x509)
-        {
-        return((X509 *)ASN1_dup((int (*)())i2d_X509,
-                (char *(*)())d2i_X509,(char *)x509));
-        }
-
-X509_EXTENSION *X509_EXTENSION_dup(X509_EXTENSION *ex)
-        {
-        return((X509_EXTENSION *)ASN1_dup(
-                (int (*)())i2d_X509_EXTENSION,
-                (char *(*)())d2i_X509_EXTENSION,(char *)ex));
-        }
-
-#ifndef NO_FP_API
+#ifndef OPENSSL_NO_FP_API
 X509 *d2i_X509_fp(FILE *fp, X509 **x509)
         {
-        return((X509 *)ASN1_d2i_fp((char *(*)())X509_new,
-                (char *(*)())d2i_X509, (fp),(unsigned char **)(x509)));
+        return ASN1_item_d2i_fp(ASN1_ITEM_rptr(X509), fp, x509);
         }
 
 int i2d_X509_fp(FILE *fp, X509 *x509)
         {
-        return(ASN1_i2d_fp(i2d_X509,fp,(unsigned char *)x509));
+        return ASN1_item_i2d_fp(ASN1_ITEM_rptr(X509), fp, x509);
         }
 #endif
 
 X509 *d2i_X509_bio(BIO *bp, X509 **x509)
         {
-        return((X509 *)ASN1_d2i_bio((char *(*)())X509_new,
-                (char *(*)())d2i_X509, (bp),(unsigned char **)(x509)));
+        return ASN1_item_d2i_bio(ASN1_ITEM_rptr(X509), bp, x509);
         }
 
 int i2d_X509_bio(BIO *bp, X509 *x509)
         {
-        return(ASN1_i2d_bio(i2d_X509,bp,(unsigned char *)x509));
-        }
-
-X509_CRL *X509_CRL_dup(X509_CRL *crl)
-        {
-        return((X509_CRL *)ASN1_dup((int (*)())i2d_X509_CRL,
-                (char *(*)())d2i_X509_CRL,(char *)crl));
+        return ASN1_item_i2d_bio(ASN1_ITEM_rptr(X509), bp, x509);
         }
 
-#ifndef NO_FP_API
+#ifndef OPENSSL_NO_FP_API
 X509_CRL *d2i_X509_CRL_fp(FILE *fp, X509_CRL **crl)
         {
-        return((X509_CRL *)ASN1_d2i_fp((char *(*)())
-                X509_CRL_new,(char *(*)())d2i_X509_CRL, (fp),
-                (unsigned char **)(crl)));
+        return ASN1_item_d2i_fp(ASN1_ITEM_rptr(X509_CRL), fp, crl);
         }
 
 int i2d_X509_CRL_fp(FILE *fp, X509_CRL *crl)
         {
-        return(ASN1_i2d_fp(i2d_X509_CRL,fp,(unsigned char *)crl));
+        return ASN1_item_i2d_fp(ASN1_ITEM_rptr(X509_CRL), fp, crl);
         }
 #endif
 
 X509_CRL *d2i_X509_CRL_bio(BIO *bp, X509_CRL **crl)
         {
-        return((X509_CRL *)ASN1_d2i_bio((char *(*)())
-                X509_CRL_new,(char *(*)())d2i_X509_CRL, (bp),
-                (unsigned char **)(crl)));
+        return ASN1_item_d2i_bio(ASN1_ITEM_rptr(X509_CRL), bp, crl);
         }
 
 int i2d_X509_CRL_bio(BIO *bp, X509_CRL *crl)
         {
-        return(ASN1_i2d_bio(i2d_X509_CRL,bp,(unsigned char *)crl));
-        }
-
-PKCS7 *PKCS7_dup(PKCS7 *p7)
-        {
-        return((PKCS7 *)ASN1_dup((int (*)())i2d_PKCS7,
-                (char *(*)())d2i_PKCS7,(char *)p7));
+        return ASN1_item_i2d_bio(ASN1_ITEM_rptr(X509_CRL), bp, crl);
         }
 
-#ifndef NO_FP_API
+#ifndef OPENSSL_NO_FP_API
 PKCS7 *d2i_PKCS7_fp(FILE *fp, PKCS7 **p7)
         {
-        return((PKCS7 *)ASN1_d2i_fp((char *(*)())
-                PKCS7_new,(char *(*)())d2i_PKCS7, (fp),
-                (unsigned char **)(p7)));
+        return ASN1_item_d2i_fp(ASN1_ITEM_rptr(PKCS7), fp, p7);
         }
 
 int i2d_PKCS7_fp(FILE *fp, PKCS7 *p7)
         {
-        return(ASN1_i2d_fp(i2d_PKCS7,fp,(unsigned char *)p7));
+        return ASN1_item_i2d_fp(ASN1_ITEM_rptr(PKCS7), fp, p7);
         }
 #endif
 
 PKCS7 *d2i_PKCS7_bio(BIO *bp, PKCS7 **p7)
         {
-        return((PKCS7 *)ASN1_d2i_bio((char *(*)())
-                PKCS7_new,(char *(*)())d2i_PKCS7, (bp),
-                (unsigned char **)(p7)));
+        return ASN1_item_d2i_bio(ASN1_ITEM_rptr(PKCS7), bp, p7);
         }
 
 int i2d_PKCS7_bio(BIO *bp, PKCS7 *p7)
         {
-        return(ASN1_i2d_bio(i2d_PKCS7,bp,(unsigned char *)p7));
+        return ASN1_item_i2d_bio(ASN1_ITEM_rptr(PKCS7), bp, p7);
         }
 
-X509_REQ *X509_REQ_dup(X509_REQ *req)
-        {
-        return((X509_REQ *)ASN1_dup((int (*)())i2d_X509_REQ,
-                (char *(*)())d2i_X509_REQ,(char *)req));
-        }
-
-#ifndef NO_FP_API
+#ifndef OPENSSL_NO_FP_API
 X509_REQ *d2i_X509_REQ_fp(FILE *fp, X509_REQ **req)
         {
-        return((X509_REQ *)ASN1_d2i_fp((char *(*)())
-                X509_REQ_new, (char *(*)())d2i_X509_REQ, (fp),
-                (unsigned char **)(req)));
+        return ASN1_item_d2i_fp(ASN1_ITEM_rptr(X509_REQ), fp, req);
         }
 
 int i2d_X509_REQ_fp(FILE *fp, X509_REQ *req)
         {
-        return(ASN1_i2d_fp(i2d_X509_REQ,fp,(unsigned char *)req));
+        return ASN1_item_i2d_fp(ASN1_ITEM_rptr(X509_REQ), fp, req);
         }
 #endif
 
 X509_REQ *d2i_X509_REQ_bio(BIO *bp, X509_REQ **req)
         {
-        return((X509_REQ *)ASN1_d2i_bio((char *(*)())
-                X509_REQ_new, (char *(*)())d2i_X509_REQ, (bp),
-                (unsigned char **)(req)));
+        return ASN1_item_d2i_bio(ASN1_ITEM_rptr(X509_REQ), bp, req);
         }
 
 int i2d_X509_REQ_bio(BIO *bp, X509_REQ *req)
         {
-        return(ASN1_i2d_bio(i2d_X509_REQ,bp,(unsigned char *)req));
-        }
-
-#ifndef NO_RSA
-RSA *RSAPublicKey_dup(RSA *rsa)
-        {
-        return((RSA *)ASN1_dup((int (*)())i2d_RSAPublicKey,
-                (char *(*)())d2i_RSAPublicKey,(char *)rsa));
+        return ASN1_item_i2d_bio(ASN1_ITEM_rptr(X509_REQ), bp, req);
         }
 
-RSA *RSAPrivateKey_dup(RSA *rsa)
-        {
-        return((RSA *)ASN1_dup((int (*)())i2d_RSAPrivateKey,
-                (char *(*)())d2i_RSAPrivateKey,(char *)rsa));
-        }
+#ifndef OPENSSL_NO_RSA
 
-#ifndef NO_FP_API
+#ifndef OPENSSL_NO_FP_API
 RSA *d2i_RSAPrivateKey_fp(FILE *fp, RSA **rsa)
         {
-        return((RSA *)ASN1_d2i_fp((char *(*)())
-                RSA_new,(char *(*)())d2i_RSAPrivateKey, (fp),
-                (unsigned char **)(rsa)));
+        return ASN1_item_d2i_fp(ASN1_ITEM_rptr(RSAPrivateKey), fp, rsa);
         }
 
 int i2d_RSAPrivateKey_fp(FILE *fp, RSA *rsa)
         {
-        return(ASN1_i2d_fp(i2d_RSAPrivateKey,fp,(unsigned char *)rsa));
+        return ASN1_item_i2d_fp(ASN1_ITEM_rptr(RSAPrivateKey), fp, rsa);
         }
 
 RSA *d2i_RSAPublicKey_fp(FILE *fp, RSA **rsa)
         {
-        return((RSA *)ASN1_d2i_fp((char *(*)())
-                RSA_new,(char *(*)())d2i_RSAPublicKey, (fp),
-                (unsigned char **)(rsa)));
+        return ASN1_item_d2i_fp(ASN1_ITEM_rptr(RSAPublicKey), fp, rsa);
         }
 
+
 RSA *d2i_RSA_PUBKEY_fp(FILE *fp, RSA **rsa)
         {
         return((RSA *)ASN1_d2i_fp((char *(*)())
@@ -294,7 +229,7 @@ RSA *d2i_RSA_PUBKEY_fp(FILE *fp, RSA **rsa)
 
 int i2d_RSAPublicKey_fp(FILE *fp, RSA *rsa)
         {
-        return(ASN1_i2d_fp(i2d_RSAPublicKey,fp,(unsigned char *)rsa));
+        return ASN1_item_i2d_fp(ASN1_ITEM_rptr(RSAPublicKey), fp, rsa);
         }
 
 int i2d_RSA_PUBKEY_fp(FILE *fp, RSA *rsa)
@@ -305,23 +240,20 @@ int i2d_RSA_PUBKEY_fp(FILE *fp, RSA *rsa)
 
 RSA *d2i_RSAPrivateKey_bio(BIO *bp, RSA **rsa)
         {
-        return((RSA *)ASN1_d2i_bio((char *(*)())
-                RSA_new,(char *(*)())d2i_RSAPrivateKey, (bp),
-                (unsigned char **)(rsa)));
+        return ASN1_item_d2i_bio(ASN1_ITEM_rptr(RSAPrivateKey), bp, rsa);
         }
 
 int i2d_RSAPrivateKey_bio(BIO *bp, RSA *rsa)
         {
-        return(ASN1_i2d_bio(i2d_RSAPrivateKey,bp,(unsigned char *)rsa));
+        return ASN1_item_i2d_bio(ASN1_ITEM_rptr(RSAPrivateKey), bp, rsa);
         }
 
 RSA *d2i_RSAPublicKey_bio(BIO *bp, RSA **rsa)
         {
-        return((RSA *)ASN1_d2i_bio((char *(*)())
-                RSA_new,(char *(*)())d2i_RSAPublicKey, (bp),
-                (unsigned char **)(rsa)));
+        return ASN1_item_d2i_bio(ASN1_ITEM_rptr(RSAPublicKey), bp, rsa);
         }
 
+
 RSA *d2i_RSA_PUBKEY_bio(BIO *bp, RSA **rsa)
         {
         return((RSA *)ASN1_d2i_bio((char *(*)())
@@ -331,7 +263,7 @@ RSA *d2i_RSA_PUBKEY_bio(BIO *bp, RSA **rsa)
 
 int i2d_RSAPublicKey_bio(BIO *bp, RSA *rsa)
         {
-        return(ASN1_i2d_bio(i2d_RSAPublicKey,bp,(unsigned char *)rsa));
+        return ASN1_item_i2d_bio(ASN1_ITEM_rptr(RSAPublicKey), bp, rsa);
         }
 
 int i2d_RSA_PUBKEY_bio(BIO *bp, RSA *rsa)
@@ -340,8 +272,8 @@ int i2d_RSA_PUBKEY_bio(BIO *bp, RSA *rsa)
         }
 #endif
 
-#ifndef NO_DSA
-#ifndef NO_FP_API
+#ifndef OPENSSL_NO_DSA
+#ifndef OPENSSL_NO_FP_API
 DSA *d2i_DSAPrivateKey_fp(FILE *fp, DSA **dsa)
         {
         return((DSA *)ASN1_d2i_fp((char *(*)())
@@ -393,57 +325,48 @@ int i2d_DSA_PUBKEY_bio(BIO *bp, DSA *dsa)
 
 #endif
 
-X509_ALGOR *X509_ALGOR_dup(X509_ALGOR *xn)
-        {
-        return((X509_ALGOR *)ASN1_dup((int (*)())i2d_X509_ALGOR,
-        (char *(*)())d2i_X509_ALGOR,(char *)xn));
-        }
-
-X509_NAME *X509_NAME_dup(X509_NAME *xn)
-        {
-        return((X509_NAME *)ASN1_dup((int (*)())i2d_X509_NAME,
-                (char *(*)())d2i_X509_NAME,(char *)xn));
-        }
-
-X509_NAME_ENTRY *X509_NAME_ENTRY_dup(X509_NAME_ENTRY *ne)
+int X509_pubkey_digest(const X509 *data, const EVP_MD *type, unsigned char *md,
+             unsigned int *len)
         {
-        return((X509_NAME_ENTRY *)ASN1_dup((int (*)())i2d_X509_NAME_ENTRY,
-                (char *(*)())d2i_X509_NAME_ENTRY,(char *)ne));
+        ASN1_BIT_STRING *key;
+        key = X509_get0_pubkey_bitstr(data);
+        if(!key) return 0;
+        return EVP_Digest(key->data, key->length, md, len, type, NULL);
         }
 
 int X509_digest(const X509 *data, const EVP_MD *type, unsigned char *md,
              unsigned int *len)
         {
-        return(ASN1_digest((int (*)())i2d_X509,type,(char *)data,md,len));
+        return(ASN1_item_digest(ASN1_ITEM_rptr(X509),type,(char *)data,md,len));
         }
 
 int X509_CRL_digest(const X509_CRL *data, const EVP_MD *type, unsigned char *md,
              unsigned int *len)
         {
-        return(ASN1_digest((int (*)())i2d_X509_CRL,type,(char *)data,md,len));
+        return(ASN1_item_digest(ASN1_ITEM_rptr(X509_CRL),type,(char *)data,md,len));
         }
 
 int X509_REQ_digest(const X509_REQ *data, const EVP_MD *type, unsigned char *md,
              unsigned int *len)
         {
-        return(ASN1_digest((int (*)())i2d_X509_REQ,type,(char *)data,md,len));
+        return(ASN1_item_digest(ASN1_ITEM_rptr(X509_REQ),type,(char *)data,md,len));
         }
 
 int X509_NAME_digest(const X509_NAME *data, const EVP_MD *type, unsigned char *md,
              unsigned int *len)
         {
-        return(ASN1_digest((int (*)())i2d_X509_NAME,type,(char *)data,md,len));
+        return(ASN1_item_digest(ASN1_ITEM_rptr(X509_NAME),type,(char *)data,md,len));
         }
 
 int PKCS7_ISSUER_AND_SERIAL_digest(PKCS7_ISSUER_AND_SERIAL *data, const EVP_MD *type,
              unsigned char *md, unsigned int *len)
         {
-        return(ASN1_digest((int (*)())i2d_PKCS7_ISSUER_AND_SERIAL,type,
+        return(ASN1_item_digest(ASN1_ITEM_rptr(PKCS7_ISSUER_AND_SERIAL),type,
                 (char *)data,md,len));
         }
 
 
-#ifndef NO_FP_API
+#ifndef OPENSSL_NO_FP_API
 X509_SIG *d2i_PKCS8_fp(FILE *fp, X509_SIG **p8)
         {
         return((X509_SIG *)ASN1_d2i_fp((char *(*)())X509_SIG_new,
@@ -467,7 +390,7 @@ int i2d_PKCS8_bio(BIO *bp, X509_SIG *p8)
         return(ASN1_i2d_bio(i2d_X509_SIG,bp,(unsigned char *)p8));
         }
 
-#ifndef NO_FP_API
+#ifndef OPENSSL_NO_FP_API
 PKCS8_PRIV_KEY_INFO *d2i_PKCS8_PRIV_KEY_INFO_fp(FILE *fp,
                                                  PKCS8_PRIV_KEY_INFO **p8inf)
         {
diff --git a/src/lib/libcrypto/x509v3/Makefile.ssl b/src/lib/libcrypto/x509v3/Makefile.ssl
index 236e13af4e..8620992280 100644
--- a/src/lib/libcrypto/x509v3/Makefile.ssl
+++ b/src/lib/libcrypto/x509v3/Makefile.ssl
@@ -5,13 +5,14 @@
 DIR=    x509v3
 TOP=    ../..
 CC=     cc
-INCLUDES= -I.. -I../../include
+INCLUDES= -I.. -I$(TOP) -I../../include
 CFLAG=-g
 INSTALL_PREFIX=
 OPENSSLDIR=     /usr/local/ssl
 INSTALLTOP=/usr/local/ssl
 MAKE=           make -f Makefile.ssl
-MAKEDEPEND=     $(TOP)/util/domd $(TOP)
+MAKEDEPPROG=    makedepend
+MAKEDEPEND=     $(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)
 MAKEFILE=       Makefile.ssl
 AR=             ar r
 
@@ -22,12 +23,14 @@ TEST=
 APPS=
 
 LIB=$(TOP)/libcrypto.a
-LIBSRC= v3_bcons.c v3_bitst.c v3_conf.c v3_extku.c v3_ia5.c \
-v3_lib.c v3_prn.c v3_utl.c v3err.c v3_genn.c v3_alt.c v3_skey.c v3_akey.c \
-v3_pku.c v3_int.c v3_enum.c v3_sxnet.c v3_cpols.c v3_crld.c v3_purp.c v3_info.c
+LIBSRC= v3_bcons.c v3_bitst.c v3_conf.c v3_extku.c v3_ia5.c v3_lib.c \
+v3_prn.c v3_utl.c v3err.c v3_genn.c v3_alt.c v3_skey.c v3_akey.c v3_pku.c \
+v3_int.c v3_enum.c v3_sxnet.c v3_cpols.c v3_crld.c v3_purp.c v3_info.c \
+v3_ocsp.c v3_akeya.c
 LIBOBJ= v3_bcons.o v3_bitst.o v3_conf.o v3_extku.o v3_ia5.o v3_lib.o \
 v3_prn.o v3_utl.o v3err.o v3_genn.o v3_alt.o v3_skey.o v3_akey.o v3_pku.o \
-v3_int.o v3_enum.o v3_sxnet.o v3_cpols.o v3_crld.o v3_purp.o v3_info.o
+v3_int.o v3_enum.o v3_sxnet.o v3_cpols.o v3_crld.o v3_purp.o v3_info.o \
+v3_ocsp.o v3_akeya.o
 
 SRC= $(LIBSRC)
 
@@ -43,8 +46,7 @@ all:	lib
 
 lib:    $(LIBOBJ)
         $(AR) $(LIB) $(LIBOBJ)
-        @echo You may get an error following this line.  Please ignore.
-        - $(RANLIB) $(LIB)
+        $(RANLIB) $(LIB) || echo Never mind.
         @touch lib
 
 files:
@@ -83,432 +85,336 @@ clean:
 
 # DO NOT DELETE THIS LINE -- make depend depends on it.
 
-v3_akey.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
-v3_akey.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+v3_akey.o: ../../e_os.h ../../include/openssl/asn1.h
+v3_akey.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
 v3_akey.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-v3_akey.o: ../../include/openssl/cast.h ../../include/openssl/conf.h
-v3_akey.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+v3_akey.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
 v3_akey.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-v3_akey.o: ../../include/openssl/e_os.h ../../include/openssl/e_os.h
 v3_akey.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-v3_akey.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-v3_akey.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-v3_akey.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-v3_akey.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
-v3_akey.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-v3_akey.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
-v3_akey.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-v3_akey.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+v3_akey.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+v3_akey.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+v3_akey.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+v3_akey.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
 v3_akey.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
 v3_akey.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
 v3_akey.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
 v3_akey.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
-v3_akey.o: ../cryptlib.h
-v3_alt.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-v3_alt.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-v3_alt.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+v3_akey.o: ../cryptlib.h v3_akey.c
+v3_akeya.o: ../../e_os.h ../../include/openssl/asn1.h
+v3_akeya.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
+v3_akeya.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+v3_akeya.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
+v3_akeya.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+v3_akeya.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+v3_akeya.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+v3_akeya.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+v3_akeya.o: ../../include/openssl/opensslconf.h
+v3_akeya.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+v3_akeya.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
+v3_akeya.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+v3_akeya.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+v3_akeya.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+v3_akeya.o: ../../include/openssl/x509v3.h ../cryptlib.h v3_akeya.c
+v3_alt.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
+v3_alt.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
 v3_alt.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
-v3_alt.o: ../../include/openssl/des.h ../../include/openssl/dh.h
-v3_alt.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
-v3_alt.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-v3_alt.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-v3_alt.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-v3_alt.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-v3_alt.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+v3_alt.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+v3_alt.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+v3_alt.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 v3_alt.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 v3_alt.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-v3_alt.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-v3_alt.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-v3_alt.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-v3_alt.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-v3_alt.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-v3_alt.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-v3_alt.o: ../../include/openssl/x509v3.h ../cryptlib.h
-v3_bcons.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
-v3_bcons.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+v3_alt.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+v3_alt.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+v3_alt.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+v3_alt.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+v3_alt.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
+v3_alt.o: ../cryptlib.h v3_alt.c
+v3_bcons.o: ../../e_os.h ../../include/openssl/asn1.h
+v3_bcons.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
 v3_bcons.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-v3_bcons.o: ../../include/openssl/cast.h ../../include/openssl/conf.h
-v3_bcons.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+v3_bcons.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
 v3_bcons.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-v3_bcons.o: ../../include/openssl/e_os.h ../../include/openssl/e_os.h
 v3_bcons.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-v3_bcons.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-v3_bcons.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-v3_bcons.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-v3_bcons.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
-v3_bcons.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-v3_bcons.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
-v3_bcons.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-v3_bcons.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-v3_bcons.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-v3_bcons.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-v3_bcons.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-v3_bcons.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
-v3_bcons.o: ../cryptlib.h
-v3_bitst.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-v3_bitst.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-v3_bitst.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-v3_bitst.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
-v3_bitst.o: ../../include/openssl/des.h ../../include/openssl/dh.h
-v3_bitst.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
-v3_bitst.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+v3_bcons.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+v3_bcons.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+v3_bcons.o: ../../include/openssl/opensslconf.h
+v3_bcons.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+v3_bcons.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
+v3_bcons.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+v3_bcons.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+v3_bcons.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+v3_bcons.o: ../../include/openssl/x509v3.h ../cryptlib.h v3_bcons.c
+v3_bitst.o: ../../e_os.h ../../include/openssl/asn1.h
+v3_bitst.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+v3_bitst.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
+v3_bitst.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
+v3_bitst.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
 v3_bitst.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-v3_bitst.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-v3_bitst.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-v3_bitst.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-v3_bitst.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-v3_bitst.o: ../../include/openssl/opensslconf.h
-v3_bitst.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
-v3_bitst.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-v3_bitst.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-v3_bitst.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-v3_bitst.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-v3_bitst.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-v3_bitst.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
-v3_bitst.o: ../cryptlib.h
-v3_conf.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-v3_conf.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-v3_conf.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-v3_conf.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
-v3_conf.o: ../../include/openssl/des.h ../../include/openssl/dh.h
-v3_conf.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
-v3_conf.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+v3_bitst.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+v3_bitst.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+v3_bitst.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+v3_bitst.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
+v3_bitst.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+v3_bitst.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+v3_bitst.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+v3_bitst.o: ../../include/openssl/x509v3.h ../cryptlib.h v3_bitst.c
+v3_conf.o: ../../e_os.h ../../include/openssl/asn1.h
+v3_conf.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+v3_conf.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
+v3_conf.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
+v3_conf.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
 v3_conf.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-v3_conf.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-v3_conf.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-v3_conf.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-v3_conf.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-v3_conf.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-v3_conf.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-v3_conf.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-v3_conf.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+v3_conf.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+v3_conf.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+v3_conf.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+v3_conf.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
 v3_conf.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
 v3_conf.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 v3_conf.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-v3_conf.o: ../../include/openssl/x509v3.h ../cryptlib.h
-v3_cpols.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
-v3_cpols.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+v3_conf.o: ../../include/openssl/x509v3.h ../cryptlib.h v3_conf.c
+v3_cpols.o: ../../e_os.h ../../include/openssl/asn1.h
+v3_cpols.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
 v3_cpols.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-v3_cpols.o: ../../include/openssl/cast.h ../../include/openssl/conf.h
-v3_cpols.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+v3_cpols.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
 v3_cpols.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-v3_cpols.o: ../../include/openssl/e_os.h ../../include/openssl/e_os.h
 v3_cpols.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-v3_cpols.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-v3_cpols.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-v3_cpols.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-v3_cpols.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
-v3_cpols.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-v3_cpols.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
-v3_cpols.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-v3_cpols.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-v3_cpols.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-v3_cpols.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-v3_cpols.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-v3_cpols.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
-v3_cpols.o: ../cryptlib.h
-v3_crld.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
-v3_crld.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+v3_cpols.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+v3_cpols.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+v3_cpols.o: ../../include/openssl/opensslconf.h
+v3_cpols.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+v3_cpols.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
+v3_cpols.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+v3_cpols.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+v3_cpols.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+v3_cpols.o: ../../include/openssl/x509v3.h ../cryptlib.h v3_cpols.c
+v3_crld.o: ../../e_os.h ../../include/openssl/asn1.h
+v3_crld.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
 v3_crld.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-v3_crld.o: ../../include/openssl/cast.h ../../include/openssl/conf.h
-v3_crld.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+v3_crld.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
 v3_crld.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-v3_crld.o: ../../include/openssl/e_os.h ../../include/openssl/e_os.h
 v3_crld.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-v3_crld.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-v3_crld.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-v3_crld.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-v3_crld.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
-v3_crld.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-v3_crld.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
-v3_crld.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-v3_crld.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+v3_crld.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+v3_crld.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+v3_crld.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+v3_crld.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
 v3_crld.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
 v3_crld.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
 v3_crld.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
 v3_crld.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
-v3_crld.o: ../cryptlib.h
-v3_enum.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-v3_enum.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-v3_enum.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-v3_enum.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
-v3_enum.o: ../../include/openssl/des.h ../../include/openssl/dh.h
-v3_enum.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
-v3_enum.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+v3_crld.o: ../cryptlib.h v3_crld.c
+v3_enum.o: ../../e_os.h ../../include/openssl/asn1.h
+v3_enum.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+v3_enum.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
+v3_enum.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
+v3_enum.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
 v3_enum.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-v3_enum.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-v3_enum.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-v3_enum.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-v3_enum.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-v3_enum.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-v3_enum.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-v3_enum.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-v3_enum.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+v3_enum.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+v3_enum.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+v3_enum.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+v3_enum.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
 v3_enum.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
 v3_enum.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 v3_enum.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-v3_enum.o: ../../include/openssl/x509v3.h ../cryptlib.h
-v3_extku.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-v3_extku.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-v3_extku.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+v3_enum.o: ../../include/openssl/x509v3.h ../cryptlib.h v3_enum.c
+v3_extku.o: ../../e_os.h ../../include/openssl/asn1.h
+v3_extku.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
+v3_extku.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
 v3_extku.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
-v3_extku.o: ../../include/openssl/des.h ../../include/openssl/dh.h
-v3_extku.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
-v3_extku.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-v3_extku.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-v3_extku.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-v3_extku.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-v3_extku.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+v3_extku.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+v3_extku.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+v3_extku.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 v3_extku.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 v3_extku.o: ../../include/openssl/opensslconf.h
-v3_extku.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
-v3_extku.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-v3_extku.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-v3_extku.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-v3_extku.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-v3_extku.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-v3_extku.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
-v3_extku.o: ../cryptlib.h
-v3_genn.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
-v3_genn.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+v3_extku.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+v3_extku.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
+v3_extku.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+v3_extku.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+v3_extku.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+v3_extku.o: ../../include/openssl/x509v3.h ../cryptlib.h v3_extku.c
+v3_genn.o: ../../e_os.h ../../include/openssl/asn1.h
+v3_genn.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
 v3_genn.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-v3_genn.o: ../../include/openssl/cast.h ../../include/openssl/conf.h
-v3_genn.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+v3_genn.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
 v3_genn.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-v3_genn.o: ../../include/openssl/e_os.h ../../include/openssl/e_os.h
 v3_genn.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-v3_genn.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-v3_genn.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-v3_genn.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-v3_genn.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
-v3_genn.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-v3_genn.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
-v3_genn.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-v3_genn.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+v3_genn.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+v3_genn.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+v3_genn.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+v3_genn.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
 v3_genn.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
 v3_genn.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
 v3_genn.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
 v3_genn.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
-v3_genn.o: ../cryptlib.h
-v3_ia5.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-v3_ia5.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-v3_ia5.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+v3_genn.o: ../cryptlib.h v3_genn.c
+v3_ia5.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
+v3_ia5.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
 v3_ia5.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
-v3_ia5.o: ../../include/openssl/des.h ../../include/openssl/dh.h
-v3_ia5.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
-v3_ia5.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-v3_ia5.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-v3_ia5.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-v3_ia5.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-v3_ia5.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+v3_ia5.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+v3_ia5.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+v3_ia5.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 v3_ia5.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 v3_ia5.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-v3_ia5.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-v3_ia5.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-v3_ia5.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-v3_ia5.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-v3_ia5.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-v3_ia5.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-v3_ia5.o: ../../include/openssl/x509v3.h ../cryptlib.h
-v3_info.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
-v3_info.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+v3_ia5.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+v3_ia5.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+v3_ia5.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+v3_ia5.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+v3_ia5.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
+v3_ia5.o: ../cryptlib.h v3_ia5.c
+v3_info.o: ../../e_os.h ../../include/openssl/asn1.h
+v3_info.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
 v3_info.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-v3_info.o: ../../include/openssl/cast.h ../../include/openssl/conf.h
-v3_info.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+v3_info.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
 v3_info.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-v3_info.o: ../../include/openssl/e_os.h ../../include/openssl/e_os.h
 v3_info.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-v3_info.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-v3_info.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-v3_info.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-v3_info.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
-v3_info.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-v3_info.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
-v3_info.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-v3_info.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+v3_info.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+v3_info.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+v3_info.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+v3_info.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
 v3_info.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
 v3_info.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
 v3_info.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
 v3_info.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
-v3_info.o: ../cryptlib.h
-v3_int.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-v3_int.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-v3_int.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+v3_info.o: ../cryptlib.h v3_info.c
+v3_int.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
+v3_int.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
 v3_int.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
-v3_int.o: ../../include/openssl/des.h ../../include/openssl/dh.h
-v3_int.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
-v3_int.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-v3_int.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-v3_int.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-v3_int.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-v3_int.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+v3_int.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+v3_int.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+v3_int.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 v3_int.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 v3_int.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-v3_int.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-v3_int.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-v3_int.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-v3_int.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-v3_int.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-v3_int.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-v3_int.o: ../../include/openssl/x509v3.h ../cryptlib.h
-v3_lib.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-v3_lib.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-v3_lib.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+v3_int.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+v3_int.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+v3_int.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+v3_int.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+v3_int.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
+v3_int.o: ../cryptlib.h v3_int.c
+v3_lib.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
+v3_lib.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
 v3_lib.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
-v3_lib.o: ../../include/openssl/des.h ../../include/openssl/dh.h
-v3_lib.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
-v3_lib.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-v3_lib.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-v3_lib.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-v3_lib.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-v3_lib.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+v3_lib.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+v3_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+v3_lib.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 v3_lib.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 v3_lib.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-v3_lib.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-v3_lib.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-v3_lib.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-v3_lib.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-v3_lib.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-v3_lib.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-v3_lib.o: ../../include/openssl/x509v3.h ../cryptlib.h ext_dat.h
-v3_pku.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
-v3_pku.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+v3_lib.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+v3_lib.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+v3_lib.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+v3_lib.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+v3_lib.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
+v3_lib.o: ../cryptlib.h ext_dat.h v3_lib.c
+v3_ocsp.o: ../../e_os.h ../../include/openssl/asn1.h
+v3_ocsp.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+v3_ocsp.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
+v3_ocsp.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
+v3_ocsp.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+v3_ocsp.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+v3_ocsp.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+v3_ocsp.o: ../../include/openssl/objects.h ../../include/openssl/ocsp.h
+v3_ocsp.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+v3_ocsp.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+v3_ocsp.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+v3_ocsp.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+v3_ocsp.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+v3_ocsp.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
+v3_ocsp.o: ../cryptlib.h v3_ocsp.c
+v3_pku.o: ../../e_os.h ../../include/openssl/asn1.h
+v3_pku.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
 v3_pku.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-v3_pku.o: ../../include/openssl/cast.h ../../include/openssl/conf.h
-v3_pku.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+v3_pku.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
 v3_pku.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-v3_pku.o: ../../include/openssl/e_os.h ../../include/openssl/e_os.h
 v3_pku.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-v3_pku.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-v3_pku.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-v3_pku.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-v3_pku.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
-v3_pku.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-v3_pku.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
-v3_pku.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-v3_pku.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+v3_pku.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+v3_pku.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+v3_pku.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+v3_pku.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
 v3_pku.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
 v3_pku.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
 v3_pku.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
 v3_pku.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
-v3_pku.o: ../cryptlib.h
-v3_prn.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-v3_prn.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-v3_prn.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+v3_pku.o: ../cryptlib.h v3_pku.c
+v3_prn.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
+v3_prn.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
 v3_prn.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
-v3_prn.o: ../../include/openssl/des.h ../../include/openssl/dh.h
-v3_prn.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
-v3_prn.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-v3_prn.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-v3_prn.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-v3_prn.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-v3_prn.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+v3_prn.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+v3_prn.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+v3_prn.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 v3_prn.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 v3_prn.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-v3_prn.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-v3_prn.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-v3_prn.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-v3_prn.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-v3_prn.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-v3_prn.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-v3_prn.o: ../../include/openssl/x509v3.h ../cryptlib.h
-v3_purp.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-v3_purp.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-v3_purp.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-v3_purp.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
-v3_purp.o: ../../include/openssl/des.h ../../include/openssl/dh.h
-v3_purp.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
-v3_purp.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+v3_prn.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+v3_prn.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+v3_prn.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+v3_prn.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+v3_prn.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
+v3_prn.o: ../cryptlib.h v3_prn.c
+v3_purp.o: ../../e_os.h ../../include/openssl/asn1.h
+v3_purp.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+v3_purp.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
+v3_purp.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
+v3_purp.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
 v3_purp.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-v3_purp.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-v3_purp.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-v3_purp.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-v3_purp.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-v3_purp.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-v3_purp.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-v3_purp.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-v3_purp.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+v3_purp.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+v3_purp.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+v3_purp.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+v3_purp.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
 v3_purp.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
 v3_purp.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 v3_purp.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-v3_purp.o: ../../include/openssl/x509v3.h ../cryptlib.h
-v3_skey.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-v3_skey.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-v3_skey.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-v3_skey.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
-v3_skey.o: ../../include/openssl/des.h ../../include/openssl/dh.h
-v3_skey.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
-v3_skey.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+v3_purp.o: ../../include/openssl/x509v3.h ../cryptlib.h v3_purp.c
+v3_skey.o: ../../e_os.h ../../include/openssl/asn1.h
+v3_skey.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+v3_skey.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
+v3_skey.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
+v3_skey.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
 v3_skey.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-v3_skey.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-v3_skey.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-v3_skey.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-v3_skey.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-v3_skey.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-v3_skey.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-v3_skey.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-v3_skey.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+v3_skey.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+v3_skey.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+v3_skey.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+v3_skey.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
 v3_skey.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
 v3_skey.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 v3_skey.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-v3_skey.o: ../../include/openssl/x509v3.h ../cryptlib.h
-v3_sxnet.o: ../../include/openssl/asn1.h ../../include/openssl/asn1_mac.h
-v3_sxnet.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+v3_skey.o: ../../include/openssl/x509v3.h ../cryptlib.h v3_skey.c
+v3_sxnet.o: ../../e_os.h ../../include/openssl/asn1.h
+v3_sxnet.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
 v3_sxnet.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-v3_sxnet.o: ../../include/openssl/cast.h ../../include/openssl/conf.h
-v3_sxnet.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+v3_sxnet.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
 v3_sxnet.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-v3_sxnet.o: ../../include/openssl/e_os.h ../../include/openssl/e_os.h
 v3_sxnet.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-v3_sxnet.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-v3_sxnet.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-v3_sxnet.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-v3_sxnet.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
-v3_sxnet.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-v3_sxnet.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
-v3_sxnet.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-v3_sxnet.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-v3_sxnet.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-v3_sxnet.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-v3_sxnet.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-v3_sxnet.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
-v3_sxnet.o: ../cryptlib.h
-v3_utl.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-v3_utl.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-v3_utl.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+v3_sxnet.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+v3_sxnet.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+v3_sxnet.o: ../../include/openssl/opensslconf.h
+v3_sxnet.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+v3_sxnet.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
+v3_sxnet.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+v3_sxnet.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+v3_sxnet.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+v3_sxnet.o: ../../include/openssl/x509v3.h ../cryptlib.h v3_sxnet.c
+v3_utl.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
+v3_utl.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
 v3_utl.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
-v3_utl.o: ../../include/openssl/des.h ../../include/openssl/dh.h
-v3_utl.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
-v3_utl.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
-v3_utl.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-v3_utl.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-v3_utl.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-v3_utl.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+v3_utl.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+v3_utl.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+v3_utl.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
 v3_utl.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 v3_utl.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-v3_utl.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-v3_utl.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-v3_utl.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-v3_utl.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-v3_utl.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-v3_utl.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-v3_utl.o: ../../include/openssl/x509v3.h ../cryptlib.h
+v3_utl.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+v3_utl.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+v3_utl.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+v3_utl.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+v3_utl.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
+v3_utl.o: ../cryptlib.h v3_utl.c
 v3err.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-v3err.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-v3err.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+v3err.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
 v3err.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
-v3err.o: ../../include/openssl/des.h ../../include/openssl/dh.h
-v3err.o: ../../include/openssl/dsa.h ../../include/openssl/e_os.h
+v3err.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
 v3err.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-v3err.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-v3err.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-v3err.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-v3err.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
-v3err.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-v3err.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h
-v3err.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-v3err.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+v3err.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
+v3err.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+v3err.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+v3err.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
 v3err.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
 v3err.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
 v3err.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
 v3err.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
+v3err.o: v3err.c
diff --git a/src/lib/libcrypto/x509v3/ext_dat.h b/src/lib/libcrypto/x509v3/ext_dat.h
index 801a585a52..586f116db5 100644
--- a/src/lib/libcrypto/x509v3/ext_dat.h
+++ b/src/lib/libcrypto/x509v3/ext_dat.h
@@ -58,9 +58,12 @@
 /* This file contains a table of "standard" extensions */
 
 extern X509V3_EXT_METHOD v3_bcons, v3_nscert, v3_key_usage, v3_ext_ku;
-extern X509V3_EXT_METHOD v3_pkey_usage_period, v3_sxnet, v3_info;
+extern X509V3_EXT_METHOD v3_pkey_usage_period, v3_sxnet, v3_info, v3_sinfo;
 extern X509V3_EXT_METHOD v3_ns_ia5_list[], v3_alt[], v3_skey_id, v3_akey_id;
-extern X509V3_EXT_METHOD v3_crl_num, v3_crl_reason, v3_cpols, v3_crld;
+extern X509V3_EXT_METHOD v3_crl_num, v3_crl_reason, v3_crl_invdate, v3_cpols, v3_crld;
+extern X509V3_EXT_METHOD v3_ocsp_nonce, v3_ocsp_accresp, v3_ocsp_acutoff;
+extern X509V3_EXT_METHOD v3_ocsp_crlid, v3_ocsp_nocheck, v3_ocsp_serviceloc;
+extern X509V3_EXT_METHOD v3_crl_hold;
 
 /* This table will be searched using OBJ_bsearch so it *must* kept in
  * order of the ext_nid values.
@@ -87,8 +90,17 @@ static X509V3_EXT_METHOD *standard_exts[] = {
 &v3_crld,
 &v3_ext_ku,
 &v3_crl_reason,
+&v3_crl_invdate,
 &v3_sxnet,
 &v3_info,
+&v3_ocsp_nonce,
+&v3_ocsp_crlid,
+&v3_ocsp_accresp,
+&v3_ocsp_nocheck,
+&v3_ocsp_acutoff,
+&v3_ocsp_serviceloc,
+&v3_crl_hold,
+&v3_sinfo
 };
 
 /* Number of standard extensions */
diff --git a/src/lib/libcrypto/x509v3/v3_akey.c b/src/lib/libcrypto/x509v3/v3_akey.c
index 0889a18993..97e686f97a 100644
--- a/src/lib/libcrypto/x509v3/v3_akey.c
+++ b/src/lib/libcrypto/x509v3/v3_akey.c
@@ -60,7 +60,7 @@
 #include "cryptlib.h"
 #include <openssl/conf.h>
 #include <openssl/asn1.h>
-#include <openssl/asn1_mac.h>
+#include <openssl/asn1t.h>
 #include <openssl/x509v3.h>
 
 static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
@@ -69,72 +69,15 @@ static AUTHORITY_KEYID *v2i_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
                         X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values);
 
 X509V3_EXT_METHOD v3_akey_id = {
-NID_authority_key_identifier, X509V3_EXT_MULTILINE,
-(X509V3_EXT_NEW)AUTHORITY_KEYID_new,
-(X509V3_EXT_FREE)AUTHORITY_KEYID_free,
-(X509V3_EXT_D2I)d2i_AUTHORITY_KEYID,
-(X509V3_EXT_I2D)i2d_AUTHORITY_KEYID,
-NULL, NULL,
+NID_authority_key_identifier, X509V3_EXT_MULTILINE, ASN1_ITEM_ref(AUTHORITY_KEYID),
+0,0,0,0,
+0,0,
 (X509V3_EXT_I2V)i2v_AUTHORITY_KEYID,
 (X509V3_EXT_V2I)v2i_AUTHORITY_KEYID,
-NULL,NULL,
+0,0,
 NULL
 };
 
-
-int i2d_AUTHORITY_KEYID(AUTHORITY_KEYID *a, unsigned char **pp)
-{
-        M_ASN1_I2D_vars(a);
-
-        M_ASN1_I2D_len_IMP_opt (a->keyid, i2d_ASN1_OCTET_STRING);
-        M_ASN1_I2D_len_IMP_opt (a->issuer, i2d_GENERAL_NAMES);
-        M_ASN1_I2D_len_IMP_opt (a->serial, i2d_ASN1_INTEGER);
-
-        M_ASN1_I2D_seq_total();
-
-        M_ASN1_I2D_put_IMP_opt (a->keyid, i2d_ASN1_OCTET_STRING, 0);
-        M_ASN1_I2D_put_IMP_opt (a->issuer, i2d_GENERAL_NAMES, 1);
-        M_ASN1_I2D_put_IMP_opt (a->serial, i2d_ASN1_INTEGER, 2);
-
-        M_ASN1_I2D_finish();
-}
-
-AUTHORITY_KEYID *AUTHORITY_KEYID_new(void)
-{
-        AUTHORITY_KEYID *ret=NULL;
-        ASN1_CTX c;
-        M_ASN1_New_Malloc(ret, AUTHORITY_KEYID);
-        ret->keyid = NULL;
-        ret->issuer = NULL;
-        ret->serial = NULL;
-        return (ret);
-        M_ASN1_New_Error(ASN1_F_AUTHORITY_KEYID_NEW);
-}
-
-AUTHORITY_KEYID *d2i_AUTHORITY_KEYID(AUTHORITY_KEYID **a, unsigned char **pp,
-             long length)
-{
-        M_ASN1_D2I_vars(a,AUTHORITY_KEYID *,AUTHORITY_KEYID_new);
-        M_ASN1_D2I_Init();
-        M_ASN1_D2I_start_sequence();
-        M_ASN1_D2I_get_IMP_opt (ret->keyid, d2i_ASN1_OCTET_STRING, 0,
-                                                        V_ASN1_OCTET_STRING);
-        M_ASN1_D2I_get_IMP_opt (ret->issuer, d2i_GENERAL_NAMES, 1,
-                                                        V_ASN1_SEQUENCE);
-        M_ASN1_D2I_get_IMP_opt (ret->serial, d2i_ASN1_INTEGER, 2,
-                                                        V_ASN1_INTEGER);
-        M_ASN1_D2I_Finish(a, AUTHORITY_KEYID_free, ASN1_F_D2I_AUTHORITY_KEYID);
-}
-
-void AUTHORITY_KEYID_free(AUTHORITY_KEYID *a)
-{
-        if (a == NULL) return;
-        M_ASN1_OCTET_STRING_free(a->keyid);
-        sk_GENERAL_NAME_pop_free(a->issuer, GENERAL_NAME_free);
-        M_ASN1_INTEGER_free (a->serial);
-        OPENSSL_free (a);
-}
-
 static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
              AUTHORITY_KEYID *akeyid, STACK_OF(CONF_VALUE) *extlist)
 {
@@ -171,7 +114,7 @@ int i;
 CONF_VALUE *cnf;
 ASN1_OCTET_STRING *ikeyid = NULL;
 X509_NAME *isname = NULL;
-STACK_OF(GENERAL_NAME) * gens = NULL;
+GENERAL_NAMES * gens = NULL;
 GENERAL_NAME *gen = NULL;
 ASN1_INTEGER *serial = NULL;
 X509_EXTENSION *ext;
@@ -192,8 +135,6 @@ for(i = 0; i < sk_CONF_VALUE_num(values); i++) {
         }
 }
 
-
-
 if(!ctx || !ctx->issuer_cert) {
         if(ctx && (ctx->flags==CTX_TEST)) return AUTHORITY_KEYID_new();
         X509V3err(X509V3_F_V2I_AUTHORITY_KEYID,X509V3_R_NO_ISSUER_CERTIFICATE);
diff --git a/src/lib/libcrypto/x509v3/v3_akeya.c b/src/lib/libcrypto/x509v3/v3_akeya.c
new file mode 100644
index 0000000000..2aafa26ba7
--- /dev/null
+++ b/src/lib/libcrypto/x509v3/v3_akeya.c
@@ -0,0 +1,72 @@
+/* v3_akey_asn1.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/conf.h>
+#include <openssl/asn1.h>
+#include <openssl/asn1t.h>
+#include <openssl/x509v3.h>
+
+ASN1_SEQUENCE(AUTHORITY_KEYID) = {
+        ASN1_IMP_OPT(AUTHORITY_KEYID, keyid, ASN1_OCTET_STRING, 0),
+        ASN1_IMP_SEQUENCE_OF_OPT(AUTHORITY_KEYID, issuer, GENERAL_NAME, 1),
+        ASN1_IMP_OPT(AUTHORITY_KEYID, serial, ASN1_INTEGER, 2)
+} ASN1_SEQUENCE_END(AUTHORITY_KEYID)
+
+IMPLEMENT_ASN1_FUNCTIONS(AUTHORITY_KEYID)
diff --git a/src/lib/libcrypto/x509v3/v3_alt.c b/src/lib/libcrypto/x509v3/v3_alt.c
index 94bebcd448..0e9e7dcb4f 100644
--- a/src/lib/libcrypto/x509v3/v3_alt.c
+++ b/src/lib/libcrypto/x509v3/v3_alt.c
@@ -61,33 +61,28 @@
 #include <openssl/conf.h>
 #include <openssl/x509v3.h>
 
-static STACK_OF(GENERAL_NAME) *v2i_subject_alt(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
-static STACK_OF(GENERAL_NAME) *v2i_issuer_alt(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
-static int copy_email(X509V3_CTX *ctx, STACK_OF(GENERAL_NAME) *gens);
-static int copy_issuer(X509V3_CTX *ctx, STACK_OF(GENERAL_NAME) *gens);
+static GENERAL_NAMES *v2i_subject_alt(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
+static GENERAL_NAMES *v2i_issuer_alt(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
+static int copy_email(X509V3_CTX *ctx, GENERAL_NAMES *gens, int move_p);
+static int copy_issuer(X509V3_CTX *ctx, GENERAL_NAMES *gens);
 X509V3_EXT_METHOD v3_alt[] = {
-{ NID_subject_alt_name, 0,
-(X509V3_EXT_NEW)GENERAL_NAMES_new,
-(X509V3_EXT_FREE)GENERAL_NAMES_free,
-(X509V3_EXT_D2I)d2i_GENERAL_NAMES,
-(X509V3_EXT_I2D)i2d_GENERAL_NAMES,
-NULL, NULL,
+{ NID_subject_alt_name, 0, ASN1_ITEM_ref(GENERAL_NAMES),
+0,0,0,0,
+0,0,
 (X509V3_EXT_I2V)i2v_GENERAL_NAMES,
 (X509V3_EXT_V2I)v2i_subject_alt,
 NULL, NULL, NULL},
-{ NID_issuer_alt_name, 0,
-(X509V3_EXT_NEW)GENERAL_NAMES_new,
-(X509V3_EXT_FREE)GENERAL_NAMES_free,
-(X509V3_EXT_D2I)d2i_GENERAL_NAMES,
-(X509V3_EXT_I2D)i2d_GENERAL_NAMES,
-NULL, NULL,
+
+{ NID_issuer_alt_name, 0, ASN1_ITEM_ref(GENERAL_NAMES),
+0,0,0,0,
+0,0,
 (X509V3_EXT_I2V)i2v_GENERAL_NAMES,
 (X509V3_EXT_V2I)v2i_issuer_alt,
 NULL, NULL, NULL},
 };
 
 STACK_OF(CONF_VALUE) *i2v_GENERAL_NAMES(X509V3_EXT_METHOD *method,
-                STACK_OF(GENERAL_NAME) *gens, STACK_OF(CONF_VALUE) *ret)
+                GENERAL_NAMES *gens, STACK_OF(CONF_VALUE) *ret)
 {
         int i;
         GENERAL_NAME *gen;
@@ -102,8 +97,8 @@ STACK_OF(CONF_VALUE) *i2v_GENERAL_NAMES(X509V3_EXT_METHOD *method,
 STACK_OF(CONF_VALUE) *i2v_GENERAL_NAME(X509V3_EXT_METHOD *method,
                                 GENERAL_NAME *gen, STACK_OF(CONF_VALUE) *ret)
 {
-        char oline[256];
         unsigned char *p;
+        char oline[256];
         switch (gen->type)
         {
                 case GEN_OTHERNAME:
@@ -154,10 +149,63 @@ STACK_OF(CONF_VALUE) *i2v_GENERAL_NAME(X509V3_EXT_METHOD *method,
         return ret;
 }
 
-static STACK_OF(GENERAL_NAME) *v2i_issuer_alt(X509V3_EXT_METHOD *method,
+int GENERAL_NAME_print(BIO *out, GENERAL_NAME *gen)
+{
+        unsigned char *p;
+        switch (gen->type)
+        {
+                case GEN_OTHERNAME:
+                BIO_printf(out, "othername:<unsupported>");
+                break;
+
+                case GEN_X400:
+                BIO_printf(out, "X400Name:<unsupported>");
+                break;
+
+                case GEN_EDIPARTY:
+                /* Maybe fix this: it is supported now */
+                BIO_printf(out, "EdiPartyName:<unsupported>");
+                break;
+
+                case GEN_EMAIL:
+                BIO_printf(out, "email:%s",gen->d.ia5->data);
+                break;
+
+                case GEN_DNS:
+                BIO_printf(out, "DNS:%s",gen->d.ia5->data);
+                break;
+
+                case GEN_URI:
+                BIO_printf(out, "URI:%s",gen->d.ia5->data);
+                break;
+
+                case GEN_DIRNAME:
+                BIO_printf(out, "DirName: ");
+                X509_NAME_print_ex(out, gen->d.dirn, 0, XN_FLAG_ONELINE);
+                break;
+
+                case GEN_IPADD:
+                p = gen->d.ip->data;
+                /* BUG: doesn't support IPV6 */
+                if(gen->d.ip->length != 4) {
+                        BIO_printf(out,"IP Address:<invalid>");
+                        break;
+                }
+                BIO_printf(out, "IP Address:%d.%d.%d.%d", p[0], p[1], p[2], p[3]);
+                break;
+
+                case GEN_RID:
+                BIO_printf(out, "Registered ID");
+                i2a_ASN1_OBJECT(out, gen->d.rid);
+                break;
+        }
+        return 1;
+}
+
+static GENERAL_NAMES *v2i_issuer_alt(X509V3_EXT_METHOD *method,
                                  X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
 {
-        STACK_OF(GENERAL_NAME) *gens = NULL;
+        GENERAL_NAMES *gens = NULL;
         CONF_VALUE *cnf;
         int i;
         if(!(gens = sk_GENERAL_NAME_new_null())) {
@@ -184,9 +232,9 @@ static STACK_OF(GENERAL_NAME) *v2i_issuer_alt(X509V3_EXT_METHOD *method,
 
 /* Append subject altname of issuer to issuer alt name of subject */
 
-static int copy_issuer(X509V3_CTX *ctx, STACK_OF(GENERAL_NAME) *gens)
+static int copy_issuer(X509V3_CTX *ctx, GENERAL_NAMES *gens)
 {
-        STACK_OF(GENERAL_NAME) *ialt;
+        GENERAL_NAMES *ialt;
         GENERAL_NAME *gen;
         X509_EXTENSION *ext;
         int i;
@@ -219,10 +267,10 @@ static int copy_issuer(X509V3_CTX *ctx, STACK_OF(GENERAL_NAME) *gens)
         
 }
 
-static STACK_OF(GENERAL_NAME) *v2i_subject_alt(X509V3_EXT_METHOD *method,
+static GENERAL_NAMES *v2i_subject_alt(X509V3_EXT_METHOD *method,
                                  X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
 {
-        STACK_OF(GENERAL_NAME) *gens = NULL;
+        GENERAL_NAMES *gens = NULL;
         CONF_VALUE *cnf;
         int i;
         if(!(gens = sk_GENERAL_NAME_new_null())) {
@@ -233,7 +281,10 @@ static STACK_OF(GENERAL_NAME) *v2i_subject_alt(X509V3_EXT_METHOD *method,
                 cnf = sk_CONF_VALUE_value(nval, i);
                 if(!name_cmp(cnf->name, "email") && cnf->value &&
                                                 !strcmp(cnf->value, "copy")) {
-                        if(!copy_email(ctx, gens)) goto err;
+                        if(!copy_email(ctx, gens, 0)) goto err;
+                } else if(!name_cmp(cnf->name, "email") && cnf->value &&
+                                                !strcmp(cnf->value, "move")) {
+                        if(!copy_email(ctx, gens, 1)) goto err;
                 } else {
                         GENERAL_NAME *gen;
                         if(!(gen = v2i_GENERAL_NAME(method, ctx, cnf)))
@@ -251,7 +302,7 @@ static STACK_OF(GENERAL_NAME) *v2i_subject_alt(X509V3_EXT_METHOD *method,
  * GENERAL_NAMES
  */
 
-static int copy_email(X509V3_CTX *ctx, STACK_OF(GENERAL_NAME) *gens)
+static int copy_email(X509V3_CTX *ctx, GENERAL_NAMES *gens, int move_p)
 {
         X509_NAME *nm;
         ASN1_IA5STRING *email = NULL;
@@ -273,6 +324,11 @@ static int copy_email(X509V3_CTX *ctx, STACK_OF(GENERAL_NAME) *gens)
                                          NID_pkcs9_emailAddress, i)) >= 0) {
                 ne = X509_NAME_get_entry(nm, i);
                 email = M_ASN1_IA5STRING_dup(X509_NAME_ENTRY_get_data(ne));
+                if (move_p)
+                        {
+                        X509_NAME_delete_entry(nm, i);
+                        i--;
+                        }
                 if(!email || !(gen = GENERAL_NAME_new())) {
                         X509V3err(X509V3_F_COPY_EMAIL,ERR_R_MALLOC_FAILURE);
                         goto err;
@@ -297,11 +353,11 @@ static int copy_email(X509V3_CTX *ctx, STACK_OF(GENERAL_NAME) *gens)
         
 }
 
-STACK_OF(GENERAL_NAME) *v2i_GENERAL_NAMES(X509V3_EXT_METHOD *method,
+GENERAL_NAMES *v2i_GENERAL_NAMES(X509V3_EXT_METHOD *method,
                                 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
 {
         GENERAL_NAME *gen;
-        STACK_OF(GENERAL_NAME) *gens = NULL;
+        GENERAL_NAMES *gens = NULL;
         CONF_VALUE *cnf;
         int i;
         if(!(gens = sk_GENERAL_NAME_new_null())) {
diff --git a/src/lib/libcrypto/x509v3/v3_bcons.c b/src/lib/libcrypto/x509v3/v3_bcons.c
index c576b8e955..cbb012715e 100644
--- a/src/lib/libcrypto/x509v3/v3_bcons.c
+++ b/src/lib/libcrypto/x509v3/v3_bcons.c
@@ -60,7 +60,7 @@
 #include <stdio.h>
 #include "cryptlib.h"
 #include <openssl/asn1.h>
-#include <openssl/asn1_mac.h>
+#include <openssl/asn1t.h>
 #include <openssl/conf.h>
 #include <openssl/x509v3.h>
 
@@ -69,62 +69,22 @@ static BASIC_CONSTRAINTS *v2i_BASIC_CONSTRAINTS(X509V3_EXT_METHOD *method, X509V
 
 X509V3_EXT_METHOD v3_bcons = {
 NID_basic_constraints, 0,
-(X509V3_EXT_NEW)BASIC_CONSTRAINTS_new,
-(X509V3_EXT_FREE)BASIC_CONSTRAINTS_free,
-(X509V3_EXT_D2I)d2i_BASIC_CONSTRAINTS,
-(X509V3_EXT_I2D)i2d_BASIC_CONSTRAINTS,
-NULL, NULL,
+ASN1_ITEM_ref(BASIC_CONSTRAINTS),
+0,0,0,0,
+0,0,
 (X509V3_EXT_I2V)i2v_BASIC_CONSTRAINTS,
 (X509V3_EXT_V2I)v2i_BASIC_CONSTRAINTS,
 NULL,NULL,
 NULL
 };
 
+ASN1_SEQUENCE(BASIC_CONSTRAINTS) = {
+        ASN1_OPT(BASIC_CONSTRAINTS, ca, ASN1_FBOOLEAN),
+        ASN1_OPT(BASIC_CONSTRAINTS, pathlen, ASN1_INTEGER)
+} ASN1_SEQUENCE_END(BASIC_CONSTRAINTS)
 
-int i2d_BASIC_CONSTRAINTS(BASIC_CONSTRAINTS *a, unsigned char **pp)
-{
-        M_ASN1_I2D_vars(a);
-        if(a->ca) M_ASN1_I2D_len (a->ca, i2d_ASN1_BOOLEAN);
-        M_ASN1_I2D_len (a->pathlen, i2d_ASN1_INTEGER);
-
-        M_ASN1_I2D_seq_total();
-
-        if (a->ca) M_ASN1_I2D_put (a->ca, i2d_ASN1_BOOLEAN);
-        M_ASN1_I2D_put (a->pathlen, i2d_ASN1_INTEGER);
-        M_ASN1_I2D_finish();
-}
-
-BASIC_CONSTRAINTS *BASIC_CONSTRAINTS_new(void)
-{
-        BASIC_CONSTRAINTS *ret=NULL;
-        ASN1_CTX c;
-        M_ASN1_New_Malloc(ret, BASIC_CONSTRAINTS);
-        ret->ca = 0;
-        ret->pathlen = NULL;
-        return (ret);
-        M_ASN1_New_Error(ASN1_F_BASIC_CONSTRAINTS_NEW);
-}
+IMPLEMENT_ASN1_FUNCTIONS(BASIC_CONSTRAINTS)
 
-BASIC_CONSTRAINTS *d2i_BASIC_CONSTRAINTS(BASIC_CONSTRAINTS **a,
-             unsigned char **pp, long length)
-{
-        M_ASN1_D2I_vars(a,BASIC_CONSTRAINTS *,BASIC_CONSTRAINTS_new);
-        M_ASN1_D2I_Init();
-        M_ASN1_D2I_start_sequence();
-        if((M_ASN1_next & (~V_ASN1_CONSTRUCTED)) ==
-                 (V_ASN1_UNIVERSAL|V_ASN1_BOOLEAN) ) {
-                        M_ASN1_D2I_get_int (ret->ca, d2i_ASN1_BOOLEAN);
-        }
-        M_ASN1_D2I_get_opt (ret->pathlen, d2i_ASN1_INTEGER, V_ASN1_INTEGER);
-        M_ASN1_D2I_Finish(a, BASIC_CONSTRAINTS_free, ASN1_F_D2I_BASIC_CONSTRAINTS);
-}
-
-void BASIC_CONSTRAINTS_free(BASIC_CONSTRAINTS *a)
-{
-        if (a == NULL) return;
-        M_ASN1_INTEGER_free (a->pathlen);
-        OPENSSL_free (a);
-}
 
 static STACK_OF(CONF_VALUE) *i2v_BASIC_CONSTRAINTS(X509V3_EXT_METHOD *method,
              BASIC_CONSTRAINTS *bcons, STACK_OF(CONF_VALUE) *extlist)
diff --git a/src/lib/libcrypto/x509v3/v3_bitst.c b/src/lib/libcrypto/x509v3/v3_bitst.c
index 0e1167d05c..16cf125562 100644
--- a/src/lib/libcrypto/x509v3/v3_bitst.c
+++ b/src/lib/libcrypto/x509v3/v3_bitst.c
@@ -66,6 +66,7 @@ static ASN1_BIT_STRING *v2i_ASN1_BIT_STRING(X509V3_EXT_METHOD *method,
 static STACK_OF(CONF_VALUE) *i2v_ASN1_BIT_STRING(X509V3_EXT_METHOD *method,
                                 ASN1_BIT_STRING *bits,
                                 STACK_OF(CONF_VALUE) *extlist);
+
 static BIT_STRING_BITNAME ns_cert_type_table[] = {
 {0, "SSL Client", "client"},
 {1, "SSL Server", "server"},
diff --git a/src/lib/libcrypto/x509v3/v3_conf.c b/src/lib/libcrypto/x509v3/v3_conf.c
index bdc9c1cbc1..1a3448e121 100644
--- a/src/lib/libcrypto/x509v3/v3_conf.c
+++ b/src/lib/libcrypto/x509v3/v3_conf.c
@@ -68,114 +68,137 @@
 
 static int v3_check_critical(char **value);
 static int v3_check_generic(char **value);
-static X509_EXTENSION *do_ext_conf(LHASH *conf, X509V3_CTX *ctx, int ext_nid, int crit, char *value);
+static X509_EXTENSION *do_ext_nconf(CONF *conf, X509V3_CTX *ctx, int ext_nid, int crit, char *value);
 static X509_EXTENSION *v3_generic_extension(const char *ext, char *value, int crit, int type);
 static char *conf_lhash_get_string(void *db, char *section, char *value);
 static STACK_OF(CONF_VALUE) *conf_lhash_get_section(void *db, char *section);
 static X509_EXTENSION *do_ext_i2d(X509V3_EXT_METHOD *method, int ext_nid,
                                                  int crit, void *ext_struc);
-/* LHASH *conf:  Config file    */
+/* CONF *conf:  Config file    */
 /* char *name:  Name    */
 /* char *value:  Value    */
-X509_EXTENSION *X509V3_EXT_conf(LHASH *conf, X509V3_CTX *ctx, char *name,
+X509_EXTENSION *X509V3_EXT_nconf(CONF *conf, X509V3_CTX *ctx, char *name,
              char *value)
-{
+        {
         int crit;
         int ext_type;
         X509_EXTENSION *ret;
         crit = v3_check_critical(&value);
-        if((ext_type = v3_check_generic(&value))) 
+        if ((ext_type = v3_check_generic(&value))) 
                 return v3_generic_extension(name, value, crit, ext_type);
-        ret = do_ext_conf(conf, ctx, OBJ_sn2nid(name), crit, value);
-        if(!ret) {
+        ret = do_ext_nconf(conf, ctx, OBJ_sn2nid(name), crit, value);
+        if (!ret)
+                {
                 X509V3err(X509V3_F_X509V3_EXT_CONF,X509V3_R_ERROR_IN_EXTENSION);
                 ERR_add_error_data(4,"name=", name, ", value=", value);
-        }
+                }
         return ret;
-}
+        }
 
-/* LHASH *conf:  Config file    */
+/* CONF *conf:  Config file    */
 /* char *value:  Value    */
-X509_EXTENSION *X509V3_EXT_conf_nid(LHASH *conf, X509V3_CTX *ctx, int ext_nid,
+X509_EXTENSION *X509V3_EXT_nconf_nid(CONF *conf, X509V3_CTX *ctx, int ext_nid,
              char *value)
-{
+        {
         int crit;
         int ext_type;
         crit = v3_check_critical(&value);
-        if((ext_type = v3_check_generic(&value))) 
+        if ((ext_type = v3_check_generic(&value))) 
                 return v3_generic_extension(OBJ_nid2sn(ext_nid),
                                                          value, crit, ext_type);
-        return do_ext_conf(conf, ctx, ext_nid, crit, value);
-}
+        return do_ext_nconf(conf, ctx, ext_nid, crit, value);
+        }
 
-/* LHASH *conf:  Config file    */
+/* CONF *conf:  Config file    */
 /* char *value:  Value    */
-static X509_EXTENSION *do_ext_conf(LHASH *conf, X509V3_CTX *ctx, int ext_nid,
+static X509_EXTENSION *do_ext_nconf(CONF *conf, X509V3_CTX *ctx, int ext_nid,
              int crit, char *value)
-{
+        {
         X509V3_EXT_METHOD *method;
         X509_EXTENSION *ext;
         STACK_OF(CONF_VALUE) *nval;
         void *ext_struc;
-        if(ext_nid == NID_undef) {
+        if (ext_nid == NID_undef)
+                {
                 X509V3err(X509V3_F_DO_EXT_CONF,X509V3_R_UNKNOWN_EXTENSION_NAME);
                 return NULL;
-        }
-        if(!(method = X509V3_EXT_get_nid(ext_nid))) {
+                }
+        if (!(method = X509V3_EXT_get_nid(ext_nid)))
+                {
                 X509V3err(X509V3_F_DO_EXT_CONF,X509V3_R_UNKNOWN_EXTENSION);
                 return NULL;
-        }
+                }
         /* Now get internal extension representation based on type */
-        if(method->v2i) {
-                if(*value == '@') nval = CONF_get_section(conf, value + 1);
+        if (method->v2i)
+                {
+                if(*value == '@') nval = NCONF_get_section(conf, value + 1);
                 else nval = X509V3_parse_list(value);
-                if(!nval) {
+                if(!nval)
+                        {
                         X509V3err(X509V3_F_X509V3_EXT_CONF,X509V3_R_INVALID_EXTENSION_STRING);
                         ERR_add_error_data(4, "name=", OBJ_nid2sn(ext_nid), ",section=", value);
                         return NULL;
-                }
+                        }
                 ext_struc = method->v2i(method, ctx, nval);
                 if(*value != '@') sk_CONF_VALUE_pop_free(nval,
                                                          X509V3_conf_free);
                 if(!ext_struc) return NULL;
-        } else if(method->s2i) {
+                }
+        else if(method->s2i)
+                {
                 if(!(ext_struc = method->s2i(method, ctx, value))) return NULL;
-        } else if(method->r2i) {
-                if(!ctx->db) {
+                }
+        else if(method->r2i)
+                {
+                if(!ctx->db)
+                        {
                         X509V3err(X509V3_F_X509V3_EXT_CONF,X509V3_R_NO_CONFIG_DATABASE);
                         return NULL;
-                }
+                        }
                 if(!(ext_struc = method->r2i(method, ctx, value))) return NULL;
-        } else {
+                }
+        else
+                {
                 X509V3err(X509V3_F_X509V3_EXT_CONF,X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED);
                 ERR_add_error_data(2, "name=", OBJ_nid2sn(ext_nid));
                 return NULL;
-        }
+                }
 
         ext  = do_ext_i2d(method, ext_nid, crit, ext_struc);
-        method->ext_free(ext_struc);
+        if(method->it) ASN1_item_free(ext_struc, ASN1_ITEM_ptr(method->it));
+        else method->ext_free(ext_struc);
         return ext;
 
-}
+        }
 
 static X509_EXTENSION *do_ext_i2d(X509V3_EXT_METHOD *method, int ext_nid,
                                                  int crit, void *ext_struc)
-{
-        unsigned char *ext_der, *p;
+        {
+        unsigned char *ext_der;
         int ext_len;
         ASN1_OCTET_STRING *ext_oct;
         X509_EXTENSION *ext;
         /* Convert internal representation to DER */
-        ext_len = method->i2d(ext_struc, NULL);
-        if(!(ext_der = OPENSSL_malloc(ext_len))) goto merr;
-        p = ext_der;
-        method->i2d(ext_struc, &p);
-        if(!(ext_oct = M_ASN1_OCTET_STRING_new())) goto merr;
+        if (method->it)
+                {
+                ext_der = NULL;
+                ext_len = ASN1_item_i2d(ext_struc, &ext_der, ASN1_ITEM_ptr(method->it));
+                if (ext_len < 0) goto merr;
+                }
+         else
+                {
+                unsigned char *p;
+                ext_len = method->i2d(ext_struc, NULL);
+                if(!(ext_der = OPENSSL_malloc(ext_len))) goto merr;
+                p = ext_der;
+                method->i2d(ext_struc, &p);
+                }
+        if (!(ext_oct = M_ASN1_OCTET_STRING_new())) goto merr;
         ext_oct->data = ext_der;
         ext_oct->length = ext_len;
-        
+
         ext = X509_EXTENSION_create_by_NID(NULL, ext_nid, crit, ext_oct);
-        if(!ext) goto merr;
+        if (!ext) goto merr;
         M_ASN1_OCTET_STRING_free(ext_oct);
 
         return ext;
@@ -184,14 +207,14 @@ static X509_EXTENSION *do_ext_i2d(X509V3_EXT_METHOD *method, int ext_nid,
         X509V3err(X509V3_F_DO_EXT_I2D,ERR_R_MALLOC_FAILURE);
         return NULL;
 
-}
+        }
 
 /* Given an internal structure, nid and critical flag create an extension */
 
 X509_EXTENSION *X509V3_EXT_i2d(int ext_nid, int crit, void *ext_struc)
-{
+        {
         X509V3_EXT_METHOD *method;
-        if(!(method = X509V3_EXT_get_nid(ext_nid))) {
+        if (!(method = X509V3_EXT_get_nid(ext_nid))) {
                 X509V3err(X509V3_F_X509V3_EXT_I2D,X509V3_R_UNKNOWN_EXTENSION);
                 return NULL;
         }
@@ -202,7 +225,7 @@ X509_EXTENSION *X509V3_EXT_i2d(int ext_nid, int crit, void *ext_struc)
 static int v3_check_critical(char **value)
 {
         char *p = *value;
-        if((strlen(p) < 9) || strncmp(p, "critical,", 9)) return 0;
+        if ((strlen(p) < 9) || strncmp(p, "critical,", 9)) return 0;
         p+=9;
         while(isspace((unsigned char)*p)) p++;
         *value = p;
@@ -213,9 +236,9 @@ static int v3_check_critical(char **value)
 static int v3_check_generic(char **value)
 {
         char *p = *value;
-        if((strlen(p) < 4) || strncmp(p, "DER:,", 4)) return 0;
+        if ((strlen(p) < 4) || strncmp(p, "DER:,", 4)) return 0;
         p+=4;
-        while(isspace((unsigned char)*p)) p++;
+        while (isspace((unsigned char)*p)) p++;
         *value = p;
         return 1;
 }
@@ -223,148 +246,202 @@ static int v3_check_generic(char **value)
 /* Create a generic extension: for now just handle DER type */
 static X509_EXTENSION *v3_generic_extension(const char *ext, char *value,
              int crit, int type)
-{
-unsigned char *ext_der=NULL;
-long ext_len;
-ASN1_OBJECT *obj=NULL;
-ASN1_OCTET_STRING *oct=NULL;
-X509_EXTENSION *extension=NULL;
-if(!(obj = OBJ_txt2obj(ext, 0))) {
-        X509V3err(X509V3_F_V3_GENERIC_EXTENSION,X509V3_R_EXTENSION_NAME_ERROR);
-        ERR_add_error_data(2, "name=", ext);
-        goto err;
-}
+        {
+        unsigned char *ext_der=NULL;
+        long ext_len;
+        ASN1_OBJECT *obj=NULL;
+        ASN1_OCTET_STRING *oct=NULL;
+        X509_EXTENSION *extension=NULL;
+        if (!(obj = OBJ_txt2obj(ext, 0)))
+                {
+                X509V3err(X509V3_F_V3_GENERIC_EXTENSION,X509V3_R_EXTENSION_NAME_ERROR);
+                ERR_add_error_data(2, "name=", ext);
+                goto err;
+                }
 
-if(!(ext_der = string_to_hex(value, &ext_len))) {
-        X509V3err(X509V3_F_V3_GENERIC_EXTENSION,X509V3_R_EXTENSION_VALUE_ERROR);
-        ERR_add_error_data(2, "value=", value);
-        goto err;
-}
+        if (!(ext_der = string_to_hex(value, &ext_len)))
+                {
+                X509V3err(X509V3_F_V3_GENERIC_EXTENSION,X509V3_R_EXTENSION_VALUE_ERROR);
+                ERR_add_error_data(2, "value=", value);
+                goto err;
+                }
 
-if(!(oct = M_ASN1_OCTET_STRING_new())) {
-        X509V3err(X509V3_F_V3_GENERIC_EXTENSION,ERR_R_MALLOC_FAILURE);
-        goto err;
-}
+        if (!(oct = M_ASN1_OCTET_STRING_new()))
+                {
+                X509V3err(X509V3_F_V3_GENERIC_EXTENSION,ERR_R_MALLOC_FAILURE);
+                goto err;
+                }
 
-oct->data = ext_der;
-oct->length = ext_len;
-ext_der = NULL;
+        oct->data = ext_der;
+        oct->length = ext_len;
+        ext_der = NULL;
 
-extension = X509_EXTENSION_create_by_OBJ(NULL, obj, crit, oct);
+        extension = X509_EXTENSION_create_by_OBJ(NULL, obj, crit, oct);
 
-err:
-ASN1_OBJECT_free(obj);
-M_ASN1_OCTET_STRING_free(oct);
-if(ext_der) OPENSSL_free(ext_der);
-return extension;
-}
+        err:
+        ASN1_OBJECT_free(obj);
+        M_ASN1_OCTET_STRING_free(oct);
+        if(ext_der) OPENSSL_free(ext_der);
+        return extension;
+
+        }
 
 
 /* This is the main function: add a bunch of extensions based on a config file
- * section
+ * section to an extension STACK.
  */
 
-int X509V3_EXT_add_conf(LHASH *conf, X509V3_CTX *ctx, char *section,
-             X509 *cert)
-{
+
+int X509V3_EXT_add_nconf_sk(CONF *conf, X509V3_CTX *ctx, char *section,
+             STACK_OF(X509_EXTENSION) **sk)
+        {
         X509_EXTENSION *ext;
         STACK_OF(CONF_VALUE) *nval;
         CONF_VALUE *val;        
         int i;
-        if(!(nval = CONF_get_section(conf, section))) return 0;
-        for(i = 0; i < sk_CONF_VALUE_num(nval); i++) {
+        if (!(nval = NCONF_get_section(conf, section))) return 0;
+        for (i = 0; i < sk_CONF_VALUE_num(nval); i++)
+                {
                 val = sk_CONF_VALUE_value(nval, i);
-                if(!(ext = X509V3_EXT_conf(conf, ctx, val->name, val->value)))
+                if (!(ext = X509V3_EXT_nconf(conf, ctx, val->name, val->value)))
                                                                 return 0;
-                if(cert) X509_add_ext(cert, ext, -1);
+                if (sk) X509v3_add_ext(sk, ext, -1);
                 X509_EXTENSION_free(ext);
-        }
+                }
         return 1;
-}
+        }
+
+/* Convenience functions to add extensions to a certificate, CRL and request */
+
+int X509V3_EXT_add_nconf(CONF *conf, X509V3_CTX *ctx, char *section,
+             X509 *cert)
+        {
+        STACK_OF(X509_EXTENSION) **sk = NULL;
+        if (cert)
+                sk = &cert->cert_info->extensions;
+        return X509V3_EXT_add_nconf_sk(conf, ctx, section, sk);
+        }
 
 /* Same as above but for a CRL */
 
-int X509V3_EXT_CRL_add_conf(LHASH *conf, X509V3_CTX *ctx, char *section,
+int X509V3_EXT_CRL_add_nconf(CONF *conf, X509V3_CTX *ctx, char *section,
              X509_CRL *crl)
-{
-        X509_EXTENSION *ext;
-        STACK_OF(CONF_VALUE) *nval;
-        CONF_VALUE *val;        
-        int i;
-        if(!(nval = CONF_get_section(conf, section))) return 0;
-        for(i = 0; i < sk_CONF_VALUE_num(nval); i++) {
-                val = sk_CONF_VALUE_value(nval, i);
-                if(!(ext = X509V3_EXT_conf(conf, ctx, val->name, val->value)))
-                                                                return 0;
-                if(crl) X509_CRL_add_ext(crl, ext, -1);
-                X509_EXTENSION_free(ext);
+        {
+        STACK_OF(X509_EXTENSION) **sk = NULL;
+        if (crl)
+                sk = &crl->crl->extensions;
+        return X509V3_EXT_add_nconf_sk(conf, ctx, section, sk);
         }
-        return 1;
-}
 
 /* Add extensions to certificate request */
 
-int X509V3_EXT_REQ_add_conf(LHASH *conf, X509V3_CTX *ctx, char *section,
+int X509V3_EXT_REQ_add_nconf(CONF *conf, X509V3_CTX *ctx, char *section,
              X509_REQ *req)
-{
-        X509_EXTENSION *ext;
-        STACK_OF(X509_EXTENSION) *extlist = NULL;
-        STACK_OF(CONF_VALUE) *nval;
-        CONF_VALUE *val;        
+        {
+        STACK_OF(X509_EXTENSION) *extlist = NULL, **sk = NULL;
         int i;
-        if(!(nval = CONF_get_section(conf, section))) return 0;
-        for(i = 0; i < sk_CONF_VALUE_num(nval); i++) {
-                val = sk_CONF_VALUE_value(nval, i);
-                if(!(ext = X509V3_EXT_conf(conf, ctx, val->name, val->value)))
-                                                                return 0;
-                if(!extlist) extlist = sk_X509_EXTENSION_new_null();
-                sk_X509_EXTENSION_push(extlist, ext);
-        }
-        if(req) i = X509_REQ_add_extensions(req, extlist);
-        else i = 1;
+        if (req)
+                sk = &extlist;
+        i = X509V3_EXT_add_nconf_sk(conf, ctx, section, sk);
+        if (!i || !sk)
+                return i;
+        i = X509_REQ_add_extensions(req, extlist);
         sk_X509_EXTENSION_pop_free(extlist, X509_EXTENSION_free);
         return i;
-}
+        }
 
 /* Config database functions */
 
 char * X509V3_get_string(X509V3_CTX *ctx, char *name, char *section)
-{
-        if(ctx->db_meth->get_string)
+        {
+        if (ctx->db_meth->get_string)
                         return ctx->db_meth->get_string(ctx->db, name, section);
         return NULL;
-}
+        }
 
 STACK_OF(CONF_VALUE) * X509V3_get_section(X509V3_CTX *ctx, char *section)
-{
-        if(ctx->db_meth->get_section)
+        {
+        if (ctx->db_meth->get_section)
                         return ctx->db_meth->get_section(ctx->db, section);
         return NULL;
-}
+        }
 
 void X509V3_string_free(X509V3_CTX *ctx, char *str)
-{
-        if(!str) return;
-        if(ctx->db_meth->free_string)
+        {
+        if (!str) return;
+        if (ctx->db_meth->free_string)
                         ctx->db_meth->free_string(ctx->db, str);
-}
+        }
 
 void X509V3_section_free(X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *section)
-{
-        if(!section) return;
-        if(ctx->db_meth->free_section)
+        {
+        if (!section) return;
+        if (ctx->db_meth->free_section)
                         ctx->db_meth->free_section(ctx->db, section);
-}
+        }
+
+static char *nconf_get_string(void *db, char *section, char *value)
+        {
+        return NCONF_get_string(db, section, value);
+        }
+
+static STACK_OF(CONF_VALUE) *nconf_get_section(void *db, char *section)
+        {
+        return NCONF_get_section(db, section);
+        }
+
+static X509V3_CONF_METHOD nconf_method = {
+nconf_get_string,
+nconf_get_section,
+NULL,
+NULL
+};
+
+void X509V3_set_nconf(X509V3_CTX *ctx, CONF *conf)
+        {
+        ctx->db_meth = &nconf_method;
+        ctx->db = conf;
+        }
+
+void X509V3_set_ctx(X509V3_CTX *ctx, X509 *issuer, X509 *subj, X509_REQ *req,
+             X509_CRL *crl, int flags)
+        {
+        ctx->issuer_cert = issuer;
+        ctx->subject_cert = subj;
+        ctx->crl = crl;
+        ctx->subject_req = req;
+        ctx->flags = flags;
+        }
+
+/* Old conf compatibility functions */
+
+X509_EXTENSION *X509V3_EXT_conf(LHASH *conf, X509V3_CTX *ctx, char *name,
+             char *value)
+        {
+        CONF ctmp;
+        CONF_set_nconf(&ctmp, conf);
+        return X509V3_EXT_nconf(&ctmp, ctx, name, value);
+        }
+
+/* LHASH *conf:  Config file    */
+/* char *value:  Value    */
+X509_EXTENSION *X509V3_EXT_conf_nid(LHASH *conf, X509V3_CTX *ctx, int ext_nid,
+             char *value)
+        {
+        CONF ctmp;
+        CONF_set_nconf(&ctmp, conf);
+        return X509V3_EXT_nconf_nid(&ctmp, ctx, ext_nid, value);
+        }
 
 static char *conf_lhash_get_string(void *db, char *section, char *value)
-{
+        {
         return CONF_get_string(db, section, value);
-}
+        }
 
 static STACK_OF(CONF_VALUE) *conf_lhash_get_section(void *db, char *section)
-{
+        {
         return CONF_get_section(db, section);
-}
+        }
 
 static X509V3_CONF_METHOD conf_lhash_method = {
 conf_lhash_get_string,
@@ -374,17 +451,35 @@ NULL
 };
 
 void X509V3_set_conf_lhash(X509V3_CTX *ctx, LHASH *lhash)
-{
+        {
         ctx->db_meth = &conf_lhash_method;
         ctx->db = lhash;
-}
+        }
 
-void X509V3_set_ctx(X509V3_CTX *ctx, X509 *issuer, X509 *subj, X509_REQ *req,
-             X509_CRL *crl, int flags)
-{
-        ctx->issuer_cert = issuer;
-        ctx->subject_cert = subj;
-        ctx->crl = crl;
-        ctx->subject_req = req;
-        ctx->flags = flags;
-}
+int X509V3_EXT_add_conf(LHASH *conf, X509V3_CTX *ctx, char *section,
+             X509 *cert)
+        {
+        CONF ctmp;
+        CONF_set_nconf(&ctmp, conf);
+        return X509V3_EXT_add_nconf(&ctmp, ctx, section, cert);
+        }
+
+/* Same as above but for a CRL */
+
+int X509V3_EXT_CRL_add_conf(LHASH *conf, X509V3_CTX *ctx, char *section,
+             X509_CRL *crl)
+        {
+        CONF ctmp;
+        CONF_set_nconf(&ctmp, conf);
+        return X509V3_EXT_CRL_add_nconf(&ctmp, ctx, section, crl);
+        }
+
+/* Add extensions to certificate request */
+
+int X509V3_EXT_REQ_add_conf(LHASH *conf, X509V3_CTX *ctx, char *section,
+             X509_REQ *req)
+        {
+        CONF ctmp;
+        CONF_set_nconf(&ctmp, conf);
+        return X509V3_EXT_REQ_add_nconf(&ctmp, ctx, section, req);
+        }
diff --git a/src/lib/libcrypto/x509v3/v3_cpols.c b/src/lib/libcrypto/x509v3/v3_cpols.c
index 8203ed7571..0d4ab1f680 100644
--- a/src/lib/libcrypto/x509v3/v3_cpols.c
+++ b/src/lib/libcrypto/x509v3/v3_cpols.c
@@ -60,7 +60,7 @@
 #include "cryptlib.h"
 #include <openssl/conf.h>
 #include <openssl/asn1.h>
-#include <openssl/asn1_mac.h>
+#include <openssl/asn1t.h>
 #include <openssl/x509v3.h>
 
 /* Certificate policies extension support: this one is a bit complex... */
@@ -76,18 +76,55 @@ static POLICYQUALINFO *notice_section(X509V3_CTX *ctx,
 static STACK_OF(ASN1_INTEGER) *nref_nos(STACK_OF(CONF_VALUE) *nos);
 
 X509V3_EXT_METHOD v3_cpols = {
-NID_certificate_policies, 0,
-(X509V3_EXT_NEW)CERTIFICATEPOLICIES_new,
-(X509V3_EXT_FREE)CERTIFICATEPOLICIES_free,
-(X509V3_EXT_D2I)d2i_CERTIFICATEPOLICIES,
-(X509V3_EXT_I2D)i2d_CERTIFICATEPOLICIES,
-NULL, NULL,
-NULL, NULL,
+NID_certificate_policies, 0,ASN1_ITEM_ref(CERTIFICATEPOLICIES),
+0,0,0,0,
+0,0,
+0,0,
 (X509V3_EXT_I2R)i2r_certpol,
 (X509V3_EXT_R2I)r2i_certpol,
 NULL
 };
 
+ASN1_ITEM_TEMPLATE(CERTIFICATEPOLICIES) = 
+        ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, CERTIFICATEPOLICIES, POLICYINFO)
+ASN1_ITEM_TEMPLATE_END(CERTIFICATEPOLICIES)
+
+IMPLEMENT_ASN1_FUNCTIONS(CERTIFICATEPOLICIES)
+
+ASN1_SEQUENCE(POLICYINFO) = {
+        ASN1_SIMPLE(POLICYINFO, policyid, ASN1_OBJECT),
+        ASN1_SEQUENCE_OF_OPT(POLICYINFO, qualifiers, POLICYQUALINFO)
+} ASN1_SEQUENCE_END(POLICYINFO)
+
+IMPLEMENT_ASN1_FUNCTIONS(POLICYINFO)
+
+ASN1_ADB_TEMPLATE(policydefault) = ASN1_SIMPLE(POLICYQUALINFO, d.other, ASN1_ANY);
+
+ASN1_ADB(POLICYQUALINFO) = {
+        ADB_ENTRY(NID_id_qt_cps, ASN1_SIMPLE(POLICYQUALINFO, d.cpsuri, ASN1_IA5STRING)),
+        ADB_ENTRY(NID_id_qt_unotice, ASN1_SIMPLE(POLICYQUALINFO, d.usernotice, USERNOTICE))
+} ASN1_ADB_END(POLICYQUALINFO, 0, pqualid, 0, &policydefault_tt, NULL);
+
+ASN1_SEQUENCE(POLICYQUALINFO) = {
+        ASN1_SIMPLE(POLICYQUALINFO, pqualid, ASN1_OBJECT),
+        ASN1_ADB_OBJECT(POLICYQUALINFO)
+} ASN1_SEQUENCE_END(POLICYQUALINFO)
+
+IMPLEMENT_ASN1_FUNCTIONS(POLICYQUALINFO)
+
+ASN1_SEQUENCE(USERNOTICE) = {
+        ASN1_OPT(USERNOTICE, noticeref, NOTICEREF),
+        ASN1_OPT(USERNOTICE, exptext, DISPLAYTEXT)
+} ASN1_SEQUENCE_END(USERNOTICE)
+
+IMPLEMENT_ASN1_FUNCTIONS(USERNOTICE)
+
+ASN1_SEQUENCE(NOTICEREF) = {
+        ASN1_SIMPLE(NOTICEREF, organization, DISPLAYTEXT),
+        ASN1_SEQUENCE_OF(NOTICEREF, noticenos, ASN1_INTEGER)
+} ASN1_SEQUENCE_END(NOTICEREF)
+
+IMPLEMENT_ASN1_FUNCTIONS(NOTICEREF)
 
 static STACK_OF(POLICYINFO) *r2i_certpol(X509V3_EXT_METHOD *method,
                 X509V3_CTX *ctx, char *value)
@@ -327,83 +364,6 @@ static int i2r_certpol(X509V3_EXT_METHOD *method, STACK_OF(POLICYINFO) *pol,
         return 1;
 }
 
-
-int i2d_CERTIFICATEPOLICIES(STACK_OF(POLICYINFO) *a, unsigned char **pp)
-{
-
-return i2d_ASN1_SET_OF_POLICYINFO(a, pp, i2d_POLICYINFO, V_ASN1_SEQUENCE,
-                                                 V_ASN1_UNIVERSAL, IS_SEQUENCE);}
-
-STACK_OF(POLICYINFO) *CERTIFICATEPOLICIES_new(void)
-{
-        return sk_POLICYINFO_new_null();
-}
-
-void CERTIFICATEPOLICIES_free(STACK_OF(POLICYINFO) *a)
-{
-        sk_POLICYINFO_pop_free(a, POLICYINFO_free);
-}
-
-STACK_OF(POLICYINFO) *d2i_CERTIFICATEPOLICIES(STACK_OF(POLICYINFO) **a,
-                unsigned char **pp,long length)
-{
-return d2i_ASN1_SET_OF_POLICYINFO(a, pp, length, d2i_POLICYINFO,
-                         POLICYINFO_free, V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL);
-
-}
-
-IMPLEMENT_STACK_OF(POLICYINFO)
-IMPLEMENT_ASN1_SET_OF(POLICYINFO)
-
-int i2d_POLICYINFO(POLICYINFO *a, unsigned char **pp)
-{
-        M_ASN1_I2D_vars(a);
-
-        M_ASN1_I2D_len (a->policyid, i2d_ASN1_OBJECT);
-        M_ASN1_I2D_len_SEQUENCE_type(POLICYQUALINFO, a->qualifiers,
-                                                         i2d_POLICYQUALINFO);
-
-        M_ASN1_I2D_seq_total();
-
-        M_ASN1_I2D_put (a->policyid, i2d_ASN1_OBJECT);
-        M_ASN1_I2D_put_SEQUENCE_type(POLICYQUALINFO, a->qualifiers,
-                                                         i2d_POLICYQUALINFO);
-
-        M_ASN1_I2D_finish();
-}
-
-POLICYINFO *POLICYINFO_new(void)
-{
-        POLICYINFO *ret=NULL;
-        ASN1_CTX c;
-        M_ASN1_New_Malloc(ret, POLICYINFO);
-        ret->policyid = NULL;
-        ret->qualifiers = NULL;
-        return (ret);
-        M_ASN1_New_Error(ASN1_F_POLICYINFO_NEW);
-}
-
-POLICYINFO *d2i_POLICYINFO(POLICYINFO **a, unsigned char **pp,long length)
-{
-        M_ASN1_D2I_vars(a,POLICYINFO *,POLICYINFO_new);
-        M_ASN1_D2I_Init();
-        M_ASN1_D2I_start_sequence();
-        M_ASN1_D2I_get(ret->policyid, d2i_ASN1_OBJECT);
-        if(!M_ASN1_D2I_end_sequence()) {
-                M_ASN1_D2I_get_seq_type (POLICYQUALINFO, ret->qualifiers,
-                                 d2i_POLICYQUALINFO, POLICYQUALINFO_free);
-        }
-        M_ASN1_D2I_Finish(a, POLICYINFO_free, ASN1_F_D2I_POLICYINFO);
-}
-
-void POLICYINFO_free(POLICYINFO *a)
-{
-        if (a == NULL) return;
-        ASN1_OBJECT_free(a->policyid);
-        sk_POLICYQUALINFO_pop_free(a->qualifiers, POLICYQUALINFO_free);
-        OPENSSL_free (a);
-}
-
 static void print_qualifiers(BIO *out, STACK_OF(POLICYQUALINFO) *quals,
                 int indent)
 {
@@ -459,202 +419,4 @@ static void print_notice(BIO *out, USERNOTICE *notice, int indent)
                 BIO_printf(out, "%*sExplicit Text: %s\n", indent, "",
                                                          notice->exptext->data);
 }
-                
-        
-
-int i2d_POLICYQUALINFO(POLICYQUALINFO *a, unsigned char **pp)
-{
-        M_ASN1_I2D_vars(a);
-
-        M_ASN1_I2D_len (a->pqualid, i2d_ASN1_OBJECT);
-        switch(OBJ_obj2nid(a->pqualid)) {
-                case NID_id_qt_cps:
-                M_ASN1_I2D_len(a->d.cpsuri, i2d_ASN1_IA5STRING);
-                break;
-
-                case NID_id_qt_unotice:
-                M_ASN1_I2D_len(a->d.usernotice, i2d_USERNOTICE);
-                break;
-
-                default:
-                M_ASN1_I2D_len(a->d.other, i2d_ASN1_TYPE);
-                break;
-        }
-
-        M_ASN1_I2D_seq_total();
-
-        M_ASN1_I2D_put (a->pqualid, i2d_ASN1_OBJECT);
-        switch(OBJ_obj2nid(a->pqualid)) {
-                case NID_id_qt_cps:
-                M_ASN1_I2D_put(a->d.cpsuri, i2d_ASN1_IA5STRING);
-                break;
-
-                case NID_id_qt_unotice:
-                M_ASN1_I2D_put(a->d.usernotice, i2d_USERNOTICE);
-                break;
-
-                default:
-                M_ASN1_I2D_put(a->d.other, i2d_ASN1_TYPE);
-                break;
-        }
-
-        M_ASN1_I2D_finish();
-}
-
-POLICYQUALINFO *POLICYQUALINFO_new(void)
-{
-        POLICYQUALINFO *ret=NULL;
-        ASN1_CTX c;
-        M_ASN1_New_Malloc(ret, POLICYQUALINFO);
-        ret->pqualid = NULL;
-        ret->d.other = NULL;
-        return (ret);
-        M_ASN1_New_Error(ASN1_F_POLICYQUALINFO_NEW);
-}
-
-POLICYQUALINFO *d2i_POLICYQUALINFO(POLICYQUALINFO **a, unsigned char **pp,
-                long length)
-{
-        M_ASN1_D2I_vars(a,POLICYQUALINFO *,POLICYQUALINFO_new);
-        M_ASN1_D2I_Init();
-        M_ASN1_D2I_start_sequence();
-        M_ASN1_D2I_get (ret->pqualid, d2i_ASN1_OBJECT);
-        switch(OBJ_obj2nid(ret->pqualid)) {
-                case NID_id_qt_cps:
-                M_ASN1_D2I_get(ret->d.cpsuri, d2i_ASN1_IA5STRING);
-                break;
-
-                case NID_id_qt_unotice:
-                M_ASN1_D2I_get(ret->d.usernotice, d2i_USERNOTICE);
-                break;
-
-                default:
-                M_ASN1_D2I_get(ret->d.other, d2i_ASN1_TYPE);
-                break;
-        }
-        M_ASN1_D2I_Finish(a, POLICYQUALINFO_free, ASN1_F_D2I_POLICYQUALINFO);
-}
-
-void POLICYQUALINFO_free(POLICYQUALINFO *a)
-{
-        if (a == NULL) return;
-        switch(OBJ_obj2nid(a->pqualid)) {
-                case NID_id_qt_cps:
-                M_ASN1_IA5STRING_free(a->d.cpsuri);
-                break;
-
-                case NID_id_qt_unotice:
-                USERNOTICE_free(a->d.usernotice);
-                break;
-
-                default:
-                ASN1_TYPE_free(a->d.other);
-                break;
-        }
-        
-        ASN1_OBJECT_free(a->pqualid);
-        OPENSSL_free (a);
-}
-
-int i2d_USERNOTICE(USERNOTICE *a, unsigned char **pp)
-{
-        M_ASN1_I2D_vars(a);
-
-        M_ASN1_I2D_len (a->noticeref, i2d_NOTICEREF);
-        M_ASN1_I2D_len (a->exptext, i2d_DISPLAYTEXT);
-
-        M_ASN1_I2D_seq_total();
-
-        M_ASN1_I2D_put (a->noticeref, i2d_NOTICEREF);
-        M_ASN1_I2D_put (a->exptext, i2d_DISPLAYTEXT);
-
-        M_ASN1_I2D_finish();
-}
-
-USERNOTICE *USERNOTICE_new(void)
-{
-        USERNOTICE *ret=NULL;
-        ASN1_CTX c;
-        M_ASN1_New_Malloc(ret, USERNOTICE);
-        ret->noticeref = NULL;
-        ret->exptext = NULL;
-        return (ret);
-        M_ASN1_New_Error(ASN1_F_USERNOTICE_NEW);
-}
-
-USERNOTICE *d2i_USERNOTICE(USERNOTICE **a, unsigned char **pp,long length)
-{
-        M_ASN1_D2I_vars(a,USERNOTICE *,USERNOTICE_new);
-        M_ASN1_D2I_Init();
-        M_ASN1_D2I_start_sequence();
-        M_ASN1_D2I_get_opt(ret->noticeref, d2i_NOTICEREF, V_ASN1_SEQUENCE);
-        if (!M_ASN1_D2I_end_sequence()) {
-                M_ASN1_D2I_get(ret->exptext, d2i_DISPLAYTEXT);
-        }
-        M_ASN1_D2I_Finish(a, USERNOTICE_free, ASN1_F_D2I_USERNOTICE);
-}
-
-void USERNOTICE_free(USERNOTICE *a)
-{
-        if (a == NULL) return;
-        NOTICEREF_free(a->noticeref);
-        M_DISPLAYTEXT_free(a->exptext);
-        OPENSSL_free (a);
-}
-
-int i2d_NOTICEREF(NOTICEREF *a, unsigned char **pp)
-{
-        M_ASN1_I2D_vars(a);
-
-        M_ASN1_I2D_len (a->organization, i2d_DISPLAYTEXT);
-        M_ASN1_I2D_len_SEQUENCE_type(ASN1_INTEGER, a->noticenos,
-                                     i2d_ASN1_INTEGER);
-
-        M_ASN1_I2D_seq_total();
-
-        M_ASN1_I2D_put (a->organization, i2d_DISPLAYTEXT);
-        M_ASN1_I2D_put_SEQUENCE_type(ASN1_INTEGER, a->noticenos,
-                                     i2d_ASN1_INTEGER);
-
-        M_ASN1_I2D_finish();
-}
-
-NOTICEREF *NOTICEREF_new(void)
-{
-        NOTICEREF *ret=NULL;
-        ASN1_CTX c;
-        M_ASN1_New_Malloc(ret, NOTICEREF);
-        ret->organization = NULL;
-        ret->noticenos = NULL;
-        return (ret);
-        M_ASN1_New_Error(ASN1_F_NOTICEREF_NEW);
-}
-
-NOTICEREF *d2i_NOTICEREF(NOTICEREF **a, unsigned char **pp,long length)
-{
-        M_ASN1_D2I_vars(a,NOTICEREF *,NOTICEREF_new);
-        M_ASN1_D2I_Init();
-        M_ASN1_D2I_start_sequence();
-        /* This is to cope with some broken encodings that use IA5STRING for
-         * the organization field
-         */
-        M_ASN1_D2I_get_opt(ret->organization, d2i_ASN1_IA5STRING,
-                                                         V_ASN1_IA5STRING);
-        if(!ret->organization) {
-                 M_ASN1_D2I_get(ret->organization, d2i_DISPLAYTEXT);
-        }
-        M_ASN1_D2I_get_seq_type(ASN1_INTEGER, ret->noticenos, d2i_ASN1_INTEGER,
-                                ASN1_STRING_free);
-        M_ASN1_D2I_Finish(a, NOTICEREF_free, ASN1_F_D2I_NOTICEREF);
-}
-
-void NOTICEREF_free(NOTICEREF *a)
-{
-        if (a == NULL) return;
-        M_DISPLAYTEXT_free(a->organization);
-        sk_ASN1_INTEGER_pop_free(a->noticenos, ASN1_STRING_free);
-        OPENSSL_free (a);
-}
 
-IMPLEMENT_STACK_OF(POLICYQUALINFO)
-IMPLEMENT_ASN1_SET_OF(POLICYQUALINFO)
diff --git a/src/lib/libcrypto/x509v3/v3_crld.c b/src/lib/libcrypto/x509v3/v3_crld.c
index 67feea4017..894a8b94d8 100644
--- a/src/lib/libcrypto/x509v3/v3_crld.c
+++ b/src/lib/libcrypto/x509v3/v3_crld.c
@@ -60,7 +60,7 @@
 #include "cryptlib.h"
 #include <openssl/conf.h>
 #include <openssl/asn1.h>
-#include <openssl/asn1_mac.h>
+#include <openssl/asn1t.h>
 #include <openssl/x509v3.h>
 
 static STACK_OF(CONF_VALUE) *i2v_crld(X509V3_EXT_METHOD *method,
@@ -69,15 +69,13 @@ static STACK_OF(DIST_POINT) *v2i_crld(X509V3_EXT_METHOD *method,
                                 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
 
 X509V3_EXT_METHOD v3_crld = {
-NID_crl_distribution_points, X509V3_EXT_MULTILINE,
-(X509V3_EXT_NEW)CRL_DIST_POINTS_new,
-(X509V3_EXT_FREE)CRL_DIST_POINTS_free,
-(X509V3_EXT_D2I)d2i_CRL_DIST_POINTS,
-(X509V3_EXT_I2D)i2d_CRL_DIST_POINTS,
-NULL, NULL,
+NID_crl_distribution_points, X509V3_EXT_MULTILINE, ASN1_ITEM_ref(CRL_DIST_POINTS),
+0,0,0,0,
+0,0,
 (X509V3_EXT_I2V)i2v_crld,
 (X509V3_EXT_V2I)v2i_crld,
-NULL, NULL, NULL
+0,0,
+NULL
 };
 
 static STACK_OF(CONF_VALUE) *i2v_crld(X509V3_EXT_METHOD *method,
@@ -87,16 +85,16 @@ static STACK_OF(CONF_VALUE) *i2v_crld(X509V3_EXT_METHOD *method,
         int i;
         for(i = 0; i < sk_DIST_POINT_num(crld); i++) {
                 point = sk_DIST_POINT_value(crld, i);
-                if(point->distpoint && point->distpoint->fullname) {
-                        exts = i2v_GENERAL_NAMES(NULL,
-                                         point->distpoint->fullname, exts);
+                if(point->distpoint) {
+                        if(point->distpoint->type == 0)
+                                exts = i2v_GENERAL_NAMES(NULL,
+                                         point->distpoint->name.fullname, exts);
+                        else X509V3_add_value("RelativeName","<UNSUPPORTED>", &exts);
                 }
                 if(point->reasons) 
                         X509V3_add_value("reasons","<UNSUPPORTED>", &exts);
                 if(point->CRLissuer)
                         X509V3_add_value("CRLissuer","<UNSUPPORTED>", &exts);
-                if(point->distpoint && point->distpoint->relativename)
-                        X509V3_add_value("RelativeName","<UNSUPPORTED>", &exts);
         }
         return exts;
 }
@@ -105,7 +103,7 @@ static STACK_OF(DIST_POINT) *v2i_crld(X509V3_EXT_METHOD *method,
                                 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
 {
         STACK_OF(DIST_POINT) *crld = NULL;
-        STACK_OF(GENERAL_NAME) *gens = NULL;
+        GENERAL_NAMES *gens = NULL;
         GENERAL_NAME *gen = NULL;
         CONF_VALUE *cnf;
         int i;
@@ -123,7 +121,8 @@ static STACK_OF(DIST_POINT) *v2i_crld(X509V3_EXT_METHOD *method,
                         goto merr;
                 }
                 if(!(point->distpoint = DIST_POINT_NAME_new())) goto merr;
-                point->distpoint->fullname = gens;
+                point->distpoint->name.fullname = gens;
+                point->distpoint->type = 0;
                 gens = NULL;
         }
         return crld;
@@ -137,149 +136,27 @@ static STACK_OF(DIST_POINT) *v2i_crld(X509V3_EXT_METHOD *method,
         return NULL;
 }
 
-int i2d_CRL_DIST_POINTS(STACK_OF(DIST_POINT) *a, unsigned char **pp)
-{
-
-return i2d_ASN1_SET_OF_DIST_POINT(a, pp, i2d_DIST_POINT, V_ASN1_SEQUENCE,
-                                                 V_ASN1_UNIVERSAL, IS_SEQUENCE);}
-
-STACK_OF(DIST_POINT) *CRL_DIST_POINTS_new(void)
-{
-        return sk_DIST_POINT_new_null();
-}
-
-void CRL_DIST_POINTS_free(STACK_OF(DIST_POINT) *a)
-{
-        sk_DIST_POINT_pop_free(a, DIST_POINT_free);
-}
-
-STACK_OF(DIST_POINT) *d2i_CRL_DIST_POINTS(STACK_OF(DIST_POINT) **a,
-                unsigned char **pp,long length)
-{
-return d2i_ASN1_SET_OF_DIST_POINT(a, pp, length, d2i_DIST_POINT,
-                         DIST_POINT_free, V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL);
-
-}
-
 IMPLEMENT_STACK_OF(DIST_POINT)
 IMPLEMENT_ASN1_SET_OF(DIST_POINT)
 
-int i2d_DIST_POINT(DIST_POINT *a, unsigned char **pp)
-{
-        int v = 0;
-        M_ASN1_I2D_vars(a);
-        /* NB: underlying type is a CHOICE so need EXPLICIT tagging */
-        M_ASN1_I2D_len_EXP_opt (a->distpoint, i2d_DIST_POINT_NAME, 0, v);
-        M_ASN1_I2D_len_IMP_opt (a->reasons, i2d_ASN1_BIT_STRING);
-        M_ASN1_I2D_len_IMP_opt (a->CRLissuer, i2d_GENERAL_NAMES);
 
-        M_ASN1_I2D_seq_total();
+ASN1_CHOICE(DIST_POINT_NAME) = {
+        ASN1_IMP_SEQUENCE_OF(DIST_POINT_NAME, name.fullname, GENERAL_NAME, 0),
+        ASN1_IMP_SET_OF(DIST_POINT_NAME, name.relativename, X509_NAME_ENTRY, 1)
+} ASN1_CHOICE_END(DIST_POINT_NAME)
 
-        M_ASN1_I2D_put_EXP_opt (a->distpoint, i2d_DIST_POINT_NAME, 0, v);
-        M_ASN1_I2D_put_IMP_opt (a->reasons, i2d_ASN1_BIT_STRING, 1);
-        M_ASN1_I2D_put_IMP_opt (a->CRLissuer, i2d_GENERAL_NAMES, 2);
+IMPLEMENT_ASN1_FUNCTIONS(DIST_POINT_NAME)
 
-        M_ASN1_I2D_finish();
-}
+ASN1_SEQUENCE(DIST_POINT) = {
+        ASN1_EXP_OPT(DIST_POINT, distpoint, DIST_POINT_NAME, 0),
+        ASN1_IMP_OPT(DIST_POINT, reasons, ASN1_BIT_STRING, 1),
+        ASN1_IMP_SEQUENCE_OF_OPT(DIST_POINT, CRLissuer, GENERAL_NAME, 2)
+} ASN1_SEQUENCE_END(DIST_POINT)
 
-DIST_POINT *DIST_POINT_new(void)
-{
-        DIST_POINT *ret=NULL;
-        ASN1_CTX c;
-        M_ASN1_New_Malloc(ret, DIST_POINT);
-        ret->distpoint = NULL;
-        ret->reasons = NULL;
-        ret->CRLissuer = NULL;
-        return (ret);
-        M_ASN1_New_Error(ASN1_F_DIST_POINT_NEW);
-}
+IMPLEMENT_ASN1_FUNCTIONS(DIST_POINT)
 
-DIST_POINT *d2i_DIST_POINT(DIST_POINT **a, unsigned char **pp, long length)
-{
-        M_ASN1_D2I_vars(a,DIST_POINT *,DIST_POINT_new);
-        M_ASN1_D2I_Init();
-        M_ASN1_D2I_start_sequence();
-        M_ASN1_D2I_get_EXP_opt (ret->distpoint, d2i_DIST_POINT_NAME, 0);
-        M_ASN1_D2I_get_IMP_opt (ret->reasons, d2i_ASN1_BIT_STRING, 1,
-                                                        V_ASN1_BIT_STRING);
-        M_ASN1_D2I_get_IMP_opt (ret->CRLissuer, d2i_GENERAL_NAMES, 2,
-                                                        V_ASN1_SEQUENCE);
-        M_ASN1_D2I_Finish(a, DIST_POINT_free, ASN1_F_D2I_DIST_POINT);
-}
+ASN1_ITEM_TEMPLATE(CRL_DIST_POINTS) = 
+        ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, DIST_POINT, DIST_POINT)
+ASN1_ITEM_TEMPLATE_END(CRL_DIST_POINTS)
 
-void DIST_POINT_free(DIST_POINT *a)
-{
-        if (a == NULL) return;
-        DIST_POINT_NAME_free(a->distpoint);
-        M_ASN1_BIT_STRING_free(a->reasons);
-        sk_GENERAL_NAME_pop_free(a->CRLissuer, GENERAL_NAME_free);
-        OPENSSL_free (a);
-}
-
-int i2d_DIST_POINT_NAME(DIST_POINT_NAME *a, unsigned char **pp)
-{
-        M_ASN1_I2D_vars(a);
-
-        if(a->fullname) {
-                M_ASN1_I2D_len_IMP_opt (a->fullname, i2d_GENERAL_NAMES);
-        } else {
-                M_ASN1_I2D_len_IMP_SET_opt_type(X509_NAME_ENTRY,
-                                a->relativename, i2d_X509_NAME_ENTRY, 1);
-        }
-
-        /* Don't want a SEQUENCE so... */
-        if(pp == NULL) return ret;
-        p = *pp;
-
-        if(a->fullname) {
-                M_ASN1_I2D_put_IMP_opt (a->fullname, i2d_GENERAL_NAMES, 0);
-        } else {
-                M_ASN1_I2D_put_IMP_SET_opt_type(X509_NAME_ENTRY,
-                                a->relativename, i2d_X509_NAME_ENTRY, 1);
-        }
-        M_ASN1_I2D_finish();
-}
-
-DIST_POINT_NAME *DIST_POINT_NAME_new(void)
-{
-        DIST_POINT_NAME *ret=NULL;
-        ASN1_CTX c;
-        M_ASN1_New_Malloc(ret, DIST_POINT_NAME);
-        ret->fullname = NULL;
-        ret->relativename = NULL;
-        return (ret);
-        M_ASN1_New_Error(ASN1_F_DIST_POINT_NAME_NEW);
-}
-
-void DIST_POINT_NAME_free(DIST_POINT_NAME *a)
-{
-        if (a == NULL) return;
-        sk_X509_NAME_ENTRY_pop_free(a->relativename, X509_NAME_ENTRY_free);
-        sk_GENERAL_NAME_pop_free(a->fullname, GENERAL_NAME_free);
-        OPENSSL_free (a);
-}
-
-DIST_POINT_NAME *d2i_DIST_POINT_NAME(DIST_POINT_NAME **a, unsigned char **pp,
-             long length)
-{
-        unsigned char _tmp, tag;
-        M_ASN1_D2I_vars(a,DIST_POINT_NAME *,DIST_POINT_NAME_new);
-        M_ASN1_D2I_Init();
-        c.slen = length;
-
-        _tmp = M_ASN1_next;
-        tag = _tmp & ~V_ASN1_CONSTRUCTED;
-        
-        if(tag == (0|V_ASN1_CONTEXT_SPECIFIC)) {
-                M_ASN1_D2I_get_imp(ret->fullname, d2i_GENERAL_NAMES,
-                                                        V_ASN1_SEQUENCE);
-        } else if (tag == (1|V_ASN1_CONTEXT_SPECIFIC)) {
-                M_ASN1_D2I_get_IMP_set_opt_type (X509_NAME_ENTRY,
-                        ret->relativename, d2i_X509_NAME_ENTRY, X509_NAME_ENTRY_free, 1);
-        } else {
-                c.error = ASN1_R_BAD_TAG;
-                goto err;
-        }
-
-        M_ASN1_D2I_Finish(a, DIST_POINT_NAME_free, ASN1_F_D2I_DIST_POINT_NAME);
-}
+IMPLEMENT_ASN1_FUNCTIONS(CRL_DIST_POINTS)
diff --git a/src/lib/libcrypto/x509v3/v3_enum.c b/src/lib/libcrypto/x509v3/v3_enum.c
index aecfdc87f8..010c9d6260 100644
--- a/src/lib/libcrypto/x509v3/v3_enum.c
+++ b/src/lib/libcrypto/x509v3/v3_enum.c
@@ -73,14 +73,12 @@ static ENUMERATED_NAMES crl_reasons[] = {
 };
 
 X509V3_EXT_METHOD v3_crl_reason = { 
-NID_crl_reason, 0,
-(X509V3_EXT_NEW)ASN1_ENUMERATED_new,
-(X509V3_EXT_FREE)ASN1_ENUMERATED_free,
-(X509V3_EXT_D2I)d2i_ASN1_ENUMERATED,
-(X509V3_EXT_I2D)i2d_ASN1_ENUMERATED,
+NID_crl_reason, 0, ASN1_ITEM_ref(ASN1_ENUMERATED),
+0,0,0,0,
 (X509V3_EXT_I2S)i2s_ASN1_ENUMERATED_TABLE,
-(X509V3_EXT_S2I)0,
-NULL, NULL, NULL, NULL, crl_reasons};
+0,
+0,0,0,0,
+crl_reasons};
 
 
 char *i2s_ASN1_ENUMERATED_TABLE(X509V3_EXT_METHOD *method,
diff --git a/src/lib/libcrypto/x509v3/v3_extku.c b/src/lib/libcrypto/x509v3/v3_extku.c
index 53ec40a027..b1cfaba1aa 100644
--- a/src/lib/libcrypto/x509v3/v3_extku.c
+++ b/src/lib/libcrypto/x509v3/v3_extku.c
@@ -59,92 +59,84 @@
 
 #include <stdio.h>
 #include "cryptlib.h"
-#include <openssl/asn1.h>
+#include <openssl/asn1t.h>
 #include <openssl/conf.h>
 #include <openssl/x509v3.h>
 
-static STACK_OF(ASN1_OBJECT) *v2i_ext_ku(X509V3_EXT_METHOD *method,
+static void *v2i_EXTENDED_KEY_USAGE(X509V3_EXT_METHOD *method,
                                 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
-static STACK_OF(CONF_VALUE) *i2v_ext_ku(X509V3_EXT_METHOD *method,
-                STACK_OF(ASN1_OBJECT) *eku, STACK_OF(CONF_VALUE) *extlist);
+static STACK_OF(CONF_VALUE) *i2v_EXTENDED_KEY_USAGE(X509V3_EXT_METHOD *method,
+                void *eku, STACK_OF(CONF_VALUE) *extlist);
+
 X509V3_EXT_METHOD v3_ext_ku = {
-NID_ext_key_usage, 0,
-(X509V3_EXT_NEW)ext_ku_new,
-(X509V3_EXT_FREE)ext_ku_free,
-(X509V3_EXT_D2I)d2i_ext_ku,
-(X509V3_EXT_I2D)i2d_ext_ku,
-NULL, NULL,
-(X509V3_EXT_I2V)i2v_ext_ku,
-(X509V3_EXT_V2I)v2i_ext_ku,
-NULL,NULL,
-NULL
+        NID_ext_key_usage, 0,
+        ASN1_ITEM_ref(EXTENDED_KEY_USAGE),
+        0,0,0,0,
+        0,0,
+        i2v_EXTENDED_KEY_USAGE,
+        v2i_EXTENDED_KEY_USAGE,
+        0,0,
+        NULL
 };
 
-STACK_OF(ASN1_OBJECT) *ext_ku_new(void)
-{
-        return sk_ASN1_OBJECT_new_null();
-}
-
-void ext_ku_free(STACK_OF(ASN1_OBJECT) *eku)
-{
-        sk_ASN1_OBJECT_pop_free(eku, ASN1_OBJECT_free);
-        return;
-}
-
-int i2d_ext_ku(STACK_OF(ASN1_OBJECT) *a, unsigned char **pp)
-{
-        return i2d_ASN1_SET_OF_ASN1_OBJECT(a, pp, i2d_ASN1_OBJECT,
-                                V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL, IS_SEQUENCE);
-}
-
-STACK_OF(ASN1_OBJECT) *d2i_ext_ku(STACK_OF(ASN1_OBJECT) **a,
-                                        unsigned char **pp, long length)
-{
-        return d2i_ASN1_SET_OF_ASN1_OBJECT(a, pp, length, d2i_ASN1_OBJECT,
-                         ASN1_OBJECT_free, V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL);
-}
+/* NB OCSP acceptable responses also is a SEQUENCE OF OBJECT */
+X509V3_EXT_METHOD v3_ocsp_accresp = {
+        NID_id_pkix_OCSP_acceptableResponses, 0,
+        ASN1_ITEM_ref(EXTENDED_KEY_USAGE),
+        0,0,0,0,
+        0,0,
+        i2v_EXTENDED_KEY_USAGE,
+        v2i_EXTENDED_KEY_USAGE,
+        0,0,
+        NULL
+};
 
+ASN1_ITEM_TEMPLATE(EXTENDED_KEY_USAGE) = 
+        ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, EXTENDED_KEY_USAGE, ASN1_OBJECT)
+ASN1_ITEM_TEMPLATE_END(EXTENDED_KEY_USAGE)
 
+IMPLEMENT_ASN1_FUNCTIONS(EXTENDED_KEY_USAGE)
 
-static STACK_OF(CONF_VALUE) *i2v_ext_ku(X509V3_EXT_METHOD *method,
-                STACK_OF(ASN1_OBJECT) *eku, STACK_OF(CONF_VALUE) *ext_list)
+static STACK_OF(CONF_VALUE) *i2v_EXTENDED_KEY_USAGE(X509V3_EXT_METHOD *method,
+                void *a, STACK_OF(CONF_VALUE) *ext_list)
 {
-int i;
-ASN1_OBJECT *obj;
-char obj_tmp[80];
-for(i = 0; i < sk_ASN1_OBJECT_num(eku); i++) {
-        obj = sk_ASN1_OBJECT_value(eku, i);
-        i2t_ASN1_OBJECT(obj_tmp, 80, obj);
-        X509V3_add_value(NULL, obj_tmp, &ext_list);
-}
-return ext_list;
+        EXTENDED_KEY_USAGE *eku = a;
+        int i;
+        ASN1_OBJECT *obj;
+        char obj_tmp[80];
+        for(i = 0; i < sk_ASN1_OBJECT_num(eku); i++) {
+                obj = sk_ASN1_OBJECT_value(eku, i);
+                i2t_ASN1_OBJECT(obj_tmp, 80, obj);
+                X509V3_add_value(NULL, obj_tmp, &ext_list);
+        }
+        return ext_list;
 }
 
-static STACK_OF(ASN1_OBJECT) *v2i_ext_ku(X509V3_EXT_METHOD *method,
+static void *v2i_EXTENDED_KEY_USAGE(X509V3_EXT_METHOD *method,
                                 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
 {
-STACK_OF(ASN1_OBJECT) *extku;
-char *extval;
-ASN1_OBJECT *objtmp;
-CONF_VALUE *val;
-int i;
+        EXTENDED_KEY_USAGE *extku;
+        char *extval;
+        ASN1_OBJECT *objtmp;
+        CONF_VALUE *val;
+        int i;
 
-if(!(extku = sk_ASN1_OBJECT_new_null())) {
-        X509V3err(X509V3_F_V2I_EXT_KU,ERR_R_MALLOC_FAILURE);
-        return NULL;
-}
-
-for(i = 0; i < sk_CONF_VALUE_num(nval); i++) {
-        val = sk_CONF_VALUE_value(nval, i);
-        if(val->value) extval = val->value;
-        else extval = val->name;
-        if(!(objtmp = OBJ_txt2obj(extval, 0))) {
-                sk_ASN1_OBJECT_pop_free(extku, ASN1_OBJECT_free);
-                X509V3err(X509V3_F_V2I_EXT_KU,X509V3_R_INVALID_OBJECT_IDENTIFIER);
-                X509V3_conf_err(val);
+        if(!(extku = sk_ASN1_OBJECT_new_null())) {
+                X509V3err(X509V3_F_V2I_EXT_KU,ERR_R_MALLOC_FAILURE);
                 return NULL;
         }
-        sk_ASN1_OBJECT_push(extku, objtmp);
-}
-return extku;
+
+        for(i = 0; i < sk_CONF_VALUE_num(nval); i++) {
+                val = sk_CONF_VALUE_value(nval, i);
+                if(val->value) extval = val->value;
+                else extval = val->name;
+                if(!(objtmp = OBJ_txt2obj(extval, 0))) {
+                        sk_ASN1_OBJECT_pop_free(extku, ASN1_OBJECT_free);
+                        X509V3err(X509V3_F_V2I_EXT_KU,X509V3_R_INVALID_OBJECT_IDENTIFIER);
+                        X509V3_conf_err(val);
+                        return NULL;
+                }
+                sk_ASN1_OBJECT_push(extku, objtmp);
+        }
+        return extku;
 }
diff --git a/src/lib/libcrypto/x509v3/v3_genn.c b/src/lib/libcrypto/x509v3/v3_genn.c
index d44751458e..650b510980 100644
--- a/src/lib/libcrypto/x509v3/v3_genn.c
+++ b/src/lib/libcrypto/x509v3/v3_genn.c
@@ -59,233 +59,43 @@
 
 #include <stdio.h>
 #include "cryptlib.h"
-#include <openssl/asn1.h>
-#include <openssl/asn1_mac.h>
+#include <openssl/asn1t.h>
 #include <openssl/conf.h>
 #include <openssl/x509v3.h>
 
-int i2d_GENERAL_NAME(GENERAL_NAME *a, unsigned char **pp)
-{
-        unsigned char *p;
-        int ret;
-
-        ret = 0;
-
-        /* Save the location of initial TAG */
-        if(pp) p = *pp;
-        else p = NULL;
-
-        /* GEN_DNAME needs special treatment because of EXPLICIT tag */
-
-        if(a->type == GEN_DIRNAME) {
-                int v = 0;
-                M_ASN1_I2D_len_EXP_opt(a->d.dirn, i2d_X509_NAME, 4, v);
-                if(!p) return ret;
-                M_ASN1_I2D_put_EXP_opt(a->d.dirn, i2d_X509_NAME, 4, v);
-                *pp = p;
-                return ret;
-        }
-
-        switch(a->type) {
-
-                case GEN_X400:
-                case GEN_EDIPARTY:
-                ret = i2d_ASN1_TYPE(a->d.other, pp);
-                break;
-
-                case GEN_OTHERNAME:
-                ret = i2d_OTHERNAME(a->d.otherName, pp);
-                break;
-
-                case GEN_EMAIL:
-                case GEN_DNS:
-                case GEN_URI:
-                ret = i2d_ASN1_IA5STRING(a->d.ia5, pp);
-                break;
-
-                case GEN_IPADD:
-                ret = i2d_ASN1_OCTET_STRING(a->d.ip, pp);
-                break;
-        
-                case GEN_RID:
-                ret = i2d_ASN1_OBJECT(a->d.rid, pp);
-                break;
-        }
-        /* Replace TAG with IMPLICIT value */
-        if(p) *p = (*p & V_ASN1_CONSTRUCTED) | a->type;
-        return ret;
-}
-
-GENERAL_NAME *GENERAL_NAME_new()
-{
-        GENERAL_NAME *ret=NULL;
-        ASN1_CTX c;
-        M_ASN1_New_Malloc(ret, GENERAL_NAME);
-        ret->type = -1;
-        ret->d.ptr = NULL;
-        return (ret);
-        M_ASN1_New_Error(ASN1_F_GENERAL_NAME_NEW);
-}
-
-GENERAL_NAME *d2i_GENERAL_NAME(GENERAL_NAME **a, unsigned char **pp,
-                                                                 long length)
-{
-        unsigned char _tmp;
-        M_ASN1_D2I_vars(a,GENERAL_NAME *,GENERAL_NAME_new);
-        M_ASN1_D2I_Init();
-        c.slen = length;
-
-        _tmp = M_ASN1_next;
-        ret->type = _tmp & ~V_ASN1_CONSTRUCTED;
-
-        switch(ret->type) {
-                /* Just put these in a "blob" for now */
-                case GEN_X400:
-                case GEN_EDIPARTY:
-                M_ASN1_D2I_get_imp(ret->d.other, d2i_ASN1_TYPE,V_ASN1_SEQUENCE);
-                break;
-
-                case GEN_OTHERNAME:
-                M_ASN1_D2I_get_imp(ret->d.otherName, d2i_OTHERNAME,V_ASN1_SEQUENCE);
-                break;
-
-                case GEN_EMAIL:
-                case GEN_DNS:
-                case GEN_URI:
-                M_ASN1_D2I_get_imp(ret->d.ia5, d2i_ASN1_IA5STRING,
-                                                        V_ASN1_IA5STRING);
-                break;
-
-                case GEN_DIRNAME:
-                M_ASN1_D2I_get_EXP_opt(ret->d.dirn, d2i_X509_NAME, 4);
-                break;
-
-                case GEN_IPADD:
-                M_ASN1_D2I_get_imp(ret->d.ip, d2i_ASN1_OCTET_STRING,
-                                                        V_ASN1_OCTET_STRING);
-                break;
-        
-                case GEN_RID:
-                M_ASN1_D2I_get_imp(ret->d.rid, d2i_ASN1_OBJECT,V_ASN1_OBJECT);
-                break;
-
-                default:
-                c.error = ASN1_R_BAD_TAG;
-                goto err;
-        }
-
-        c.slen = 0;
-        M_ASN1_D2I_Finish(a, GENERAL_NAME_free, ASN1_F_D2I_GENERAL_NAME);
-}
-
-void GENERAL_NAME_free(GENERAL_NAME *a)
-{
-        if (a == NULL) return;
-        switch(a->type) {
-                case GEN_X400:
-                case GEN_EDIPARTY:
-                ASN1_TYPE_free(a->d.other);
-                break;
-
-                case GEN_OTHERNAME:
-                OTHERNAME_free(a->d.otherName);
-                break;
-
-                case GEN_EMAIL:
-                case GEN_DNS:
-                case GEN_URI:
-
-                M_ASN1_IA5STRING_free(a->d.ia5);
-                break;
-
-                case GEN_DIRNAME:
-                X509_NAME_free(a->d.dirn);
-                break;
-
-                case GEN_IPADD:
-                M_ASN1_OCTET_STRING_free(a->d.ip);
-                break;
-        
-                case GEN_RID:
-                ASN1_OBJECT_free(a->d.rid);
-                break;
-
-        }
-        OPENSSL_free (a);
-}
-
-/* Now the GeneralNames versions: a SEQUENCE OF GeneralName. These are needed as
- * explicit functions.
- */
-
-STACK_OF(GENERAL_NAME) *GENERAL_NAMES_new()
-{
-        return sk_GENERAL_NAME_new_null();
-}
-
-void GENERAL_NAMES_free(STACK_OF(GENERAL_NAME) *a)
-{
-        sk_GENERAL_NAME_pop_free(a, GENERAL_NAME_free);
-}
-
-STACK_OF(GENERAL_NAME) *d2i_GENERAL_NAMES(STACK_OF(GENERAL_NAME) **a,
-                                         unsigned char **pp, long length)
-{
-return d2i_ASN1_SET_OF_GENERAL_NAME(a, pp, length, d2i_GENERAL_NAME,
-                         GENERAL_NAME_free, V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL);
-}
-
-int i2d_GENERAL_NAMES(STACK_OF(GENERAL_NAME) *a, unsigned char **pp)
-{
-return i2d_ASN1_SET_OF_GENERAL_NAME(a, pp, i2d_GENERAL_NAME, V_ASN1_SEQUENCE,
-                                                 V_ASN1_UNIVERSAL, IS_SEQUENCE);
-}
-
-IMPLEMENT_STACK_OF(GENERAL_NAME)
-IMPLEMENT_ASN1_SET_OF(GENERAL_NAME)
-
-int i2d_OTHERNAME(OTHERNAME *a, unsigned char **pp)
-{
-        int v = 0;
-        M_ASN1_I2D_vars(a);
-
-        M_ASN1_I2D_len(a->type_id, i2d_ASN1_OBJECT);
-        M_ASN1_I2D_len_EXP_opt(a->value, i2d_ASN1_TYPE, 0, v);
-
-        M_ASN1_I2D_seq_total();
-
-        M_ASN1_I2D_put(a->type_id, i2d_ASN1_OBJECT);
-        M_ASN1_I2D_put_EXP_opt(a->value, i2d_ASN1_TYPE, 0, v);
-
-        M_ASN1_I2D_finish();
-}
-
-OTHERNAME *OTHERNAME_new(void)
-{
-        OTHERNAME *ret=NULL;
-        ASN1_CTX c;
-        M_ASN1_New_Malloc(ret, OTHERNAME);
-        ret->type_id = OBJ_nid2obj(NID_undef);
-        M_ASN1_New(ret->value, ASN1_TYPE_new);
-        return (ret);
-        M_ASN1_New_Error(ASN1_F_OTHERNAME_NEW);
-}
-
-OTHERNAME *d2i_OTHERNAME(OTHERNAME **a, unsigned char **pp, long length)
-{
-        M_ASN1_D2I_vars(a,OTHERNAME *,OTHERNAME_new);
-        M_ASN1_D2I_Init();
-        M_ASN1_D2I_start_sequence();
-        M_ASN1_D2I_get(ret->type_id, d2i_ASN1_OBJECT);
-        M_ASN1_D2I_get_EXP_opt(ret->value, d2i_ASN1_TYPE, 0);
-        M_ASN1_D2I_Finish(a, OTHERNAME_free, ASN1_F_D2I_OTHERNAME);
-}
-
-void OTHERNAME_free(OTHERNAME *a)
-{
-        if (a == NULL) return;
-        ASN1_OBJECT_free(a->type_id);
-        ASN1_TYPE_free(a->value);
-        OPENSSL_free (a);
-}
-
+ASN1_SEQUENCE(OTHERNAME) = {
+        ASN1_SIMPLE(OTHERNAME, type_id, ASN1_OBJECT),
+        /* Maybe have a true ANY DEFINED BY later */
+        ASN1_EXP(OTHERNAME, value, ASN1_ANY, 0)
+} ASN1_SEQUENCE_END(OTHERNAME)
+
+IMPLEMENT_ASN1_FUNCTIONS(OTHERNAME)
+
+ASN1_SEQUENCE(EDIPARTYNAME) = {
+        ASN1_IMP_OPT(EDIPARTYNAME, nameAssigner, DIRECTORYSTRING, 0),
+        ASN1_IMP_OPT(EDIPARTYNAME, partyName, DIRECTORYSTRING, 1)
+} ASN1_SEQUENCE_END(EDIPARTYNAME)
+
+IMPLEMENT_ASN1_FUNCTIONS(EDIPARTYNAME)
+
+ASN1_CHOICE(GENERAL_NAME) = {
+        ASN1_IMP(GENERAL_NAME, d.otherName, OTHERNAME, GEN_OTHERNAME),
+        ASN1_IMP(GENERAL_NAME, d.rfc822Name, ASN1_IA5STRING, GEN_EMAIL),
+        ASN1_IMP(GENERAL_NAME, d.dNSName, ASN1_IA5STRING, GEN_DNS),
+        /* Don't decode this */
+        ASN1_IMP(GENERAL_NAME, d.x400Address, ASN1_SEQUENCE, GEN_X400),
+        /* X509_NAME is a CHOICE type so use EXPLICIT */
+        ASN1_EXP(GENERAL_NAME, d.directoryName, X509_NAME, GEN_DIRNAME),
+        ASN1_IMP(GENERAL_NAME, d.ediPartyName, EDIPARTYNAME, GEN_EDIPARTY),
+        ASN1_IMP(GENERAL_NAME, d.uniformResourceIdentifier, ASN1_IA5STRING, GEN_URI),
+        ASN1_IMP(GENERAL_NAME, d.iPAddress, ASN1_OCTET_STRING, GEN_IPADD),
+        ASN1_IMP(GENERAL_NAME, d.registeredID, ASN1_OBJECT, GEN_RID)
+} ASN1_CHOICE_END(GENERAL_NAME)
+
+IMPLEMENT_ASN1_FUNCTIONS(GENERAL_NAME)
+
+ASN1_ITEM_TEMPLATE(GENERAL_NAMES) = 
+        ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, GeneralNames, GENERAL_NAME)
+ASN1_ITEM_TEMPLATE_END(GENERAL_NAMES)
+
+IMPLEMENT_ASN1_FUNCTIONS(GENERAL_NAMES)
diff --git a/src/lib/libcrypto/x509v3/v3_info.c b/src/lib/libcrypto/x509v3/v3_info.c
index a045a629ee..7f17f3231d 100644
--- a/src/lib/libcrypto/x509v3/v3_info.c
+++ b/src/lib/libcrypto/x509v3/v3_info.c
@@ -60,28 +60,48 @@
 #include "cryptlib.h"
 #include <openssl/conf.h>
 #include <openssl/asn1.h>
-#include <openssl/asn1_mac.h>
+#include <openssl/asn1t.h>
 #include <openssl/x509v3.h>
 
 static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_INFO_ACCESS(X509V3_EXT_METHOD *method,
-                                STACK_OF(ACCESS_DESCRIPTION) *ainfo,
+                                AUTHORITY_INFO_ACCESS *ainfo,
                                                 STACK_OF(CONF_VALUE) *ret);
-static STACK_OF(ACCESS_DESCRIPTION) *v2i_AUTHORITY_INFO_ACCESS(X509V3_EXT_METHOD *method,
+static AUTHORITY_INFO_ACCESS *v2i_AUTHORITY_INFO_ACCESS(X509V3_EXT_METHOD *method,
                                  X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
 
 X509V3_EXT_METHOD v3_info =
-{ NID_info_access, X509V3_EXT_MULTILINE,
-(X509V3_EXT_NEW)AUTHORITY_INFO_ACCESS_new,
-(X509V3_EXT_FREE)AUTHORITY_INFO_ACCESS_free,
-(X509V3_EXT_D2I)d2i_AUTHORITY_INFO_ACCESS,
-(X509V3_EXT_I2D)i2d_AUTHORITY_INFO_ACCESS,
-NULL, NULL,
+{ NID_info_access, X509V3_EXT_MULTILINE, ASN1_ITEM_ref(AUTHORITY_INFO_ACCESS),
+0,0,0,0,
+0,0,
 (X509V3_EXT_I2V)i2v_AUTHORITY_INFO_ACCESS,
 (X509V3_EXT_V2I)v2i_AUTHORITY_INFO_ACCESS,
-NULL, NULL, NULL};
+0,0,
+NULL};
+
+X509V3_EXT_METHOD v3_sinfo =
+{ NID_sinfo_access, X509V3_EXT_MULTILINE, ASN1_ITEM_ref(AUTHORITY_INFO_ACCESS),
+0,0,0,0,
+0,0,
+(X509V3_EXT_I2V)i2v_AUTHORITY_INFO_ACCESS,
+(X509V3_EXT_V2I)v2i_AUTHORITY_INFO_ACCESS,
+0,0,
+NULL};
+
+ASN1_SEQUENCE(ACCESS_DESCRIPTION) = {
+        ASN1_SIMPLE(ACCESS_DESCRIPTION, method, ASN1_OBJECT),
+        ASN1_SIMPLE(ACCESS_DESCRIPTION, location, GENERAL_NAME)
+} ASN1_SEQUENCE_END(ACCESS_DESCRIPTION)
+
+IMPLEMENT_ASN1_FUNCTIONS(ACCESS_DESCRIPTION)
+
+ASN1_ITEM_TEMPLATE(AUTHORITY_INFO_ACCESS) = 
+        ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, GeneralNames, ACCESS_DESCRIPTION)
+ASN1_ITEM_TEMPLATE_END(AUTHORITY_INFO_ACCESS)
+
+IMPLEMENT_ASN1_FUNCTIONS(AUTHORITY_INFO_ACCESS)
 
 static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_INFO_ACCESS(X509V3_EXT_METHOD *method,
-                                STACK_OF(ACCESS_DESCRIPTION) *ainfo,
+                                AUTHORITY_INFO_ACCESS *ainfo,
                                                 STACK_OF(CONF_VALUE) *ret)
 {
         ACCESS_DESCRIPTION *desc;
@@ -111,10 +131,10 @@ static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_INFO_ACCESS(X509V3_EXT_METHOD *method
         return ret;
 }
 
-static STACK_OF(ACCESS_DESCRIPTION) *v2i_AUTHORITY_INFO_ACCESS(X509V3_EXT_METHOD *method,
+static AUTHORITY_INFO_ACCESS *v2i_AUTHORITY_INFO_ACCESS(X509V3_EXT_METHOD *method,
                                  X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
 {
-        STACK_OF(ACCESS_DESCRIPTION) *ainfo = NULL;
+        AUTHORITY_INFO_ACCESS *ainfo = NULL;
         CONF_VALUE *cnf, ctmp;
         ACCESS_DESCRIPTION *acc;
         int i, objlen;
@@ -162,75 +182,11 @@ static STACK_OF(ACCESS_DESCRIPTION) *v2i_AUTHORITY_INFO_ACCESS(X509V3_EXT_METHOD
         return NULL;
 }
 
-int i2d_ACCESS_DESCRIPTION(ACCESS_DESCRIPTION *a, unsigned char **pp)
-{
-        M_ASN1_I2D_vars(a);
-
-        M_ASN1_I2D_len(a->method, i2d_ASN1_OBJECT);
-        M_ASN1_I2D_len(a->location, i2d_GENERAL_NAME);
-
-        M_ASN1_I2D_seq_total();
-
-        M_ASN1_I2D_put(a->method, i2d_ASN1_OBJECT);
-        M_ASN1_I2D_put(a->location, i2d_GENERAL_NAME);
-
-        M_ASN1_I2D_finish();
-}
-
-ACCESS_DESCRIPTION *ACCESS_DESCRIPTION_new(void)
-{
-        ACCESS_DESCRIPTION *ret=NULL;
-        ASN1_CTX c;
-        M_ASN1_New_Malloc(ret, ACCESS_DESCRIPTION);
-        ret->method = OBJ_nid2obj(NID_undef);
-        ret->location = NULL;
-        return (ret);
-        M_ASN1_New_Error(ASN1_F_ACCESS_DESCRIPTION_NEW);
-}
-
-ACCESS_DESCRIPTION *d2i_ACCESS_DESCRIPTION(ACCESS_DESCRIPTION **a, unsigned char **pp,
-             long length)
-{
-        M_ASN1_D2I_vars(a,ACCESS_DESCRIPTION *,ACCESS_DESCRIPTION_new);
-        M_ASN1_D2I_Init();
-        M_ASN1_D2I_start_sequence();
-        M_ASN1_D2I_get(ret->method, d2i_ASN1_OBJECT);
-        M_ASN1_D2I_get(ret->location, d2i_GENERAL_NAME);
-        M_ASN1_D2I_Finish(a, ACCESS_DESCRIPTION_free, ASN1_F_D2I_ACCESS_DESCRIPTION);
-}
-
-void ACCESS_DESCRIPTION_free(ACCESS_DESCRIPTION *a)
-{
-        if (a == NULL) return;
-        ASN1_OBJECT_free(a->method);
-        GENERAL_NAME_free(a->location);
-        OPENSSL_free (a);
-}
-
-STACK_OF(ACCESS_DESCRIPTION) *AUTHORITY_INFO_ACCESS_new(void)
-{
-        return sk_ACCESS_DESCRIPTION_new_null();
-}
-
-void AUTHORITY_INFO_ACCESS_free(STACK_OF(ACCESS_DESCRIPTION) *a)
-{
-        sk_ACCESS_DESCRIPTION_pop_free(a, ACCESS_DESCRIPTION_free);
-}
-
-STACK_OF(ACCESS_DESCRIPTION) *d2i_AUTHORITY_INFO_ACCESS(STACK_OF(ACCESS_DESCRIPTION) **a,
-                                         unsigned char **pp, long length)
-{
-return d2i_ASN1_SET_OF_ACCESS_DESCRIPTION(a, pp, length, d2i_ACCESS_DESCRIPTION,
-                         ACCESS_DESCRIPTION_free, V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL);
-}
-
-int i2d_AUTHORITY_INFO_ACCESS(STACK_OF(ACCESS_DESCRIPTION) *a, unsigned char **pp)
-{
-return i2d_ASN1_SET_OF_ACCESS_DESCRIPTION(a, pp, i2d_ACCESS_DESCRIPTION, V_ASN1_SEQUENCE,
-                                                 V_ASN1_UNIVERSAL, IS_SEQUENCE);
-}
-
-IMPLEMENT_STACK_OF(ACCESS_DESCRIPTION)
-IMPLEMENT_ASN1_SET_OF(ACCESS_DESCRIPTION)
-
-
+int i2a_ACCESS_DESCRIPTION(BIO *bp, ACCESS_DESCRIPTION* a)
+        {
+        i2a_ASN1_OBJECT(bp, a->method);
+#ifdef UNDEF
+        i2a_GENERAL_NAME(bp, a->location);
+#endif
+        return 2;
+        }
diff --git a/src/lib/libcrypto/x509v3/v3_int.c b/src/lib/libcrypto/x509v3/v3_int.c
index 63c201e5f4..f34cbfb731 100644
--- a/src/lib/libcrypto/x509v3/v3_int.c
+++ b/src/lib/libcrypto/x509v3/v3_int.c
@@ -61,12 +61,9 @@
 #include <openssl/x509v3.h>
 
 X509V3_EXT_METHOD v3_crl_num = { 
-NID_crl_number, 0,
-(X509V3_EXT_NEW)ASN1_INTEGER_new,
-(X509V3_EXT_FREE)ASN1_INTEGER_free,
-(X509V3_EXT_D2I)d2i_ASN1_INTEGER,
-(X509V3_EXT_I2D)i2d_ASN1_INTEGER,
+NID_crl_number, 0, ASN1_ITEM_ref(ASN1_INTEGER),
+0,0,0,0,
 (X509V3_EXT_I2S)i2s_ASN1_INTEGER,
-(X509V3_EXT_S2I)0,
-NULL, NULL, NULL, NULL, NULL};
+0,
+0,0,0,0, NULL};
 
diff --git a/src/lib/libcrypto/x509v3/v3_lib.c b/src/lib/libcrypto/x509v3/v3_lib.c
index ea86b9ebb9..482ca8ccf5 100644
--- a/src/lib/libcrypto/x509v3/v3_lib.c
+++ b/src/lib/libcrypto/x509v3/v3_lib.c
@@ -163,8 +163,9 @@ void *X509V3_EXT_d2i(X509_EXTENSION *ext)
 {
         X509V3_EXT_METHOD *method;
         unsigned char *p;
-        if(!(method = X509V3_EXT_get(ext)) || !method->d2i) return NULL;
+        if(!(method = X509V3_EXT_get(ext))) return NULL;
         p = ext->value->data;
+        if(method->it) return ASN1_item_d2i(NULL, &p, ext->value->length, ASN1_ITEM_ptr(method->it));
         return method->d2i(NULL, &p, ext->value->length);
 }
 
@@ -212,7 +213,7 @@ void *X509V3_get_d2i(STACK_OF(X509_EXTENSION) *x, int nid, int *crit, int *idx)
         }
         if(found_ex) {
                 /* Found it */
-                if(crit) *crit = found_ex->critical;
+                if(crit) *crit = X509_EXTENSION_get_critical(found_ex);
                 return X509V3_EXT_d2i(found_ex);
         }
 
@@ -222,4 +223,79 @@ void *X509V3_get_d2i(STACK_OF(X509_EXTENSION) *x, int nid, int *crit, int *idx)
         return NULL;
 }
 
+/* This function is a general extension append, replace and delete utility.
+ * The precise operation is governed by the 'flags' value. The 'crit' and
+ * 'value' arguments (if relevant) are the extensions internal structure.
+ */
+
+int X509V3_add1_i2d(STACK_OF(X509_EXTENSION) **x, int nid, void *value,
+                                        int crit, unsigned long flags)
+{
+        int extidx = -1;
+        int errcode;
+        X509_EXTENSION *ext, *extmp;
+        unsigned long ext_op = flags & X509V3_ADD_OP_MASK;
+
+        /* If appending we don't care if it exists, otherwise
+         * look for existing extension.
+         */
+        if(ext_op != X509V3_ADD_APPEND)
+                extidx = X509v3_get_ext_by_NID(*x, nid, -1);
+
+        /* See if extension exists */
+        if(extidx >= 0) {
+                /* If keep existing, nothing to do */
+                if(ext_op == X509V3_ADD_KEEP_EXISTING)
+                        return 1;
+                /* If default then its an error */
+                if(ext_op == X509V3_ADD_DEFAULT) {
+                        errcode = X509V3_R_EXTENSION_EXISTS;
+                        goto err;
+                }
+                /* If delete, just delete it */
+                if(ext_op == X509V3_ADD_DELETE) {
+                        if(!sk_X509_EXTENSION_delete(*x, extidx)) return -1;
+                        return 1;
+                }
+        } else {
+                /* If replace existing or delete, error since 
+                 * extension must exist
+                 */
+                if((ext_op == X509V3_ADD_REPLACE_EXISTING) ||
+                   (ext_op == X509V3_ADD_DELETE)) {
+                        errcode = X509V3_R_EXTENSION_NOT_FOUND;
+                        goto err;
+                }
+        }
+
+        /* If we get this far then we have to create an extension:
+         * could have some flags for alternative encoding schemes...
+         */
+
+        ext = X509V3_EXT_i2d(nid, crit, value);
+
+        if(!ext) {
+                X509V3err(X509V3_F_X509V3_ADD_I2D, X509V3_R_ERROR_CREATING_EXTENSION);
+                return 0;
+        }
+
+        /* If extension exists replace it.. */
+        if(extidx >= 0) {
+                extmp = sk_X509_EXTENSION_value(*x, extidx);
+                X509_EXTENSION_free(extmp);
+                if(!sk_X509_EXTENSION_set(*x, extidx, ext)) return -1;
+                return 1;
+        }
+
+        if(!*x && !(*x = sk_X509_EXTENSION_new_null())) return -1;
+        if(!sk_X509_EXTENSION_push(*x, ext)) return -1;
+
+        return 1;
+
+        err:
+        if(!(flags & X509V3_ADD_SILENT))
+                X509V3err(X509V3_F_X509V3_ADD_I2D, errcode);
+        return 0;
+}
+
 IMPLEMENT_STACK_OF(X509V3_EXT_METHOD)
diff --git a/src/lib/libcrypto/x509v3/v3_ocsp.c b/src/lib/libcrypto/x509v3/v3_ocsp.c
new file mode 100644
index 0000000000..083112314e
--- /dev/null
+++ b/src/lib/libcrypto/x509v3/v3_ocsp.c
@@ -0,0 +1,272 @@
+/* v3_ocsp.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include "cryptlib.h"
+#include <openssl/conf.h>
+#include <openssl/asn1.h>
+#include <openssl/ocsp.h>
+#include <openssl/x509v3.h>
+
+/* OCSP extensions and a couple of CRL entry extensions
+ */
+
+static int i2r_ocsp_crlid(X509V3_EXT_METHOD *method, void *nonce, BIO *out, int indent);
+static int i2r_ocsp_acutoff(X509V3_EXT_METHOD *method, void *nonce, BIO *out, int indent);
+static int i2r_object(X509V3_EXT_METHOD *method, void *obj, BIO *out, int indent);
+
+static void *ocsp_nonce_new(void);
+static int i2d_ocsp_nonce(void *a, unsigned char **pp);
+static void *d2i_ocsp_nonce(void *a, unsigned char **pp, long length);
+static void ocsp_nonce_free(void *a);
+static int i2r_ocsp_nonce(X509V3_EXT_METHOD *method, void *nonce, BIO *out, int indent);
+
+static int i2r_ocsp_nocheck(X509V3_EXT_METHOD *method, void *nocheck, BIO *out, int indent);
+static void *s2i_ocsp_nocheck(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, char *str);
+static int i2r_ocsp_serviceloc(X509V3_EXT_METHOD *method, void *in, BIO *bp, int ind);
+
+X509V3_EXT_METHOD v3_ocsp_crlid = {
+        NID_id_pkix_OCSP_CrlID, 0, ASN1_ITEM_ref(OCSP_CRLID),
+        0,0,0,0,
+        0,0,
+        0,0,
+        i2r_ocsp_crlid,0,
+        NULL
+};
+
+X509V3_EXT_METHOD v3_ocsp_acutoff = {
+        NID_id_pkix_OCSP_archiveCutoff, 0, ASN1_ITEM_ref(ASN1_GENERALIZEDTIME),
+        0,0,0,0,
+        0,0,
+        0,0,
+        i2r_ocsp_acutoff,0,
+        NULL
+};
+
+X509V3_EXT_METHOD v3_crl_invdate = {
+        NID_invalidity_date, 0, ASN1_ITEM_ref(ASN1_GENERALIZEDTIME),
+        0,0,0,0,
+        0,0,
+        0,0,
+        i2r_ocsp_acutoff,0,
+        NULL
+};
+
+X509V3_EXT_METHOD v3_crl_hold = {
+        NID_hold_instruction_code, 0, ASN1_ITEM_ref(ASN1_OBJECT),
+        0,0,0,0,
+        0,0,
+        0,0,
+        i2r_object,0,
+        NULL
+};
+
+X509V3_EXT_METHOD v3_ocsp_nonce = {
+        NID_id_pkix_OCSP_Nonce, 0, NULL,
+        ocsp_nonce_new,
+        ocsp_nonce_free,
+        d2i_ocsp_nonce,
+        i2d_ocsp_nonce,
+        0,0,
+        0,0,
+        i2r_ocsp_nonce,0,
+        NULL
+};
+
+X509V3_EXT_METHOD v3_ocsp_nocheck = {
+        NID_id_pkix_OCSP_noCheck, 0, ASN1_ITEM_ref(ASN1_NULL),
+        0,0,0,0,
+        0,s2i_ocsp_nocheck,
+        0,0,
+        i2r_ocsp_nocheck,0,
+        NULL
+};
+
+X509V3_EXT_METHOD v3_ocsp_serviceloc = {
+        NID_id_pkix_OCSP_serviceLocator, 0, ASN1_ITEM_ref(OCSP_SERVICELOC),
+        0,0,0,0,
+        0,0,
+        0,0,
+        i2r_ocsp_serviceloc,0,
+        NULL
+};
+
+static int i2r_ocsp_crlid(X509V3_EXT_METHOD *method, void *in, BIO *bp, int ind)
+{
+        OCSP_CRLID *a = in;
+        if (a->crlUrl)
+                {
+                if (!BIO_printf(bp, "%*scrlUrl: ", ind, "")) goto err;
+                if (!ASN1_STRING_print(bp, (ASN1_STRING*)a->crlUrl)) goto err;
+                if (!BIO_write(bp, "\n", 1)) goto err;
+                }
+        if (a->crlNum)
+                {
+                if (!BIO_printf(bp, "%*scrlNum: ", ind, "")) goto err;
+                if (!i2a_ASN1_INTEGER(bp, a->crlNum)) goto err;
+                if (!BIO_write(bp, "\n", 1)) goto err;
+                }
+        if (a->crlTime)
+                {
+                if (!BIO_printf(bp, "%*scrlTime: ", ind, "")) goto err;
+                if (!ASN1_GENERALIZEDTIME_print(bp, a->crlTime)) goto err;
+                if (!BIO_write(bp, "\n", 1)) goto err;
+                }
+        return 1;
+        err:
+        return 0;
+}
+
+static int i2r_ocsp_acutoff(X509V3_EXT_METHOD *method, void *cutoff, BIO *bp, int ind)
+{
+        if (!BIO_printf(bp, "%*s", ind, "")) return 0;
+        if(!ASN1_GENERALIZEDTIME_print(bp, cutoff)) return 0;
+        return 1;
+}
+
+
+static int i2r_object(X509V3_EXT_METHOD *method, void *oid, BIO *bp, int ind)
+{
+        if (!BIO_printf(bp, "%*s", ind, "")) return 0;
+        if(!i2a_ASN1_OBJECT(bp, oid)) return 0;
+        return 1;
+}
+
+/* OCSP nonce. This is needs special treatment because it doesn't have
+ * an ASN1 encoding at all: it just contains arbitrary data.
+ */
+
+static void *ocsp_nonce_new(void)
+{
+        return ASN1_OCTET_STRING_new();
+}
+
+static int i2d_ocsp_nonce(void *a, unsigned char **pp)
+{
+        ASN1_OCTET_STRING *os = a;
+        if(pp) {
+                memcpy(*pp, os->data, os->length);
+                *pp += os->length;
+        }
+        return os->length;
+}
+
+static void *d2i_ocsp_nonce(void *a, unsigned char **pp, long length)
+{
+        ASN1_OCTET_STRING *os, **pos;
+        pos = a;
+        if(!pos || !*pos) os = ASN1_OCTET_STRING_new();
+        else os = *pos;
+        if(!ASN1_OCTET_STRING_set(os, *pp, length)) goto err;
+
+        *pp += length;
+
+        if(pos) *pos = os;
+        return os;
+
+        err:
+        if(os && (!pos || (*pos != os))) M_ASN1_OCTET_STRING_free(os);
+        OCSPerr(OCSP_F_D2I_OCSP_NONCE, ERR_R_MALLOC_FAILURE);
+        return NULL;
+}
+
+static void ocsp_nonce_free(void *a)
+{
+        M_ASN1_OCTET_STRING_free(a);
+}
+
+static int i2r_ocsp_nonce(X509V3_EXT_METHOD *method, void *nonce, BIO *out, int indent)
+{
+        if(BIO_printf(out, "%*s", indent, "") <= 0) return 0;
+        if(i2a_ASN1_STRING(out, nonce, V_ASN1_OCTET_STRING) <= 0) return 0;
+        return 1;
+}
+
+/* Nocheck is just a single NULL. Don't print anything and always set it */
+
+static int i2r_ocsp_nocheck(X509V3_EXT_METHOD *method, void *nocheck, BIO *out, int indent)
+{
+        return 1;
+}
+
+static void *s2i_ocsp_nocheck(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, char *str)
+{
+        return ASN1_NULL_new();
+}
+
+static int i2r_ocsp_serviceloc(X509V3_EXT_METHOD *method, void *in, BIO *bp, int ind)
+        {
+        int i;
+        OCSP_SERVICELOC *a = in;
+        ACCESS_DESCRIPTION *ad;
+
+        if (BIO_printf(bp, "%*sIssuer: ", ind, "") <= 0) goto err;
+        if (X509_NAME_print_ex(bp, a->issuer, 0, XN_FLAG_ONELINE) <= 0) goto err;
+        for (i = 0; i < sk_ACCESS_DESCRIPTION_num(a->locator); i++)
+                {
+                                ad = sk_ACCESS_DESCRIPTION_value(a->locator,i);
+                                if (BIO_printf(bp, "\n%*s", (2*ind), "") <= 0) 
+                                        goto err;
+                                if(i2a_ASN1_OBJECT(bp, ad->method) <= 0) goto err;
+                                if(BIO_puts(bp, " - ") <= 0) goto err;
+                                if(GENERAL_NAME_print(bp, ad->location) <= 0) goto err;
+                }
+        return 1;
+err:
+        return 0;
+        }
diff --git a/src/lib/libcrypto/x509v3/v3_pku.c b/src/lib/libcrypto/x509v3/v3_pku.c
index 47f9e8f123..49a2e4697a 100644
--- a/src/lib/libcrypto/x509v3/v3_pku.c
+++ b/src/lib/libcrypto/x509v3/v3_pku.c
@@ -59,7 +59,7 @@
 #include <stdio.h>
 #include "cryptlib.h"
 #include <openssl/asn1.h>
-#include <openssl/asn1_mac.h>
+#include <openssl/asn1t.h>
 #include <openssl/x509v3.h>
 
 static int i2r_PKEY_USAGE_PERIOD(X509V3_EXT_METHOD *method, PKEY_USAGE_PERIOD *usage, BIO *out, int indent);
@@ -67,62 +67,19 @@ static int i2r_PKEY_USAGE_PERIOD(X509V3_EXT_METHOD *method, PKEY_USAGE_PERIOD *u
 static PKEY_USAGE_PERIOD *v2i_PKEY_USAGE_PERIOD(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values);
 */
 X509V3_EXT_METHOD v3_pkey_usage_period = {
-NID_private_key_usage_period, 0,
-(X509V3_EXT_NEW)PKEY_USAGE_PERIOD_new,
-(X509V3_EXT_FREE)PKEY_USAGE_PERIOD_free,
-(X509V3_EXT_D2I)d2i_PKEY_USAGE_PERIOD,
-(X509V3_EXT_I2D)i2d_PKEY_USAGE_PERIOD,
-NULL, NULL, NULL, NULL,
+NID_private_key_usage_period, 0, ASN1_ITEM_ref(PKEY_USAGE_PERIOD),
+0,0,0,0,
+0,0,0,0,
 (X509V3_EXT_I2R)i2r_PKEY_USAGE_PERIOD, NULL,
 NULL
 };
 
-int i2d_PKEY_USAGE_PERIOD(PKEY_USAGE_PERIOD *a, unsigned char **pp)
-{
-        M_ASN1_I2D_vars(a);
-
-        M_ASN1_I2D_len_IMP_opt (a->notBefore, i2d_ASN1_GENERALIZEDTIME);
-        M_ASN1_I2D_len_IMP_opt (a->notAfter, i2d_ASN1_GENERALIZEDTIME);
-
-        M_ASN1_I2D_seq_total();
-
-        M_ASN1_I2D_put_IMP_opt (a->notBefore, i2d_ASN1_GENERALIZEDTIME, 0);
-        M_ASN1_I2D_put_IMP_opt (a->notAfter, i2d_ASN1_GENERALIZEDTIME, 1);
-
-        M_ASN1_I2D_finish();
-}
-
-PKEY_USAGE_PERIOD *PKEY_USAGE_PERIOD_new(void)
-{
-        PKEY_USAGE_PERIOD *ret=NULL;
-        ASN1_CTX c;
-        M_ASN1_New_Malloc(ret, PKEY_USAGE_PERIOD);
-        ret->notBefore = NULL;
-        ret->notAfter = NULL;
-        return (ret);
-        M_ASN1_New_Error(ASN1_F_PKEY_USAGE_PERIOD_NEW);
-}
+ASN1_SEQUENCE(PKEY_USAGE_PERIOD) = {
+        ASN1_IMP_OPT(PKEY_USAGE_PERIOD, notBefore, ASN1_GENERALIZEDTIME, 0),
+        ASN1_IMP_OPT(PKEY_USAGE_PERIOD, notAfter, ASN1_GENERALIZEDTIME, 1)
+} ASN1_SEQUENCE_END(PKEY_USAGE_PERIOD)
 
-PKEY_USAGE_PERIOD *d2i_PKEY_USAGE_PERIOD(PKEY_USAGE_PERIOD **a,
-             unsigned char **pp, long length)
-{
-        M_ASN1_D2I_vars(a,PKEY_USAGE_PERIOD *,PKEY_USAGE_PERIOD_new);
-        M_ASN1_D2I_Init();
-        M_ASN1_D2I_start_sequence();
-        M_ASN1_D2I_get_IMP_opt (ret->notBefore, d2i_ASN1_GENERALIZEDTIME, 0,
-                                                        V_ASN1_GENERALIZEDTIME);
-        M_ASN1_D2I_get_IMP_opt (ret->notAfter, d2i_ASN1_GENERALIZEDTIME, 1,
-                                                        V_ASN1_GENERALIZEDTIME);
-        M_ASN1_D2I_Finish(a, PKEY_USAGE_PERIOD_free, ASN1_F_D2I_PKEY_USAGE_PERIOD);
-}
-
-void PKEY_USAGE_PERIOD_free(PKEY_USAGE_PERIOD *a)
-{
-        if (a == NULL) return;
-        M_ASN1_GENERALIZEDTIME_free(a->notBefore);
-        M_ASN1_GENERALIZEDTIME_free(a->notAfter);
-        OPENSSL_free (a);
-}
+IMPLEMENT_ASN1_FUNCTIONS(PKEY_USAGE_PERIOD)
 
 static int i2r_PKEY_USAGE_PERIOD(X509V3_EXT_METHOD *method,
              PKEY_USAGE_PERIOD *usage, BIO *out, int indent)
diff --git a/src/lib/libcrypto/x509v3/v3_prn.c b/src/lib/libcrypto/x509v3/v3_prn.c
index 14b804c4ad..aeaf6170fe 100644
--- a/src/lib/libcrypto/x509v3/v3_prn.c
+++ b/src/lib/libcrypto/x509v3/v3_prn.c
@@ -64,6 +64,8 @@
 
 /* Extension printing routines */
 
+static int unknown_ext_print(BIO *out, X509_EXTENSION *ext, unsigned long flag, int indent, int supported);
+
 /* Print out a name+value stack */
 
 void X509V3_EXT_val_prn(BIO *out, STACK_OF(CONF_VALUE) *val, int indent, int ml)
@@ -103,16 +105,22 @@ void X509V3_EXT_val_prn(BIO *out, STACK_OF(CONF_VALUE) *val, int indent, int ml)
 
 /* Main routine: print out a general extension */
 
-int X509V3_EXT_print(BIO *out, X509_EXTENSION *ext, int flag, int indent)
+int X509V3_EXT_print(BIO *out, X509_EXTENSION *ext, unsigned long flag, int indent)
 {
-        char *ext_str = NULL, *value = NULL;
+        void *ext_str = NULL;
+        char *value = NULL;
         unsigned char *p;
         X509V3_EXT_METHOD *method;      
         STACK_OF(CONF_VALUE) *nval = NULL;
         int ok = 1;
-        if(!(method = X509V3_EXT_get(ext))) return 0;
+        if(!(method = X509V3_EXT_get(ext)))
+                return unknown_ext_print(out, ext, flag, indent, 0);
         p = ext->value->data;
-        if(!(ext_str = method->d2i(NULL, &p, ext->value->length))) return 0;
+        if(method->it) ext_str = ASN1_item_d2i(NULL, &p, ext->value->length, ASN1_ITEM_ptr(method->it));
+        else ext_str = method->d2i(NULL, &p, ext->value->length);
+
+        if(!ext_str) return unknown_ext_print(out, ext, flag, indent, 1);
+
         if(method->i2s) {
                 if(!(value = method->i2s(method, ext_str))) {
                         ok = 0;
@@ -148,11 +156,71 @@ int X509V3_EXT_print(BIO *out, X509_EXTENSION *ext, int flag, int indent)
         err:
                 sk_CONF_VALUE_pop_free(nval, X509V3_conf_free);
                 if(value) OPENSSL_free(value);
-                method->ext_free(ext_str);
+                if(method->it) ASN1_item_free(ext_str, ASN1_ITEM_ptr(method->it));
+                else method->ext_free(ext_str);
                 return ok;
 }
 
-#ifndef NO_FP_API
+int X509V3_extensions_print(BIO *bp, char *title, STACK_OF(X509_EXTENSION) *exts, unsigned long flag, int indent)
+{
+        int i, j;
+
+        if(sk_X509_EXTENSION_num(exts) <= 0) return 1;
+
+        if(title) 
+                {
+                BIO_printf(bp,"%*s%s:\n",indent, "", title);
+                indent += 4;
+                }
+
+        for (i=0; i<sk_X509_EXTENSION_num(exts); i++)
+                {
+                ASN1_OBJECT *obj;
+                X509_EXTENSION *ex;
+                ex=sk_X509_EXTENSION_value(exts, i);
+                if (BIO_printf(bp,"%*s",indent, "") <= 0) return 0;
+                obj=X509_EXTENSION_get_object(ex);
+                i2a_ASN1_OBJECT(bp,obj);
+                j=X509_EXTENSION_get_critical(ex);
+                if (BIO_printf(bp,": %s\n",j?"critical":"","") <= 0)
+                        return 0;
+                if(!X509V3_EXT_print(bp, ex, flag, 12))
+                        {
+                        BIO_printf(bp, "%*s", indent + 4, "");
+                        M_ASN1_OCTET_STRING_print(bp,ex->value);
+                        }
+                if (BIO_write(bp,"\n",1) <= 0) return 0;
+                }
+        return 1;
+}
+
+static int unknown_ext_print(BIO *out, X509_EXTENSION *ext, unsigned long flag, int indent, int supported)
+{
+        switch(flag & X509V3_EXT_UNKNOWN_MASK) {
+
+                case X509V3_EXT_DEFAULT:
+                return 0;
+
+                case X509V3_EXT_ERROR_UNKNOWN:
+                if(supported)
+                        BIO_printf(out, "%*s<Parse Error>", indent, "");
+                else
+                        BIO_printf(out, "%*s<Not Supported>", indent, "");
+                return 1;
+
+                case X509V3_EXT_PARSE_UNKNOWN:
+                        return ASN1_parse_dump(out,
+                                ext->value->data, ext->value->length, indent, -1);
+                case X509V3_EXT_DUMP_UNKNOWN:
+                        return BIO_dump_indent(out, (char *)ext->value->data, ext->value->length, indent);
+
+                default:
+                return 1;
+        }
+}
+        
+
+#ifndef OPENSSL_NO_FP_API
 int X509V3_EXT_print_fp(FILE *fp, X509_EXTENSION *ext, int flag, int indent)
 {
         BIO *bio_tmp;
diff --git a/src/lib/libcrypto/x509v3/v3_purp.c b/src/lib/libcrypto/x509v3/v3_purp.c
index 8aecd00e63..b739e4fd83 100644
--- a/src/lib/libcrypto/x509v3/v3_purp.c
+++ b/src/lib/libcrypto/x509v3/v3_purp.c
@@ -1,9 +1,9 @@
 /* v3_purp.c */
 /* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
- * project 1999.
+ * project 2001.
  */
 /* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2001 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -61,7 +61,6 @@
 #include <openssl/x509v3.h>
 #include <openssl/x509_vfy.h>
 
-
 static void x509v3_cache_extensions(X509 *x);
 
 static int ca_check(const X509 *x);
@@ -74,6 +73,7 @@ static int check_purpose_smime_sign(const X509_PURPOSE *xp, const X509 *x, int c
 static int check_purpose_smime_encrypt(const X509_PURPOSE *xp, const X509 *x, int ca);
 static int check_purpose_crl_sign(const X509_PURPOSE *xp, const X509 *x, int ca);
 static int no_check(const X509_PURPOSE *xp, const X509 *x, int ca);
+static int ocsp_helper(const X509_PURPOSE *xp, const X509 *x, int ca);
 
 static int xp_cmp(const X509_PURPOSE * const *a,
                 const X509_PURPOSE * const *b);
@@ -87,6 +87,7 @@ static X509_PURPOSE xstandard[] = {
         {X509_PURPOSE_SMIME_ENCRYPT, X509_TRUST_EMAIL, 0, check_purpose_smime_encrypt, "S/MIME encryption", "smimeencrypt", NULL},
         {X509_PURPOSE_CRL_SIGN, X509_TRUST_COMPAT, 0, check_purpose_crl_sign, "CRL signing", "crlsign", NULL},
         {X509_PURPOSE_ANY, X509_TRUST_DEFAULT, 0, no_check, "Any Purpose", "any", NULL},
+        {X509_PURPOSE_OCSP_HELPER, X509_TRUST_COMPAT, 0, ocsp_helper, "OCSP helper", "ocsphelper", NULL},
 };
 
 #define X509_PURPOSE_COUNT (sizeof(xstandard)/sizeof(X509_PURPOSE))
@@ -120,6 +121,16 @@ int X509_check_purpose(X509 *x, int id, int ca)
         return pt->check_purpose(pt, x, ca);
 }
 
+int X509_PURPOSE_set(int *p, int purpose)
+{
+        if(X509_PURPOSE_get_by_id(purpose) == -1) {
+                X509V3err(X509V3_F_X509_PURPOSE_SET, X509V3_R_INVALID_PURPOSE);
+                return 0;
+        }
+        *p = purpose;
+        return 1;
+}
+
 int X509_PURPOSE_get_count(void)
 {
         if(!xptable) return X509_PURPOSE_COUNT;
@@ -144,7 +155,6 @@ int X509_PURPOSE_get_by_sname(char *sname)
         return -1;
 }
 
-
 int X509_PURPOSE_get_by_id(int purpose)
 {
         X509_PURPOSE tmp;
@@ -256,16 +266,55 @@ int X509_PURPOSE_get_trust(X509_PURPOSE *xp)
         return xp->trust;
 }
 
+static int nid_cmp(int *a, int *b)
+        {
+        return *a - *b;
+        }
+
+int X509_supported_extension(X509_EXTENSION *ex)
+        {
+        /* This table is a list of the NIDs of supported extensions:
+         * that is those which are used by the verify process. If
+         * an extension is critical and doesn't appear in this list
+         * then the verify process will normally reject the certificate.
+         * The list must be kept in numerical order because it will be
+         * searched using bsearch.
+         */
+
+        static int supported_nids[] = {
+                NID_netscape_cert_type, /* 71 */
+                NID_key_usage,          /* 83 */
+                NID_subject_alt_name,   /* 85 */
+                NID_basic_constraints,  /* 87 */
+                NID_ext_key_usage       /* 126 */
+        };
+
+        int ex_nid;
+
+        ex_nid = OBJ_obj2nid(X509_EXTENSION_get_object(ex));
+
+        if (ex_nid == NID_undef) 
+                return 0;
+
+        if (OBJ_bsearch((char *)&ex_nid, (char *)supported_nids,
+                sizeof(supported_nids)/sizeof(int), sizeof(int),
+                (int (*)(const void *, const void *))nid_cmp))
+                return 1;
+        return 0;
+        }
+ 
+
 static void x509v3_cache_extensions(X509 *x)
 {
         BASIC_CONSTRAINTS *bs;
         ASN1_BIT_STRING *usage;
         ASN1_BIT_STRING *ns;
-        STACK_OF(ASN1_OBJECT) *extusage;
+        EXTENDED_KEY_USAGE *extusage;
+        X509_EXTENSION *ex;
         
         int i;
         if(x->ex_flags & EXFLAG_SET) return;
-#ifndef NO_SHA
+#ifndef OPENSSL_NO_SHA
         X509_digest(x, EVP_sha1(), x->sha1_hash, NULL);
 #endif
         /* Does subject name match issuer ? */
@@ -320,6 +369,15 @@ static void x509v3_cache_extensions(X509 *x)
                                 case NID_ms_sgc:
                                 case NID_ns_sgc:
                                 x->ex_xkusage |= XKU_SGC;
+                                break;
+
+                                case NID_OCSP_sign:
+                                x->ex_xkusage |= XKU_OCSP_SIGN;
+                                break;
+
+                                case NID_time_stamp:
+                                x->ex_xkusage |= XKU_TIMESTAMP;
+                                break;
                         }
                 }
                 sk_ASN1_OBJECT_pop_free(extusage, ASN1_OBJECT_free);
@@ -333,6 +391,17 @@ static void x509v3_cache_extensions(X509 *x)
         }
         x->skid =X509_get_ext_d2i(x, NID_subject_key_identifier, NULL, NULL);
         x->akid =X509_get_ext_d2i(x, NID_authority_key_identifier, NULL, NULL);
+        for (i = 0; i < X509_get_ext_count(x); i++)
+                {
+                ex = X509_get_ext(x, i);
+                if (!X509_EXTENSION_get_critical(ex))
+                        continue;
+                if (!X509_supported_extension(ex))
+                        {
+                        x->ex_flags |= EXFLAG_CRITICAL;
+                        break;
+                        }
+                }
         x->ex_flags |= EXFLAG_SET;
 }
 
@@ -472,6 +541,27 @@ static int check_purpose_crl_sign(const X509_PURPOSE *xp, const X509 *x, int ca)
         return 1;
 }
 
+/* OCSP helper: this is *not* a full OCSP check. It just checks that
+ * each CA is valid. Additional checks must be made on the chain.
+ */
+
+static int ocsp_helper(const X509_PURPOSE *xp, const X509 *x, int ca)
+{
+        /* Must be a valid CA */
+        if(ca) {
+                int ca_ret;
+                ca_ret = ca_check(x);
+                if(ca_ret != 2) return ca_ret;
+                if(x->ex_flags & EXFLAG_NSCERT) {
+                        if(x->ex_nscert & NS_ANY_CA) return ca_ret;
+                        return 0;
+                }
+                return 0;
+        }
+        /* leaf certificate is checked in OCSP_verify() */
+        return 1;
+}
+
 static int no_check(const X509_PURPOSE *xp, const X509 *x, int ca)
 {
         return 1;
@@ -513,7 +603,7 @@ int X509_check_issued(X509 *issuer, X509 *subject)
                          * There may be more than one but we only take any
                          * notice of the first.
                          */
-                        STACK_OF(GENERAL_NAME) *gens;
+                        GENERAL_NAMES *gens;
                         GENERAL_NAME *gen;
                         X509_NAME *nm = NULL;
                         int i;
diff --git a/src/lib/libcrypto/x509v3/v3_skey.c b/src/lib/libcrypto/x509v3/v3_skey.c
index 939845fa8f..c0f044ac1b 100644
--- a/src/lib/libcrypto/x509v3/v3_skey.c
+++ b/src/lib/libcrypto/x509v3/v3_skey.c
@@ -63,14 +63,12 @@
 
 static ASN1_OCTET_STRING *s2i_skey_id(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, char *str);
 X509V3_EXT_METHOD v3_skey_id = { 
-NID_subject_key_identifier, 0,
-(X509V3_EXT_NEW)ASN1_OCTET_STRING_new,
-(X509V3_EXT_FREE)ASN1_OCTET_STRING_free,
-(X509V3_EXT_D2I)d2i_ASN1_OCTET_STRING,
-(X509V3_EXT_I2D)i2d_ASN1_OCTET_STRING,
+NID_subject_key_identifier, 0, ASN1_ITEM_ref(ASN1_OCTET_STRING),
+0,0,0,0,
 (X509V3_EXT_I2S)i2s_ASN1_OCTET_STRING,
 (X509V3_EXT_S2I)s2i_skey_id,
-NULL, NULL, NULL, NULL, NULL};
+0,0,0,0,
+NULL};
 
 char *i2s_ASN1_OCTET_STRING(X509V3_EXT_METHOD *method,
              ASN1_OCTET_STRING *oct)
@@ -106,7 +104,6 @@ static ASN1_OCTET_STRING *s2i_skey_id(X509V3_EXT_METHOD *method,
         ASN1_OCTET_STRING *oct;
         ASN1_BIT_STRING *pk;
         unsigned char pkey_dig[EVP_MAX_MD_SIZE];
-        EVP_MD_CTX md;
         unsigned int diglen;
 
         if(strcmp(str, "hash")) return s2i_ASN1_OCTET_STRING(method, ctx, str);
@@ -132,9 +129,7 @@ static ASN1_OCTET_STRING *s2i_skey_id(X509V3_EXT_METHOD *method,
                 goto err;
         }
 
-        EVP_DigestInit(&md, EVP_sha1());
-        EVP_DigestUpdate(&md, pk->data, pk->length);
-        EVP_DigestFinal(&md, pkey_dig, &diglen);
+        EVP_Digest(pk->data, pk->length, pkey_dig, &diglen, EVP_sha1(), NULL);
 
         if(!M_ASN1_OCTET_STRING_set(oct, pkey_dig, diglen)) {
                 X509V3err(X509V3_F_S2I_S2I_SKEY_ID,ERR_R_MALLOC_FAILURE);
diff --git a/src/lib/libcrypto/x509v3/v3_sxnet.c b/src/lib/libcrypto/x509v3/v3_sxnet.c
index bfecacd336..d3f4ba3a72 100644
--- a/src/lib/libcrypto/x509v3/v3_sxnet.c
+++ b/src/lib/libcrypto/x509v3/v3_sxnet.c
@@ -60,7 +60,7 @@
 #include "cryptlib.h"
 #include <openssl/conf.h>
 #include <openssl/asn1.h>
-#include <openssl/asn1_mac.h>
+#include <openssl/asn1t.h>
 #include <openssl/x509v3.h>
 
 /* Support for Thawte strong extranet extension */
@@ -73,111 +73,33 @@ static SXNET * sxnet_v2i(X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
                                                 STACK_OF(CONF_VALUE) *nval);
 #endif
 X509V3_EXT_METHOD v3_sxnet = {
-NID_sxnet, X509V3_EXT_MULTILINE,
-(X509V3_EXT_NEW)SXNET_new,
-(X509V3_EXT_FREE)SXNET_free,
-(X509V3_EXT_D2I)d2i_SXNET,
-(X509V3_EXT_I2D)i2d_SXNET,
-NULL, NULL,
-NULL, 
+NID_sxnet, X509V3_EXT_MULTILINE, ASN1_ITEM_ref(SXNET),
+0,0,0,0,
+0,0,
+0, 
 #ifdef SXNET_TEST
 (X509V3_EXT_V2I)sxnet_v2i,
 #else
-NULL,
+0,
 #endif
 (X509V3_EXT_I2R)sxnet_i2r,
-NULL,
+0,
 NULL
 };
 
+ASN1_SEQUENCE(SXNETID) = {
+        ASN1_SIMPLE(SXNETID, zone, ASN1_INTEGER),
+        ASN1_SIMPLE(SXNETID, user, ASN1_OCTET_STRING)
+} ASN1_SEQUENCE_END(SXNETID)
 
-int i2d_SXNET(SXNET *a, unsigned char **pp)
-{
-        M_ASN1_I2D_vars(a);
-
-        M_ASN1_I2D_len (a->version, i2d_ASN1_INTEGER);
-        M_ASN1_I2D_len_SEQUENCE_type (SXNETID, a->ids, i2d_SXNETID);
-
-        M_ASN1_I2D_seq_total();
-
-        M_ASN1_I2D_put (a->version, i2d_ASN1_INTEGER);
-        M_ASN1_I2D_put_SEQUENCE_type (SXNETID, a->ids, i2d_SXNETID);
+IMPLEMENT_ASN1_FUNCTIONS(SXNETID)
 
-        M_ASN1_I2D_finish();
-}
-
-SXNET *SXNET_new(void)
-{
-        SXNET *ret=NULL;
-        ASN1_CTX c;
-        M_ASN1_New_Malloc(ret, SXNET);
-        M_ASN1_New(ret->version,M_ASN1_INTEGER_new);
-        M_ASN1_New(ret->ids,sk_SXNETID_new_null);
-        return (ret);
-        M_ASN1_New_Error(ASN1_F_SXNET_NEW);
-}
+ASN1_SEQUENCE(SXNET) = {
+        ASN1_SIMPLE(SXNET, version, ASN1_INTEGER),
+        ASN1_SEQUENCE_OF(SXNET, ids, SXNETID)
+} ASN1_SEQUENCE_END(SXNET)
 
-SXNET *d2i_SXNET(SXNET **a, unsigned char **pp, long length)
-{
-        M_ASN1_D2I_vars(a,SXNET *,SXNET_new);
-        M_ASN1_D2I_Init();
-        M_ASN1_D2I_start_sequence();
-        M_ASN1_D2I_get (ret->version, d2i_ASN1_INTEGER);
-        M_ASN1_D2I_get_seq_type (SXNETID, ret->ids, d2i_SXNETID, SXNETID_free);
-        M_ASN1_D2I_Finish(a, SXNET_free, ASN1_F_D2I_SXNET);
-}
-
-void SXNET_free(SXNET *a)
-{
-        if (a == NULL) return;
-        M_ASN1_INTEGER_free(a->version);
-        sk_SXNETID_pop_free(a->ids, SXNETID_free);
-        OPENSSL_free (a);
-}
-
-int i2d_SXNETID(SXNETID *a, unsigned char **pp)
-{
-        M_ASN1_I2D_vars(a);
-
-        M_ASN1_I2D_len (a->zone, i2d_ASN1_INTEGER);
-        M_ASN1_I2D_len (a->user, i2d_ASN1_OCTET_STRING);
-
-        M_ASN1_I2D_seq_total();
-
-        M_ASN1_I2D_put (a->zone, i2d_ASN1_INTEGER);
-        M_ASN1_I2D_put (a->user, i2d_ASN1_OCTET_STRING);
-
-        M_ASN1_I2D_finish();
-}
-
-SXNETID *SXNETID_new(void)
-{
-        SXNETID *ret=NULL;
-        ASN1_CTX c;
-        M_ASN1_New_Malloc(ret, SXNETID);
-        ret->zone = NULL;
-        M_ASN1_New(ret->user,M_ASN1_OCTET_STRING_new);
-        return (ret);
-        M_ASN1_New_Error(ASN1_F_SXNETID_NEW);
-}
-
-SXNETID *d2i_SXNETID(SXNETID **a, unsigned char **pp, long length)
-{
-        M_ASN1_D2I_vars(a,SXNETID *,SXNETID_new);
-        M_ASN1_D2I_Init();
-        M_ASN1_D2I_start_sequence();
-        M_ASN1_D2I_get(ret->zone, d2i_ASN1_INTEGER);
-        M_ASN1_D2I_get(ret->user, d2i_ASN1_OCTET_STRING);
-        M_ASN1_D2I_Finish(a, SXNETID_free, ASN1_F_D2I_SXNETID);
-}
-
-void SXNETID_free(SXNETID *a)
-{
-        if (a == NULL) return;
-        M_ASN1_INTEGER_free(a->zone);
-        M_ASN1_OCTET_STRING_free(a->user);
-        OPENSSL_free (a);
-}
+IMPLEMENT_ASN1_FUNCTIONS(SXNET)
 
 static int sxnet_i2r(X509V3_EXT_METHOD *method, SXNET *sx, BIO *out,
              int indent)
diff --git a/src/lib/libcrypto/x509v3/v3_utl.c b/src/lib/libcrypto/x509v3/v3_utl.c
index 619f161b58..283e943e46 100644
--- a/src/lib/libcrypto/x509v3/v3_utl.c
+++ b/src/lib/libcrypto/x509v3/v3_utl.c
@@ -66,7 +66,7 @@
 
 static char *strip_spaces(char *name);
 static int sk_strcmp(const char * const *a, const char * const *b);
-static STACK *get_email(X509_NAME *name, STACK_OF(GENERAL_NAME) *gens);
+static STACK *get_email(X509_NAME *name, GENERAL_NAMES *gens);
 static void str_free(void *str);
 static int append_ia5(STACK **sk, ASN1_IA5STRING *email);
 
@@ -154,21 +154,40 @@ ASN1_INTEGER *s2i_ASN1_INTEGER(X509V3_EXT_METHOD *method, char *value)
 {
         BIGNUM *bn = NULL;
         ASN1_INTEGER *aint;
+        int isneg, ishex;
+        int ret;
         bn = BN_new();
-        if(!value) {
+        if (!value) {
                 X509V3err(X509V3_F_S2I_ASN1_INTEGER,X509V3_R_INVALID_NULL_VALUE);
                 return 0;
         }
-        if(!BN_dec2bn(&bn, value)) {
+        if (value[0] == '-') {
+                value++;
+                isneg = 1;
+        } else isneg = 0;
+
+        if (value[0] == '0' && ((value[1] == 'x') || (value[1] == 'X'))) {
+                value += 2;
+                ishex = 1;
+        } else ishex = 0;
+
+        if (ishex) ret = BN_hex2bn(&bn, value);
+        else ret = BN_dec2bn(&bn, value);
+
+        if (!ret) {
                 X509V3err(X509V3_F_S2I_ASN1_INTEGER,X509V3_R_BN_DEC2BN_ERROR);
                 return 0;
         }
 
-        if(!(aint = BN_to_ASN1_INTEGER(bn, NULL))) {
+        if (isneg && BN_is_zero(bn)) isneg = 0;
+
+        aint = BN_to_ASN1_INTEGER(bn, NULL);
+        BN_free(bn);
+        if (!aint) {
                 X509V3err(X509V3_F_S2I_ASN1_INTEGER,X509V3_R_BN_TO_ASN1_INTEGER_ERROR);
                 return 0;
         }
-        BN_free(bn);
+        if (isneg) aint->type |= V_ASN1_NEG;
         return aint;
 }
 
@@ -221,7 +240,7 @@ int X509V3_get_value_int(CONF_VALUE *value, ASN1_INTEGER **aint)
 
 /*#define DEBUG*/
 
-STACK_OF(CONF_VALUE) *X509V3_parse_list(char *line)
+STACK_OF(CONF_VALUE) *X509V3_parse_list(const char *line)
 {
         char *p, *q, c;
         char *ntmp, *vtmp;
@@ -250,7 +269,7 @@ STACK_OF(CONF_VALUE) *X509V3_parse_list(char *line)
                                 *p = 0;
                                 ntmp = strip_spaces(q);
                                 q = p + 1;
-#ifdef DEBUG
+#if 0
                                 printf("%s\n", ntmp);
 #endif
                                 if(!ntmp) {
@@ -266,7 +285,7 @@ STACK_OF(CONF_VALUE) *X509V3_parse_list(char *line)
                                 state = HDR_NAME;
                                 *p = 0;
                                 vtmp = strip_spaces(q);
-#ifdef DEBUG
+#if 0
                                 printf("%s\n", ntmp);
 #endif
                                 if(!vtmp) {
@@ -283,7 +302,7 @@ STACK_OF(CONF_VALUE) *X509V3_parse_list(char *line)
 
         if(state == HDR_VALUE) {
                 vtmp = strip_spaces(q);
-#ifdef DEBUG
+#if 0
                 printf("%s=%s\n", ntmp, vtmp);
 #endif
                 if(!vtmp) {
@@ -293,7 +312,7 @@ STACK_OF(CONF_VALUE) *X509V3_parse_list(char *line)
                 X509V3_add_value(ntmp, vtmp, &values);
         } else {
                 ntmp = strip_spaces(q);
-#ifdef DEBUG
+#if 0
                 printf("%s\n", ntmp);
 #endif
                 if(!ntmp) {
@@ -439,7 +458,7 @@ static int sk_strcmp(const char * const *a, const char * const *b)
 
 STACK *X509_get1_email(X509 *x)
 {
-        STACK_OF(GENERAL_NAME) *gens;
+        GENERAL_NAMES *gens;
         STACK *ret;
         gens = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL);
         ret = get_email(X509_get_subject_name(x), gens);
@@ -449,7 +468,7 @@ STACK *X509_get1_email(X509 *x)
 
 STACK *X509_REQ_get1_email(X509_REQ *x)
 {
-        STACK_OF(GENERAL_NAME) *gens;
+        GENERAL_NAMES *gens;
         STACK_OF(X509_EXTENSION) *exts;
         STACK *ret;
         exts = X509_REQ_get_extensions(x);
@@ -461,7 +480,7 @@ STACK *X509_REQ_get1_email(X509_REQ *x)
 }
 
 
-static STACK *get_email(X509_NAME *name, STACK_OF(GENERAL_NAME) *gens)
+static STACK *get_email(X509_NAME *name, GENERAL_NAMES *gens)
 {
         STACK *ret = NULL;
         X509_NAME_ENTRY *ne;
diff --git a/src/lib/libcrypto/x509v3/v3conf.c b/src/lib/libcrypto/x509v3/v3conf.c
index 21cf746f45..67ee14f334 100644
--- a/src/lib/libcrypto/x509v3/v3conf.c
+++ b/src/lib/libcrypto/x509v3/v3conf.c
@@ -60,7 +60,6 @@
 #include <stdio.h>
 #include "cryptlib.h"
 #include <openssl/asn1.h>
-#include <openssl/asn1_mac.h>
 #include <openssl/conf.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
diff --git a/src/lib/libcrypto/x509v3/v3err.c b/src/lib/libcrypto/x509v3/v3err.c
index aa4a605dc4..6458e95bb9 100644
--- a/src/lib/libcrypto/x509v3/v3err.c
+++ b/src/lib/libcrypto/x509v3/v3err.c
@@ -63,7 +63,7 @@
 #include <openssl/x509v3.h>
 
 /* BEGIN ERROR CODES */
-#ifndef NO_ERR
+#ifndef OPENSSL_NO_ERR
 static ERR_STRING_DATA X509V3_str_functs[]=
         {
 {ERR_PACK(0,X509V3_F_COPY_EMAIL,0),     "COPY_EMAIL"},
@@ -98,6 +98,7 @@ static ERR_STRING_DATA X509V3_str_functs[]=
 {ERR_PACK(0,X509V3_F_V2I_GENERAL_NAME,0),       "v2i_GENERAL_NAME"},
 {ERR_PACK(0,X509V3_F_V2I_GENERAL_NAMES,0),      "v2i_GENERAL_NAMES"},
 {ERR_PACK(0,X509V3_F_V3_GENERIC_EXTENSION,0),   "V3_GENERIC_EXTENSION"},
+{ERR_PACK(0,X509V3_F_X509V3_ADD_I2D,0), "X509V3_ADD_I2D"},
 {ERR_PACK(0,X509V3_F_X509V3_ADD_VALUE,0),       "X509V3_add_value"},
 {ERR_PACK(0,X509V3_F_X509V3_EXT_ADD,0), "X509V3_EXT_add"},
 {ERR_PACK(0,X509V3_F_X509V3_EXT_ADD_ALIAS,0),   "X509V3_EXT_add_alias"},
@@ -106,6 +107,7 @@ static ERR_STRING_DATA X509V3_str_functs[]=
 {ERR_PACK(0,X509V3_F_X509V3_GET_VALUE_BOOL,0),  "X509V3_get_value_bool"},
 {ERR_PACK(0,X509V3_F_X509V3_PARSE_LIST,0),      "X509V3_parse_list"},
 {ERR_PACK(0,X509V3_F_X509_PURPOSE_ADD,0),       "X509_PURPOSE_add"},
+{ERR_PACK(0,X509V3_F_X509_PURPOSE_SET,0),       "X509_PURPOSE_set"},
 {0,NULL}
         };
 
@@ -117,8 +119,10 @@ static ERR_STRING_DATA X509V3_str_reasons[]=
 {X509V3_R_BN_TO_ASN1_INTEGER_ERROR       ,"bn to asn1 integer error"},
 {X509V3_R_DUPLICATE_ZONE_ID              ,"duplicate zone id"},
 {X509V3_R_ERROR_CONVERTING_ZONE          ,"error converting zone"},
+{X509V3_R_ERROR_CREATING_EXTENSION       ,"error creating extension"},
 {X509V3_R_ERROR_IN_EXTENSION             ,"error in extension"},
 {X509V3_R_EXPECTED_A_SECTION_NAME        ,"expected a section name"},
+{X509V3_R_EXTENSION_EXISTS               ,"extension exists"},
 {X509V3_R_EXTENSION_NAME_ERROR           ,"extension name error"},
 {X509V3_R_EXTENSION_NOT_FOUND            ,"extension not found"},
 {X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED,"extension setting not supported"},
@@ -135,6 +139,7 @@ static ERR_STRING_DATA X509V3_str_reasons[]=
 {X509V3_R_INVALID_OBJECT_IDENTIFIER      ,"invalid object identifier"},
 {X509V3_R_INVALID_OPTION                 ,"invalid option"},
 {X509V3_R_INVALID_POLICY_IDENTIFIER      ,"invalid policy identifier"},
+{X509V3_R_INVALID_PURPOSE                ,"invalid purpose"},
 {X509V3_R_INVALID_SECTION                ,"invalid section"},
 {X509V3_R_INVALID_SYNTAX                 ,"invalid syntax"},
 {X509V3_R_ISSUER_DECODE_ERROR            ,"issuer decode error"},
@@ -167,7 +172,7 @@ void ERR_load_X509V3_strings(void)
         if (init)
                 {
                 init=0;
-#ifndef NO_ERR
+#ifndef OPENSSL_NO_ERR
                 ERR_load_strings(ERR_LIB_X509V3,X509V3_str_functs);
                 ERR_load_strings(ERR_LIB_X509V3,X509V3_str_reasons);
 #endif
diff --git a/src/lib/libcrypto/x509v3/v3prin.c b/src/lib/libcrypto/x509v3/v3prin.c
index ee798859f0..b529814319 100644
--- a/src/lib/libcrypto/x509v3/v3prin.c
+++ b/src/lib/libcrypto/x509v3/v3prin.c
@@ -59,9 +59,7 @@
 
 
 #include <stdio.h>
-#include "cryptlib.h"
 #include <openssl/asn1.h>
-#include <openssl/asn1_mac.h>
 #include <openssl/conf.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
diff --git a/src/lib/libcrypto/x509v3/x509v3.h b/src/lib/libcrypto/x509v3/x509v3.h
index 0453b12d63..daecc55271 100644
--- a/src/lib/libcrypto/x509v3/x509v3.h
+++ b/src/lib/libcrypto/x509v3/x509v3.h
@@ -88,6 +88,9 @@ typedef void * (*X509V3_EXT_R2I)(struct v3_ext_method *method, struct v3_ext_ctx
 struct v3_ext_method {
 int ext_nid;
 int ext_flags;
+/* If this is set the following four fields are ignored */
+ASN1_ITEM_EXP *it;
+/* Old style ASN1 calls */
 X509V3_EXT_NEW ext_new;
 X509V3_EXT_FREE ext_free;
 X509V3_EXT_D2I d2i;
@@ -156,35 +159,56 @@ ASN1_OBJECT *type_id;
 ASN1_TYPE *value;
 } OTHERNAME;
 
+typedef struct EDIPartyName_st {
+        ASN1_STRING *nameAssigner;
+        ASN1_STRING *partyName;
+} EDIPARTYNAME;
+
 typedef struct GENERAL_NAME_st {
 
-#define GEN_OTHERNAME   (0|V_ASN1_CONTEXT_SPECIFIC)
-#define GEN_EMAIL       (1|V_ASN1_CONTEXT_SPECIFIC)
-#define GEN_DNS         (2|V_ASN1_CONTEXT_SPECIFIC)
-#define GEN_X400        (3|V_ASN1_CONTEXT_SPECIFIC)
-#define GEN_DIRNAME     (4|V_ASN1_CONTEXT_SPECIFIC)
-#define GEN_EDIPARTY    (5|V_ASN1_CONTEXT_SPECIFIC)
-#define GEN_URI         (6|V_ASN1_CONTEXT_SPECIFIC)
-#define GEN_IPADD       (7|V_ASN1_CONTEXT_SPECIFIC)
-#define GEN_RID         (8|V_ASN1_CONTEXT_SPECIFIC)
+#define GEN_OTHERNAME   0
+#define GEN_EMAIL       1
+#define GEN_DNS         2
+#define GEN_X400        3
+#define GEN_DIRNAME     4
+#define GEN_EDIPARTY    5
+#define GEN_URI         6
+#define GEN_IPADD       7
+#define GEN_RID         8
 
 int type;
 union {
         char *ptr;
-        ASN1_IA5STRING *ia5;/* rfc822Name, dNSName, uniformResourceIdentifier */
+        OTHERNAME *otherName; /* otherName */
+        ASN1_IA5STRING *rfc822Name;
+        ASN1_IA5STRING *dNSName;
+        ASN1_TYPE *x400Address;
+        X509_NAME *directoryName;
+        EDIPARTYNAME *ediPartyName;
+        ASN1_IA5STRING *uniformResourceIdentifier;
+        ASN1_OCTET_STRING *iPAddress;
+        ASN1_OBJECT *registeredID;
+
+        /* Old names */
         ASN1_OCTET_STRING *ip; /* iPAddress */
         X509_NAME *dirn;                /* dirn */
+        ASN1_IA5STRING *ia5;/* rfc822Name, dNSName, uniformResourceIdentifier */
         ASN1_OBJECT *rid; /* registeredID */
-        OTHERNAME *otherName; /* otherName */
-        ASN1_TYPE *other; /* ediPartyName, x400Address */
+        ASN1_TYPE *other; /* x400Address */
 } d;
 } GENERAL_NAME;
 
+typedef STACK_OF(GENERAL_NAME) GENERAL_NAMES;
+
 typedef struct ACCESS_DESCRIPTION_st {
         ASN1_OBJECT *method;
         GENERAL_NAME *location;
 } ACCESS_DESCRIPTION;
 
+typedef STACK_OF(ACCESS_DESCRIPTION) AUTHORITY_INFO_ACCESS;
+
+typedef STACK_OF(ASN1_OBJECT) EXTENDED_KEY_USAGE;
+
 DECLARE_STACK_OF(GENERAL_NAME)
 DECLARE_ASN1_SET_OF(GENERAL_NAME)
 
@@ -192,23 +216,27 @@ DECLARE_STACK_OF(ACCESS_DESCRIPTION)
 DECLARE_ASN1_SET_OF(ACCESS_DESCRIPTION)
 
 typedef struct DIST_POINT_NAME_st {
-/* NB: this is a CHOICE type and only one of these should be set */
-STACK_OF(GENERAL_NAME) *fullname;
-STACK_OF(X509_NAME_ENTRY) *relativename;
+int type;
+union {
+        GENERAL_NAMES *fullname;
+        STACK_OF(X509_NAME_ENTRY) *relativename;
+} name;
 } DIST_POINT_NAME;
 
 typedef struct DIST_POINT_st {
 DIST_POINT_NAME *distpoint;
 ASN1_BIT_STRING *reasons;
-STACK_OF(GENERAL_NAME) *CRLissuer;
+GENERAL_NAMES *CRLissuer;
 } DIST_POINT;
 
+typedef STACK_OF(DIST_POINT) CRL_DIST_POINTS;
+
 DECLARE_STACK_OF(DIST_POINT)
 DECLARE_ASN1_SET_OF(DIST_POINT)
 
 typedef struct AUTHORITY_KEYID_st {
 ASN1_OCTET_STRING *keyid;
-STACK_OF(GENERAL_NAME) *issuer;
+GENERAL_NAMES *issuer;
 ASN1_INTEGER *serial;
 } AUTHORITY_KEYID;
 
@@ -254,6 +282,8 @@ typedef struct POLICYINFO_st {
         STACK_OF(POLICYQUALINFO) *qualifiers;
 } POLICYINFO;
 
+typedef STACK_OF(POLICYINFO) CERTIFICATEPOLICIES;
+
 DECLARE_STACK_OF(POLICYINFO)
 DECLARE_ASN1_SET_OF(POLICYINFO)
 
@@ -262,32 +292,24 @@ DECLARE_ASN1_SET_OF(POLICYINFO)
 
 #define X509V3_set_ctx_test(ctx) \
                         X509V3_set_ctx(ctx, NULL, NULL, NULL, NULL, CTX_TEST)
-#define X509V3_set_ctx_nodb(ctx) ctx->db = NULL;
+#define X509V3_set_ctx_nodb(ctx) (ctx)->db = NULL;
 
-#define EXT_BITSTRING(nid, table) { nid, 0, \
-                        (X509V3_EXT_NEW)ASN1_BIT_STRING_new, \
-                        (X509V3_EXT_FREE)ASN1_BIT_STRING_free, \
-                        (X509V3_EXT_D2I)d2i_ASN1_BIT_STRING, \
-                        (X509V3_EXT_I2D)i2d_ASN1_BIT_STRING, \
-                        NULL, NULL, \
+#define EXT_BITSTRING(nid, table) { nid, 0, ASN1_ITEM_ref(ASN1_BIT_STRING), \
+                        0,0,0,0, \
+                        0,0, \
                         (X509V3_EXT_I2V)i2v_ASN1_BIT_STRING, \
                         (X509V3_EXT_V2I)v2i_ASN1_BIT_STRING, \
                         NULL, NULL, \
-                        (char *)table}
+                        table}
 
-#define EXT_IA5STRING(nid) { nid, 0, \
-                        (X509V3_EXT_NEW)ASN1_IA5STRING_new, \
-                        (X509V3_EXT_FREE)ASN1_IA5STRING_free, \
-                        (X509V3_EXT_D2I)d2i_ASN1_IA5STRING, \
-                        (X509V3_EXT_I2D)i2d_ASN1_IA5STRING, \
+#define EXT_IA5STRING(nid) { nid, 0, ASN1_ITEM_ref(ASN1_IA5STRING), \
+                        0,0,0,0, \
                         (X509V3_EXT_I2S)i2s_ASN1_IA5STRING, \
                         (X509V3_EXT_S2I)s2i_ASN1_IA5STRING, \
-                        NULL, NULL, NULL, NULL, \
+                        0,0,0,0, \
                         NULL}
 
-#define EXT_END { -1, 0, NULL, NULL, NULL, NULL, NULL, NULL, \
-                         NULL, NULL, NULL, NULL, \
-                         NULL}
+#define EXT_END { -1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}
 
 
 /* X509_PURPOSE stuff */
@@ -302,6 +324,7 @@ DECLARE_ASN1_SET_OF(POLICYINFO)
 #define EXFLAG_V1               0x40
 #define EXFLAG_INVALID          0x80
 #define EXFLAG_SET              0x100
+#define EXFLAG_CRITICAL         0x200
 
 #define KU_DIGITAL_SIGNATURE    0x0080
 #define KU_NON_REPUDIATION      0x0040
@@ -320,12 +343,15 @@ DECLARE_ASN1_SET_OF(POLICYINFO)
 #define NS_SSL_CA               0x04
 #define NS_SMIME_CA             0x02
 #define NS_OBJSIGN_CA           0x01
+#define NS_ANY_CA               (NS_SSL_CA|NS_SMIME_CA|NS_OBJSIGN_CA)
 
 #define XKU_SSL_SERVER          0x1     
 #define XKU_SSL_CLIENT          0x2
 #define XKU_SMIME               0x4
 #define XKU_CODE_SIGN           0x8
 #define XKU_SGC                 0x10
+#define XKU_OCSP_SIGN           0x20
+#define XKU_TIMESTAMP           0x40
 
 #define X509_PURPOSE_DYNAMIC    0x1
 #define X509_PURPOSE_DYNAMIC_NAME       0x2
@@ -348,33 +374,40 @@ typedef struct x509_purpose_st {
 #define X509_PURPOSE_SMIME_ENCRYPT      5
 #define X509_PURPOSE_CRL_SIGN           6
 #define X509_PURPOSE_ANY                7
+#define X509_PURPOSE_OCSP_HELPER        8
 
 #define X509_PURPOSE_MIN                1
-#define X509_PURPOSE_MAX                7
+#define X509_PURPOSE_MAX                8
+
+/* Flags for X509V3_EXT_print() */
+
+#define X509V3_EXT_UNKNOWN_MASK         (0xfL << 16)
+/* Return error for unknown extensions */
+#define X509V3_EXT_DEFAULT              0
+/* Print error for unknown extensions */
+#define X509V3_EXT_ERROR_UNKNOWN        (1L << 16)
+/* ASN1 parse unknown extensions */
+#define X509V3_EXT_PARSE_UNKNOWN        (2L << 16)
+/* BIO_dump unknown extensions */
+#define X509V3_EXT_DUMP_UNKNOWN         (3L << 16)
+
+/* Flags for X509V3_add1_i2d */
+
+#define X509V3_ADD_OP_MASK              0xfL
+#define X509V3_ADD_DEFAULT              0L
+#define X509V3_ADD_APPEND               1L
+#define X509V3_ADD_REPLACE              2L
+#define X509V3_ADD_REPLACE_EXISTING     3L
+#define X509V3_ADD_KEEP_EXISTING        4L
+#define X509V3_ADD_DELETE               5L
+#define X509V3_ADD_SILENT               0x10
 
 DECLARE_STACK_OF(X509_PURPOSE)
 
-void ERR_load_X509V3_strings(void);
-int i2d_BASIC_CONSTRAINTS(BASIC_CONSTRAINTS *a, unsigned char **pp);
-BASIC_CONSTRAINTS *d2i_BASIC_CONSTRAINTS(BASIC_CONSTRAINTS **a, unsigned char **pp, long length);
-BASIC_CONSTRAINTS *BASIC_CONSTRAINTS_new(void);
-void BASIC_CONSTRAINTS_free(BASIC_CONSTRAINTS *a);
-
-int i2d_GENERAL_NAME(GENERAL_NAME *a, unsigned char **pp);
-GENERAL_NAME *d2i_GENERAL_NAME(GENERAL_NAME **a, unsigned char **pp, long length);
-GENERAL_NAME *GENERAL_NAME_new(void);
-void GENERAL_NAME_free(GENERAL_NAME *a);
-STACK_OF(CONF_VALUE) *i2v_GENERAL_NAME(X509V3_EXT_METHOD *method, GENERAL_NAME *gen, STACK_OF(CONF_VALUE) *ret);
-
-int i2d_SXNET(SXNET *a, unsigned char **pp);
-SXNET *d2i_SXNET(SXNET **a, unsigned char **pp, long length);
-SXNET *SXNET_new(void);
-void SXNET_free(SXNET *a);
+DECLARE_ASN1_FUNCTIONS(BASIC_CONSTRAINTS)
 
-int i2d_SXNETID(SXNETID *a, unsigned char **pp);
-SXNETID *d2i_SXNETID(SXNETID **a, unsigned char **pp, long length);
-SXNETID *SXNETID_new(void);
-void SXNETID_free(SXNETID *a);
+DECLARE_ASN1_FUNCTIONS(SXNET)
+DECLARE_ASN1_FUNCTIONS(SXNETID)
 
 int SXNET_add_id_asc(SXNET **psx, char *zone, char *user, int userlen); 
 int SXNET_add_id_ulong(SXNET **psx, unsigned long lzone, char *user, int userlen); 
@@ -384,108 +417,66 @@ ASN1_OCTET_STRING *SXNET_get_id_asc(SXNET *sx, char *zone);
 ASN1_OCTET_STRING *SXNET_get_id_ulong(SXNET *sx, unsigned long lzone);
 ASN1_OCTET_STRING *SXNET_get_id_INTEGER(SXNET *sx, ASN1_INTEGER *zone);
 
-int i2d_AUTHORITY_KEYID(AUTHORITY_KEYID *a, unsigned char **pp);
-AUTHORITY_KEYID *d2i_AUTHORITY_KEYID(AUTHORITY_KEYID **a, unsigned char **pp, long length);
-AUTHORITY_KEYID *AUTHORITY_KEYID_new(void);
-void AUTHORITY_KEYID_free(AUTHORITY_KEYID *a);
+DECLARE_ASN1_FUNCTIONS(AUTHORITY_KEYID)
 
-int i2d_PKEY_USAGE_PERIOD(PKEY_USAGE_PERIOD *a, unsigned char **pp);
-PKEY_USAGE_PERIOD *d2i_PKEY_USAGE_PERIOD(PKEY_USAGE_PERIOD **a, unsigned char **pp, long length);
-PKEY_USAGE_PERIOD *PKEY_USAGE_PERIOD_new(void);
-void PKEY_USAGE_PERIOD_free(PKEY_USAGE_PERIOD *a);
+DECLARE_ASN1_FUNCTIONS(PKEY_USAGE_PERIOD)
+
+DECLARE_ASN1_FUNCTIONS(GENERAL_NAME)
+
+STACK_OF(CONF_VALUE) *i2v_GENERAL_NAME(X509V3_EXT_METHOD *method, GENERAL_NAME *gen, STACK_OF(CONF_VALUE) *ret);
+int GENERAL_NAME_print(BIO *out, GENERAL_NAME *gen);
+
+DECLARE_ASN1_FUNCTIONS(GENERAL_NAMES)
 
-STACK_OF(GENERAL_NAME) *GENERAL_NAMES_new(void);
-void GENERAL_NAMES_free(STACK_OF(GENERAL_NAME) *a);
-STACK_OF(GENERAL_NAME) *d2i_GENERAL_NAMES(STACK_OF(GENERAL_NAME) **a, unsigned char **pp, long length);
-int i2d_GENERAL_NAMES(STACK_OF(GENERAL_NAME) *a, unsigned char **pp);
 STACK_OF(CONF_VALUE) *i2v_GENERAL_NAMES(X509V3_EXT_METHOD *method,
-                STACK_OF(GENERAL_NAME) *gen, STACK_OF(CONF_VALUE) *extlist);
-STACK_OF(GENERAL_NAME) *v2i_GENERAL_NAMES(X509V3_EXT_METHOD *method,
+                GENERAL_NAMES *gen, STACK_OF(CONF_VALUE) *extlist);
+GENERAL_NAMES *v2i_GENERAL_NAMES(X509V3_EXT_METHOD *method,
                                 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
 
-int i2d_OTHERNAME(OTHERNAME *a, unsigned char **pp);
-OTHERNAME *OTHERNAME_new(void);
-OTHERNAME *d2i_OTHERNAME(OTHERNAME **a, unsigned char **pp, long length);
-void OTHERNAME_free(OTHERNAME *a);
+DECLARE_ASN1_FUNCTIONS(OTHERNAME)
+DECLARE_ASN1_FUNCTIONS(EDIPARTYNAME)
 
 char *i2s_ASN1_OCTET_STRING(X509V3_EXT_METHOD *method, ASN1_OCTET_STRING *ia5);
 ASN1_OCTET_STRING *s2i_ASN1_OCTET_STRING(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, char *str);
 
-int i2d_ext_ku(STACK_OF(ASN1_OBJECT) *a, unsigned char **pp);
-STACK_OF(ASN1_OBJECT) *d2i_ext_ku(STACK_OF(ASN1_OBJECT) **a,
-                                        unsigned char **pp, long length);
-void ext_ku_free(STACK_OF(ASN1_OBJECT) *a);
-STACK_OF(ASN1_OBJECT) *ext_ku_new(void);
-
-int i2d_CERTIFICATEPOLICIES(STACK_OF(POLICYINFO) *a, unsigned char **pp);
-STACK_OF(POLICYINFO) *CERTIFICATEPOLICIES_new(void);
-void CERTIFICATEPOLICIES_free(STACK_OF(POLICYINFO) *a);
-STACK_OF(POLICYINFO) *d2i_CERTIFICATEPOLICIES(STACK_OF(POLICYINFO) **a, unsigned char **pp, long length);
-
-int i2d_POLICYINFO(POLICYINFO *a, unsigned char **pp);
-POLICYINFO *POLICYINFO_new(void);
-POLICYINFO *d2i_POLICYINFO(POLICYINFO **a, unsigned char **pp, long length);
-void POLICYINFO_free(POLICYINFO *a);
-
-int i2d_POLICYQUALINFO(POLICYQUALINFO *a, unsigned char **pp);
-POLICYQUALINFO *POLICYQUALINFO_new(void);
-POLICYQUALINFO *d2i_POLICYQUALINFO(POLICYQUALINFO **a, unsigned char **pp,
-                                                                 long length);
-void POLICYQUALINFO_free(POLICYQUALINFO *a);
-
-int i2d_USERNOTICE(USERNOTICE *a, unsigned char **pp);
-USERNOTICE *USERNOTICE_new(void);
-USERNOTICE *d2i_USERNOTICE(USERNOTICE **a, unsigned char **pp, long length);
-void USERNOTICE_free(USERNOTICE *a);
-
-int i2d_NOTICEREF(NOTICEREF *a, unsigned char **pp);
-NOTICEREF *NOTICEREF_new(void);
-NOTICEREF *d2i_NOTICEREF(NOTICEREF **a, unsigned char **pp, long length);
-void NOTICEREF_free(NOTICEREF *a);
-
-int i2d_CRL_DIST_POINTS(STACK_OF(DIST_POINT) *a, unsigned char **pp);
-STACK_OF(DIST_POINT) *CRL_DIST_POINTS_new(void);
-void CRL_DIST_POINTS_free(STACK_OF(DIST_POINT) *a);
-STACK_OF(DIST_POINT) *d2i_CRL_DIST_POINTS(STACK_OF(DIST_POINT) **a,
-                unsigned char **pp,long length);
-
-int i2d_DIST_POINT(DIST_POINT *a, unsigned char **pp);
-DIST_POINT *DIST_POINT_new(void);
-DIST_POINT *d2i_DIST_POINT(DIST_POINT **a, unsigned char **pp, long length);
-void DIST_POINT_free(DIST_POINT *a);
-
-int i2d_DIST_POINT_NAME(DIST_POINT_NAME *a, unsigned char **pp);
-DIST_POINT_NAME *DIST_POINT_NAME_new(void);
-void DIST_POINT_NAME_free(DIST_POINT_NAME *a);
-DIST_POINT_NAME *d2i_DIST_POINT_NAME(DIST_POINT_NAME **a, unsigned char **pp,
-             long length);
-
-int i2d_ACCESS_DESCRIPTION(ACCESS_DESCRIPTION *a, unsigned char **pp);
-ACCESS_DESCRIPTION *ACCESS_DESCRIPTION_new(void);
-void ACCESS_DESCRIPTION_free(ACCESS_DESCRIPTION *a);
-ACCESS_DESCRIPTION *d2i_ACCESS_DESCRIPTION(ACCESS_DESCRIPTION **a, unsigned char **pp,
-             long length);
-
-STACK_OF(ACCESS_DESCRIPTION) *AUTHORITY_INFO_ACCESS_new(void);
-void AUTHORITY_INFO_ACCESS_free(STACK_OF(ACCESS_DESCRIPTION) *a);
-STACK_OF(ACCESS_DESCRIPTION) *d2i_AUTHORITY_INFO_ACCESS(STACK_OF(ACCESS_DESCRIPTION) **a,
-                                         unsigned char **pp, long length);
-int i2d_AUTHORITY_INFO_ACCESS(STACK_OF(ACCESS_DESCRIPTION) *a, unsigned char **pp);
+DECLARE_ASN1_FUNCTIONS(EXTENDED_KEY_USAGE)
+int i2a_ACCESS_DESCRIPTION(BIO *bp, ACCESS_DESCRIPTION* a);
+
+DECLARE_ASN1_FUNCTIONS(CERTIFICATEPOLICIES)
+DECLARE_ASN1_FUNCTIONS(POLICYINFO)
+DECLARE_ASN1_FUNCTIONS(POLICYQUALINFO)
+DECLARE_ASN1_FUNCTIONS(USERNOTICE)
+DECLARE_ASN1_FUNCTIONS(NOTICEREF)
 
+DECLARE_ASN1_FUNCTIONS(CRL_DIST_POINTS)
+DECLARE_ASN1_FUNCTIONS(DIST_POINT)
+DECLARE_ASN1_FUNCTIONS(DIST_POINT_NAME)
 
+DECLARE_ASN1_FUNCTIONS(ACCESS_DESCRIPTION)
+DECLARE_ASN1_FUNCTIONS(AUTHORITY_INFO_ACCESS)
 
 #ifdef HEADER_CONF_H
 GENERAL_NAME *v2i_GENERAL_NAME(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, CONF_VALUE *cnf);
 void X509V3_conf_free(CONF_VALUE *val);
+
+X509_EXTENSION *X509V3_EXT_nconf_nid(CONF *conf, X509V3_CTX *ctx, int ext_nid, char *value);
+X509_EXTENSION *X509V3_EXT_nconf(CONF *conf, X509V3_CTX *ctx, char *name, char *value);
+int X509V3_EXT_add_nconf_sk(CONF *conf, X509V3_CTX *ctx, char *section, STACK_OF(X509_EXTENSION) **sk);
+int X509V3_EXT_add_nconf(CONF *conf, X509V3_CTX *ctx, char *section, X509 *cert);
+int X509V3_EXT_REQ_add_nconf(CONF *conf, X509V3_CTX *ctx, char *section, X509_REQ *req);
+int X509V3_EXT_CRL_add_nconf(CONF *conf, X509V3_CTX *ctx, char *section, X509_CRL *crl);
+
 X509_EXTENSION *X509V3_EXT_conf_nid(LHASH *conf, X509V3_CTX *ctx, int ext_nid, char *value);
 X509_EXTENSION *X509V3_EXT_conf(LHASH *conf, X509V3_CTX *ctx, char *name, char *value);
 int X509V3_EXT_add_conf(LHASH *conf, X509V3_CTX *ctx, char *section, X509 *cert);
 int X509V3_EXT_REQ_add_conf(LHASH *conf, X509V3_CTX *ctx, char *section, X509_REQ *req);
 int X509V3_EXT_CRL_add_conf(LHASH *conf, X509V3_CTX *ctx, char *section, X509_CRL *crl);
+
 int X509V3_add_value_bool_nf(char *name, int asn1_bool,
                                                 STACK_OF(CONF_VALUE) **extlist);
 int X509V3_get_value_bool(CONF_VALUE *value, int *asn1_bool);
 int X509V3_get_value_int(CONF_VALUE *value, ASN1_INTEGER **aint);
+void X509V3_set_nconf(X509V3_CTX *ctx, CONF *conf);
 void X509V3_set_conf_lhash(X509V3_CTX *ctx, LHASH *lhash);
 #endif
 
@@ -516,11 +507,13 @@ void X509V3_EXT_cleanup(void);
 X509V3_EXT_METHOD *X509V3_EXT_get(X509_EXTENSION *ext);
 X509V3_EXT_METHOD *X509V3_EXT_get_nid(int nid);
 int X509V3_add_standard_extensions(void);
-STACK_OF(CONF_VALUE) *X509V3_parse_list(char *line);
+STACK_OF(CONF_VALUE) *X509V3_parse_list(const char *line);
 void *X509V3_EXT_d2i(X509_EXTENSION *ext);
 void *X509V3_get_d2i(STACK_OF(X509_EXTENSION) *x, int nid, int *crit, int *idx);
 
+
 X509_EXTENSION *X509V3_EXT_i2d(int ext_nid, int crit, void *ext_struc);
+int X509V3_add1_i2d(STACK_OF(X509_EXTENSION) **x, int nid, void *value, int crit, unsigned long flags);
 
 char *hex_to_string(unsigned char *buffer, long len);
 unsigned char *string_to_hex(char *str, long *len);
@@ -528,10 +521,14 @@ int name_cmp(const char *name, const char *cmp);
 
 void X509V3_EXT_val_prn(BIO *out, STACK_OF(CONF_VALUE) *val, int indent,
                                                                  int ml);
-int X509V3_EXT_print(BIO *out, X509_EXTENSION *ext, int flag, int indent);
+int X509V3_EXT_print(BIO *out, X509_EXTENSION *ext, unsigned long flag, int indent);
 int X509V3_EXT_print_fp(FILE *out, X509_EXTENSION *ext, int flag, int indent);
 
+int X509V3_extensions_print(BIO *out, char *title, STACK_OF(X509_EXTENSION) *exts, unsigned long flag, int indent);
+
 int X509_check_purpose(X509 *x, int id, int ca);
+int X509_supported_extension(X509_EXTENSION *ex);
+int X509_PURPOSE_set(int *p, int purpose);
 int X509_check_issued(X509 *issuer, X509 *subject);
 int X509_PURPOSE_get_count(void);
 X509_PURPOSE * X509_PURPOSE_get0(int idx);
@@ -555,6 +552,7 @@ void X509_email_free(STACK *sk);
 /* The following lines are auto generated by the script mkerr.pl. Any changes
  * made after this point may be overwritten when the script is next run.
  */
+void ERR_load_X509V3_strings(void);
 
 /* Error codes for the X509V3 functions. */
 
@@ -591,6 +589,7 @@ void X509_email_free(STACK *sk);
 #define X509V3_F_V2I_GENERAL_NAME                        117
 #define X509V3_F_V2I_GENERAL_NAMES                       118
 #define X509V3_F_V3_GENERIC_EXTENSION                    116
+#define X509V3_F_X509V3_ADD_I2D                          140
 #define X509V3_F_X509V3_ADD_VALUE                        105
 #define X509V3_F_X509V3_EXT_ADD                          104
 #define X509V3_F_X509V3_EXT_ADD_ALIAS                    106
@@ -599,6 +598,7 @@ void X509_email_free(STACK *sk);
 #define X509V3_F_X509V3_GET_VALUE_BOOL                   110
 #define X509V3_F_X509V3_PARSE_LIST                       109
 #define X509V3_F_X509_PURPOSE_ADD                        137
+#define X509V3_F_X509_PURPOSE_SET                        141
 
 /* Reason codes. */
 #define X509V3_R_BAD_IP_ADDRESS                          118
@@ -607,8 +607,10 @@ void X509_email_free(STACK *sk);
 #define X509V3_R_BN_TO_ASN1_INTEGER_ERROR                101
 #define X509V3_R_DUPLICATE_ZONE_ID                       133
 #define X509V3_R_ERROR_CONVERTING_ZONE                   131
+#define X509V3_R_ERROR_CREATING_EXTENSION                144
 #define X509V3_R_ERROR_IN_EXTENSION                      128
 #define X509V3_R_EXPECTED_A_SECTION_NAME                 137
+#define X509V3_R_EXTENSION_EXISTS                        145
 #define X509V3_R_EXTENSION_NAME_ERROR                    115
 #define X509V3_R_EXTENSION_NOT_FOUND                     102
 #define X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED         103
@@ -625,6 +627,7 @@ void X509_email_free(STACK *sk);
 #define X509V3_R_INVALID_OBJECT_IDENTIFIER               110
 #define X509V3_R_INVALID_OPTION                          138
 #define X509V3_R_INVALID_POLICY_IDENTIFIER               134
+#define X509V3_R_INVALID_PURPOSE                         146
 #define X509V3_R_INVALID_SECTION                         135
 #define X509V3_R_INVALID_SYNTAX                          143
 #define X509V3_R_ISSUER_DECODE_ERROR                     126
@@ -650,4 +653,3 @@ void X509_email_free(STACK *sk);
 }
 #endif
 #endif
-