16 files changed, 0 insertions, 14010 deletions
diff --git a/src/lib/libssl/ssl.h b/src/lib/libssl/ssl.h
deleted file mode 100644
index 58493fa988..0000000000
--- a/src/lib/libssl/ssl.h
+++ /dev/null
@@ -1,2382 +0,0 @@
-/* $OpenBSD: ssl.h,v 1.96 2015/10/25 16:07:04 doug Exp $ */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-/* ====================================================================
- * Copyright (c) 1998-2007 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    openssl-core@openssl.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-/* ====================================================================
- * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
- * ECC cipher suite support in OpenSSL originally developed by
- * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
- */
-/* ====================================================================
- * Copyright 2005 Nokia. All rights reserved.
- *
- * The portions of the attached software ("Contribution") is developed by
- * Nokia Corporation and is licensed pursuant to the OpenSSL open source
- * license.
- *
- * The Contribution, originally written by Mika Kousa and Pasi Eronen of
- * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
- * support (see RFC 4279) to OpenSSL.
- *
- * No patent licenses or other rights except those expressly stated in
- * the OpenSSL open source license shall be deemed granted or received
- * expressly, by implication, estoppel, or otherwise.
- *
- * No assurances are provided by Nokia that the Contribution does not
- * infringe the patent or other intellectual property rights of any third
- * party or that the license provides you with all the necessary rights
- * to make use of the Contribution.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
- * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
- * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
- * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
- * OTHERWISE.
- */
-#ifndef HEADER_SSL_H
-#define HEADER_SSL_H
-#include <stdint.h>
-#include <openssl/opensslconf.h>
-#include <openssl/hmac.h>
-#include <openssl/pem.h>
-#include <openssl/safestack.h>
-#ifndef OPENSSL_NO_BIO
-#include <openssl/bio.h>
-#endif
-#ifndef OPENSSL_NO_DEPRECATED
-#include <openssl/buffer.h>
-#include <openssl/crypto.h>
-#include <openssl/lhash.h>
-#ifndef OPENSSL_NO_X509
-#include <openssl/x509.h>
-#endif
-#endif
-#ifdef  __cplusplus
-extern "C" {
-#endif
-/* SSLeay version number for ASN.1 encoding of the session information */
-/* Version 0 - initial version
- * Version 1 - added the optional peer certificate
- */
-#define SSL_SESSION_ASN1_VERSION 0x0001
-/* text strings for the ciphers */
-#define SSL_TXT_NULL_WITH_MD5           SSL2_TXT_NULL_WITH_MD5
-#define SSL_TXT_RC4_128_WITH_MD5        SSL2_TXT_RC4_128_WITH_MD5
-#define SSL_TXT_RC4_128_EXPORT40_WITH_MD5 SSL2_TXT_RC4_128_EXPORT40_WITH_MD5
-#define SSL_TXT_RC2_128_CBC_WITH_MD5    SSL2_TXT_RC2_128_CBC_WITH_MD5
-#define SSL_TXT_RC2_128_CBC_EXPORT40_WITH_MD5 SSL2_TXT_RC2_128_CBC_EXPORT40_WITH_MD5
-#define SSL_TXT_IDEA_128_CBC_WITH_MD5   SSL2_TXT_IDEA_128_CBC_WITH_MD5
-#define SSL_TXT_DES_64_CBC_WITH_MD5     SSL2_TXT_DES_64_CBC_WITH_MD5
-#define SSL_TXT_DES_64_CBC_WITH_SHA     SSL2_TXT_DES_64_CBC_WITH_SHA
-#define SSL_TXT_DES_192_EDE3_CBC_WITH_MD5 SSL2_TXT_DES_192_EDE3_CBC_WITH_MD5
-#define SSL_TXT_DES_192_EDE3_CBC_WITH_SHA SSL2_TXT_DES_192_EDE3_CBC_WITH_SHA
-/*    VRS Additional Kerberos5 entries
- */
-#define SSL_TXT_KRB5_DES_64_CBC_SHA   SSL3_TXT_KRB5_DES_64_CBC_SHA
-#define SSL_TXT_KRB5_DES_192_CBC3_SHA SSL3_TXT_KRB5_DES_192_CBC3_SHA
-#define SSL_TXT_KRB5_RC4_128_SHA      SSL3_TXT_KRB5_RC4_128_SHA
-#define SSL_TXT_KRB5_IDEA_128_CBC_SHA SSL3_TXT_KRB5_IDEA_128_CBC_SHA
-#define SSL_TXT_KRB5_DES_64_CBC_MD5   SSL3_TXT_KRB5_DES_64_CBC_MD5
-#define SSL_TXT_KRB5_DES_192_CBC3_MD5 SSL3_TXT_KRB5_DES_192_CBC3_MD5
-#define SSL_TXT_KRB5_RC4_128_MD5      SSL3_TXT_KRB5_RC4_128_MD5
-#define SSL_TXT_KRB5_IDEA_128_CBC_MD5 SSL3_TXT_KRB5_IDEA_128_CBC_MD5
-#define SSL_TXT_KRB5_DES_40_CBC_SHA   SSL3_TXT_KRB5_DES_40_CBC_SHA
-#define SSL_TXT_KRB5_RC2_40_CBC_SHA   SSL3_TXT_KRB5_RC2_40_CBC_SHA
-#define SSL_TXT_KRB5_RC4_40_SHA       SSL3_TXT_KRB5_RC4_40_SHA
-#define SSL_TXT_KRB5_DES_40_CBC_MD5   SSL3_TXT_KRB5_DES_40_CBC_MD5
-#define SSL_TXT_KRB5_RC2_40_CBC_MD5   SSL3_TXT_KRB5_RC2_40_CBC_MD5
-#define SSL_TXT_KRB5_RC4_40_MD5       SSL3_TXT_KRB5_RC4_40_MD5
-#define SSL_TXT_KRB5_DES_40_CBC_SHA   SSL3_TXT_KRB5_DES_40_CBC_SHA
-#define SSL_TXT_KRB5_DES_40_CBC_MD5   SSL3_TXT_KRB5_DES_40_CBC_MD5
-#define SSL_TXT_KRB5_DES_64_CBC_SHA   SSL3_TXT_KRB5_DES_64_CBC_SHA
-#define SSL_TXT_KRB5_DES_64_CBC_MD5   SSL3_TXT_KRB5_DES_64_CBC_MD5
-#define SSL_TXT_KRB5_DES_192_CBC3_SHA SSL3_TXT_KRB5_DES_192_CBC3_SHA
-#define SSL_TXT_KRB5_DES_192_CBC3_MD5 SSL3_TXT_KRB5_DES_192_CBC3_MD5
-#define SSL_MAX_KRB5_PRINCIPAL_LENGTH  256
-#define SSL_MAX_SSL_SESSION_ID_LENGTH           32
-#define SSL_MAX_SID_CTX_LENGTH                  32
-#define SSL_MIN_RSA_MODULUS_LENGTH_IN_BYTES     (512/8)
-#define SSL_MAX_KEY_ARG_LENGTH                  8
-#define SSL_MAX_MASTER_KEY_LENGTH               48
-/* These are used to specify which ciphers to use and not to use */
-#define SSL_TXT_LOW             "LOW"
-#define SSL_TXT_MEDIUM          "MEDIUM"
-#define SSL_TXT_HIGH            "HIGH"
-#define SSL_TXT_kFZA            "kFZA" /* unused! */
-#define SSL_TXT_aFZA            "aFZA" /* unused! */
-#define SSL_TXT_eFZA            "eFZA" /* unused! */
-#define SSL_TXT_FZA             "FZA"  /* unused! */
-#define SSL_TXT_aNULL           "aNULL"
-#define SSL_TXT_eNULL           "eNULL"
-#define SSL_TXT_NULL            "NULL"
-#define SSL_TXT_kRSA            "kRSA"
-#define SSL_TXT_kDHr            "kDHr" /* no such ciphersuites supported! */
-#define SSL_TXT_kDHd            "kDHd" /* no such ciphersuites supported! */
-#define SSL_TXT_kDH             "kDH"  /* no such ciphersuites supported! */
-#define SSL_TXT_kEDH            "kEDH"
-#define SSL_TXT_kKRB5           "kKRB5"
-#define SSL_TXT_kECDHr          "kECDHr"
-#define SSL_TXT_kECDHe          "kECDHe"
-#define SSL_TXT_kECDH           "kECDH"
-#define SSL_TXT_kEECDH          "kEECDH"
-#define SSL_TXT_kPSK            "kPSK"
-#define SSL_TXT_kGOST           "kGOST"
-#define SSL_TXT_kSRP            "kSRP"
-#define SSL_TXT_aRSA            "aRSA"
-#define SSL_TXT_aDSS            "aDSS"
-#define SSL_TXT_aDH             "aDH" /* no such ciphersuites supported! */
-#define SSL_TXT_aECDH           "aECDH"
-#define SSL_TXT_aKRB5           "aKRB5"
-#define SSL_TXT_aECDSA          "aECDSA"
-#define SSL_TXT_aPSK            "aPSK"
-#define SSL_TXT_aGOST94         "aGOST94"
-#define SSL_TXT_aGOST01         "aGOST01"
-#define SSL_TXT_aGOST           "aGOST"
-#define SSL_TXT_DSS             "DSS"
-#define SSL_TXT_DH              "DH"
-#define SSL_TXT_DHE             "DHE" /* same as "kDHE:-ADH" */
-#define SSL_TXT_EDH             "EDH" /* previous name for DHE */
-#define SSL_TXT_ADH             "ADH"
-#define SSL_TXT_RSA             "RSA"
-#define SSL_TXT_ECDH            "ECDH"
-#define SSL_TXT_ECDHE           "ECDHE" /* same as "kECDHE:-AECDH" */
-#define SSL_TXT_EECDH           "EECDH" /* previous name for ECDHE */
-#define SSL_TXT_AECDH           "AECDH"
-#define SSL_TXT_ECDSA           "ECDSA"
-#define SSL_TXT_KRB5            "KRB5"
-#define SSL_TXT_PSK             "PSK"
-#define SSL_TXT_SRP             "SRP"
-#define SSL_TXT_DES             "DES"
-#define SSL_TXT_3DES            "3DES"
-#define SSL_TXT_RC4             "RC4"
-#define SSL_TXT_RC2             "RC2"
-#define SSL_TXT_IDEA            "IDEA"
-#define SSL_TXT_SEED            "SEED"
-#define SSL_TXT_AES128          "AES128"
-#define SSL_TXT_AES256          "AES256"
-#define SSL_TXT_AES             "AES"
-#define SSL_TXT_AES_GCM         "AESGCM"
-#define SSL_TXT_CAMELLIA128     "CAMELLIA128"
-#define SSL_TXT_CAMELLIA256     "CAMELLIA256"
-#define SSL_TXT_CAMELLIA        "CAMELLIA"
-#define SSL_TXT_CHACHA20        "CHACHA20"
-#define SSL_TXT_AEAD            "AEAD"
-#define SSL_TXT_MD5             "MD5"
-#define SSL_TXT_SHA1            "SHA1"
-#define SSL_TXT_SHA             "SHA" /* same as "SHA1" */
-#define SSL_TXT_GOST94          "GOST94"
-#define SSL_TXT_GOST89MAC               "GOST89MAC"
-#define SSL_TXT_SHA256          "SHA256"
-#define SSL_TXT_SHA384          "SHA384"
-#define SSL_TXT_STREEBOG256             "STREEBOG256"
-#define SSL_TXT_STREEBOG512             "STREEBOG512"
-#define SSL_TXT_DTLS1           "DTLSv1"
-#define SSL_TXT_SSLV2           "SSLv2"
-#define SSL_TXT_SSLV3           "SSLv3"
-#define SSL_TXT_TLSV1           "TLSv1"
-#define SSL_TXT_TLSV1_1         "TLSv1.1"
-#define SSL_TXT_TLSV1_2         "TLSv1.2"
-#define SSL_TXT_EXP             "EXP"
-#define SSL_TXT_EXPORT          "EXPORT"
-#define SSL_TXT_ALL             "ALL"
-/*
- * COMPLEMENTOF* definitions. These identifiers are used to (de-select)
- * ciphers normally not being used.
- * Example: "RC4" will activate all ciphers using RC4 including ciphers
- * without authentication, which would normally disabled by DEFAULT (due
- * the "!ADH" being part of default). Therefore "RC4:!COMPLEMENTOFDEFAULT"
- * will make sure that it is also disabled in the specific selection.
- * COMPLEMENTOF* identifiers are portable between version, as adjustments
- * to the default cipher setup will also be included here.
- *
- * COMPLEMENTOFDEFAULT does not experience the same special treatment that
- * DEFAULT gets, as only selection is being done and no sorting as needed
- * for DEFAULT.
- */
-#define SSL_TXT_CMPALL          "COMPLEMENTOFALL"
-#define SSL_TXT_CMPDEF          "COMPLEMENTOFDEFAULT"
-/* The following cipher list is used by default.
- * It also is substituted when an application-defined cipher list string
- * starts with 'DEFAULT'. */
-#define SSL_DEFAULT_CIPHER_LIST "ALL:!aNULL:!eNULL:!SSLv2"
-/* As of OpenSSL 1.0.0, ssl_create_cipher_list() in ssl/ssl_ciph.c always
- * starts with a reasonable order, and all we have to do for DEFAULT is
- * throwing out anonymous and unencrypted ciphersuites!
- * (The latter are not actually enabled by ALL, but "ALL:RSA" would enable
- * some of them.)
- */
-/* Used in SSL_set_shutdown()/SSL_get_shutdown(); */
-#define SSL_SENT_SHUTDOWN       1
-#define SSL_RECEIVED_SHUTDOWN   2
-#define SSL_FILETYPE_ASN1       X509_FILETYPE_ASN1
-#define SSL_FILETYPE_PEM        X509_FILETYPE_PEM
-/* This is needed to stop compilers complaining about the
- * 'struct ssl_st *' function parameters used to prototype callbacks
- * in SSL_CTX. */
-typedef struct ssl_st *ssl_crock_st;
-typedef struct tls_session_ticket_ext_st TLS_SESSION_TICKET_EXT;
-typedef struct ssl_method_st SSL_METHOD;
-typedef struct ssl_cipher_st SSL_CIPHER;
-typedef struct ssl_session_st SSL_SESSION;
-DECLARE_STACK_OF(SSL_CIPHER)
-/* SRTP protection profiles for use with the use_srtp extension (RFC 5764)*/
-typedef struct srtp_protection_profile_st {
-        const char *name;
-        unsigned long id;
-} SRTP_PROTECTION_PROFILE;
-DECLARE_STACK_OF(SRTP_PROTECTION_PROFILE)
-typedef int (*tls_session_ticket_ext_cb_fn)(SSL *s, const unsigned char *data,
-    int len, void *arg);
-typedef int (*tls_session_secret_cb_fn)(SSL *s, void *secret, int *secret_len,
-    STACK_OF(SSL_CIPHER) *peer_ciphers, SSL_CIPHER **cipher, void *arg);
-#ifndef OPENSSL_NO_SSL_INTERN
-/* used to hold info on the particular ciphers used */
-struct ssl_cipher_st {
-        int valid;
-        const char *name;               /* text name */
-        unsigned long id;               /* id, 4 bytes, first is version */
-        unsigned long algorithm_mkey;   /* key exchange algorithm */
-        unsigned long algorithm_auth;   /* server authentication */
-        unsigned long algorithm_enc;    /* symmetric encryption */
-        unsigned long algorithm_mac;    /* symmetric authentication */
-        unsigned long algorithm_ssl;    /* (major) protocol version */
-        unsigned long algo_strength;    /* strength and export flags */
-        unsigned long algorithm2;       /* Extra flags */
-        int strength_bits;              /* Number of bits really used */
-        int alg_bits;                   /* Number of bits for algorithm */
-};
-/* Used to hold functions for SSLv3/TLSv1 functions */
-struct ssl_method_st {
-        int version;
-        int (*ssl_new)(SSL *s);
-        void (*ssl_clear)(SSL *s);
-        void (*ssl_free)(SSL *s);
-        int (*ssl_accept)(SSL *s);
-        int (*ssl_connect)(SSL *s);
-        int (*ssl_read)(SSL *s, void *buf, int len);
-        int (*ssl_peek)(SSL *s, void *buf, int len);
-        int (*ssl_write)(SSL *s, const void *buf, int len);
-        int (*ssl_shutdown)(SSL *s);
-        int (*ssl_renegotiate)(SSL *s);
-        int (*ssl_renegotiate_check)(SSL *s);
-        long (*ssl_get_message)(SSL *s, int st1, int stn, int mt,
-            long max, int *ok);
-        int (*ssl_read_bytes)(SSL *s, int type, unsigned char *buf,
-            int len, int peek);
-        int (*ssl_write_bytes)(SSL *s, int type, const void *buf_, int len);
-        int (*ssl_dispatch_alert)(SSL *s);
-        long (*ssl_ctrl)(SSL *s, int cmd, long larg, void *parg);
-        long (*ssl_ctx_ctrl)(SSL_CTX *ctx, int cmd, long larg, void *parg);
-        const SSL_CIPHER *(*get_cipher_by_char)(const unsigned char *ptr);
-        int (*put_cipher_by_char)(const SSL_CIPHER *cipher, unsigned char *ptr);
-        int (*ssl_pending)(const SSL *s);
-        int (*num_ciphers)(void);
-        const SSL_CIPHER *(*get_cipher)(unsigned ncipher);
-        const struct ssl_method_st *(*get_ssl_method)(int version);
-        long (*get_timeout)(void);
-        struct ssl3_enc_method *ssl3_enc; /* Extra SSLv3/TLS stuff */
-        int (*ssl_version)(void);
-        long (*ssl_callback_ctrl)(SSL *s, int cb_id, void (*fp)(void));
-        long (*ssl_ctx_callback_ctrl)(SSL_CTX *s, int cb_id, void (*fp)(void));
-};
-/* Lets make this into an ASN.1 type structure as follows
- * SSL_SESSION_ID ::= SEQUENCE {
- *      version                 INTEGER,        -- structure version number
- *      SSLversion              INTEGER,        -- SSL version number
- *      Cipher                  OCTET STRING,   -- the 3 byte cipher ID
- *      Session_ID              OCTET STRING,   -- the Session ID
- *      Master_key              OCTET STRING,   -- the master key
- *      KRB5_principal          OCTET STRING    -- optional Kerberos principal
- *      Time [ 1 ] EXPLICIT     INTEGER,        -- optional Start Time
- *      Timeout [ 2 ] EXPLICIT  INTEGER,        -- optional Timeout ins seconds
- *      Peer [ 3 ] EXPLICIT     X509,           -- optional Peer Certificate
- *      Session_ID_context [ 4 ] EXPLICIT OCTET STRING,   -- the Session ID context
- *      Verify_result [ 5 ] EXPLICIT INTEGER,   -- X509_V_... code for `Peer'
- *      HostName [ 6 ] EXPLICIT OCTET STRING,   -- optional HostName from servername TLS extension
- *      PSK_identity_hint [ 7 ] EXPLICIT OCTET STRING, -- optional PSK identity hint
- *      PSK_identity [ 8 ] EXPLICIT OCTET STRING,  -- optional PSK identity
- *      Ticket_lifetime_hint [9] EXPLICIT INTEGER, -- server's lifetime hint for session ticket
- *      Ticket [10]             EXPLICIT OCTET STRING, -- session ticket (clients only)
- *      Compression_meth [11]   EXPLICIT OCTET STRING, -- optional compression method
- *      SRP_username [ 12 ] EXPLICIT OCTET STRING -- optional SRP username
- *      }
- * Look in ssl/ssl_asn1.c for more details
- * I'm using EXPLICIT tags so I can read the damn things using asn1parse :-).
- */
-struct ssl_session_st {
-        int ssl_version;        /* what ssl version session info is
-                                 * being kept in here? */
-        int master_key_length;
-        unsigned char master_key[SSL_MAX_MASTER_KEY_LENGTH];
-        /* session_id - valid? */
-        unsigned int session_id_length;
-        unsigned char session_id[SSL_MAX_SSL_SESSION_ID_LENGTH];
-        /* this is used to determine whether the session is being reused in
-         * the appropriate context. It is up to the application to set this,
-         * via SSL_new */
-        unsigned int sid_ctx_length;
-        unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH];
-        /* Used to indicate that session resumption is not allowed.
-         * Applications can also set this bit for a new session via
-         * not_resumable_session_cb to disable session caching and tickets. */
-        int not_resumable;
-        /* The cert is the certificate used to establish this connection */
-        struct sess_cert_st /* SESS_CERT */ *sess_cert;
-        /* This is the cert for the other end.
-         * On clients, it will be the same as sess_cert->peer_key->x509
-         * (the latter is not enough as sess_cert is not retained
-         * in the external representation of sessions, see ssl_asn1.c). */
-        X509 *peer;
-        /* when app_verify_callback accepts a session where the peer's certificate
-         * is not ok, we must remember the error for session reuse: */
-        long verify_result; /* only for servers */
-        long timeout;
-        time_t time;
-        int references;
-        const SSL_CIPHER *cipher;
-        unsigned long cipher_id;        /* when ASN.1 loaded, this
-                                         * needs to be used to load
-                                         * the 'cipher' structure */
-        STACK_OF(SSL_CIPHER) *ciphers; /* shared ciphers? */
-        CRYPTO_EX_DATA ex_data; /* application specific data */
-        /* These are used to make removal of session-ids more
-         * efficient and to implement a maximum cache size. */
-        struct ssl_session_st *prev, *next;
-        char *tlsext_hostname;
-        size_t tlsext_ecpointformatlist_length;
-        uint8_t *tlsext_ecpointformatlist; /* peer's list */
-        size_t tlsext_ellipticcurvelist_length;
-        uint16_t *tlsext_ellipticcurvelist; /* peer's list */
-        /* RFC4507 info */
-        unsigned char *tlsext_tick;     /* Session ticket */
-        size_t tlsext_ticklen;          /* Session ticket length */
-        long tlsext_tick_lifetime_hint; /* Session lifetime hint in seconds */
-};
-#endif
-/* Allow initial connection to servers that don't support RI */
-#define SSL_OP_LEGACY_SERVER_CONNECT                    0x00000004L
-#define SSL_OP_TLSEXT_PADDING                           0x00000010L
-/* Disable SSL 3.0/TLS 1.0 CBC vulnerability workaround that was added
- * in OpenSSL 0.9.6d.  Usually (depending on the application protocol)
- * the workaround is not needed.
- * Unfortunately some broken SSL/TLS implementations cannot handle it
- * at all, which is why it was previously included in SSL_OP_ALL.
- * Now it's not.
- */
-#define SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS              0x00000800L
-/* DTLS options */
-#define SSL_OP_NO_QUERY_MTU                             0x00001000L
-/* Turn on Cookie Exchange (on relevant for servers) */
-#define SSL_OP_COOKIE_EXCHANGE                          0x00002000L
-/* Don't use RFC4507 ticket extension */
-#define SSL_OP_NO_TICKET                                0x00004000L
-/* As server, disallow session resumption on renegotiation */
-#define SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION   0x00010000L
-/* If set, always create a new key when using tmp_ecdh parameters */
-#define SSL_OP_SINGLE_ECDH_USE                          0x00080000L
-/* If set, always create a new key when using tmp_dh parameters */
-#define SSL_OP_SINGLE_DH_USE                            0x00100000L
-/* Set on servers to choose the cipher according to the server's
- * preferences */
-#define SSL_OP_CIPHER_SERVER_PREFERENCE                 0x00400000L
-/* If set, a server will allow a client to issue a SSLv3.0 version number
- * as latest version supported in the premaster secret, even when TLSv1.0
- * (version 3.1) was announced in the client hello. Normally this is
- * forbidden to prevent version rollback attacks. */
-#define SSL_OP_TLS_ROLLBACK_BUG                         0x00800000L
-#define SSL_OP_NO_TLSv1                                 0x04000000L
-#define SSL_OP_NO_TLSv1_2                               0x08000000L
-#define SSL_OP_NO_TLSv1_1                               0x10000000L
-/* Make server add server-hello extension from early version of
- * cryptopro draft, when GOST ciphersuite is negotiated.
- * Required for interoperability with CryptoPro CSP 3.x
- */
-#define SSL_OP_CRYPTOPRO_TLSEXT_BUG                     0x80000000L
-/* SSL_OP_ALL: various bug workarounds that should be rather harmless. */
-#define SSL_OP_ALL \
-    (SSL_OP_LEGACY_SERVER_CONNECT | \
-     SSL_OP_TLSEXT_PADDING | \
-     SSL_OP_CRYPTOPRO_TLSEXT_BUG)
-/* Obsolete flags kept for compatibility. No sane code should use them. */
-#define SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION        0x0
-#define SSL_OP_CISCO_ANYCONNECT                         0x0
-#define SSL_OP_EPHEMERAL_RSA                            0x0
-#define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER               0x0
-#define SSL_OP_MICROSOFT_SESS_ID_BUG                    0x0
-#define SSL_OP_MSIE_SSLV2_RSA_PADDING                   0x0
-#define SSL_OP_NETSCAPE_CA_DN_BUG                       0x0
-#define SSL_OP_NETSCAPE_CHALLENGE_BUG                   0x0
-#define SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG          0x0
-#define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG         0x0
-#define SSL_OP_NO_COMPRESSION                           0x0
-#define SSL_OP_NO_SSLv2                                 0x0
-#define SSL_OP_NO_SSLv3                                 0x0
-#define SSL_OP_PKCS1_CHECK_1                            0x0
-#define SSL_OP_PKCS1_CHECK_2                            0x0
-#define SSL_OP_SAFARI_ECDHE_ECDSA_BUG                   0x0
-#define SSL_OP_SSLEAY_080_CLIENT_DH_BUG                 0x0
-#define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG              0x0
-#define SSL_OP_TLS_BLOCK_PADDING_BUG                    0x0
-#define SSL_OP_TLS_D5_BUG                               0x0
-/* Allow SSL_write(..., n) to return r with 0 < r < n (i.e. report success
- * when just a single record has been written): */
-#define SSL_MODE_ENABLE_PARTIAL_WRITE       0x00000001L
-/* Make it possible to retry SSL_write() with changed buffer location
- * (buffer contents must stay the same!); this is not the default to avoid
- * the misconception that non-blocking SSL_write() behaves like
- * non-blocking write(): */
-#define SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER 0x00000002L
-/* Never bother the application with retries if the transport
- * is blocking: */
-#define SSL_MODE_AUTO_RETRY 0x00000004L
-/* Don't attempt to automatically build certificate chain */
-#define SSL_MODE_NO_AUTO_CHAIN 0x00000008L
-/* Save RAM by releasing read and write buffers when they're empty. (SSL3 and
- * TLS only.)  "Released" buffers are put onto a free-list in the context
- * or just freed (depending on the context's setting for freelist_max_len). */
-#define SSL_MODE_RELEASE_BUFFERS 0x00000010L
-/* Note: SSL[_CTX]_set_{options,mode} use |= op on the previous value,
- * they cannot be used to clear bits. */
-#define SSL_CTX_set_options(ctx,op) \
-        SSL_CTX_ctrl((ctx),SSL_CTRL_OPTIONS,(op),NULL)
-#define SSL_CTX_clear_options(ctx,op) \
-        SSL_CTX_ctrl((ctx),SSL_CTRL_CLEAR_OPTIONS,(op),NULL)
-#define SSL_CTX_get_options(ctx) \
-        SSL_CTX_ctrl((ctx),SSL_CTRL_OPTIONS,0,NULL)
-#define SSL_set_options(ssl,op) \
-        SSL_ctrl((ssl),SSL_CTRL_OPTIONS,(op),NULL)
-#define SSL_clear_options(ssl,op) \
-        SSL_ctrl((ssl),SSL_CTRL_CLEAR_OPTIONS,(op),NULL)
-#define SSL_get_options(ssl) \
-        SSL_ctrl((ssl),SSL_CTRL_OPTIONS,0,NULL)
-#define SSL_CTX_set_mode(ctx,op) \
-        SSL_CTX_ctrl((ctx),SSL_CTRL_MODE,(op),NULL)
-#define SSL_CTX_clear_mode(ctx,op) \
-        SSL_CTX_ctrl((ctx),SSL_CTRL_CLEAR_MODE,(op),NULL)
-#define SSL_CTX_get_mode(ctx) \
-        SSL_CTX_ctrl((ctx),SSL_CTRL_MODE,0,NULL)
-#define SSL_clear_mode(ssl,op) \
-        SSL_ctrl((ssl),SSL_CTRL_CLEAR_MODE,(op),NULL)
-#define SSL_set_mode(ssl,op) \
-        SSL_ctrl((ssl),SSL_CTRL_MODE,(op),NULL)
-#define SSL_get_mode(ssl) \
-        SSL_ctrl((ssl),SSL_CTRL_MODE,0,NULL)
-#define SSL_set_mtu(ssl, mtu) \
-        SSL_ctrl((ssl),SSL_CTRL_SET_MTU,(mtu),NULL)
-#define SSL_get_secure_renegotiation_support(ssl) \
-        SSL_ctrl((ssl), SSL_CTRL_GET_RI_SUPPORT, 0, NULL)
-void SSL_CTX_set_msg_callback(SSL_CTX *ctx, void (*cb)(int write_p,
-    int version, int content_type, const void *buf, size_t len, SSL *ssl,
-    void *arg));
-void SSL_set_msg_callback(SSL *ssl, void (*cb)(int write_p, int version,
-    int content_type, const void *buf, size_t len, SSL *ssl, void *arg));
-#define SSL_CTX_set_msg_callback_arg(ctx, arg) SSL_CTX_ctrl((ctx), SSL_CTRL_SET_MSG_CALLBACK_ARG, 0, (arg))
-#define SSL_set_msg_callback_arg(ssl, arg) SSL_ctrl((ssl), SSL_CTRL_SET_MSG_CALLBACK_ARG, 0, (arg))
-struct ssl_aead_ctx_st;
-typedef struct ssl_aead_ctx_st SSL_AEAD_CTX;
-#define SSL_MAX_CERT_LIST_DEFAULT 1024*100 /* 100k max cert list :-) */
-#define SSL_SESSION_CACHE_MAX_SIZE_DEFAULT      (1024*20)
-/* This callback type is used inside SSL_CTX, SSL, and in the functions that set
- * them. It is used to override the generation of SSL/TLS session IDs in a
- * server. Return value should be zero on an error, non-zero to proceed. Also,
- * callbacks should themselves check if the id they generate is unique otherwise
- * the SSL handshake will fail with an error - callbacks can do this using the
- * 'ssl' value they're passed by;
- *      SSL_has_matching_session_id(ssl, id, *id_len)
- * The length value passed in is set at the maximum size the session ID can be.
- * In SSLv2 this is 16 bytes, whereas SSLv3/TLSv1 it is 32 bytes. The callback
- * can alter this length to be less if desired, but under SSLv2 session IDs are
- * supposed to be fixed at 16 bytes so the id will be padded after the callback
- * returns in this case. It is also an error for the callback to set the size to
- * zero. */
-typedef int (*GEN_SESSION_CB)(const SSL *ssl, unsigned char *id,
-    unsigned int *id_len);
-typedef struct ssl_comp_st SSL_COMP;
-#ifndef OPENSSL_NO_SSL_INTERN
-struct ssl_comp_st {
-        int id;
-        const char *name;
-};
-DECLARE_STACK_OF(SSL_COMP)
-DECLARE_LHASH_OF(SSL_SESSION);
-struct ssl_ctx_st {
-        const SSL_METHOD *method;
-        STACK_OF(SSL_CIPHER) *cipher_list;
-        /* same as above but sorted for lookup */
-        STACK_OF(SSL_CIPHER) *cipher_list_by_id;
-        struct x509_store_st /* X509_STORE */ *cert_store;
-        LHASH_OF(SSL_SESSION) *sessions;
-        /* Most session-ids that will be cached, default is
-         * SSL_SESSION_CACHE_MAX_SIZE_DEFAULT. 0 is unlimited. */
-        unsigned long session_cache_size;
-        struct ssl_session_st *session_cache_head;
-        struct ssl_session_st *session_cache_tail;
-        /* This can have one of 2 values, ored together,
-         * SSL_SESS_CACHE_CLIENT,
-         * SSL_SESS_CACHE_SERVER,
-         * Default is SSL_SESSION_CACHE_SERVER, which means only
-         * SSL_accept which cache SSL_SESSIONS. */
-        int session_cache_mode;
-        /* If timeout is not 0, it is the default timeout value set
-         * when SSL_new() is called.  This has been put in to make
-         * life easier to set things up */
-        long session_timeout;
-        /* If this callback is not null, it will be called each
-         * time a session id is added to the cache.  If this function
-         * returns 1, it means that the callback will do a
-         * SSL_SESSION_free() when it has finished using it.  Otherwise,
-         * on 0, it means the callback has finished with it.
-         * If remove_session_cb is not null, it will be called when
-         * a session-id is removed from the cache.  After the call,
-         * OpenSSL will SSL_SESSION_free() it. */
-        int (*new_session_cb)(struct ssl_st *ssl, SSL_SESSION *sess);
-        void (*remove_session_cb)(struct ssl_ctx_st *ctx, SSL_SESSION *sess);
-        SSL_SESSION *(*get_session_cb)(struct ssl_st *ssl,
-        unsigned char *data, int len, int *copy);
-        struct {
-                int sess_connect;       /* SSL new conn - started */
-                int sess_connect_renegotiate;/* SSL reneg - requested */
-                int sess_connect_good;  /* SSL new conne/reneg - finished */
-                int sess_accept;        /* SSL new accept - started */
-                int sess_accept_renegotiate;/* SSL reneg - requested */
-                int sess_accept_good;   /* SSL accept/reneg - finished */
-                int sess_miss;          /* session lookup misses  */
-                int sess_timeout;       /* reuse attempt on timeouted session */
-                int sess_cache_full;    /* session removed due to full cache */
-                int sess_hit;           /* session reuse actually done */
-                int sess_cb_hit;        /* session-id that was not
-                                         * in the cache was
-                                         * passed back via the callback.  This
-                                         * indicates that the application is
-                                         * supplying session-id's from other
-                                         * processes - spooky :-) */
-        } stats;
-        int references;
-        /* if defined, these override the X509_verify_cert() calls */
-        int (*app_verify_callback)(X509_STORE_CTX *, void *);
-        void *app_verify_arg;
-        /* Default password callback. */
-        pem_password_cb *default_passwd_callback;
-        /* Default password callback user data. */
-        void *default_passwd_callback_userdata;
-        /* get client cert callback */
-        int (*client_cert_cb)(SSL *ssl, X509 **x509, EVP_PKEY **pkey);
-        /* cookie generate callback */
-        int (*app_gen_cookie_cb)(SSL *ssl, unsigned char *cookie,
-        unsigned int *cookie_len);
-        /* verify cookie callback */
-        int (*app_verify_cookie_cb)(SSL *ssl, unsigned char *cookie,
-        unsigned int cookie_len);
-        CRYPTO_EX_DATA ex_data;
-        const EVP_MD *md5;      /* For SSLv3/TLSv1 'ssl3-md5' */
-        const EVP_MD *sha1;     /* For SSLv3/TLSv1 'ssl3-sha1' */
-        STACK_OF(X509) *extra_certs;
-        /* Default values used when no per-SSL value is defined follow */
-        void (*info_callback)(const SSL *ssl,int type,int val); /* used if SSL's info_callback is NULL */
-        /* what we put in client cert requests */
-        STACK_OF(X509_NAME) *client_CA;
-        /* Default values to use in SSL structures follow (these are copied by SSL_new) */
-        unsigned long options;
-        unsigned long mode;
-        long max_cert_list;
-        struct cert_st /* CERT */ *cert;
-        int read_ahead;
-        /* callback that allows applications to peek at protocol messages */
-        void (*msg_callback)(int write_p, int version, int content_type,
-            const void *buf, size_t len, SSL *ssl, void *arg);
-        void *msg_callback_arg;
-        int verify_mode;
-        unsigned int sid_ctx_length;
-        unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH];
-        int (*default_verify_callback)(int ok,X509_STORE_CTX *ctx); /* called 'verify_callback' in the SSL */
-        /* Default generate session ID callback. */
-        GEN_SESSION_CB generate_session_id;
-        X509_VERIFY_PARAM *param;
-        int quiet_shutdown;
-        /* Maximum amount of data to send in one fragment.
-         * actual record size can be more than this due to
-         * padding and MAC overheads.
-         */
-        unsigned int max_send_fragment;
-#ifndef OPENSSL_NO_ENGINE
-        /* Engine to pass requests for client certs to
-         */
-        ENGINE *client_cert_engine;
-#endif
-        /* TLS extensions servername callback */
-        int (*tlsext_servername_callback)(SSL*, int *, void *);
-        void *tlsext_servername_arg;
-        /* RFC 4507 session ticket keys */
-        unsigned char tlsext_tick_key_name[16];
-        unsigned char tlsext_tick_hmac_key[16];
-        unsigned char tlsext_tick_aes_key[16];
-        /* Callback to support customisation of ticket key setting */
-        int (*tlsext_ticket_key_cb)(SSL *ssl, unsigned char *name,
-            unsigned char *iv, EVP_CIPHER_CTX *ectx, HMAC_CTX *hctx, int enc);
-        /* certificate status request info */
-        /* Callback for status request */
-        int (*tlsext_status_cb)(SSL *ssl, void *arg);
-        void *tlsext_status_arg;
-        /* Next protocol negotiation information */
-        /* (for experimental NPN extension). */
-        /* For a server, this contains a callback function by which the set of
-         * advertised protocols can be provided. */
-        int (*next_protos_advertised_cb)(SSL *s, const unsigned char **buf,
-            unsigned int *len, void *arg);
-        void *next_protos_advertised_cb_arg;
-        /* For a client, this contains a callback function that selects the
-         * next protocol from the list provided by the server. */
-        int (*next_proto_select_cb)(SSL *s, unsigned char **out,
-            unsigned char *outlen, const unsigned char *in,
-            unsigned int inlen, void *arg);
-        void *next_proto_select_cb_arg;
-        /*
-         * ALPN information
-         * (we are in the process of transitioning from NPN to ALPN).
-         */
-        /*
-         * Server callback function that allows the server to select the
-         * protocol for the connection.
-         *   out: on successful return, this must point to the raw protocol
-         *       name (without the length prefix).
-         *   outlen: on successful return, this contains the length of out.
-         *   in: points to the client's list of supported protocols in
-         *       wire-format.
-         *   inlen: the length of in.
-         */
-        int (*alpn_select_cb)(SSL *s, const unsigned char **out,
-            unsigned char *outlen, const unsigned char *in, unsigned int inlen,
-            void *arg);
-        void *alpn_select_cb_arg;
-        /* Client list of supported protocols in wire format. */
-        unsigned char *alpn_client_proto_list;
-        unsigned int alpn_client_proto_list_len;
-        /* SRTP profiles we are willing to do from RFC 5764 */
-        STACK_OF(SRTP_PROTECTION_PROFILE) *srtp_profiles;
-};
-#endif
-#define SSL_SESS_CACHE_OFF                      0x0000
-#define SSL_SESS_CACHE_CLIENT                   0x0001
-#define SSL_SESS_CACHE_SERVER                   0x0002
-#define SSL_SESS_CACHE_BOTH     (SSL_SESS_CACHE_CLIENT|SSL_SESS_CACHE_SERVER)
-#define SSL_SESS_CACHE_NO_AUTO_CLEAR            0x0080
-/* enough comments already ... see SSL_CTX_set_session_cache_mode(3) */
-#define SSL_SESS_CACHE_NO_INTERNAL_LOOKUP       0x0100
-#define SSL_SESS_CACHE_NO_INTERNAL_STORE        0x0200
-#define SSL_SESS_CACHE_NO_INTERNAL \
-        (SSL_SESS_CACHE_NO_INTERNAL_LOOKUP|SSL_SESS_CACHE_NO_INTERNAL_STORE)
-LHASH_OF(SSL_SESSION) *SSL_CTX_sessions(SSL_CTX *ctx);
-#define SSL_CTX_sess_number(ctx) \
-        SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_NUMBER,0,NULL)
-#define SSL_CTX_sess_connect(ctx) \
-        SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_CONNECT,0,NULL)
-#define SSL_CTX_sess_connect_good(ctx) \
-        SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_CONNECT_GOOD,0,NULL)
-#define SSL_CTX_sess_connect_renegotiate(ctx) \
-        SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_CONNECT_RENEGOTIATE,0,NULL)
-#define SSL_CTX_sess_accept(ctx) \
-        SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_ACCEPT,0,NULL)
-#define SSL_CTX_sess_accept_renegotiate(ctx) \
-        SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_ACCEPT_RENEGOTIATE,0,NULL)
-#define SSL_CTX_sess_accept_good(ctx) \
-        SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_ACCEPT_GOOD,0,NULL)
-#define SSL_CTX_sess_hits(ctx) \
-        SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_HIT,0,NULL)
-#define SSL_CTX_sess_cb_hits(ctx) \
-        SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_CB_HIT,0,NULL)
-#define SSL_CTX_sess_misses(ctx) \
-        SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_MISSES,0,NULL)
-#define SSL_CTX_sess_timeouts(ctx) \
-        SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_TIMEOUTS,0,NULL)
-#define SSL_CTX_sess_cache_full(ctx) \
-        SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_CACHE_FULL,0,NULL)
-void SSL_CTX_sess_set_new_cb(SSL_CTX *ctx,
-    int (*new_session_cb)(struct ssl_st *ssl, SSL_SESSION *sess));
-int (*SSL_CTX_sess_get_new_cb(SSL_CTX *ctx))(struct ssl_st *ssl,
-    SSL_SESSION *sess);
-void SSL_CTX_sess_set_remove_cb(SSL_CTX *ctx,
-    void (*remove_session_cb)(struct ssl_ctx_st *ctx, SSL_SESSION *sess));
-void (*SSL_CTX_sess_get_remove_cb(SSL_CTX *ctx))(struct ssl_ctx_st *ctx,
-    SSL_SESSION *sess);
-void SSL_CTX_sess_set_get_cb(SSL_CTX *ctx,
-    SSL_SESSION *(*get_session_cb)(struct ssl_st *ssl, unsigned char *data,
-    int len, int *copy));
-SSL_SESSION *(*SSL_CTX_sess_get_get_cb(SSL_CTX *ctx))(struct ssl_st *ssl,
-    unsigned char *Data, int len, int *copy);
-void SSL_CTX_set_info_callback(SSL_CTX *ctx, void (*cb)(const SSL *ssl,
-    int type, int val));
-void (*SSL_CTX_get_info_callback(SSL_CTX *ctx))(const SSL *ssl, int type,
-    int val);
-void SSL_CTX_set_client_cert_cb(SSL_CTX *ctx,
-    int (*client_cert_cb)(SSL *ssl, X509 **x509, EVP_PKEY **pkey));
-int (*SSL_CTX_get_client_cert_cb(SSL_CTX *ctx))(SSL *ssl, X509 **x509,
-    EVP_PKEY **pkey);
-#ifndef OPENSSL_NO_ENGINE
-int SSL_CTX_set_client_cert_engine(SSL_CTX *ctx, ENGINE *e);
-#endif
-void SSL_CTX_set_cookie_generate_cb(SSL_CTX *ctx,
-    int (*app_gen_cookie_cb)(SSL *ssl, unsigned char *cookie,
-    unsigned int *cookie_len));
-void SSL_CTX_set_cookie_verify_cb(SSL_CTX *ctx,
-    int (*app_verify_cookie_cb)(SSL *ssl, unsigned char *cookie,
-    unsigned int cookie_len));
-void
-SSL_CTX_set_next_protos_advertised_cb(SSL_CTX *s, int (*cb)(SSL *ssl,
-    const unsigned char **out, unsigned int *outlen, void *arg), void *arg);
-void SSL_CTX_set_next_proto_select_cb(SSL_CTX *s, int (*cb)(SSL *ssl,
-    unsigned char **out, unsigned char *outlen, const unsigned char *in,
-    unsigned int inlen, void *arg), void *arg);
-int SSL_select_next_proto(unsigned char **out, unsigned char *outlen,
-    const unsigned char *in, unsigned int inlen, const unsigned char *client,
-    unsigned int client_len);
-void SSL_get0_next_proto_negotiated(const SSL *s, const unsigned char **data,
-    unsigned *len);
-#define OPENSSL_NPN_UNSUPPORTED 0
-#define OPENSSL_NPN_NEGOTIATED  1
-#define OPENSSL_NPN_NO_OVERLAP  2
-int SSL_CTX_set_alpn_protos(SSL_CTX *ctx, const unsigned char *protos,
-    unsigned int protos_len);
-int SSL_set_alpn_protos(SSL *ssl, const unsigned char *protos,
-    unsigned int protos_len);
-void SSL_CTX_set_alpn_select_cb(SSL_CTX *ctx,
-    int (*cb)(SSL *ssl, const unsigned char **out, unsigned char *outlen,
-    const unsigned char *in, unsigned int inlen, void *arg), void *arg);
-void SSL_get0_alpn_selected(const SSL *ssl, const unsigned char **data,
-    unsigned int *len);
-#define SSL_NOTHING     1
-#define SSL_WRITING     2
-#define SSL_READING     3
-#define SSL_X509_LOOKUP 4
-/* These will only be used when doing non-blocking IO */
-#define SSL_want_nothing(s)     (SSL_want(s) == SSL_NOTHING)
-#define SSL_want_read(s)        (SSL_want(s) == SSL_READING)
-#define SSL_want_write(s)       (SSL_want(s) == SSL_WRITING)
-#define SSL_want_x509_lookup(s) (SSL_want(s) == SSL_X509_LOOKUP)
-#define SSL_MAC_FLAG_READ_MAC_STREAM 1
-#define SSL_MAC_FLAG_WRITE_MAC_STREAM 2
-#ifndef OPENSSL_NO_SSL_INTERN
-struct ssl_st {
-        /* protocol version
-         * (one of SSL2_VERSION, SSL3_VERSION, TLS1_VERSION, DTLS1_VERSION)
-         */
-        int version;
-        int type; /* SSL_ST_CONNECT or SSL_ST_ACCEPT */
-        const SSL_METHOD *method; /* SSLv3 */
-        /* There are 2 BIO's even though they are normally both the
-         * same.  This is so data can be read and written to different
-         * handlers */
-#ifndef OPENSSL_NO_BIO
-        BIO *rbio; /* used by SSL_read */
-        BIO *wbio; /* used by SSL_write */
-        BIO *bbio; /* used during session-id reuse to concatenate
-                    * messages */
-#else
-        char *rbio; /* used by SSL_read */
-        char *wbio; /* used by SSL_write */
-        char *bbio;
-#endif
-        /* This holds a variable that indicates what we were doing
-         * when a 0 or -1 is returned.  This is needed for
-         * non-blocking IO so we know what request needs re-doing when
-         * in SSL_accept or SSL_connect */
-        int rwstate;
-        /* true when we are actually in SSL_accept() or SSL_connect() */
-        int in_handshake;
-        int (*handshake_func)(SSL *);
-        /* Imagine that here's a boolean member "init" that is
-         * switched as soon as SSL_set_{accept/connect}_state
-         * is called for the first time, so that "state" and
-         * "handshake_func" are properly initialized.  But as
-         * handshake_func is == 0 until then, we use this
-         * test instead of an "init" member.
-         */
-        int server;     /* are we the server side? - mostly used by SSL_clear*/
-        int new_session;/* Generate a new session or reuse an old one.
-                         * NB: For servers, the 'new' session may actually be a previously
-                         * cached session or even the previous session unless
-                         * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION is set */
-        int quiet_shutdown;/* don't send shutdown packets */
-        int shutdown;   /* we have shut things down, 0x01 sent, 0x02
-                         * for received */
-        int state;      /* where we are */
-        int rstate;     /* where we are when reading */
-        BUF_MEM *init_buf;      /* buffer used during init */
-        void *init_msg;         /* pointer to handshake message body, set by ssl3_get_message() */
-        int init_num;           /* amount read/written */
-        int init_off;           /* amount read/written */
-        /* used internally to point at a raw packet */
-        unsigned char *packet;
-        unsigned int packet_length;
-        struct ssl3_state_st *s3; /* SSLv3 variables */
-        struct dtls1_state_st *d1; /* DTLSv1 variables */
-        int read_ahead;         /* Read as many input bytes as possible
-                                 * (for non-blocking reads) */
-        /* callback that allows applications to peek at protocol messages */
-        void (*msg_callback)(int write_p, int version, int content_type,
-            const void *buf, size_t len, SSL *ssl, void *arg);
-        void *msg_callback_arg;
-        int hit;                /* reusing a previous session */
-        X509_VERIFY_PARAM *param;
-        /* crypto */
-        STACK_OF(SSL_CIPHER) *cipher_list;
-        STACK_OF(SSL_CIPHER) *cipher_list_by_id;
-        /* These are the ones being used, the ones in SSL_SESSION are
-         * the ones to be 'copied' into these ones */
-        int mac_flags;
-        SSL_AEAD_CTX *aead_read_ctx;    /* AEAD context. If non-NULL, then
-                                           enc_read_ctx and read_hash are
-                                           ignored. */
-        EVP_CIPHER_CTX *enc_read_ctx;           /* cryptographic state */
-        EVP_MD_CTX *read_hash;                  /* used for mac generation */
-        SSL_AEAD_CTX *aead_write_ctx;   /* AEAD context. If non-NULL, then
-                                           enc_write_ctx and write_hash are
-                                           ignored. */
-        EVP_CIPHER_CTX *enc_write_ctx;          /* cryptographic state */
-        EVP_MD_CTX *write_hash;                 /* used for mac generation */
-        /* session info */
-        /* client cert? */
-        /* This is used to hold the server certificate used */
-        struct cert_st /* CERT */ *cert;
-        /* the session_id_context is used to ensure sessions are only reused
-         * in the appropriate context */
-        unsigned int sid_ctx_length;
-        unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH];
-        /* This can also be in the session once a session is established */
-        SSL_SESSION *session;
-        /* Default generate session ID callback. */
-        GEN_SESSION_CB generate_session_id;
-        /* Used in SSL2 and SSL3 */
-        int verify_mode;        /* 0 don't care about verify failure.
-                                 * 1 fail if verify fails */
-        int (*verify_callback)(int ok,X509_STORE_CTX *ctx); /* fail if callback returns 0 */
-        void (*info_callback)(const SSL *ssl,int type,int val); /* optional informational callback */
-        int error;              /* error bytes to be written */
-        int error_code;         /* actual code */
-        SSL_CTX *ctx;
-        /* set this flag to 1 and a sleep(1) is put into all SSL_read()
-         * and SSL_write() calls, good for nbio debuging :-) */
-        int debug;
-        /* extra application data */
-        long verify_result;
-        CRYPTO_EX_DATA ex_data;
-        /* for server side, keep the list of CA_dn we can use */
-        STACK_OF(X509_NAME) *client_CA;
-        int references;
-        unsigned long options; /* protocol behaviour */
-        unsigned long mode; /* API behaviour */
-        long max_cert_list;
-        int first_packet;
-        int client_version;     /* what was passed, used for
-                                 * SSLv3/TLS rollback check */
-        unsigned int max_send_fragment;
-        /* TLS extension debug callback */
-        void (*tlsext_debug_cb)(SSL *s, int client_server, int type,
-            unsigned char *data, int len, void *arg);
-        void *tlsext_debug_arg;
-        char *tlsext_hostname;
-        int servername_done;    /* no further mod of servername
-                                   0 : call the servername extension callback.
-                                   1 : prepare 2, allow last ack just after in server callback.
-                                   2 : don't call servername callback, no ack in server hello
-                                   */
-        /* certificate status request info */
-        /* Status type or -1 if no status type */
-        int tlsext_status_type;
-        /* Expect OCSP CertificateStatus message */
-        int tlsext_status_expected;
-        /* OCSP status request only */
-        STACK_OF(OCSP_RESPID) *tlsext_ocsp_ids;
-        X509_EXTENSIONS *tlsext_ocsp_exts;
-        /* OCSP response received or to be sent */
-        unsigned char *tlsext_ocsp_resp;
-        int tlsext_ocsp_resplen;
-        /* RFC4507 session ticket expected to be received or sent */
-        int tlsext_ticket_expected;
-        size_t tlsext_ecpointformatlist_length;
-        uint8_t *tlsext_ecpointformatlist; /* our list */
-        size_t tlsext_ellipticcurvelist_length;
-        uint16_t *tlsext_ellipticcurvelist; /* our list */
-        /* TLS Session Ticket extension override */
-        TLS_SESSION_TICKET_EXT *tlsext_session_ticket;
-        /* TLS Session Ticket extension callback */
-        tls_session_ticket_ext_cb_fn tls_session_ticket_ext_cb;
-        void *tls_session_ticket_ext_cb_arg;
-        /* TLS pre-shared secret session resumption */
-        tls_session_secret_cb_fn tls_session_secret_cb;
-        void *tls_session_secret_cb_arg;
-        SSL_CTX * initial_ctx; /* initial ctx, used to store sessions */
-        /* Next protocol negotiation. For the client, this is the protocol that
-         * we sent in NextProtocol and is set when handling ServerHello
-         * extensions.
-         *
-         * For a server, this is the client's selected_protocol from
-         * NextProtocol and is set when handling the NextProtocol message,
-         * before the Finished message. */
-        unsigned char *next_proto_negotiated;
-        unsigned char next_proto_negotiated_len;
-#define session_ctx initial_ctx
-        STACK_OF(SRTP_PROTECTION_PROFILE) *srtp_profiles;       /* What we'll do */
-        SRTP_PROTECTION_PROFILE *srtp_profile;                  /* What's been chosen */
-        unsigned int tlsext_heartbeat;  /* Is use of the Heartbeat extension negotiated?
-                                           0: disabled
-                                           1: enabled
-                                           2: enabled, but not allowed to send Requests
-                                           */
-        unsigned int tlsext_hb_pending; /* Indicates if a HeartbeatRequest is in flight */
-        unsigned int tlsext_hb_seq;     /* HeartbeatRequest sequence number */
-        /* Client list of supported protocols in wire format. */
-        unsigned char *alpn_client_proto_list;
-        unsigned int alpn_client_proto_list_len;
-        int renegotiate;/* 1 if we are renegotiating.
-                         * 2 if we are a server and are inside a handshake
-                         * (i.e. not just sending a HelloRequest) */
-};
-#endif
-#ifdef __cplusplus
-}
-#endif
-#include <openssl/ssl2.h>
-#include <openssl/ssl3.h>
-#include <openssl/tls1.h>       /* This is mostly sslv3 with a few tweaks */
-#include <openssl/dtls1.h>      /* Datagram TLS */
-#include <openssl/ssl23.h>
-#include <openssl/srtp.h>       /* Support for the use_srtp extension */
-#ifdef  __cplusplus
-extern "C" {
-#endif
-/* compatibility */
-#define SSL_set_app_data(s,arg)         (SSL_set_ex_data(s,0,(char *)arg))
-#define SSL_get_app_data(s)             (SSL_get_ex_data(s,0))
-#define SSL_SESSION_set_app_data(s,a)   (SSL_SESSION_set_ex_data(s,0,(char *)a))
-#define SSL_SESSION_get_app_data(s)     (SSL_SESSION_get_ex_data(s,0))
-#define SSL_CTX_get_app_data(ctx)       (SSL_CTX_get_ex_data(ctx,0))
-#define SSL_CTX_set_app_data(ctx,arg)   (SSL_CTX_set_ex_data(ctx,0,(char *)arg))
-/* The following are the possible values for ssl->state are are
- * used to indicate where we are up to in the SSL connection establishment.
- * The macros that follow are about the only things you should need to use
- * and even then, only when using non-blocking IO.
- * It can also be useful to work out where you were when the connection
- * failed */
-#define SSL_ST_CONNECT                  0x1000
-#define SSL_ST_ACCEPT                   0x2000
-#define SSL_ST_MASK                     0x0FFF
-#define SSL_ST_INIT                     (SSL_ST_CONNECT|SSL_ST_ACCEPT)
-#define SSL_ST_BEFORE                   0x4000
-#define SSL_ST_OK                       0x03
-#define SSL_ST_RENEGOTIATE              (0x04|SSL_ST_INIT)
-#define SSL_CB_LOOP                     0x01
-#define SSL_CB_EXIT                     0x02
-#define SSL_CB_READ                     0x04
-#define SSL_CB_WRITE                    0x08
-#define SSL_CB_ALERT                    0x4000 /* used in callback */
-#define SSL_CB_READ_ALERT               (SSL_CB_ALERT|SSL_CB_READ)
-#define SSL_CB_WRITE_ALERT              (SSL_CB_ALERT|SSL_CB_WRITE)
-#define SSL_CB_ACCEPT_LOOP              (SSL_ST_ACCEPT|SSL_CB_LOOP)
-#define SSL_CB_ACCEPT_EXIT              (SSL_ST_ACCEPT|SSL_CB_EXIT)
-#define SSL_CB_CONNECT_LOOP             (SSL_ST_CONNECT|SSL_CB_LOOP)
-#define SSL_CB_CONNECT_EXIT             (SSL_ST_CONNECT|SSL_CB_EXIT)
-#define SSL_CB_HANDSHAKE_START          0x10
-#define SSL_CB_HANDSHAKE_DONE           0x20
-/* Is the SSL_connection established? */
-#define SSL_get_state(a)                SSL_state(a)
-#define SSL_is_init_finished(a)         (SSL_state(a) == SSL_ST_OK)
-#define SSL_in_init(a)                  (SSL_state(a)&SSL_ST_INIT)
-#define SSL_in_before(a)                (SSL_state(a)&SSL_ST_BEFORE)
-#define SSL_in_connect_init(a)          (SSL_state(a)&SSL_ST_CONNECT)
-#define SSL_in_accept_init(a)           (SSL_state(a)&SSL_ST_ACCEPT)
-/* The following 2 states are kept in ssl->rstate when reads fail,
- * you should not need these */
-#define SSL_ST_READ_HEADER              0xF0
-#define SSL_ST_READ_BODY                0xF1
-#define SSL_ST_READ_DONE                0xF2
-/* Obtain latest Finished message
- *   -- that we sent (SSL_get_finished)
- *   -- that we expected from peer (SSL_get_peer_finished).
- * Returns length (0 == no Finished so far), copies up to 'count' bytes. */
-size_t SSL_get_finished(const SSL *s, void *buf, size_t count);
-size_t SSL_get_peer_finished(const SSL *s, void *buf, size_t count);
-/* use either SSL_VERIFY_NONE or SSL_VERIFY_PEER, the last 2 options
- * are 'ored' with SSL_VERIFY_PEER if they are desired */
-#define SSL_VERIFY_NONE                 0x00
-#define SSL_VERIFY_PEER                 0x01
-#define SSL_VERIFY_FAIL_IF_NO_PEER_CERT 0x02
-#define SSL_VERIFY_CLIENT_ONCE          0x04
-#define OpenSSL_add_ssl_algorithms()    SSL_library_init()
-#define SSLeay_add_ssl_algorithms()     SSL_library_init()
-/* More backward compatibility */
-#define SSL_get_cipher(s) \
-                SSL_CIPHER_get_name(SSL_get_current_cipher(s))
-#define SSL_get_cipher_bits(s,np) \
-                SSL_CIPHER_get_bits(SSL_get_current_cipher(s),np)
-#define SSL_get_cipher_version(s) \
-                SSL_CIPHER_get_version(SSL_get_current_cipher(s))
-#define SSL_get_cipher_name(s) \
-                SSL_CIPHER_get_name(SSL_get_current_cipher(s))
-#define SSL_get_time(a)         SSL_SESSION_get_time(a)
-#define SSL_set_time(a,b)       SSL_SESSION_set_time((a),(b))
-#define SSL_get_timeout(a)      SSL_SESSION_get_timeout(a)
-#define SSL_set_timeout(a,b)    SSL_SESSION_set_timeout((a),(b))
-#define d2i_SSL_SESSION_bio(bp,s_id) ASN1_d2i_bio_of(SSL_SESSION,SSL_SESSION_new,d2i_SSL_SESSION,bp,s_id)
-#define i2d_SSL_SESSION_bio(bp,s_id) ASN1_i2d_bio_of(SSL_SESSION,i2d_SSL_SESSION,bp,s_id)
-DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
-#define SSL_AD_REASON_OFFSET            1000 /* offset to get SSL_R_... value from SSL_AD_... */
-/* These alert types are for SSLv3 and TLSv1 */
-#define SSL_AD_CLOSE_NOTIFY             SSL3_AD_CLOSE_NOTIFY
-#define SSL_AD_UNEXPECTED_MESSAGE       SSL3_AD_UNEXPECTED_MESSAGE /* fatal */
-#define SSL_AD_BAD_RECORD_MAC           SSL3_AD_BAD_RECORD_MAC     /* fatal */
-#define SSL_AD_DECRYPTION_FAILED        TLS1_AD_DECRYPTION_FAILED
-#define SSL_AD_RECORD_OVERFLOW          TLS1_AD_RECORD_OVERFLOW
-#define SSL_AD_DECOMPRESSION_FAILURE    SSL3_AD_DECOMPRESSION_FAILURE/* fatal */
-#define SSL_AD_HANDSHAKE_FAILURE        SSL3_AD_HANDSHAKE_FAILURE/* fatal */
-#define SSL_AD_NO_CERTIFICATE           SSL3_AD_NO_CERTIFICATE /* Not for TLS */
-#define SSL_AD_BAD_CERTIFICATE          SSL3_AD_BAD_CERTIFICATE
-#define SSL_AD_UNSUPPORTED_CERTIFICATE  SSL3_AD_UNSUPPORTED_CERTIFICATE
-#define SSL_AD_CERTIFICATE_REVOKED      SSL3_AD_CERTIFICATE_REVOKED
-#define SSL_AD_CERTIFICATE_EXPIRED      SSL3_AD_CERTIFICATE_EXPIRED
-#define SSL_AD_CERTIFICATE_UNKNOWN      SSL3_AD_CERTIFICATE_UNKNOWN
-#define SSL_AD_ILLEGAL_PARAMETER        SSL3_AD_ILLEGAL_PARAMETER   /* fatal */
-#define SSL_AD_UNKNOWN_CA               TLS1_AD_UNKNOWN_CA      /* fatal */
-#define SSL_AD_ACCESS_DENIED            TLS1_AD_ACCESS_DENIED   /* fatal */
-#define SSL_AD_DECODE_ERROR             TLS1_AD_DECODE_ERROR    /* fatal */
-#define SSL_AD_DECRYPT_ERROR            TLS1_AD_DECRYPT_ERROR
-#define SSL_AD_EXPORT_RESTRICTION       TLS1_AD_EXPORT_RESTRICTION/* fatal */
-#define SSL_AD_PROTOCOL_VERSION         TLS1_AD_PROTOCOL_VERSION /* fatal */
-#define SSL_AD_INSUFFICIENT_SECURITY    TLS1_AD_INSUFFICIENT_SECURITY/* fatal */
-#define SSL_AD_INTERNAL_ERROR           TLS1_AD_INTERNAL_ERROR  /* fatal */
-#define SSL_AD_INAPPROPRIATE_FALLBACK   TLS1_AD_INAPPROPRIATE_FALLBACK /* fatal */
-#define SSL_AD_USER_CANCELLED           TLS1_AD_USER_CANCELLED
-#define SSL_AD_NO_RENEGOTIATION         TLS1_AD_NO_RENEGOTIATION
-#define SSL_AD_UNSUPPORTED_EXTENSION    TLS1_AD_UNSUPPORTED_EXTENSION
-#define SSL_AD_CERTIFICATE_UNOBTAINABLE TLS1_AD_CERTIFICATE_UNOBTAINABLE
-#define SSL_AD_UNRECOGNIZED_NAME        TLS1_AD_UNRECOGNIZED_NAME
-#define SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE
-#define SSL_AD_BAD_CERTIFICATE_HASH_VALUE TLS1_AD_BAD_CERTIFICATE_HASH_VALUE
-#define SSL_AD_UNKNOWN_PSK_IDENTITY     TLS1_AD_UNKNOWN_PSK_IDENTITY /* fatal */
-#define SSL_ERROR_NONE                  0
-#define SSL_ERROR_SSL                   1
-#define SSL_ERROR_WANT_READ             2
-#define SSL_ERROR_WANT_WRITE            3
-#define SSL_ERROR_WANT_X509_LOOKUP      4
-#define SSL_ERROR_SYSCALL               5 /* look at error stack/return value/errno */
-#define SSL_ERROR_ZERO_RETURN           6
-#define SSL_ERROR_WANT_CONNECT          7
-#define SSL_ERROR_WANT_ACCEPT           8
-#define SSL_CTRL_NEED_TMP_RSA                   1
-#define SSL_CTRL_SET_TMP_RSA                    2
-#define SSL_CTRL_SET_TMP_DH                     3
-#define SSL_CTRL_SET_TMP_ECDH                   4
-#define SSL_CTRL_SET_TMP_RSA_CB                 5
-#define SSL_CTRL_SET_TMP_DH_CB                  6
-#define SSL_CTRL_SET_TMP_ECDH_CB                7
-#define SSL_CTRL_GET_SESSION_REUSED             8
-#define SSL_CTRL_GET_CLIENT_CERT_REQUEST        9
-#define SSL_CTRL_GET_NUM_RENEGOTIATIONS         10
-#define SSL_CTRL_CLEAR_NUM_RENEGOTIATIONS       11
-#define SSL_CTRL_GET_TOTAL_RENEGOTIATIONS       12
-#define SSL_CTRL_GET_FLAGS                      13
-#define SSL_CTRL_EXTRA_CHAIN_CERT               14
-#define SSL_CTRL_SET_MSG_CALLBACK               15
-#define SSL_CTRL_SET_MSG_CALLBACK_ARG           16
-/* only applies to datagram connections */
-#define SSL_CTRL_SET_MTU                17
-/* Stats */
-#define SSL_CTRL_SESS_NUMBER                    20
-#define SSL_CTRL_SESS_CONNECT                   21
-#define SSL_CTRL_SESS_CONNECT_GOOD              22
-#define SSL_CTRL_SESS_CONNECT_RENEGOTIATE       23
-#define SSL_CTRL_SESS_ACCEPT                    24
-#define SSL_CTRL_SESS_ACCEPT_GOOD               25
-#define SSL_CTRL_SESS_ACCEPT_RENEGOTIATE        26
-#define SSL_CTRL_SESS_HIT                       27
-#define SSL_CTRL_SESS_CB_HIT                    28
-#define SSL_CTRL_SESS_MISSES                    29
-#define SSL_CTRL_SESS_TIMEOUTS                  30
-#define SSL_CTRL_SESS_CACHE_FULL                31
-#define SSL_CTRL_OPTIONS                        32
-#define SSL_CTRL_MODE                           33
-#define SSL_CTRL_GET_READ_AHEAD                 40
-#define SSL_CTRL_SET_READ_AHEAD                 41
-#define SSL_CTRL_SET_SESS_CACHE_SIZE            42
-#define SSL_CTRL_GET_SESS_CACHE_SIZE            43
-#define SSL_CTRL_SET_SESS_CACHE_MODE            44
-#define SSL_CTRL_GET_SESS_CACHE_MODE            45
-#define SSL_CTRL_GET_MAX_CERT_LIST              50
-#define SSL_CTRL_SET_MAX_CERT_LIST              51
-#define SSL_CTRL_SET_MAX_SEND_FRAGMENT          52
-/* see tls1.h for macros based on these */
-#define SSL_CTRL_SET_TLSEXT_SERVERNAME_CB       53
-#define SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG      54
-#define SSL_CTRL_SET_TLSEXT_HOSTNAME            55
-#define SSL_CTRL_SET_TLSEXT_DEBUG_CB            56
-#define SSL_CTRL_SET_TLSEXT_DEBUG_ARG           57
-#define SSL_CTRL_GET_TLSEXT_TICKET_KEYS         58
-#define SSL_CTRL_SET_TLSEXT_TICKET_KEYS         59
-#define SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB       63
-#define SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB_ARG   64
-#define SSL_CTRL_SET_TLSEXT_STATUS_REQ_TYPE     65
-#define SSL_CTRL_GET_TLSEXT_STATUS_REQ_EXTS     66
-#define SSL_CTRL_SET_TLSEXT_STATUS_REQ_EXTS     67
-#define SSL_CTRL_GET_TLSEXT_STATUS_REQ_IDS      68
-#define SSL_CTRL_SET_TLSEXT_STATUS_REQ_IDS      69
-#define SSL_CTRL_GET_TLSEXT_STATUS_REQ_OCSP_RESP        70
-#define SSL_CTRL_SET_TLSEXT_STATUS_REQ_OCSP_RESP        71
-#define SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB       72
-#define SSL_CTRL_SET_TLS_EXT_SRP_USERNAME_CB    75
-#define SSL_CTRL_SET_SRP_VERIFY_PARAM_CB                76
-#define SSL_CTRL_SET_SRP_GIVE_CLIENT_PWD_CB             77
-#define SSL_CTRL_SET_SRP_ARG            78
-#define SSL_CTRL_SET_TLS_EXT_SRP_USERNAME               79
-#define SSL_CTRL_SET_TLS_EXT_SRP_STRENGTH               80
-#define SSL_CTRL_SET_TLS_EXT_SRP_PASSWORD               81
-#define DTLS_CTRL_GET_TIMEOUT           73
-#define DTLS_CTRL_HANDLE_TIMEOUT        74
-#define DTLS_CTRL_LISTEN                        75
-#define SSL_CTRL_GET_RI_SUPPORT                 76
-#define SSL_CTRL_CLEAR_OPTIONS                  77
-#define SSL_CTRL_CLEAR_MODE                     78
-#define SSL_CTRL_GET_EXTRA_CHAIN_CERTS          82
-#define SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS        83
-#define SSL_CTRL_SET_ECDH_AUTO                          94
-#define SSL_CTRL_SET_DH_AUTO                    118
-#define DTLSv1_get_timeout(ssl, arg) \
-        SSL_ctrl(ssl,DTLS_CTRL_GET_TIMEOUT,0, (void *)arg)
-#define DTLSv1_handle_timeout(ssl) \
-        SSL_ctrl(ssl,DTLS_CTRL_HANDLE_TIMEOUT,0, NULL)
-#define DTLSv1_listen(ssl, peer) \
-        SSL_ctrl(ssl,DTLS_CTRL_LISTEN,0, (void *)peer)
-#define SSL_session_reused(ssl) \
-        SSL_ctrl((ssl),SSL_CTRL_GET_SESSION_REUSED,0,NULL)
-#define SSL_num_renegotiations(ssl) \
-        SSL_ctrl((ssl),SSL_CTRL_GET_NUM_RENEGOTIATIONS,0,NULL)
-#define SSL_clear_num_renegotiations(ssl) \
-        SSL_ctrl((ssl),SSL_CTRL_CLEAR_NUM_RENEGOTIATIONS,0,NULL)
-#define SSL_total_renegotiations(ssl) \
-        SSL_ctrl((ssl),SSL_CTRL_GET_TOTAL_RENEGOTIATIONS,0,NULL)
-#define SSL_CTX_need_tmp_RSA(ctx) \
-        SSL_CTX_ctrl(ctx,SSL_CTRL_NEED_TMP_RSA,0,NULL)
-#define SSL_CTX_set_tmp_rsa(ctx,rsa) \
-        SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TMP_RSA,0,(char *)rsa)
-#define SSL_CTX_set_tmp_dh(ctx,dh) \
-        SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TMP_DH,0,(char *)dh)
-#define SSL_CTX_set_tmp_ecdh(ctx,ecdh) \
-        SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TMP_ECDH,0,(char *)ecdh)
-#define SSL_CTX_set_dh_auto(ctx, onoff) \
-        SSL_CTX_ctrl(ctx,SSL_CTRL_SET_DH_AUTO,onoff,NULL)
-#define SSL_CTX_set_ecdh_auto(ctx, onoff) \
-        SSL_CTX_ctrl(ctx,SSL_CTRL_SET_ECDH_AUTO,onoff,NULL)
-#define SSL_need_tmp_RSA(ssl) \
-        SSL_ctrl(ssl,SSL_CTRL_NEED_TMP_RSA,0,NULL)
-#define SSL_set_tmp_rsa(ssl,rsa) \
-        SSL_ctrl(ssl,SSL_CTRL_SET_TMP_RSA,0,(char *)rsa)
-#define SSL_set_tmp_dh(ssl,dh) \
-        SSL_ctrl(ssl,SSL_CTRL_SET_TMP_DH,0,(char *)dh)
-#define SSL_set_tmp_ecdh(ssl,ecdh) \
-        SSL_ctrl(ssl,SSL_CTRL_SET_TMP_ECDH,0,(char *)ecdh)
-#define SSL_set_dh_auto(s, onoff) \
-        SSL_ctrl(s,SSL_CTRL_SET_DH_AUTO,onoff,NULL)
-#define SSL_set_ecdh_auto(s, onoff) \
-        SSL_ctrl(s,SSL_CTRL_SET_ECDH_AUTO,onoff,NULL)
-#define SSL_CTX_add_extra_chain_cert(ctx,x509) \
-        SSL_CTX_ctrl(ctx,SSL_CTRL_EXTRA_CHAIN_CERT,0,(char *)x509)
-#define SSL_CTX_get_extra_chain_certs(ctx,px509) \
-        SSL_CTX_ctrl(ctx,SSL_CTRL_GET_EXTRA_CHAIN_CERTS,0,px509)
-#define SSL_CTX_clear_extra_chain_certs(ctx) \
-        SSL_CTX_ctrl(ctx,SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS,0,NULL)
-#ifndef OPENSSL_NO_BIO
-BIO_METHOD *BIO_f_ssl(void);
-BIO *BIO_new_ssl(SSL_CTX *ctx, int client);
-BIO *BIO_new_ssl_connect(SSL_CTX *ctx);
-BIO *BIO_new_buffer_ssl_connect(SSL_CTX *ctx);
-int BIO_ssl_copy_session_id(BIO *to, BIO *from);
-void BIO_ssl_shutdown(BIO *ssl_bio);
-#endif
-int     SSL_CTX_set_cipher_list(SSL_CTX *, const char *str);
-SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth);
-void    SSL_CTX_free(SSL_CTX *);
-long SSL_CTX_set_timeout(SSL_CTX *ctx, long t);
-long SSL_CTX_get_timeout(const SSL_CTX *ctx);
-X509_STORE *SSL_CTX_get_cert_store(const SSL_CTX *);
-void SSL_CTX_set_cert_store(SSL_CTX *, X509_STORE *);
-int SSL_want(const SSL *s);
-int     SSL_clear(SSL *s);
-void    SSL_CTX_flush_sessions(SSL_CTX *ctx, long tm);
-const SSL_CIPHER *SSL_get_current_cipher(const SSL *s);
-const SSL_CIPHER *SSL_CIPHER_get_by_id(unsigned int id);
-const SSL_CIPHER *SSL_CIPHER_get_by_value(uint16_t value);
-int     SSL_CIPHER_get_bits(const SSL_CIPHER *c, int *alg_bits);
-char *  SSL_CIPHER_get_version(const SSL_CIPHER *c);
-const char *    SSL_CIPHER_get_name(const SSL_CIPHER *c);
-unsigned long   SSL_CIPHER_get_id(const SSL_CIPHER *c);
-uint16_t SSL_CIPHER_get_value(const SSL_CIPHER *c);
-int     SSL_get_fd(const SSL *s);
-int     SSL_get_rfd(const SSL *s);
-int     SSL_get_wfd(const SSL *s);
-const char  * SSL_get_cipher_list(const SSL *s, int n);
-char *  SSL_get_shared_ciphers(const SSL *s, char *buf, int len);
-int     SSL_get_read_ahead(const SSL * s);
-int     SSL_pending(const SSL *s);
-int     SSL_set_fd(SSL *s, int fd);
-int     SSL_set_rfd(SSL *s, int fd);
-int     SSL_set_wfd(SSL *s, int fd);
-#ifndef OPENSSL_NO_BIO
-void    SSL_set_bio(SSL *s, BIO *rbio, BIO *wbio);
-BIO *   SSL_get_rbio(const SSL *s);
-BIO *   SSL_get_wbio(const SSL *s);
-#endif
-int     SSL_set_cipher_list(SSL *s, const char *str);
-void    SSL_set_read_ahead(SSL *s, int yes);
-int     SSL_get_verify_mode(const SSL *s);
-int     SSL_get_verify_depth(const SSL *s);
-int     (*SSL_get_verify_callback(const SSL *s))(int, X509_STORE_CTX *);
-void    SSL_set_verify(SSL *s, int mode,
-            int (*callback)(int ok, X509_STORE_CTX *ctx));
-void    SSL_set_verify_depth(SSL *s, int depth);
-int     SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa);
-int     SSL_use_RSAPrivateKey_ASN1(SSL *ssl, unsigned char *d, long len);
-int     SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey);
-int     SSL_use_PrivateKey_ASN1(int pk, SSL *ssl, const unsigned char *d, long len);
-int     SSL_use_certificate(SSL *ssl, X509 *x);
-int     SSL_use_certificate_ASN1(SSL *ssl, const unsigned char *d, int len);
-int     SSL_use_RSAPrivateKey_file(SSL *ssl, const char *file, int type);
-int     SSL_use_PrivateKey_file(SSL *ssl, const char *file, int type);
-int     SSL_use_certificate_file(SSL *ssl, const char *file, int type);
-int     SSL_CTX_use_RSAPrivateKey_file(SSL_CTX *ctx, const char *file, int type);
-int     SSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, const char *file, int type);
-int     SSL_CTX_use_certificate_file(SSL_CTX *ctx, const char *file, int type);
-int     SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file); /* PEM type */
-int     SSL_CTX_use_certificate_chain_mem(SSL_CTX *ctx, void *buf, int len);
-STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file);
-int     SSL_add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *stackCAs,
-            const char *file);
-int     SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stackCAs,
-            const char *dir);
-void    SSL_load_error_strings(void );
-const char *SSL_state_string(const SSL *s);
-const char *SSL_rstate_string(const SSL *s);
-const char *SSL_state_string_long(const SSL *s);
-const char *SSL_rstate_string_long(const SSL *s);
-long    SSL_SESSION_get_time(const SSL_SESSION *s);
-long    SSL_SESSION_set_time(SSL_SESSION *s, long t);
-long    SSL_SESSION_get_timeout(const SSL_SESSION *s);
-long    SSL_SESSION_set_timeout(SSL_SESSION *s, long t);
-void    SSL_copy_session_id(SSL *to, const SSL *from);
-X509 *SSL_SESSION_get0_peer(SSL_SESSION *s);
-int
-SSL_SESSION_set1_id_context(SSL_SESSION *s, const unsigned char *sid_ctx,
-unsigned int sid_ctx_len);
-SSL_SESSION *SSL_SESSION_new(void);
-const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *s,
-            unsigned int *len);
-unsigned int SSL_SESSION_get_compress_id(const SSL_SESSION *s);
-int     SSL_SESSION_print_fp(FILE *fp, const SSL_SESSION *ses);
-#ifndef OPENSSL_NO_BIO
-int     SSL_SESSION_print(BIO *fp, const SSL_SESSION *ses);
-#endif
-void    SSL_SESSION_free(SSL_SESSION *ses);
-int     i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp);
-int     SSL_set_session(SSL *to, SSL_SESSION *session);
-int     SSL_CTX_add_session(SSL_CTX *s, SSL_SESSION *c);
-int     SSL_CTX_remove_session(SSL_CTX *, SSL_SESSION *c);
-int     SSL_CTX_set_generate_session_id(SSL_CTX *, GEN_SESSION_CB);
-int     SSL_set_generate_session_id(SSL *, GEN_SESSION_CB);
-int     SSL_has_matching_session_id(const SSL *ssl, const unsigned char *id,
-            unsigned int id_len);
-SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp,
-            long length);
-#ifdef HEADER_X509_H
-X509 *  SSL_get_peer_certificate(const SSL *s);
-#endif
-STACK_OF(X509) *SSL_get_peer_cert_chain(const SSL *s);
-int SSL_CTX_get_verify_mode(const SSL_CTX *ctx);
-int SSL_CTX_get_verify_depth(const SSL_CTX *ctx);
-int (*SSL_CTX_get_verify_callback(const SSL_CTX *ctx))(int, X509_STORE_CTX *);
-void SSL_CTX_set_verify(SSL_CTX *ctx, int mode,
-    int (*callback)(int, X509_STORE_CTX *));
-void SSL_CTX_set_verify_depth(SSL_CTX *ctx, int depth);
-void SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx, int (*cb)(X509_STORE_CTX *, void *), void *arg);
-int SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa);
-int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, const unsigned char *d, long len);
-int SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey);
-int SSL_CTX_use_PrivateKey_ASN1(int pk, SSL_CTX *ctx, const unsigned char *d, long len);
-int SSL_CTX_use_certificate(SSL_CTX *ctx, X509 *x);
-int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, int len, const unsigned char *d);
-void SSL_CTX_set_default_passwd_cb(SSL_CTX *ctx, pem_password_cb *cb);
-void SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX *ctx, void *u);
-int SSL_CTX_check_private_key(const SSL_CTX *ctx);
-int SSL_check_private_key(const SSL *ctx);
-int SSL_CTX_set_session_id_context(SSL_CTX *ctx, const unsigned char *sid_ctx, unsigned int sid_ctx_len);
-SSL *SSL_new(SSL_CTX *ctx);
-int SSL_set_session_id_context(SSL *ssl, const unsigned char *sid_ctx, unsigned int sid_ctx_len);
-int SSL_CTX_set_purpose(SSL_CTX *s, int purpose);
-int SSL_set_purpose(SSL *s, int purpose);
-int SSL_CTX_set_trust(SSL_CTX *s, int trust);
-int SSL_set_trust(SSL *s, int trust);
-int SSL_CTX_set1_param(SSL_CTX *ctx, X509_VERIFY_PARAM *vpm);
-int SSL_set1_param(SSL *ssl, X509_VERIFY_PARAM *vpm);
-void    SSL_free(SSL *ssl);
-int     SSL_accept(SSL *ssl);
-int     SSL_connect(SSL *ssl);
-int     SSL_read(SSL *ssl, void *buf, int num);
-int     SSL_peek(SSL *ssl, void *buf, int num);
-int     SSL_write(SSL *ssl, const void *buf, int num);
-long    SSL_ctrl(SSL *ssl, int cmd, long larg, void *parg);
-long    SSL_callback_ctrl(SSL *, int, void (*)(void));
-long    SSL_CTX_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg);
-long    SSL_CTX_callback_ctrl(SSL_CTX *, int, void (*)(void));
-int     SSL_get_error(const SSL *s, int ret_code);
-const char *SSL_get_version(const SSL *s);
-/* This sets the 'default' SSL version that SSL_new() will create */
-int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth);
-const SSL_METHOD *SSLv23_method(void);          /* SSLv3 or TLSv1.* */
-const SSL_METHOD *SSLv23_server_method(void);   /* SSLv3 or TLSv1.* */
-const SSL_METHOD *SSLv23_client_method(void);   /* SSLv3 or TLSv1.* */
-const SSL_METHOD *TLSv1_method(void);           /* TLSv1.0 */
-const SSL_METHOD *TLSv1_server_method(void);    /* TLSv1.0 */
-const SSL_METHOD *TLSv1_client_method(void);    /* TLSv1.0 */
-const SSL_METHOD *TLSv1_1_method(void);         /* TLSv1.1 */
-const SSL_METHOD *TLSv1_1_server_method(void);  /* TLSv1.1 */
-const SSL_METHOD *TLSv1_1_client_method(void);  /* TLSv1.1 */
-const SSL_METHOD *TLSv1_2_method(void);         /* TLSv1.2 */
-const SSL_METHOD *TLSv1_2_server_method(void);  /* TLSv1.2 */
-const SSL_METHOD *TLSv1_2_client_method(void);  /* TLSv1.2 */
-const SSL_METHOD *TLS_method(void);             /* TLS v1.0 or later */
-const SSL_METHOD *TLS_server_method(void);      /* TLS v1.0 or later */
-const SSL_METHOD *TLS_client_method(void);      /* TLS v1.0 or later */
-const SSL_METHOD *DTLSv1_method(void);          /* DTLSv1.0 */
-const SSL_METHOD *DTLSv1_server_method(void);   /* DTLSv1.0 */
-const SSL_METHOD *DTLSv1_client_method(void);   /* DTLSv1.0 */
-STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *s);
-int SSL_do_handshake(SSL *s);
-int SSL_renegotiate(SSL *s);
-int SSL_renegotiate_abbreviated(SSL *s);
-int SSL_renegotiate_pending(SSL *s);
-int SSL_shutdown(SSL *s);
-const SSL_METHOD *SSL_get_ssl_method(SSL *s);
-int SSL_set_ssl_method(SSL *s, const SSL_METHOD *method);
-const char *SSL_alert_type_string_long(int value);
-const char *SSL_alert_type_string(int value);
-const char *SSL_alert_desc_string_long(int value);
-const char *SSL_alert_desc_string(int value);
-void SSL_set_client_CA_list(SSL *s, STACK_OF(X509_NAME) *name_list);
-void SSL_CTX_set_client_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *name_list);
-STACK_OF(X509_NAME) *SSL_get_client_CA_list(const SSL *s);
-STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(const SSL_CTX *s);
-int SSL_add_client_CA(SSL *ssl, X509 *x);
-int SSL_CTX_add_client_CA(SSL_CTX *ctx, X509 *x);
-void SSL_set_connect_state(SSL *s);
-void SSL_set_accept_state(SSL *s);
-long SSL_get_default_timeout(const SSL *s);
-int SSL_library_init(void );
-char *SSL_CIPHER_description(const SSL_CIPHER *, char *buf, int size);
-STACK_OF(X509_NAME) *SSL_dup_CA_list(STACK_OF(X509_NAME) *sk);
-SSL *SSL_dup(SSL *ssl);
-X509 *SSL_get_certificate(const SSL *ssl);
-/* EVP_PKEY */ struct evp_pkey_st *SSL_get_privatekey(SSL *ssl);
-void SSL_CTX_set_quiet_shutdown(SSL_CTX *ctx,int mode);
-int SSL_CTX_get_quiet_shutdown(const SSL_CTX *ctx);
-void SSL_set_quiet_shutdown(SSL *ssl,int mode);
-int SSL_get_quiet_shutdown(const SSL *ssl);
-void SSL_set_shutdown(SSL *ssl,int mode);
-int SSL_get_shutdown(const SSL *ssl);
-int SSL_version(const SSL *ssl);
-int SSL_CTX_set_default_verify_paths(SSL_CTX *ctx);
-int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile,
-    const char *CApath);
-int SSL_CTX_load_verify_mem(SSL_CTX *ctx, void *buf, int len);
-#define SSL_get0_session SSL_get_session /* just peek at pointer */
-SSL_SESSION *SSL_get_session(const SSL *ssl);
-SSL_SESSION *SSL_get1_session(SSL *ssl); /* obtain a reference count */
-SSL_CTX *SSL_get_SSL_CTX(const SSL *ssl);
-SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX* ctx);
-void SSL_set_info_callback(SSL *ssl,
-    void (*cb)(const SSL *ssl, int type, int val));
-void (*SSL_get_info_callback(const SSL *ssl))(const SSL *ssl, int type, int val);
-int SSL_state(const SSL *ssl);
-void SSL_set_state(SSL *ssl, int state);
-void SSL_set_verify_result(SSL *ssl, long v);
-long SSL_get_verify_result(const SSL *ssl);
-int SSL_set_ex_data(SSL *ssl, int idx, void *data);
-void *SSL_get_ex_data(const SSL *ssl, int idx);
-int SSL_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
-    CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
-int SSL_SESSION_set_ex_data(SSL_SESSION *ss, int idx, void *data);
-void *SSL_SESSION_get_ex_data(const SSL_SESSION *ss, int idx);
-int SSL_SESSION_get_ex_new_index(long argl, void *argp,
-    CRYPTO_EX_new *new_func, CRYPTO_EX_dup *dup_func,
-    CRYPTO_EX_free *free_func);
-int SSL_CTX_set_ex_data(SSL_CTX *ssl, int idx, void *data);
-void *SSL_CTX_get_ex_data(const SSL_CTX *ssl, int idx);
-int SSL_CTX_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
-    CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
-int SSL_get_ex_data_X509_STORE_CTX_idx(void );
-#define SSL_CTX_sess_set_cache_size(ctx,t) \
-        SSL_CTX_ctrl(ctx,SSL_CTRL_SET_SESS_CACHE_SIZE,t,NULL)
-#define SSL_CTX_sess_get_cache_size(ctx) \
-        SSL_CTX_ctrl(ctx,SSL_CTRL_GET_SESS_CACHE_SIZE,0,NULL)
-#define SSL_CTX_set_session_cache_mode(ctx,m) \
-        SSL_CTX_ctrl(ctx,SSL_CTRL_SET_SESS_CACHE_MODE,m,NULL)
-#define SSL_CTX_get_session_cache_mode(ctx) \
-        SSL_CTX_ctrl(ctx,SSL_CTRL_GET_SESS_CACHE_MODE,0,NULL)
-#define SSL_CTX_get_default_read_ahead(ctx) SSL_CTX_get_read_ahead(ctx)
-#define SSL_CTX_set_default_read_ahead(ctx,m) SSL_CTX_set_read_ahead(ctx,m)
-#define SSL_CTX_get_read_ahead(ctx) \
-        SSL_CTX_ctrl(ctx,SSL_CTRL_GET_READ_AHEAD,0,NULL)
-#define SSL_CTX_set_read_ahead(ctx,m) \
-        SSL_CTX_ctrl(ctx,SSL_CTRL_SET_READ_AHEAD,m,NULL)
-#define SSL_CTX_get_max_cert_list(ctx) \
-        SSL_CTX_ctrl(ctx,SSL_CTRL_GET_MAX_CERT_LIST,0,NULL)
-#define SSL_CTX_set_max_cert_list(ctx,m) \
-        SSL_CTX_ctrl(ctx,SSL_CTRL_SET_MAX_CERT_LIST,m,NULL)
-#define SSL_get_max_cert_list(ssl) \
-        SSL_ctrl(ssl,SSL_CTRL_GET_MAX_CERT_LIST,0,NULL)
-#define SSL_set_max_cert_list(ssl,m) \
-        SSL_ctrl(ssl,SSL_CTRL_SET_MAX_CERT_LIST,m,NULL)
-#define SSL_CTX_set_max_send_fragment(ctx,m) \
-        SSL_CTX_ctrl(ctx,SSL_CTRL_SET_MAX_SEND_FRAGMENT,m,NULL)
-#define SSL_set_max_send_fragment(ssl,m) \
-        SSL_ctrl(ssl,SSL_CTRL_SET_MAX_SEND_FRAGMENT,m,NULL)
-/* NB: the keylength is only applicable when is_export is true */
-void SSL_CTX_set_tmp_rsa_callback(SSL_CTX *ctx,
-    RSA *(*cb)(SSL *ssl, int is_export, int keylength));
-void SSL_set_tmp_rsa_callback(SSL *ssl,
-    RSA *(*cb)(SSL *ssl, int is_export, int keylength));
-void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx,
-    DH *(*dh)(SSL *ssl, int is_export, int keylength));
-void SSL_set_tmp_dh_callback(SSL *ssl,
-    DH *(*dh)(SSL *ssl, int is_export, int keylength));
-void SSL_CTX_set_tmp_ecdh_callback(SSL_CTX *ctx,
-    EC_KEY *(*ecdh)(SSL *ssl, int is_export, int keylength));
-void SSL_set_tmp_ecdh_callback(SSL *ssl,
-    EC_KEY *(*ecdh)(SSL *ssl, int is_export, int keylength));
-const void *SSL_get_current_compression(SSL *s);
-const void *SSL_get_current_expansion(SSL *s);
-const char *SSL_COMP_get_name(const void *comp);
-void *SSL_COMP_get_compression_methods(void);
-int SSL_COMP_add_compression_method(int id, void *cm);
-/* TLS extensions functions */
-int SSL_set_session_ticket_ext(SSL *s, void *ext_data, int ext_len);
-int SSL_set_session_ticket_ext_cb(SSL *s,
-    tls_session_ticket_ext_cb_fn cb, void *arg);
-/* Pre-shared secret session resumption functions */
-int SSL_set_session_secret_cb(SSL *s,
-    tls_session_secret_cb_fn tls_session_secret_cb, void *arg);
-void SSL_set_debug(SSL *s, int debug);
-int SSL_cache_hit(SSL *s);
-/* BEGIN ERROR CODES */
-/* The following lines are auto generated by the script mkerr.pl. Any changes
- * made after this point may be overwritten when the script is next run.
- */
-void ERR_load_SSL_strings(void);
-/* Error codes for the SSL functions. */
-/* Function codes. */
-#define SSL_F_CLIENT_CERTIFICATE                         100
-#define SSL_F_CLIENT_FINISHED                            167
-#define SSL_F_CLIENT_HELLO                               101
-#define SSL_F_CLIENT_MASTER_KEY                          102
-#define SSL_F_D2I_SSL_SESSION                            103
-#define SSL_F_DO_DTLS1_WRITE                             245
-#define SSL_F_DO_SSL3_WRITE                              104
-#define SSL_F_DTLS1_ACCEPT                               246
-#define SSL_F_DTLS1_ADD_CERT_TO_BUF                      295
-#define SSL_F_DTLS1_BUFFER_RECORD                        247
-#define SSL_F_DTLS1_CHECK_TIMEOUT_NUM                    316
-#define SSL_F_DTLS1_CLIENT_HELLO                         248
-#define SSL_F_DTLS1_CONNECT                              249
-#define SSL_F_DTLS1_ENC                                  250
-#define SSL_F_DTLS1_GET_HELLO_VERIFY                     251
-#define SSL_F_DTLS1_GET_MESSAGE                          252
-#define SSL_F_DTLS1_GET_MESSAGE_FRAGMENT                 253
-#define SSL_F_DTLS1_GET_RECORD                           254
-#define SSL_F_DTLS1_HANDLE_TIMEOUT                       297
-#define SSL_F_DTLS1_HEARTBEAT                            305
-#define SSL_F_DTLS1_OUTPUT_CERT_CHAIN                    255
-#define SSL_F_DTLS1_PREPROCESS_FRAGMENT                  288
-#define SSL_F_DTLS1_PROCESS_OUT_OF_SEQ_MESSAGE           256
-#define SSL_F_DTLS1_PROCESS_RECORD                       257
-#define SSL_F_DTLS1_READ_BYTES                           258
-#define SSL_F_DTLS1_READ_FAILED                          259
-#define SSL_F_DTLS1_SEND_CERTIFICATE_REQUEST             260
-#define SSL_F_DTLS1_SEND_CLIENT_CERTIFICATE              261
-#define SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE             262
-#define SSL_F_DTLS1_SEND_CLIENT_VERIFY                   263
-#define SSL_F_DTLS1_SEND_HELLO_VERIFY_REQUEST            264
-#define SSL_F_DTLS1_SEND_SERVER_CERTIFICATE              265
-#define SSL_F_DTLS1_SEND_SERVER_HELLO                    266
-#define SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE             267
-#define SSL_F_DTLS1_WRITE_APP_DATA_BYTES                 268
-#define SSL_F_GET_CLIENT_FINISHED                        105
-#define SSL_F_GET_CLIENT_HELLO                           106
-#define SSL_F_GET_CLIENT_MASTER_KEY                      107
-#define SSL_F_GET_SERVER_FINISHED                        108
-#define SSL_F_GET_SERVER_HELLO                           109
-#define SSL_F_GET_SERVER_VERIFY                          110
-#define SSL_F_I2D_SSL_SESSION                            111
-#define SSL_F_READ_N                                     112
-#define SSL_F_REQUEST_CERTIFICATE                        113
-#define SSL_F_SERVER_FINISH                              239
-#define SSL_F_SERVER_HELLO                               114
-#define SSL_F_SERVER_VERIFY                              240
-#define SSL_F_SSL23_ACCEPT                               115
-#define SSL_F_SSL23_CLIENT_HELLO                         116
-#define SSL_F_SSL23_CONNECT                              117
-#define SSL_F_SSL23_GET_CLIENT_HELLO                     118
-#define SSL_F_SSL23_GET_SERVER_HELLO                     119
-#define SSL_F_SSL23_PEEK                                 237
-#define SSL_F_SSL23_READ                                 120
-#define SSL_F_SSL23_WRITE                                121
-#define SSL_F_SSL2_ACCEPT                                122
-#define SSL_F_SSL2_CONNECT                               123
-#define SSL_F_SSL2_ENC_INIT                              124
-#define SSL_F_SSL2_GENERATE_KEY_MATERIAL                 241
-#define SSL_F_SSL2_PEEK                                  234
-#define SSL_F_SSL2_READ                                  125
-#define SSL_F_SSL2_READ_INTERNAL                         236
-#define SSL_F_SSL2_SET_CERTIFICATE                       126
-#define SSL_F_SSL2_WRITE                                 127
-#define SSL_F_SSL3_ACCEPT                                128
-#define SSL_F_SSL3_ADD_CERT_TO_BUF                       296
-#define SSL_F_SSL3_CALLBACK_CTRL                         233
-#define SSL_F_SSL3_CHANGE_CIPHER_STATE                   129
-#define SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM              130
-#define SSL_F_SSL3_CHECK_CLIENT_HELLO                    304
-#define SSL_F_SSL3_CLIENT_HELLO                          131
-#define SSL_F_SSL3_CONNECT                               132
-#define SSL_F_SSL3_CTRL                                  213
-#define SSL_F_SSL3_CTX_CTRL                              133
-#define SSL_F_SSL3_DIGEST_CACHED_RECORDS                 293
-#define SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC                 292
-#define SSL_F_SSL3_ENC                                   134
-#define SSL_F_SSL3_GENERATE_KEY_BLOCK                    238
-#define SSL_F_SSL3_GET_CERTIFICATE_REQUEST               135
-#define SSL_F_SSL3_GET_CERT_STATUS                       289
-#define SSL_F_SSL3_GET_CERT_VERIFY                       136
-#define SSL_F_SSL3_GET_CLIENT_CERTIFICATE                137
-#define SSL_F_SSL3_GET_CLIENT_HELLO                      138
-#define SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE               139
-#define SSL_F_SSL3_GET_FINISHED                          140
-#define SSL_F_SSL3_GET_KEY_EXCHANGE                      141
-#define SSL_F_SSL3_GET_MESSAGE                           142
-#define SSL_F_SSL3_GET_NEW_SESSION_TICKET                283
-#define SSL_F_SSL3_GET_NEXT_PROTO                        306
-#define SSL_F_SSL3_GET_RECORD                            143
-#define SSL_F_SSL3_GET_SERVER_CERTIFICATE                144
-#define SSL_F_SSL3_GET_SERVER_DONE                       145
-#define SSL_F_SSL3_GET_SERVER_HELLO                      146
-#define SSL_F_SSL3_HANDSHAKE_MAC                         285
-#define SSL_F_SSL3_NEW_SESSION_TICKET                    287
-#define SSL_F_SSL3_OUTPUT_CERT_CHAIN                     147
-#define SSL_F_SSL3_PEEK                                  235
-#define SSL_F_SSL3_READ_BYTES                            148
-#define SSL_F_SSL3_READ_N                                149
-#define SSL_F_SSL3_SEND_CERTIFICATE_REQUEST              150
-#define SSL_F_SSL3_SEND_CLIENT_CERTIFICATE               151
-#define SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE              152
-#define SSL_F_SSL3_SEND_CLIENT_VERIFY                    153
-#define SSL_F_SSL3_SEND_SERVER_CERTIFICATE               154
-#define SSL_F_SSL3_SEND_SERVER_HELLO                     242
-#define SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE              155
-#define SSL_F_SSL3_SETUP_KEY_BLOCK                       157
-#define SSL_F_SSL3_SETUP_READ_BUFFER                     156
-#define SSL_F_SSL3_SETUP_WRITE_BUFFER                    291
-#define SSL_F_SSL3_WRITE_BYTES                           158
-#define SSL_F_SSL3_WRITE_PENDING                         159
-#define SSL_F_SSL_ADD_CLIENTHELLO_RENEGOTIATE_EXT        298
-#define SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT                 277
-#define SSL_F_SSL_ADD_CLIENTHELLO_USE_SRTP_EXT           307
-#define SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK         215
-#define SSL_F_SSL_ADD_FILE_CERT_SUBJECTS_TO_STACK        216
-#define SSL_F_SSL_ADD_SERVERHELLO_RENEGOTIATE_EXT        299
-#define SSL_F_SSL_ADD_SERVERHELLO_TLSEXT                 278
-#define SSL_F_SSL_ADD_SERVERHELLO_USE_SRTP_EXT           308
-#define SSL_F_SSL_BAD_METHOD                             160
-#define SSL_F_SSL_BYTES_TO_CIPHER_LIST                   161
-#define SSL_F_SSL_CERT_DUP                               221
-#define SSL_F_SSL_CERT_INST                              222
-#define SSL_F_SSL_CERT_INSTANTIATE                       214
-#define SSL_F_SSL_CERT_NEW                               162
-#define SSL_F_SSL_CHECK_PRIVATE_KEY                      163
-#define SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT               280
-#define SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG            279
-#define SSL_F_SSL_CIPHER_PROCESS_RULESTR                 230
-#define SSL_F_SSL_CIPHER_STRENGTH_SORT                   231
-#define SSL_F_SSL_CLEAR                                  164
-#define SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD            165
-#define SSL_F_SSL_CREATE_CIPHER_LIST                     166
-#define SSL_F_SSL_CTRL                                   232
-#define SSL_F_SSL_CTX_CHECK_PRIVATE_KEY                  168
-#define SSL_F_SSL_CTX_MAKE_PROFILES                      309
-#define SSL_F_SSL_CTX_NEW                                169
-#define SSL_F_SSL_CTX_SET_CIPHER_LIST                    269
-#define SSL_F_SSL_CTX_SET_CLIENT_CERT_ENGINE             290
-#define SSL_F_SSL_CTX_SET_PURPOSE                        226
-#define SSL_F_SSL_CTX_SET_SESSION_ID_CONTEXT             219
-#define SSL_F_SSL_CTX_SET_SSL_VERSION                    170
-#define SSL_F_SSL_CTX_SET_TRUST                          229
-#define SSL_F_SSL_CTX_USE_CERTIFICATE                    171
-#define SSL_F_SSL_CTX_USE_CERTIFICATE_ASN1               172
-#define SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE         220
-#define SSL_F_SSL_CTX_USE_CERTIFICATE_FILE               173
-#define SSL_F_SSL_CTX_USE_PRIVATEKEY                     174
-#define SSL_F_SSL_CTX_USE_PRIVATEKEY_ASN1                175
-#define SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE                176
-#define SSL_F_SSL_CTX_USE_PSK_IDENTITY_HINT              272
-#define SSL_F_SSL_CTX_USE_RSAPRIVATEKEY                  177
-#define SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_ASN1             178
-#define SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE             179
-#define SSL_F_SSL_DO_HANDSHAKE                           180
-#define SSL_F_SSL_GET_NEW_SESSION                        181
-#define SSL_F_SSL_GET_PREV_SESSION                       217
-#define SSL_F_SSL_GET_SERVER_SEND_CERT                   182
-#define SSL_F_SSL_GET_SERVER_SEND_PKEY                   317
-#define SSL_F_SSL_GET_SIGN_PKEY                          183
-#define SSL_F_SSL_INIT_WBIO_BUFFER                       184
-#define SSL_F_SSL_LOAD_CLIENT_CA_FILE                    185
-#define SSL_F_SSL_NEW                                    186
-#define SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT      300
-#define SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT               302
-#define SSL_F_SSL_PARSE_CLIENTHELLO_USE_SRTP_EXT         310
-#define SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT      301
-#define SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT               303
-#define SSL_F_SSL_PARSE_SERVERHELLO_USE_SRTP_EXT         311
-#define SSL_F_SSL_PEEK                                   270
-#define SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT             281
-#define SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT             282
-#define SSL_F_SSL_READ                                   223
-#define SSL_F_SSL_RSA_PRIVATE_DECRYPT                    187
-#define SSL_F_SSL_RSA_PUBLIC_ENCRYPT                     188
-#define SSL_F_SSL_SESSION_NEW                            189
-#define SSL_F_SSL_SESSION_PRINT_FP                       190
-#define SSL_F_SSL_SESSION_SET1_ID_CONTEXT                312
-#define SSL_F_SSL_SESS_CERT_NEW                          225
-#define SSL_F_SSL_SET_CERT                               191
-#define SSL_F_SSL_SET_CIPHER_LIST                        271
-#define SSL_F_SSL_SET_FD                                 192
-#define SSL_F_SSL_SET_PKEY                               193
-#define SSL_F_SSL_SET_PURPOSE                            227
-#define SSL_F_SSL_SET_RFD                                194
-#define SSL_F_SSL_SET_SESSION                            195
-#define SSL_F_SSL_SET_SESSION_ID_CONTEXT                 218
-#define SSL_F_SSL_SET_SESSION_TICKET_EXT                 294
-#define SSL_F_SSL_SET_TRUST                              228
-#define SSL_F_SSL_SET_WFD                                196
-#define SSL_F_SSL_SHUTDOWN                               224
-#define SSL_F_SSL_SRP_CTX_INIT                           313
-#define SSL_F_SSL_UNDEFINED_CONST_FUNCTION               243
-#define SSL_F_SSL_UNDEFINED_FUNCTION                     197
-#define SSL_F_SSL_UNDEFINED_VOID_FUNCTION                244
-#define SSL_F_SSL_USE_CERTIFICATE                        198
-#define SSL_F_SSL_USE_CERTIFICATE_ASN1                   199
-#define SSL_F_SSL_USE_CERTIFICATE_FILE                   200
-#define SSL_F_SSL_USE_PRIVATEKEY                         201
-#define SSL_F_SSL_USE_PRIVATEKEY_ASN1                    202
-#define SSL_F_SSL_USE_PRIVATEKEY_FILE                    203
-#define SSL_F_SSL_USE_PSK_IDENTITY_HINT                  273
-#define SSL_F_SSL_USE_RSAPRIVATEKEY                      204
-#define SSL_F_SSL_USE_RSAPRIVATEKEY_ASN1                 205
-#define SSL_F_SSL_USE_RSAPRIVATEKEY_FILE                 206
-#define SSL_F_SSL_VERIFY_CERT_CHAIN                      207
-#define SSL_F_SSL_WRITE                                  208
-#define SSL_F_TLS1_AEAD_CTX_INIT                         339
-#define SSL_F_TLS1_CERT_VERIFY_MAC                       286
-#define SSL_F_TLS1_CHANGE_CIPHER_STATE                   209
-#define SSL_F_TLS1_CHANGE_CIPHER_STATE_AEAD              340
-#define SSL_F_TLS1_CHANGE_CIPHER_STATE_CIPHER            338
-#define SSL_F_TLS1_CHECK_SERVERHELLO_TLSEXT              274
-#define SSL_F_TLS1_ENC                                   210
-#define SSL_F_TLS1_EXPORT_KEYING_MATERIAL                314
-#define SSL_F_TLS1_HEARTBEAT                             315
-#define SSL_F_TLS1_PREPARE_CLIENTHELLO_TLSEXT            275
-#define SSL_F_TLS1_PREPARE_SERVERHELLO_TLSEXT            276
-#define SSL_F_TLS1_PRF                                   284
-#define SSL_F_TLS1_SETUP_KEY_BLOCK                       211
-#define SSL_F_WRITE_PENDING                              212
-/* Reason codes. */
-#define SSL_R_APP_DATA_IN_HANDSHAKE                      100
-#define SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT 272
-#define SSL_R_BAD_ALERT_RECORD                           101
-#define SSL_R_BAD_AUTHENTICATION_TYPE                    102
-#define SSL_R_BAD_CHANGE_CIPHER_SPEC                     103
-#define SSL_R_BAD_CHECKSUM                               104
-#define SSL_R_BAD_DATA_RETURNED_BY_CALLBACK              106
-#define SSL_R_BAD_DECOMPRESSION                          107
-#define SSL_R_BAD_DH_G_LENGTH                            108
-#define SSL_R_BAD_DH_PUB_KEY_LENGTH                      109
-#define SSL_R_BAD_DH_P_LENGTH                            110
-#define SSL_R_BAD_DIGEST_LENGTH                          111
-#define SSL_R_BAD_DSA_SIGNATURE                          112
-#define SSL_R_BAD_ECC_CERT                               304
-#define SSL_R_BAD_ECDSA_SIGNATURE                        305
-#define SSL_R_BAD_ECPOINT                                306
-#define SSL_R_BAD_HANDSHAKE_LENGTH                       332
-#define SSL_R_BAD_HELLO_REQUEST                          105
-#define SSL_R_BAD_LENGTH                                 271
-#define SSL_R_BAD_MAC_DECODE                             113
-#define SSL_R_BAD_MAC_LENGTH                             333
-#define SSL_R_BAD_MESSAGE_TYPE                           114
-#define SSL_R_BAD_PACKET_LENGTH                          115
-#define SSL_R_BAD_PROTOCOL_VERSION_NUMBER                116
-#define SSL_R_BAD_PSK_IDENTITY_HINT_LENGTH               316
-#define SSL_R_BAD_RESPONSE_ARGUMENT                      117
-#define SSL_R_BAD_RSA_DECRYPT                            118
-#define SSL_R_BAD_RSA_ENCRYPT                            119
-#define SSL_R_BAD_RSA_E_LENGTH                           120
-#define SSL_R_BAD_RSA_MODULUS_LENGTH                     121
-#define SSL_R_BAD_RSA_SIGNATURE                          122
-#define SSL_R_BAD_SIGNATURE                              123
-#define SSL_R_BAD_SRP_A_LENGTH                           347
-#define SSL_R_BAD_SRP_B_LENGTH                           348
-#define SSL_R_BAD_SRP_G_LENGTH                           349
-#define SSL_R_BAD_SRP_N_LENGTH                           350
-#define SSL_R_BAD_SRP_S_LENGTH                           351
-#define SSL_R_BAD_SRTP_MKI_VALUE                         352
-#define SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST           353
-#define SSL_R_BAD_SSL_FILETYPE                           124
-#define SSL_R_BAD_SSL_SESSION_ID_LENGTH                  125
-#define SSL_R_BAD_STATE                                  126
-#define SSL_R_BAD_WRITE_RETRY                            127
-#define SSL_R_BIO_NOT_SET                                128
-#define SSL_R_BLOCK_CIPHER_PAD_IS_WRONG                  129
-#define SSL_R_BN_LIB                                     130
-#define SSL_R_CA_DN_LENGTH_MISMATCH                      131
-#define SSL_R_CA_DN_TOO_LONG                             132
-#define SSL_R_CCS_RECEIVED_EARLY                         133
-#define SSL_R_CERTIFICATE_VERIFY_FAILED                  134
-#define SSL_R_CERT_LENGTH_MISMATCH                       135
-#define SSL_R_CHALLENGE_IS_DIFFERENT                     136
-#define SSL_R_CIPHER_CODE_WRONG_LENGTH                   137
-#define SSL_R_CIPHER_COMPRESSION_UNAVAILABLE             371
-#define SSL_R_CIPHER_OR_HASH_UNAVAILABLE                 138
-#define SSL_R_CIPHER_TABLE_SRC_ERROR                     139
-#define SSL_R_CLIENTHELLO_TLSEXT                         226
-#define SSL_R_COMPRESSED_LENGTH_TOO_LONG                 140
-#define SSL_R_COMPRESSION_DISABLED                       343
-#define SSL_R_COMPRESSION_FAILURE                        141
-#define SSL_R_COMPRESSION_ID_NOT_WITHIN_PRIVATE_RANGE    307
-#define SSL_R_COMPRESSION_LIBRARY_ERROR                  142
-#define SSL_R_CONNECTION_ID_IS_DIFFERENT                 143
-#define SSL_R_CONNECTION_TYPE_NOT_SET                    144
-#define SSL_R_COOKIE_MISMATCH                            308
-#define SSL_R_DATA_BETWEEN_CCS_AND_FINISHED              145
-#define SSL_R_DATA_LENGTH_TOO_LONG                       146
-#define SSL_R_DECRYPTION_FAILED                          147
-#define SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC        281
-#define SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG            148
-#define SSL_R_DIGEST_CHECK_FAILED                        149
-#define SSL_R_DTLS_MESSAGE_TOO_BIG                       334
-#define SSL_R_DUPLICATE_COMPRESSION_ID                   309
-#define SSL_R_ECC_CERT_NOT_FOR_KEY_AGREEMENT             317
-#define SSL_R_ECC_CERT_NOT_FOR_SIGNING                   318
-#define SSL_R_ECC_CERT_SHOULD_HAVE_RSA_SIGNATURE         322
-#define SSL_R_ECC_CERT_SHOULD_HAVE_SHA1_SIGNATURE        323
-#define SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER               310
-#define SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST         354
-#define SSL_R_ENCRYPTED_LENGTH_TOO_LONG                  150
-#define SSL_R_ERROR_GENERATING_TMP_RSA_KEY               282
-#define SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST              151
-#define SSL_R_EXCESSIVE_MESSAGE_SIZE                     152
-#define SSL_R_EXTRA_DATA_IN_MESSAGE                      153
-#define SSL_R_GOT_A_FIN_BEFORE_A_CCS                     154
-#define SSL_R_GOT_NEXT_PROTO_BEFORE_A_CCS                355
-#define SSL_R_GOT_NEXT_PROTO_WITHOUT_EXTENSION           356
-#define SSL_R_HTTPS_PROXY_REQUEST                        155
-#define SSL_R_HTTP_REQUEST                               156
-#define SSL_R_ILLEGAL_PADDING                            283
-#define SSL_R_INAPPROPRIATE_FALLBACK                     373
-#define SSL_R_INCONSISTENT_COMPRESSION                   340
-#define SSL_R_INVALID_CHALLENGE_LENGTH                   158
-#define SSL_R_INVALID_COMMAND                            280
-#define SSL_R_INVALID_COMPRESSION_ALGORITHM              341
-#define SSL_R_INVALID_PURPOSE                            278
-#define SSL_R_INVALID_SRP_USERNAME                       357
-#define SSL_R_INVALID_STATUS_RESPONSE                    328
-#define SSL_R_INVALID_TICKET_KEYS_LENGTH                 325
-#define SSL_R_INVALID_TRUST                              279
-#define SSL_R_KEY_ARG_TOO_LONG                           284
-#define SSL_R_KRB5                                       285
-#define SSL_R_KRB5_C_CC_PRINC                            286
-#define SSL_R_KRB5_C_GET_CRED                            287
-#define SSL_R_KRB5_C_INIT                                288
-#define SSL_R_KRB5_C_MK_REQ                              289
-#define SSL_R_KRB5_S_BAD_TICKET                          290
-#define SSL_R_KRB5_S_INIT                                291
-#define SSL_R_KRB5_S_RD_REQ                              292
-#define SSL_R_KRB5_S_TKT_EXPIRED                         293
-#define SSL_R_KRB5_S_TKT_NYV                             294
-#define SSL_R_KRB5_S_TKT_SKEW                            295
-#define SSL_R_LENGTH_MISMATCH                            159
-#define SSL_R_LENGTH_TOO_SHORT                           160
-#define SSL_R_LIBRARY_BUG                                274
-#define SSL_R_LIBRARY_HAS_NO_CIPHERS                     161
-#define SSL_R_MESSAGE_TOO_LONG                           296
-#define SSL_R_MISSING_DH_DSA_CERT                        162
-#define SSL_R_MISSING_DH_KEY                             163
-#define SSL_R_MISSING_DH_RSA_CERT                        164
-#define SSL_R_MISSING_DSA_SIGNING_CERT                   165
-#define SSL_R_MISSING_EXPORT_TMP_DH_KEY                  166
-#define SSL_R_MISSING_EXPORT_TMP_RSA_KEY                 167
-#define SSL_R_MISSING_RSA_CERTIFICATE                    168
-#define SSL_R_MISSING_RSA_ENCRYPTING_CERT                169
-#define SSL_R_MISSING_RSA_SIGNING_CERT                   170
-#define SSL_R_MISSING_SRP_PARAM                          358
-#define SSL_R_MISSING_TMP_DH_KEY                         171
-#define SSL_R_MISSING_TMP_ECDH_KEY                       311
-#define SSL_R_MISSING_TMP_RSA_KEY                        172
-#define SSL_R_MISSING_TMP_RSA_PKEY                       173
-#define SSL_R_MISSING_VERIFY_MESSAGE                     174
-#define SSL_R_MULTIPLE_SGC_RESTARTS                      346
-#define SSL_R_NON_SSLV2_INITIAL_PACKET                   175
-#define SSL_R_NO_CERTIFICATES_RETURNED                   176
-#define SSL_R_NO_CERTIFICATE_ASSIGNED                    177
-#define SSL_R_NO_CERTIFICATE_RETURNED                    178
-#define SSL_R_NO_CERTIFICATE_SET                         179
-#define SSL_R_NO_CERTIFICATE_SPECIFIED                   180
-#define SSL_R_NO_CIPHERS_AVAILABLE                       181
-#define SSL_R_NO_CIPHERS_PASSED                          182
-#define SSL_R_NO_CIPHERS_SPECIFIED                       183
-#define SSL_R_NO_CIPHER_LIST                             184
-#define SSL_R_NO_CIPHER_MATCH                            185
-#define SSL_R_NO_CLIENT_CERT_METHOD                      331
-#define SSL_R_NO_CLIENT_CERT_RECEIVED                    186
-#define SSL_R_NO_COMPRESSION_SPECIFIED                   187
-#define SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER           330
-#define SSL_R_NO_METHOD_SPECIFIED                        188
-#define SSL_R_NO_PRIVATEKEY                              189
-#define SSL_R_NO_PRIVATE_KEY_ASSIGNED                    190
-#define SSL_R_NO_PROTOCOLS_AVAILABLE                     191
-#define SSL_R_NO_PUBLICKEY                               192
-#define SSL_R_NO_RENEGOTIATION                           339
-#define SSL_R_NO_REQUIRED_DIGEST                         324
-#define SSL_R_NO_SHARED_CIPHER                           193
-#define SSL_R_NO_SRTP_PROFILES                           359
-#define SSL_R_NO_VERIFY_CALLBACK                         194
-#define SSL_R_NULL_SSL_CTX                               195
-#define SSL_R_NULL_SSL_METHOD_PASSED                     196
-#define SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED            197
-#define SSL_R_OLD_SESSION_COMPRESSION_ALGORITHM_NOT_RETURNED 344
-#define SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE              297
-#define SSL_R_PACKET_LENGTH_TOO_LONG                     198
-#define SSL_R_PARSE_TLSEXT                               227
-#define SSL_R_PATH_TOO_LONG                              270
-#define SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE          199
-#define SSL_R_PEER_ERROR                                 200
-#define SSL_R_PEER_ERROR_CERTIFICATE                     201
-#define SSL_R_PEER_ERROR_NO_CERTIFICATE                  202
-#define SSL_R_PEER_ERROR_NO_CIPHER                       203
-#define SSL_R_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE    204
-#define SSL_R_PRE_MAC_LENGTH_TOO_LONG                    205
-#define SSL_R_PROBLEMS_MAPPING_CIPHER_FUNCTIONS          206
-#define SSL_R_PROTOCOL_IS_SHUTDOWN                       207
-#define SSL_R_PSK_IDENTITY_NOT_FOUND                     223
-#define SSL_R_PSK_NO_CLIENT_CB                           224
-#define SSL_R_PSK_NO_SERVER_CB                           225
-#define SSL_R_PUBLIC_KEY_ENCRYPT_ERROR                   208
-#define SSL_R_PUBLIC_KEY_IS_NOT_RSA                      209
-#define SSL_R_PUBLIC_KEY_NOT_RSA                         210
-#define SSL_R_READ_BIO_NOT_SET                           211
-#define SSL_R_READ_TIMEOUT_EXPIRED                       312
-#define SSL_R_READ_WRONG_PACKET_TYPE                     212
-#define SSL_R_RECORD_LENGTH_MISMATCH                     213
-#define SSL_R_RECORD_TOO_LARGE                           214
-#define SSL_R_RECORD_TOO_SMALL                           298
-#define SSL_R_RENEGOTIATE_EXT_TOO_LONG                   335
-#define SSL_R_RENEGOTIATION_ENCODING_ERR                 336
-#define SSL_R_RENEGOTIATION_MISMATCH                     337
-#define SSL_R_REQUIRED_CIPHER_MISSING                    215
-#define SSL_R_REQUIRED_COMPRESSSION_ALGORITHM_MISSING    342
-#define SSL_R_REUSE_CERT_LENGTH_NOT_ZERO                 216
-#define SSL_R_REUSE_CERT_TYPE_NOT_ZERO                   217
-#define SSL_R_REUSE_CIPHER_LIST_NOT_ZERO                 218
-#define SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING           345
-#define SSL_R_SERVERHELLO_TLSEXT                         275
-#define SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED           277
-#define SSL_R_SHORT_READ                                 219
-#define SSL_R_SIGNATURE_ALGORITHMS_ERROR                 360
-#define SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE      220
-#define SSL_R_SRP_A_CALC                                 361
-#define SSL_R_SRTP_COULD_NOT_ALLOCATE_PROFILES           362
-#define SSL_R_SRTP_PROTECTION_PROFILE_LIST_TOO_LONG      363
-#define SSL_R_SRTP_UNKNOWN_PROTECTION_PROFILE            364
-#define SSL_R_SSL23_DOING_SESSION_ID_REUSE               221
-#define SSL_R_SSL2_CONNECTION_ID_TOO_LONG                299
-#define SSL_R_SSL3_EXT_INVALID_ECPOINTFORMAT             321
-#define SSL_R_SSL3_EXT_INVALID_SERVERNAME                319
-#define SSL_R_SSL3_EXT_INVALID_SERVERNAME_TYPE           320
-#define SSL_R_SSL3_SESSION_ID_TOO_LONG                   300
-#define SSL_R_SSL3_SESSION_ID_TOO_SHORT                  222
-#define SSL_R_SSLV3_ALERT_BAD_CERTIFICATE                1042
-#define SSL_R_SSLV3_ALERT_BAD_RECORD_MAC                 1020
-#define SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED            1045
-#define SSL_R_SSLV3_ALERT_CERTIFICATE_REVOKED            1044
-#define SSL_R_SSLV3_ALERT_CERTIFICATE_UNKNOWN            1046
-#define SSL_R_SSLV3_ALERT_DECOMPRESSION_FAILURE          1030
-#define SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE              1040
-#define SSL_R_SSLV3_ALERT_ILLEGAL_PARAMETER              1047
-#define SSL_R_SSLV3_ALERT_NO_CERTIFICATE                 1041
-#define SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE             1010
-#define SSL_R_SSLV3_ALERT_UNSUPPORTED_CERTIFICATE        1043
-#define SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION         228
-#define SSL_R_SSL_HANDSHAKE_FAILURE                      229
-#define SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS                 230
-#define SSL_R_SSL_SESSION_ID_CALLBACK_FAILED             301
-#define SSL_R_SSL_SESSION_ID_CONFLICT                    302
-#define SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG            273
-#define SSL_R_SSL_SESSION_ID_HAS_BAD_LENGTH              303
-#define SSL_R_SSL_SESSION_ID_IS_DIFFERENT                231
-#define SSL_R_TLSV1_ALERT_ACCESS_DENIED                  1049
-#define SSL_R_TLSV1_ALERT_DECODE_ERROR                   1050
-#define SSL_R_TLSV1_ALERT_DECRYPTION_FAILED              1021
-#define SSL_R_TLSV1_ALERT_DECRYPT_ERROR                  1051
-#define SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION             1060
-#define SSL_R_TLSV1_ALERT_INAPPROPRIATE_FALLBACK         1086
-#define SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY          1071
-#define SSL_R_TLSV1_ALERT_INTERNAL_ERROR                 1080
-#define SSL_R_TLSV1_ALERT_NO_RENEGOTIATION               1100
-#define SSL_R_TLSV1_ALERT_PROTOCOL_VERSION               1070
-#define SSL_R_TLSV1_ALERT_RECORD_OVERFLOW                1022
-#define SSL_R_TLSV1_ALERT_UNKNOWN_CA                     1048
-#define SSL_R_TLSV1_ALERT_USER_CANCELLED                 1090
-#define SSL_R_TLSV1_BAD_CERTIFICATE_HASH_VALUE           1114
-#define SSL_R_TLSV1_BAD_CERTIFICATE_STATUS_RESPONSE      1113
-#define SSL_R_TLSV1_CERTIFICATE_UNOBTAINABLE             1111
-#define SSL_R_TLSV1_UNRECOGNIZED_NAME                    1112
-#define SSL_R_TLSV1_UNSUPPORTED_EXTENSION                1110
-#define SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER       232
-#define SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT           365
-#define SSL_R_TLS_HEARTBEAT_PENDING                      366
-#define SSL_R_TLS_ILLEGAL_EXPORTER_LABEL                 367
-#define SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST             157
-#define SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST 233
-#define SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG    234
-#define SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER            235
-#define SSL_R_UNABLE_TO_DECODE_DH_CERTS                  236
-#define SSL_R_UNABLE_TO_DECODE_ECDH_CERTS                313
-#define SSL_R_UNABLE_TO_EXTRACT_PUBLIC_KEY               237
-#define SSL_R_UNABLE_TO_FIND_DH_PARAMETERS               238
-#define SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS             314
-#define SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS       239
-#define SSL_R_UNABLE_TO_FIND_SSL_METHOD                  240
-#define SSL_R_UNABLE_TO_LOAD_SSL2_MD5_ROUTINES           241
-#define SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES           242
-#define SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES          243
-#define SSL_R_UNEXPECTED_MESSAGE                         244
-#define SSL_R_UNEXPECTED_RECORD                          245
-#define SSL_R_UNINITIALIZED                              276
-#define SSL_R_UNKNOWN_ALERT_TYPE                         246
-#define SSL_R_UNKNOWN_CERTIFICATE_TYPE                   247
-#define SSL_R_UNKNOWN_CIPHER_RETURNED                    248
-#define SSL_R_UNKNOWN_CIPHER_TYPE                        249
-#define SSL_R_UNKNOWN_DIGEST                             368
-#define SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE                  250
-#define SSL_R_UNKNOWN_PKEY_TYPE                          251
-#define SSL_R_UNKNOWN_PROTOCOL                           252
-#define SSL_R_UNKNOWN_REMOTE_ERROR_TYPE                  253
-#define SSL_R_UNKNOWN_SSL_VERSION                        254
-#define SSL_R_UNKNOWN_STATE                              255
-#define SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED       338
-#define SSL_R_UNSUPPORTED_CIPHER                         256
-#define SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM          257
-#define SSL_R_UNSUPPORTED_DIGEST_TYPE                    326
-#define SSL_R_UNSUPPORTED_ELLIPTIC_CURVE                 315
-#define SSL_R_UNSUPPORTED_PROTOCOL                       258
-#define SSL_R_UNSUPPORTED_SSL_VERSION                    259
-#define SSL_R_UNSUPPORTED_STATUS_TYPE                    329
-#define SSL_R_USE_SRTP_NOT_NEGOTIATED                    369
-#define SSL_R_WRITE_BIO_NOT_SET                          260
-#define SSL_R_WRONG_CIPHER_RETURNED                      261
-#define SSL_R_WRONG_CURVE                                378
-#define SSL_R_WRONG_MESSAGE_TYPE                         262
-#define SSL_R_WRONG_NUMBER_OF_KEY_BITS                   263
-#define SSL_R_WRONG_SIGNATURE_LENGTH                     264
-#define SSL_R_WRONG_SIGNATURE_SIZE                       265
-#define SSL_R_WRONG_SIGNATURE_TYPE                       370
-#define SSL_R_WRONG_SSL_VERSION                          266
-#define SSL_R_WRONG_VERSION_NUMBER                       267
-#define SSL_R_X509_LIB                                   268
-#define SSL_R_X509_VERIFICATION_SETUP_PROBLEMS           269
-#ifdef  __cplusplus
-}
-#endif
-#endif
diff --git a/src/lib/libssl/ssl2.h b/src/lib/libssl/ssl2.h
deleted file mode 100644
index 3a8d300729..0000000000
--- a/src/lib/libssl/ssl2.h
+++ /dev/null
@@ -1,153 +0,0 @@
-/* $OpenBSD: ssl2.h,v 1.12 2014/12/14 15:30:50 jsing Exp $ */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-#ifndef HEADER_SSL2_H
-#define HEADER_SSL2_H
-#ifdef  __cplusplus
-extern "C" {
-#endif
-/* Protocol Version Codes */
-#define SSL2_VERSION            0x0002
-#define SSL2_VERSION_MAJOR      0x00
-#define SSL2_VERSION_MINOR      0x02
-/* #define SSL2_CLIENT_VERSION  0x0002 */
-/* #define SSL2_SERVER_VERSION  0x0002 */
-/* Protocol Message Codes */
-#define SSL2_MT_ERROR                   0
-#define SSL2_MT_CLIENT_HELLO            1
-#define SSL2_MT_CLIENT_MASTER_KEY       2
-#define SSL2_MT_CLIENT_FINISHED         3
-#define SSL2_MT_SERVER_HELLO            4
-#define SSL2_MT_SERVER_VERIFY           5
-#define SSL2_MT_SERVER_FINISHED         6
-#define SSL2_MT_REQUEST_CERTIFICATE     7
-#define SSL2_MT_CLIENT_CERTIFICATE      8
-/* Error Message Codes */
-#define SSL2_PE_UNDEFINED_ERROR         0x0000
-#define SSL2_PE_NO_CIPHER               0x0001
-#define SSL2_PE_NO_CERTIFICATE          0x0002
-#define SSL2_PE_BAD_CERTIFICATE         0x0004
-#define SSL2_PE_UNSUPPORTED_CERTIFICATE_TYPE 0x0006
-/* Cipher Kind Values */
-#define SSL2_CK_NULL_WITH_MD5                   0x02000000 /* v3 */
-#define SSL2_CK_RC4_128_WITH_MD5                0x02010080
-#define SSL2_CK_RC4_128_EXPORT40_WITH_MD5       0x02020080
-#define SSL2_CK_RC2_128_CBC_WITH_MD5            0x02030080
-#define SSL2_CK_RC2_128_CBC_EXPORT40_WITH_MD5   0x02040080
-#define SSL2_CK_IDEA_128_CBC_WITH_MD5           0x02050080
-#define SSL2_CK_DES_64_CBC_WITH_MD5             0x02060040
-#define SSL2_CK_DES_64_CBC_WITH_SHA             0x02060140 /* v3 */
-#define SSL2_CK_DES_192_EDE3_CBC_WITH_MD5       0x020700c0
-#define SSL2_CK_DES_192_EDE3_CBC_WITH_SHA       0x020701c0 /* v3 */
-#define SSL2_CK_RC4_64_WITH_MD5                 0x02080080 /* MS hack */
-#define SSL2_CK_DES_64_CFB64_WITH_MD5_1         0x02ff0800 /* SSLeay */
-#define SSL2_CK_NULL                            0x02ff0810 /* SSLeay */
-#define SSL2_TXT_DES_64_CFB64_WITH_MD5_1        "DES-CFB-M1"
-#define SSL2_TXT_NULL_WITH_MD5                  "NULL-MD5"
-#define SSL2_TXT_RC4_128_WITH_MD5               "RC4-MD5"
-#define SSL2_TXT_RC4_128_EXPORT40_WITH_MD5      "EXP-RC4-MD5"
-#define SSL2_TXT_RC2_128_CBC_WITH_MD5           "RC2-CBC-MD5"
-#define SSL2_TXT_RC2_128_CBC_EXPORT40_WITH_MD5  "EXP-RC2-CBC-MD5"
-#define SSL2_TXT_IDEA_128_CBC_WITH_MD5          "IDEA-CBC-MD5"
-#define SSL2_TXT_DES_64_CBC_WITH_MD5            "DES-CBC-MD5"
-#define SSL2_TXT_DES_64_CBC_WITH_SHA            "DES-CBC-SHA"
-#define SSL2_TXT_DES_192_EDE3_CBC_WITH_MD5      "DES-CBC3-MD5"
-#define SSL2_TXT_DES_192_EDE3_CBC_WITH_SHA      "DES-CBC3-SHA"
-#define SSL2_TXT_RC4_64_WITH_MD5                "RC4-64-MD5"
-#define SSL2_TXT_NULL                           "NULL"
-/* Flags for the SSL_CIPHER.algorithm2 field */
-#define SSL2_CF_5_BYTE_ENC                      0x01
-#define SSL2_CF_8_BYTE_ENC                      0x02
-/* Certificate Type Codes */
-#define SSL2_CT_X509_CERTIFICATE                0x01
-/* Authentication Type Code */
-#define SSL2_AT_MD5_WITH_RSA_ENCRYPTION         0x01
-#define SSL2_MAX_SSL_SESSION_ID_LENGTH          32
-/* Upper/Lower Bounds */
-#define SSL2_MAX_MASTER_KEY_LENGTH_IN_BITS      256
-#define SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER    32767u  /* 2^15-1 */
-#define SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER    16383   /* 2^14-1 */
-#define SSL2_CHALLENGE_LENGTH   16
-/*#define SSL2_CHALLENGE_LENGTH 32 */
-#define SSL2_MIN_CHALLENGE_LENGTH       16
-#define SSL2_MAX_CHALLENGE_LENGTH       32
-#define SSL2_CONNECTION_ID_LENGTH       16
-#define SSL2_MAX_CONNECTION_ID_LENGTH   16
-#define SSL2_SSL_SESSION_ID_LENGTH      16
-#define SSL2_MAX_CERT_CHALLENGE_LENGTH  32
-#define SSL2_MIN_CERT_CHALLENGE_LENGTH  16
-#define SSL2_MAX_KEY_MATERIAL_LENGTH    24
-#ifdef  __cplusplus
-}
-#endif
-#endif
diff --git a/src/lib/libssl/ssl23.h b/src/lib/libssl/ssl23.h
deleted file mode 100644
index 570e4b0171..0000000000
--- a/src/lib/libssl/ssl23.h
+++ /dev/null
@@ -1,82 +0,0 @@
-/* $OpenBSD: ssl23.h,v 1.4 2014/12/14 15:30:50 jsing Exp $ */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-#ifndef HEADER_SSL23_H
-#define HEADER_SSL23_H
-#ifdef  __cplusplus
-extern "C" {
-#endif
-/*client */
-/* write to server */
-#define SSL23_ST_CW_CLNT_HELLO_A        (0x210|SSL_ST_CONNECT)
-#define SSL23_ST_CW_CLNT_HELLO_B        (0x211|SSL_ST_CONNECT)
-/* read from server */
-#define SSL23_ST_CR_SRVR_HELLO_A        (0x220|SSL_ST_CONNECT)
-#define SSL23_ST_CR_SRVR_HELLO_B        (0x221|SSL_ST_CONNECT)
-/* server */
-/* read from client */
-#define SSL23_ST_SR_CLNT_HELLO_A        (0x210|SSL_ST_ACCEPT)
-#define SSL23_ST_SR_CLNT_HELLO_B        (0x211|SSL_ST_ACCEPT)
-#ifdef  __cplusplus
-}
-#endif
-#endif
diff --git a/src/lib/libssl/ssl3.h b/src/lib/libssl/ssl3.h
deleted file mode 100644
index 5ec2fe6f88..0000000000
--- a/src/lib/libssl/ssl3.h
+++ /dev/null
@@ -1,617 +0,0 @@
-/* $OpenBSD: ssl3.h,v 1.41 2015/07/19 06:23:51 doug Exp $ */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-/* ====================================================================
- * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    openssl-core@openssl.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-/* ====================================================================
- * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
- * ECC cipher suite support in OpenSSL originally developed by
- * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
- */
-#ifndef HEADER_SSL3_H
-#define HEADER_SSL3_H
-#include <openssl/buffer.h>
-#include <openssl/evp.h>
-#include <openssl/ssl.h>
-#ifdef  __cplusplus
-extern "C" {
-#endif
-/* TLS_EMPTY_RENEGOTIATION_INFO_SCSV from RFC 5746. */
-#define SSL3_CK_SCSV                            0x030000FF
-/* TLS_FALLBACK_SCSV from draft-ietf-tls-downgrade-scsv-03. */
-#define SSL3_CK_FALLBACK_SCSV                   0x03005600
-#define SSL3_CK_RSA_NULL_MD5                    0x03000001
-#define SSL3_CK_RSA_NULL_SHA                    0x03000002
-#define SSL3_CK_RSA_RC4_40_MD5                  0x03000003
-#define SSL3_CK_RSA_RC4_128_MD5                 0x03000004
-#define SSL3_CK_RSA_RC4_128_SHA                 0x03000005
-#define SSL3_CK_RSA_RC2_40_MD5                  0x03000006
-#define SSL3_CK_RSA_IDEA_128_SHA                0x03000007
-#define SSL3_CK_RSA_DES_40_CBC_SHA              0x03000008
-#define SSL3_CK_RSA_DES_64_CBC_SHA              0x03000009
-#define SSL3_CK_RSA_DES_192_CBC3_SHA            0x0300000A
-#define SSL3_CK_DH_DSS_DES_40_CBC_SHA           0x0300000B
-#define SSL3_CK_DH_DSS_DES_64_CBC_SHA           0x0300000C
-#define SSL3_CK_DH_DSS_DES_192_CBC3_SHA         0x0300000D
-#define SSL3_CK_DH_RSA_DES_40_CBC_SHA           0x0300000E
-#define SSL3_CK_DH_RSA_DES_64_CBC_SHA           0x0300000F
-#define SSL3_CK_DH_RSA_DES_192_CBC3_SHA         0x03000010
-#define SSL3_CK_EDH_DSS_DES_40_CBC_SHA          0x03000011
-#define SSL3_CK_EDH_DSS_DES_64_CBC_SHA          0x03000012
-#define SSL3_CK_EDH_DSS_DES_192_CBC3_SHA        0x03000013
-#define SSL3_CK_EDH_RSA_DES_40_CBC_SHA          0x03000014
-#define SSL3_CK_EDH_RSA_DES_64_CBC_SHA          0x03000015
-#define SSL3_CK_EDH_RSA_DES_192_CBC3_SHA        0x03000016
-#define SSL3_CK_ADH_RC4_40_MD5                  0x03000017
-#define SSL3_CK_ADH_RC4_128_MD5                 0x03000018
-#define SSL3_CK_ADH_DES_40_CBC_SHA              0x03000019
-#define SSL3_CK_ADH_DES_64_CBC_SHA              0x0300001A
-#define SSL3_CK_ADH_DES_192_CBC_SHA             0x0300001B
-/*    VRS Additional Kerberos5 entries
- */
-#define SSL3_CK_KRB5_DES_64_CBC_SHA             0x0300001E
-#define SSL3_CK_KRB5_DES_192_CBC3_SHA           0x0300001F
-#define SSL3_CK_KRB5_RC4_128_SHA                0x03000020
-#define SSL3_CK_KRB5_IDEA_128_CBC_SHA           0x03000021
-#define SSL3_CK_KRB5_DES_64_CBC_MD5             0x03000022
-#define SSL3_CK_KRB5_DES_192_CBC3_MD5           0x03000023
-#define SSL3_CK_KRB5_RC4_128_MD5                0x03000024
-#define SSL3_CK_KRB5_IDEA_128_CBC_MD5           0x03000025
-#define SSL3_CK_KRB5_DES_40_CBC_SHA             0x03000026
-#define SSL3_CK_KRB5_RC2_40_CBC_SHA             0x03000027
-#define SSL3_CK_KRB5_RC4_40_SHA                 0x03000028
-#define SSL3_CK_KRB5_DES_40_CBC_MD5             0x03000029
-#define SSL3_CK_KRB5_RC2_40_CBC_MD5             0x0300002A
-#define SSL3_CK_KRB5_RC4_40_MD5                 0x0300002B
-#define SSL3_TXT_RSA_NULL_MD5                   "NULL-MD5"
-#define SSL3_TXT_RSA_NULL_SHA                   "NULL-SHA"
-#define SSL3_TXT_RSA_RC4_40_MD5                 "EXP-RC4-MD5"
-#define SSL3_TXT_RSA_RC4_128_MD5                "RC4-MD5"
-#define SSL3_TXT_RSA_RC4_128_SHA                "RC4-SHA"
-#define SSL3_TXT_RSA_RC2_40_MD5                 "EXP-RC2-CBC-MD5"
-#define SSL3_TXT_RSA_IDEA_128_SHA               "IDEA-CBC-SHA"
-#define SSL3_TXT_RSA_DES_40_CBC_SHA             "EXP-DES-CBC-SHA"
-#define SSL3_TXT_RSA_DES_64_CBC_SHA             "DES-CBC-SHA"
-#define SSL3_TXT_RSA_DES_192_CBC3_SHA           "DES-CBC3-SHA"
-#define SSL3_TXT_DH_DSS_DES_40_CBC_SHA          "EXP-DH-DSS-DES-CBC-SHA"
-#define SSL3_TXT_DH_DSS_DES_64_CBC_SHA          "DH-DSS-DES-CBC-SHA"
-#define SSL3_TXT_DH_DSS_DES_192_CBC3_SHA        "DH-DSS-DES-CBC3-SHA"
-#define SSL3_TXT_DH_RSA_DES_40_CBC_SHA          "EXP-DH-RSA-DES-CBC-SHA"
-#define SSL3_TXT_DH_RSA_DES_64_CBC_SHA          "DH-RSA-DES-CBC-SHA"
-#define SSL3_TXT_DH_RSA_DES_192_CBC3_SHA        "DH-RSA-DES-CBC3-SHA"
-#define SSL3_TXT_EDH_DSS_DES_40_CBC_SHA         "EXP-EDH-DSS-DES-CBC-SHA"
-#define SSL3_TXT_EDH_DSS_DES_64_CBC_SHA         "EDH-DSS-DES-CBC-SHA"
-#define SSL3_TXT_EDH_DSS_DES_192_CBC3_SHA       "EDH-DSS-DES-CBC3-SHA"
-#define SSL3_TXT_EDH_RSA_DES_40_CBC_SHA         "EXP-EDH-RSA-DES-CBC-SHA"
-#define SSL3_TXT_EDH_RSA_DES_64_CBC_SHA         "EDH-RSA-DES-CBC-SHA"
-#define SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA       "EDH-RSA-DES-CBC3-SHA"
-#define SSL3_TXT_ADH_RC4_40_MD5                 "EXP-ADH-RC4-MD5"
-#define SSL3_TXT_ADH_RC4_128_MD5                "ADH-RC4-MD5"
-#define SSL3_TXT_ADH_DES_40_CBC_SHA             "EXP-ADH-DES-CBC-SHA"
-#define SSL3_TXT_ADH_DES_64_CBC_SHA             "ADH-DES-CBC-SHA"
-#define SSL3_TXT_ADH_DES_192_CBC_SHA            "ADH-DES-CBC3-SHA"
-#define SSL3_TXT_KRB5_DES_64_CBC_SHA            "KRB5-DES-CBC-SHA"
-#define SSL3_TXT_KRB5_DES_192_CBC3_SHA          "KRB5-DES-CBC3-SHA"
-#define SSL3_TXT_KRB5_RC4_128_SHA               "KRB5-RC4-SHA"
-#define SSL3_TXT_KRB5_IDEA_128_CBC_SHA          "KRB5-IDEA-CBC-SHA"
-#define SSL3_TXT_KRB5_DES_64_CBC_MD5            "KRB5-DES-CBC-MD5"
-#define SSL3_TXT_KRB5_DES_192_CBC3_MD5          "KRB5-DES-CBC3-MD5"
-#define SSL3_TXT_KRB5_RC4_128_MD5               "KRB5-RC4-MD5"
-#define SSL3_TXT_KRB5_IDEA_128_CBC_MD5          "KRB5-IDEA-CBC-MD5"
-#define SSL3_TXT_KRB5_DES_40_CBC_SHA            "EXP-KRB5-DES-CBC-SHA"
-#define SSL3_TXT_KRB5_RC2_40_CBC_SHA            "EXP-KRB5-RC2-CBC-SHA"
-#define SSL3_TXT_KRB5_RC4_40_SHA                "EXP-KRB5-RC4-SHA"
-#define SSL3_TXT_KRB5_DES_40_CBC_MD5            "EXP-KRB5-DES-CBC-MD5"
-#define SSL3_TXT_KRB5_RC2_40_CBC_MD5            "EXP-KRB5-RC2-CBC-MD5"
-#define SSL3_TXT_KRB5_RC4_40_MD5                "EXP-KRB5-RC4-MD5"
-#define SSL3_SSL_SESSION_ID_LENGTH              32
-#define SSL3_MAX_SSL_SESSION_ID_LENGTH          32
-#define SSL3_MASTER_SECRET_SIZE                 48
-#define SSL3_RANDOM_SIZE                        32
-#define SSL3_SEQUENCE_SIZE                      8
-#define SSL3_SESSION_ID_SIZE                    32
-#define SSL3_CIPHER_VALUE_SIZE                  2
-#define SSL3_RT_HEADER_LENGTH                   5
-#define SSL3_HM_HEADER_LENGTH                   4
-#define SSL3_ALIGN_PAYLOAD                      8
-/* This is the maximum MAC (digest) size used by the SSL library.
- * Currently maximum of 20 is used by SHA1, but we reserve for
- * future extension for 512-bit hashes.
- */
-#define SSL3_RT_MAX_MD_SIZE                     64
-/* Maximum block size used in all ciphersuites. Currently 16 for AES.
- */
-#define SSL_RT_MAX_CIPHER_BLOCK_SIZE            16
-#define SSL3_RT_MAX_EXTRA                       (16384)
-/* Maximum plaintext length: defined by SSL/TLS standards */
-#define SSL3_RT_MAX_PLAIN_LENGTH                16384
-/* Maximum compression overhead: defined by SSL/TLS standards */
-#define SSL3_RT_MAX_COMPRESSED_OVERHEAD         1024
-/* The standards give a maximum encryption overhead of 1024 bytes.
- * In practice the value is lower than this. The overhead is the maximum
- * number of padding bytes (256) plus the mac size.
- */
-#define SSL3_RT_MAX_ENCRYPTED_OVERHEAD  (256 + SSL3_RT_MAX_MD_SIZE)
-/* OpenSSL currently only uses a padding length of at most one block so
- * the send overhead is smaller.
- */
-#define SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD \
-                        (SSL_RT_MAX_CIPHER_BLOCK_SIZE + SSL3_RT_MAX_MD_SIZE)
-/* If compression isn't used don't include the compression overhead */
-#define SSL3_RT_MAX_COMPRESSED_LENGTH           SSL3_RT_MAX_PLAIN_LENGTH
-#define SSL3_RT_MAX_ENCRYPTED_LENGTH    \
-                (SSL3_RT_MAX_ENCRYPTED_OVERHEAD+SSL3_RT_MAX_COMPRESSED_LENGTH)
-#define SSL3_RT_MAX_PACKET_SIZE         \
-                (SSL3_RT_MAX_ENCRYPTED_LENGTH+SSL3_RT_HEADER_LENGTH)
-#define SSL3_MD_CLIENT_FINISHED_CONST   "\x43\x4C\x4E\x54"
-#define SSL3_MD_SERVER_FINISHED_CONST   "\x53\x52\x56\x52"
-#define SSL3_VERSION                    0x0300
-#define SSL3_VERSION_MAJOR              0x03
-#define SSL3_VERSION_MINOR              0x00
-#define SSL3_RT_CHANGE_CIPHER_SPEC      20
-#define SSL3_RT_ALERT                   21
-#define SSL3_RT_HANDSHAKE               22
-#define SSL3_RT_APPLICATION_DATA        23
-#define TLS1_RT_HEARTBEAT               24
-#define SSL3_AL_WARNING                 1
-#define SSL3_AL_FATAL                   2
-#define SSL3_AD_CLOSE_NOTIFY             0
-#define SSL3_AD_UNEXPECTED_MESSAGE      10      /* fatal */
-#define SSL3_AD_BAD_RECORD_MAC          20      /* fatal */
-#define SSL3_AD_DECOMPRESSION_FAILURE   30      /* fatal */
-#define SSL3_AD_HANDSHAKE_FAILURE       40      /* fatal */
-#define SSL3_AD_NO_CERTIFICATE          41
-#define SSL3_AD_BAD_CERTIFICATE         42
-#define SSL3_AD_UNSUPPORTED_CERTIFICATE 43
-#define SSL3_AD_CERTIFICATE_REVOKED     44
-#define SSL3_AD_CERTIFICATE_EXPIRED     45
-#define SSL3_AD_CERTIFICATE_UNKNOWN     46
-#define SSL3_AD_ILLEGAL_PARAMETER       47      /* fatal */
-#define TLS1_HB_REQUEST         1
-#define TLS1_HB_RESPONSE        2
-#ifndef OPENSSL_NO_SSL_INTERN
-typedef struct ssl3_record_st {
-/*r */  int type;               /* type of record */
-/*rw*/  unsigned int length;    /* How many bytes available */
-/*r */  unsigned int off;       /* read/write offset into 'buf' */
-/*rw*/  unsigned char *data;    /* pointer to the record data */
-/*rw*/  unsigned char *input;   /* where the decode bytes are */
-/*r */  unsigned long epoch;    /* epoch number, needed by DTLS1 */
-/*r */  unsigned char seq_num[8]; /* sequence number, needed by DTLS1 */
-} SSL3_RECORD;
-typedef struct ssl3_buffer_st {
-        unsigned char *buf;     /* at least SSL3_RT_MAX_PACKET_SIZE bytes,
-                                 * see ssl3_setup_buffers() */
-        size_t len;             /* buffer size */
-        int offset;             /* where to 'copy from' */
-        int left;               /* how many bytes left */
-} SSL3_BUFFER;
-#endif
-#define SSL3_CT_RSA_SIGN                        1
-#define SSL3_CT_DSS_SIGN                        2
-#define SSL3_CT_RSA_FIXED_DH                    3
-#define SSL3_CT_DSS_FIXED_DH                    4
-#define SSL3_CT_RSA_EPHEMERAL_DH                5
-#define SSL3_CT_DSS_EPHEMERAL_DH                6
-#define SSL3_CT_FORTEZZA_DMS                    20
-/* SSL3_CT_NUMBER is used to size arrays and it must be large
- * enough to contain all of the cert types defined either for
- * SSLv3 and TLSv1.
- */
-#define SSL3_CT_NUMBER                  11
-#define SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS       0x0001
-#define SSL3_FLAGS_DELAY_CLIENT_FINISHED        0x0002
-#define SSL3_FLAGS_POP_BUFFER                   0x0004
-#define TLS1_FLAGS_TLS_PADDING_BUG              0x0
-#define TLS1_FLAGS_SKIP_CERT_VERIFY             0x0010
-#define TLS1_FLAGS_KEEP_HANDSHAKE               0x0020
-#define SSL3_FLAGS_CCS_OK                       0x0080
-#ifndef OPENSSL_NO_SSL_INTERN
-typedef struct ssl3_state_st {
-        long flags;
-        int delay_buf_pop_ret;
-        unsigned char read_sequence[SSL3_SEQUENCE_SIZE];
-        int read_mac_secret_size;
-        unsigned char read_mac_secret[EVP_MAX_MD_SIZE];
-        unsigned char write_sequence[SSL3_SEQUENCE_SIZE];
-        int write_mac_secret_size;
-        unsigned char write_mac_secret[EVP_MAX_MD_SIZE];
-        unsigned char server_random[SSL3_RANDOM_SIZE];
-        unsigned char client_random[SSL3_RANDOM_SIZE];
-        /* flags for countermeasure against known-IV weakness */
-        int need_empty_fragments;
-        int empty_fragment_done;
-        SSL3_BUFFER rbuf;       /* read IO goes into here */
-        SSL3_BUFFER wbuf;       /* write IO goes into here */
-        SSL3_RECORD rrec;       /* each decoded record goes in here */
-        SSL3_RECORD wrec;       /* goes out from here */
-        /* storage for Alert/Handshake protocol data received but not
-         * yet processed by ssl3_read_bytes: */
-        unsigned char alert_fragment[2];
-        unsigned int alert_fragment_len;
-        unsigned char handshake_fragment[4];
-        unsigned int handshake_fragment_len;
-        /* partial write - check the numbers match */
-        unsigned int wnum;      /* number of bytes sent so far */
-        int wpend_tot;          /* number bytes written */
-        int wpend_type;
-        int wpend_ret;          /* number of bytes submitted */
-        const unsigned char *wpend_buf;
-        /* used during startup, digest all incoming/outgoing packets */
-        BIO *handshake_buffer;
-        /* When set of handshake digests is determined, buffer is hashed
-         * and freed and MD_CTX-es for all required digests are stored in
-         * this array */
-        EVP_MD_CTX **handshake_dgst;
-        /* this is set whenerver we see a change_cipher_spec message
-         * come in when we are not looking for one */
-        int change_cipher_spec;
-        int warn_alert;
-        int fatal_alert;
-        /* we allow one fatal and one warning alert to be outstanding,
-         * send close alert via the warning alert */
-        int alert_dispatch;
-        unsigned char send_alert[2];
-        /* This flag is set when we should renegotiate ASAP, basically when
-         * there is no more data in the read or write buffers */
-        int renegotiate;
-        int total_renegotiations;
-        int num_renegotiations;
-        int in_read_app_data;
-        struct  {
-                /* actually only needs to be 16+20 */
-                unsigned char cert_verify_md[EVP_MAX_MD_SIZE*2];
-                /* actually only need to be 16+20 for SSLv3 and 12 for TLS */
-                unsigned char finish_md[EVP_MAX_MD_SIZE*2];
-                int finish_md_len;
-                unsigned char peer_finish_md[EVP_MAX_MD_SIZE*2];
-                int peer_finish_md_len;
-                unsigned long message_size;
-                int message_type;
-                /* used to hold the new cipher we are going to use */
-                const SSL_CIPHER *new_cipher;
-                DH *dh;
-                EC_KEY *ecdh; /* holds short lived ECDH key */
-                /* used when SSL_ST_FLUSH_DATA is entered */
-                int next_state;
-                int reuse_message;
-                /* used for certificate requests */
-                int cert_req;
-                int ctype_num;
-                char ctype[SSL3_CT_NUMBER];
-                STACK_OF(X509_NAME) *ca_names;
-                int key_block_length;
-                unsigned char *key_block;
-                const EVP_CIPHER *new_sym_enc;
-                const EVP_AEAD *new_aead;
-                const EVP_MD *new_hash;
-                int new_mac_pkey_type;
-                int new_mac_secret_size;
-                int cert_request;
-        } tmp;
-        /* Connection binding to prevent renegotiation attacks */
-        unsigned char previous_client_finished[EVP_MAX_MD_SIZE];
-        unsigned char previous_client_finished_len;
-        unsigned char previous_server_finished[EVP_MAX_MD_SIZE];
-        unsigned char previous_server_finished_len;
-        int send_connection_binding; /* TODOEKR */
-        /* Set if we saw the Next Protocol Negotiation extension from our peer.
-         */
-        int next_proto_neg_seen;
-        /*
-         * ALPN information
-         * (we are in the process of transitioning from NPN to ALPN).
-         */
-        /*
-         * In a server these point to the selected ALPN protocol after the
-         * ClientHello has been processed. In a client these contain the
-         * protocol that the server selected once the ServerHello has been
-         * processed.
-         */
-        unsigned char *alpn_selected;
-        unsigned int alpn_selected_len;
-} SSL3_STATE;
-#endif
-/* SSLv3 */
-/*client */
-/* extra state */
-#define SSL3_ST_CW_FLUSH                        (0x100|SSL_ST_CONNECT)
-/* write to server */
-#define SSL3_ST_CW_CLNT_HELLO_A                 (0x110|SSL_ST_CONNECT)
-#define SSL3_ST_CW_CLNT_HELLO_B                 (0x111|SSL_ST_CONNECT)
-/* read from server */
-#define SSL3_ST_CR_SRVR_HELLO_A                 (0x120|SSL_ST_CONNECT)
-#define SSL3_ST_CR_SRVR_HELLO_B                 (0x121|SSL_ST_CONNECT)
-#define DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A      (0x126|SSL_ST_CONNECT)
-#define DTLS1_ST_CR_HELLO_VERIFY_REQUEST_B      (0x127|SSL_ST_CONNECT)
-#define SSL3_ST_CR_CERT_A                       (0x130|SSL_ST_CONNECT)
-#define SSL3_ST_CR_CERT_B                       (0x131|SSL_ST_CONNECT)
-#define SSL3_ST_CR_KEY_EXCH_A                   (0x140|SSL_ST_CONNECT)
-#define SSL3_ST_CR_KEY_EXCH_B                   (0x141|SSL_ST_CONNECT)
-#define SSL3_ST_CR_CERT_REQ_A                   (0x150|SSL_ST_CONNECT)
-#define SSL3_ST_CR_CERT_REQ_B                   (0x151|SSL_ST_CONNECT)
-#define SSL3_ST_CR_SRVR_DONE_A                  (0x160|SSL_ST_CONNECT)
-#define SSL3_ST_CR_SRVR_DONE_B                  (0x161|SSL_ST_CONNECT)
-/* write to server */
-#define SSL3_ST_CW_CERT_A                       (0x170|SSL_ST_CONNECT)
-#define SSL3_ST_CW_CERT_B                       (0x171|SSL_ST_CONNECT)
-#define SSL3_ST_CW_CERT_C                       (0x172|SSL_ST_CONNECT)
-#define SSL3_ST_CW_CERT_D                       (0x173|SSL_ST_CONNECT)
-#define SSL3_ST_CW_KEY_EXCH_A                   (0x180|SSL_ST_CONNECT)
-#define SSL3_ST_CW_KEY_EXCH_B                   (0x181|SSL_ST_CONNECT)
-#define SSL3_ST_CW_CERT_VRFY_A                  (0x190|SSL_ST_CONNECT)
-#define SSL3_ST_CW_CERT_VRFY_B                  (0x191|SSL_ST_CONNECT)
-#define SSL3_ST_CW_CHANGE_A                     (0x1A0|SSL_ST_CONNECT)
-#define SSL3_ST_CW_CHANGE_B                     (0x1A1|SSL_ST_CONNECT)
-#define SSL3_ST_CW_NEXT_PROTO_A                 (0x200|SSL_ST_CONNECT)
-#define SSL3_ST_CW_NEXT_PROTO_B                 (0x201|SSL_ST_CONNECT)
-#define SSL3_ST_CW_FINISHED_A                   (0x1B0|SSL_ST_CONNECT)
-#define SSL3_ST_CW_FINISHED_B                   (0x1B1|SSL_ST_CONNECT)
-/* read from server */
-#define SSL3_ST_CR_CHANGE_A                     (0x1C0|SSL_ST_CONNECT)
-#define SSL3_ST_CR_CHANGE_B                     (0x1C1|SSL_ST_CONNECT)
-#define SSL3_ST_CR_FINISHED_A                   (0x1D0|SSL_ST_CONNECT)
-#define SSL3_ST_CR_FINISHED_B                   (0x1D1|SSL_ST_CONNECT)
-#define SSL3_ST_CR_SESSION_TICKET_A             (0x1E0|SSL_ST_CONNECT)
-#define SSL3_ST_CR_SESSION_TICKET_B             (0x1E1|SSL_ST_CONNECT)
-#define SSL3_ST_CR_CERT_STATUS_A                (0x1F0|SSL_ST_CONNECT)
-#define SSL3_ST_CR_CERT_STATUS_B                (0x1F1|SSL_ST_CONNECT)
-/* server */
-/* extra state */
-#define SSL3_ST_SW_FLUSH                        (0x100|SSL_ST_ACCEPT)
-/* read from client */
-/* Do not change the number values, they do matter */
-#define SSL3_ST_SR_CLNT_HELLO_A                 (0x110|SSL_ST_ACCEPT)
-#define SSL3_ST_SR_CLNT_HELLO_B                 (0x111|SSL_ST_ACCEPT)
-#define SSL3_ST_SR_CLNT_HELLO_C                 (0x112|SSL_ST_ACCEPT)
-/* write to client */
-#define DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A      (0x113|SSL_ST_ACCEPT)
-#define DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B      (0x114|SSL_ST_ACCEPT)
-#define SSL3_ST_SW_HELLO_REQ_A                  (0x120|SSL_ST_ACCEPT)
-#define SSL3_ST_SW_HELLO_REQ_B                  (0x121|SSL_ST_ACCEPT)
-#define SSL3_ST_SW_HELLO_REQ_C                  (0x122|SSL_ST_ACCEPT)
-#define SSL3_ST_SW_SRVR_HELLO_A                 (0x130|SSL_ST_ACCEPT)
-#define SSL3_ST_SW_SRVR_HELLO_B                 (0x131|SSL_ST_ACCEPT)
-#define SSL3_ST_SW_CERT_A                       (0x140|SSL_ST_ACCEPT)
-#define SSL3_ST_SW_CERT_B                       (0x141|SSL_ST_ACCEPT)
-#define SSL3_ST_SW_KEY_EXCH_A                   (0x150|SSL_ST_ACCEPT)
-#define SSL3_ST_SW_KEY_EXCH_B                   (0x151|SSL_ST_ACCEPT)
-#define SSL3_ST_SW_CERT_REQ_A                   (0x160|SSL_ST_ACCEPT)
-#define SSL3_ST_SW_CERT_REQ_B                   (0x161|SSL_ST_ACCEPT)
-#define SSL3_ST_SW_SRVR_DONE_A                  (0x170|SSL_ST_ACCEPT)
-#define SSL3_ST_SW_SRVR_DONE_B                  (0x171|SSL_ST_ACCEPT)
-/* read from client */
-#define SSL3_ST_SR_CERT_A                       (0x180|SSL_ST_ACCEPT)
-#define SSL3_ST_SR_CERT_B                       (0x181|SSL_ST_ACCEPT)
-#define SSL3_ST_SR_KEY_EXCH_A                   (0x190|SSL_ST_ACCEPT)
-#define SSL3_ST_SR_KEY_EXCH_B                   (0x191|SSL_ST_ACCEPT)
-#define SSL3_ST_SR_CERT_VRFY_A                  (0x1A0|SSL_ST_ACCEPT)
-#define SSL3_ST_SR_CERT_VRFY_B                  (0x1A1|SSL_ST_ACCEPT)
-#define SSL3_ST_SR_CHANGE_A                     (0x1B0|SSL_ST_ACCEPT)
-#define SSL3_ST_SR_CHANGE_B                     (0x1B1|SSL_ST_ACCEPT)
-#define SSL3_ST_SR_NEXT_PROTO_A                 (0x210|SSL_ST_ACCEPT)
-#define SSL3_ST_SR_NEXT_PROTO_B                 (0x211|SSL_ST_ACCEPT)
-#define SSL3_ST_SR_FINISHED_A                   (0x1C0|SSL_ST_ACCEPT)
-#define SSL3_ST_SR_FINISHED_B                   (0x1C1|SSL_ST_ACCEPT)
-/* write to client */
-#define SSL3_ST_SW_CHANGE_A                     (0x1D0|SSL_ST_ACCEPT)
-#define SSL3_ST_SW_CHANGE_B                     (0x1D1|SSL_ST_ACCEPT)
-#define SSL3_ST_SW_FINISHED_A                   (0x1E0|SSL_ST_ACCEPT)
-#define SSL3_ST_SW_FINISHED_B                   (0x1E1|SSL_ST_ACCEPT)
-#define SSL3_ST_SW_SESSION_TICKET_A             (0x1F0|SSL_ST_ACCEPT)
-#define SSL3_ST_SW_SESSION_TICKET_B             (0x1F1|SSL_ST_ACCEPT)
-#define SSL3_ST_SW_CERT_STATUS_A                (0x200|SSL_ST_ACCEPT)
-#define SSL3_ST_SW_CERT_STATUS_B                (0x201|SSL_ST_ACCEPT)
-#define SSL3_MT_HELLO_REQUEST                   0
-#define SSL3_MT_CLIENT_HELLO                    1
-#define SSL3_MT_SERVER_HELLO                    2
-#define SSL3_MT_NEWSESSION_TICKET               4
-#define SSL3_MT_CERTIFICATE                     11
-#define SSL3_MT_SERVER_KEY_EXCHANGE             12
-#define SSL3_MT_CERTIFICATE_REQUEST             13
-#define SSL3_MT_SERVER_DONE                     14
-#define SSL3_MT_CERTIFICATE_VERIFY              15
-#define SSL3_MT_CLIENT_KEY_EXCHANGE             16
-#define SSL3_MT_FINISHED                        20
-#define SSL3_MT_CERTIFICATE_STATUS              22
-#define SSL3_MT_NEXT_PROTO                      67
-#define DTLS1_MT_HELLO_VERIFY_REQUEST           3
-#define SSL3_MT_CCS                             1
-/* These are used when changing over to a new cipher */
-#define SSL3_CC_READ            0x01
-#define SSL3_CC_WRITE           0x02
-#define SSL3_CC_CLIENT          0x10
-#define SSL3_CC_SERVER          0x20
-#define SSL3_CHANGE_CIPHER_CLIENT_WRITE         (SSL3_CC_CLIENT|SSL3_CC_WRITE)
-#define SSL3_CHANGE_CIPHER_SERVER_READ          (SSL3_CC_SERVER|SSL3_CC_READ)
-#define SSL3_CHANGE_CIPHER_CLIENT_READ          (SSL3_CC_CLIENT|SSL3_CC_READ)
-#define SSL3_CHANGE_CIPHER_SERVER_WRITE         (SSL3_CC_SERVER|SSL3_CC_WRITE)
-#ifdef  __cplusplus
-}
-#endif
-#endif
diff --git a/src/lib/libssl/ssl_algs.c b/src/lib/libssl/ssl_algs.c
deleted file mode 100644
index 3010a735c9..0000000000
--- a/src/lib/libssl/ssl_algs.c
+++ /dev/null
@@ -1,131 +0,0 @@
-/* $OpenBSD: ssl_algs.c,v 1.22 2014/12/14 15:30:50 jsing Exp $ */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-#include <stdio.h>
-#include <openssl/lhash.h>
-#include <openssl/objects.h>
-#include "ssl_locl.h"
-int
-SSL_library_init(void)
-{
-#ifndef OPENSSL_NO_DES
-        EVP_add_cipher(EVP_des_cbc());
-        EVP_add_cipher(EVP_des_ede3_cbc());
-#endif
-#ifndef OPENSSL_NO_IDEA
-        EVP_add_cipher(EVP_idea_cbc());
-#endif
-#ifndef OPENSSL_NO_RC4
-        EVP_add_cipher(EVP_rc4());
-#if !defined(OPENSSL_NO_MD5) && (defined(__x86_64) || defined(__x86_64__))
-        EVP_add_cipher(EVP_rc4_hmac_md5());
-#endif
-#endif
-#ifndef OPENSSL_NO_RC2
-        EVP_add_cipher(EVP_rc2_cbc());
-        /* Not actually used for SSL/TLS but this makes PKCS#12 work
-         * if an application only calls SSL_library_init().
-         */
-        EVP_add_cipher(EVP_rc2_40_cbc());
-#endif
-        EVP_add_cipher(EVP_aes_128_cbc());
-        EVP_add_cipher(EVP_aes_192_cbc());
-        EVP_add_cipher(EVP_aes_256_cbc());
-        EVP_add_cipher(EVP_aes_128_gcm());
-        EVP_add_cipher(EVP_aes_256_gcm());
-        EVP_add_cipher(EVP_aes_128_cbc_hmac_sha1());
-        EVP_add_cipher(EVP_aes_256_cbc_hmac_sha1());
-#ifndef OPENSSL_NO_CAMELLIA
-        EVP_add_cipher(EVP_camellia_128_cbc());
-        EVP_add_cipher(EVP_camellia_256_cbc());
-#endif
-#ifndef OPENSSL_NO_GOST
-        EVP_add_cipher(EVP_gost2814789_cfb64());
-        EVP_add_cipher(EVP_gost2814789_cnt());
-#endif
-        EVP_add_digest(EVP_md5());
-        EVP_add_digest_alias(SN_md5, "ssl2-md5");
-        EVP_add_digest_alias(SN_md5, "ssl3-md5");
-        EVP_add_digest(EVP_sha1()); /* RSA with sha1 */
-        EVP_add_digest_alias(SN_sha1, "ssl3-sha1");
-        EVP_add_digest_alias(SN_sha1WithRSAEncryption, SN_sha1WithRSA);
-        EVP_add_digest(EVP_sha224());
-        EVP_add_digest(EVP_sha256());
-        EVP_add_digest(EVP_sha384());
-        EVP_add_digest(EVP_sha512());
-        EVP_add_digest(EVP_dss1()); /* DSA with sha1 */
-        EVP_add_digest_alias(SN_dsaWithSHA1, SN_dsaWithSHA1_2);
-        EVP_add_digest_alias(SN_dsaWithSHA1, "DSS1");
-        EVP_add_digest_alias(SN_dsaWithSHA1, "dss1");
-        EVP_add_digest(EVP_ecdsa());
-#ifndef OPENSSL_NO_GOST
-        EVP_add_digest(EVP_gostr341194());
-        EVP_add_digest(EVP_gost2814789imit());
-        EVP_add_digest(EVP_streebog256());
-        EVP_add_digest(EVP_streebog512());
-#endif
-        /* initialize cipher/digest methods table */
-        ssl_load_ciphers();
-        return (1);
-}
diff --git a/src/lib/libssl/ssl_asn1.c b/src/lib/libssl/ssl_asn1.c
deleted file mode 100644
index ee00cb286d..0000000000
--- a/src/lib/libssl/ssl_asn1.c
+++ /dev/null
@@ -1,691 +0,0 @@
-/* $OpenBSD: ssl_asn1.c,v 1.41 2016/03/11 07:08:45 mmcc Exp $ */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-#include <stdio.h>
-#include <stdlib.h>
-#include "ssl_locl.h"
-#include <openssl/objects.h>
-#include <openssl/x509.h>
-/* XXX - these are here to avoid including asn1_mac.h */
-int asn1_GetSequence(ASN1_const_CTX *c, long *length);
-void asn1_add_error(const unsigned char *address, int offset);
-typedef struct ssl_session_asn1_st {
-        ASN1_INTEGER version;
-        ASN1_INTEGER ssl_version;
-        ASN1_OCTET_STRING cipher;
-        ASN1_OCTET_STRING master_key;
-        ASN1_OCTET_STRING session_id;
-        ASN1_OCTET_STRING session_id_context;
-        ASN1_INTEGER time;
-        ASN1_INTEGER timeout;
-        ASN1_INTEGER verify_result;
-        ASN1_OCTET_STRING tlsext_hostname;
-        ASN1_INTEGER tlsext_tick_lifetime;
-        ASN1_OCTET_STRING tlsext_tick;
-} SSL_SESSION_ASN1;
-int
-i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp)
-{
-#define LSIZE2 (sizeof(long)*2)
-        int v1 = 0, v2 = 0, v3 = 0, v4 = 0, v5 = 0, v6 = 0, v9 = 0, v10 = 0;
-        unsigned char buf[4], ibuf1[LSIZE2], ibuf2[LSIZE2];
-        unsigned char ibuf3[LSIZE2], ibuf4[LSIZE2], ibuf5[LSIZE2];
-        unsigned char ibuf6[LSIZE2];
-        SSL_SESSION_ASN1 a;
-        unsigned char *p;
-        int len = 0, ret;
-        long l;
-        if ((in == NULL) || ((in->cipher == NULL) && (in->cipher_id == 0)))
-                return (0);
-        /*
-         * Note that I cheat in the following 2 assignments.
-         * I know that if the ASN1_INTEGER passed to ASN1_INTEGER_set
-         * is > sizeof(long)+1, the buffer will not be re-malloc()ed.
-         * This is a bit evil but makes things simple, no dynamic allocation
-         * to clean up :-)
-         */
-        a.version.length = LSIZE2;
-        a.version.type = V_ASN1_INTEGER;
-        a.version.data = ibuf1;
-        ASN1_INTEGER_set(&(a.version), SSL_SESSION_ASN1_VERSION);
-        len += i2d_ASN1_INTEGER(&(a.version), NULL);
-        a.ssl_version.length = LSIZE2;
-        a.ssl_version.type = V_ASN1_INTEGER;
-        a.ssl_version.data = ibuf2;
-        ASN1_INTEGER_set(&(a.ssl_version), in->ssl_version);
-        len += i2d_ASN1_INTEGER(&(a.ssl_version), NULL);
-        a.cipher.length = 2;
-        a.cipher.type = V_ASN1_OCTET_STRING;
-        l = (in->cipher == NULL) ? in->cipher_id : in->cipher->id;
-        buf[0] = ((unsigned char)(l >> 8L)) & 0xff;
-        buf[1] = ((unsigned char)(l)) & 0xff;
-        a.cipher.data = buf;
-        len += i2d_ASN1_OCTET_STRING(&(a.cipher), NULL);
-        a.master_key.length = in->master_key_length;
-        a.master_key.type = V_ASN1_OCTET_STRING;
-        a.master_key.data = in->master_key;
-        len += i2d_ASN1_OCTET_STRING(&(a.master_key), NULL);
-        a.session_id.length = in->session_id_length;
-        a.session_id.type = V_ASN1_OCTET_STRING;
-        a.session_id.data = in->session_id;
-        len += i2d_ASN1_OCTET_STRING(&(a.session_id), NULL);
-        if (in->time != 0L) {
-                a.time.length = LSIZE2;
-                a.time.type = V_ASN1_INTEGER;
-                a.time.data = ibuf3;
-                ASN1_INTEGER_set(&(a.time), in->time);  /* XXX 2038 */
-                v1 = i2d_ASN1_INTEGER(&(a.time), NULL);
-                len += ASN1_object_size(1, v1, 1);
-        }
-        if (in->timeout != 0L) {
-                a.timeout.length = LSIZE2;
-                a.timeout.type = V_ASN1_INTEGER;
-                a.timeout.data = ibuf4;
-                ASN1_INTEGER_set(&(a.timeout), in->timeout);
-                v2 = i2d_ASN1_INTEGER(&(a.timeout), NULL);
-                len += ASN1_object_size(1, v2, 2);
-        }
-        if (in->peer != NULL) {
-                v3 = i2d_X509(in->peer, NULL);
-                len += ASN1_object_size(1, v3, 3);
-        }
-        a.session_id_context.length = in->sid_ctx_length;
-        a.session_id_context.type = V_ASN1_OCTET_STRING;
-        a.session_id_context.data = in->sid_ctx;
-        v4 = i2d_ASN1_OCTET_STRING(&(a.session_id_context), NULL);
-        len += ASN1_object_size(1, v4, 4);
-        if (in->verify_result != X509_V_OK) {
-                a.verify_result.length = LSIZE2;
-                a.verify_result.type = V_ASN1_INTEGER;
-                a.verify_result.data = ibuf5;
-                ASN1_INTEGER_set(&a.verify_result, in->verify_result);
-                v5 = i2d_ASN1_INTEGER(&(a.verify_result), NULL);
-                len += ASN1_object_size(1, v5, 5);
-        }
-        if (in->tlsext_hostname) {
-                a.tlsext_hostname.length = strlen(in->tlsext_hostname);
-                a.tlsext_hostname.type = V_ASN1_OCTET_STRING;
-                a.tlsext_hostname.data = (unsigned char *)in->tlsext_hostname;
-                v6 = i2d_ASN1_OCTET_STRING(&(a.tlsext_hostname), NULL);
-                len += ASN1_object_size(1, v6, 6);
-        }
-        /* 7 - PSK identity hint. */
-        /* 8 - PSK identity. */
-        if (in->tlsext_tick_lifetime_hint > 0) {
-                a.tlsext_tick_lifetime.length = LSIZE2;
-                a.tlsext_tick_lifetime.type = V_ASN1_INTEGER;
-                a.tlsext_tick_lifetime.data = ibuf6;
-                ASN1_INTEGER_set(&a.tlsext_tick_lifetime,
-                    in->tlsext_tick_lifetime_hint);
-                v9 = i2d_ASN1_INTEGER(&(a.tlsext_tick_lifetime), NULL);
-                len += ASN1_object_size(1, v9, 9);
-        }
-        if (in->tlsext_tick) {
-                a.tlsext_tick.length = in->tlsext_ticklen;
-                a.tlsext_tick.type = V_ASN1_OCTET_STRING;
-                a.tlsext_tick.data = (unsigned char *)in->tlsext_tick;
-                v10 = i2d_ASN1_OCTET_STRING(&(a.tlsext_tick), NULL);
-                len += ASN1_object_size(1, v10, 10);
-        }
-        /* 11 - Compression method. */
-        /* 12 - SRP username. */
-        /* If given a NULL pointer, return the length only. */
-        ret = (ASN1_object_size(1, len, V_ASN1_SEQUENCE));
-        if (pp == NULL)
-                return (ret);
-        /* Burp out the ASN1. */
-        p = *pp;
-        ASN1_put_object(&p, 1, len, V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL);
-        i2d_ASN1_INTEGER(&(a.version), &p);
-        i2d_ASN1_INTEGER(&(a.ssl_version), &p);
-        i2d_ASN1_OCTET_STRING(&(a.cipher), &p);
-        i2d_ASN1_OCTET_STRING(&(a.session_id), &p);
-        i2d_ASN1_OCTET_STRING(&(a.master_key), &p);
-        if (in->time != 0L) {
-                ASN1_put_object(&p, 1, v1, 1, V_ASN1_CONTEXT_SPECIFIC);
-                i2d_ASN1_INTEGER(&(a.time), &p);
-        }
-        if (in->timeout != 0L) {
-                ASN1_put_object(&p, 1, v2, 2, V_ASN1_CONTEXT_SPECIFIC);
-                i2d_ASN1_INTEGER(&(a.timeout), &p);
-        }
-        if (in->peer != NULL) {
-                ASN1_put_object(&p, 1, v3, 3, V_ASN1_CONTEXT_SPECIFIC);
-                i2d_X509(in->peer, &p);
-        }
-        ASN1_put_object(&p, 1, v4, 4, V_ASN1_CONTEXT_SPECIFIC);
-        i2d_ASN1_OCTET_STRING(&(a.session_id_context), &p);
-        if (in->verify_result != X509_V_OK) {
-                ASN1_put_object(&p, 1, v5, 5, V_ASN1_CONTEXT_SPECIFIC);
-                i2d_ASN1_INTEGER(&(a.verify_result), &p);
-        }
-        if (in->tlsext_hostname) {
-                ASN1_put_object(&p, 1, v6, 6, V_ASN1_CONTEXT_SPECIFIC);
-                i2d_ASN1_OCTET_STRING(&(a.tlsext_hostname), &p);
-        }
-        /* 7 - PSK identity hint. */
-        /* 8 - PSK identity. */
-        if (in->tlsext_tick_lifetime_hint > 0) {
-                ASN1_put_object(&p, 1, v9, 9, V_ASN1_CONTEXT_SPECIFIC);
-                i2d_ASN1_INTEGER(&(a.tlsext_tick_lifetime), &p);
-        }
-        if (in->tlsext_tick) {
-                ASN1_put_object(&p, 1, v10, 10, V_ASN1_CONTEXT_SPECIFIC);
-                i2d_ASN1_OCTET_STRING(&(a.tlsext_tick), &p);
-        }
-        /* 11 - Compression method. */
-        /* 12 - SRP username. */
-        *pp = p;
-        return (ret);
-}
-SSL_SESSION *
-d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp, long length)
-{
-        SSL_SESSION *ret = NULL;
-        ASN1_const_CTX c;
-        ASN1_INTEGER ai, *aip;
-        ASN1_OCTET_STRING os, *osp;
-        int ssl_version = 0, i;
-        int Tinf, Ttag, Tclass;
-        long Tlen;
-        long id;
-        c.pp = pp;
-        c.p = *pp;
-        c.q = *pp;
-        c.max = (length == 0) ? 0 : (c.p + length);
-        c.slen = length;
-        if (a == NULL || *a == NULL) {
-                if ((ret = SSL_SESSION_new()) == NULL) {
-                        SSLerr(SSL_F_D2I_SSL_SESSION, ERR_R_NESTED_ASN1_ERROR);
-                        goto err;
-                }
-        } else
-                ret = *a;
-        aip = &ai;
-        osp = &os;
-        if (!asn1_GetSequence(&c, &length)) {
-                SSLerr(SSL_F_D2I_SSL_SESSION, ERR_R_NESTED_ASN1_ERROR);
-                goto err;
-        }
-        ai.data = NULL;
-        ai.length = 0;
-        c.q = c.p;
-        if (d2i_ASN1_INTEGER(&aip, &c.p, c.slen) == NULL) {
-                SSLerr(SSL_F_D2I_SSL_SESSION, ERR_R_NESTED_ASN1_ERROR);
-                goto err;
-        }
-        c.slen -= (c.p - c.q);
-        if (ai.data != NULL) {
-                free(ai.data);
-                ai.data = NULL;
-                ai.length = 0;
-        }
-        /* we don't care about the version right now :-) */
-        c.q = c.p;
-        if (d2i_ASN1_INTEGER(&aip, &c.p, c.slen) == NULL) {
-                SSLerr(SSL_F_D2I_SSL_SESSION, ERR_R_NESTED_ASN1_ERROR);
-                goto err;
-        }
-        c.slen -= (c.p - c.q);
-        ssl_version = (int)ASN1_INTEGER_get(aip);
-        ret->ssl_version = ssl_version;
-        if (ai.data != NULL) {
-                free(ai.data);
-                ai.data = NULL;
-                ai.length = 0;
-        }
-        os.data = NULL;
-        os.length = 0;
-        c.q = c.p;
-        if (d2i_ASN1_OCTET_STRING(&osp, &c.p, c.slen) == NULL) {
-                SSLerr(SSL_F_D2I_SSL_SESSION, ERR_R_NESTED_ASN1_ERROR);
-                goto err;
-        }
-        c.slen -= (c.p - c.q);
-        if ((ssl_version >> 8) >= SSL3_VERSION_MAJOR) {
-                if (os.length != 2) {
-                        SSLerr(SSL_F_D2I_SSL_SESSION,
-                            SSL_R_CIPHER_CODE_WRONG_LENGTH);
-                        goto err;
-                }
-                id = 0x03000000L | ((unsigned long)os.data[0]<<8L) |
-                    (unsigned long)os.data[1];
-        } else {
-                SSLerr(SSL_F_D2I_SSL_SESSION, SSL_R_UNKNOWN_SSL_VERSION);
-                goto err;
-        }
-        ret->cipher = NULL;
-        ret->cipher_id = id;
-        c.q = c.p;
-        if (d2i_ASN1_OCTET_STRING(&osp, &c.p, c.slen) == NULL) {
-                SSLerr(SSL_F_D2I_SSL_SESSION, ERR_R_NESTED_ASN1_ERROR);
-                goto err;
-        }
-        c.slen -= (c.p - c.q);
-        i = SSL3_MAX_SSL_SESSION_ID_LENGTH;
-        if (os.length > i)
-                os.length = i;
-        if (os.length > (int)sizeof(ret->session_id)) /* can't happen */
-                os.length = sizeof(ret->session_id);
-        ret->session_id_length = os.length;
-        OPENSSL_assert(os.length <= (int)sizeof(ret->session_id));
-        memcpy(ret->session_id, os.data, os.length);
-        c.q = c.p;
-        if (d2i_ASN1_OCTET_STRING(&osp, &c.p, c.slen) == NULL) {
-                SSLerr(SSL_F_D2I_SSL_SESSION, ERR_R_NESTED_ASN1_ERROR);
-                goto err;
-        }
-        c.slen -= (c.p - c.q);
-        if (os.length > SSL_MAX_MASTER_KEY_LENGTH)
-                ret->master_key_length = SSL_MAX_MASTER_KEY_LENGTH;
-        else
-                ret->master_key_length = os.length;
-        memcpy(ret->master_key, os.data, ret->master_key_length);
-        os.length = 0;
-        /* 1 - Time (INTEGER). */
-        /* XXX 2038 */
-        ai.length = 0;
-        if (c.slen != 0L &&
-            *c.p == (V_ASN1_CONSTRUCTED | V_ASN1_CONTEXT_SPECIFIC | 1)) {
-                c.q = c.p;
-                Tinf = ASN1_get_object(&c.p, &Tlen, &Ttag, &Tclass, c.slen);
-                if (Tinf & 0x80) {
-                        SSLerr(SSL_F_D2I_SSL_SESSION,
-                            ERR_R_BAD_ASN1_OBJECT_HEADER);
-                        goto err;
-                }
-                if (Tinf == (V_ASN1_CONSTRUCTED + 1))
-                        Tlen = c.slen - (c.p - c.q) - 2;
-                if (d2i_ASN1_INTEGER(&aip, &c.p, Tlen) == NULL) {
-                        SSLerr(SSL_F_D2I_SSL_SESSION, ERR_R_NESTED_ASN1_ERROR);
-                        goto err;
-                }
-                if (Tinf == (V_ASN1_CONSTRUCTED + 1)) {
-                        Tlen = c.slen - (c.p - c.q);
-                        if(!ASN1_const_check_infinite_end(&c.p, Tlen)) {
-                                SSLerr(SSL_F_D2I_SSL_SESSION,
-                                    ERR_R_MISSING_ASN1_EOS);
-                                goto err;
-                        }
-                }
-                c.slen -= (c.p - c.q);
-        }
-        if (ai.data != NULL) {
-                ret->time = ASN1_INTEGER_get(aip);
-                free(ai.data);
-                ai.data = NULL;
-                ai.length = 0;
-        } else
-                ret->time = time(NULL);
-        /* 2 - Timeout (INTEGER). */
-        ai.length = 0;
-        if (c.slen != 0L &&
-            *c.p == (V_ASN1_CONSTRUCTED | V_ASN1_CONTEXT_SPECIFIC | 2)) {
-                c.q = c.p;
-                Tinf = ASN1_get_object(&c.p, &Tlen, &Ttag, &Tclass, c.slen);
-                if (Tinf & 0x80) {
-                        SSLerr(SSL_F_D2I_SSL_SESSION,
-                            ERR_R_BAD_ASN1_OBJECT_HEADER);
-                        goto err;
-                }
-                if (Tinf == (V_ASN1_CONSTRUCTED + 1))
-                        Tlen = c.slen - (c.p - c.q) - 2;
-                if (d2i_ASN1_INTEGER(&aip, &c.p, Tlen) == NULL) {
-                        SSLerr(SSL_F_D2I_SSL_SESSION, ERR_R_NESTED_ASN1_ERROR);
-                        goto err;
-                }
-                if (Tinf == (V_ASN1_CONSTRUCTED + 1)) {
-                        Tlen = c.slen - (c.p - c.q);
-                        if(!ASN1_const_check_infinite_end(&c.p, Tlen)) {
-                                SSLerr(SSL_F_D2I_SSL_SESSION,
-                                    ERR_R_MISSING_ASN1_EOS);
-                                goto err;
-                        }
-                }
-                c.slen -= (c.p - c.q);
-        }
-        if (ai.data != NULL) {
-                ret->timeout = ASN1_INTEGER_get(aip);
-                free(ai.data);
-                ai.data = NULL;
-                ai.length = 0;
-        } else
-                ret->timeout = 3;
-        /* 3 - Peer (X509). */
-        X509_free(ret->peer);
-        ret->peer = NULL;
-        if (c.slen != 0L &&
-            *c.p == (V_ASN1_CONSTRUCTED | V_ASN1_CONTEXT_SPECIFIC | 3)) {
-                c.q = c.p;
-                Tinf = ASN1_get_object(&c.p, &Tlen, &Ttag, &Tclass, c.slen);
-                if (Tinf & 0x80) {
-                        SSLerr(SSL_F_D2I_SSL_SESSION,
-                            ERR_R_BAD_ASN1_OBJECT_HEADER);
-                        goto err;
-                }
-                if (Tinf == (V_ASN1_CONSTRUCTED + 1))
-                        Tlen = c.slen - (c.p - c.q) - 2;
-                if (d2i_X509(&ret->peer, &c.p, Tlen) == NULL) {
-                        SSLerr(SSL_F_D2I_SSL_SESSION, ERR_R_NESTED_ASN1_ERROR);
-                        goto err;
-                }
-                if (Tinf == (V_ASN1_CONSTRUCTED + 1)) {
-                        Tlen = c.slen - (c.p - c.q);
-                        if(!ASN1_const_check_infinite_end(&c.p, Tlen)) {
-                                SSLerr(SSL_F_D2I_SSL_SESSION,
-                                    ERR_R_MISSING_ASN1_EOS);
-                                goto err;
-                        }
-                }
-                c.slen -= (c.p - c.q);
-        }
-        /* 4 - Session ID (OCTET STRING). */
-        os.length = 0;
-        free(os.data);
-        os.data = NULL;
-        if (c.slen != 0L &&
-            *c.p == (V_ASN1_CONSTRUCTED | V_ASN1_CONTEXT_SPECIFIC | 4)) {
-                c.q = c.p;
-                Tinf = ASN1_get_object(&c.p, &Tlen, &Ttag, &Tclass, c.slen);
-                if (Tinf & 0x80) {
-                        SSLerr(SSL_F_D2I_SSL_SESSION,
-                            ERR_R_BAD_ASN1_OBJECT_HEADER);
-                        goto err;
-                }
-                if (Tinf == (V_ASN1_CONSTRUCTED + 1))
-                        Tlen = c.slen - (c.p - c.q) - 2;
-                if (d2i_ASN1_OCTET_STRING(&osp, &c.p, Tlen) == NULL) {
-                        SSLerr(SSL_F_D2I_SSL_SESSION, ERR_R_NESTED_ASN1_ERROR);
-                        goto err;
-                }
-                if (Tinf == (V_ASN1_CONSTRUCTED + 1)) {
-                        Tlen = c.slen - (c.p - c.q);
-                        if(!ASN1_const_check_infinite_end(&c.p, Tlen)) {
-                                SSLerr(SSL_F_D2I_SSL_SESSION,
-                                    ERR_R_MISSING_ASN1_EOS);
-                                goto err;
-                        }
-                }
-                c.slen -= (c.p - c.q);
-        }
-        if (os.data != NULL) {
-                if (os.length > SSL_MAX_SID_CTX_LENGTH) {
-                        SSLerr(SSL_F_D2I_SSL_SESSION, SSL_R_BAD_LENGTH);
-                        goto err;
-                } else {
-                        ret->sid_ctx_length = os.length;
-                        memcpy(ret->sid_ctx, os.data, os.length);
-                }
-                free(os.data);
-                os.data = NULL;
-                os.length = 0;
-        } else
-                ret->sid_ctx_length = 0;
-        /* 5 - Verify_result. */
-        ai.length = 0;
-        if (c.slen != 0L &&
-            *c.p == (V_ASN1_CONSTRUCTED | V_ASN1_CONTEXT_SPECIFIC | 5)) {
-                c.q = c.p;
-                Tinf = ASN1_get_object(&c.p, &Tlen, &Ttag, &Tclass, c.slen);
-                if (Tinf & 0x80) {
-                        SSLerr(SSL_F_D2I_SSL_SESSION,
-                            ERR_R_BAD_ASN1_OBJECT_HEADER);
-                        goto err;
-                }
-                if (Tinf == (V_ASN1_CONSTRUCTED + 1))
-                        Tlen = c.slen - (c.p - c.q) - 2;
-                if (d2i_ASN1_INTEGER(&aip, &c.p, Tlen) == NULL) {
-                        SSLerr(SSL_F_D2I_SSL_SESSION, ERR_R_NESTED_ASN1_ERROR);
-                        goto err;
-                }
-                if (Tinf == (V_ASN1_CONSTRUCTED + 1)) {
-                        Tlen = c.slen - (c.p - c.q);
-                        if(!ASN1_const_check_infinite_end(&c.p, Tlen)) {
-                                SSLerr(SSL_F_D2I_SSL_SESSION,
-                                    ERR_R_MISSING_ASN1_EOS);
-                                goto err;
-                        }
-                }
-                c.slen -= (c.p - c.q);
-        }
-        if (ai.data != NULL) {
-                ret->verify_result = ASN1_INTEGER_get(aip);
-                free(ai.data);
-                ai.data = NULL;
-                ai.length = 0;
-        } else
-                ret->verify_result = X509_V_OK;
-        /* 6 - HostName (OCTET STRING). */
-        os.length = 0;
-        os.data = NULL;
-        if (c.slen != 0L &&
-            *c.p == (V_ASN1_CONSTRUCTED | V_ASN1_CONTEXT_SPECIFIC | 6)) {
-                c.q = c.p;
-                Tinf = ASN1_get_object(&c.p, &Tlen, &Ttag, &Tclass, c.slen);
-                if (Tinf & 0x80) {
-                        SSLerr(SSL_F_D2I_SSL_SESSION,
-                            ERR_R_BAD_ASN1_OBJECT_HEADER);
-                        goto err;
-                }
-                if (Tinf == (V_ASN1_CONSTRUCTED + 1))
-                        Tlen = c.slen - (c.p - c.q) - 2;
-                if (d2i_ASN1_OCTET_STRING(&osp, &c.p, Tlen) == NULL) {
-                        SSLerr(SSL_F_D2I_SSL_SESSION, ERR_R_NESTED_ASN1_ERROR);
-                        goto err;
-                }
-                if (Tinf == (V_ASN1_CONSTRUCTED + 1)) {
-                        Tlen = c.slen - (c.p - c.q);
-                        if(!ASN1_const_check_infinite_end(&c.p, Tlen)) {
-                                SSLerr(SSL_F_D2I_SSL_SESSION,
-                                    ERR_R_MISSING_ASN1_EOS);
-                                goto err;
-                        }
-                }
-                c.slen -= (c.p - c.q);
-        }
-        if (os.data) {
-                ret->tlsext_hostname = strndup((char *)os.data, os.length);
-                free(os.data);
-                os.data = NULL;
-                os.length = 0;
-        } else
-                ret->tlsext_hostname = NULL;
-        /* 7 - PSK identity hint (OCTET STRING). */
-        /* 8 - PSK identity (OCTET STRING). */
-        /* 9 - Ticket lifetime. */
-        ai.length = 0;
-        if (c.slen != 0L &&
-            *c.p == (V_ASN1_CONSTRUCTED | V_ASN1_CONTEXT_SPECIFIC | 9)) {
-                c.q = c.p;
-                Tinf = ASN1_get_object(&c.p, &Tlen, &Ttag, &Tclass, c.slen);
-                if (Tinf & 0x80) {
-                        SSLerr(SSL_F_D2I_SSL_SESSION,
-                            ERR_R_BAD_ASN1_OBJECT_HEADER);
-                        goto err;
-                }
-                if (Tinf == (V_ASN1_CONSTRUCTED + 1))
-                        Tlen = c.slen - (c.p - c.q) - 2;
-                if (d2i_ASN1_INTEGER(&aip, &c.p, Tlen) == NULL) {
-                        SSLerr(SSL_F_D2I_SSL_SESSION, ERR_R_NESTED_ASN1_ERROR);
-                        goto err;
-                }
-                if (Tinf == (V_ASN1_CONSTRUCTED + 1)) {
-                        Tlen = c.slen - (c.p - c.q);
-                        if(!ASN1_const_check_infinite_end(&c.p, Tlen)) {
-                                SSLerr(SSL_F_D2I_SSL_SESSION,
-                                    ERR_R_MISSING_ASN1_EOS);
-                                goto err;
-                        }
-                }
-                c.slen -= (c.p - c.q);
-        }
-        if (ai.data != NULL) {
-                ret->tlsext_tick_lifetime_hint = ASN1_INTEGER_get(aip);
-                free(ai.data);
-                ai.data = NULL;
-                ai.length = 0;
-        } else if (ret->tlsext_ticklen && ret->session_id_length)
-                ret->tlsext_tick_lifetime_hint = -1;
-        else
-                ret->tlsext_tick_lifetime_hint = 0;
-        os.length = 0;
-        os.data = NULL;
-        /* 10 - Ticket (OCTET STRING). */
-        if (c.slen != 0L &&
-            *c.p == (V_ASN1_CONSTRUCTED | V_ASN1_CONTEXT_SPECIFIC | 10)) {
-                c.q = c.p;
-                Tinf = ASN1_get_object(&c.p, &Tlen, &Ttag, &Tclass, c.slen);
-                if (Tinf & 0x80) {
-                        SSLerr(SSL_F_D2I_SSL_SESSION,
-                            ERR_R_BAD_ASN1_OBJECT_HEADER);
-                        goto err;
-                }
-                if (Tinf == (V_ASN1_CONSTRUCTED + 1))
-                        Tlen = c.slen - (c.p - c.q) - 2;
-                if (d2i_ASN1_OCTET_STRING(&osp, &c.p, Tlen) == NULL) {
-                        SSLerr(SSL_F_D2I_SSL_SESSION, ERR_R_NESTED_ASN1_ERROR);
-                        goto err;
-                }
-                if (Tinf == (V_ASN1_CONSTRUCTED + 1)) {
-                        Tlen = c.slen - (c.p - c.q);
-                        if(!ASN1_const_check_infinite_end(&c.p, Tlen)) {
-                                SSLerr(SSL_F_D2I_SSL_SESSION,
-                                    ERR_R_MISSING_ASN1_EOS);
-                                goto err;
-                        }
-                }
-                c.slen -= (c.p - c.q);
-        }
-        if (os.data) {
-                ret->tlsext_tick = os.data;
-                ret->tlsext_ticklen = os.length;
-                os.data = NULL;
-                os.length = 0;
-        } else
-                ret->tlsext_tick = NULL;
-        /* 11 - Compression method (OCTET STRING). */
-        /* 12 - SRP username (OCTET STRING). */
-        if (!asn1_const_Finish(&c)) {
-                SSLerr(SSL_F_D2I_SSL_SESSION, ERR_R_NESTED_ASN1_ERROR);
-                goto err;
-        }
-        *pp = c.p;
-        if (a != NULL)
-                *a = ret;
-        return (ret);
-err:
-        ERR_asprintf_error_data("offset=%d", (int)(c.q - *pp));
-        if (ret != NULL && (a == NULL || *a != ret))
-                SSL_SESSION_free(ret);
-        return (NULL);
-}
diff --git a/src/lib/libssl/ssl_cert.c b/src/lib/libssl/ssl_cert.c
deleted file mode 100644
index 7e92812e56..0000000000
--- a/src/lib/libssl/ssl_cert.c
+++ /dev/null
@@ -1,722 +0,0 @@
-/* $OpenBSD: ssl_cert.c,v 1.52 2016/03/11 07:08:45 mmcc Exp $ */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-/* ====================================================================
- * Copyright (c) 1998-2007 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    openssl-core@openssl.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-/* ====================================================================
- * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
- * ECC cipher suite support in OpenSSL originally developed by
- * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
- */
-#include <sys/types.h>
-#include <dirent.h>
-#include <stdio.h>
-#include <unistd.h>
-#include <openssl/bio.h>
-#include <openssl/bn.h>
-#include <openssl/dh.h>
-#include <openssl/objects.h>
-#include <openssl/opensslconf.h>
-#include <openssl/pem.h>
-#include <openssl/x509v3.h>
-#include "ssl_locl.h"
-int
-SSL_get_ex_data_X509_STORE_CTX_idx(void)
-{
-        static volatile int ssl_x509_store_ctx_idx = -1;
-        int got_write_lock = 0;
-        CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);
-        if (ssl_x509_store_ctx_idx < 0) {
-                CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
-                CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
-                got_write_lock = 1;
-                if (ssl_x509_store_ctx_idx < 0) {
-                        ssl_x509_store_ctx_idx =
-                            X509_STORE_CTX_get_ex_new_index(
-                                0, "SSL for verify callback", NULL, NULL, NULL);
-                }
-        }
-        if (got_write_lock)
-                CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
-        else
-                CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
-        return ssl_x509_store_ctx_idx;
-}
-static void
-ssl_cert_set_default_md(CERT *cert)
-{
-        /* Set digest values to defaults */
-        cert->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1();
-        cert->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1();
-        cert->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1();
-        cert->pkeys[SSL_PKEY_ECC].digest = EVP_sha1();
-#ifndef OPENSSL_NO_GOST
-        cert->pkeys[SSL_PKEY_GOST01].digest = EVP_gostr341194();
-#endif
-}
-CERT *
-ssl_cert_new(void)
-{
-        CERT *ret;
-        ret = calloc(1, sizeof(CERT));
-        if (ret == NULL) {
-                SSLerr(SSL_F_SSL_CERT_NEW, ERR_R_MALLOC_FAILURE);
-                return (NULL);
-        }
-        ret->key = &(ret->pkeys[SSL_PKEY_RSA_ENC]);
-        ret->references = 1;
-        ssl_cert_set_default_md(ret);
-        return (ret);
-}
-CERT *
-ssl_cert_dup(CERT *cert)
-{
-        CERT *ret;
-        int i;
-        ret = calloc(1, sizeof(CERT));
-        if (ret == NULL) {
-                SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_MALLOC_FAILURE);
-                return (NULL);
-        }
-        /*
-         * same as ret->key = ret->pkeys + (cert->key - cert->pkeys),
-         * if you find that more readable
-         */
-        ret->key = &ret->pkeys[cert->key - &cert->pkeys[0]];
-        ret->valid = cert->valid;
-        ret->mask_k = cert->mask_k;
-        ret->mask_a = cert->mask_a;
-        if (cert->dh_tmp != NULL) {
-                ret->dh_tmp = DHparams_dup(cert->dh_tmp);
-                if (ret->dh_tmp == NULL) {
-                        SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_DH_LIB);
-                        goto err;
-                }
-                if (cert->dh_tmp->priv_key) {
-                        BIGNUM *b = BN_dup(cert->dh_tmp->priv_key);
-                        if (!b) {
-                                SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_BN_LIB);
-                                goto err;
-                        }
-                        ret->dh_tmp->priv_key = b;
-                }
-                if (cert->dh_tmp->pub_key) {
-                        BIGNUM *b = BN_dup(cert->dh_tmp->pub_key);
-                        if (!b) {
-                                SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_BN_LIB);
-                                goto err;
-                        }
-                        ret->dh_tmp->pub_key = b;
-                }
-        }
-        ret->dh_tmp_cb = cert->dh_tmp_cb;
-        ret->dh_tmp_auto = cert->dh_tmp_auto;
-        if (cert->ecdh_tmp) {
-                ret->ecdh_tmp = EC_KEY_dup(cert->ecdh_tmp);
-                if (ret->ecdh_tmp == NULL) {
-                        SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_EC_LIB);
-                        goto err;
-                }
-        }
-        ret->ecdh_tmp_cb = cert->ecdh_tmp_cb;
-        ret->ecdh_tmp_auto = cert->ecdh_tmp_auto;
-        for (i = 0; i < SSL_PKEY_NUM; i++) {
-                if (cert->pkeys[i].x509 != NULL) {
-                        ret->pkeys[i].x509 = cert->pkeys[i].x509;
-                        CRYPTO_add(&ret->pkeys[i].x509->references, 1,
-                        CRYPTO_LOCK_X509);
-                }
-                if (cert->pkeys[i].privatekey != NULL) {
-                        ret->pkeys[i].privatekey = cert->pkeys[i].privatekey;
-                        CRYPTO_add(&ret->pkeys[i].privatekey->references, 1,
-                        CRYPTO_LOCK_EVP_PKEY);
-                        switch (i) {
-                                /*
-                                 * If there was anything special to do for
-                                 * certain types of keys, we'd do it here.
-                                 * (Nothing at the moment, I think.)
-                                 */
-                        case SSL_PKEY_RSA_ENC:
-                        case SSL_PKEY_RSA_SIGN:
-                                /* We have an RSA key. */
-                                break;
-                        case SSL_PKEY_DSA_SIGN:
-                                /* We have a DSA key. */
-                                break;
-                        case SSL_PKEY_DH_RSA:
-                        case SSL_PKEY_DH_DSA:
-                                /* We have a DH key. */
-                                break;
-                        case SSL_PKEY_ECC:
-                                /* We have an ECC key */
-                                break;
-                        default:
-                                /* Can't happen. */
-                                SSLerr(SSL_F_SSL_CERT_DUP, SSL_R_LIBRARY_BUG);
-                        }
-                }
-        }
-        /*
-         * ret->extra_certs *should* exist, but currently the own certificate
-         * chain is held inside SSL_CTX
-         */
-        ret->references = 1;
-        /*
-         * Set digests to defaults. NB: we don't copy existing values
-         * as they will be set during handshake.
-         */
-        ssl_cert_set_default_md(ret);
-        return (ret);
-err:
-        DH_free(ret->dh_tmp);
-        EC_KEY_free(ret->ecdh_tmp);
-        for (i = 0; i < SSL_PKEY_NUM; i++) {
-                X509_free(ret->pkeys[i].x509);
-                EVP_PKEY_free(ret->pkeys[i].privatekey);
-        }
-        free (ret);
-        return NULL;
-}
-void
-ssl_cert_free(CERT *c)
-{
-        int i;
-        if (c == NULL)
-                return;
-        i = CRYPTO_add(&c->references, -1, CRYPTO_LOCK_SSL_CERT);
-        if (i > 0)
-                return;
-        DH_free(c->dh_tmp);
-        EC_KEY_free(c->ecdh_tmp);
-        for (i = 0; i < SSL_PKEY_NUM; i++) {
-                X509_free(c->pkeys[i].x509);
-                EVP_PKEY_free(c->pkeys[i].privatekey);
-        }
-        free(c);
-}
-int
-ssl_cert_inst(CERT **o)
-{
-        /*
-         * Create a CERT if there isn't already one
-         * (which cannot really happen, as it is initially created in
-         * SSL_CTX_new; but the earlier code usually allows for that one
-         * being non-existant, so we follow that behaviour, as it might
-         * turn out that there actually is a reason for it -- but I'm
-         * not sure that *all* of the existing code could cope with
-         * s->cert being NULL, otherwise we could do without the
-         * initialization in SSL_CTX_new).
-         */
-        if (o == NULL) {
-                SSLerr(SSL_F_SSL_CERT_INST, ERR_R_PASSED_NULL_PARAMETER);
-                return (0);
-        }
-        if (*o == NULL) {
-                if ((*o = ssl_cert_new()) == NULL) {
-                        SSLerr(SSL_F_SSL_CERT_INST, ERR_R_MALLOC_FAILURE);
-                        return (0);
-                }
-        }
-        return (1);
-}
-SESS_CERT *
-ssl_sess_cert_new(void)
-{
-        SESS_CERT *ret;
-        ret = calloc(1, sizeof *ret);
-        if (ret == NULL) {
-                SSLerr(SSL_F_SSL_SESS_CERT_NEW, ERR_R_MALLOC_FAILURE);
-                return NULL;
-        }
-        ret->peer_key = &(ret->peer_pkeys[SSL_PKEY_RSA_ENC]);
-        ret->references = 1;
-        return ret;
-}
-void
-ssl_sess_cert_free(SESS_CERT *sc)
-{
-        int i;
-        if (sc == NULL)
-                return;
-        i = CRYPTO_add(&sc->references, -1, CRYPTO_LOCK_SSL_SESS_CERT);
-        if (i > 0)
-                return;
-        /* i == 0 */
-        if (sc->cert_chain != NULL)
-                sk_X509_pop_free(sc->cert_chain, X509_free);
-        for (i = 0; i < SSL_PKEY_NUM; i++)
-                X509_free(sc->peer_pkeys[i].x509);
-        DH_free(sc->peer_dh_tmp);
-        EC_KEY_free(sc->peer_ecdh_tmp);
-        free(sc);
-}
-int
-ssl_verify_cert_chain(SSL *s, STACK_OF(X509) *sk)
-{
-        X509_STORE_CTX ctx;
-        X509 *x;
-        int ret;
-        if ((sk == NULL) || (sk_X509_num(sk) == 0))
-                return (0);
-        x = sk_X509_value(sk, 0);
-        if (!X509_STORE_CTX_init(&ctx, s->ctx->cert_store, x, sk)) {
-                SSLerr(SSL_F_SSL_VERIFY_CERT_CHAIN, ERR_R_X509_LIB);
-                return (0);
-        }
-        X509_STORE_CTX_set_ex_data(&ctx,
-            SSL_get_ex_data_X509_STORE_CTX_idx(), s);
-        /*
-         * We need to inherit the verify parameters. These can be
-         * determined by the context: if its a server it will verify
-         * SSL client certificates or vice versa.
-         */
-        X509_STORE_CTX_set_default(&ctx,
-            s->server ? "ssl_client" : "ssl_server");
-        /*
-         * Anything non-default in "param" should overwrite anything
-         * in the ctx.
-         */
-        X509_VERIFY_PARAM_set1(X509_STORE_CTX_get0_param(&ctx), s->param);
-        if (s->verify_callback)
-                X509_STORE_CTX_set_verify_cb(&ctx, s->verify_callback);
-        if (s->ctx->app_verify_callback != NULL)
-                ret = s->ctx->app_verify_callback(&ctx, s->ctx->app_verify_arg);
-        else
-                ret = X509_verify_cert(&ctx);
-        s->verify_result = ctx.error;
-        X509_STORE_CTX_cleanup(&ctx);
-        return (ret);
-}
-static void
-set_client_CA_list(STACK_OF(X509_NAME) **ca_list,
-    STACK_OF(X509_NAME) *name_list)
-{
-        if (*ca_list != NULL)
-                sk_X509_NAME_pop_free(*ca_list, X509_NAME_free);
-        *ca_list = name_list;
-}
-STACK_OF(X509_NAME) *
-SSL_dup_CA_list(STACK_OF(X509_NAME) *sk)
-{
-        int i;
-        STACK_OF(X509_NAME) *ret;
-        X509_NAME *name;
-        ret = sk_X509_NAME_new_null();
-        for (i = 0; i < sk_X509_NAME_num(sk); i++) {
-                name = X509_NAME_dup(sk_X509_NAME_value(sk, i));
-                if ((name == NULL) || !sk_X509_NAME_push(ret, name)) {
-                        sk_X509_NAME_pop_free(ret, X509_NAME_free);
-                        return (NULL);
-                }
-        }
-        return (ret);
-}
-void
-SSL_set_client_CA_list(SSL *s, STACK_OF(X509_NAME) *name_list)
-{
-        set_client_CA_list(&(s->client_CA), name_list);
-}
-void
-SSL_CTX_set_client_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *name_list)
-{
-        set_client_CA_list(&(ctx->client_CA), name_list);
-}
-STACK_OF(X509_NAME) *
-SSL_CTX_get_client_CA_list(const SSL_CTX *ctx)
-{
-        return (ctx->client_CA);
-}
-STACK_OF(X509_NAME) *
-SSL_get_client_CA_list(const SSL *s)
-{
-        if (s->type == SSL_ST_CONNECT) {
-                /* We are in the client. */
-                if (((s->version >> 8) == SSL3_VERSION_MAJOR) &&
-                    (s->s3 != NULL))
-                        return (s->s3->tmp.ca_names);
-                else
-                        return (NULL);
-        } else {
-                if (s->client_CA != NULL)
-                        return (s->client_CA);
-                else
-                        return (s->ctx->client_CA);
-        }
-}
-static int
-add_client_CA(STACK_OF(X509_NAME) **sk, X509 *x)
-{
-        X509_NAME *name;
-        if (x == NULL)
-                return (0);
-        if ((*sk == NULL) && ((*sk = sk_X509_NAME_new_null()) == NULL))
-                return (0);
-        if ((name = X509_NAME_dup(X509_get_subject_name(x))) == NULL)
-                return (0);
-        if (!sk_X509_NAME_push(*sk, name)) {
-                X509_NAME_free(name);
-                return (0);
-        }
-        return (1);
-}
-int
-SSL_add_client_CA(SSL *ssl, X509 *x)
-{
-        return (add_client_CA(&(ssl->client_CA), x));
-}
-int
-SSL_CTX_add_client_CA(SSL_CTX *ctx, X509 *x)
-{
-        return (add_client_CA(&(ctx->client_CA), x));
-}
-static int
-xname_cmp(const X509_NAME * const *a, const X509_NAME * const *b)
-{
-        return (X509_NAME_cmp(*a, *b));
-}
-/*!
- * Load CA certs from a file into a ::STACK. Note that it is somewhat misnamed;
- * it doesn't really have anything to do with clients (except that a common use
- * for a stack of CAs is to send it to the client). Actually, it doesn't have
- * much to do with CAs, either, since it will load any old cert.
- * \param file the file containing one or more certs.
- * \return a ::STACK containing the certs.
- */
-STACK_OF(X509_NAME) *
-SSL_load_client_CA_file(const char *file)
-{
-        BIO *in;
-        X509 *x = NULL;
-        X509_NAME *xn = NULL;
-        STACK_OF(X509_NAME) *ret = NULL, *sk;
-        sk = sk_X509_NAME_new(xname_cmp);
-        in = BIO_new(BIO_s_file_internal());
-        if ((sk == NULL) || (in == NULL)) {
-                SSLerr(SSL_F_SSL_LOAD_CLIENT_CA_FILE, ERR_R_MALLOC_FAILURE);
-                goto err;
-        }
-        if (!BIO_read_filename(in, file))
-                goto err;
-        for (;;) {
-                if (PEM_read_bio_X509(in, &x, NULL, NULL) == NULL)
-                        break;
-                if (ret == NULL) {
-                        ret = sk_X509_NAME_new_null();
-                        if (ret == NULL) {
-                                SSLerr(SSL_F_SSL_LOAD_CLIENT_CA_FILE,
-                                    ERR_R_MALLOC_FAILURE);
-                                goto err;
-                        }
-                }
-                if ((xn = X509_get_subject_name(x)) == NULL) goto err;
-                        /* check for duplicates */
-                xn = X509_NAME_dup(xn);
-                if (xn == NULL)
-                        goto err;
-                if (sk_X509_NAME_find(sk, xn) >= 0)
-                        X509_NAME_free(xn);
-                else {
-                        sk_X509_NAME_push(sk, xn);
-                        sk_X509_NAME_push(ret, xn);
-                }
-        }
-        if (0) {
-err:
-                if (ret != NULL)
-                        sk_X509_NAME_pop_free(ret, X509_NAME_free);
-                ret = NULL;
-        }
-        if (sk != NULL)
-                sk_X509_NAME_free(sk);
-        BIO_free(in);
-        X509_free(x);
-        if (ret != NULL)
-                ERR_clear_error();
-        return (ret);
-}
-/*!
- * Add a file of certs to a stack.
- * \param stack the stack to add to.
- * \param file the file to add from. All certs in this file that are not
- * already in the stack will be added.
- * \return 1 for success, 0 for failure. Note that in the case of failure some
- * certs may have been added to \c stack.
- */
-int
-SSL_add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
-    const char *file)
-{
-        BIO *in;
-        X509 *x = NULL;
-        X509_NAME *xn = NULL;
-        int ret = 1;
-        int (*oldcmp)(const X509_NAME * const *a, const X509_NAME * const *b);
-        oldcmp = sk_X509_NAME_set_cmp_func(stack, xname_cmp);
-        in = BIO_new(BIO_s_file_internal());
-        if (in == NULL) {
-                SSLerr(SSL_F_SSL_ADD_FILE_CERT_SUBJECTS_TO_STACK,
-                    ERR_R_MALLOC_FAILURE);
-                goto err;
-        }
-        if (!BIO_read_filename(in, file))
-                goto err;
-        for (;;) {
-                if (PEM_read_bio_X509(in, &x, NULL, NULL) == NULL)
-                        break;
-                if ((xn = X509_get_subject_name(x)) == NULL) goto err;
-                        xn = X509_NAME_dup(xn);
-                if (xn == NULL)
-                        goto err;
-                if (sk_X509_NAME_find(stack, xn) >= 0)
-                        X509_NAME_free(xn);
-                else
-                        sk_X509_NAME_push(stack, xn);
-        }
-        ERR_clear_error();
-        if (0) {
-err:
-                ret = 0;
-        }
-        BIO_free(in);
-        X509_free(x);
-        (void)sk_X509_NAME_set_cmp_func(stack, oldcmp);
-        return ret;
-}
-/*!
- * Add a directory of certs to a stack.
- * \param stack the stack to append to.
- * \param dir the directory to append from. All files in this directory will be
- * examined as potential certs. Any that are acceptable to
- * SSL_add_dir_cert_subjects_to_stack() that are not already in the stack will
- * be included.
- * \return 1 for success, 0 for failure. Note that in the case of failure some
- * certs may have been added to \c stack.
- */
-int
-SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack, const char *dir)
-{
-        DIR *dirp = NULL;
-        char *path = NULL;
-        int ret = 0;
-        dirp = opendir(dir);
-        if (dirp) {
-                struct dirent *dp;
-                while ((dp = readdir(dirp)) != NULL) {
-                        if (asprintf(&path, "%s/%s", dir, dp->d_name) != -1) {
-                                ret = SSL_add_file_cert_subjects_to_stack(
-                                    stack, path);
-                                free(path);
-                        }
-                        if (!ret)
-                                break;
-                }
-                (void) closedir(dirp);
-        }
-        if (!ret) {
-                SYSerr(SYS_F_OPENDIR, errno);
-                ERR_asprintf_error_data("opendir ('%s')", dir);
-                SSLerr(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK, ERR_R_SYS_LIB);
-        }
-        return ret;
-}
diff --git a/src/lib/libssl/ssl_ciph.c b/src/lib/libssl/ssl_ciph.c
deleted file mode 100644
index 526d98e293..0000000000
--- a/src/lib/libssl/ssl_ciph.c
+++ /dev/null
@@ -1,1798 +0,0 @@
-/* $OpenBSD: ssl_ciph.c,v 1.86 2016/04/28 16:39:45 jsing Exp $ */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-/* ====================================================================
- * Copyright (c) 1998-2007 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    openssl-core@openssl.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-/* ====================================================================
- * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
- * ECC cipher suite support in OpenSSL originally developed by
- * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
- */
-/* ====================================================================
- * Copyright 2005 Nokia. All rights reserved.
- *
- * The portions of the attached software ("Contribution") is developed by
- * Nokia Corporation and is licensed pursuant to the OpenSSL open source
- * license.
- *
- * The Contribution, originally written by Mika Kousa and Pasi Eronen of
- * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
- * support (see RFC 4279) to OpenSSL.
- *
- * No patent licenses or other rights except those expressly stated in
- * the OpenSSL open source license shall be deemed granted or received
- * expressly, by implication, estoppel, or otherwise.
- *
- * No assurances are provided by Nokia that the Contribution does not
- * infringe the patent or other intellectual property rights of any third
- * party or that the license provides you with all the necessary rights
- * to make use of the Contribution.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
- * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
- * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
- * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
- * OTHERWISE.
- */
-#include <stdio.h>
-#include <openssl/objects.h>
-#ifndef OPENSSL_NO_ENGINE
-#include <openssl/engine.h>
-#endif
-#include "ssl_locl.h"
-#define SSL_ENC_DES_IDX         0
-#define SSL_ENC_3DES_IDX        1
-#define SSL_ENC_RC4_IDX         2
-#define SSL_ENC_IDEA_IDX        3
-#define SSL_ENC_NULL_IDX        4
-#define SSL_ENC_AES128_IDX      5
-#define SSL_ENC_AES256_IDX      6
-#define SSL_ENC_CAMELLIA128_IDX 7
-#define SSL_ENC_CAMELLIA256_IDX 8
-#define SSL_ENC_GOST89_IDX      9
-#define SSL_ENC_AES128GCM_IDX   10
-#define SSL_ENC_AES256GCM_IDX   11
-#define SSL_ENC_NUM_IDX         12
-static const EVP_CIPHER *ssl_cipher_methods[SSL_ENC_NUM_IDX] = {
-        NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL
-};
-#define SSL_MD_MD5_IDX  0
-#define SSL_MD_SHA1_IDX 1
-#define SSL_MD_GOST94_IDX 2
-#define SSL_MD_GOST89MAC_IDX 3
-#define SSL_MD_SHA256_IDX 4
-#define SSL_MD_SHA384_IDX 5
-#define SSL_MD_STREEBOG256_IDX 6
-#define SSL_MD_STREEBOG512_IDX 7
-/*Constant SSL_MAX_DIGEST equal to size of digests array should be
- * defined in the
- * ssl_locl.h */
-#define SSL_MD_NUM_IDX  SSL_MAX_DIGEST
-static const EVP_MD *ssl_digest_methods[SSL_MD_NUM_IDX] = {
-        NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL
-};
-static int  ssl_mac_pkey_id[SSL_MD_NUM_IDX] = {
-        EVP_PKEY_HMAC, EVP_PKEY_HMAC, EVP_PKEY_HMAC, EVP_PKEY_GOSTIMIT,
-        EVP_PKEY_HMAC, EVP_PKEY_HMAC, EVP_PKEY_HMAC, EVP_PKEY_HMAC,
-};
-static int ssl_mac_secret_size[SSL_MD_NUM_IDX] = {
-        0, 0, 0, 0, 0, 0, 0, 0
-};
-static int ssl_handshake_digest_flag[SSL_MD_NUM_IDX] = {
-        SSL_HANDSHAKE_MAC_MD5, SSL_HANDSHAKE_MAC_SHA,
-        SSL_HANDSHAKE_MAC_GOST94, 0, SSL_HANDSHAKE_MAC_SHA256,
-        SSL_HANDSHAKE_MAC_SHA384, SSL_HANDSHAKE_MAC_STREEBOG256,
-        SSL_HANDSHAKE_MAC_STREEBOG512
-};
-#define CIPHER_ADD      1
-#define CIPHER_KILL     2
-#define CIPHER_DEL      3
-#define CIPHER_ORD      4
-#define CIPHER_SPECIAL  5
-typedef struct cipher_order_st {
-        const SSL_CIPHER *cipher;
-        int active;
-        int dead;
-        struct cipher_order_st *next, *prev;
-} CIPHER_ORDER;
-static const SSL_CIPHER cipher_aliases[] = {
-        /* "ALL" doesn't include eNULL (must be specifically enabled) */
-        {
-                .name = SSL_TXT_ALL,
-                .algorithm_enc = ~SSL_eNULL,
-        },
-        /* "COMPLEMENTOFALL" */
-        {
-                .name = SSL_TXT_CMPALL,
-                .algorithm_enc = SSL_eNULL,
-        },
-        /*
-         * "COMPLEMENTOFDEFAULT"
-         * (does *not* include ciphersuites not found in ALL!)
-         */
-        {
-                .name = SSL_TXT_CMPDEF,
-                .algorithm_mkey = SSL_kDHE|SSL_kECDHE,
-                .algorithm_auth = SSL_aNULL,
-                .algorithm_enc = ~SSL_eNULL,
-        },
-        /*
-         * key exchange aliases
-         * (some of those using only a single bit here combine multiple key
-         * exchange algs according to the RFCs, e.g. kEDH combines DHE_DSS
-         * and DHE_RSA)
-         */
-        {
-                .name = SSL_TXT_kRSA,
-                .algorithm_mkey = SSL_kRSA,
-        },
-        {
-                .name = SSL_TXT_kEDH,
-                .algorithm_mkey = SSL_kDHE,
-        },
-        {
-                .name = SSL_TXT_DH,
-                .algorithm_mkey = SSL_kDHE,
-        },
-        {
-                .name = SSL_TXT_kECDHr,
-                .algorithm_mkey = SSL_kECDHr,
-        },
-        {
-                .name = SSL_TXT_kECDHe,
-                .algorithm_mkey = SSL_kECDHe,
-        },
-        {
-                .name = SSL_TXT_kECDH,
-                .algorithm_mkey = SSL_kECDHr|SSL_kECDHe,
-        },
-        {
-                .name = SSL_TXT_kEECDH,
-                .algorithm_mkey = SSL_kECDHE,
-        },
-        {
-                .name = SSL_TXT_ECDH,
-                .algorithm_mkey = SSL_kECDHr|SSL_kECDHe|SSL_kECDHE,
-        },
-        {
-                .name = SSL_TXT_kGOST,
-                .algorithm_mkey = SSL_kGOST,
-        },
-        /* server authentication aliases */
-        {
-                .name = SSL_TXT_aRSA,
-                .algorithm_auth = SSL_aRSA,
-        },
-        {
-                .name = SSL_TXT_aDSS,
-                .algorithm_auth = SSL_aDSS,
-        },
-        {
-                .name = SSL_TXT_DSS,
-                .algorithm_auth = SSL_aDSS,
-        },
-        {
-                .name = SSL_TXT_aNULL,
-                .algorithm_auth = SSL_aNULL,
-        },
-        {
-                .name = SSL_TXT_aECDH,
-                .algorithm_auth = SSL_aECDH,
-        },
-        {
-                .name = SSL_TXT_aECDSA,
-                .algorithm_auth = SSL_aECDSA,
-        },
-        {
-                .name = SSL_TXT_ECDSA,
-                .algorithm_auth = SSL_aECDSA,
-        },
-        {
-                .name = SSL_TXT_aGOST01,
-                .algorithm_auth = SSL_aGOST01,
-        },
-        {
-                .name = SSL_TXT_aGOST,
-                .algorithm_auth = SSL_aGOST01,
-        },
-        /* aliases combining key exchange and server authentication */
-        {
-                .name = SSL_TXT_DHE,
-                .algorithm_mkey = SSL_kDHE,
-                .algorithm_auth = ~SSL_aNULL,
-        },
-        {
-                .name = SSL_TXT_EDH,
-                .algorithm_mkey = SSL_kDHE,
-                .algorithm_auth = ~SSL_aNULL,
-        },
-        {
-                .name = SSL_TXT_ECDHE,
-                .algorithm_mkey = SSL_kECDHE,
-                .algorithm_auth = ~SSL_aNULL,
-        },
-        {
-                .name = SSL_TXT_EECDH,
-                .algorithm_mkey = SSL_kECDHE,
-                .algorithm_auth = ~SSL_aNULL,
-        },
-        {
-                .name = SSL_TXT_NULL,
-                .algorithm_enc = SSL_eNULL,
-        },
-        {
-                .name = SSL_TXT_RSA,
-                .algorithm_mkey = SSL_kRSA,
-                .algorithm_auth = SSL_aRSA,
-        },
-        {
-                .name = SSL_TXT_ADH,
-                .algorithm_mkey = SSL_kDHE,
-                .algorithm_auth = SSL_aNULL,
-        },
-        {
-                .name = SSL_TXT_AECDH,
-                .algorithm_mkey = SSL_kECDHE,
-                .algorithm_auth = SSL_aNULL,
-        },
-        /* symmetric encryption aliases */
-        {
-                .name = SSL_TXT_DES,
-                .algorithm_enc = SSL_DES,
-        },
-        {
-                .name = SSL_TXT_3DES,
-                .algorithm_enc = SSL_3DES,
-        },
-        {
-                .name = SSL_TXT_RC4,
-                .algorithm_enc = SSL_RC4,
-        },
-        {
-                .name = SSL_TXT_IDEA,
-                .algorithm_enc = SSL_IDEA,
-        },
-        {
-                .name = SSL_TXT_eNULL,
-                .algorithm_enc = SSL_eNULL,
-        },
-        {
-                .name = SSL_TXT_AES128,
-                .algorithm_enc = SSL_AES128|SSL_AES128GCM,
-        },
-        {
-                .name = SSL_TXT_AES256,
-                .algorithm_enc = SSL_AES256|SSL_AES256GCM,
-        },
-        {
-                .name = SSL_TXT_AES,
-                .algorithm_enc = SSL_AES,
-        },
-        {
-                .name = SSL_TXT_AES_GCM,
-                .algorithm_enc = SSL_AES128GCM|SSL_AES256GCM,
-        },
-        {
-                .name = SSL_TXT_CAMELLIA128,
-                .algorithm_enc = SSL_CAMELLIA128,
-        },
-        {
-                .name = SSL_TXT_CAMELLIA256,
-                .algorithm_enc = SSL_CAMELLIA256,
-        },
-        {
-                .name = SSL_TXT_CAMELLIA,
-                .algorithm_enc = SSL_CAMELLIA128|SSL_CAMELLIA256,
-        },
-        {
-                .name = SSL_TXT_CHACHA20,
-                .algorithm_enc = SSL_CHACHA20POLY1305|SSL_CHACHA20POLY1305_OLD,
-        },
-        /* MAC aliases */
-        {
-                .name = SSL_TXT_AEAD,
-                .algorithm_mac = SSL_AEAD,
-        },
-        {
-                .name = SSL_TXT_MD5,
-                .algorithm_mac = SSL_MD5,
-        },
-        {
-                .name = SSL_TXT_SHA1,
-                .algorithm_mac = SSL_SHA1,
-        },
-        {
-                .name = SSL_TXT_SHA,
-                .algorithm_mac = SSL_SHA1,
-        },
-        {
-                .name = SSL_TXT_GOST94,
-                .algorithm_mac = SSL_GOST94,
-        },
-        {
-                .name = SSL_TXT_GOST89MAC,
-                .algorithm_mac = SSL_GOST89MAC,
-        },
-        {
-                .name = SSL_TXT_SHA256,
-                .algorithm_mac = SSL_SHA256,
-        },
-        {
-                .name = SSL_TXT_SHA384,
-                .algorithm_mac = SSL_SHA384,
-        },
-        {
-                .name = SSL_TXT_STREEBOG256,
-                .algorithm_mac = SSL_STREEBOG256,
-        },
-        {
-                .name = SSL_TXT_STREEBOG512,
-                .algorithm_mac = SSL_STREEBOG512,
-        },
-        /* protocol version aliases */
-        {
-                .name = SSL_TXT_SSLV3,
-                .algorithm_ssl = SSL_SSLV3,
-        },
-        {
-                .name = SSL_TXT_TLSV1,
-                .algorithm_ssl = SSL_TLSV1,
-        },
-        {
-                .name = SSL_TXT_TLSV1_2,
-                .algorithm_ssl = SSL_TLSV1_2,
-        },
-        /* strength classes */
-        {
-                .name = SSL_TXT_LOW,
-                .algo_strength = SSL_LOW,
-        },
-        {
-                .name = SSL_TXT_MEDIUM,
-                .algo_strength = SSL_MEDIUM,
-        },
-        {
-                .name = SSL_TXT_HIGH,
-                .algo_strength = SSL_HIGH,
-        },
-};
-void
-ssl_load_ciphers(void)
-{
-        ssl_cipher_methods[SSL_ENC_DES_IDX] =
-            EVP_get_cipherbyname(SN_des_cbc);
-        ssl_cipher_methods[SSL_ENC_3DES_IDX] =
-            EVP_get_cipherbyname(SN_des_ede3_cbc);
-        ssl_cipher_methods[SSL_ENC_RC4_IDX] =
-            EVP_get_cipherbyname(SN_rc4);
-#ifndef OPENSSL_NO_IDEA
-        ssl_cipher_methods[SSL_ENC_IDEA_IDX] =
-            EVP_get_cipherbyname(SN_idea_cbc);
-#else
-        ssl_cipher_methods[SSL_ENC_IDEA_IDX] = NULL;
-#endif
-        ssl_cipher_methods[SSL_ENC_AES128_IDX] =
-            EVP_get_cipherbyname(SN_aes_128_cbc);
-        ssl_cipher_methods[SSL_ENC_AES256_IDX] =
-            EVP_get_cipherbyname(SN_aes_256_cbc);
-        ssl_cipher_methods[SSL_ENC_CAMELLIA128_IDX] =
-            EVP_get_cipherbyname(SN_camellia_128_cbc);
-        ssl_cipher_methods[SSL_ENC_CAMELLIA256_IDX] =
-            EVP_get_cipherbyname(SN_camellia_256_cbc);
-        ssl_cipher_methods[SSL_ENC_GOST89_IDX] =
-            EVP_get_cipherbyname(SN_gost89_cnt);
-        ssl_cipher_methods[SSL_ENC_AES128GCM_IDX] =
-            EVP_get_cipherbyname(SN_aes_128_gcm);
-        ssl_cipher_methods[SSL_ENC_AES256GCM_IDX] =
-            EVP_get_cipherbyname(SN_aes_256_gcm);
-        ssl_digest_methods[SSL_MD_MD5_IDX] =
-            EVP_get_digestbyname(SN_md5);
-        ssl_mac_secret_size[SSL_MD_MD5_IDX] =
-            EVP_MD_size(ssl_digest_methods[SSL_MD_MD5_IDX]);
-        OPENSSL_assert(ssl_mac_secret_size[SSL_MD_MD5_IDX] >= 0);
-        ssl_digest_methods[SSL_MD_SHA1_IDX] =
-            EVP_get_digestbyname(SN_sha1);
-        ssl_mac_secret_size[SSL_MD_SHA1_IDX] =
-            EVP_MD_size(ssl_digest_methods[SSL_MD_SHA1_IDX]);
-        OPENSSL_assert(ssl_mac_secret_size[SSL_MD_SHA1_IDX] >= 0);
-        ssl_digest_methods[SSL_MD_GOST94_IDX] =
-            EVP_get_digestbyname(SN_id_GostR3411_94);
-        if (ssl_digest_methods[SSL_MD_GOST94_IDX]) {
-                ssl_mac_secret_size[SSL_MD_GOST94_IDX] =
-                    EVP_MD_size(ssl_digest_methods[SSL_MD_GOST94_IDX]);
-                OPENSSL_assert(ssl_mac_secret_size[SSL_MD_GOST94_IDX] >= 0);
-        }
-        ssl_digest_methods[SSL_MD_GOST89MAC_IDX] =
-            EVP_get_digestbyname(SN_id_Gost28147_89_MAC);
-        if (ssl_mac_pkey_id[SSL_MD_GOST89MAC_IDX]) {
-                ssl_mac_secret_size[SSL_MD_GOST89MAC_IDX] = 32;
-        }
-        ssl_digest_methods[SSL_MD_SHA256_IDX] =
-            EVP_get_digestbyname(SN_sha256);
-        ssl_mac_secret_size[SSL_MD_SHA256_IDX] =
-            EVP_MD_size(ssl_digest_methods[SSL_MD_SHA256_IDX]);
-        ssl_digest_methods[SSL_MD_SHA384_IDX] =
-            EVP_get_digestbyname(SN_sha384);
-        ssl_mac_secret_size[SSL_MD_SHA384_IDX] =
-            EVP_MD_size(ssl_digest_methods[SSL_MD_SHA384_IDX]);
-        ssl_digest_methods[SSL_MD_STREEBOG256_IDX] =
-            EVP_get_digestbyname(SN_id_tc26_gost3411_2012_256);
-        ssl_mac_secret_size[SSL_MD_STREEBOG256_IDX] =
-            EVP_MD_size(ssl_digest_methods[SSL_MD_STREEBOG256_IDX]);
-        ssl_digest_methods[SSL_MD_STREEBOG512_IDX] =
-            EVP_get_digestbyname(SN_id_tc26_gost3411_2012_512);
-        ssl_mac_secret_size[SSL_MD_STREEBOG512_IDX] =
-            EVP_MD_size(ssl_digest_methods[SSL_MD_STREEBOG512_IDX]);
-}
-int
-ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
-    const EVP_MD **md, int *mac_pkey_type, int *mac_secret_size)
-{
-        const SSL_CIPHER *c;
-        int i;
-        c = s->cipher;
-        if (c == NULL)
-                return (0);
-        /*
-         * This function does not handle EVP_AEAD.
-         * See ssl_cipher_get_aead_evp instead.
-         */
-        if (c->algorithm2 & SSL_CIPHER_ALGORITHM2_AEAD)
-                return(0);
-        if ((enc == NULL) || (md == NULL))
-                return (0);
-        switch (c->algorithm_enc) {
-        case SSL_DES:
-                i = SSL_ENC_DES_IDX;
-                break;
-        case SSL_3DES:
-                i = SSL_ENC_3DES_IDX;
-                break;
-        case SSL_RC4:
-                i = SSL_ENC_RC4_IDX;
-                break;
-        case SSL_IDEA:
-                i = SSL_ENC_IDEA_IDX;
-                break;
-        case SSL_eNULL:
-                i = SSL_ENC_NULL_IDX;
-                break;
-        case SSL_AES128:
-                i = SSL_ENC_AES128_IDX;
-                break;
-        case SSL_AES256:
-                i = SSL_ENC_AES256_IDX;
-                break;
-        case SSL_CAMELLIA128:
-                i = SSL_ENC_CAMELLIA128_IDX;
-                break;
-        case SSL_CAMELLIA256:
-                i = SSL_ENC_CAMELLIA256_IDX;
-                break;
-        case SSL_eGOST2814789CNT:
-                i = SSL_ENC_GOST89_IDX;
-                break;
-        case SSL_AES128GCM:
-                i = SSL_ENC_AES128GCM_IDX;
-                break;
-        case SSL_AES256GCM:
-                i = SSL_ENC_AES256GCM_IDX;
-                break;
-        default:
-                i = -1;
-                break;
-        }
-        if ((i < 0) || (i >= SSL_ENC_NUM_IDX))
-                *enc = NULL;
-        else {
-                if (i == SSL_ENC_NULL_IDX)
-                        *enc = EVP_enc_null();
-                else
-                        *enc = ssl_cipher_methods[i];
-        }
-        switch (c->algorithm_mac) {
-        case SSL_MD5:
-                i = SSL_MD_MD5_IDX;
-                break;
-        case SSL_SHA1:
-                i = SSL_MD_SHA1_IDX;
-                break;
-        case SSL_SHA256:
-                i = SSL_MD_SHA256_IDX;
-                break;
-        case SSL_SHA384:
-                i = SSL_MD_SHA384_IDX;
-                break;
-        case SSL_GOST94:
-                i = SSL_MD_GOST94_IDX;
-                break;
-        case SSL_GOST89MAC:
-                i = SSL_MD_GOST89MAC_IDX;
-                break;
-        case SSL_STREEBOG256:
-                i = SSL_MD_STREEBOG256_IDX;
-                break;
-        case SSL_STREEBOG512:
-                i = SSL_MD_STREEBOG512_IDX;
-                break;
-        default:
-                i = -1;
-                break;
-        }
-        if ((i < 0) || (i >= SSL_MD_NUM_IDX)) {
-                *md = NULL;
-                if (mac_pkey_type != NULL)
-                        *mac_pkey_type = NID_undef;
-                if (mac_secret_size != NULL)
-                        *mac_secret_size = 0;
-                if (c->algorithm_mac == SSL_AEAD)
-                        mac_pkey_type = NULL;
-        } else {
-                *md = ssl_digest_methods[i];
-                if (mac_pkey_type != NULL)
-                        *mac_pkey_type = ssl_mac_pkey_id[i];
-                if (mac_secret_size != NULL)
-                        *mac_secret_size = ssl_mac_secret_size[i];
-        }
-        if ((*enc != NULL) &&
-            (*md != NULL || (EVP_CIPHER_flags(*enc)&EVP_CIPH_FLAG_AEAD_CIPHER)) &&
-            (!mac_pkey_type || *mac_pkey_type != NID_undef)) {
-                const EVP_CIPHER *evp;
-                if (s->ssl_version >> 8 != TLS1_VERSION_MAJOR ||
-                    s->ssl_version < TLS1_VERSION)
-                        return 1;
-                if (c->algorithm_enc == SSL_RC4 &&
-                    c->algorithm_mac == SSL_MD5 &&
-                    (evp = EVP_get_cipherbyname("RC4-HMAC-MD5")))
-                        *enc = evp, *md = NULL;
-                else if (c->algorithm_enc == SSL_AES128 &&
-                    c->algorithm_mac == SSL_SHA1 &&
-                    (evp = EVP_get_cipherbyname("AES-128-CBC-HMAC-SHA1")))
-                        *enc = evp, *md = NULL;
-                else if (c->algorithm_enc == SSL_AES256 &&
-                    c->algorithm_mac == SSL_SHA1 &&
-                    (evp = EVP_get_cipherbyname("AES-256-CBC-HMAC-SHA1")))
-                        *enc = evp, *md = NULL;
-                return (1);
-        } else
-                return (0);
-}
-/*
- * ssl_cipher_get_evp_aead sets aead to point to the correct EVP_AEAD object
- * for s->cipher. It returns 1 on success and 0 on error.
- */
-int
-ssl_cipher_get_evp_aead(const SSL_SESSION *s, const EVP_AEAD **aead)
-{
-        const SSL_CIPHER *c = s->cipher;
-        *aead = NULL;
-        if (c == NULL)
-                return 0;
-        if ((c->algorithm2 & SSL_CIPHER_ALGORITHM2_AEAD) == 0)
-                return 0;
-        switch (c->algorithm_enc) {
-#ifndef OPENSSL_NO_AES
-        case SSL_AES128GCM:
-                *aead = EVP_aead_aes_128_gcm();
-                return 1;
-        case SSL_AES256GCM:
-                *aead = EVP_aead_aes_256_gcm();
-                return 1;
-#endif
-#if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
-        case SSL_CHACHA20POLY1305:
-                *aead = EVP_aead_chacha20_poly1305();
-                return 1;
-        case SSL_CHACHA20POLY1305_OLD:
-                *aead = EVP_aead_chacha20_poly1305_old();
-                return 1;
-#endif
-        default:
-                break;
-        }
-        return 0;
-}
-int
-ssl_get_handshake_digest(int idx, long *mask, const EVP_MD **md)
-{
-        if (idx < 0 || idx >= SSL_MD_NUM_IDX) {
-                return 0;
-        }
-        *mask = ssl_handshake_digest_flag[idx];
-        if (*mask)
-                *md = ssl_digest_methods[idx];
-        else
-                *md = NULL;
-        return 1;
-}
-#define ITEM_SEP(a) \
-        (((a) == ':') || ((a) == ' ') || ((a) == ';') || ((a) == ','))
-static void
-ll_append_tail(CIPHER_ORDER **head, CIPHER_ORDER *curr,
-    CIPHER_ORDER **tail)
-{
-        if (curr == *tail)
-                return;
-        if (curr == *head)
-                *head = curr->next;
-        if (curr->prev != NULL)
-                curr->prev->next = curr->next;
-        if (curr->next != NULL)
-                curr->next->prev = curr->prev;
-        (*tail)->next = curr;
-        curr->prev= *tail;
-        curr->next = NULL;
-        *tail = curr;
-}
-static void
-ll_append_head(CIPHER_ORDER **head, CIPHER_ORDER *curr,
-    CIPHER_ORDER **tail)
-{
-        if (curr == *head)
-                return;
-        if (curr == *tail)
-                *tail = curr->prev;
-        if (curr->next != NULL)
-                curr->next->prev = curr->prev;
-        if (curr->prev != NULL)
-                curr->prev->next = curr->next;
-        (*head)->prev = curr;
-        curr->next= *head;
-        curr->prev = NULL;
-        *head = curr;
-}
-static void
-ssl_cipher_get_disabled(unsigned long *mkey, unsigned long *auth,
-    unsigned long *enc, unsigned long *mac, unsigned long *ssl)
-{
-        *mkey = 0;
-        *auth = 0;
-        *enc = 0;
-        *mac = 0;
-        *ssl = 0;
-        /*
-         * Check for the availability of GOST 34.10 public/private key
-         * algorithms. If they are not available disable the associated
-         * authentication and key exchange algorithms.
-         */
-        if (EVP_PKEY_meth_find(NID_id_GostR3410_2001) == NULL) {
-                *auth |= SSL_aGOST01;
-                *mkey |= SSL_kGOST;
-        }
-#ifdef SSL_FORBID_ENULL
-        *enc |= SSL_eNULL;
-#endif
-        *enc |= (ssl_cipher_methods[SSL_ENC_DES_IDX ] == NULL) ? SSL_DES : 0;
-        *enc |= (ssl_cipher_methods[SSL_ENC_3DES_IDX] == NULL) ? SSL_3DES : 0;
-        *enc |= (ssl_cipher_methods[SSL_ENC_RC4_IDX ] == NULL) ? SSL_RC4 : 0;
-        *enc |= (ssl_cipher_methods[SSL_ENC_IDEA_IDX] == NULL) ? SSL_IDEA : 0;
-        *enc |= (ssl_cipher_methods[SSL_ENC_AES128_IDX] == NULL) ? SSL_AES128 : 0;
-        *enc |= (ssl_cipher_methods[SSL_ENC_AES256_IDX] == NULL) ? SSL_AES256 : 0;
-        *enc |= (ssl_cipher_methods[SSL_ENC_AES128GCM_IDX] == NULL) ? SSL_AES128GCM : 0;
-        *enc |= (ssl_cipher_methods[SSL_ENC_AES256GCM_IDX] == NULL) ? SSL_AES256GCM : 0;
-        *enc |= (ssl_cipher_methods[SSL_ENC_CAMELLIA128_IDX] == NULL) ? SSL_CAMELLIA128 : 0;
-        *enc |= (ssl_cipher_methods[SSL_ENC_CAMELLIA256_IDX] == NULL) ? SSL_CAMELLIA256 : 0;
-        *enc |= (ssl_cipher_methods[SSL_ENC_GOST89_IDX] == NULL) ? SSL_eGOST2814789CNT : 0;
-        *mac |= (ssl_digest_methods[SSL_MD_MD5_IDX ] == NULL) ? SSL_MD5 : 0;
-        *mac |= (ssl_digest_methods[SSL_MD_SHA1_IDX] == NULL) ? SSL_SHA1 : 0;
-        *mac |= (ssl_digest_methods[SSL_MD_SHA256_IDX] == NULL) ? SSL_SHA256 : 0;
-        *mac |= (ssl_digest_methods[SSL_MD_SHA384_IDX] == NULL) ? SSL_SHA384 : 0;
-        *mac |= (ssl_digest_methods[SSL_MD_GOST94_IDX] == NULL) ? SSL_GOST94 : 0;
-        *mac |= (ssl_digest_methods[SSL_MD_GOST89MAC_IDX] == NULL) ? SSL_GOST89MAC : 0;
-        *mac |= (ssl_digest_methods[SSL_MD_STREEBOG256_IDX] == NULL) ? SSL_STREEBOG256 : 0;
-        *mac |= (ssl_digest_methods[SSL_MD_STREEBOG512_IDX] == NULL) ? SSL_STREEBOG512 : 0;
-}
-static void
-ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method, int num_of_ciphers,
-    unsigned long disabled_mkey, unsigned long disabled_auth,
-    unsigned long disabled_enc, unsigned long disabled_mac,
-    unsigned long disabled_ssl, CIPHER_ORDER *co_list,
-    CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p)
-{
-        int i, co_list_num;
-        const SSL_CIPHER *c;
-        /*
-         * We have num_of_ciphers descriptions compiled in, depending on the
-         * method selected (SSLv3, TLSv1, etc). These will later be sorted in
-         * a linked list with at most num entries.
-         */
-        /* Get the initial list of ciphers */
-        co_list_num = 0;        /* actual count of ciphers */
-        for (i = 0; i < num_of_ciphers; i++) {
-                c = ssl_method->get_cipher(i);
-                /* drop those that use any of that is not available */
-                if ((c != NULL) && c->valid &&
-                    !(c->algorithm_mkey & disabled_mkey) &&
-                    !(c->algorithm_auth & disabled_auth) &&
-                    !(c->algorithm_enc & disabled_enc) &&
-                    !(c->algorithm_mac & disabled_mac) &&
-                    !(c->algorithm_ssl & disabled_ssl)) {
-                        co_list[co_list_num].cipher = c;
-                        co_list[co_list_num].next = NULL;
-                        co_list[co_list_num].prev = NULL;
-                        co_list[co_list_num].active = 0;
-                        co_list_num++;
-                        /*
-                        if (!sk_push(ca_list,(char *)c)) goto err;
-                        */
-                }
-        }
-        /*
-         * Prepare linked list from list entries
-         */
-        if (co_list_num > 0) {
-                co_list[0].prev = NULL;
-                if (co_list_num > 1) {
-                        co_list[0].next = &co_list[1];
-                        for (i = 1; i < co_list_num - 1; i++) {
-                                co_list[i].prev = &co_list[i - 1];
-                                co_list[i].next = &co_list[i + 1];
-                        }
-                        co_list[co_list_num - 1].prev =
-                            &co_list[co_list_num - 2];
-                }
-                co_list[co_list_num - 1].next = NULL;
-                *head_p = &co_list[0];
-                *tail_p = &co_list[co_list_num - 1];
-        }
-}
-static void
-ssl_cipher_collect_aliases(const SSL_CIPHER **ca_list, int num_of_group_aliases,
-    unsigned long disabled_mkey, unsigned long disabled_auth,
-    unsigned long disabled_enc, unsigned long disabled_mac,
-    unsigned long disabled_ssl, CIPHER_ORDER *head)
-{
-        CIPHER_ORDER *ciph_curr;
-        const SSL_CIPHER **ca_curr;
-        int i;
-        unsigned long mask_mkey = ~disabled_mkey;
-        unsigned long mask_auth = ~disabled_auth;
-        unsigned long mask_enc = ~disabled_enc;
-        unsigned long mask_mac = ~disabled_mac;
-        unsigned long mask_ssl = ~disabled_ssl;
-        /*
-         * First, add the real ciphers as already collected
-         */
-        ciph_curr = head;
-        ca_curr = ca_list;
-        while (ciph_curr != NULL) {
-                *ca_curr = ciph_curr->cipher;
-                ca_curr++;
-                ciph_curr = ciph_curr->next;
-        }
-        /*
-         * Now we add the available ones from the cipher_aliases[] table.
-         * They represent either one or more algorithms, some of which
-         * in any affected category must be supported (set in enabled_mask),
-         * or represent a cipher strength value (will be added in any case because algorithms=0).
-         */
-        for (i = 0; i < num_of_group_aliases; i++) {
-                unsigned long algorithm_mkey = cipher_aliases[i].algorithm_mkey;
-                unsigned long algorithm_auth = cipher_aliases[i].algorithm_auth;
-                unsigned long algorithm_enc = cipher_aliases[i].algorithm_enc;
-                unsigned long algorithm_mac = cipher_aliases[i].algorithm_mac;
-                unsigned long algorithm_ssl = cipher_aliases[i].algorithm_ssl;
-                if (algorithm_mkey)
-                        if ((algorithm_mkey & mask_mkey) == 0)
-                                continue;
-                if (algorithm_auth)
-                        if ((algorithm_auth & mask_auth) == 0)
-                                continue;
-                if (algorithm_enc)
-                        if ((algorithm_enc & mask_enc) == 0)
-                                continue;
-                if (algorithm_mac)
-                        if ((algorithm_mac & mask_mac) == 0)
-                                continue;
-                if (algorithm_ssl)
-                        if ((algorithm_ssl & mask_ssl) == 0)
-                                continue;
-                *ca_curr = (SSL_CIPHER *)(cipher_aliases + i);
-                ca_curr++;
-        }
-        *ca_curr = NULL;        /* end of list */
-}
-static void
-ssl_cipher_apply_rule(unsigned long cipher_id, unsigned long alg_mkey,
-    unsigned long alg_auth, unsigned long alg_enc, unsigned long alg_mac,
-    unsigned long alg_ssl, unsigned long algo_strength,
-    int rule, int strength_bits, CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p)
-{
-        CIPHER_ORDER *head, *tail, *curr, *next, *last;
-        const SSL_CIPHER *cp;
-        int reverse = 0;
-        if (rule == CIPHER_DEL)
-                reverse = 1; /* needed to maintain sorting between currently deleted ciphers */
-        head = *head_p;
-        tail = *tail_p;
-        if (reverse) {
-                next = tail;
-                last = head;
-        } else {
-                next = head;
-                last = tail;
-        }
-        curr = NULL;
-        for (;;) {
-                if (curr == last)
-                        break;
-                curr = next;
-                next = reverse ? curr->prev : curr->next;
-                cp = curr->cipher;
-                /*
-                 * Selection criteria is either the value of strength_bits
-                 * or the algorithms used.
-                 */
-                if (strength_bits >= 0) {
-                        if (strength_bits != cp->strength_bits)
-                                continue;
-                } else {
-                        if (alg_mkey && !(alg_mkey & cp->algorithm_mkey))
-                                continue;
-                        if (alg_auth && !(alg_auth & cp->algorithm_auth))
-                                continue;
-                        if (alg_enc && !(alg_enc & cp->algorithm_enc))
-                                continue;
-                        if (alg_mac && !(alg_mac & cp->algorithm_mac))
-                                continue;
-                        if (alg_ssl && !(alg_ssl & cp->algorithm_ssl))
-                                continue;
-                        if ((algo_strength & SSL_STRONG_MASK) && !(algo_strength & SSL_STRONG_MASK & cp->algo_strength))
-                                continue;
-                }
-                /* add the cipher if it has not been added yet. */
-                if (rule == CIPHER_ADD) {
-                        /* reverse == 0 */
-                        if (!curr->active) {
-                                ll_append_tail(&head, curr, &tail);
-                                curr->active = 1;
-                        }
-                }
-                /* Move the added cipher to this location */
-                else if (rule == CIPHER_ORD) {
-                        /* reverse == 0 */
-                        if (curr->active) {
-                                ll_append_tail(&head, curr, &tail);
-                        }
-                } else if (rule == CIPHER_DEL) {
-                        /* reverse == 1 */
-                        if (curr->active) {
-                                /* most recently deleted ciphersuites get best positions
-                                 * for any future CIPHER_ADD (note that the CIPHER_DEL loop
-                                 * works in reverse to maintain the order) */
-                                ll_append_head(&head, curr, &tail);
-                                curr->active = 0;
-                        }
-                } else if (rule == CIPHER_KILL) {
-                        /* reverse == 0 */
-                        if (head == curr)
-                                head = curr->next;
-                        else
-                                curr->prev->next = curr->next;
-                        if (tail == curr)
-                                tail = curr->prev;
-                        curr->active = 0;
-                        if (curr->next != NULL)
-                                curr->next->prev = curr->prev;
-                        if (curr->prev != NULL)
-                                curr->prev->next = curr->next;
-                        curr->next = NULL;
-                        curr->prev = NULL;
-                }
-        }
-        *head_p = head;
-        *tail_p = tail;
-}
-static int
-ssl_cipher_strength_sort(CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p)
-{
-        int max_strength_bits, i, *number_uses;
-        CIPHER_ORDER *curr;
-        /*
-         * This routine sorts the ciphers with descending strength. The sorting
-         * must keep the pre-sorted sequence, so we apply the normal sorting
-         * routine as '+' movement to the end of the list.
-         */
-        max_strength_bits = 0;
-        curr = *head_p;
-        while (curr != NULL) {
-                if (curr->active &&
-                    (curr->cipher->strength_bits > max_strength_bits))
-                        max_strength_bits = curr->cipher->strength_bits;
-                curr = curr->next;
-        }
-        number_uses = calloc((max_strength_bits + 1), sizeof(int));
-        if (!number_uses) {
-                SSLerr(SSL_F_SSL_CIPHER_STRENGTH_SORT, ERR_R_MALLOC_FAILURE);
-                return (0);
-        }
-        /*
-         * Now find the strength_bits values actually used
-         */
-        curr = *head_p;
-        while (curr != NULL) {
-                if (curr->active)
-                        number_uses[curr->cipher->strength_bits]++;
-                curr = curr->next;
-        }
-        /*
-         * Go through the list of used strength_bits values in descending
-         * order.
-         */
-        for (i = max_strength_bits; i >= 0; i--)
-                if (number_uses[i] > 0)
-                        ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_ORD, i, head_p, tail_p);
-        free(number_uses);
-        return (1);
-}
-static int
-ssl_cipher_process_rulestr(const char *rule_str, CIPHER_ORDER **head_p,
-    CIPHER_ORDER **tail_p, const SSL_CIPHER **ca_list)
-{
-        unsigned long alg_mkey, alg_auth, alg_enc, alg_mac, alg_ssl;
-        unsigned long algo_strength;
-        int j, multi, found, rule, retval, ok, buflen;
-        unsigned long cipher_id = 0;
-        const char *l, *buf;
-        char ch;
-        retval = 1;
-        l = rule_str;
-        for (;;) {
-                ch = *l;
-                if (ch == '\0')
-                        break;
-                if (ch == '-') {
-                        rule = CIPHER_DEL;
-                        l++;
-                } else if (ch == '+') {
-                        rule = CIPHER_ORD;
-                        l++;
-                } else if (ch == '!') {
-                        rule = CIPHER_KILL;
-                        l++;
-                } else if (ch == '@') {
-                        rule = CIPHER_SPECIAL;
-                        l++;
-                } else {
-                        rule = CIPHER_ADD;
-                }
-                if (ITEM_SEP(ch)) {
-                        l++;
-                        continue;
-                }
-                alg_mkey = 0;
-                alg_auth = 0;
-                alg_enc = 0;
-                alg_mac = 0;
-                alg_ssl = 0;
-                algo_strength = 0;
-                for (;;) {
-                        ch = *l;
-                        buf = l;
-                        buflen = 0;
-                        while (((ch >= 'A') && (ch <= 'Z')) ||
-                            ((ch >= '0') && (ch <= '9')) ||
-                            ((ch >= 'a') && (ch <= 'z')) ||
-                            (ch == '-') || (ch == '.')) {
-                                ch = *(++l);
-                                buflen++;
-                        }
-                        if (buflen == 0) {
-                                /*
-                                 * We hit something we cannot deal with,
-                                 * it is no command or separator nor
-                                 * alphanumeric, so we call this an error.
-                                 */
-                                SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR,
-                                    SSL_R_INVALID_COMMAND);
-                                retval = found = 0;
-                                l++;
-                                break;
-                        }
-                        if (rule == CIPHER_SPECIAL) {
-                                 /* unused -- avoid compiler warning */
-                                found = 0;
-                                /* special treatment */
-                                break;
-                        }
-                        /* check for multi-part specification */
-                        if (ch == '+') {
-                                multi = 1;
-                                l++;
-                        } else
-                                multi = 0;
-                        /*
-                         * Now search for the cipher alias in the ca_list.
-                         * Be careful with the strncmp, because the "buflen"
-                         * limitation will make the rule "ADH:SOME" and the
-                         * cipher "ADH-MY-CIPHER" look like a match for
-                         * buflen=3. So additionally check whether the cipher
-                         * name found has the correct length. We can save a
-                         * strlen() call: just checking for the '\0' at the
-                         * right place is sufficient, we have to strncmp()
-                         * anyway (we cannot use strcmp(), because buf is not
-                         * '\0' terminated.)
-                         */
-                        j = found = 0;
-                        cipher_id = 0;
-                        while (ca_list[j]) {
-                                if (!strncmp(buf, ca_list[j]->name, buflen) &&
-                                    (ca_list[j]->name[buflen] == '\0')) {
-                                        found = 1;
-                                        break;
-                                } else
-                                        j++;
-                        }
-                        if (!found)
-                                break;  /* ignore this entry */
-                        if (ca_list[j]->algorithm_mkey) {
-                                if (alg_mkey) {
-                                        alg_mkey &= ca_list[j]->algorithm_mkey;
-                                        if (!alg_mkey) {
-                                                found = 0;
-                                                break;
-                                        }
-                                } else
-                                        alg_mkey = ca_list[j]->algorithm_mkey;
-                        }
-                        if (ca_list[j]->algorithm_auth) {
-                                if (alg_auth) {
-                                        alg_auth &= ca_list[j]->algorithm_auth;
-                                        if (!alg_auth) {
-                                                found = 0;
-                                                break;
-                                        }
-                                } else
-                                        alg_auth = ca_list[j]->algorithm_auth;
-                        }
-                        if (ca_list[j]->algorithm_enc) {
-                                if (alg_enc) {
-                                        alg_enc &= ca_list[j]->algorithm_enc;
-                                        if (!alg_enc) {
-                                                found = 0;
-                                                break;
-                                        }
-                                } else
-                                        alg_enc = ca_list[j]->algorithm_enc;
-                        }
-                        if (ca_list[j]->algorithm_mac) {
-                                if (alg_mac) {
-                                        alg_mac &= ca_list[j]->algorithm_mac;
-                                        if (!alg_mac) {
-                                                found = 0;
-                                                break;
-                                        }
-                                } else
-                                        alg_mac = ca_list[j]->algorithm_mac;
-                        }
-                        if (ca_list[j]->algo_strength & SSL_STRONG_MASK) {
-                                if (algo_strength & SSL_STRONG_MASK) {
-                                        algo_strength &=
-                                            (ca_list[j]->algo_strength &
-                                            SSL_STRONG_MASK) | ~SSL_STRONG_MASK;
-                                        if (!(algo_strength &
-                                            SSL_STRONG_MASK)) {
-                                                found = 0;
-                                                break;
-                                        }
-                                } else
-                                        algo_strength |=
-                                            ca_list[j]->algo_strength &
-                                            SSL_STRONG_MASK;
-                        }
-                        if (ca_list[j]->valid) {
-                                /*
-                                 * explicit ciphersuite found; its protocol
-                                 * version does not become part of the search
-                                 * pattern!
-                                 */
-                                cipher_id = ca_list[j]->id;
-                        } else {
-                                /*
-                                 * not an explicit ciphersuite; only in this
-                                 * case, the protocol version is considered
-                                 * part of the search pattern
-                                 */
-                                if (ca_list[j]->algorithm_ssl) {
-                                        if (alg_ssl) {
-                                                alg_ssl &=
-                                                    ca_list[j]->algorithm_ssl;
-                                                if (!alg_ssl) {
-                                                        found = 0;
-                                                        break;
-                                                }
-                                        } else
-                                                alg_ssl =
-                                                    ca_list[j]->algorithm_ssl;
-                                }
-                        }
-                        if (!multi)
-                                break;
-                }
-                /*
-                 * Ok, we have the rule, now apply it
-                 */
-                if (rule == CIPHER_SPECIAL) {
-                        /* special command */
-                        ok = 0;
-                        if ((buflen == 8) && !strncmp(buf, "STRENGTH", 8))
-                                ok = ssl_cipher_strength_sort(head_p, tail_p);
-                        else
-                                SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR,
-                                    SSL_R_INVALID_COMMAND);
-                        if (ok == 0)
-                                retval = 0;
-                        /*
-                         * We do not support any "multi" options
-                         * together with "@", so throw away the
-                         * rest of the command, if any left, until
-                         * end or ':' is found.
-                         */
-                        while ((*l != '\0') && !ITEM_SEP(*l))
-                                l++;
-                } else if (found) {
-                        ssl_cipher_apply_rule(cipher_id, alg_mkey, alg_auth,
-                            alg_enc, alg_mac, alg_ssl, algo_strength, rule,
-                            -1, head_p, tail_p);
-                } else {
-                        while ((*l != '\0') && !ITEM_SEP(*l))
-                                l++;
-                }
-                if (*l == '\0')
-                        break; /* done */
-        }
-        return (retval);
-}
-static inline int
-ssl_aes_is_accelerated(void)
-{
-#if defined(__i386__) || defined(__x86_64__)
-        return ((OPENSSL_cpu_caps() & (1ULL << 57)) != 0);
-#else
-        return (0);
-#endif
-}
-STACK_OF(SSL_CIPHER) *
-ssl_create_cipher_list(const SSL_METHOD *ssl_method,
-    STACK_OF(SSL_CIPHER) **cipher_list,
-    STACK_OF(SSL_CIPHER) **cipher_list_by_id,
-    const char *rule_str)
-{
-        int ok, num_of_ciphers, num_of_alias_max, num_of_group_aliases;
-        unsigned long disabled_mkey, disabled_auth, disabled_enc, disabled_mac, disabled_ssl;
-        STACK_OF(SSL_CIPHER) *cipherstack, *tmp_cipher_list;
-        const char *rule_p;
-        CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr;
-        const SSL_CIPHER **ca_list = NULL;
-        /*
-         * Return with error if nothing to do.
-         */
-        if (rule_str == NULL || cipher_list == NULL || cipher_list_by_id == NULL)
-                return NULL;
-        /*
-         * To reduce the work to do we only want to process the compiled
-         * in algorithms, so we first get the mask of disabled ciphers.
-         */
-        ssl_cipher_get_disabled(&disabled_mkey, &disabled_auth, &disabled_enc, &disabled_mac, &disabled_ssl);
-        /*
-         * Now we have to collect the available ciphers from the compiled
-         * in ciphers. We cannot get more than the number compiled in, so
-         * it is used for allocation.
-         */
-        num_of_ciphers = ssl_method->num_ciphers();
-        co_list = reallocarray(NULL, num_of_ciphers, sizeof(CIPHER_ORDER));
-        if (co_list == NULL) {
-                SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST, ERR_R_MALLOC_FAILURE);
-                return(NULL);   /* Failure */
-        }
-        ssl_cipher_collect_ciphers(ssl_method, num_of_ciphers,
-        disabled_mkey, disabled_auth, disabled_enc, disabled_mac, disabled_ssl,
-        co_list, &head, &tail);
-        /* Now arrange all ciphers by preference: */
-        /* Everything else being equal, prefer ephemeral ECDH over other key exchange mechanisms */
-        ssl_cipher_apply_rule(0, SSL_kECDHE, 0, 0, 0, 0, 0, CIPHER_ADD, -1, &head, &tail);
-        ssl_cipher_apply_rule(0, SSL_kECDHE, 0, 0, 0, 0, 0, CIPHER_DEL, -1, &head, &tail);
-        if (ssl_aes_is_accelerated() == 1) {
-                /*
-                 * We have hardware assisted AES - prefer AES as a symmetric
-                 * cipher, with CHACHA20 second.
-                 */
-                ssl_cipher_apply_rule(0, 0, 0, SSL_AES, 0, 0, 0,
-                    CIPHER_ADD, -1, &head, &tail);
-                ssl_cipher_apply_rule(0, 0, 0, SSL_CHACHA20POLY1305,
-                    0, 0, 0, CIPHER_ADD, -1, &head, &tail);
-                ssl_cipher_apply_rule(0, 0, 0, SSL_CHACHA20POLY1305_OLD,
-                    0, 0, 0, CIPHER_ADD, -1, &head, &tail);
-        } else {
-                /*
-                 * CHACHA20 is fast and safe on all hardware and is thus our
-                 * preferred symmetric cipher, with AES second.
-                 */
-                ssl_cipher_apply_rule(0, 0, 0, SSL_CHACHA20POLY1305,
-                    0, 0, 0, CIPHER_ADD, -1, &head, &tail);
-                ssl_cipher_apply_rule(0, 0, 0, SSL_CHACHA20POLY1305_OLD,
-                    0, 0, 0, CIPHER_ADD, -1, &head, &tail);
-                ssl_cipher_apply_rule(0, 0, 0, SSL_AES, 0, 0, 0,
-                    CIPHER_ADD, -1, &head, &tail);
-        }
-        /* Temporarily enable everything else for sorting */
-        ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_ADD, -1, &head, &tail);
-        /* Low priority for MD5 */
-        ssl_cipher_apply_rule(0, 0, 0, 0, SSL_MD5, 0, 0, CIPHER_ORD, -1, &head, &tail);
-        /* Move anonymous ciphers to the end.  Usually, these will remain disabled.
-         * (For applications that allow them, they aren't too bad, but we prefer
-         * authenticated ciphers.) */
-        ssl_cipher_apply_rule(0, 0, SSL_aNULL, 0, 0, 0, 0, CIPHER_ORD, -1, &head, &tail);
-        /* Move ciphers without forward secrecy to the end */
-        ssl_cipher_apply_rule(0, 0, SSL_aECDH, 0, 0, 0, 0, CIPHER_ORD, -1, &head, &tail);
-        ssl_cipher_apply_rule(0, SSL_kRSA, 0, 0, 0, 0, 0, CIPHER_ORD, -1, &head, &tail);
-        /* RC4 is sort of broken - move it to the end */
-        ssl_cipher_apply_rule(0, 0, 0, SSL_RC4, 0, 0, 0, CIPHER_ORD, -1, &head, &tail);
-        /* Now sort by symmetric encryption strength.  The above ordering remains
-         * in force within each class */
-        if (!ssl_cipher_strength_sort(&head, &tail)) {
-                free(co_list);
-                return NULL;
-        }
-        /* Now disable everything (maintaining the ordering!) */
-        ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_DEL, -1, &head, &tail);
-        /*
-         * We also need cipher aliases for selecting based on the rule_str.
-         * There might be two types of entries in the rule_str: 1) names
-         * of ciphers themselves 2) aliases for groups of ciphers.
-         * For 1) we need the available ciphers and for 2) the cipher
-         * groups of cipher_aliases added together in one list (otherwise
-         * we would be happy with just the cipher_aliases table).
-         */
-        num_of_group_aliases = sizeof(cipher_aliases) / sizeof(SSL_CIPHER);
-        num_of_alias_max = num_of_ciphers + num_of_group_aliases + 1;
-        ca_list = reallocarray(NULL, num_of_alias_max, sizeof(SSL_CIPHER *));
-        if (ca_list == NULL) {
-                free(co_list);
-                SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST, ERR_R_MALLOC_FAILURE);
-                return(NULL);   /* Failure */
-        }
-        ssl_cipher_collect_aliases(ca_list, num_of_group_aliases,
-        disabled_mkey, disabled_auth, disabled_enc,
-        disabled_mac, disabled_ssl, head);
-        /*
-         * If the rule_string begins with DEFAULT, apply the default rule
-         * before using the (possibly available) additional rules.
-         */
-        ok = 1;
-        rule_p = rule_str;
-        if (strncmp(rule_str, "DEFAULT", 7) == 0) {
-                ok = ssl_cipher_process_rulestr(SSL_DEFAULT_CIPHER_LIST,
-                &head, &tail, ca_list);
-                rule_p += 7;
-                if (*rule_p == ':')
-                        rule_p++;
-        }
-        if (ok && (strlen(rule_p) > 0))
-                ok = ssl_cipher_process_rulestr(rule_p, &head, &tail, ca_list);
-        free((void *)ca_list);  /* Not needed anymore */
-        if (!ok) {
-                /* Rule processing failure */
-                free(co_list);
-                return (NULL);
-        }
-        /*
-         * Allocate new "cipherstack" for the result, return with error
-         * if we cannot get one.
-         */
-        if ((cipherstack = sk_SSL_CIPHER_new_null()) == NULL) {
-                free(co_list);
-                return (NULL);
-        }
-        /*
-         * The cipher selection for the list is done. The ciphers are added
-         * to the resulting precedence to the STACK_OF(SSL_CIPHER).
-         */
-        for (curr = head; curr != NULL; curr = curr->next) {
-                if (curr->active) {
-                        sk_SSL_CIPHER_push(cipherstack, curr->cipher);
-                }
-        }
-        free(co_list);  /* Not needed any longer */
-        tmp_cipher_list = sk_SSL_CIPHER_dup(cipherstack);
-        if (tmp_cipher_list == NULL) {
-                sk_SSL_CIPHER_free(cipherstack);
-                return NULL;
-        }
-        if (*cipher_list != NULL)
-                sk_SSL_CIPHER_free(*cipher_list);
-        *cipher_list = cipherstack;
-        if (*cipher_list_by_id != NULL)
-                sk_SSL_CIPHER_free(*cipher_list_by_id);
-        *cipher_list_by_id = tmp_cipher_list;
-        (void)sk_SSL_CIPHER_set_cmp_func(*cipher_list_by_id,
-            ssl_cipher_ptr_id_cmp);
-        sk_SSL_CIPHER_sort(*cipher_list_by_id);
-        return (cipherstack);
-}
-const SSL_CIPHER *
-SSL_CIPHER_get_by_id(unsigned int id)
-{
-        return ssl3_get_cipher_by_id(id);
-}
-const SSL_CIPHER *
-SSL_CIPHER_get_by_value(uint16_t value)
-{
-        return ssl3_get_cipher_by_value(value);
-}
-char *
-SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
-{
-        unsigned long alg_mkey, alg_auth, alg_enc, alg_mac, alg_ssl, alg2;
-        const char *ver, *kx, *au, *enc, *mac;
-        char *ret;
-        int l;
-        alg_mkey = cipher->algorithm_mkey;
-        alg_auth = cipher->algorithm_auth;
-        alg_enc = cipher->algorithm_enc;
-        alg_mac = cipher->algorithm_mac;
-        alg_ssl = cipher->algorithm_ssl;
-        alg2 = cipher->algorithm2;
-        if (alg_ssl & SSL_SSLV3)
-                ver = "SSLv3";
-        else if (alg_ssl & SSL_TLSV1_2)
-                ver = "TLSv1.2";
-        else
-                ver = "unknown";
-        switch (alg_mkey) {
-        case SSL_kRSA:
-                kx = "RSA";
-                break;
-        case SSL_kDHE:
-                kx = "DH";
-                break;
-        case SSL_kECDHr:
-                kx = "ECDH/RSA";
-                break;
-        case SSL_kECDHe:
-                kx = "ECDH/ECDSA";
-                break;
-        case SSL_kECDHE:
-                kx = "ECDH";
-                break;
-        case SSL_kGOST:
-                kx = "GOST";
-                break;
-        default:
-                kx = "unknown";
-        }
-        switch (alg_auth) {
-        case SSL_aRSA:
-                au = "RSA";
-                break;
-        case SSL_aDSS:
-                au = "DSS";
-                break;
-        case SSL_aECDH:
-                au = "ECDH";
-                break;
-        case SSL_aNULL:
-                au = "None";
-                break;
-        case SSL_aECDSA:
-                au = "ECDSA";
-                break;
-        case SSL_aGOST01:
-                au = "GOST01";
-                break;
-        default:
-                au = "unknown";
-                break;
-        }
-        switch (alg_enc) {
-        case SSL_DES:
-                enc = "DES(56)";
-                break;
-        case SSL_3DES:
-                enc = "3DES(168)";
-                break;
-        case SSL_RC4:
-                enc = alg2 & SSL2_CF_8_BYTE_ENC ? "RC4(64)" : "RC4(128)";
-                break;
-        case SSL_IDEA:
-                enc = "IDEA(128)";
-                break;
-        case SSL_eNULL:
-                enc = "None";
-                break;
-        case SSL_AES128:
-                enc = "AES(128)";
-                break;
-        case SSL_AES256:
-                enc = "AES(256)";
-                break;
-        case SSL_AES128GCM:
-                enc = "AESGCM(128)";
-                break;
-        case SSL_AES256GCM:
-                enc = "AESGCM(256)";
-                break;
-        case SSL_CAMELLIA128:
-                enc = "Camellia(128)";
-                break;
-        case SSL_CAMELLIA256:
-                enc = "Camellia(256)";
-                break;
-        case SSL_CHACHA20POLY1305:
-                enc = "ChaCha20-Poly1305";
-                break;
-        case SSL_CHACHA20POLY1305_OLD:
-                enc = "ChaCha20-Poly1305-Old";
-                break;
-        case SSL_eGOST2814789CNT:
-                enc = "GOST-28178-89-CNT";
-                break;
-        default:
-                enc = "unknown";
-                break;
-        }
-        switch (alg_mac) {
-        case SSL_MD5:
-                mac = "MD5";
-                break;
-        case SSL_SHA1:
-                mac = "SHA1";
-                break;
-        case SSL_SHA256:
-                mac = "SHA256";
-                break;
-        case SSL_SHA384:
-                mac = "SHA384";
-                break;
-        case SSL_AEAD:
-                mac = "AEAD";
-                break;
-        case SSL_GOST94:
-                mac = "GOST94";
-                break;
-        case SSL_GOST89MAC:
-                mac = "GOST89IMIT";
-                break;
-        case SSL_STREEBOG256:
-                mac = "STREEBOG256";
-                break;
-        case SSL_STREEBOG512:
-                mac = "STREEBOG512";
-                break;
-        default:
-                mac = "unknown";
-                break;
-        }
-        if (asprintf(&ret, "%-23s %s Kx=%-8s Au=%-4s Enc=%-9s Mac=%-4s\n",
-            cipher->name, ver, kx, au, enc, mac) == -1)
-                return "OPENSSL_malloc Error";
-        if (buf != NULL) {
-                l = strlcpy(buf, ret, len);
-                free(ret);
-                ret = buf;
-                if (l >= len)
-                        ret = "Buffer too small";
-        }
-        return (ret);
-}
-char *
-SSL_CIPHER_get_version(const SSL_CIPHER *c)
-{
-        if (c == NULL)
-                return("(NONE)");
-        if ((c->id >> 24) == 3)
-                return("TLSv1/SSLv3");
-        else
-                return("unknown");
-}
-/* return the actual cipher being used */
-const char *
-SSL_CIPHER_get_name(const SSL_CIPHER *c)
-{
-        if (c != NULL)
-                return (c->name);
-        return("(NONE)");
-}
-/* number of bits for symmetric cipher */
-int
-SSL_CIPHER_get_bits(const SSL_CIPHER *c, int *alg_bits)
-{
-        int ret = 0;
-        if (c != NULL) {
-                if (alg_bits != NULL)
-                        *alg_bits = c->alg_bits;
-                ret = c->strength_bits;
-        }
-        return (ret);
-}
-unsigned long
-SSL_CIPHER_get_id(const SSL_CIPHER *c)
-{
-        return c->id;
-}
-uint16_t
-SSL_CIPHER_get_value(const SSL_CIPHER *c)
-{
-        return ssl3_cipher_get_value(c);
-}
-void *
-SSL_COMP_get_compression_methods(void)
-{
-        return NULL;
-}
-int
-SSL_COMP_add_compression_method(int id, void *cm)
-{
-        return 1;
-}
-const char *
-SSL_COMP_get_name(const void *comp)
-{
-        return NULL;
-}
diff --git a/src/lib/libssl/ssl_err.c b/src/lib/libssl/ssl_err.c
deleted file mode 100644
index 04742b60ca..0000000000
--- a/src/lib/libssl/ssl_err.c
+++ /dev/null
@@ -1,615 +0,0 @@
-/* $OpenBSD: ssl_err.c,v 1.29 2015/02/22 15:54:27 jsing Exp $ */
-/* ====================================================================
- * Copyright (c) 1999-2011 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    openssl-core@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-/* NOTE: this file was auto generated by the mkerr.pl script: any changes
- * made to it will be overwritten when the script next updates this file,
- * only reason strings will be preserved.
- */
-#include <stdio.h>
-#include <openssl/err.h>
-#include <openssl/ssl.h>
-/* BEGIN ERROR CODES */
-#ifndef OPENSSL_NO_ERR
-#define ERR_FUNC(func) ERR_PACK(ERR_LIB_SSL,func,0)
-#define ERR_REASON(reason) ERR_PACK(ERR_LIB_SSL,0,reason)
-static ERR_STRING_DATA SSL_str_functs[]= {
-        {ERR_FUNC(SSL_F_CLIENT_CERTIFICATE),    "CLIENT_CERTIFICATE"},
-        {ERR_FUNC(SSL_F_CLIENT_FINISHED),       "CLIENT_FINISHED"},
-        {ERR_FUNC(SSL_F_CLIENT_HELLO),  "CLIENT_HELLO"},
-        {ERR_FUNC(SSL_F_CLIENT_MASTER_KEY),     "CLIENT_MASTER_KEY"},
-        {ERR_FUNC(SSL_F_D2I_SSL_SESSION),       "d2i_SSL_SESSION"},
-        {ERR_FUNC(SSL_F_DO_DTLS1_WRITE),        "DO_DTLS1_WRITE"},
-        {ERR_FUNC(SSL_F_DO_SSL3_WRITE), "DO_SSL3_WRITE"},
-        {ERR_FUNC(SSL_F_DTLS1_ACCEPT),  "DTLS1_ACCEPT"},
-        {ERR_FUNC(SSL_F_DTLS1_ADD_CERT_TO_BUF), "DTLS1_ADD_CERT_TO_BUF"},
-        {ERR_FUNC(SSL_F_DTLS1_BUFFER_RECORD),   "DTLS1_BUFFER_RECORD"},
-        {ERR_FUNC(SSL_F_DTLS1_CHECK_TIMEOUT_NUM),       "DTLS1_CHECK_TIMEOUT_NUM"},
-        {ERR_FUNC(SSL_F_DTLS1_CLIENT_HELLO),    "DTLS1_CLIENT_HELLO"},
-        {ERR_FUNC(SSL_F_DTLS1_CONNECT), "DTLS1_CONNECT"},
-        {ERR_FUNC(SSL_F_DTLS1_ENC),     "DTLS1_ENC"},
-        {ERR_FUNC(SSL_F_DTLS1_GET_HELLO_VERIFY),        "DTLS1_GET_HELLO_VERIFY"},
-        {ERR_FUNC(SSL_F_DTLS1_GET_MESSAGE),     "DTLS1_GET_MESSAGE"},
-        {ERR_FUNC(SSL_F_DTLS1_GET_MESSAGE_FRAGMENT),    "DTLS1_GET_MESSAGE_FRAGMENT"},
-        {ERR_FUNC(SSL_F_DTLS1_GET_RECORD),      "DTLS1_GET_RECORD"},
-        {ERR_FUNC(SSL_F_DTLS1_HANDLE_TIMEOUT),  "DTLS1_HANDLE_TIMEOUT"},
-        {ERR_FUNC(SSL_F_DTLS1_HEARTBEAT),       "DTLS1_HEARTBEAT"},
-        {ERR_FUNC(SSL_F_DTLS1_OUTPUT_CERT_CHAIN),       "DTLS1_OUTPUT_CERT_CHAIN"},
-        {ERR_FUNC(SSL_F_DTLS1_PREPROCESS_FRAGMENT),     "DTLS1_PREPROCESS_FRAGMENT"},
-        {ERR_FUNC(SSL_F_DTLS1_PROCESS_OUT_OF_SEQ_MESSAGE),      "DTLS1_PROCESS_OUT_OF_SEQ_MESSAGE"},
-        {ERR_FUNC(SSL_F_DTLS1_PROCESS_RECORD),  "DTLS1_PROCESS_RECORD"},
-        {ERR_FUNC(SSL_F_DTLS1_READ_BYTES),      "DTLS1_READ_BYTES"},
-        {ERR_FUNC(SSL_F_DTLS1_READ_FAILED),     "DTLS1_READ_FAILED"},
-        {ERR_FUNC(SSL_F_DTLS1_SEND_CERTIFICATE_REQUEST),        "DTLS1_SEND_CERTIFICATE_REQUEST"},
-        {ERR_FUNC(SSL_F_DTLS1_SEND_CLIENT_CERTIFICATE), "DTLS1_SEND_CLIENT_CERTIFICATE"},
-        {ERR_FUNC(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE),        "DTLS1_SEND_CLIENT_KEY_EXCHANGE"},
-        {ERR_FUNC(SSL_F_DTLS1_SEND_CLIENT_VERIFY),      "DTLS1_SEND_CLIENT_VERIFY"},
-        {ERR_FUNC(SSL_F_DTLS1_SEND_HELLO_VERIFY_REQUEST),       "DTLS1_SEND_HELLO_VERIFY_REQUEST"},
-        {ERR_FUNC(SSL_F_DTLS1_SEND_SERVER_CERTIFICATE), "DTLS1_SEND_SERVER_CERTIFICATE"},
-        {ERR_FUNC(SSL_F_DTLS1_SEND_SERVER_HELLO),       "DTLS1_SEND_SERVER_HELLO"},
-        {ERR_FUNC(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE),        "DTLS1_SEND_SERVER_KEY_EXCHANGE"},
-        {ERR_FUNC(SSL_F_DTLS1_WRITE_APP_DATA_BYTES),    "DTLS1_WRITE_APP_DATA_BYTES"},
-        {ERR_FUNC(SSL_F_GET_CLIENT_FINISHED),   "GET_CLIENT_FINISHED"},
-        {ERR_FUNC(SSL_F_GET_CLIENT_HELLO),      "GET_CLIENT_HELLO"},
-        {ERR_FUNC(SSL_F_GET_CLIENT_MASTER_KEY), "GET_CLIENT_MASTER_KEY"},
-        {ERR_FUNC(SSL_F_GET_SERVER_FINISHED),   "GET_SERVER_FINISHED"},
-        {ERR_FUNC(SSL_F_GET_SERVER_HELLO),      "GET_SERVER_HELLO"},
-        {ERR_FUNC(SSL_F_GET_SERVER_VERIFY),     "GET_SERVER_VERIFY"},
-        {ERR_FUNC(SSL_F_I2D_SSL_SESSION),       "i2d_SSL_SESSION"},
-        {ERR_FUNC(SSL_F_READ_N),        "READ_N"},
-        {ERR_FUNC(SSL_F_REQUEST_CERTIFICATE),   "REQUEST_CERTIFICATE"},
-        {ERR_FUNC(SSL_F_SERVER_FINISH), "SERVER_FINISH"},
-        {ERR_FUNC(SSL_F_SERVER_HELLO),  "SERVER_HELLO"},
-        {ERR_FUNC(SSL_F_SERVER_VERIFY), "SERVER_VERIFY"},
-        {ERR_FUNC(SSL_F_SSL23_ACCEPT),  "SSL23_ACCEPT"},
-        {ERR_FUNC(SSL_F_SSL23_CLIENT_HELLO),    "SSL23_CLIENT_HELLO"},
-        {ERR_FUNC(SSL_F_SSL23_CONNECT), "SSL23_CONNECT"},
-        {ERR_FUNC(SSL_F_SSL23_GET_CLIENT_HELLO),        "SSL23_GET_CLIENT_HELLO"},
-        {ERR_FUNC(SSL_F_SSL23_GET_SERVER_HELLO),        "SSL23_GET_SERVER_HELLO"},
-        {ERR_FUNC(SSL_F_SSL23_PEEK),    "SSL23_PEEK"},
-        {ERR_FUNC(SSL_F_SSL23_READ),    "SSL23_READ"},
-        {ERR_FUNC(SSL_F_SSL23_WRITE),   "SSL23_WRITE"},
-        {ERR_FUNC(SSL_F_SSL2_ACCEPT),   "SSL2_ACCEPT"},
-        {ERR_FUNC(SSL_F_SSL2_CONNECT),  "SSL2_CONNECT"},
-        {ERR_FUNC(SSL_F_SSL2_ENC_INIT), "SSL2_ENC_INIT"},
-        {ERR_FUNC(SSL_F_SSL2_GENERATE_KEY_MATERIAL),    "SSL2_GENERATE_KEY_MATERIAL"},
-        {ERR_FUNC(SSL_F_SSL2_PEEK),     "SSL2_PEEK"},
-        {ERR_FUNC(SSL_F_SSL2_READ),     "SSL2_READ"},
-        {ERR_FUNC(SSL_F_SSL2_READ_INTERNAL),    "SSL2_READ_INTERNAL"},
-        {ERR_FUNC(SSL_F_SSL2_SET_CERTIFICATE),  "SSL2_SET_CERTIFICATE"},
-        {ERR_FUNC(SSL_F_SSL2_WRITE),    "SSL2_WRITE"},
-        {ERR_FUNC(SSL_F_SSL3_ACCEPT),   "SSL3_ACCEPT"},
-        {ERR_FUNC(SSL_F_SSL3_ADD_CERT_TO_BUF),  "SSL3_ADD_CERT_TO_BUF"},
-        {ERR_FUNC(SSL_F_SSL3_CALLBACK_CTRL),    "SSL3_CALLBACK_CTRL"},
-        {ERR_FUNC(SSL_F_SSL3_CHANGE_CIPHER_STATE),      "SSL3_CHANGE_CIPHER_STATE"},
-        {ERR_FUNC(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM), "SSL3_CHECK_CERT_AND_ALGORITHM"},
-        {ERR_FUNC(SSL_F_SSL3_CHECK_CLIENT_HELLO),       "SSL3_CHECK_CLIENT_HELLO"},
-        {ERR_FUNC(SSL_F_SSL3_CLIENT_HELLO),     "SSL3_CLIENT_HELLO"},
-        {ERR_FUNC(SSL_F_SSL3_CONNECT),  "SSL3_CONNECT"},
-        {ERR_FUNC(SSL_F_SSL3_CTRL),     "SSL3_CTRL"},
-        {ERR_FUNC(SSL_F_SSL3_CTX_CTRL), "SSL3_CTX_CTRL"},
-        {ERR_FUNC(SSL_F_SSL3_DIGEST_CACHED_RECORDS),    "SSL3_DIGEST_CACHED_RECORDS"},
-        {ERR_FUNC(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC),    "SSL3_DO_CHANGE_CIPHER_SPEC"},
-        {ERR_FUNC(SSL_F_SSL3_ENC),      "SSL3_ENC"},
-        {ERR_FUNC(SSL_F_SSL3_GENERATE_KEY_BLOCK),       "SSL3_GENERATE_KEY_BLOCK"},
-        {ERR_FUNC(SSL_F_SSL3_GET_CERTIFICATE_REQUEST),  "SSL3_GET_CERTIFICATE_REQUEST"},
-        {ERR_FUNC(SSL_F_SSL3_GET_CERT_STATUS),  "SSL3_GET_CERT_STATUS"},
-        {ERR_FUNC(SSL_F_SSL3_GET_CERT_VERIFY),  "SSL3_GET_CERT_VERIFY"},
-        {ERR_FUNC(SSL_F_SSL3_GET_CLIENT_CERTIFICATE),   "SSL3_GET_CLIENT_CERTIFICATE"},
-        {ERR_FUNC(SSL_F_SSL3_GET_CLIENT_HELLO), "SSL3_GET_CLIENT_HELLO"},
-        {ERR_FUNC(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE),  "SSL3_GET_CLIENT_KEY_EXCHANGE"},
-        {ERR_FUNC(SSL_F_SSL3_GET_FINISHED),     "SSL3_GET_FINISHED"},
-        {ERR_FUNC(SSL_F_SSL3_GET_KEY_EXCHANGE), "SSL3_GET_KEY_EXCHANGE"},
-        {ERR_FUNC(SSL_F_SSL3_GET_MESSAGE),      "SSL3_GET_MESSAGE"},
-        {ERR_FUNC(SSL_F_SSL3_GET_NEW_SESSION_TICKET),   "SSL3_GET_NEW_SESSION_TICKET"},
-        {ERR_FUNC(SSL_F_SSL3_GET_NEXT_PROTO),   "SSL3_GET_NEXT_PROTO"},
-        {ERR_FUNC(SSL_F_SSL3_GET_RECORD),       "SSL3_GET_RECORD"},
-        {ERR_FUNC(SSL_F_SSL3_GET_SERVER_CERTIFICATE),   "SSL3_GET_SERVER_CERTIFICATE"},
-        {ERR_FUNC(SSL_F_SSL3_GET_SERVER_DONE),  "SSL3_GET_SERVER_DONE"},
-        {ERR_FUNC(SSL_F_SSL3_GET_SERVER_HELLO), "SSL3_GET_SERVER_HELLO"},
-        {ERR_FUNC(SSL_F_SSL3_HANDSHAKE_MAC),    "ssl3_handshake_mac"},
-        {ERR_FUNC(SSL_F_SSL3_NEW_SESSION_TICKET),       "SSL3_NEW_SESSION_TICKET"},
-        {ERR_FUNC(SSL_F_SSL3_OUTPUT_CERT_CHAIN),        "SSL3_OUTPUT_CERT_CHAIN"},
-        {ERR_FUNC(SSL_F_SSL3_PEEK),     "SSL3_PEEK"},
-        {ERR_FUNC(SSL_F_SSL3_READ_BYTES),       "SSL3_READ_BYTES"},
-        {ERR_FUNC(SSL_F_SSL3_READ_N),   "SSL3_READ_N"},
-        {ERR_FUNC(SSL_F_SSL3_SEND_CERTIFICATE_REQUEST), "SSL3_SEND_CERTIFICATE_REQUEST"},
-        {ERR_FUNC(SSL_F_SSL3_SEND_CLIENT_CERTIFICATE),  "SSL3_SEND_CLIENT_CERTIFICATE"},
-        {ERR_FUNC(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE), "SSL3_SEND_CLIENT_KEY_EXCHANGE"},
-        {ERR_FUNC(SSL_F_SSL3_SEND_CLIENT_VERIFY),       "SSL3_SEND_CLIENT_VERIFY"},
-        {ERR_FUNC(SSL_F_SSL3_SEND_SERVER_CERTIFICATE),  "SSL3_SEND_SERVER_CERTIFICATE"},
-        {ERR_FUNC(SSL_F_SSL3_SEND_SERVER_HELLO),        "SSL3_SEND_SERVER_HELLO"},
-        {ERR_FUNC(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE), "SSL3_SEND_SERVER_KEY_EXCHANGE"},
-        {ERR_FUNC(SSL_F_SSL3_SETUP_KEY_BLOCK),  "SSL3_SETUP_KEY_BLOCK"},
-        {ERR_FUNC(SSL_F_SSL3_SETUP_READ_BUFFER),        "SSL3_SETUP_READ_BUFFER"},
-        {ERR_FUNC(SSL_F_SSL3_SETUP_WRITE_BUFFER),       "SSL3_SETUP_WRITE_BUFFER"},
-        {ERR_FUNC(SSL_F_SSL3_WRITE_BYTES),      "SSL3_WRITE_BYTES"},
-        {ERR_FUNC(SSL_F_SSL3_WRITE_PENDING),    "SSL3_WRITE_PENDING"},
-        {ERR_FUNC(SSL_F_SSL_ADD_CLIENTHELLO_RENEGOTIATE_EXT),   "SSL_ADD_CLIENTHELLO_RENEGOTIATE_EXT"},
-        {ERR_FUNC(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT),    "SSL_ADD_CLIENTHELLO_TLSEXT"},
-        {ERR_FUNC(SSL_F_SSL_ADD_CLIENTHELLO_USE_SRTP_EXT),      "SSL_ADD_CLIENTHELLO_USE_SRTP_EXT"},
-        {ERR_FUNC(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK),    "SSL_add_dir_cert_subjects_to_stack"},
-        {ERR_FUNC(SSL_F_SSL_ADD_FILE_CERT_SUBJECTS_TO_STACK),   "SSL_add_file_cert_subjects_to_stack"},
-        {ERR_FUNC(SSL_F_SSL_ADD_SERVERHELLO_RENEGOTIATE_EXT),   "SSL_ADD_SERVERHELLO_RENEGOTIATE_EXT"},
-        {ERR_FUNC(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT),    "SSL_ADD_SERVERHELLO_TLSEXT"},
-        {ERR_FUNC(SSL_F_SSL_ADD_SERVERHELLO_USE_SRTP_EXT),      "SSL_ADD_SERVERHELLO_USE_SRTP_EXT"},
-        {ERR_FUNC(SSL_F_SSL_BAD_METHOD),        "SSL_BAD_METHOD"},
-        {ERR_FUNC(SSL_F_SSL_BYTES_TO_CIPHER_LIST),      "SSL_BYTES_TO_CIPHER_LIST"},
-        {ERR_FUNC(SSL_F_SSL_CERT_DUP),  "SSL_CERT_DUP"},
-        {ERR_FUNC(SSL_F_SSL_CERT_INST), "SSL_CERT_INST"},
-        {ERR_FUNC(SSL_F_SSL_CERT_INSTANTIATE),  "SSL_CERT_INSTANTIATE"},
-        {ERR_FUNC(SSL_F_SSL_CERT_NEW),  "SSL_CERT_NEW"},
-        {ERR_FUNC(SSL_F_SSL_CHECK_PRIVATE_KEY), "SSL_check_private_key"},
-        {ERR_FUNC(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT),  "SSL_CHECK_SERVERHELLO_TLSEXT"},
-        {ERR_FUNC(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG),       "SSL_CHECK_SRVR_ECC_CERT_AND_ALG"},
-        {ERR_FUNC(SSL_F_SSL_CIPHER_PROCESS_RULESTR),    "SSL_CIPHER_PROCESS_RULESTR"},
-        {ERR_FUNC(SSL_F_SSL_CIPHER_STRENGTH_SORT),      "SSL_CIPHER_STRENGTH_SORT"},
-        {ERR_FUNC(SSL_F_SSL_CLEAR),     "SSL_clear"},
-        {ERR_FUNC(SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD),       "SSL_COMP_add_compression_method"},
-        {ERR_FUNC(SSL_F_SSL_CREATE_CIPHER_LIST),        "SSL_CREATE_CIPHER_LIST"},
-        {ERR_FUNC(SSL_F_SSL_CTRL),      "SSL_ctrl"},
-        {ERR_FUNC(SSL_F_SSL_CTX_CHECK_PRIVATE_KEY),     "SSL_CTX_check_private_key"},
-        {ERR_FUNC(SSL_F_SSL_CTX_MAKE_PROFILES), "SSL_CTX_MAKE_PROFILES"},
-        {ERR_FUNC(SSL_F_SSL_CTX_NEW),   "SSL_CTX_new"},
-        {ERR_FUNC(SSL_F_SSL_CTX_SET_CIPHER_LIST),       "SSL_CTX_set_cipher_list"},
-        {ERR_FUNC(SSL_F_SSL_CTX_SET_CLIENT_CERT_ENGINE),        "SSL_CTX_set_client_cert_engine"},
-        {ERR_FUNC(SSL_F_SSL_CTX_SET_PURPOSE),   "SSL_CTX_set_purpose"},
-        {ERR_FUNC(SSL_F_SSL_CTX_SET_SESSION_ID_CONTEXT),        "SSL_CTX_set_session_id_context"},
-        {ERR_FUNC(SSL_F_SSL_CTX_SET_SSL_VERSION),       "SSL_CTX_set_ssl_version"},
-        {ERR_FUNC(SSL_F_SSL_CTX_SET_TRUST),     "SSL_CTX_set_trust"},
-        {ERR_FUNC(SSL_F_SSL_CTX_USE_CERTIFICATE),       "SSL_CTX_use_certificate"},
-        {ERR_FUNC(SSL_F_SSL_CTX_USE_CERTIFICATE_ASN1),  "SSL_CTX_use_certificate_ASN1"},
-        {ERR_FUNC(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE),    "SSL_CTX_use_certificate_chain_file"},
-        {ERR_FUNC(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE),  "SSL_CTX_use_certificate_file"},
-        {ERR_FUNC(SSL_F_SSL_CTX_USE_PRIVATEKEY),        "SSL_CTX_use_PrivateKey"},
-        {ERR_FUNC(SSL_F_SSL_CTX_USE_PRIVATEKEY_ASN1),   "SSL_CTX_use_PrivateKey_ASN1"},
-        {ERR_FUNC(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE),   "SSL_CTX_use_PrivateKey_file"},
-        {ERR_FUNC(SSL_F_SSL_CTX_USE_PSK_IDENTITY_HINT), "SSL_CTX_use_psk_identity_hint"},
-        {ERR_FUNC(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY),     "SSL_CTX_use_RSAPrivateKey"},
-        {ERR_FUNC(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_ASN1),        "SSL_CTX_use_RSAPrivateKey_ASN1"},
-        {ERR_FUNC(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE),        "SSL_CTX_use_RSAPrivateKey_file"},
-        {ERR_FUNC(SSL_F_SSL_DO_HANDSHAKE),      "SSL_do_handshake"},
-        {ERR_FUNC(SSL_F_SSL_GET_NEW_SESSION),   "SSL_GET_NEW_SESSION"},
-        {ERR_FUNC(SSL_F_SSL_GET_PREV_SESSION),  "SSL_GET_PREV_SESSION"},
-        {ERR_FUNC(SSL_F_SSL_GET_SERVER_SEND_CERT),      "SSL_GET_SERVER_SEND_CERT"},
-        {ERR_FUNC(SSL_F_SSL_GET_SERVER_SEND_PKEY),      "SSL_GET_SERVER_SEND_PKEY"},
-        {ERR_FUNC(SSL_F_SSL_GET_SIGN_PKEY),     "SSL_GET_SIGN_PKEY"},
-        {ERR_FUNC(SSL_F_SSL_INIT_WBIO_BUFFER),  "SSL_INIT_WBIO_BUFFER"},
-        {ERR_FUNC(SSL_F_SSL_LOAD_CLIENT_CA_FILE),       "SSL_load_client_CA_file"},
-        {ERR_FUNC(SSL_F_SSL_NEW),       "SSL_new"},
-        {ERR_FUNC(SSL_F_SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT), "SSL_PARSE_CLIENTHELLO_RENEGOTIATE_EXT"},
-        {ERR_FUNC(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT),  "SSL_PARSE_CLIENTHELLO_TLSEXT"},
-        {ERR_FUNC(SSL_F_SSL_PARSE_CLIENTHELLO_USE_SRTP_EXT),    "SSL_PARSE_CLIENTHELLO_USE_SRTP_EXT"},
-        {ERR_FUNC(SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT), "SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT"},
-        {ERR_FUNC(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT),  "SSL_PARSE_SERVERHELLO_TLSEXT"},
-        {ERR_FUNC(SSL_F_SSL_PARSE_SERVERHELLO_USE_SRTP_EXT),    "SSL_PARSE_SERVERHELLO_USE_SRTP_EXT"},
-        {ERR_FUNC(SSL_F_SSL_PEEK),      "SSL_peek"},
-        {ERR_FUNC(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT),        "SSL_PREPARE_CLIENTHELLO_TLSEXT"},
-        {ERR_FUNC(SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT),        "SSL_PREPARE_SERVERHELLO_TLSEXT"},
-        {ERR_FUNC(SSL_F_SSL_READ),      "SSL_read"},
-        {ERR_FUNC(SSL_F_SSL_RSA_PRIVATE_DECRYPT),       "SSL_RSA_PRIVATE_DECRYPT"},
-        {ERR_FUNC(SSL_F_SSL_RSA_PUBLIC_ENCRYPT),        "SSL_RSA_PUBLIC_ENCRYPT"},
-        {ERR_FUNC(SSL_F_SSL_SESSION_NEW),       "SSL_SESSION_new"},
-        {ERR_FUNC(SSL_F_SSL_SESSION_PRINT_FP),  "SSL_SESSION_print_fp"},
-        {ERR_FUNC(SSL_F_SSL_SESSION_SET1_ID_CONTEXT),   "SSL_SESSION_set1_id_context"},
-        {ERR_FUNC(SSL_F_SSL_SESS_CERT_NEW),     "SSL_SESS_CERT_NEW"},
-        {ERR_FUNC(SSL_F_SSL_SET_CERT),  "SSL_SET_CERT"},
-        {ERR_FUNC(SSL_F_SSL_SET_CIPHER_LIST),   "SSL_set_cipher_list"},
-        {ERR_FUNC(SSL_F_SSL_SET_FD),    "SSL_set_fd"},
-        {ERR_FUNC(SSL_F_SSL_SET_PKEY),  "SSL_SET_PKEY"},
-        {ERR_FUNC(SSL_F_SSL_SET_PURPOSE),       "SSL_set_purpose"},
-        {ERR_FUNC(SSL_F_SSL_SET_RFD),   "SSL_set_rfd"},
-        {ERR_FUNC(SSL_F_SSL_SET_SESSION),       "SSL_set_session"},
-        {ERR_FUNC(SSL_F_SSL_SET_SESSION_ID_CONTEXT),    "SSL_set_session_id_context"},
-        {ERR_FUNC(SSL_F_SSL_SET_SESSION_TICKET_EXT),    "SSL_set_session_ticket_ext"},
-        {ERR_FUNC(SSL_F_SSL_SET_TRUST), "SSL_set_trust"},
-        {ERR_FUNC(SSL_F_SSL_SET_WFD),   "SSL_set_wfd"},
-        {ERR_FUNC(SSL_F_SSL_SHUTDOWN),  "SSL_shutdown"},
-        {ERR_FUNC(SSL_F_SSL_SRP_CTX_INIT),      "SSL_SRP_CTX_init"},
-        {ERR_FUNC(SSL_F_SSL_UNDEFINED_CONST_FUNCTION),  "SSL_UNDEFINED_CONST_FUNCTION"},
-        {ERR_FUNC(SSL_F_SSL_UNDEFINED_FUNCTION),        "SSL_UNDEFINED_FUNCTION"},
-        {ERR_FUNC(SSL_F_SSL_UNDEFINED_VOID_FUNCTION),   "SSL_UNDEFINED_VOID_FUNCTION"},
-        {ERR_FUNC(SSL_F_SSL_USE_CERTIFICATE),   "SSL_use_certificate"},
-        {ERR_FUNC(SSL_F_SSL_USE_CERTIFICATE_ASN1),      "SSL_use_certificate_ASN1"},
-        {ERR_FUNC(SSL_F_SSL_USE_CERTIFICATE_FILE),      "SSL_use_certificate_file"},
-        {ERR_FUNC(SSL_F_SSL_USE_PRIVATEKEY),    "SSL_use_PrivateKey"},
-        {ERR_FUNC(SSL_F_SSL_USE_PRIVATEKEY_ASN1),       "SSL_use_PrivateKey_ASN1"},
-        {ERR_FUNC(SSL_F_SSL_USE_PRIVATEKEY_FILE),       "SSL_use_PrivateKey_file"},
-        {ERR_FUNC(SSL_F_SSL_USE_PSK_IDENTITY_HINT),     "SSL_use_psk_identity_hint"},
-        {ERR_FUNC(SSL_F_SSL_USE_RSAPRIVATEKEY), "SSL_use_RSAPrivateKey"},
-        {ERR_FUNC(SSL_F_SSL_USE_RSAPRIVATEKEY_ASN1),    "SSL_use_RSAPrivateKey_ASN1"},
-        {ERR_FUNC(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE),    "SSL_use_RSAPrivateKey_file"},
-        {ERR_FUNC(SSL_F_SSL_VERIFY_CERT_CHAIN), "SSL_VERIFY_CERT_CHAIN"},
-        {ERR_FUNC(SSL_F_SSL_WRITE),     "SSL_write"},
-        {ERR_FUNC(SSL_F_TLS1_AEAD_CTX_INIT), "TLS1_AEAD_CTX_INIT"},
-        {ERR_FUNC(SSL_F_TLS1_CERT_VERIFY_MAC),  "tls1_cert_verify_mac"},
-        {ERR_FUNC(SSL_F_TLS1_CHANGE_CIPHER_STATE), "TLS1_CHANGE_CIPHER_STATE"},
-        {ERR_FUNC(SSL_F_TLS1_CHANGE_CIPHER_STATE_AEAD), "TLS1_CHANGE_CIPHER_STATE_AEAD"},
-        {ERR_FUNC(SSL_F_TLS1_CHANGE_CIPHER_STATE_CIPHER), "TLS1_CHANGE_CIPHER_STATE_CIPHER"},
-        {ERR_FUNC(SSL_F_TLS1_CHECK_SERVERHELLO_TLSEXT), "TLS1_CHECK_SERVERHELLO_TLSEXT"},
-        {ERR_FUNC(SSL_F_TLS1_ENC),      "TLS1_ENC"},
-        {ERR_FUNC(SSL_F_TLS1_EXPORT_KEYING_MATERIAL),   "TLS1_EXPORT_KEYING_MATERIAL"},
-        {ERR_FUNC(SSL_F_TLS1_HEARTBEAT),        "SSL_F_TLS1_HEARTBEAT"},
-        {ERR_FUNC(SSL_F_TLS1_PREPARE_CLIENTHELLO_TLSEXT),       "TLS1_PREPARE_CLIENTHELLO_TLSEXT"},
-        {ERR_FUNC(SSL_F_TLS1_PREPARE_SERVERHELLO_TLSEXT),       "TLS1_PREPARE_SERVERHELLO_TLSEXT"},
-        {ERR_FUNC(SSL_F_TLS1_PRF),      "tls1_prf"},
-        {ERR_FUNC(SSL_F_TLS1_SETUP_KEY_BLOCK),  "TLS1_SETUP_KEY_BLOCK"},
-        {ERR_FUNC(SSL_F_WRITE_PENDING), "WRITE_PENDING"},
-        {0, NULL}
-};
-static ERR_STRING_DATA SSL_str_reasons[]= {
-        {ERR_REASON(SSL_R_APP_DATA_IN_HANDSHAKE) , "app data in handshake"},
-        {ERR_REASON(SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT), "attempt to reuse session in different context"},
-        {ERR_REASON(SSL_R_BAD_ALERT_RECORD)      , "bad alert record"},
-        {ERR_REASON(SSL_R_BAD_AUTHENTICATION_TYPE), "bad authentication type"},
-        {ERR_REASON(SSL_R_BAD_CHANGE_CIPHER_SPEC), "bad change cipher spec"},
-        {ERR_REASON(SSL_R_BAD_CHECKSUM)          , "bad checksum"},
-        {ERR_REASON(SSL_R_BAD_DATA_RETURNED_BY_CALLBACK), "bad data returned by callback"},
-        {ERR_REASON(SSL_R_BAD_DECOMPRESSION)     , "bad decompression"},
-        {ERR_REASON(SSL_R_BAD_DH_G_LENGTH)       , "bad dh g length"},
-        {ERR_REASON(SSL_R_BAD_DH_PUB_KEY_LENGTH) , "bad dh pub key length"},
-        {ERR_REASON(SSL_R_BAD_DH_P_LENGTH)       , "bad dh p length"},
-        {ERR_REASON(SSL_R_BAD_DIGEST_LENGTH)     , "bad digest length"},
-        {ERR_REASON(SSL_R_BAD_DSA_SIGNATURE)     , "bad dsa signature"},
-        {ERR_REASON(SSL_R_BAD_ECC_CERT)          , "bad ecc cert"},
-        {ERR_REASON(SSL_R_BAD_ECDSA_SIGNATURE)   , "bad ecdsa signature"},
-        {ERR_REASON(SSL_R_BAD_ECPOINT)           , "bad ecpoint"},
-        {ERR_REASON(SSL_R_BAD_HANDSHAKE_LENGTH)  , "bad handshake length"},
-        {ERR_REASON(SSL_R_BAD_HELLO_REQUEST)     , "bad hello request"},
-        {ERR_REASON(SSL_R_BAD_LENGTH)            , "bad length"},
-        {ERR_REASON(SSL_R_BAD_MAC_DECODE)        , "bad mac decode"},
-        {ERR_REASON(SSL_R_BAD_MAC_LENGTH)        , "bad mac length"},
-        {ERR_REASON(SSL_R_BAD_MESSAGE_TYPE)      , "bad message type"},
-        {ERR_REASON(SSL_R_BAD_PACKET_LENGTH)     , "bad packet length"},
-        {ERR_REASON(SSL_R_BAD_PROTOCOL_VERSION_NUMBER), "bad protocol version number"},
-        {ERR_REASON(SSL_R_BAD_PSK_IDENTITY_HINT_LENGTH), "bad psk identity hint length"},
-        {ERR_REASON(SSL_R_BAD_RESPONSE_ARGUMENT) , "bad response argument"},
-        {ERR_REASON(SSL_R_BAD_RSA_DECRYPT)       , "bad rsa decrypt"},
-        {ERR_REASON(SSL_R_BAD_RSA_ENCRYPT)       , "bad rsa encrypt"},
-        {ERR_REASON(SSL_R_BAD_RSA_E_LENGTH)      , "bad rsa e length"},
-        {ERR_REASON(SSL_R_BAD_RSA_MODULUS_LENGTH), "bad rsa modulus length"},
-        {ERR_REASON(SSL_R_BAD_RSA_SIGNATURE)     , "bad rsa signature"},
-        {ERR_REASON(SSL_R_BAD_SIGNATURE)         , "bad signature"},
-        {ERR_REASON(SSL_R_BAD_SRP_A_LENGTH)      , "bad srp a length"},
-        {ERR_REASON(SSL_R_BAD_SRP_B_LENGTH)      , "bad srp b length"},
-        {ERR_REASON(SSL_R_BAD_SRP_G_LENGTH)      , "bad srp g length"},
-        {ERR_REASON(SSL_R_BAD_SRP_N_LENGTH)      , "bad srp n length"},
-        {ERR_REASON(SSL_R_BAD_SRP_S_LENGTH)      , "bad srp s length"},
-        {ERR_REASON(SSL_R_BAD_SRTP_MKI_VALUE)    , "bad srtp mki value"},
-        {ERR_REASON(SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST), "bad srtp protection profile list"},
-        {ERR_REASON(SSL_R_BAD_SSL_FILETYPE)      , "bad ssl filetype"},
-        {ERR_REASON(SSL_R_BAD_SSL_SESSION_ID_LENGTH), "bad ssl session id length"},
-        {ERR_REASON(SSL_R_BAD_STATE)             , "bad state"},
-        {ERR_REASON(SSL_R_BAD_WRITE_RETRY)       , "bad write retry"},
-        {ERR_REASON(SSL_R_BIO_NOT_SET)           , "bio not set"},
-        {ERR_REASON(SSL_R_BLOCK_CIPHER_PAD_IS_WRONG), "block cipher pad is wrong"},
-        {ERR_REASON(SSL_R_BN_LIB)                , "bn lib"},
-        {ERR_REASON(SSL_R_CA_DN_LENGTH_MISMATCH) , "ca dn length mismatch"},
-        {ERR_REASON(SSL_R_CA_DN_TOO_LONG)        , "ca dn too long"},
-        {ERR_REASON(SSL_R_CCS_RECEIVED_EARLY)    , "ccs received early"},
-        {ERR_REASON(SSL_R_CERTIFICATE_VERIFY_FAILED), "certificate verify failed"},
-        {ERR_REASON(SSL_R_CERT_LENGTH_MISMATCH)  , "cert length mismatch"},
-        {ERR_REASON(SSL_R_CHALLENGE_IS_DIFFERENT), "challenge is different"},
-        {ERR_REASON(SSL_R_CIPHER_CODE_WRONG_LENGTH), "cipher code wrong length"},
-        {ERR_REASON(SSL_R_CIPHER_COMPRESSION_UNAVAILABLE), "cipher compression unavailable"},
-        {ERR_REASON(SSL_R_CIPHER_OR_HASH_UNAVAILABLE), "cipher or hash unavailable"},
-        {ERR_REASON(SSL_R_CIPHER_TABLE_SRC_ERROR), "cipher table src error"},
-        {ERR_REASON(SSL_R_CLIENTHELLO_TLSEXT)    , "clienthello tlsext"},
-        {ERR_REASON(SSL_R_COMPRESSED_LENGTH_TOO_LONG), "compressed length too long"},
-        {ERR_REASON(SSL_R_COMPRESSION_DISABLED)  , "compression disabled"},
-        {ERR_REASON(SSL_R_COMPRESSION_FAILURE)   , "compression failure"},
-        {ERR_REASON(SSL_R_COMPRESSION_ID_NOT_WITHIN_PRIVATE_RANGE), "compression id not within private range"},
-        {ERR_REASON(SSL_R_COMPRESSION_LIBRARY_ERROR), "compression library error"},
-        {ERR_REASON(SSL_R_CONNECTION_ID_IS_DIFFERENT), "connection id is different"},
-        {ERR_REASON(SSL_R_CONNECTION_TYPE_NOT_SET), "connection type not set"},
-        {ERR_REASON(SSL_R_COOKIE_MISMATCH)       , "cookie mismatch"},
-        {ERR_REASON(SSL_R_DATA_BETWEEN_CCS_AND_FINISHED), "data between ccs and finished"},
-        {ERR_REASON(SSL_R_DATA_LENGTH_TOO_LONG)  , "data length too long"},
-        {ERR_REASON(SSL_R_DECRYPTION_FAILED)     , "decryption failed"},
-        {ERR_REASON(SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC), "decryption failed or bad record mac"},
-        {ERR_REASON(SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG), "dh public value length is wrong"},
-        {ERR_REASON(SSL_R_DIGEST_CHECK_FAILED)   , "digest check failed"},
-        {ERR_REASON(SSL_R_DTLS_MESSAGE_TOO_BIG)  , "dtls message too big"},
-        {ERR_REASON(SSL_R_DUPLICATE_COMPRESSION_ID), "duplicate compression id"},
-        {ERR_REASON(SSL_R_ECC_CERT_NOT_FOR_KEY_AGREEMENT), "ecc cert not for key agreement"},
-        {ERR_REASON(SSL_R_ECC_CERT_NOT_FOR_SIGNING), "ecc cert not for signing"},
-        {ERR_REASON(SSL_R_ECC_CERT_SHOULD_HAVE_RSA_SIGNATURE), "ecc cert should have rsa signature"},
-        {ERR_REASON(SSL_R_ECC_CERT_SHOULD_HAVE_SHA1_SIGNATURE), "ecc cert should have sha1 signature"},
-        {ERR_REASON(SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER), "ecgroup too large for cipher"},
-        {ERR_REASON(SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST), "empty srtp protection profile list"},
-        {ERR_REASON(SSL_R_ENCRYPTED_LENGTH_TOO_LONG), "encrypted length too long"},
-        {ERR_REASON(SSL_R_ERROR_GENERATING_TMP_RSA_KEY), "error generating tmp rsa key"},
-        {ERR_REASON(SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST), "error in received cipher list"},
-        {ERR_REASON(SSL_R_EXCESSIVE_MESSAGE_SIZE), "excessive message size"},
-        {ERR_REASON(SSL_R_EXTRA_DATA_IN_MESSAGE) , "extra data in message"},
-        {ERR_REASON(SSL_R_GOT_A_FIN_BEFORE_A_CCS), "got a fin before a ccs"},
-        {ERR_REASON(SSL_R_GOT_NEXT_PROTO_BEFORE_A_CCS), "got next proto before a ccs"},
-        {ERR_REASON(SSL_R_GOT_NEXT_PROTO_WITHOUT_EXTENSION), "got next proto without seeing extension"},
-        {ERR_REASON(SSL_R_HTTPS_PROXY_REQUEST)   , "https proxy request"},
-        {ERR_REASON(SSL_R_HTTP_REQUEST)          , "http request"},
-        {ERR_REASON(SSL_R_ILLEGAL_PADDING)       , "illegal padding"},
-        {ERR_REASON(SSL_R_INAPPROPRIATE_FALLBACK), "inappropriate fallback"},
-        {ERR_REASON(SSL_R_INCONSISTENT_COMPRESSION), "inconsistent compression"},
-        {ERR_REASON(SSL_R_INVALID_CHALLENGE_LENGTH), "invalid challenge length"},
-        {ERR_REASON(SSL_R_INVALID_COMMAND)       , "invalid command"},
-        {ERR_REASON(SSL_R_INVALID_COMPRESSION_ALGORITHM), "invalid compression algorithm"},
-        {ERR_REASON(SSL_R_INVALID_PURPOSE)       , "invalid purpose"},
-        {ERR_REASON(SSL_R_INVALID_SRP_USERNAME)  , "invalid srp username"},
-        {ERR_REASON(SSL_R_INVALID_STATUS_RESPONSE), "invalid status response"},
-        {ERR_REASON(SSL_R_INVALID_TICKET_KEYS_LENGTH), "invalid ticket keys length"},
-        {ERR_REASON(SSL_R_INVALID_TRUST)         , "invalid trust"},
-        {ERR_REASON(SSL_R_KEY_ARG_TOO_LONG)      , "key arg too long"},
-        {ERR_REASON(SSL_R_KRB5)                  , "krb5"},
-        {ERR_REASON(SSL_R_KRB5_C_CC_PRINC)       , "krb5 client cc principal (no tkt?)"},
-        {ERR_REASON(SSL_R_KRB5_C_GET_CRED)       , "krb5 client get cred"},
-        {ERR_REASON(SSL_R_KRB5_C_INIT)           , "krb5 client init"},
-        {ERR_REASON(SSL_R_KRB5_C_MK_REQ)         , "krb5 client mk_req (expired tkt?)"},
-        {ERR_REASON(SSL_R_KRB5_S_BAD_TICKET)     , "krb5 server bad ticket"},
-        {ERR_REASON(SSL_R_KRB5_S_INIT)           , "krb5 server init"},
-        {ERR_REASON(SSL_R_KRB5_S_RD_REQ)         , "krb5 server rd_req (keytab perms?)"},
-        {ERR_REASON(SSL_R_KRB5_S_TKT_EXPIRED)    , "krb5 server tkt expired"},
-        {ERR_REASON(SSL_R_KRB5_S_TKT_NYV)        , "krb5 server tkt not yet valid"},
-        {ERR_REASON(SSL_R_KRB5_S_TKT_SKEW)       , "krb5 server tkt skew"},
-        {ERR_REASON(SSL_R_LENGTH_MISMATCH)       , "length mismatch"},
-        {ERR_REASON(SSL_R_LENGTH_TOO_SHORT)      , "length too short"},
-        {ERR_REASON(SSL_R_LIBRARY_BUG)           , "library bug"},
-        {ERR_REASON(SSL_R_LIBRARY_HAS_NO_CIPHERS), "library has no ciphers"},
-        {ERR_REASON(SSL_R_MESSAGE_TOO_LONG)      , "message too long"},
-        {ERR_REASON(SSL_R_MISSING_DH_DSA_CERT)   , "missing dh dsa cert"},
-        {ERR_REASON(SSL_R_MISSING_DH_KEY)        , "missing dh key"},
-        {ERR_REASON(SSL_R_MISSING_DH_RSA_CERT)   , "missing dh rsa cert"},
-        {ERR_REASON(SSL_R_MISSING_DSA_SIGNING_CERT), "missing dsa signing cert"},
-        {ERR_REASON(SSL_R_MISSING_EXPORT_TMP_DH_KEY), "missing export tmp dh key"},
-        {ERR_REASON(SSL_R_MISSING_EXPORT_TMP_RSA_KEY), "missing export tmp rsa key"},
-        {ERR_REASON(SSL_R_MISSING_RSA_CERTIFICATE), "missing rsa certificate"},
-        {ERR_REASON(SSL_R_MISSING_RSA_ENCRYPTING_CERT), "missing rsa encrypting cert"},
-        {ERR_REASON(SSL_R_MISSING_RSA_SIGNING_CERT), "missing rsa signing cert"},
-        {ERR_REASON(SSL_R_MISSING_SRP_PARAM)     , "can't find SRP server param"},
-        {ERR_REASON(SSL_R_MISSING_TMP_DH_KEY)    , "missing tmp dh key"},
-        {ERR_REASON(SSL_R_MISSING_TMP_ECDH_KEY)  , "missing tmp ecdh key"},
-        {ERR_REASON(SSL_R_MISSING_TMP_RSA_KEY)   , "missing tmp rsa key"},
-        {ERR_REASON(SSL_R_MISSING_TMP_RSA_PKEY)  , "missing tmp rsa pkey"},
-        {ERR_REASON(SSL_R_MISSING_VERIFY_MESSAGE), "missing verify message"},
-        {ERR_REASON(SSL_R_MULTIPLE_SGC_RESTARTS) , "multiple sgc restarts"},
-        {ERR_REASON(SSL_R_NON_SSLV2_INITIAL_PACKET), "non sslv2 initial packet"},
-        {ERR_REASON(SSL_R_NO_CERTIFICATES_RETURNED), "no certificates returned"},
-        {ERR_REASON(SSL_R_NO_CERTIFICATE_ASSIGNED), "no certificate assigned"},
-        {ERR_REASON(SSL_R_NO_CERTIFICATE_RETURNED), "no certificate returned"},
-        {ERR_REASON(SSL_R_NO_CERTIFICATE_SET)    , "no certificate set"},
-        {ERR_REASON(SSL_R_NO_CERTIFICATE_SPECIFIED), "no certificate specified"},
-        {ERR_REASON(SSL_R_NO_CIPHERS_AVAILABLE)  , "no ciphers available"},
-        {ERR_REASON(SSL_R_NO_CIPHERS_PASSED)     , "no ciphers passed"},
-        {ERR_REASON(SSL_R_NO_CIPHERS_SPECIFIED)  , "no ciphers specified"},
-        {ERR_REASON(SSL_R_NO_CIPHER_LIST)        , "no cipher list"},
-        {ERR_REASON(SSL_R_NO_CIPHER_MATCH)       , "no cipher match"},
-        {ERR_REASON(SSL_R_NO_CLIENT_CERT_METHOD) , "no client cert method"},
-        {ERR_REASON(SSL_R_NO_CLIENT_CERT_RECEIVED), "no client cert received"},
-        {ERR_REASON(SSL_R_NO_COMPRESSION_SPECIFIED), "no compression specified"},
-        {ERR_REASON(SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER), "Peer haven't sent GOST certificate, required for selected ciphersuite"},
-        {ERR_REASON(SSL_R_NO_METHOD_SPECIFIED)   , "no method specified"},
-        {ERR_REASON(SSL_R_NO_PRIVATEKEY)         , "no privatekey"},
-        {ERR_REASON(SSL_R_NO_PRIVATE_KEY_ASSIGNED), "no private key assigned"},
-        {ERR_REASON(SSL_R_NO_PROTOCOLS_AVAILABLE), "no protocols available"},
-        {ERR_REASON(SSL_R_NO_PUBLICKEY)          , "no publickey"},
-        {ERR_REASON(SSL_R_NO_RENEGOTIATION)      , "no renegotiation"},
-        {ERR_REASON(SSL_R_NO_REQUIRED_DIGEST)    , "digest requred for handshake isn't computed"},
-        {ERR_REASON(SSL_R_NO_SHARED_CIPHER)      , "no shared cipher"},
-        {ERR_REASON(SSL_R_NO_SRTP_PROFILES)      , "no srtp profiles"},
-        {ERR_REASON(SSL_R_NO_VERIFY_CALLBACK)    , "no verify callback"},
-        {ERR_REASON(SSL_R_NULL_SSL_CTX)          , "null ssl ctx"},
-        {ERR_REASON(SSL_R_NULL_SSL_METHOD_PASSED), "null ssl method passed"},
-        {ERR_REASON(SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED), "old session cipher not returned"},
-        {ERR_REASON(SSL_R_OLD_SESSION_COMPRESSION_ALGORITHM_NOT_RETURNED), "old session compression algorithm not returned"},
-        {ERR_REASON(SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE), "only tls allowed in fips mode"},
-        {ERR_REASON(SSL_R_PACKET_LENGTH_TOO_LONG), "packet length too long"},
-        {ERR_REASON(SSL_R_PARSE_TLSEXT)          , "parse tlsext"},
-        {ERR_REASON(SSL_R_PATH_TOO_LONG)         , "path too long"},
-        {ERR_REASON(SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE), "peer did not return a certificate"},
-        {ERR_REASON(SSL_R_PEER_ERROR)            , "peer error"},
-        {ERR_REASON(SSL_R_PEER_ERROR_CERTIFICATE), "peer error certificate"},
-        {ERR_REASON(SSL_R_PEER_ERROR_NO_CERTIFICATE), "peer error no certificate"},
-        {ERR_REASON(SSL_R_PEER_ERROR_NO_CIPHER)  , "peer error no cipher"},
-        {ERR_REASON(SSL_R_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE), "peer error unsupported certificate type"},
-        {ERR_REASON(SSL_R_PRE_MAC_LENGTH_TOO_LONG), "pre mac length too long"},
-        {ERR_REASON(SSL_R_PROBLEMS_MAPPING_CIPHER_FUNCTIONS), "problems mapping cipher functions"},
-        {ERR_REASON(SSL_R_PROTOCOL_IS_SHUTDOWN)  , "protocol is shutdown"},
-        {ERR_REASON(SSL_R_PSK_IDENTITY_NOT_FOUND), "psk identity not found"},
-        {ERR_REASON(SSL_R_PSK_NO_CLIENT_CB)      , "psk no client cb"},
-        {ERR_REASON(SSL_R_PSK_NO_SERVER_CB)      , "psk no server cb"},
-        {ERR_REASON(SSL_R_PUBLIC_KEY_ENCRYPT_ERROR), "public key encrypt error"},
-        {ERR_REASON(SSL_R_PUBLIC_KEY_IS_NOT_RSA) , "public key is not rsa"},
-        {ERR_REASON(SSL_R_PUBLIC_KEY_NOT_RSA)    , "public key not rsa"},
-        {ERR_REASON(SSL_R_READ_BIO_NOT_SET)      , "read bio not set"},
-        {ERR_REASON(SSL_R_READ_TIMEOUT_EXPIRED)  , "read timeout expired"},
-        {ERR_REASON(SSL_R_READ_WRONG_PACKET_TYPE), "read wrong packet type"},
-        {ERR_REASON(SSL_R_RECORD_LENGTH_MISMATCH), "record length mismatch"},
-        {ERR_REASON(SSL_R_RECORD_TOO_LARGE)      , "record too large"},
-        {ERR_REASON(SSL_R_RECORD_TOO_SMALL)      , "record too small"},
-        {ERR_REASON(SSL_R_RENEGOTIATE_EXT_TOO_LONG), "renegotiate ext too long"},
-        {ERR_REASON(SSL_R_RENEGOTIATION_ENCODING_ERR), "renegotiation encoding err"},
-        {ERR_REASON(SSL_R_RENEGOTIATION_MISMATCH), "renegotiation mismatch"},
-        {ERR_REASON(SSL_R_REQUIRED_CIPHER_MISSING), "required cipher missing"},
-        {ERR_REASON(SSL_R_REQUIRED_COMPRESSSION_ALGORITHM_MISSING), "required compresssion algorithm missing"},
-        {ERR_REASON(SSL_R_REUSE_CERT_LENGTH_NOT_ZERO), "reuse cert length not zero"},
-        {ERR_REASON(SSL_R_REUSE_CERT_TYPE_NOT_ZERO), "reuse cert type not zero"},
-        {ERR_REASON(SSL_R_REUSE_CIPHER_LIST_NOT_ZERO), "reuse cipher list not zero"},
-        {ERR_REASON(SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING), "scsv received when renegotiating"},
-        {ERR_REASON(SSL_R_SERVERHELLO_TLSEXT)    , "serverhello tlsext"},
-        {ERR_REASON(SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED), "session id context uninitialized"},
-        {ERR_REASON(SSL_R_SHORT_READ)            , "short read"},
-        {ERR_REASON(SSL_R_SIGNATURE_ALGORITHMS_ERROR), "signature algorithms error"},
-        {ERR_REASON(SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE), "signature for non signing certificate"},
-        {ERR_REASON(SSL_R_SRP_A_CALC)            , "error with the srp params"},
-        {ERR_REASON(SSL_R_SRTP_COULD_NOT_ALLOCATE_PROFILES), "srtp could not allocate profiles"},
-        {ERR_REASON(SSL_R_SRTP_PROTECTION_PROFILE_LIST_TOO_LONG), "srtp protection profile list too long"},
-        {ERR_REASON(SSL_R_SRTP_UNKNOWN_PROTECTION_PROFILE), "srtp unknown protection profile"},
-        {ERR_REASON(SSL_R_SSL23_DOING_SESSION_ID_REUSE), "ssl23 doing session id reuse"},
-        {ERR_REASON(SSL_R_SSL2_CONNECTION_ID_TOO_LONG), "ssl2 connection id too long"},
-        {ERR_REASON(SSL_R_SSL3_EXT_INVALID_ECPOINTFORMAT), "ssl3 ext invalid ecpointformat"},
-        {ERR_REASON(SSL_R_SSL3_EXT_INVALID_SERVERNAME), "ssl3 ext invalid servername"},
-        {ERR_REASON(SSL_R_SSL3_EXT_INVALID_SERVERNAME_TYPE), "ssl3 ext invalid servername type"},
-        {ERR_REASON(SSL_R_SSL3_SESSION_ID_TOO_LONG), "ssl3 session id too long"},
-        {ERR_REASON(SSL_R_SSL3_SESSION_ID_TOO_SHORT), "ssl3 session id too short"},
-        {ERR_REASON(SSL_R_SSLV3_ALERT_BAD_CERTIFICATE), "sslv3 alert bad certificate"},
-        {ERR_REASON(SSL_R_SSLV3_ALERT_BAD_RECORD_MAC), "sslv3 alert bad record mac"},
-        {ERR_REASON(SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED), "sslv3 alert certificate expired"},
-        {ERR_REASON(SSL_R_SSLV3_ALERT_CERTIFICATE_REVOKED), "sslv3 alert certificate revoked"},
-        {ERR_REASON(SSL_R_SSLV3_ALERT_CERTIFICATE_UNKNOWN), "sslv3 alert certificate unknown"},
-        {ERR_REASON(SSL_R_SSLV3_ALERT_DECOMPRESSION_FAILURE), "sslv3 alert decompression failure"},
-        {ERR_REASON(SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE), "sslv3 alert handshake failure"},
-        {ERR_REASON(SSL_R_SSLV3_ALERT_ILLEGAL_PARAMETER), "sslv3 alert illegal parameter"},
-        {ERR_REASON(SSL_R_SSLV3_ALERT_NO_CERTIFICATE), "sslv3 alert no certificate"},
-        {ERR_REASON(SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE), "sslv3 alert unexpected message"},
-        {ERR_REASON(SSL_R_SSLV3_ALERT_UNSUPPORTED_CERTIFICATE), "sslv3 alert unsupported certificate"},
-        {ERR_REASON(SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION), "ssl ctx has no default ssl version"},
-        {ERR_REASON(SSL_R_SSL_HANDSHAKE_FAILURE) , "ssl handshake failure"},
-        {ERR_REASON(SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS), "ssl library has no ciphers"},
-        {ERR_REASON(SSL_R_SSL_SESSION_ID_CALLBACK_FAILED), "ssl session id callback failed"},
-        {ERR_REASON(SSL_R_SSL_SESSION_ID_CONFLICT), "ssl session id conflict"},
-        {ERR_REASON(SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG), "ssl session id context too long"},
-        {ERR_REASON(SSL_R_SSL_SESSION_ID_HAS_BAD_LENGTH), "ssl session id has bad length"},
-        {ERR_REASON(SSL_R_SSL_SESSION_ID_IS_DIFFERENT), "ssl session id is different"},
-        {ERR_REASON(SSL_R_TLSV1_ALERT_ACCESS_DENIED), "tlsv1 alert access denied"},
-        {ERR_REASON(SSL_R_TLSV1_ALERT_DECODE_ERROR), "tlsv1 alert decode error"},
-        {ERR_REASON(SSL_R_TLSV1_ALERT_DECRYPTION_FAILED), "tlsv1 alert decryption failed"},
-        {ERR_REASON(SSL_R_TLSV1_ALERT_DECRYPT_ERROR), "tlsv1 alert decrypt error"},
-        {ERR_REASON(SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION), "tlsv1 alert export restriction"},
-        {ERR_REASON(SSL_R_TLSV1_ALERT_INAPPROPRIATE_FALLBACK), "tlsv1 alert inappropriate fallback"},
-        {ERR_REASON(SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY), "tlsv1 alert insufficient security"},
-        {ERR_REASON(SSL_R_TLSV1_ALERT_INTERNAL_ERROR), "tlsv1 alert internal error"},
-        {ERR_REASON(SSL_R_TLSV1_ALERT_NO_RENEGOTIATION), "tlsv1 alert no renegotiation"},
-        {ERR_REASON(SSL_R_TLSV1_ALERT_PROTOCOL_VERSION), "tlsv1 alert protocol version"},
-        {ERR_REASON(SSL_R_TLSV1_ALERT_RECORD_OVERFLOW), "tlsv1 alert record overflow"},
-        {ERR_REASON(SSL_R_TLSV1_ALERT_UNKNOWN_CA), "tlsv1 alert unknown ca"},
-        {ERR_REASON(SSL_R_TLSV1_ALERT_USER_CANCELLED), "tlsv1 alert user cancelled"},
-        {ERR_REASON(SSL_R_TLSV1_BAD_CERTIFICATE_HASH_VALUE), "tlsv1 bad certificate hash value"},
-        {ERR_REASON(SSL_R_TLSV1_BAD_CERTIFICATE_STATUS_RESPONSE), "tlsv1 bad certificate status response"},
-        {ERR_REASON(SSL_R_TLSV1_CERTIFICATE_UNOBTAINABLE), "tlsv1 certificate unobtainable"},
-        {ERR_REASON(SSL_R_TLSV1_UNRECOGNIZED_NAME), "tlsv1 unrecognized name"},
-        {ERR_REASON(SSL_R_TLSV1_UNSUPPORTED_EXTENSION), "tlsv1 unsupported extension"},
-        {ERR_REASON(SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER), "tls client cert req with anon cipher"},
-        {ERR_REASON(SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT), "peer does not accept heartbeats"},
-        {ERR_REASON(SSL_R_TLS_HEARTBEAT_PENDING) , "heartbeat request already pending"},
-        {ERR_REASON(SSL_R_TLS_ILLEGAL_EXPORTER_LABEL), "tls illegal exporter label"},
-        {ERR_REASON(SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST), "tls invalid ecpointformat list"},
-        {ERR_REASON(SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST), "tls peer did not respond with certificate list"},
-        {ERR_REASON(SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG), "tls rsa encrypted value length is wrong"},
-        {ERR_REASON(SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER), "tried to use unsupported cipher"},
-        {ERR_REASON(SSL_R_UNABLE_TO_DECODE_DH_CERTS), "unable to decode dh certs"},
-        {ERR_REASON(SSL_R_UNABLE_TO_DECODE_ECDH_CERTS), "unable to decode ecdh certs"},
-        {ERR_REASON(SSL_R_UNABLE_TO_EXTRACT_PUBLIC_KEY), "unable to extract public key"},
-        {ERR_REASON(SSL_R_UNABLE_TO_FIND_DH_PARAMETERS), "unable to find dh parameters"},
-        {ERR_REASON(SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS), "unable to find ecdh parameters"},
-        {ERR_REASON(SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS), "unable to find public key parameters"},
-        {ERR_REASON(SSL_R_UNABLE_TO_FIND_SSL_METHOD), "unable to find ssl method"},
-        {ERR_REASON(SSL_R_UNABLE_TO_LOAD_SSL2_MD5_ROUTINES), "unable to load ssl2 md5 routines"},
-        {ERR_REASON(SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES), "unable to load ssl3 md5 routines"},
-        {ERR_REASON(SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES), "unable to load ssl3 sha1 routines"},
-        {ERR_REASON(SSL_R_UNEXPECTED_MESSAGE)    , "unexpected message"},
-        {ERR_REASON(SSL_R_UNEXPECTED_RECORD)     , "unexpected record"},
-        {ERR_REASON(SSL_R_UNINITIALIZED)         , "uninitialized"},
-        {ERR_REASON(SSL_R_UNKNOWN_ALERT_TYPE)    , "unknown alert type"},
-        {ERR_REASON(SSL_R_UNKNOWN_CERTIFICATE_TYPE), "unknown certificate type"},
-        {ERR_REASON(SSL_R_UNKNOWN_CIPHER_RETURNED), "unknown cipher returned"},
-        {ERR_REASON(SSL_R_UNKNOWN_CIPHER_TYPE)   , "unknown cipher type"},
-        {ERR_REASON(SSL_R_UNKNOWN_DIGEST)        , "unknown digest"},
-        {ERR_REASON(SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE), "unknown key exchange type"},
-        {ERR_REASON(SSL_R_UNKNOWN_PKEY_TYPE)     , "unknown pkey type"},
-        {ERR_REASON(SSL_R_UNKNOWN_PROTOCOL)      , "unknown protocol"},
-        {ERR_REASON(SSL_R_UNKNOWN_REMOTE_ERROR_TYPE), "unknown remote error type"},
-        {ERR_REASON(SSL_R_UNKNOWN_SSL_VERSION)   , "unknown ssl version"},
-        {ERR_REASON(SSL_R_UNKNOWN_STATE)         , "unknown state"},
-        {ERR_REASON(SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED), "unsafe legacy renegotiation disabled"},
-        {ERR_REASON(SSL_R_UNSUPPORTED_CIPHER)    , "unsupported cipher"},
-        {ERR_REASON(SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM), "unsupported compression algorithm"},
-        {ERR_REASON(SSL_R_UNSUPPORTED_DIGEST_TYPE), "unsupported digest type"},
-        {ERR_REASON(SSL_R_UNSUPPORTED_ELLIPTIC_CURVE), "unsupported elliptic curve"},
-        {ERR_REASON(SSL_R_UNSUPPORTED_PROTOCOL)  , "unsupported protocol"},
-        {ERR_REASON(SSL_R_UNSUPPORTED_SSL_VERSION), "unsupported ssl version"},
-        {ERR_REASON(SSL_R_UNSUPPORTED_STATUS_TYPE), "unsupported status type"},
-        {ERR_REASON(SSL_R_USE_SRTP_NOT_NEGOTIATED), "use srtp not negotiated"},
-        {ERR_REASON(SSL_R_WRITE_BIO_NOT_SET)     , "write bio not set"},
-        {ERR_REASON(SSL_R_WRONG_CIPHER_RETURNED) , "wrong cipher returned"},
-        {ERR_REASON(SSL_R_WRONG_CURVE)           , "wrong curve"},
-        {ERR_REASON(SSL_R_WRONG_MESSAGE_TYPE)    , "wrong message type"},
-        {ERR_REASON(SSL_R_WRONG_NUMBER_OF_KEY_BITS), "wrong number of key bits"},
-        {ERR_REASON(SSL_R_WRONG_SIGNATURE_LENGTH), "wrong signature length"},
-        {ERR_REASON(SSL_R_WRONG_SIGNATURE_SIZE)  , "wrong signature size"},
-        {ERR_REASON(SSL_R_WRONG_SIGNATURE_TYPE)  , "wrong signature type"},
-        {ERR_REASON(SSL_R_WRONG_SSL_VERSION)     , "wrong ssl version"},
-        {ERR_REASON(SSL_R_WRONG_VERSION_NUMBER)  , "wrong version number"},
-        {ERR_REASON(SSL_R_X509_LIB)              , "x509 lib"},
-        {ERR_REASON(SSL_R_X509_VERIFICATION_SETUP_PROBLEMS), "x509 verification setup problems"},
-        {0, NULL}
-};
-#endif
-void
-ERR_load_SSL_strings(void)
-{
-#ifndef OPENSSL_NO_ERR
-        if (ERR_func_error_string(SSL_str_functs[0].error) == NULL) {
-                ERR_load_strings(0, SSL_str_functs);
-                ERR_load_strings(0, SSL_str_reasons);
-        }
-#endif
-}
diff --git a/src/lib/libssl/ssl_err2.c b/src/lib/libssl/ssl_err2.c
deleted file mode 100644
index 9aad13cdc5..0000000000
--- a/src/lib/libssl/ssl_err2.c
+++ /dev/null
@@ -1,72 +0,0 @@
-/* $OpenBSD: ssl_err2.c,v 1.7 2014/12/14 15:30:50 jsing Exp $ */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-#include <stdio.h>
-#include <openssl/err.h>
-#include <openssl/ssl.h>
-void
-SSL_load_error_strings(void)
-{
-#ifndef OPENSSL_NO_ERR
-        ERR_load_crypto_strings();
-        ERR_load_SSL_strings();
-#endif
-}
diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c
deleted file mode 100644
index 5b9b952e72..0000000000
--- a/src/lib/libssl/ssl_lib.c
+++ /dev/null
@@ -1,3062 +0,0 @@
-/* $OpenBSD: ssl_lib.c,v 1.116 2015/10/25 15:52:49 doug Exp $ */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-/* ====================================================================
- * Copyright (c) 1998-2007 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    openssl-core@openssl.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-/* ====================================================================
- * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
- * ECC cipher suite support in OpenSSL originally developed by
- * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
- */
-/* ====================================================================
- * Copyright 2005 Nokia. All rights reserved.
- *
- * The portions of the attached software ("Contribution") is developed by
- * Nokia Corporation and is licensed pursuant to the OpenSSL open source
- * license.
- *
- * The Contribution, originally written by Mika Kousa and Pasi Eronen of
- * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
- * support (see RFC 4279) to OpenSSL.
- *
- * No patent licenses or other rights except those expressly stated in
- * the OpenSSL open source license shall be deemed granted or received
- * expressly, by implication, estoppel, or otherwise.
- *
- * No assurances are provided by Nokia that the Contribution does not
- * infringe the patent or other intellectual property rights of any third
- * party or that the license provides you with all the necessary rights
- * to make use of the Contribution.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
- * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
- * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
- * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
- * OTHERWISE.
- */
-#include <stdio.h>
-#include "ssl_locl.h"
-#include <openssl/bn.h>
-#include <openssl/dh.h>
-#include <openssl/lhash.h>
-#include <openssl/objects.h>
-#include <openssl/ocsp.h>
-#include <openssl/x509v3.h>
-#ifndef OPENSSL_NO_ENGINE
-#include <openssl/engine.h>
-#endif
-#include "bytestring.h"
-const char *SSL_version_str = OPENSSL_VERSION_TEXT;
-SSL3_ENC_METHOD ssl3_undef_enc_method = {
-        /*
-         * Evil casts, but these functions are only called if there's a
-         * library bug.
-         */
-        .enc = (int (*)(SSL *, int))ssl_undefined_function,
-        .mac = (int (*)(SSL *, unsigned char *, int))ssl_undefined_function,
-        .setup_key_block = ssl_undefined_function,
-        .generate_master_secret = (int (*)(SSL *, unsigned char *,
-            unsigned char *, int))ssl_undefined_function,
-        .change_cipher_state = (int (*)(SSL*, int))ssl_undefined_function,
-        .final_finish_mac = (int (*)(SSL *,  const char*, int,
-            unsigned char *))ssl_undefined_function,
-        .finish_mac_length = 0,
-        .cert_verify_mac = (int (*)(SSL *, int,
-            unsigned char *))ssl_undefined_function,
-        .client_finished_label = NULL,
-        .client_finished_label_len = 0,
-        .server_finished_label = NULL,
-        .server_finished_label_len = 0,
-        .alert_value = (int (*)(int))ssl_undefined_function,
-        .export_keying_material = (int (*)(SSL *, unsigned char *, size_t,
-            const char *, size_t, const unsigned char *, size_t,
-            int use_context))ssl_undefined_function,
-        .enc_flags = 0,
-};
-int
-SSL_clear(SSL *s)
-{
-        if (s->method == NULL) {
-                SSLerr(SSL_F_SSL_CLEAR, SSL_R_NO_METHOD_SPECIFIED);
-                return (0);
-        }
-        if (ssl_clear_bad_session(s)) {
-                SSL_SESSION_free(s->session);
-                s->session = NULL;
-        }
-        s->error = 0;
-        s->hit = 0;
-        s->shutdown = 0;
-        if (s->renegotiate) {
-                SSLerr(SSL_F_SSL_CLEAR, ERR_R_INTERNAL_ERROR);
-                return (0);
-        }
-        s->type = 0;
-        s->state = SSL_ST_BEFORE|((s->server) ? SSL_ST_ACCEPT : SSL_ST_CONNECT);
-        s->version = s->method->version;
-        s->client_version = s->version;
-        s->rwstate = SSL_NOTHING;
-        s->rstate = SSL_ST_READ_HEADER;
-        BUF_MEM_free(s->init_buf);
-        s->init_buf = NULL;
-        ssl_clear_cipher_ctx(s);
-        ssl_clear_hash_ctx(&s->read_hash);
-        ssl_clear_hash_ctx(&s->write_hash);
-        s->first_packet = 0;
-        /*
-         * Check to see if we were changed into a different method, if
-         * so, revert back if we are not doing session-id reuse.
-         */
-        if (!s->in_handshake && (s->session == NULL) &&
-            (s->method != s->ctx->method)) {
-                s->method->ssl_free(s);
-                s->method = s->ctx->method;
-                if (!s->method->ssl_new(s))
-                        return (0);
-        } else
-                s->method->ssl_clear(s);
-        return (1);
-}
-/* Used to change an SSL_CTXs default SSL method type */
-int
-SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth)
-{
-        STACK_OF(SSL_CIPHER)    *sk;
-        ctx->method = meth;
-        sk = ssl_create_cipher_list(ctx->method, &(ctx->cipher_list),
-            &(ctx->cipher_list_by_id), SSL_DEFAULT_CIPHER_LIST);
-        if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= 0)) {
-                SSLerr(SSL_F_SSL_CTX_SET_SSL_VERSION,
-                    SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS);
-                return (0);
-        }
-        return (1);
-}
-SSL *
-SSL_new(SSL_CTX *ctx)
-{
-        SSL     *s;
-        if (ctx == NULL) {
-                SSLerr(SSL_F_SSL_NEW, SSL_R_NULL_SSL_CTX);
-                return (NULL);
-        }
-        if (ctx->method == NULL) {
-                SSLerr(SSL_F_SSL_NEW, SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION);
-                return (NULL);
-        }
-        s = calloc(1, sizeof(SSL));
-        if (s == NULL)
-                goto err;
-        s->options = ctx->options;
-        s->mode = ctx->mode;
-        s->max_cert_list = ctx->max_cert_list;
-        if (ctx->cert != NULL) {
-                /*
-                 * Earlier library versions used to copy the pointer to
-                 * the CERT, not its contents; only when setting new
-                 * parameters for the per-SSL copy, ssl_cert_new would be
-                 * called (and the direct reference to the per-SSL_CTX
-                 * settings would be lost, but those still were indirectly
-                 * accessed for various purposes, and for that reason they
-                 * used to be known as s->ctx->default_cert).
-                 * Now we don't look at the SSL_CTX's CERT after having
-                 * duplicated it once.
-                */
-                s->cert = ssl_cert_dup(ctx->cert);
-                if (s->cert == NULL)
-                        goto err;
-        } else
-                s->cert=NULL; /* Cannot really happen (see SSL_CTX_new) */
-        s->read_ahead = ctx->read_ahead;
-        s->msg_callback = ctx->msg_callback;
-        s->msg_callback_arg = ctx->msg_callback_arg;
-        s->verify_mode = ctx->verify_mode;
-        s->sid_ctx_length = ctx->sid_ctx_length;
-        OPENSSL_assert(s->sid_ctx_length <= sizeof s->sid_ctx);
-        memcpy(&s->sid_ctx, &ctx->sid_ctx, sizeof(s->sid_ctx));
-        s->verify_callback = ctx->default_verify_callback;
-        s->generate_session_id = ctx->generate_session_id;
-        s->param = X509_VERIFY_PARAM_new();
-        if (!s->param)
-                goto err;
-        X509_VERIFY_PARAM_inherit(s->param, ctx->param);
-        s->quiet_shutdown = ctx->quiet_shutdown;
-        s->max_send_fragment = ctx->max_send_fragment;
-        CRYPTO_add(&ctx->references, 1, CRYPTO_LOCK_SSL_CTX);
-        s->ctx = ctx;
-        s->tlsext_debug_cb = 0;
-        s->tlsext_debug_arg = NULL;
-        s->tlsext_ticket_expected = 0;
-        s->tlsext_status_type = -1;
-        s->tlsext_status_expected = 0;
-        s->tlsext_ocsp_ids = NULL;
-        s->tlsext_ocsp_exts = NULL;
-        s->tlsext_ocsp_resp = NULL;
-        s->tlsext_ocsp_resplen = -1;
-        CRYPTO_add(&ctx->references, 1, CRYPTO_LOCK_SSL_CTX);
-        s->initial_ctx = ctx;
-        s->next_proto_negotiated = NULL;
-        if (s->ctx->alpn_client_proto_list != NULL) {
-                s->alpn_client_proto_list =
-                    malloc(s->ctx->alpn_client_proto_list_len);
-                if (s->alpn_client_proto_list == NULL)
-                        goto err;
-                memcpy(s->alpn_client_proto_list,
-                    s->ctx->alpn_client_proto_list,
-                    s->ctx->alpn_client_proto_list_len);
-                s->alpn_client_proto_list_len =
-                    s->ctx->alpn_client_proto_list_len;
-        }
-        s->verify_result = X509_V_OK;
-        s->method = ctx->method;
-        if (!s->method->ssl_new(s))
-                goto err;
-        s->references = 1;
-        s->server = (ctx->method->ssl_accept == ssl_undefined_function) ? 0 : 1;
-        SSL_clear(s);
-        CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL, s, &s->ex_data);
-        return (s);
-err:
-        SSL_free(s);
-        SSLerr(SSL_F_SSL_NEW, ERR_R_MALLOC_FAILURE);
-        return (NULL);
-}
-int
-SSL_CTX_set_session_id_context(SSL_CTX *ctx, const unsigned char *sid_ctx,
-    unsigned int sid_ctx_len)
-{
-        if (sid_ctx_len > sizeof ctx->sid_ctx) {
-                SSLerr(SSL_F_SSL_CTX_SET_SESSION_ID_CONTEXT,
-                    SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG);
-                return (0);
-        }
-        ctx->sid_ctx_length = sid_ctx_len;
-        memcpy(ctx->sid_ctx, sid_ctx, sid_ctx_len);
-        return (1);
-}
-int
-SSL_set_session_id_context(SSL *ssl, const unsigned char *sid_ctx,
-    unsigned int sid_ctx_len)
-{
-        if (sid_ctx_len > SSL_MAX_SID_CTX_LENGTH) {
-                SSLerr(SSL_F_SSL_SET_SESSION_ID_CONTEXT,
-                    SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG);
-                return (0);
-        }
-        ssl->sid_ctx_length = sid_ctx_len;
-        memcpy(ssl->sid_ctx, sid_ctx, sid_ctx_len);
-        return (1);
-}
-int
-SSL_CTX_set_generate_session_id(SSL_CTX *ctx, GEN_SESSION_CB cb)
-{
-        CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
-        ctx->generate_session_id = cb;
-        CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
-        return (1);
-}
-int
-SSL_set_generate_session_id(SSL *ssl, GEN_SESSION_CB cb)
-{
-        CRYPTO_w_lock(CRYPTO_LOCK_SSL);
-        ssl->generate_session_id = cb;
-        CRYPTO_w_unlock(CRYPTO_LOCK_SSL);
-        return (1);
-}
-int
-SSL_has_matching_session_id(const SSL *ssl, const unsigned char *id,
-    unsigned int id_len)
-{
-        /*
-         * A quick examination of SSL_SESSION_hash and SSL_SESSION_cmp
-         * shows how we can "construct" a session to give us the desired
-         * check - ie. to find if there's a session in the hash table
-         * that would conflict with any new session built out of this
-         * id/id_len and the ssl_version in use by this SSL.
-         */
-        SSL_SESSION r, *p;
-        if (id_len > sizeof r.session_id)
-                return (0);
-        r.ssl_version = ssl->version;
-        r.session_id_length = id_len;
-        memcpy(r.session_id, id, id_len);
-        CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);
-        p = lh_SSL_SESSION_retrieve(ssl->ctx->sessions, &r);
-        CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
-        return (p != NULL);
-}
-int
-SSL_CTX_set_purpose(SSL_CTX *s, int purpose)
-{
-        return (X509_VERIFY_PARAM_set_purpose(s->param, purpose));
-}
-int
-SSL_set_purpose(SSL *s, int purpose)
-{
-        return (X509_VERIFY_PARAM_set_purpose(s->param, purpose));
-}
-int
-SSL_CTX_set_trust(SSL_CTX *s, int trust)
-{
-        return (X509_VERIFY_PARAM_set_trust(s->param, trust));
-}
-int
-SSL_set_trust(SSL *s, int trust)
-{
-        return (X509_VERIFY_PARAM_set_trust(s->param, trust));
-}
-int
-SSL_CTX_set1_param(SSL_CTX *ctx, X509_VERIFY_PARAM *vpm)
-{
-        return (X509_VERIFY_PARAM_set1(ctx->param, vpm));
-}
-int
-SSL_set1_param(SSL *ssl, X509_VERIFY_PARAM *vpm)
-{
-        return (X509_VERIFY_PARAM_set1(ssl->param, vpm));
-}
-void
-SSL_free(SSL *s)
-{
-        int     i;
-        if (s == NULL)
-                return;
-        i = CRYPTO_add(&s->references, -1, CRYPTO_LOCK_SSL);
-        if (i > 0)
-                return;
-        if (s->param)
-                X509_VERIFY_PARAM_free(s->param);
-        CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL, s, &s->ex_data);
-        if (s->bbio != NULL) {
-                /* If the buffering BIO is in place, pop it off */
-                if (s->bbio == s->wbio) {
-                        s->wbio = BIO_pop(s->wbio);
-                }
-                BIO_free(s->bbio);
-                s->bbio = NULL;
-        }
-        if (s->rbio != s->wbio)
-                BIO_free_all(s->rbio);
-        BIO_free_all(s->wbio);
-        if (s->init_buf != NULL)
-                BUF_MEM_free(s->init_buf);
-        /* add extra stuff */
-        if (s->cipher_list != NULL)
-                sk_SSL_CIPHER_free(s->cipher_list);
-        if (s->cipher_list_by_id != NULL)
-                sk_SSL_CIPHER_free(s->cipher_list_by_id);
-        /* Make the next call work :-) */
-        if (s->session != NULL) {
-                ssl_clear_bad_session(s);
-                SSL_SESSION_free(s->session);
-        }
-        ssl_clear_cipher_ctx(s);
-        ssl_clear_hash_ctx(&s->read_hash);
-        ssl_clear_hash_ctx(&s->write_hash);
-        if (s->cert != NULL)
-                ssl_cert_free(s->cert);
-        /* Free up if allocated */
-        free(s->tlsext_hostname);
-        SSL_CTX_free(s->initial_ctx);
-        free(s->tlsext_ecpointformatlist);
-        free(s->tlsext_ellipticcurvelist);
-        if (s->tlsext_ocsp_exts)
-                sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
-                    X509_EXTENSION_free);
-        if (s->tlsext_ocsp_ids)
-                sk_OCSP_RESPID_pop_free(s->tlsext_ocsp_ids, OCSP_RESPID_free);
-        free(s->tlsext_ocsp_resp);
-        if (s->client_CA != NULL)
-                sk_X509_NAME_pop_free(s->client_CA, X509_NAME_free);
-        if (s->method != NULL)
-                s->method->ssl_free(s);
-        SSL_CTX_free(s->ctx);
-        free(s->next_proto_negotiated);
-        free(s->alpn_client_proto_list);
-#ifndef OPENSSL_NO_SRTP
-        if (s->srtp_profiles)
-                sk_SRTP_PROTECTION_PROFILE_free(s->srtp_profiles);
-#endif
-        free(s);
-}
-void
-SSL_set_bio(SSL *s, BIO *rbio, BIO *wbio)
-{
-        /* If the output buffering BIO is still in place, remove it */
-        if (s->bbio != NULL) {
-                if (s->wbio == s->bbio) {
-                        s->wbio = s->wbio->next_bio;
-                        s->bbio->next_bio = NULL;
-                }
-        }
-        if (s->rbio != rbio && s->rbio != s->wbio)
-                BIO_free_all(s->rbio);
-        if (s->wbio != wbio)
-                BIO_free_all(s->wbio);
-        s->rbio = rbio;
-        s->wbio = wbio;
-}
-BIO *
-SSL_get_rbio(const SSL *s)
-{
-        return (s->rbio);
-}
-BIO *
-SSL_get_wbio(const SSL *s)
-{
-        return (s->wbio);
-}
-int
-SSL_get_fd(const SSL *s)
-{
-        return (SSL_get_rfd(s));
-}
-int
-SSL_get_rfd(const SSL *s)
-{
-        int      ret = -1;
-        BIO     *b, *r;
-        b = SSL_get_rbio(s);
-        r = BIO_find_type(b, BIO_TYPE_DESCRIPTOR);
-        if (r != NULL)
-                BIO_get_fd(r, &ret);
-        return (ret);
-}
-int
-SSL_get_wfd(const SSL *s)
-{
-        int      ret = -1;
-        BIO     *b, *r;
-        b = SSL_get_wbio(s);
-        r = BIO_find_type(b, BIO_TYPE_DESCRIPTOR);
-        if (r != NULL)
-                BIO_get_fd(r, &ret);
-        return (ret);
-}
-int
-SSL_set_fd(SSL *s, int fd)
-{
-        int      ret = 0;
-        BIO     *bio = NULL;
-        bio = BIO_new(BIO_s_socket());
-        if (bio == NULL) {
-                SSLerr(SSL_F_SSL_SET_FD, ERR_R_BUF_LIB);
-                goto err;
-        }
-        BIO_set_fd(bio, fd, BIO_NOCLOSE);
-        SSL_set_bio(s, bio, bio);
-        ret = 1;
-err:
-        return (ret);
-}
-int
-SSL_set_wfd(SSL *s, int fd)
-{
-        int      ret = 0;
-        BIO     *bio = NULL;
-        if ((s->rbio == NULL) || (BIO_method_type(s->rbio) != BIO_TYPE_SOCKET)
-            || ((int)BIO_get_fd(s->rbio, NULL) != fd)) {
-                bio = BIO_new(BIO_s_socket());
-                if (bio == NULL) {
-                        SSLerr(SSL_F_SSL_SET_WFD, ERR_R_BUF_LIB);
-                        goto err;
-                }
-                BIO_set_fd(bio, fd, BIO_NOCLOSE);
-                SSL_set_bio(s, SSL_get_rbio(s), bio);
-        } else
-                SSL_set_bio(s, SSL_get_rbio(s), SSL_get_rbio(s));
-        ret = 1;
-err:
-        return (ret);
-}
-int
-SSL_set_rfd(SSL *s, int fd)
-{
-        int      ret = 0;
-        BIO     *bio = NULL;
-        if ((s->wbio == NULL) || (BIO_method_type(s->wbio) != BIO_TYPE_SOCKET)
-            || ((int)BIO_get_fd(s->wbio, NULL) != fd)) {
-                bio = BIO_new(BIO_s_socket());
-                if (bio == NULL) {
-                        SSLerr(SSL_F_SSL_SET_RFD, ERR_R_BUF_LIB);
-                        goto err;
-                }
-                BIO_set_fd(bio, fd, BIO_NOCLOSE);
-                SSL_set_bio(s, bio, SSL_get_wbio(s));
-        } else
-                SSL_set_bio(s, SSL_get_wbio(s), SSL_get_wbio(s));
-        ret = 1;
-err:
-        return (ret);
-}
-/* return length of latest Finished message we sent, copy to 'buf' */
-size_t
-SSL_get_finished(const SSL *s, void *buf, size_t count)
-{
-        size_t  ret = 0;
-        if (s->s3 != NULL) {
-                ret = s->s3->tmp.finish_md_len;
-                if (count > ret)
-                        count = ret;
-                memcpy(buf, s->s3->tmp.finish_md, count);
-        }
-        return (ret);
-}
-/* return length of latest Finished message we expected, copy to 'buf' */
-size_t
-SSL_get_peer_finished(const SSL *s, void *buf, size_t count)
-{
-        size_t  ret = 0;
-        if (s->s3 != NULL) {
-                ret = s->s3->tmp.peer_finish_md_len;
-                if (count > ret)
-                        count = ret;
-                memcpy(buf, s->s3->tmp.peer_finish_md, count);
-        }
-        return (ret);
-}
-int
-SSL_get_verify_mode(const SSL *s)
-{
-        return (s->verify_mode);
-}
-int
-SSL_get_verify_depth(const SSL *s)
-{
-        return (X509_VERIFY_PARAM_get_depth(s->param));
-}
-int
-(*SSL_get_verify_callback(const SSL *s))(int, X509_STORE_CTX *)
-{
-        return (s->verify_callback);
-}
-int
-SSL_CTX_get_verify_mode(const SSL_CTX *ctx)
-{
-        return (ctx->verify_mode);
-}
-int
-SSL_CTX_get_verify_depth(const SSL_CTX *ctx)
-{
-        return (X509_VERIFY_PARAM_get_depth(ctx->param));
-}
-int (*SSL_CTX_get_verify_callback(const SSL_CTX *ctx))(int, X509_STORE_CTX *)
-{
-        return (ctx->default_verify_callback);
-}
-void
-SSL_set_verify(SSL *s, int mode,
-    int (*callback)(int ok, X509_STORE_CTX *ctx))
-{
-        s->verify_mode = mode;
-        if (callback != NULL)
-                s->verify_callback = callback;
-}
-void
-SSL_set_verify_depth(SSL *s, int depth)
-{
-        X509_VERIFY_PARAM_set_depth(s->param, depth);
-}
-void
-SSL_set_read_ahead(SSL *s, int yes)
-{
-        s->read_ahead = yes;
-}
-int
-SSL_get_read_ahead(const SSL *s)
-{
-        return (s->read_ahead);
-}
-int
-SSL_pending(const SSL *s)
-{
-        /*
-         * SSL_pending cannot work properly if read-ahead is enabled
-         * (SSL_[CTX_]ctrl(..., SSL_CTRL_SET_READ_AHEAD, 1, NULL)),
-         * and it is impossible to fix since SSL_pending cannot report
-         * errors that may be observed while scanning the new data.
-         * (Note that SSL_pending() is often used as a boolean value,
-         * so we'd better not return -1.)
-         */
-        return (s->method->ssl_pending(s));
-}
-X509 *
-SSL_get_peer_certificate(const SSL *s)
-{
-        X509    *r;
-        if ((s == NULL) || (s->session == NULL))
-                r = NULL;
-        else
-                r = s->session->peer;
-        if (r == NULL)
-                return (r);
-        CRYPTO_add(&r->references, 1, CRYPTO_LOCK_X509);
-        return (r);
-}
-STACK_OF(X509) *
-SSL_get_peer_cert_chain(const SSL *s)
-{
-        STACK_OF(X509)  *r;
-        if ((s == NULL) || (s->session == NULL) ||
-            (s->session->sess_cert == NULL))
-                r = NULL;
-        else
-                r = s->session->sess_cert->cert_chain;
-        /*
-         * If we are a client, cert_chain includes the peer's own
-         * certificate;
-         * if we are a server, it does not.
-         */
-        return (r);
-}
-/*
- * Now in theory, since the calling process own 't' it should be safe to
- * modify.  We need to be able to read f without being hassled
- */
-void
-SSL_copy_session_id(SSL *t, const SSL *f)
-{
-        CERT    *tmp;
-        /* Do we need to to SSL locking? */
-        SSL_set_session(t, SSL_get_session(f));
-        /*
-         * What if we are setup as SSLv2 but want to talk SSLv3 or
-         * vice-versa.
-         */
-        if (t->method != f->method) {
-                t->method->ssl_free(t); /* cleanup current */
-                t->method=f->method;    /* change method */
-                t->method->ssl_new(t);  /* setup new */
-        }
-        tmp = t->cert;
-        if (f->cert != NULL) {
-                CRYPTO_add(&f->cert->references, 1, CRYPTO_LOCK_SSL_CERT);
-                t->cert = f->cert;
-        } else
-                t->cert = NULL;
-        if (tmp != NULL)
-                ssl_cert_free(tmp);
-        SSL_set_session_id_context(t, f->sid_ctx, f->sid_ctx_length);
-}
-/* Fix this so it checks all the valid key/cert options */
-int
-SSL_CTX_check_private_key(const SSL_CTX *ctx)
-{
-        if ((ctx == NULL) || (ctx->cert == NULL) ||
-            (ctx->cert->key->x509 == NULL)) {
-                SSLerr(SSL_F_SSL_CTX_CHECK_PRIVATE_KEY,
-                    SSL_R_NO_CERTIFICATE_ASSIGNED);
-                return (0);
-        }
-        if (ctx->cert->key->privatekey == NULL) {
-                SSLerr(SSL_F_SSL_CTX_CHECK_PRIVATE_KEY,
-                    SSL_R_NO_PRIVATE_KEY_ASSIGNED);
-                return (0);
-        }
-        return (X509_check_private_key(ctx->cert->key->x509,
-            ctx->cert->key->privatekey));
-}
-/* Fix this function so that it takes an optional type parameter */
-int
-SSL_check_private_key(const SSL *ssl)
-{
-        if (ssl == NULL) {
-                SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY,
-                    ERR_R_PASSED_NULL_PARAMETER);
-                return (0);
-        }
-        if (ssl->cert == NULL) {
-                SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY,
-                    SSL_R_NO_CERTIFICATE_ASSIGNED);
-                return (0);
-        }
-        if (ssl->cert->key->x509 == NULL) {
-                SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY,
-                    SSL_R_NO_CERTIFICATE_ASSIGNED);
-                return (0);
-        }
-        if (ssl->cert->key->privatekey == NULL) {
-                SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY,
-                    SSL_R_NO_PRIVATE_KEY_ASSIGNED);
-                return (0);
-        }
-        return (X509_check_private_key(ssl->cert->key->x509,
-            ssl->cert->key->privatekey));
-}
-int
-SSL_accept(SSL *s)
-{
-        if (s->handshake_func == NULL)
-                SSL_set_accept_state(s); /* Not properly initialized yet */
-        return (s->method->ssl_accept(s));
-}
-int
-SSL_connect(SSL *s)
-{
-        if (s->handshake_func == NULL)
-                SSL_set_connect_state(s); /* Not properly initialized yet */
-        return (s->method->ssl_connect(s));
-}
-long
-SSL_get_default_timeout(const SSL *s)
-{
-        return (s->method->get_timeout());
-}
-int
-SSL_read(SSL *s, void *buf, int num)
-{
-        if (s->handshake_func == NULL) {
-                SSLerr(SSL_F_SSL_READ, SSL_R_UNINITIALIZED);
-                return (-1);
-        }
-        if (s->shutdown & SSL_RECEIVED_SHUTDOWN) {
-                s->rwstate = SSL_NOTHING;
-                return (0);
-        }
-        return (s->method->ssl_read(s, buf, num));
-}
-int
-SSL_peek(SSL *s, void *buf, int num)
-{
-        if (s->handshake_func == NULL) {
-                SSLerr(SSL_F_SSL_PEEK, SSL_R_UNINITIALIZED);
-                return (-1);
-        }
-        if (s->shutdown & SSL_RECEIVED_SHUTDOWN) {
-                return (0);
-        }
-        return (s->method->ssl_peek(s, buf, num));
-}
-int
-SSL_write(SSL *s, const void *buf, int num)
-{
-        if (s->handshake_func == NULL) {
-                SSLerr(SSL_F_SSL_WRITE, SSL_R_UNINITIALIZED);
-                return (-1);
-        }
-        if (s->shutdown & SSL_SENT_SHUTDOWN) {
-                s->rwstate = SSL_NOTHING;
-                SSLerr(SSL_F_SSL_WRITE, SSL_R_PROTOCOL_IS_SHUTDOWN);
-                return (-1);
-        }
-        return (s->method->ssl_write(s, buf, num));
-}
-int
-SSL_shutdown(SSL *s)
-{
-        /*
-         * Note that this function behaves differently from what one might
-         * expect.  Return values are 0 for no success (yet),
-         * 1 for success; but calling it once is usually not enough,
-         * even if blocking I/O is used (see ssl3_shutdown).
-         */
-        if (s->handshake_func == NULL) {
-                SSLerr(SSL_F_SSL_SHUTDOWN, SSL_R_UNINITIALIZED);
-                return (-1);
-        }
-        if ((s != NULL) && !SSL_in_init(s))
-                return (s->method->ssl_shutdown(s));
-        else
-                return (1);
-}
-int
-SSL_renegotiate(SSL *s)
-{
-        if (s->renegotiate == 0)
-                s->renegotiate = 1;
-        s->new_session = 1;
-        return (s->method->ssl_renegotiate(s));
-}
-int
-SSL_renegotiate_abbreviated(SSL *s)
-{
-        if (s->renegotiate == 0)
-                s->renegotiate = 1;
-        s->new_session = 0;
-        return (s->method->ssl_renegotiate(s));
-}
-int
-SSL_renegotiate_pending(SSL *s)
-{
-        /*
-         * Becomes true when negotiation is requested;
-         * false again once a handshake has finished.
-         */
-        return (s->renegotiate != 0);
-}
-long
-SSL_ctrl(SSL *s, int cmd, long larg, void *parg)
-{
-        long    l;
-        switch (cmd) {
-        case SSL_CTRL_GET_READ_AHEAD:
-                return (s->read_ahead);
-        case SSL_CTRL_SET_READ_AHEAD:
-                l = s->read_ahead;
-                s->read_ahead = larg;
-                return (l);
-        case SSL_CTRL_SET_MSG_CALLBACK_ARG:
-                s->msg_callback_arg = parg;
-                return (1);
-        case SSL_CTRL_OPTIONS:
-                return (s->options|=larg);
-        case SSL_CTRL_CLEAR_OPTIONS:
-                return (s->options&=~larg);
-        case SSL_CTRL_MODE:
-                return (s->mode|=larg);
-        case SSL_CTRL_CLEAR_MODE:
-                return (s->mode &=~larg);
-        case SSL_CTRL_GET_MAX_CERT_LIST:
-                return (s->max_cert_list);
-        case SSL_CTRL_SET_MAX_CERT_LIST:
-                l = s->max_cert_list;
-                s->max_cert_list = larg;
-                return (l);
-        case SSL_CTRL_SET_MTU:
-#ifndef OPENSSL_NO_DTLS1
-                if (larg < (long)dtls1_min_mtu())
-                        return (0);
-#endif
-                if (SSL_IS_DTLS(s)) {
-                        s->d1->mtu = larg;
-                        return (larg);
-                }
-                return (0);
-        case SSL_CTRL_SET_MAX_SEND_FRAGMENT:
-                if (larg < 512 || larg > SSL3_RT_MAX_PLAIN_LENGTH)
-                        return (0);
-                s->max_send_fragment = larg;
-                return (1);
-        case SSL_CTRL_GET_RI_SUPPORT:
-                if (s->s3)
-                        return (s->s3->send_connection_binding);
-                else return (0);
-        default:
-                return (s->method->ssl_ctrl(s, cmd, larg, parg));
-        }
-}
-long
-SSL_callback_ctrl(SSL *s, int cmd, void (*fp)(void))
-{
-        switch (cmd) {
-        case SSL_CTRL_SET_MSG_CALLBACK:
-                s->msg_callback = (void (*)(int write_p, int version,
-                    int content_type, const void *buf, size_t len,
-                    SSL *ssl, void *arg))(fp);
-                return (1);
-        default:
-                return (s->method->ssl_callback_ctrl(s, cmd, fp));
-        }
-}
-LHASH_OF(SSL_SESSION) *
-SSL_CTX_sessions(SSL_CTX *ctx)
-{
-        return (ctx->sessions);
-}
-long
-SSL_CTX_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
-{
-        long    l;
-        switch (cmd) {
-        case SSL_CTRL_GET_READ_AHEAD:
-                return (ctx->read_ahead);
-        case SSL_CTRL_SET_READ_AHEAD:
-                l = ctx->read_ahead;
-                ctx->read_ahead = larg;
-                return (l);
-        case SSL_CTRL_SET_MSG_CALLBACK_ARG:
-                ctx->msg_callback_arg = parg;
-                return (1);
-        case SSL_CTRL_GET_MAX_CERT_LIST:
-                return (ctx->max_cert_list);
-        case SSL_CTRL_SET_MAX_CERT_LIST:
-                l = ctx->max_cert_list;
-                ctx->max_cert_list = larg;
-                return (l);
-        case SSL_CTRL_SET_SESS_CACHE_SIZE:
-                l = ctx->session_cache_size;
-                ctx->session_cache_size = larg;
-                return (l);
-        case SSL_CTRL_GET_SESS_CACHE_SIZE:
-                return (ctx->session_cache_size);
-        case SSL_CTRL_SET_SESS_CACHE_MODE:
-                l = ctx->session_cache_mode;
-                ctx->session_cache_mode = larg;
-                return (l);
-        case SSL_CTRL_GET_SESS_CACHE_MODE:
-                return (ctx->session_cache_mode);
-        case SSL_CTRL_SESS_NUMBER:
-                return (lh_SSL_SESSION_num_items(ctx->sessions));
-        case SSL_CTRL_SESS_CONNECT:
-                return (ctx->stats.sess_connect);
-        case SSL_CTRL_SESS_CONNECT_GOOD:
-                return (ctx->stats.sess_connect_good);
-        case SSL_CTRL_SESS_CONNECT_RENEGOTIATE:
-                return (ctx->stats.sess_connect_renegotiate);
-        case SSL_CTRL_SESS_ACCEPT:
-                return (ctx->stats.sess_accept);
-        case SSL_CTRL_SESS_ACCEPT_GOOD:
-                return (ctx->stats.sess_accept_good);
-        case SSL_CTRL_SESS_ACCEPT_RENEGOTIATE:
-                return (ctx->stats.sess_accept_renegotiate);
-        case SSL_CTRL_SESS_HIT:
-                return (ctx->stats.sess_hit);
-        case SSL_CTRL_SESS_CB_HIT:
-                return (ctx->stats.sess_cb_hit);
-        case SSL_CTRL_SESS_MISSES:
-                return (ctx->stats.sess_miss);
-        case SSL_CTRL_SESS_TIMEOUTS:
-                return (ctx->stats.sess_timeout);
-        case SSL_CTRL_SESS_CACHE_FULL:
-                return (ctx->stats.sess_cache_full);
-        case SSL_CTRL_OPTIONS:
-                return (ctx->options|=larg);
-        case SSL_CTRL_CLEAR_OPTIONS:
-                return (ctx->options&=~larg);
-        case SSL_CTRL_MODE:
-                return (ctx->mode|=larg);
-        case SSL_CTRL_CLEAR_MODE:
-                return (ctx->mode&=~larg);
-        case SSL_CTRL_SET_MAX_SEND_FRAGMENT:
-                if (larg < 512 || larg > SSL3_RT_MAX_PLAIN_LENGTH)
-                        return (0);
-                ctx->max_send_fragment = larg;
-                return (1);
-        default:
-                return (ctx->method->ssl_ctx_ctrl(ctx, cmd, larg, parg));
-        }
-}
-long
-SSL_CTX_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void))
-{
-        switch (cmd) {
-        case SSL_CTRL_SET_MSG_CALLBACK:
-                ctx->msg_callback = (void (*)(int write_p, int version,
-                    int content_type, const void *buf, size_t len, SSL *ssl,
-                    void *arg))(fp);
-                return (1);
-        default:
-                return (ctx->method->ssl_ctx_callback_ctrl(ctx, cmd, fp));
-        }
-}
-int
-ssl_cipher_id_cmp(const SSL_CIPHER *a, const SSL_CIPHER *b)
-{
-        long    l;
-        l = a->id - b->id;
-        if (l == 0L)
-                return (0);
-        else
-                return ((l > 0) ? 1:-1);
-}
-int
-ssl_cipher_ptr_id_cmp(const SSL_CIPHER * const *ap,
-    const SSL_CIPHER * const *bp)
-{
-        long    l;
-        l = (*ap)->id - (*bp)->id;
-        if (l == 0L)
-                return (0);
-        else
-                return ((l > 0) ? 1:-1);
-}
-/*
- * Return a STACK of the ciphers available for the SSL and in order of
- * preference.
- */
-STACK_OF(SSL_CIPHER) *
-SSL_get_ciphers(const SSL *s)
-{
-        if (s != NULL) {
-                if (s->cipher_list != NULL) {
-                        return (s->cipher_list);
-                } else if ((s->ctx != NULL) && (s->ctx->cipher_list != NULL)) {
-                        return (s->ctx->cipher_list);
-                }
-        }
-        return (NULL);
-}
-/*
- * Return a STACK of the ciphers available for the SSL and in order of
- * algorithm id.
- */
-STACK_OF(SSL_CIPHER) *
-ssl_get_ciphers_by_id(SSL *s)
-{
-        if (s != NULL) {
-                if (s->cipher_list_by_id != NULL) {
-                        return (s->cipher_list_by_id);
-                } else if ((s->ctx != NULL) &&
-                    (s->ctx->cipher_list_by_id != NULL)) {
-                        return (s->ctx->cipher_list_by_id);
-                }
-        }
-        return (NULL);
-}
-/* The old interface to get the same thing as SSL_get_ciphers(). */
-const char *
-SSL_get_cipher_list(const SSL *s, int n)
-{
-        SSL_CIPHER              *c;
-        STACK_OF(SSL_CIPHER)    *sk;
-        if (s == NULL)
-                return (NULL);
-        sk = SSL_get_ciphers(s);
-        if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= n))
-                return (NULL);
-        c = sk_SSL_CIPHER_value(sk, n);
-        if (c == NULL)
-                return (NULL);
-        return (c->name);
-}
-/* Specify the ciphers to be used by default by the SSL_CTX. */
-int
-SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str)
-{
-        STACK_OF(SSL_CIPHER)    *sk;
-        sk = ssl_create_cipher_list(ctx->method, &ctx->cipher_list,
-            &ctx->cipher_list_by_id, str);
-        /*
-         * ssl_create_cipher_list may return an empty stack if it
-         * was unable to find a cipher matching the given rule string
-         * (for example if the rule string specifies a cipher which
-         * has been disabled). This is not an error as far as
-         * ssl_create_cipher_list is concerned, and hence
-         * ctx->cipher_list and ctx->cipher_list_by_id has been
-         * updated.
-         */
-        if (sk == NULL)
-                return (0);
-        else if (sk_SSL_CIPHER_num(sk) == 0) {
-                SSLerr(SSL_F_SSL_CTX_SET_CIPHER_LIST, SSL_R_NO_CIPHER_MATCH);
-                return (0);
-        }
-        return (1);
-}
-/* Specify the ciphers to be used by the SSL. */
-int
-SSL_set_cipher_list(SSL *s, const char *str)
-{
-        STACK_OF(SSL_CIPHER)    *sk;
-        sk = ssl_create_cipher_list(s->ctx->method, &s->cipher_list,
-        &s->cipher_list_by_id, str);
-        /* see comment in SSL_CTX_set_cipher_list */
-        if (sk == NULL)
-                return (0);
-        else if (sk_SSL_CIPHER_num(sk) == 0) {
-                SSLerr(SSL_F_SSL_SET_CIPHER_LIST, SSL_R_NO_CIPHER_MATCH);
-                return (0);
-        }
-        return (1);
-}
-/* works well for SSLv2, not so good for SSLv3 */
-char *
-SSL_get_shared_ciphers(const SSL *s, char *buf, int len)
-{
-        char                    *end;
-        STACK_OF(SSL_CIPHER)    *sk;
-        SSL_CIPHER              *c;
-        size_t                   curlen = 0;
-        int                      i;
-        if (s->session == NULL || s->session->ciphers == NULL || len < 2)
-                return (NULL);
-        sk = s->session->ciphers;
-        if (sk_SSL_CIPHER_num(sk) == 0)
-                return (NULL);
-        buf[0] = '\0';
-        for (i = 0; i < sk_SSL_CIPHER_num(sk); i++) {
-                c = sk_SSL_CIPHER_value(sk, i);
-                end = buf + curlen;
-                if (strlcat(buf, c->name, len) >= len ||
-                    (curlen = strlcat(buf, ":", len)) >= len) {
-                        /* remove truncated cipher from list */
-                        *end = '\0';
-                        break;
-                }
-        }
-        /* remove trailing colon */
-        if ((end = strrchr(buf, ':')) != NULL)
-                *end = '\0';
-        return (buf);
-}
-int
-ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *sk, unsigned char *p)
-{
-        int              i;
-        SSL_CIPHER      *c;
-        unsigned char   *q;
-        if (sk == NULL)
-                return (0);
-        q = p;
-        for (i = 0; i < sk_SSL_CIPHER_num(sk); i++) {
-                c = sk_SSL_CIPHER_value(sk, i);
-                /* Skip TLS v1.2 only ciphersuites if lower than v1.2 */
-                if ((c->algorithm_ssl & SSL_TLSV1_2) &&
-                    (TLS1_get_client_version(s) < TLS1_2_VERSION))
-                        continue;
-                s2n(ssl3_cipher_get_value(c), p);
-        }
-        /*
-         * If p == q, no ciphers and caller indicates an error. Otherwise
-         * add SCSV if not renegotiating.
-         */
-        if (p != q && !s->renegotiate)
-                s2n(SSL3_CK_SCSV & SSL3_CK_VALUE_MASK, p);
-        return (p - q);
-}
-STACK_OF(SSL_CIPHER) *
-ssl_bytes_to_cipher_list(SSL *s, const unsigned char *p, int num)
-{
-        CBS                      cbs;
-        const SSL_CIPHER        *c;
-        STACK_OF(SSL_CIPHER)    *sk = NULL;
-        unsigned long            cipher_id;
-        uint16_t                 cipher_value, max_version;
-        if (s->s3)
-                s->s3->send_connection_binding = 0;
-        /*
-         * RFC 5246 section 7.4.1.2 defines the interval as [2,2^16-2].
-         */
-        if (num < 2 || num > 0x10000 - 2) {
-                SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,
-                    SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST);
-                return (NULL);
-        }
-        if ((sk = sk_SSL_CIPHER_new_null()) == NULL) {
-                SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST, ERR_R_MALLOC_FAILURE);
-                goto err;
-        }
-        CBS_init(&cbs, p, num);
-        while (CBS_len(&cbs) > 0) {
-                if (!CBS_get_u16(&cbs, &cipher_value)) {
-                        SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,
-                            SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST);
-                        goto err;
-                }
-                cipher_id = SSL3_CK_ID | cipher_value;
-                if (s->s3 != NULL && cipher_id == SSL3_CK_SCSV) {
-                        /*
-                         * TLS_EMPTY_RENEGOTIATION_INFO_SCSV is fatal if
-                         * renegotiating.
-                         */
-                        if (s->renegotiate) {
-                                SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,
-                                    SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING);
-                                ssl3_send_alert(s, SSL3_AL_FATAL,
-                                    SSL_AD_HANDSHAKE_FAILURE);
-                                goto err;
-                        }
-                        s->s3->send_connection_binding = 1;
-                        continue;
-                }
-                if (cipher_id == SSL3_CK_FALLBACK_SCSV) {
-                        /*
-                         * TLS_FALLBACK_SCSV indicates that the client
-                         * previously tried a higher protocol version.
-                         * Fail if the current version is an unexpected
-                         * downgrade.
-                         */
-                        max_version = ssl_max_server_version(s);
-                        if (max_version == 0 || s->version < max_version) {
-                                SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,
-                                    SSL_R_INAPPROPRIATE_FALLBACK);
-                                if (s->s3 != NULL)
-                                        ssl3_send_alert(s, SSL3_AL_FATAL,
-                                            SSL_AD_INAPPROPRIATE_FALLBACK);
-                                goto err;
-                        }
-                        continue;
-                }
-                if ((c = ssl3_get_cipher_by_value(cipher_value)) != NULL) {
-                        if (!sk_SSL_CIPHER_push(sk, c)) {
-                                SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,
-                                    ERR_R_MALLOC_FAILURE);
-                                goto err;
-                        }
-                }
-        }
-        return (sk);
-err:
-        sk_SSL_CIPHER_free(sk);
-        return (NULL);
-}
-/*
- * Return a servername extension value if provided in Client Hello, or NULL.
- * So far, only host_name types are defined (RFC 3546).
- */
-const char *
-SSL_get_servername(const SSL *s, const int type)
-{
-        if (type != TLSEXT_NAMETYPE_host_name)
-                return (NULL);
-        return (s->session && !s->tlsext_hostname ?
-            s->session->tlsext_hostname :
-            s->tlsext_hostname);
-}
-int
-SSL_get_servername_type(const SSL *s)
-{
-        if (s->session &&
-            (!s->tlsext_hostname ?
-            s->session->tlsext_hostname : s->tlsext_hostname))
-                return (TLSEXT_NAMETYPE_host_name);
-        return (-1);
-}
-/*
- * SSL_select_next_proto implements the standard protocol selection. It is
- * expected that this function is called from the callback set by
- * SSL_CTX_set_next_proto_select_cb.
- *
- * The protocol data is assumed to be a vector of 8-bit, length prefixed byte
- * strings. The length byte itself is not included in the length. A byte
- * string of length 0 is invalid. No byte string may be truncated.
- *
- * The current, but experimental algorithm for selecting the protocol is:
- *
- * 1) If the server doesn't support NPN then this is indicated to the
- * callback. In this case, the client application has to abort the connection
- * or have a default application level protocol.
- *
- * 2) If the server supports NPN, but advertises an empty list then the
- * client selects the first protcol in its list, but indicates via the
- * API that this fallback case was enacted.
- *
- * 3) Otherwise, the client finds the first protocol in the server's list
- * that it supports and selects this protocol. This is because it's
- * assumed that the server has better information about which protocol
- * a client should use.
- *
- * 4) If the client doesn't support any of the server's advertised
- * protocols, then this is treated the same as case 2.
- *
- * It returns either
- * OPENSSL_NPN_NEGOTIATED if a common protocol was found, or
- * OPENSSL_NPN_NO_OVERLAP if the fallback case was reached.
- */
-int
-SSL_select_next_proto(unsigned char **out, unsigned char *outlen,
-    const unsigned char *server, unsigned int server_len,
-    const unsigned char *client, unsigned int client_len)
-{
-        unsigned int             i, j;
-        const unsigned char     *result;
-        int                      status = OPENSSL_NPN_UNSUPPORTED;
-        /*
-         * For each protocol in server preference order,
-         * see if we support it.
-         */
-        for (i = 0; i < server_len; ) {
-                for (j = 0; j < client_len; ) {
-                        if (server[i] == client[j] &&
-                            memcmp(&server[i + 1],
-                            &client[j + 1], server[i]) == 0) {
-                                /* We found a match */
-                                result = &server[i];
-                                status = OPENSSL_NPN_NEGOTIATED;
-                                goto found;
-                        }
-                        j += client[j];
-                        j++;
-                }
-                i += server[i];
-                i++;
-        }
-        /* There's no overlap between our protocols and the server's list. */
-        result = client;
-        status = OPENSSL_NPN_NO_OVERLAP;
-found:
-        *out = (unsigned char *) result + 1;
-        *outlen = result[0];
-        return (status);
-}
-/*
- * SSL_get0_next_proto_negotiated sets *data and *len to point to the client's
- * requested protocol for this connection and returns 0. If the client didn't
- * request any protocol, then *data is set to NULL.
- *
- * Note that the client can request any protocol it chooses. The value returned
- * from this function need not be a member of the list of supported protocols
- * provided by the callback.
- */
-void
-SSL_get0_next_proto_negotiated(const SSL *s, const unsigned char **data,
-    unsigned *len)
-{
-        *data = s->next_proto_negotiated;
-        if (!*data) {
-                *len = 0;
-        } else {
-                *len = s->next_proto_negotiated_len;
-        }
-}
-/*
- * SSL_CTX_set_next_protos_advertised_cb sets a callback that is called when a
- * TLS server needs a list of supported protocols for Next Protocol
- * Negotiation. The returned list must be in wire format.  The list is returned
- * by setting |out| to point to it and |outlen| to its length. This memory will
- * not be modified, but one should assume that the SSL* keeps a reference to
- * it.
- *
- * The callback should return SSL_TLSEXT_ERR_OK if it wishes to advertise.
- * Otherwise, no such extension will be included in the ServerHello.
- */
-void
-SSL_CTX_set_next_protos_advertised_cb(SSL_CTX *ctx, int (*cb) (SSL *ssl,
-    const unsigned char **out, unsigned int *outlen, void *arg), void *arg)
-{
-        ctx->next_protos_advertised_cb = cb;
-        ctx->next_protos_advertised_cb_arg = arg;
-}
-/*
- * SSL_CTX_set_next_proto_select_cb sets a callback that is called when a
- * client needs to select a protocol from the server's provided list. |out|
- * must be set to point to the selected protocol (which may be within |in|).
- * The length of the protocol name must be written into |outlen|. The server's
- * advertised protocols are provided in |in| and |inlen|. The callback can
- * assume that |in| is syntactically valid.
- *
- * The client must select a protocol. It is fatal to the connection if this
- * callback returns a value other than SSL_TLSEXT_ERR_OK.
- */
-void
-SSL_CTX_set_next_proto_select_cb(SSL_CTX *ctx, int (*cb) (SSL *s,
-    unsigned char **out, unsigned char *outlen, const unsigned char *in,
-    unsigned int inlen, void *arg), void *arg)
-{
-        ctx->next_proto_select_cb = cb;
-        ctx->next_proto_select_cb_arg = arg;
-}
-/*
- * SSL_CTX_set_alpn_protos sets the ALPN protocol list to the specified
- * protocols, which must be in wire-format (i.e. a series of non-empty,
- * 8-bit length-prefixed strings). Returns 0 on success.
- */
-int
-SSL_CTX_set_alpn_protos(SSL_CTX *ctx, const unsigned char *protos,
-    unsigned int protos_len)
-{
-        free(ctx->alpn_client_proto_list);
-        if ((ctx->alpn_client_proto_list = malloc(protos_len)) == NULL)
-                return (1);
-        memcpy(ctx->alpn_client_proto_list, protos, protos_len);
-        ctx->alpn_client_proto_list_len = protos_len;
-        return (0);
-}
-/*
- * SSL_set_alpn_protos sets the ALPN protocol list to the specified
- * protocols, which must be in wire-format (i.e. a series of non-empty,
- * 8-bit length-prefixed strings). Returns 0 on success.
- */
-int
-SSL_set_alpn_protos(SSL *ssl, const unsigned char* protos,
-    unsigned int protos_len)
-{
-        free(ssl->alpn_client_proto_list);
-        if ((ssl->alpn_client_proto_list = malloc(protos_len)) == NULL)
-                return (1);
-        memcpy(ssl->alpn_client_proto_list, protos, protos_len);
-        ssl->alpn_client_proto_list_len = protos_len;
-        return (0);
-}
-/*
- * SSL_CTX_set_alpn_select_cb sets a callback function that is called during
- * ClientHello processing in order to select an ALPN protocol from the
- * client's list of offered protocols.
- */
-void
-SSL_CTX_set_alpn_select_cb(SSL_CTX* ctx,
-    int (*cb) (SSL *ssl, const unsigned char **out, unsigned char *outlen,
-    const unsigned char *in, unsigned int inlen, void *arg), void *arg)
-{
-        ctx->alpn_select_cb = cb;
-        ctx->alpn_select_cb_arg = arg;
-}
-/*
- * SSL_get0_alpn_selected gets the selected ALPN protocol (if any). On return
- * it sets data to point to len bytes of protocol name (not including the
- * leading length-prefix byte). If the server didn't respond with* a negotiated
- * protocol then len will be zero.
- */
-void
-SSL_get0_alpn_selected(const SSL *ssl, const unsigned char **data,
-    unsigned *len)
-{
-        *data = NULL;
-        *len = 0;
-        if (ssl->s3 != NULL) {
-                *data = ssl->s3->alpn_selected;
-                *len = ssl->s3->alpn_selected_len;
-        }
-}
-int
-SSL_export_keying_material(SSL *s, unsigned char *out, size_t olen,
-    const char *label, size_t llen, const unsigned char *p, size_t plen,
-    int use_context)
-{
-        return (s->method->ssl3_enc->export_keying_material(s, out, olen,
-            label, llen, p, plen, use_context));
-}
-static unsigned long
-ssl_session_hash(const SSL_SESSION *a)
-{
-        unsigned long   l;
-        l = (unsigned long)
-            ((unsigned int) a->session_id[0]     )|
-            ((unsigned int) a->session_id[1]<< 8L)|
-            ((unsigned long)a->session_id[2]<<16L)|
-            ((unsigned long)a->session_id[3]<<24L);
-        return (l);
-}
-/*
- * NB: If this function (or indeed the hash function which uses a sort of
- * coarser function than this one) is changed, ensure
- * SSL_CTX_has_matching_session_id() is checked accordingly. It relies on being
- * able to construct an SSL_SESSION that will collide with any existing session
- * with a matching session ID.
- */
-static int
-ssl_session_cmp(const SSL_SESSION *a, const SSL_SESSION *b)
-{
-        if (a->ssl_version != b->ssl_version)
-                return (1);
-        if (a->session_id_length != b->session_id_length)
-                return (1);
-        if (timingsafe_memcmp(a->session_id, b->session_id, a->session_id_length) != 0)
-                return (1);
-        return (0);
-}
-/*
- * These wrapper functions should remain rather than redeclaring
- * SSL_SESSION_hash and SSL_SESSION_cmp for void* types and casting each
- * variable. The reason is that the functions aren't static, they're exposed via
- * ssl.h.
- */
-static
-IMPLEMENT_LHASH_HASH_FN(ssl_session, SSL_SESSION)
-static
-IMPLEMENT_LHASH_COMP_FN(ssl_session, SSL_SESSION)
-SSL_CTX *
-SSL_CTX_new(const SSL_METHOD *meth)
-{
-        SSL_CTX *ret = NULL;
-        if (meth == NULL) {
-                SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_NULL_SSL_METHOD_PASSED);
-                return (NULL);
-        }
-        if (SSL_get_ex_data_X509_STORE_CTX_idx() < 0) {
-                SSLerr(SSL_F_SSL_CTX_NEW,
-                    SSL_R_X509_VERIFICATION_SETUP_PROBLEMS);
-                goto err;
-        }
-        ret = calloc(1, sizeof(SSL_CTX));
-        if (ret == NULL)
-                goto err;
-        ret->method = meth;
-        ret->cert_store = NULL;
-        ret->session_cache_mode = SSL_SESS_CACHE_SERVER;
-        ret->session_cache_size = SSL_SESSION_CACHE_MAX_SIZE_DEFAULT;
-        ret->session_cache_head = NULL;
-        ret->session_cache_tail = NULL;
-        /* We take the system default */
-        ret->session_timeout = meth->get_timeout();
-        ret->new_session_cb = 0;
-        ret->remove_session_cb = 0;
-        ret->get_session_cb = 0;
-        ret->generate_session_id = 0;
-        memset((char *)&ret->stats, 0, sizeof(ret->stats));
-        ret->references = 1;
-        ret->quiet_shutdown = 0;
-        ret->info_callback = NULL;
-        ret->app_verify_callback = 0;
-        ret->app_verify_arg = NULL;
-        ret->max_cert_list = SSL_MAX_CERT_LIST_DEFAULT;
-        ret->read_ahead = 0;
-        ret->msg_callback = 0;
-        ret->msg_callback_arg = NULL;
-        ret->verify_mode = SSL_VERIFY_NONE;
-        ret->sid_ctx_length = 0;
-        ret->default_verify_callback = NULL;
-        if ((ret->cert = ssl_cert_new()) == NULL)
-                goto err;
-        ret->default_passwd_callback = 0;
-        ret->default_passwd_callback_userdata = NULL;
-        ret->client_cert_cb = 0;
-        ret->app_gen_cookie_cb = 0;
-        ret->app_verify_cookie_cb = 0;
-        ret->sessions = lh_SSL_SESSION_new();
-        if (ret->sessions == NULL)
-                goto err;
-        ret->cert_store = X509_STORE_new();
-        if (ret->cert_store == NULL)
-                goto err;
-        ssl_create_cipher_list(ret->method, &ret->cipher_list,
-            &ret->cipher_list_by_id, SSL_DEFAULT_CIPHER_LIST);
-        if (ret->cipher_list == NULL ||
-            sk_SSL_CIPHER_num(ret->cipher_list) <= 0) {
-                SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_LIBRARY_HAS_NO_CIPHERS);
-                goto err2;
-        }
-        ret->param = X509_VERIFY_PARAM_new();
-        if (!ret->param)
-                goto err;
-        if ((ret->md5 = EVP_get_digestbyname("ssl3-md5")) == NULL) {
-                SSLerr(SSL_F_SSL_CTX_NEW,
-                    SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES);
-                goto err2;
-        }
-        if ((ret->sha1 = EVP_get_digestbyname("ssl3-sha1")) == NULL) {
-                SSLerr(SSL_F_SSL_CTX_NEW,
-                    SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES);
-                goto err2;
-        }
-        if ((ret->client_CA = sk_X509_NAME_new_null()) == NULL)
-                goto err;
-        CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_CTX, ret, &ret->ex_data);
-        ret->extra_certs = NULL;
-        ret->max_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH;
-        ret->tlsext_servername_callback = 0;
-        ret->tlsext_servername_arg = NULL;
-        /* Setup RFC4507 ticket keys */
-        arc4random_buf(ret->tlsext_tick_key_name, 16);
-        arc4random_buf(ret->tlsext_tick_hmac_key, 16);
-        arc4random_buf(ret->tlsext_tick_aes_key, 16);
-        ret->tlsext_status_cb = 0;
-        ret->tlsext_status_arg = NULL;
-        ret->next_protos_advertised_cb = 0;
-        ret->next_proto_select_cb = 0;
-#ifndef OPENSSL_NO_ENGINE
-        ret->client_cert_engine = NULL;
-#ifdef OPENSSL_SSL_CLIENT_ENGINE_AUTO
-#define eng_strx(x)     #x
-#define eng_str(x)      eng_strx(x)
-        /* Use specific client engine automatically... ignore errors */
-        {
-                ENGINE *eng;
-                eng = ENGINE_by_id(eng_str(OPENSSL_SSL_CLIENT_ENGINE_AUTO));
-                if (!eng) {
-                        ERR_clear_error();
-                        ENGINE_load_builtin_engines();
-                        eng = ENGINE_by_id(eng_str(
-                            OPENSSL_SSL_CLIENT_ENGINE_AUTO));
-                }
-                if (!eng || !SSL_CTX_set_client_cert_engine(ret, eng))
-                        ERR_clear_error();
-        }
-#endif
-#endif
-        /*
-         * Default is to connect to non-RI servers. When RI is more widely
-         * deployed might change this.
-         */
-        ret->options |= SSL_OP_LEGACY_SERVER_CONNECT;
-        return (ret);
-err:
-        SSLerr(SSL_F_SSL_CTX_NEW, ERR_R_MALLOC_FAILURE);
-err2:
-        SSL_CTX_free(ret);
-        return (NULL);
-}
-void
-SSL_CTX_free(SSL_CTX *a)
-{
-        int     i;
-        if (a == NULL)
-                return;
-        i = CRYPTO_add(&a->references, -1, CRYPTO_LOCK_SSL_CTX);
-        if (i > 0)
-                return;
-        if (a->param)
-                X509_VERIFY_PARAM_free(a->param);
-        /*
-         * Free internal session cache. However: the remove_cb() may reference
-         * the ex_data of SSL_CTX, thus the ex_data store can only be removed
-         * after the sessions were flushed.
-         * As the ex_data handling routines might also touch the session cache,
-         * the most secure solution seems to be: empty (flush) the cache, then
-         * free ex_data, then finally free the cache.
-         * (See ticket [openssl.org #212].)
-         */
-        if (a->sessions != NULL)
-                SSL_CTX_flush_sessions(a, 0);
-        CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL_CTX, a, &a->ex_data);
-        if (a->sessions != NULL)
-                lh_SSL_SESSION_free(a->sessions);
-        if (a->cert_store != NULL)
-                X509_STORE_free(a->cert_store);
-        if (a->cipher_list != NULL)
-                sk_SSL_CIPHER_free(a->cipher_list);
-        if (a->cipher_list_by_id != NULL)
-                sk_SSL_CIPHER_free(a->cipher_list_by_id);
-        if (a->cert != NULL)
-                ssl_cert_free(a->cert);
-        if (a->client_CA != NULL)
-                sk_X509_NAME_pop_free(a->client_CA, X509_NAME_free);
-        if (a->extra_certs != NULL)
-                sk_X509_pop_free(a->extra_certs, X509_free);
-#ifndef OPENSSL_NO_SRTP
-        if (a->srtp_profiles)
-                sk_SRTP_PROTECTION_PROFILE_free(a->srtp_profiles);
-#endif
-#ifndef OPENSSL_NO_ENGINE
-        if (a->client_cert_engine)
-                ENGINE_finish(a->client_cert_engine);
-#endif
-        free(a->alpn_client_proto_list);
-        free(a);
-}
-void
-SSL_CTX_set_default_passwd_cb(SSL_CTX *ctx, pem_password_cb *cb)
-{
-        ctx->default_passwd_callback = cb;
-}
-void
-SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX *ctx, void *u)
-{
-        ctx->default_passwd_callback_userdata = u;
-}
-void
-SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx, int (*cb)(X509_STORE_CTX *,
-    void *), void *arg)
-{
-        ctx->app_verify_callback = cb;
-        ctx->app_verify_arg = arg;
-}
-void
-SSL_CTX_set_verify(SSL_CTX *ctx, int mode, int (*cb)(int, X509_STORE_CTX *))
-{
-        ctx->verify_mode = mode;
-        ctx->default_verify_callback = cb;
-}
-void
-SSL_CTX_set_verify_depth(SSL_CTX *ctx, int depth)
-{
-        X509_VERIFY_PARAM_set_depth(ctx->param, depth);
-}
-void
-ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
-{
-        CERT_PKEY       *cpk;
-        int              rsa_enc, rsa_sign, dh_tmp, dsa_sign;
-        unsigned long    mask_k, mask_a;
-        int              have_ecc_cert, ecdh_ok, ecdsa_ok;
-        int              have_ecdh_tmp;
-        X509            *x = NULL;
-        EVP_PKEY        *ecc_pkey = NULL;
-        int              signature_nid = 0, pk_nid = 0, md_nid = 0;
-        if (c == NULL)
-                return;
-        dh_tmp = (c->dh_tmp != NULL || c->dh_tmp_cb != NULL ||
-            c->dh_tmp_auto != 0);
-        have_ecdh_tmp = (c->ecdh_tmp != NULL || c->ecdh_tmp_cb != NULL ||
-            c->ecdh_tmp_auto != 0);
-        cpk = &(c->pkeys[SSL_PKEY_RSA_ENC]);
-        rsa_enc = (cpk->x509 != NULL && cpk->privatekey != NULL);
-        cpk = &(c->pkeys[SSL_PKEY_RSA_SIGN]);
-        rsa_sign = (cpk->x509 != NULL && cpk->privatekey != NULL);
-        cpk = &(c->pkeys[SSL_PKEY_DSA_SIGN]);
-        dsa_sign = (cpk->x509 != NULL && cpk->privatekey != NULL);
-/* FIX THIS EAY EAY EAY */
-        cpk = &(c->pkeys[SSL_PKEY_ECC]);
-        have_ecc_cert = (cpk->x509 != NULL && cpk->privatekey != NULL);
-        mask_k = 0;
-        mask_a = 0;
-        cpk = &(c->pkeys[SSL_PKEY_GOST01]);
-        if (cpk->x509 != NULL && cpk->privatekey !=NULL) {
-                mask_k |= SSL_kGOST;
-                mask_a |= SSL_aGOST01;
-        }
-        if (rsa_enc)
-                mask_k|=SSL_kRSA;
-        if (dh_tmp)
-                mask_k|=SSL_kDHE;
-        if (rsa_enc || rsa_sign)
-                mask_a|=SSL_aRSA;
-        if (dsa_sign)
-                mask_a|=SSL_aDSS;
-        mask_a|=SSL_aNULL;
-        /*
-         * An ECC certificate may be usable for ECDH and/or
-         * ECDSA cipher suites depending on the key usage extension.
-         */
-        if (have_ecc_cert) {
-                /* This call populates extension flags (ex_flags) */
-                x = (c->pkeys[SSL_PKEY_ECC]).x509;
-                X509_check_purpose(x, -1, 0);
-                ecdh_ok = (x->ex_flags & EXFLAG_KUSAGE) ?
-                (x->ex_kusage & X509v3_KU_KEY_AGREEMENT) : 1;
-                ecdsa_ok = (x->ex_flags & EXFLAG_KUSAGE) ?
-                (x->ex_kusage & X509v3_KU_DIGITAL_SIGNATURE) : 1;
-                ecc_pkey = X509_get_pubkey(x);
-                EVP_PKEY_free(ecc_pkey);
-                if ((x->sig_alg) && (x->sig_alg->algorithm)) {
-                        signature_nid = OBJ_obj2nid(x->sig_alg->algorithm);
-                        OBJ_find_sigid_algs(signature_nid, &md_nid, &pk_nid);
-                }
-                if (ecdh_ok) {
-                        if (pk_nid == NID_rsaEncryption || pk_nid == NID_rsa) {
-                                mask_k|=SSL_kECDHr;
-                                mask_a|=SSL_aECDH;
-                        }
-                        if (pk_nid == NID_X9_62_id_ecPublicKey) {
-                                mask_k|=SSL_kECDHe;
-                                mask_a|=SSL_aECDH;
-                        }
-                }
-                if (ecdsa_ok)
-                        mask_a|=SSL_aECDSA;
-        }
-        if (have_ecdh_tmp) {
-                mask_k|=SSL_kECDHE;
-        }
-        c->mask_k = mask_k;
-        c->mask_a = mask_a;
-        c->valid = 1;
-}
-/* This handy macro borrowed from crypto/x509v3/v3_purp.c */
-#define ku_reject(x, usage) \
-        (((x)->ex_flags & EXFLAG_KUSAGE) && !((x)->ex_kusage & (usage)))
-int
-ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s)
-{
-        unsigned long            alg_k, alg_a;
-        int                      signature_nid = 0, md_nid = 0, pk_nid = 0;
-        const SSL_CIPHER        *cs = s->s3->tmp.new_cipher;
-        alg_k = cs->algorithm_mkey;
-        alg_a = cs->algorithm_auth;
-        /* This call populates the ex_flags field correctly */
-        X509_check_purpose(x, -1, 0);
-        if ((x->sig_alg) && (x->sig_alg->algorithm)) {
-                signature_nid = OBJ_obj2nid(x->sig_alg->algorithm);
-                OBJ_find_sigid_algs(signature_nid, &md_nid, &pk_nid);
-        }
-        if (alg_k & SSL_kECDHe || alg_k & SSL_kECDHr) {
-                /* key usage, if present, must allow key agreement */
-                if (ku_reject(x, X509v3_KU_KEY_AGREEMENT)) {
-                        SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG,
-                            SSL_R_ECC_CERT_NOT_FOR_KEY_AGREEMENT);
-                        return (0);
-                }
-                if ((alg_k & SSL_kECDHe) && TLS1_get_version(s) <
-                    TLS1_2_VERSION) {
-                        /* signature alg must be ECDSA */
-                        if (pk_nid != NID_X9_62_id_ecPublicKey) {
-                                SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG,
-                                    SSL_R_ECC_CERT_SHOULD_HAVE_SHA1_SIGNATURE);
-                                return (0);
-                        }
-                }
-                if ((alg_k & SSL_kECDHr) && TLS1_get_version(s) <
-                    TLS1_2_VERSION) {
-                        /* signature alg must be RSA */
-                        if (pk_nid != NID_rsaEncryption && pk_nid != NID_rsa) {
-                                SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG,
-                                    SSL_R_ECC_CERT_SHOULD_HAVE_RSA_SIGNATURE);
-                                return (0);
-                        }
-                }
-        }
-        if (alg_a & SSL_aECDSA) {
-                /* key usage, if present, must allow signing */
-                if (ku_reject(x, X509v3_KU_DIGITAL_SIGNATURE)) {
-                        SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG,
-                            SSL_R_ECC_CERT_NOT_FOR_SIGNING);
-                        return (0);
-                }
-        }
-        return (1);
-        /* all checks are ok */
-}
-/* THIS NEEDS CLEANING UP */
-CERT_PKEY *
-ssl_get_server_send_pkey(const SSL *s)
-{
-        unsigned long    alg_k, alg_a;
-        CERT            *c;
-        int              i;
-        c = s->cert;
-        ssl_set_cert_masks(c, s->s3->tmp.new_cipher);
-        alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
-        alg_a = s->s3->tmp.new_cipher->algorithm_auth;
-        if (alg_k & (SSL_kECDHr|SSL_kECDHe)) {
-                /*
-                 * We don't need to look at SSL_kECDHE
-                 * since no certificate is needed for
-                 * anon ECDH and for authenticated
-                 * ECDHE, the check for the auth
-                 * algorithm will set i correctly
-                 * NOTE: For ECDH-RSA, we need an ECC
-                 * not an RSA cert but for EECDH-RSA
-                 * we need an RSA cert. Placing the
-                 * checks for SSL_kECDH before RSA
-                 * checks ensures the correct cert is chosen.
-                 */
-                i = SSL_PKEY_ECC;
-        } else if (alg_a & SSL_aECDSA) {
-                i = SSL_PKEY_ECC;
-        } else if (alg_a & SSL_aDSS) {
-                i = SSL_PKEY_DSA_SIGN;
-        } else if (alg_a & SSL_aRSA) {
-                if (c->pkeys[SSL_PKEY_RSA_ENC].x509 == NULL)
-                        i = SSL_PKEY_RSA_SIGN;
-                else
-                        i = SSL_PKEY_RSA_ENC;
-        } else if (alg_a & SSL_aGOST01) {
-                i = SSL_PKEY_GOST01;
-        } else { /* if (alg_a & SSL_aNULL) */
-                SSLerr(SSL_F_SSL_GET_SERVER_SEND_PKEY, ERR_R_INTERNAL_ERROR);
-                return (NULL);
-        }
-        return (c->pkeys + i);
-}
-X509 *
-ssl_get_server_send_cert(const SSL *s)
-{
-        CERT_PKEY       *cpk;
-        cpk = ssl_get_server_send_pkey(s);
-        if (!cpk)
-                return (NULL);
-        return (cpk->x509);
-}
-EVP_PKEY *
-ssl_get_sign_pkey(SSL *s, const SSL_CIPHER *cipher, const EVP_MD **pmd)
-{
-        unsigned long    alg_a;
-        CERT            *c;
-        int              idx = -1;
-        alg_a = cipher->algorithm_auth;
-        c = s->cert;
-        if ((alg_a & SSL_aDSS) &&
-            (c->pkeys[SSL_PKEY_DSA_SIGN].privatekey != NULL))
-                idx = SSL_PKEY_DSA_SIGN;
-        else if (alg_a & SSL_aRSA) {
-                if (c->pkeys[SSL_PKEY_RSA_SIGN].privatekey != NULL)
-                        idx = SSL_PKEY_RSA_SIGN;
-                else if (c->pkeys[SSL_PKEY_RSA_ENC].privatekey != NULL)
-                        idx = SSL_PKEY_RSA_ENC;
-        } else if ((alg_a & SSL_aECDSA) &&
-            (c->pkeys[SSL_PKEY_ECC].privatekey != NULL))
-                idx = SSL_PKEY_ECC;
-        if (idx == -1) {
-                SSLerr(SSL_F_SSL_GET_SIGN_PKEY, ERR_R_INTERNAL_ERROR);
-                return (NULL);
-        }
-        if (pmd)
-                *pmd = c->pkeys[idx].digest;
-        return (c->pkeys[idx].privatekey);
-}
-DH *
-ssl_get_auto_dh(SSL *s)
-{
-        CERT_PKEY *cpk;
-        int keylen;
-        DH *dhp;
-        if (s->cert->dh_tmp_auto == 2) {
-                keylen = 1024;
-        } else if (s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) {
-                keylen = 1024;
-                if (s->s3->tmp.new_cipher->strength_bits == 256)
-                        keylen = 3072;
-        } else {
-                if ((cpk = ssl_get_server_send_pkey(s)) == NULL)
-                        return (NULL);
-                if (cpk->privatekey == NULL || cpk->privatekey->pkey.dh == NULL)
-                        return (NULL);
-                keylen = EVP_PKEY_bits(cpk->privatekey);
-        }
-        if ((dhp = DH_new()) == NULL)
-                return (NULL);
-        dhp->g = BN_new();
-        if (dhp->g != NULL)
-                BN_set_word(dhp->g, 2);
-        if (keylen >= 8192)
-                dhp->p = get_rfc3526_prime_8192(NULL);
-        else if (keylen >= 4096)
-                dhp->p = get_rfc3526_prime_4096(NULL);
-        else if (keylen >= 3072)
-                dhp->p = get_rfc3526_prime_3072(NULL);
-        else if (keylen >= 2048)
-                dhp->p = get_rfc3526_prime_2048(NULL);
-        else if (keylen >= 1536)
-                dhp->p = get_rfc3526_prime_1536(NULL);
-        else
-                dhp->p = get_rfc2409_prime_1024(NULL);
-        if (dhp->p == NULL || dhp->g == NULL) {
-                DH_free(dhp);
-                return (NULL);
-        }
-        return (dhp);
-}
-void
-ssl_update_cache(SSL *s, int mode)
-{
-        int     i;
-        /*
-         * If the session_id_length is 0, we are not supposed to cache it,
-         * and it would be rather hard to do anyway :-)
-         */
-        if (s->session->session_id_length == 0)
-                return;
-        i = s->session_ctx->session_cache_mode;
-        if ((i & mode) && (!s->hit) && ((i & SSL_SESS_CACHE_NO_INTERNAL_STORE)
-            || SSL_CTX_add_session(s->session_ctx, s->session))
-            && (s->session_ctx->new_session_cb != NULL)) {
-                CRYPTO_add(&s->session->references, 1, CRYPTO_LOCK_SSL_SESSION);
-                if (!s->session_ctx->new_session_cb(s, s->session))
-                        SSL_SESSION_free(s->session);
-        }
-        /* auto flush every 255 connections */
-        if ((!(i & SSL_SESS_CACHE_NO_AUTO_CLEAR)) &&
-            ((i & mode) == mode)) {
-                if ((((mode & SSL_SESS_CACHE_CLIENT) ?
-                    s->session_ctx->stats.sess_connect_good :
-                    s->session_ctx->stats.sess_accept_good) & 0xff) == 0xff) {
-                        SSL_CTX_flush_sessions(s->session_ctx, time(NULL));
-                }
-        }
-}
-const SSL_METHOD *
-SSL_get_ssl_method(SSL *s)
-{
-        return (s->method);
-}
-int
-SSL_set_ssl_method(SSL *s, const SSL_METHOD *meth)
-{
-        int     conn = -1;
-        int     ret = 1;
-        if (s->method != meth) {
-                if (s->handshake_func != NULL)
-                        conn = (s->handshake_func == s->method->ssl_connect);
-                if (s->method->version == meth->version)
-                        s->method = meth;
-                else {
-                        s->method->ssl_free(s);
-                        s->method = meth;
-                        ret = s->method->ssl_new(s);
-                }
-                if (conn == 1)
-                        s->handshake_func = meth->ssl_connect;
-                else if (conn == 0)
-                        s->handshake_func = meth->ssl_accept;
-        }
-        return (ret);
-}
-int
-SSL_get_error(const SSL *s, int i)
-{
-        int              reason;
-        unsigned long    l;
-        BIO             *bio;
-        if (i > 0)
-                return (SSL_ERROR_NONE);
-        /* Make things return SSL_ERROR_SYSCALL when doing SSL_do_handshake
-         * etc, where we do encode the error */
-        if ((l = ERR_peek_error()) != 0) {
-                if (ERR_GET_LIB(l) == ERR_LIB_SYS)
-                        return (SSL_ERROR_SYSCALL);
-                else
-                        return (SSL_ERROR_SSL);
-        }
-        if ((i < 0) && SSL_want_read(s)) {
-                bio = SSL_get_rbio(s);
-                if (BIO_should_read(bio)) {
-                        return (SSL_ERROR_WANT_READ);
-                } else if (BIO_should_write(bio)) {
-                        /*
-                         * This one doesn't make too much sense...  We never
-                         * try to write to the rbio, and an application
-                         * program where rbio and wbio are separate couldn't
-                         * even know what it should wait for.  However if we
-                         * ever set s->rwstate incorrectly (so that we have
-                         * SSL_want_read(s) instead of SSL_want_write(s))
-                         * and rbio and wbio *are* the same, this test works
-                         * around that bug; so it might be safer to keep it.
-                         */
-                        return (SSL_ERROR_WANT_WRITE);
-                } else if (BIO_should_io_special(bio)) {
-                        reason = BIO_get_retry_reason(bio);
-                        if (reason == BIO_RR_CONNECT)
-                                return (SSL_ERROR_WANT_CONNECT);
-                        else if (reason == BIO_RR_ACCEPT)
-                                return (SSL_ERROR_WANT_ACCEPT);
-                        else
-                                return (SSL_ERROR_SYSCALL); /* unknown */
-                }
-        }
-        if ((i < 0) && SSL_want_write(s)) {
-                bio = SSL_get_wbio(s);
-                if (BIO_should_write(bio)) {
-                        return (SSL_ERROR_WANT_WRITE);
-                } else if (BIO_should_read(bio)) {
-                        /*
-                         * See above (SSL_want_read(s) with
-                         * BIO_should_write(bio))
-                         */
-                        return (SSL_ERROR_WANT_READ);
-                } else if (BIO_should_io_special(bio)) {
-                        reason = BIO_get_retry_reason(bio);
-                        if (reason == BIO_RR_CONNECT)
-                                return (SSL_ERROR_WANT_CONNECT);
-                        else if (reason == BIO_RR_ACCEPT)
-                                return (SSL_ERROR_WANT_ACCEPT);
-                        else
-                                return (SSL_ERROR_SYSCALL);
-                }
-        }
-        if ((i < 0) && SSL_want_x509_lookup(s)) {
-                return (SSL_ERROR_WANT_X509_LOOKUP);
-        }
-        if (i == 0) {
-                if ((s->shutdown & SSL_RECEIVED_SHUTDOWN) &&
-                    (s->s3->warn_alert == SSL_AD_CLOSE_NOTIFY))
-                return (SSL_ERROR_ZERO_RETURN);
-        }
-        return (SSL_ERROR_SYSCALL);
-}
-int
-SSL_do_handshake(SSL *s)
-{
-        int     ret = 1;
-        if (s->handshake_func == NULL) {
-                SSLerr(SSL_F_SSL_DO_HANDSHAKE, SSL_R_CONNECTION_TYPE_NOT_SET);
-                return (-1);
-        }
-        s->method->ssl_renegotiate_check(s);
-        if (SSL_in_init(s) || SSL_in_before(s)) {
-                ret = s->handshake_func(s);
-        }
-        return (ret);
-}
-/*
- * For the next 2 functions, SSL_clear() sets shutdown and so
- * one of these calls will reset it
- */
-void
-SSL_set_accept_state(SSL *s)
-{
-        s->server = 1;
-        s->shutdown = 0;
-        s->state = SSL_ST_ACCEPT|SSL_ST_BEFORE;
-        s->handshake_func = s->method->ssl_accept;
-        /* clear the current cipher */
-        ssl_clear_cipher_ctx(s);
-        ssl_clear_hash_ctx(&s->read_hash);
-        ssl_clear_hash_ctx(&s->write_hash);
-}
-void
-SSL_set_connect_state(SSL *s)
-{
-        s->server = 0;
-        s->shutdown = 0;
-        s->state = SSL_ST_CONNECT|SSL_ST_BEFORE;
-        s->handshake_func = s->method->ssl_connect;
-        /* clear the current cipher */
-        ssl_clear_cipher_ctx(s);
-        ssl_clear_hash_ctx(&s->read_hash);
-        ssl_clear_hash_ctx(&s->write_hash);
-}
-int
-ssl_undefined_function(SSL *s)
-{
-        SSLerr(SSL_F_SSL_UNDEFINED_FUNCTION,
-            ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
-        return (0);
-}
-int
-ssl_undefined_void_function(void)
-{
-        SSLerr(SSL_F_SSL_UNDEFINED_VOID_FUNCTION,
-            ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
-        return (0);
-}
-int
-ssl_undefined_const_function(const SSL *s)
-{
-        SSLerr(SSL_F_SSL_UNDEFINED_CONST_FUNCTION,
-            ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
-        return (0);
-}
-const char *
-ssl_version_string(int ver)
-{
-        switch (ver) {
-        case DTLS1_VERSION:
-                return (SSL_TXT_DTLS1);
-        case TLS1_VERSION:
-                return (SSL_TXT_TLSV1);
-        case TLS1_1_VERSION:
-                return (SSL_TXT_TLSV1_1);
-        case TLS1_2_VERSION:
-                return (SSL_TXT_TLSV1_2);
-        default:
-                return ("unknown");
-        }
-}
-const char *
-SSL_get_version(const SSL *s)
-{
-        return ssl_version_string(s->version);
-}
-uint16_t
-ssl_max_server_version(SSL *s)
-{
-        uint16_t max_version;
-        /*
-         * The SSL method will be changed during version negotiation, as such
-         * we want to use the SSL method from the context.
-         */
-        max_version = s->ctx->method->version;
-        if (SSL_IS_DTLS(s))
-                return (DTLS1_VERSION);
-        if ((s->options & SSL_OP_NO_TLSv1_2) == 0 &&
-            max_version >= TLS1_2_VERSION)
-                return (TLS1_2_VERSION);
-        if ((s->options & SSL_OP_NO_TLSv1_1) == 0 &&
-            max_version >= TLS1_1_VERSION)
-                return (TLS1_1_VERSION);
-        if ((s->options & SSL_OP_NO_TLSv1) == 0 &&
-            max_version >= TLS1_VERSION)
-                return (TLS1_VERSION);
-        return (0);
-}
-SSL *
-SSL_dup(SSL *s)
-{
-        STACK_OF(X509_NAME) *sk;
-        X509_NAME *xn;
-        SSL *ret;
-        int i;
-        if ((ret = SSL_new(SSL_get_SSL_CTX(s))) == NULL)
-                return (NULL);
-        ret->version = s->version;
-        ret->type = s->type;
-        ret->method = s->method;
-        if (s->session != NULL) {
-                /* This copies session-id, SSL_METHOD, sid_ctx, and 'cert' */
-                SSL_copy_session_id(ret, s);
-        } else {
-                /*
-                 * No session has been established yet, so we have to expect
-                 * that s->cert or ret->cert will be changed later --
-                 * they should not both point to the same object,
-                 * and thus we can't use SSL_copy_session_id.
-                 */
-                ret->method->ssl_free(ret);
-                ret->method = s->method;
-                ret->method->ssl_new(ret);
-                if (s->cert != NULL) {
-                        if (ret->cert != NULL) {
-                                ssl_cert_free(ret->cert);
-                        }
-                        ret->cert = ssl_cert_dup(s->cert);
-                        if (ret->cert == NULL)
-                                goto err;
-                }
-                SSL_set_session_id_context(ret,
-                s->sid_ctx, s->sid_ctx_length);
-        }
-        ret->options = s->options;
-        ret->mode = s->mode;
-        SSL_set_max_cert_list(ret, SSL_get_max_cert_list(s));
-        SSL_set_read_ahead(ret, SSL_get_read_ahead(s));
-        ret->msg_callback = s->msg_callback;
-        ret->msg_callback_arg = s->msg_callback_arg;
-        SSL_set_verify(ret, SSL_get_verify_mode(s),
-        SSL_get_verify_callback(s));
-        SSL_set_verify_depth(ret, SSL_get_verify_depth(s));
-        ret->generate_session_id = s->generate_session_id;
-        SSL_set_info_callback(ret, SSL_get_info_callback(s));
-        ret->debug = s->debug;
-        /* copy app data, a little dangerous perhaps */
-        if (!CRYPTO_dup_ex_data(CRYPTO_EX_INDEX_SSL,
-            &ret->ex_data, &s->ex_data))
-                goto err;
-        /* setup rbio, and wbio */
-        if (s->rbio != NULL) {
-                if (!BIO_dup_state(s->rbio,(char *)&ret->rbio))
-                        goto err;
-        }
-        if (s->wbio != NULL) {
-                if (s->wbio != s->rbio) {
-                        if (!BIO_dup_state(s->wbio,(char *)&ret->wbio))
-                                goto err;
-                } else
-                        ret->wbio = ret->rbio;
-        }
-        ret->rwstate = s->rwstate;
-        ret->in_handshake = s->in_handshake;
-        ret->handshake_func = s->handshake_func;
-        ret->server = s->server;
-        ret->renegotiate = s->renegotiate;
-        ret->new_session = s->new_session;
-        ret->quiet_shutdown = s->quiet_shutdown;
-        ret->shutdown = s->shutdown;
-        /* SSL_dup does not really work at any state, though */
-        ret->state=s->state;
-        ret->rstate = s->rstate;
-        /*
-         * Would have to copy ret->init_buf, ret->init_msg, ret->init_num,
-         * ret->init_off
-         */
-        ret->init_num = 0;
-        ret->hit = s->hit;
-        X509_VERIFY_PARAM_inherit(ret->param, s->param);
-        /* dup the cipher_list and cipher_list_by_id stacks */
-        if (s->cipher_list != NULL) {
-                if ((ret->cipher_list =
-                    sk_SSL_CIPHER_dup(s->cipher_list)) == NULL)
-                        goto err;
-        }
-        if (s->cipher_list_by_id != NULL) {
-                if ((ret->cipher_list_by_id =
-                    sk_SSL_CIPHER_dup(s->cipher_list_by_id)) == NULL)
-                        goto err;
-        }
-        /* Dup the client_CA list */
-        if (s->client_CA != NULL) {
-                if ((sk = sk_X509_NAME_dup(s->client_CA)) == NULL) goto err;
-                        ret->client_CA = sk;
-                for (i = 0; i < sk_X509_NAME_num(sk); i++) {
-                        xn = sk_X509_NAME_value(sk, i);
-                        if (sk_X509_NAME_set(sk, i,
-                            X509_NAME_dup(xn)) == NULL) {
-                                X509_NAME_free(xn);
-                                goto err;
-                        }
-                }
-        }
-        if (0) {
-err:
-                if (ret != NULL)
-                        SSL_free(ret);
-                ret = NULL;
-        }
-        return (ret);
-}
-void
-ssl_clear_cipher_ctx(SSL *s)
-{
-        EVP_CIPHER_CTX_free(s->enc_read_ctx);
-        s->enc_read_ctx = NULL;
-        EVP_CIPHER_CTX_free(s->enc_write_ctx);
-        s->enc_write_ctx = NULL;
-        if (s->aead_read_ctx != NULL) {
-                EVP_AEAD_CTX_cleanup(&s->aead_read_ctx->ctx);
-                free(s->aead_read_ctx);
-                s->aead_read_ctx = NULL;
-        }
-        if (s->aead_write_ctx != NULL) {
-                EVP_AEAD_CTX_cleanup(&s->aead_write_ctx->ctx);
-                free(s->aead_write_ctx);
-                s->aead_write_ctx = NULL;
-        }
-}
-/* Fix this function so that it takes an optional type parameter */
-X509 *
-SSL_get_certificate(const SSL *s)
-{
-        if (s->cert != NULL)
-                return (s->cert->key->x509);
-        else
-                return (NULL);
-}
-/* Fix this function so that it takes an optional type parameter */
-EVP_PKEY *
-SSL_get_privatekey(SSL *s)
-{
-        if (s->cert != NULL)
-                return (s->cert->key->privatekey);
-        else
-                return (NULL);
-}
-const SSL_CIPHER *
-SSL_get_current_cipher(const SSL *s)
-{
-        if ((s->session != NULL) && (s->session->cipher != NULL))
-                return (s->session->cipher);
-        return (NULL);
-}
-const void *
-SSL_get_current_compression(SSL *s)
-{
-        return (NULL);
-}
-const void *
-SSL_get_current_expansion(SSL *s)
-{
-        return (NULL);
-}
-int
-ssl_init_wbio_buffer(SSL *s, int push)
-{
-        BIO     *bbio;
-        if (s->bbio == NULL) {
-                bbio = BIO_new(BIO_f_buffer());
-                if (bbio == NULL)
-                        return (0);
-                s->bbio = bbio;
-        } else {
-                bbio = s->bbio;
-                if (s->bbio == s->wbio)
-                        s->wbio = BIO_pop(s->wbio);
-        }
-        (void)BIO_reset(bbio);
-/*      if (!BIO_set_write_buffer_size(bbio,16*1024)) */
-        if (!BIO_set_read_buffer_size(bbio, 1)) {
-                SSLerr(SSL_F_SSL_INIT_WBIO_BUFFER, ERR_R_BUF_LIB);
-                return (0);
-        }
-        if (push) {
-                if (s->wbio != bbio)
-                        s->wbio = BIO_push(bbio, s->wbio);
-        } else {
-                if (s->wbio == bbio)
-                        s->wbio = BIO_pop(bbio);
-        }
-        return (1);
-}
-void
-ssl_free_wbio_buffer(SSL *s)
-{
-        if (s == NULL)
-                return;
-        if (s->bbio == NULL)
-                return;
-        if (s->bbio == s->wbio) {
-                /* remove buffering */
-                s->wbio = BIO_pop(s->wbio);
-        }
-        BIO_free(s->bbio);
-        s->bbio = NULL;
-}
-void
-SSL_CTX_set_quiet_shutdown(SSL_CTX *ctx, int mode)
-{
-        ctx->quiet_shutdown = mode;
-}
-int
-SSL_CTX_get_quiet_shutdown(const SSL_CTX *ctx)
-{
-        return (ctx->quiet_shutdown);
-}
-void
-SSL_set_quiet_shutdown(SSL *s, int mode)
-{
-        s->quiet_shutdown = mode;
-}
-int
-SSL_get_quiet_shutdown(const SSL *s)
-{
-        return (s->quiet_shutdown);
-}
-void
-SSL_set_shutdown(SSL *s, int mode)
-{
-        s->shutdown = mode;
-}
-int
-SSL_get_shutdown(const SSL *s)
-{
-        return (s->shutdown);
-}
-int
-SSL_version(const SSL *s)
-{
-        return (s->version);
-}
-SSL_CTX *
-SSL_get_SSL_CTX(const SSL *ssl)
-{
-        return (ssl->ctx);
-}
-SSL_CTX *
-SSL_set_SSL_CTX(SSL *ssl, SSL_CTX* ctx)
-{
-        if (ssl->ctx == ctx)
-                return (ssl->ctx);
-        if (ctx == NULL)
-                ctx = ssl->initial_ctx;
-        if (ssl->cert != NULL)
-                ssl_cert_free(ssl->cert);
-        ssl->cert = ssl_cert_dup(ctx->cert);
-        CRYPTO_add(&ctx->references, 1, CRYPTO_LOCK_SSL_CTX);
-        SSL_CTX_free(ssl->ctx); /* decrement reference count */
-        ssl->ctx = ctx;
-        return (ssl->ctx);
-}
-int
-SSL_CTX_set_default_verify_paths(SSL_CTX *ctx)
-{
-        return (X509_STORE_set_default_paths(ctx->cert_store));
-}
-int
-SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile,
-    const char *CApath)
-{
-        return (X509_STORE_load_locations(ctx->cert_store, CAfile, CApath));
-}
-int
-SSL_CTX_load_verify_mem(SSL_CTX *ctx, void *buf, int len)
-{
-        return (X509_STORE_load_mem(ctx->cert_store, buf, len));
-}
-void
-SSL_set_info_callback(SSL *ssl, void (*cb)(const SSL *ssl, int type, int val))
-{
-        ssl->info_callback = cb;
-}
-void (*SSL_get_info_callback(const SSL *ssl))(const SSL *ssl, int type, int val)
-{
-        return (ssl->info_callback);
-}
-int
-SSL_state(const SSL *ssl)
-{
-        return (ssl->state);
-}
-void
-SSL_set_state(SSL *ssl, int state)
-{
-        ssl->state = state;
-}
-void
-SSL_set_verify_result(SSL *ssl, long arg)
-{
-        ssl->verify_result = arg;
-}
-long
-SSL_get_verify_result(const SSL *ssl)
-{
-        return (ssl->verify_result);
-}
-int
-SSL_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
-    CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func)
-{
-        return (CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_SSL, argl, argp,
-            new_func, dup_func, free_func));
-}
-int
-SSL_set_ex_data(SSL *s, int idx, void *arg)
-{
-        return (CRYPTO_set_ex_data(&s->ex_data, idx, arg));
-}
-void *
-SSL_get_ex_data(const SSL *s, int idx)
-{
-        return (CRYPTO_get_ex_data(&s->ex_data, idx));
-}
-int
-SSL_CTX_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
-    CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func)
-{
-        return (CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_SSL_CTX, argl, argp,
-            new_func, dup_func, free_func));
-}
-int
-SSL_CTX_set_ex_data(SSL_CTX *s, int idx, void *arg)
-{
-        return (CRYPTO_set_ex_data(&s->ex_data, idx, arg));
-}
-void *
-SSL_CTX_get_ex_data(const SSL_CTX *s, int idx)
-{
-        return (CRYPTO_get_ex_data(&s->ex_data, idx));
-}
-int
-ssl_ok(SSL *s)
-{
-        return (1);
-}
-X509_STORE *
-SSL_CTX_get_cert_store(const SSL_CTX *ctx)
-{
-        return (ctx->cert_store);
-}
-void
-SSL_CTX_set_cert_store(SSL_CTX *ctx, X509_STORE *store)
-{
-        if (ctx->cert_store != NULL)
-                X509_STORE_free(ctx->cert_store);
-        ctx->cert_store = store;
-}
-int
-SSL_want(const SSL *s)
-{
-        return (s->rwstate);
-}
-void
-SSL_CTX_set_tmp_rsa_callback(SSL_CTX *ctx, RSA *(*cb)(SSL *ssl, int is_export,
-    int keylength))
-{
-        SSL_CTX_callback_ctrl(ctx, SSL_CTRL_SET_TMP_RSA_CB,(void (*)(void))cb);
-}
-void
-SSL_set_tmp_rsa_callback(SSL *ssl, RSA *(*cb)(SSL *ssl, int is_export,
-    int keylength))
-{
-        SSL_callback_ctrl(ssl, SSL_CTRL_SET_TMP_RSA_CB,(void (*)(void))cb);
-}
-void
-SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx, DH *(*dh)(SSL *ssl, int is_export,
-    int keylength))
-{
-        SSL_CTX_callback_ctrl(ctx, SSL_CTRL_SET_TMP_DH_CB,(void (*)(void))dh);
-}
-void
-SSL_set_tmp_dh_callback(SSL *ssl, DH *(*dh)(SSL *ssl, int is_export,
-    int keylength))
-{
-        SSL_callback_ctrl(ssl, SSL_CTRL_SET_TMP_DH_CB,(void (*)(void))dh);
-}
-void
-SSL_CTX_set_tmp_ecdh_callback(SSL_CTX *ctx, EC_KEY *(*ecdh)(SSL *ssl,
-    int is_export, int keylength))
-{
-        SSL_CTX_callback_ctrl(ctx, SSL_CTRL_SET_TMP_ECDH_CB,
-            (void (*)(void))ecdh);
-}
-void
-SSL_set_tmp_ecdh_callback(SSL *ssl, EC_KEY *(*ecdh)(SSL *ssl, int is_export,
-    int keylength))
-{
-        SSL_callback_ctrl(ssl, SSL_CTRL_SET_TMP_ECDH_CB,(void (*)(void))ecdh);
-}
-void
-SSL_CTX_set_msg_callback(SSL_CTX *ctx, void (*cb)(int write_p, int version,
-    int content_type, const void *buf, size_t len, SSL *ssl, void *arg))
-{
-        SSL_CTX_callback_ctrl(ctx, SSL_CTRL_SET_MSG_CALLBACK,
-            (void (*)(void))cb);
-}
-void
-SSL_set_msg_callback(SSL *ssl, void (*cb)(int write_p, int version,
-    int content_type, const void *buf, size_t len, SSL *ssl, void *arg))
-{
-        SSL_callback_ctrl(ssl, SSL_CTRL_SET_MSG_CALLBACK, (void (*)(void))cb);
-}
-void
-ssl_clear_hash_ctx(EVP_MD_CTX **hash)
-{
-        if (*hash)
-                EVP_MD_CTX_destroy(*hash);
-        *hash = NULL;
-}
-void
-SSL_set_debug(SSL *s, int debug)
-{
-        s->debug = debug;
-}
-int
-SSL_cache_hit(SSL *s)
-{
-        return (s->hit);
-}
-IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN(SSL_CIPHER, SSL_CIPHER, ssl_cipher_id);
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
deleted file mode 100644
index 2a521fe26a..0000000000
--- a/src/lib/libssl/ssl_locl.h
+++ /dev/null
@@ -1,847 +0,0 @@
-/* $OpenBSD: ssl_locl.h,v 1.129 2016/04/28 16:39:45 jsing Exp $ */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-/* ====================================================================
- * Copyright (c) 1998-2007 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    openssl-core@openssl.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-/* ====================================================================
- * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
- * ECC cipher suite support in OpenSSL originally developed by
- * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
- */
-/* ====================================================================
- * Copyright 2005 Nokia. All rights reserved.
- *
- * The portions of the attached software ("Contribution") is developed by
- * Nokia Corporation and is licensed pursuant to the OpenSSL open source
- * license.
- *
- * The Contribution, originally written by Mika Kousa and Pasi Eronen of
- * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
- * support (see RFC 4279) to OpenSSL.
- *
- * No patent licenses or other rights except those expressly stated in
- * the OpenSSL open source license shall be deemed granted or received
- * expressly, by implication, estoppel, or otherwise.
- *
- * No assurances are provided by Nokia that the Contribution does not
- * infringe the patent or other intellectual property rights of any third
- * party or that the license provides you with all the necessary rights
- * to make use of the Contribution.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
- * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
- * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
- * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
- * OTHERWISE.
- */
-#ifndef HEADER_SSL_LOCL_H
-#define HEADER_SSL_LOCL_H
-#include <sys/types.h>
-#include <errno.h>
-#include <stdlib.h>
-#include <string.h>
-#include <time.h>
-#include <unistd.h>
-#include <openssl/opensslconf.h>
-#include <openssl/bio.h>
-#include <openssl/buffer.h>
-#include <openssl/dsa.h>
-#include <openssl/err.h>
-#include <openssl/rsa.h>
-#include <openssl/ssl.h>
-#include <openssl/stack.h>
-#define c2l(c,l)        (l = ((unsigned long)(*((c)++)))     , \
-                         l|=(((unsigned long)(*((c)++)))<< 8), \
-                         l|=(((unsigned long)(*((c)++)))<<16), \
-                         l|=(((unsigned long)(*((c)++)))<<24))
-/* NOTE - c is not incremented as per c2l */
-#define c2ln(c,l1,l2,n) { \
-                        c+=n; \
-                        l1=l2=0; \
-                        switch (n) { \
-                        case 8: l2 =((unsigned long)(*(--(c))))<<24; \
-                        case 7: l2|=((unsigned long)(*(--(c))))<<16; \
-                        case 6: l2|=((unsigned long)(*(--(c))))<< 8; \
-                        case 5: l2|=((unsigned long)(*(--(c))));     \
-                        case 4: l1 =((unsigned long)(*(--(c))))<<24; \
-                        case 3: l1|=((unsigned long)(*(--(c))))<<16; \
-                        case 2: l1|=((unsigned long)(*(--(c))))<< 8; \
-                        case 1: l1|=((unsigned long)(*(--(c))));     \
-                                } \
-                        }
-#define l2c(l,c)        (*((c)++)=(unsigned char)(((l)    )&0xff), \
-                         *((c)++)=(unsigned char)(((l)>> 8)&0xff), \
-                         *((c)++)=(unsigned char)(((l)>>16)&0xff), \
-                         *((c)++)=(unsigned char)(((l)>>24)&0xff))
-#define n2l(c,l)        (l =((unsigned long)(*((c)++)))<<24, \
-                         l|=((unsigned long)(*((c)++)))<<16, \
-                         l|=((unsigned long)(*((c)++)))<< 8, \
-                         l|=((unsigned long)(*((c)++))))
-#define l2n(l,c)        (*((c)++)=(unsigned char)(((l)>>24)&0xff), \
-                         *((c)++)=(unsigned char)(((l)>>16)&0xff), \
-                         *((c)++)=(unsigned char)(((l)>> 8)&0xff), \
-                         *((c)++)=(unsigned char)(((l)    )&0xff))
-#define l2n8(l,c)       (*((c)++)=(unsigned char)(((l)>>56)&0xff), \
-                         *((c)++)=(unsigned char)(((l)>>48)&0xff), \
-                         *((c)++)=(unsigned char)(((l)>>40)&0xff), \
-                         *((c)++)=(unsigned char)(((l)>>32)&0xff), \
-                         *((c)++)=(unsigned char)(((l)>>24)&0xff), \
-                         *((c)++)=(unsigned char)(((l)>>16)&0xff), \
-                         *((c)++)=(unsigned char)(((l)>> 8)&0xff), \
-                         *((c)++)=(unsigned char)(((l)    )&0xff))
-/* NOTE - c is not incremented as per l2c */
-#define l2cn(l1,l2,c,n) { \
-                        c+=n; \
-                        switch (n) { \
-                        case 8: *(--(c))=(unsigned char)(((l2)>>24)&0xff); \
-                        case 7: *(--(c))=(unsigned char)(((l2)>>16)&0xff); \
-                        case 6: *(--(c))=(unsigned char)(((l2)>> 8)&0xff); \
-                        case 5: *(--(c))=(unsigned char)(((l2)    )&0xff); \
-                        case 4: *(--(c))=(unsigned char)(((l1)>>24)&0xff); \
-                        case 3: *(--(c))=(unsigned char)(((l1)>>16)&0xff); \
-                        case 2: *(--(c))=(unsigned char)(((l1)>> 8)&0xff); \
-                        case 1: *(--(c))=(unsigned char)(((l1)    )&0xff); \
-                                } \
-                        }
-#define n2s(c,s)        ((s=(((unsigned int)(c[0]))<< 8)| \
-                            (((unsigned int)(c[1]))    )),c+=2)
-#define s2n(s,c)        ((c[0]=(unsigned char)(((s)>> 8)&0xff), \
-                          c[1]=(unsigned char)(((s)    )&0xff)),c+=2)
-#define n2l3(c,l)       ((l =(((unsigned long)(c[0]))<<16)| \
-                             (((unsigned long)(c[1]))<< 8)| \
-                             (((unsigned long)(c[2]))    )),c+=3)
-#define l2n3(l,c)       ((c[0]=(unsigned char)(((l)>>16)&0xff), \
-                          c[1]=(unsigned char)(((l)>> 8)&0xff), \
-                          c[2]=(unsigned char)(((l)    )&0xff)),c+=3)
-/* LOCAL STUFF */
-#define SSL_DECRYPT     0
-#define SSL_ENCRYPT     1
-/*
- * Define the Bitmasks for SSL_CIPHER.algorithms.
- * This bits are used packed as dense as possible. If new methods/ciphers
- * etc will be added, the bits a likely to change, so this information
- * is for internal library use only, even though SSL_CIPHER.algorithms
- * can be publicly accessed.
- * Use the according functions for cipher management instead.
- *
- * The bit mask handling in the selection and sorting scheme in
- * ssl_create_cipher_list() has only limited capabilities, reflecting
- * that the different entities within are mutually exclusive:
- * ONLY ONE BIT PER MASK CAN BE SET AT A TIME.
- */
-/* Bits for algorithm_mkey (key exchange algorithm) */
-#define SSL_kRSA                0x00000001L /* RSA key exchange */
-#define SSL_kDHE                0x00000008L /* tmp DH key no DH cert */
-#define SSL_kECDHr              0x00000020L /* ECDH cert, RSA CA cert */
-#define SSL_kECDHe              0x00000040L /* ECDH cert, ECDSA CA cert */
-#define SSL_kECDHE              0x00000080L /* ephemeral ECDH */
-#define SSL_kGOST               0x00000200L /* GOST key exchange */
-/* Bits for algorithm_auth (server authentication) */
-#define SSL_aRSA                0x00000001L /* RSA auth */
-#define SSL_aDSS                0x00000002L /* DSS auth */
-#define SSL_aNULL               0x00000004L /* no auth (i.e. use ADH or AECDH) */
-#define SSL_aECDH               0x00000010L /* Fixed ECDH auth (kECDHe or kECDHr) */
-#define SSL_aECDSA              0x00000040L /* ECDSA auth*/
-#define SSL_aGOST01             0x00000200L /* GOST R 34.10-2001 signature auth */
-/* Bits for algorithm_enc (symmetric encryption) */
-#define SSL_DES                 0x00000001L
-#define SSL_3DES                0x00000002L
-#define SSL_RC4                 0x00000004L
-#define SSL_IDEA                0x00000008L
-#define SSL_eNULL               0x00000010L
-#define SSL_AES128              0x00000020L
-#define SSL_AES256              0x00000040L
-#define SSL_CAMELLIA128         0x00000080L
-#define SSL_CAMELLIA256         0x00000100L
-#define SSL_eGOST2814789CNT     0x00000200L
-#define SSL_AES128GCM           0x00000400L
-#define SSL_AES256GCM           0x00000800L
-#define SSL_CHACHA20POLY1305    0x00001000L
-#define SSL_CHACHA20POLY1305_OLD        0x00002000L
-#define SSL_AES                 (SSL_AES128|SSL_AES256|SSL_AES128GCM|SSL_AES256GCM)
-#define SSL_CAMELLIA            (SSL_CAMELLIA128|SSL_CAMELLIA256)
-/* Bits for algorithm_mac (symmetric authentication) */
-#define SSL_MD5                 0x00000001L
-#define SSL_SHA1                0x00000002L
-#define SSL_GOST94      0x00000004L
-#define SSL_GOST89MAC   0x00000008L
-#define SSL_SHA256              0x00000010L
-#define SSL_SHA384              0x00000020L
-/* Not a real MAC, just an indication it is part of cipher */
-#define SSL_AEAD                0x00000040L
-#define SSL_STREEBOG256         0x00000080L
-#define SSL_STREEBOG512         0x00000100L
-/* Bits for algorithm_ssl (protocol version) */
-#define SSL_SSLV3               0x00000002L
-#define SSL_TLSV1               SSL_SSLV3       /* for now */
-#define SSL_TLSV1_2             0x00000004L
-/* Bits for algorithm2 (handshake digests and other extra flags) */
-#define SSL_HANDSHAKE_MAC_MD5 0x10
-#define SSL_HANDSHAKE_MAC_SHA 0x20
-#define SSL_HANDSHAKE_MAC_GOST94 0x40
-#define SSL_HANDSHAKE_MAC_SHA256 0x80
-#define SSL_HANDSHAKE_MAC_SHA384 0x100
-#define SSL_HANDSHAKE_MAC_STREEBOG256 0x200
-#define SSL_HANDSHAKE_MAC_STREEBOG512 0x400
-#define SSL_HANDSHAKE_MAC_DEFAULT (SSL_HANDSHAKE_MAC_MD5 | SSL_HANDSHAKE_MAC_SHA)
-/* When adding new digest in the ssl_ciph.c and increment SSM_MD_NUM_IDX
- * make sure to update this constant too */
-#define SSL_MAX_DIGEST 8
-#define SSL3_CK_ID              0x03000000
-#define SSL3_CK_VALUE_MASK      0x0000ffff
-#define TLS1_PRF_DGST_MASK      (0xff << TLS1_PRF_DGST_SHIFT)
-#define TLS1_PRF_DGST_SHIFT 10
-#define TLS1_PRF_MD5 (SSL_HANDSHAKE_MAC_MD5 << TLS1_PRF_DGST_SHIFT)
-#define TLS1_PRF_SHA1 (SSL_HANDSHAKE_MAC_SHA << TLS1_PRF_DGST_SHIFT)
-#define TLS1_PRF_SHA256 (SSL_HANDSHAKE_MAC_SHA256 << TLS1_PRF_DGST_SHIFT)
-#define TLS1_PRF_SHA384 (SSL_HANDSHAKE_MAC_SHA384 << TLS1_PRF_DGST_SHIFT)
-#define TLS1_PRF_GOST94 (SSL_HANDSHAKE_MAC_GOST94 << TLS1_PRF_DGST_SHIFT)
-#define TLS1_PRF_STREEBOG256 (SSL_HANDSHAKE_MAC_STREEBOG256 << TLS1_PRF_DGST_SHIFT)
-#define TLS1_PRF (TLS1_PRF_MD5 | TLS1_PRF_SHA1)
-/* Stream MAC for GOST ciphersuites from cryptopro draft
- * (currently this also goes into algorithm2) */
-#define TLS1_STREAM_MAC 0x04
-/*
- * SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD is an algorithm2 flag that
- * indicates that the variable part of the nonce is included as a prefix of
- * the record (AES-GCM, for example, does this with an 8-byte variable nonce.)
- */
-#define SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD (1 << 22)
-/*
- * SSL_CIPHER_ALGORITHM2_AEAD is an algorithm2 flag that indicates the cipher
- * is implemented via an EVP_AEAD.
- */
-#define SSL_CIPHER_ALGORITHM2_AEAD (1 << 23)
-/*
- * SSL_CIPHER_AEAD_FIXED_NONCE_LEN returns the number of bytes of fixed nonce
- * for an SSL_CIPHER with the SSL_CIPHER_ALGORITHM2_AEAD flag.
- */
-#define SSL_CIPHER_AEAD_FIXED_NONCE_LEN(ssl_cipher) \
-        (((ssl_cipher->algorithm2 >> 24) & 0xf) * 2)
-/*
- * Cipher strength information.
- */
-#define SSL_STRONG_MASK         0x000001fcL
-#define SSL_STRONG_NONE         0x00000004L
-#define SSL_LOW                 0x00000020L
-#define SSL_MEDIUM              0x00000040L
-#define SSL_HIGH                0x00000080L
-/*
- * The keylength (measured in RSA key bits, I guess)  for temporary keys.
- * Cipher argument is so that this can be variable in the future.
- */
-#define SSL_C_PKEYLENGTH(c)     1024
-/* Check if an SSL structure is using DTLS. */
-#define SSL_IS_DTLS(s) (s->method->ssl3_enc->enc_flags & SSL_ENC_FLAG_DTLS)
-/* See if we need explicit IV. */
-#define SSL_USE_EXPLICIT_IV(s) \
-        (s->method->ssl3_enc->enc_flags & SSL_ENC_FLAG_EXPLICIT_IV)
-/* See if we use signature algorithms extension. */
-#define SSL_USE_SIGALGS(s) \
-        (s->method->ssl3_enc->enc_flags & SSL_ENC_FLAG_SIGALGS)
-/* Allow TLS 1.2 ciphersuites: applies to DTLS 1.2 as well as TLS 1.2. */
-#define SSL_USE_TLS1_2_CIPHERS(s) \
-        (s->method->ssl3_enc->enc_flags & SSL_ENC_FLAG_TLS1_2_CIPHERS)
-/* Mostly for SSLv3 */
-#define SSL_PKEY_RSA_ENC        0
-#define SSL_PKEY_RSA_SIGN       1
-#define SSL_PKEY_DSA_SIGN       2
-#define SSL_PKEY_DH_RSA         3
-#define SSL_PKEY_DH_DSA         4
-#define SSL_PKEY_ECC            5
-#define SSL_PKEY_GOST01         6
-#define SSL_PKEY_NUM            7
-/* SSL_kRSA <- RSA_ENC | (RSA_TMP & RSA_SIGN) |
- *          <- (EXPORT & (RSA_ENC | RSA_TMP) & RSA_SIGN)
- * SSL_kDH  <- DH_ENC & (RSA_ENC | RSA_SIGN | DSA_SIGN)
- * SSL_kDHE <- RSA_ENC | RSA_SIGN | DSA_SIGN
- * SSL_aRSA <- RSA_ENC | RSA_SIGN
- * SSL_aDSS <- DSA_SIGN
- */
-/*
-#define CERT_INVALID            0
-#define CERT_PUBLIC_KEY         1
-#define CERT_PRIVATE_KEY        2
-*/
-/* From ECC-TLS draft, used in encoding the curve type in
- * ECParameters
- */
-#define EXPLICIT_PRIME_CURVE_TYPE  1
-#define EXPLICIT_CHAR2_CURVE_TYPE  2
-#define NAMED_CURVE_TYPE           3
-typedef struct cert_pkey_st {
-        X509 *x509;
-        EVP_PKEY *privatekey;
-        /* Digest to use when signing */
-        const EVP_MD *digest;
-} CERT_PKEY;
-typedef struct cert_st {
-        /* Current active set */
-        CERT_PKEY *key; /* ALWAYS points to an element of the pkeys array
-                         * Probably it would make more sense to store
-                         * an index, not a pointer. */
-        /* The following masks are for the key and auth
-         * algorithms that are supported by the certs below */
-        int valid;
-        unsigned long mask_k;
-        unsigned long mask_a;
-        DH *dh_tmp;
-        DH *(*dh_tmp_cb)(SSL *ssl, int is_export, int keysize);
-        int dh_tmp_auto;
-        EC_KEY *ecdh_tmp;
-        EC_KEY *(*ecdh_tmp_cb)(SSL *ssl, int is_export, int keysize);
-        int ecdh_tmp_auto;
-        CERT_PKEY pkeys[SSL_PKEY_NUM];
-        int references; /* >1 only if SSL_copy_session_id is used */
-} CERT;
-typedef struct sess_cert_st {
-        STACK_OF(X509) *cert_chain; /* as received from peer */
-        /* The 'peer_...' members are used only by clients. */
-        int peer_cert_type;
-        CERT_PKEY *peer_key; /* points to an element of peer_pkeys (never NULL!) */
-        CERT_PKEY peer_pkeys[SSL_PKEY_NUM];
-        /* Obviously we don't have the private keys of these,
-         * so maybe we shouldn't even use the CERT_PKEY type here. */
-        DH *peer_dh_tmp;
-        EC_KEY *peer_ecdh_tmp;
-        int references; /* actually always 1 at the moment */
-} SESS_CERT;
-/*#define SSL_DEBUG     */
-/*#define RSA_DEBUG     */
-/* This is for the SSLv3/TLSv1.0 differences in crypto/hash stuff
- * It is a bit of a mess of functions, but hell, think of it as
- * an opaque structure :-) */
-typedef struct ssl3_enc_method {
-        int (*enc)(SSL *, int);
-        int (*mac)(SSL *, unsigned char *, int);
-        int (*setup_key_block)(SSL *);
-        int (*generate_master_secret)(SSL *, unsigned char *,
-            unsigned char *, int);
-        int (*change_cipher_state)(SSL *, int);
-        int (*final_finish_mac)(SSL *,  const char *, int, unsigned char *);
-        int finish_mac_length;
-        int (*cert_verify_mac)(SSL *, int, unsigned char *);
-        const char *client_finished_label;
-        int client_finished_label_len;
-        const char *server_finished_label;
-        int server_finished_label_len;
-        int (*alert_value)(int);
-        int (*export_keying_material)(SSL *, unsigned char *, size_t,
-            const char *, size_t, const unsigned char *, size_t,
-            int use_context);
-        /* Flags indicating protocol version requirements. */
-        unsigned int enc_flags;
-} SSL3_ENC_METHOD;
-/*
- * Flag values for enc_flags.
- */
-/* Uses explicit IV. */
-#define SSL_ENC_FLAG_EXPLICIT_IV        (1 << 0)
-/* Uses signature algorithms extension. */
-#define SSL_ENC_FLAG_SIGALGS            (1 << 1)
-/* Uses SHA256 default PRF. */
-#define SSL_ENC_FLAG_SHA256_PRF         (1 << 2)
-/* Is DTLS. */
-#define SSL_ENC_FLAG_DTLS               (1 << 3)
-/* Allow TLS 1.2 ciphersuites: applies to DTLS 1.2 as well as TLS 1.2. */
-#define SSL_ENC_FLAG_TLS1_2_CIPHERS     (1 << 4)
-/*
- * ssl_aead_ctx_st contains information about an AEAD that is being used to
- * encrypt an SSL connection.
- */
-struct ssl_aead_ctx_st {
-        EVP_AEAD_CTX ctx;
-        /*
-         * fixed_nonce contains any bytes of the nonce that are fixed for all
-         * records.
-         */
-        unsigned char fixed_nonce[12];
-        unsigned char fixed_nonce_len;
-        unsigned char variable_nonce_len;
-        unsigned char xor_fixed_nonce;
-        unsigned char tag_len;
-        /*
-         * variable_nonce_in_record is non-zero if the variable nonce
-         * for a record is included as a prefix before the ciphertext.
-         */
-        char variable_nonce_in_record;
-};
-extern SSL3_ENC_METHOD ssl3_undef_enc_method;
-extern SSL_CIPHER ssl3_ciphers[];
-const char *ssl_version_string(int ver);
-uint16_t ssl_max_server_version(SSL *s);
-extern SSL3_ENC_METHOD DTLSv1_enc_data;
-extern SSL3_ENC_METHOD TLSv1_enc_data;
-extern SSL3_ENC_METHOD TLSv1_1_enc_data;
-extern SSL3_ENC_METHOD TLSv1_2_enc_data;
-void ssl_clear_cipher_ctx(SSL *s);
-int ssl_clear_bad_session(SSL *s);
-CERT *ssl_cert_new(void);
-CERT *ssl_cert_dup(CERT *cert);
-int ssl_cert_inst(CERT **o);
-void ssl_cert_free(CERT *c);
-SESS_CERT *ssl_sess_cert_new(void);
-void ssl_sess_cert_free(SESS_CERT *sc);
-int ssl_get_new_session(SSL *s, int session);
-int ssl_get_prev_session(SSL *s, unsigned char *session, int len,
-    const unsigned char *limit);
-int ssl_cipher_id_cmp(const SSL_CIPHER *a, const SSL_CIPHER *b);
-DECLARE_OBJ_BSEARCH_GLOBAL_CMP_FN(SSL_CIPHER, SSL_CIPHER, ssl_cipher_id);
-int ssl_cipher_ptr_id_cmp(const SSL_CIPHER * const *ap,
-    const SSL_CIPHER * const *bp);
-STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s, const unsigned char *p,
-    int num);
-int ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *sk,
-    unsigned char *p);
-STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *meth,
-    STACK_OF(SSL_CIPHER) **pref, STACK_OF(SSL_CIPHER) **sorted,
-    const char *rule_str);
-void ssl_update_cache(SSL *s, int mode);
-int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
-    const EVP_MD **md, int *mac_pkey_type, int *mac_secret_size);
-int ssl_cipher_get_evp_aead(const SSL_SESSION *s, const EVP_AEAD **aead);
-int ssl_get_handshake_digest(int i, long *mask, const EVP_MD **md);
-int ssl_verify_cert_chain(SSL *s, STACK_OF(X509) *sk);
-int ssl_undefined_function(SSL *s);
-int ssl_undefined_void_function(void);
-int ssl_undefined_const_function(const SSL *s);
-CERT_PKEY *ssl_get_server_send_pkey(const SSL *s);
-X509 *ssl_get_server_send_cert(const SSL *);
-EVP_PKEY *ssl_get_sign_pkey(SSL *s, const SSL_CIPHER *c, const EVP_MD **pmd);
-DH *ssl_get_auto_dh(SSL *s);
-int ssl_cert_type(X509 *x, EVP_PKEY *pkey);
-void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher);
-STACK_OF(SSL_CIPHER) *ssl_get_ciphers_by_id(SSL *s);
-int ssl_verify_alarm_type(long type);
-void ssl_load_ciphers(void);
-const SSL_CIPHER *ssl3_get_cipher_by_char(const unsigned char *p);
-int ssl3_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p);
-int ssl3_send_server_certificate(SSL *s);
-int ssl3_send_newsession_ticket(SSL *s);
-int ssl3_send_cert_status(SSL *s);
-int ssl3_get_finished(SSL *s, int state_a, int state_b);
-int ssl3_send_change_cipher_spec(SSL *s, int state_a, int state_b);
-int ssl3_do_write(SSL *s, int type);
-int ssl3_send_alert(SSL *s, int level, int desc);
-int ssl3_get_req_cert_type(SSL *s, unsigned char *p);
-long ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok);
-int ssl3_send_finished(SSL *s, int a, int b, const char *sender, int slen);
-int ssl3_num_ciphers(void);
-const SSL_CIPHER *ssl3_get_cipher(unsigned int u);
-const SSL_CIPHER *ssl3_get_cipher_by_id(unsigned int id);
-const SSL_CIPHER *ssl3_get_cipher_by_value(uint16_t value);
-uint16_t ssl3_cipher_get_value(const SSL_CIPHER *c);
-int ssl3_renegotiate(SSL *ssl);
-int ssl3_renegotiate_check(SSL *ssl);
-int ssl3_dispatch_alert(SSL *s);
-int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek);
-int ssl3_write_bytes(SSL *s, int type, const void *buf, int len);
-unsigned long ssl3_output_cert_chain(SSL *s, X509 *x);
-SSL_CIPHER *ssl3_choose_cipher(SSL *ssl, STACK_OF(SSL_CIPHER) *clnt,
-    STACK_OF(SSL_CIPHER) *srvr);
-int     ssl3_setup_buffers(SSL *s);
-int     ssl3_setup_init_buffer(SSL *s);
-int     ssl3_setup_read_buffer(SSL *s);
-int     ssl3_setup_write_buffer(SSL *s);
-int     ssl3_release_read_buffer(SSL *s);
-int     ssl3_release_write_buffer(SSL *s);
-int     ssl3_new(SSL *s);
-void    ssl3_free(SSL *s);
-int     ssl3_accept(SSL *s);
-int     ssl3_connect(SSL *s);
-int     ssl3_read(SSL *s, void *buf, int len);
-int     ssl3_peek(SSL *s, void *buf, int len);
-int     ssl3_write(SSL *s, const void *buf, int len);
-int     ssl3_shutdown(SSL *s);
-void    ssl3_clear(SSL *s);
-long    ssl3_ctrl(SSL *s, int cmd, long larg, void *parg);
-long    ssl3_ctx_ctrl(SSL_CTX *s, int cmd, long larg, void *parg);
-long    ssl3_callback_ctrl(SSL *s, int cmd, void (*fp)(void));
-long    ssl3_ctx_callback_ctrl(SSL_CTX *s, int cmd, void (*fp)(void));
-int     ssl3_pending(const SSL *s);
-int ssl3_handshake_msg_hdr_len(SSL *s);
-unsigned char *ssl3_handshake_msg_start(SSL *s, uint8_t htype);
-void ssl3_handshake_msg_finish(SSL *s, unsigned int len);
-int ssl3_handshake_write(SSL *s);
-void tls1_record_sequence_increment(unsigned char *seq);
-int ssl3_do_change_cipher_spec(SSL *ssl);
-int ssl23_read(SSL *s, void *buf, int len);
-int ssl23_peek(SSL *s, void *buf, int len);
-int ssl23_write(SSL *s, const void *buf, int len);
-long ssl23_default_timeout(void);
-long tls1_default_timeout(void);
-int dtls1_do_write(SSL *s, int type);
-int ssl3_read_n(SSL *s, int n, int max, int extend);
-int dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek);
-int ssl3_write_pending(SSL *s, int type, const unsigned char *buf,
-    unsigned int len);
-unsigned char *dtls1_set_message_header(SSL *s, unsigned char *p,
-    unsigned char mt, unsigned long len, unsigned long frag_off,
-    unsigned long frag_len);
-int dtls1_write_app_data_bytes(SSL *s, int type, const void *buf, int len);
-int dtls1_write_bytes(SSL *s, int type, const void *buf, int len);
-int dtls1_send_change_cipher_spec(SSL *s, int a, int b);
-unsigned long dtls1_output_cert_chain(SSL *s, X509 *x);
-int dtls1_read_failed(SSL *s, int code);
-int dtls1_buffer_message(SSL *s, int ccs);
-int dtls1_retransmit_message(SSL *s, unsigned short seq,
-    unsigned long frag_off, int *found);
-int dtls1_get_queue_priority(unsigned short seq, int is_ccs);
-int dtls1_retransmit_buffered_messages(SSL *s);
-void dtls1_clear_record_buffer(SSL *s);
-int dtls1_get_message_header(unsigned char *data,
-    struct hm_header_st *msg_hdr);
-void dtls1_get_ccs_header(unsigned char *data, struct ccs_header_st *ccs_hdr);
-void dtls1_reset_seq_numbers(SSL *s, int rw);
-void dtls1_build_sequence_number(unsigned char *dst, unsigned char *seq,
-    unsigned short epoch);
-long dtls1_default_timeout(void);
-struct timeval* dtls1_get_timeout(SSL *s, struct timeval* timeleft);
-int dtls1_check_timeout_num(SSL *s);
-int dtls1_handle_timeout(SSL *s);
-const SSL_CIPHER *dtls1_get_cipher(unsigned int u);
-void dtls1_start_timer(SSL *s);
-void dtls1_stop_timer(SSL *s);
-int dtls1_is_timer_expired(SSL *s);
-void dtls1_double_timeout(SSL *s);
-unsigned int dtls1_min_mtu(void);
-/* some client-only functions */
-int ssl3_client_hello(SSL *s);
-int ssl3_get_server_hello(SSL *s);
-int ssl3_get_certificate_request(SSL *s);
-int ssl3_get_new_session_ticket(SSL *s);
-int ssl3_get_cert_status(SSL *s);
-int ssl3_get_server_done(SSL *s);
-int ssl3_send_client_verify(SSL *s);
-int ssl3_send_client_certificate(SSL *s);
-int ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey);
-int ssl3_send_client_key_exchange(SSL *s);
-int ssl3_get_key_exchange(SSL *s);
-int ssl3_get_server_certificate(SSL *s);
-int ssl3_check_cert_and_algorithm(SSL *s);
-int ssl3_check_finished(SSL *s);
-int ssl3_send_next_proto(SSL *s);
-int dtls1_send_client_certificate(SSL *s);
-/* some server-only functions */
-int ssl3_get_client_hello(SSL *s);
-int ssl3_send_server_hello(SSL *s);
-int ssl3_send_hello_request(SSL *s);
-int ssl3_send_server_key_exchange(SSL *s);
-int ssl3_send_certificate_request(SSL *s);
-int ssl3_send_server_done(SSL *s);
-int ssl3_get_client_certificate(SSL *s);
-int ssl3_get_client_key_exchange(SSL *s);
-int ssl3_get_cert_verify(SSL *s);
-int ssl3_get_next_proto(SSL *s);
-int dtls1_send_server_certificate(SSL *s);
-int ssl23_accept(SSL *s);
-int ssl23_connect(SSL *s);
-int ssl23_read_bytes(SSL *s, int n);
-int ssl23_write_bytes(SSL *s);
-int tls1_new(SSL *s);
-void tls1_free(SSL *s);
-void tls1_clear(SSL *s);
-long tls1_ctrl(SSL *s, int cmd, long larg, void *parg);
-long tls1_callback_ctrl(SSL *s, int cmd, void (*fp)(void));
-int dtls1_new(SSL *s);
-int dtls1_accept(SSL *s);
-int dtls1_connect(SSL *s);
-void dtls1_free(SSL *s);
-void dtls1_clear(SSL *s);
-long dtls1_ctrl(SSL *s, int cmd, long larg, void *parg);
-int dtls1_shutdown(SSL *s);
-long dtls1_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok);
-int dtls1_get_record(SSL *s);
-int do_dtls1_write(SSL *s, int type, const unsigned char *buf,
-    unsigned int len);
-int dtls1_dispatch_alert(SSL *s);
-int dtls1_enc(SSL *s, int snd);
-int ssl_init_wbio_buffer(SSL *s, int push);
-void ssl_free_wbio_buffer(SSL *s);
-int tls1_init_finished_mac(SSL *s);
-void tls1_finish_mac(SSL *s, const unsigned char *buf, int len);
-void tls1_free_digest_list(SSL *s);
-void tls1_cleanup_key_block(SSL *s);
-int tls1_digest_cached_records(SSL *s);
-int tls1_change_cipher_state(SSL *s, int which);
-int tls1_setup_key_block(SSL *s);
-int tls1_enc(SSL *s, int snd);
-int tls1_final_finish_mac(SSL *s, const char *str, int slen, unsigned char *p);
-int tls1_cert_verify_mac(SSL *s, int md_nid, unsigned char *p);
-int tls1_mac(SSL *ssl, unsigned char *md, int snd);
-int tls1_generate_master_secret(SSL *s, unsigned char *out,
-    unsigned char *p, int len);
-int tls1_export_keying_material(SSL *s, unsigned char *out, size_t olen,
-    const char *label, size_t llen, const unsigned char *p, size_t plen,
-    int use_context);
-int tls1_alert_code(int code);
-int ssl_ok(SSL *s);
-int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s);
-SSL_COMP *ssl3_comp_find(STACK_OF(SSL_COMP) *sk, int n);
-int tls1_ec_curve_id2nid(uint16_t curve_id);
-uint16_t tls1_ec_nid2curve_id(int nid);
-int tls1_check_curve(SSL *s, const unsigned char *p, size_t len);
-int tls1_get_shared_curve(SSL *s);
-unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p,
-    unsigned char *limit);
-unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p,
-    unsigned char *limit);
-int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **data,
-    unsigned char *d, int n, int *al);
-int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **data,
-    unsigned char *d, int n, int *al);
-int ssl_check_clienthello_tlsext_early(SSL *s);
-int ssl_check_clienthello_tlsext_late(SSL *s);
-int ssl_check_serverhello_tlsext(SSL *s);
-#define tlsext_tick_md  EVP_sha256
-int tls1_process_ticket(SSL *s, const unsigned char *session_id, int len,
-    const unsigned char *limit, SSL_SESSION **ret);
-int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk,
-    const EVP_MD *md);
-int tls12_get_sigid(const EVP_PKEY *pk);
-const EVP_MD *tls12_get_hash(unsigned char hash_alg);
-void ssl_clear_hash_ctx(EVP_MD_CTX **hash);
-int ssl_add_serverhello_renegotiate_ext(SSL *s, unsigned char *p,
-    int *len, int maxlen);
-int ssl_parse_serverhello_renegotiate_ext(SSL *s, const unsigned char *d,
-    int len, int *al);
-int ssl_add_clienthello_renegotiate_ext(SSL *s, unsigned char *p,
-    int *len, int maxlen);
-int ssl_parse_clienthello_renegotiate_ext(SSL *s, const unsigned char *d,
-    int len, int *al);
-long ssl_get_algorithm2(SSL *s);
-int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize);
-int tls12_get_req_sig_algs(SSL *s, unsigned char *p);
-int tls1_check_ec_server_key(SSL *s);
-int tls1_check_ec_tmp_key(SSL *s);
-int ssl_add_clienthello_use_srtp_ext(SSL *s, unsigned char *p,
-    int *len, int maxlen);
-int ssl_parse_clienthello_use_srtp_ext(SSL *s, const unsigned char *d,
-    int len, int *al);
-int ssl_add_serverhello_use_srtp_ext(SSL *s, unsigned char *p,
-    int *len, int maxlen);
-int ssl_parse_serverhello_use_srtp_ext(SSL *s, const unsigned char *d,
-    int len, int *al);
-/* s3_cbc.c */
-void ssl3_cbc_copy_mac(unsigned char *out, const SSL3_RECORD *rec,
-    unsigned md_size, unsigned orig_len);
-int tls1_cbc_remove_padding(const SSL *s, SSL3_RECORD *rec,
-    unsigned block_size, unsigned mac_size);
-char ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx);
-int ssl3_cbc_digest_record(const EVP_MD_CTX *ctx, unsigned char *md_out,
-    size_t *md_out_size, const unsigned char header[13],
-    const unsigned char *data, size_t data_plus_mac_size,
-    size_t data_plus_mac_plus_padding_size, const unsigned char *mac_secret,
-    unsigned mac_secret_length, char is_sslv3);
-#endif
diff --git a/src/lib/libssl/ssl_rsa.c b/src/lib/libssl/ssl_rsa.c
deleted file mode 100644
index 7481524942..0000000000
--- a/src/lib/libssl/ssl_rsa.c
+++ /dev/null
@@ -1,751 +0,0 @@
-/* $OpenBSD: ssl_rsa.c,v 1.21 2016/03/11 07:08:45 mmcc Exp $ */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-#include <stdio.h>
-#include "ssl_locl.h"
-#include <openssl/bio.h>
-#include <openssl/evp.h>
-#include <openssl/objects.h>
-#include <openssl/pem.h>
-#include <openssl/x509.h>
-static int ssl_set_cert(CERT *c, X509 *x509);
-static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey);
-static int ssl_ctx_use_certificate_chain_bio(SSL_CTX *, BIO *);
-int
-SSL_use_certificate(SSL *ssl, X509 *x)
-{
-        if (x == NULL) {
-                SSLerr(SSL_F_SSL_USE_CERTIFICATE, ERR_R_PASSED_NULL_PARAMETER);
-                return (0);
-        }
-        if (!ssl_cert_inst(&ssl->cert)) {
-                SSLerr(SSL_F_SSL_USE_CERTIFICATE, ERR_R_MALLOC_FAILURE);
-                return (0);
-        }
-        return (ssl_set_cert(ssl->cert, x));
-}
-int
-SSL_use_certificate_file(SSL *ssl, const char *file, int type)
-{
-        int j;
-        BIO *in;
-        int ret = 0;
-        X509 *x = NULL;
-        in = BIO_new(BIO_s_file_internal());
-        if (in == NULL) {
-                SSLerr(SSL_F_SSL_USE_CERTIFICATE_FILE, ERR_R_BUF_LIB);
-                goto end;
-        }
-        if (BIO_read_filename(in, file) <= 0) {
-                SSLerr(SSL_F_SSL_USE_CERTIFICATE_FILE, ERR_R_SYS_LIB);
-                goto end;
-        }
-        if (type == SSL_FILETYPE_ASN1) {
-                j = ERR_R_ASN1_LIB;
-                x = d2i_X509_bio(in, NULL);
-        } else if (type == SSL_FILETYPE_PEM) {
-                j = ERR_R_PEM_LIB;
-                x = PEM_read_bio_X509(in, NULL,
-                    ssl->ctx->default_passwd_callback,
-                    ssl->ctx->default_passwd_callback_userdata);
-        } else {
-                SSLerr(SSL_F_SSL_USE_CERTIFICATE_FILE, SSL_R_BAD_SSL_FILETYPE);
-                goto end;
-        }
-        if (x == NULL) {
-                SSLerr(SSL_F_SSL_USE_CERTIFICATE_FILE, j);
-                goto end;
-        }
-        ret = SSL_use_certificate(ssl, x);
-end:
-        X509_free(x);
-        BIO_free(in);
-        return (ret);
-}
-int
-SSL_use_certificate_ASN1(SSL *ssl, const unsigned char *d, int len)
-{
-        X509 *x;
-        int ret;
-        x = d2i_X509(NULL, &d,(long)len);
-        if (x == NULL) {
-                SSLerr(SSL_F_SSL_USE_CERTIFICATE_ASN1, ERR_R_ASN1_LIB);
-                return (0);
-        }
-        ret = SSL_use_certificate(ssl, x);
-        X509_free(x);
-        return (ret);
-}
-int
-SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa)
-{
-        EVP_PKEY *pkey;
-        int ret;
-        if (rsa == NULL) {
-                SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY, ERR_R_PASSED_NULL_PARAMETER);
-                return (0);
-        }
-        if (!ssl_cert_inst(&ssl->cert)) {
-                SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY, ERR_R_MALLOC_FAILURE);
-                return (0);
-        }
-        if ((pkey = EVP_PKEY_new()) == NULL) {
-                SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY, ERR_R_EVP_LIB);
-                return (0);
-        }
-        RSA_up_ref(rsa);
-        EVP_PKEY_assign_RSA(pkey, rsa);
-        ret = ssl_set_pkey(ssl->cert, pkey);
-        EVP_PKEY_free(pkey);
-        return (ret);
-}
-static int
-ssl_set_pkey(CERT *c, EVP_PKEY *pkey)
-{
-        int i;
-        i = ssl_cert_type(NULL, pkey);
-        if (i < 0) {
-                SSLerr(SSL_F_SSL_SET_PKEY, SSL_R_UNKNOWN_CERTIFICATE_TYPE);
-                return (0);
-        }
-        if (c->pkeys[i].x509 != NULL) {
-                EVP_PKEY *pktmp;
-                pktmp = X509_get_pubkey(c->pkeys[i].x509);
-                EVP_PKEY_copy_parameters(pktmp, pkey);
-                EVP_PKEY_free(pktmp);
-                ERR_clear_error();
-                /*
-                 * Don't check the public/private key, this is mostly
-                 * for smart cards.
-                 */
-                if ((pkey->type == EVP_PKEY_RSA) &&
-                        (RSA_flags(pkey->pkey.rsa) & RSA_METHOD_FLAG_NO_CHECK))
-;
-                else
-                if (!X509_check_private_key(c->pkeys[i].x509, pkey)) {
-                        X509_free(c->pkeys[i].x509);
-                        c->pkeys[i].x509 = NULL;
-                        return 0;
-                }
-        }
-        EVP_PKEY_free(c->pkeys[i].privatekey);
-        CRYPTO_add(&pkey->references, 1, CRYPTO_LOCK_EVP_PKEY);
-        c->pkeys[i].privatekey = pkey;
-        c->key = &(c->pkeys[i]);
-        c->valid = 0;
-        return (1);
-}
-int
-SSL_use_RSAPrivateKey_file(SSL *ssl, const char *file, int type)
-{
-        int j, ret = 0;
-        BIO *in;
-        RSA *rsa = NULL;
-        in = BIO_new(BIO_s_file_internal());
-        if (in == NULL) {
-                SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE, ERR_R_BUF_LIB);
-                goto end;
-        }
-        if (BIO_read_filename(in, file) <= 0) {
-                SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE, ERR_R_SYS_LIB);
-                goto end;
-        }
-        if (type == SSL_FILETYPE_ASN1) {
-                j = ERR_R_ASN1_LIB;
-                rsa = d2i_RSAPrivateKey_bio(in, NULL);
-        } else if (type == SSL_FILETYPE_PEM) {
-                j = ERR_R_PEM_LIB;
-                rsa = PEM_read_bio_RSAPrivateKey(in, NULL,
-                    ssl->ctx->default_passwd_callback,
-                    ssl->ctx->default_passwd_callback_userdata);
-        } else {
-                SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE, SSL_R_BAD_SSL_FILETYPE);
-                goto end;
-        }
-        if (rsa == NULL) {
-                SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE, j);
-                goto end;
-        }
-        ret = SSL_use_RSAPrivateKey(ssl, rsa);
-        RSA_free(rsa);
-end:
-        BIO_free(in);
-        return (ret);
-}
-int
-SSL_use_RSAPrivateKey_ASN1(SSL *ssl, unsigned char *d, long len)
-{
-        int ret;
-        const unsigned char *p;
-        RSA *rsa;
-        p = d;
-        if ((rsa = d2i_RSAPrivateKey(NULL, &p,(long)len)) == NULL) {
-                SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_ASN1, ERR_R_ASN1_LIB);
-                return (0);
-        }
-        ret = SSL_use_RSAPrivateKey(ssl, rsa);
-        RSA_free(rsa);
-        return (ret);
-}
-int
-SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey)
-{
-        int ret;
-        if (pkey == NULL) {
-                SSLerr(SSL_F_SSL_USE_PRIVATEKEY, ERR_R_PASSED_NULL_PARAMETER);
-                return (0);
-        }
-        if (!ssl_cert_inst(&ssl->cert)) {
-                SSLerr(SSL_F_SSL_USE_PRIVATEKEY, ERR_R_MALLOC_FAILURE);
-                return (0);
-        }
-        ret = ssl_set_pkey(ssl->cert, pkey);
-        return (ret);
-}
-int
-SSL_use_PrivateKey_file(SSL *ssl, const char *file, int type)
-{
-        int j, ret = 0;
-        BIO *in;
-        EVP_PKEY *pkey = NULL;
-        in = BIO_new(BIO_s_file_internal());
-        if (in == NULL) {
-                SSLerr(SSL_F_SSL_USE_PRIVATEKEY_FILE, ERR_R_BUF_LIB);
-                goto end;
-        }
-        if (BIO_read_filename(in, file) <= 0) {
-                SSLerr(SSL_F_SSL_USE_PRIVATEKEY_FILE, ERR_R_SYS_LIB);
-                goto end;
-        }
-        if (type == SSL_FILETYPE_PEM) {
-                j = ERR_R_PEM_LIB;
-                pkey = PEM_read_bio_PrivateKey(in, NULL,
-                    ssl->ctx->default_passwd_callback,
-                    ssl->ctx->default_passwd_callback_userdata);
-        } else if (type == SSL_FILETYPE_ASN1) {
-                j = ERR_R_ASN1_LIB;
-                pkey = d2i_PrivateKey_bio(in, NULL);
-        } else {
-                SSLerr(SSL_F_SSL_USE_PRIVATEKEY_FILE, SSL_R_BAD_SSL_FILETYPE);
-                goto end;
-        }
-        if (pkey == NULL) {
-                SSLerr(SSL_F_SSL_USE_PRIVATEKEY_FILE, j);
-                goto end;
-        }
-        ret = SSL_use_PrivateKey(ssl, pkey);
-        EVP_PKEY_free(pkey);
-end:
-        BIO_free(in);
-        return (ret);
-}
-int
-SSL_use_PrivateKey_ASN1(int type, SSL *ssl, const unsigned char *d, long len)
-{
-        int ret;
-        const unsigned char *p;
-        EVP_PKEY *pkey;
-        p = d;
-        if ((pkey = d2i_PrivateKey(type, NULL, &p,(long)len)) == NULL) {
-                SSLerr(SSL_F_SSL_USE_PRIVATEKEY_ASN1, ERR_R_ASN1_LIB);
-                return (0);
-        }
-        ret = SSL_use_PrivateKey(ssl, pkey);
-        EVP_PKEY_free(pkey);
-        return (ret);
-}
-int
-SSL_CTX_use_certificate(SSL_CTX *ctx, X509 *x)
-{
-        if (x == NULL) {
-                SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE, ERR_R_PASSED_NULL_PARAMETER);
-                return (0);
-        }
-        if (!ssl_cert_inst(&ctx->cert)) {
-                SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE, ERR_R_MALLOC_FAILURE);
-                return (0);
-        }
-        return (ssl_set_cert(ctx->cert, x));
-}
-static int
-ssl_set_cert(CERT *c, X509 *x)
-{
-        EVP_PKEY *pkey;
-        int i;
-        pkey = X509_get_pubkey(x);
-        if (pkey == NULL) {
-                SSLerr(SSL_F_SSL_SET_CERT, SSL_R_X509_LIB);
-                return (0);
-        }
-        i = ssl_cert_type(x, pkey);
-        if (i < 0) {
-                SSLerr(SSL_F_SSL_SET_CERT, SSL_R_UNKNOWN_CERTIFICATE_TYPE);
-                EVP_PKEY_free(pkey);
-                return (0);
-        }
-        if (c->pkeys[i].privatekey != NULL) {
-                EVP_PKEY_copy_parameters(pkey, c->pkeys[i].privatekey);
-                ERR_clear_error();
-                /*
-                 * Don't check the public/private key, this is mostly
-                 * for smart cards.
-                 */
-                if ((c->pkeys[i].privatekey->type == EVP_PKEY_RSA) &&
-                        (RSA_flags(c->pkeys[i].privatekey->pkey.rsa) &
-                RSA_METHOD_FLAG_NO_CHECK))
-;
-                else
-                if (!X509_check_private_key(x, c->pkeys[i].privatekey)) {
-                        /*
-                         * don't fail for a cert/key mismatch, just free
-                         * current private key (when switching to a different
-                         * cert & key, first this function should be used,
-                         * then ssl_set_pkey
-                         */
-                        EVP_PKEY_free(c->pkeys[i].privatekey);
-                        c->pkeys[i].privatekey = NULL;
-                        /* clear error queue */
-                        ERR_clear_error();
-                }
-        }
-        EVP_PKEY_free(pkey);
-        X509_free(c->pkeys[i].x509);
-        CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);
-        c->pkeys[i].x509 = x;
-        c->key = &(c->pkeys[i]);
-        c->valid = 0;
-        return (1);
-}
-int
-SSL_CTX_use_certificate_file(SSL_CTX *ctx, const char *file, int type)
-{
-        int j;
-        BIO *in;
-        int ret = 0;
-        X509 *x = NULL;
-        in = BIO_new(BIO_s_file_internal());
-        if (in == NULL) {
-                SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, ERR_R_BUF_LIB);
-                goto end;
-        }
-        if (BIO_read_filename(in, file) <= 0) {
-                SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, ERR_R_SYS_LIB);
-                goto end;
-        }
-        if (type == SSL_FILETYPE_ASN1) {
-                j = ERR_R_ASN1_LIB;
-                x = d2i_X509_bio(in, NULL);
-        } else if (type == SSL_FILETYPE_PEM) {
-                j = ERR_R_PEM_LIB;
-                x = PEM_read_bio_X509(in, NULL, ctx->default_passwd_callback,
-                    ctx->default_passwd_callback_userdata);
-        } else {
-                SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, SSL_R_BAD_SSL_FILETYPE);
-                goto end;
-        }
-        if (x == NULL) {
-                SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, j);
-                goto end;
-        }
-        ret = SSL_CTX_use_certificate(ctx, x);
-end:
-        X509_free(x);
-        BIO_free(in);
-        return (ret);
-}
-int
-SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, int len, const unsigned char *d)
-{
-        X509 *x;
-        int ret;
-        x = d2i_X509(NULL, &d,(long)len);
-        if (x == NULL) {
-                SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_ASN1, ERR_R_ASN1_LIB);
-                return (0);
-        }
-        ret = SSL_CTX_use_certificate(ctx, x);
-        X509_free(x);
-        return (ret);
-}
-int
-SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa)
-{
-        int ret;
-        EVP_PKEY *pkey;
-        if (rsa == NULL) {
-                SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY, ERR_R_PASSED_NULL_PARAMETER);
-                return (0);
-        }
-        if (!ssl_cert_inst(&ctx->cert)) {
-                SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY, ERR_R_MALLOC_FAILURE);
-                return (0);
-        }
-        if ((pkey = EVP_PKEY_new()) == NULL) {
-                SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY, ERR_R_EVP_LIB);
-                return (0);
-        }
-        RSA_up_ref(rsa);
-        EVP_PKEY_assign_RSA(pkey, rsa);
-        ret = ssl_set_pkey(ctx->cert, pkey);
-        EVP_PKEY_free(pkey);
-        return (ret);
-}
-int
-SSL_CTX_use_RSAPrivateKey_file(SSL_CTX *ctx, const char *file, int type)
-{
-        int j, ret = 0;
-        BIO *in;
-        RSA *rsa = NULL;
-        in = BIO_new(BIO_s_file_internal());
-        if (in == NULL) {
-                SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE, ERR_R_BUF_LIB);
-                goto end;
-        }
-        if (BIO_read_filename(in, file) <= 0) {
-                SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE, ERR_R_SYS_LIB);
-                goto end;
-        }
-        if (type == SSL_FILETYPE_ASN1) {
-                j = ERR_R_ASN1_LIB;
-                rsa = d2i_RSAPrivateKey_bio(in, NULL);
-        } else if (type == SSL_FILETYPE_PEM) {
-                j = ERR_R_PEM_LIB;
-                rsa = PEM_read_bio_RSAPrivateKey(in, NULL,
-                    ctx->default_passwd_callback,
-                    ctx->default_passwd_callback_userdata);
-        } else {
-                SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE, SSL_R_BAD_SSL_FILETYPE);
-                goto end;
-        }
-        if (rsa == NULL) {
-                SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE, j);
-                goto end;
-        }
-        ret = SSL_CTX_use_RSAPrivateKey(ctx, rsa);
-        RSA_free(rsa);
-end:
-        BIO_free(in);
-        return (ret);
-}
-int
-SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, const unsigned char *d, long len)
-{
-        int ret;
-        const unsigned char *p;
-        RSA *rsa;
-        p = d;
-        if ((rsa = d2i_RSAPrivateKey(NULL, &p,(long)len)) == NULL) {
-                SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_ASN1, ERR_R_ASN1_LIB);
-                return (0);
-        }
-        ret = SSL_CTX_use_RSAPrivateKey(ctx, rsa);
-        RSA_free(rsa);
-        return (ret);
-}
-int
-SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey)
-{
-        if (pkey == NULL) {
-                SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY,
-                    ERR_R_PASSED_NULL_PARAMETER);
-                return (0);
-        }
-        if (!ssl_cert_inst(&ctx->cert)) {
-                SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY, ERR_R_MALLOC_FAILURE);
-                return (0);
-        }
-        return (ssl_set_pkey(ctx->cert, pkey));
-}
-int
-SSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, const char *file, int type)
-{
-        int j, ret = 0;
-        BIO *in;
-        EVP_PKEY *pkey = NULL;
-        in = BIO_new(BIO_s_file_internal());
-        if (in == NULL) {
-                SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE, ERR_R_BUF_LIB);
-                goto end;
-        }
-        if (BIO_read_filename(in, file) <= 0) {
-                SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE, ERR_R_SYS_LIB);
-                goto end;
-        }
-        if (type == SSL_FILETYPE_PEM) {
-                j = ERR_R_PEM_LIB;
-                pkey = PEM_read_bio_PrivateKey(in, NULL,
-                    ctx->default_passwd_callback,
-                    ctx->default_passwd_callback_userdata);
-        } else if (type == SSL_FILETYPE_ASN1) {
-                j = ERR_R_ASN1_LIB;
-                pkey = d2i_PrivateKey_bio(in, NULL);
-        } else {
-                SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE,
-                    SSL_R_BAD_SSL_FILETYPE);
-                goto end;
-        }
-        if (pkey == NULL) {
-                SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE, j);
-                goto end;
-        }
-        ret = SSL_CTX_use_PrivateKey(ctx, pkey);
-        EVP_PKEY_free(pkey);
-end:
-        BIO_free(in);
-        return (ret);
-}
-int
-SSL_CTX_use_PrivateKey_ASN1(int type, SSL_CTX *ctx, const unsigned char *d,
-    long len)
-{
-        int ret;
-        const unsigned char *p;
-        EVP_PKEY *pkey;
-        p = d;
-        if ((pkey = d2i_PrivateKey(type, NULL, &p,(long)len)) == NULL) {
-                SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_ASN1, ERR_R_ASN1_LIB);
-                return (0);
-        }
-        ret = SSL_CTX_use_PrivateKey(ctx, pkey);
-        EVP_PKEY_free(pkey);
-        return (ret);
-}
-/*
- * Read a bio that contains our certificate in "PEM" format,
- * possibly followed by a sequence of CA certificates that should be
- * sent to the peer in the Certificate message.
- */
-static int
-ssl_ctx_use_certificate_chain_bio(SSL_CTX *ctx, BIO *in)
-{
-        int ret = 0;
-        X509 *x = NULL;
-        ERR_clear_error(); /* clear error stack for SSL_CTX_use_certificate() */
-        x = PEM_read_bio_X509_AUX(in, NULL, ctx->default_passwd_callback,
-            ctx->default_passwd_callback_userdata);
-        if (x == NULL) {
-                SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE, ERR_R_PEM_LIB);
-                goto end;
-        }
-        ret = SSL_CTX_use_certificate(ctx, x);
-        if (ERR_peek_error() != 0)
-                ret = 0;
-        /* Key/certificate mismatch doesn't imply ret==0 ... */
-        if (ret) {
-                /*
-                 * If we could set up our certificate, now proceed to
-                 * the CA certificates.
-                 */
-                X509 *ca;
-                int r;
-                unsigned long err;
-                if (ctx->extra_certs != NULL) {
-                        sk_X509_pop_free(ctx->extra_certs, X509_free);
-                        ctx->extra_certs = NULL;
-                }
-                while ((ca = PEM_read_bio_X509(in, NULL,
-                    ctx->default_passwd_callback,
-                    ctx->default_passwd_callback_userdata)) != NULL) {
-                        r = SSL_CTX_add_extra_chain_cert(ctx, ca);
-                        if (!r) {
-                                X509_free(ca);
-                                ret = 0;
-                                goto end;
-                        }
-                        /*
-                         * Note that we must not free r if it was successfully
-                         * added to the chain (while we must free the main
-                         * certificate, since its reference count is increased
-                         * by SSL_CTX_use_certificate).
-                         */
-                }
-                /* When the while loop ends, it's usually just EOF. */
-                err = ERR_peek_last_error();
-                if (ERR_GET_LIB(err) == ERR_LIB_PEM &&
-                    ERR_GET_REASON(err) == PEM_R_NO_START_LINE)
-                        ERR_clear_error();
-                else
-                        ret = 0; /* some real error */
-        }
-end:
-        X509_free(x);
-        return (ret);
-}
-int
-SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file)
-{
-        BIO *in;
-        int ret = 0;
-        in = BIO_new(BIO_s_file_internal());
-        if (in == NULL) {
-                SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE, ERR_R_BUF_LIB);
-                goto end;
-        }
-        if (BIO_read_filename(in, file) <= 0) {
-                SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE, ERR_R_SYS_LIB);
-                goto end;
-        }
-        ret = ssl_ctx_use_certificate_chain_bio(ctx, in);
-end:
-        BIO_free(in);
-        return (ret);
-}
-int
-SSL_CTX_use_certificate_chain_mem(SSL_CTX *ctx, void *buf, int len)
-{
-        BIO *in;
-        int ret = 0;
-        in = BIO_new_mem_buf(buf, len);
-        if (in == NULL) {
-                SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE, ERR_R_BUF_LIB);
-                goto end;
-        }
-        ret = ssl_ctx_use_certificate_chain_bio(ctx, in);
-end:
-        BIO_free(in);
-        return (ret);
-}
diff --git a/src/lib/libssl/ssl_sess.c b/src/lib/libssl/ssl_sess.c
deleted file mode 100644
index 16dd5c444c..0000000000
--- a/src/lib/libssl/ssl_sess.c
+++ /dev/null
@@ -1,1099 +0,0 @@
-/* $OpenBSD: ssl_sess.c,v 1.49 2016/03/11 07:08:45 mmcc Exp $ */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-/* ====================================================================
- * Copyright (c) 1998-2006 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    openssl-core@openssl.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-/* ====================================================================
- * Copyright 2005 Nokia. All rights reserved.
- *
- * The portions of the attached software ("Contribution") is developed by
- * Nokia Corporation and is licensed pursuant to the OpenSSL open source
- * license.
- *
- * The Contribution, originally written by Mika Kousa and Pasi Eronen of
- * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
- * support (see RFC 4279) to OpenSSL.
- *
- * No patent licenses or other rights except those expressly stated in
- * the OpenSSL open source license shall be deemed granted or received
- * expressly, by implication, estoppel, or otherwise.
- *
- * No assurances are provided by Nokia that the Contribution does not
- * infringe the patent or other intellectual property rights of any third
- * party or that the license provides you with all the necessary rights
- * to make use of the Contribution.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
- * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
- * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
- * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
- * OTHERWISE.
- */
-#include <openssl/lhash.h>
-#ifndef OPENSSL_NO_ENGINE
-#include <openssl/engine.h>
-#endif
-#include "ssl_locl.h"
-static void SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *s);
-static void SSL_SESSION_list_add(SSL_CTX *ctx, SSL_SESSION *s);
-static int remove_session_lock(SSL_CTX *ctx, SSL_SESSION *c, int lck);
-/* aka SSL_get0_session; gets 0 objects, just returns a copy of the pointer */
-SSL_SESSION *
-SSL_get_session(const SSL *ssl)
-{
-        return (ssl->session);
-}
-/* variant of SSL_get_session: caller really gets something */
-SSL_SESSION *
-SSL_get1_session(SSL *ssl)
-{
-        SSL_SESSION *sess;
-        /*
-         * Need to lock this all up rather than just use CRYPTO_add so that
-         * somebody doesn't free ssl->session between when we check it's
-         * non-null and when we up the reference count.
-         */
-        CRYPTO_w_lock(CRYPTO_LOCK_SSL_SESSION);
-        sess = ssl->session;
-        if (sess)
-                sess->references++;
-        CRYPTO_w_unlock(CRYPTO_LOCK_SSL_SESSION);
-        return (sess);
-}
-int
-SSL_SESSION_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
-    CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func)
-{
-        return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_SSL_SESSION,
-            argl, argp, new_func, dup_func, free_func);
-}
-int
-SSL_SESSION_set_ex_data(SSL_SESSION *s, int idx, void *arg)
-{
-        return (CRYPTO_set_ex_data(&s->ex_data, idx, arg));
-}
-void *
-SSL_SESSION_get_ex_data(const SSL_SESSION *s, int idx)
-{
-        return (CRYPTO_get_ex_data(&s->ex_data, idx));
-}
-SSL_SESSION *
-SSL_SESSION_new(void)
-{
-        SSL_SESSION *ss;
-        ss = calloc(1, sizeof(SSL_SESSION));
-        if (ss == NULL) {
-                SSLerr(SSL_F_SSL_SESSION_NEW, ERR_R_MALLOC_FAILURE);
-                return (0);
-        }
-        ss->verify_result = 1; /* avoid 0 (= X509_V_OK) just in case */
-        ss->references = 1;
-        ss->timeout=60*5+4; /* 5 minute timeout by default */
-        ss->time = time(NULL);
-        ss->prev = NULL;
-        ss->next = NULL;
-        ss->tlsext_hostname = NULL;
-        ss->tlsext_ecpointformatlist_length = 0;
-        ss->tlsext_ecpointformatlist = NULL;
-        ss->tlsext_ellipticcurvelist_length = 0;
-        ss->tlsext_ellipticcurvelist = NULL;
-        CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_SESSION, ss, &ss->ex_data);
-        return (ss);
-}
-const unsigned char *
-SSL_SESSION_get_id(const SSL_SESSION *s, unsigned int *len)
-{
-        if (len)
-                *len = s->session_id_length;
-        return s->session_id;
-}
-unsigned int
-SSL_SESSION_get_compress_id(const SSL_SESSION *s)
-{
-        return 0;
-}
-/*
- * SSLv3/TLSv1 has 32 bytes (256 bits) of session ID space. As such, filling
- * the ID with random gunk repeatedly until we have no conflict is going to
- * complete in one iteration pretty much "most" of the time (btw:
- * understatement). So, if it takes us 10 iterations and we still can't avoid
- * a conflict - well that's a reasonable point to call it quits. Either the
- * arc4random code is broken or someone is trying to open roughly very close to
- * 2^128 (or 2^256) SSL sessions to our server. How you might store that many
- * sessions is perhaps a more interesting question...
- */
-#define MAX_SESS_ID_ATTEMPTS 10
-static int
-def_generate_session_id(const SSL *ssl, unsigned char *id, unsigned int *id_len)
-{
-        unsigned int retry = 0;
-        do {
-                arc4random_buf(id, *id_len);
-        } while (SSL_has_matching_session_id(ssl, id, *id_len) &&
-            (++retry < MAX_SESS_ID_ATTEMPTS));
-        if (retry < MAX_SESS_ID_ATTEMPTS)
-                return 1;
-        /* else - woops a session_id match */
-        /* XXX We should also check the external cache --
-         * but the probability of a collision is negligible, and
-         * we could not prevent the concurrent creation of sessions
-         * with identical IDs since we currently don't have means
-         * to atomically check whether a session ID already exists
-         * and make a reservation for it if it does not
-         * (this problem applies to the internal cache as well).
-         */
-        return 0;
-}
-int
-ssl_get_new_session(SSL *s, int session)
-{
-        unsigned int tmp;
-        SSL_SESSION *ss = NULL;
-        GEN_SESSION_CB cb = def_generate_session_id;
-        /* This gets used by clients and servers. */
-        if ((ss = SSL_SESSION_new()) == NULL)
-                return (0);
-        /* If the context has a default timeout, use it */
-        if (s->session_ctx->session_timeout == 0)
-                ss->timeout = SSL_get_default_timeout(s);
-        else
-                ss->timeout = s->session_ctx->session_timeout;
-        if (s->session != NULL) {
-                SSL_SESSION_free(s->session);
-                s->session = NULL;
-        }
-        if (session) {
-                switch (s->version) {
-                case TLS1_VERSION:
-                case TLS1_1_VERSION:
-                case TLS1_2_VERSION:
-                case DTLS1_VERSION:
-                        ss->ssl_version = s->version;
-                        ss->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
-                        break;
-                default:
-                        SSLerr(SSL_F_SSL_GET_NEW_SESSION,
-                            SSL_R_UNSUPPORTED_SSL_VERSION);
-                        SSL_SESSION_free(ss);
-                        return (0);
-                }
-                /* If RFC4507 ticket use empty session ID. */
-                if (s->tlsext_ticket_expected) {
-                        ss->session_id_length = 0;
-                        goto sess_id_done;
-                }
-                /* Choose which callback will set the session ID. */
-                CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);
-                if (s->generate_session_id)
-                        cb = s->generate_session_id;
-                else if (s->session_ctx->generate_session_id)
-                        cb = s->session_ctx->generate_session_id;
-                CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
-                /* Choose a session ID. */
-                tmp = ss->session_id_length;
-                if (!cb(s, ss->session_id, &tmp)) {
-                        /* The callback failed */
-                        SSLerr(SSL_F_SSL_GET_NEW_SESSION,
-                        SSL_R_SSL_SESSION_ID_CALLBACK_FAILED);
-                        SSL_SESSION_free(ss);
-                        return (0);
-                }
-                /*
-                 * Don't allow the callback to set the session length to zero.
-                 * nor set it higher than it was.
-                 */
-                if (!tmp || (tmp > ss->session_id_length)) {
-                        /* The callback set an illegal length */
-                        SSLerr(SSL_F_SSL_GET_NEW_SESSION,
-                        SSL_R_SSL_SESSION_ID_HAS_BAD_LENGTH);
-                        SSL_SESSION_free(ss);
-                        return (0);
-                }
-                ss->session_id_length = tmp;
-                /* Finally, check for a conflict. */
-                if (SSL_has_matching_session_id(s, ss->session_id,
-                        ss->session_id_length)) {
-                        SSLerr(SSL_F_SSL_GET_NEW_SESSION,
-                        SSL_R_SSL_SESSION_ID_CONFLICT);
-                        SSL_SESSION_free(ss);
-                        return (0);
-                }
-sess_id_done:
-                if (s->tlsext_hostname) {
-                        ss->tlsext_hostname = strdup(s->tlsext_hostname);
-                        if (ss->tlsext_hostname == NULL) {
-                                SSLerr(SSL_F_SSL_GET_NEW_SESSION,
-                                    ERR_R_INTERNAL_ERROR);
-                                SSL_SESSION_free(ss);
-                                return 0;
-                        }
-                }
-        } else {
-                ss->session_id_length = 0;
-        }
-        if (s->sid_ctx_length > sizeof ss->sid_ctx) {
-                SSLerr(SSL_F_SSL_GET_NEW_SESSION, ERR_R_INTERNAL_ERROR);
-                SSL_SESSION_free(ss);
-                return 0;
-        }
-        memcpy(ss->sid_ctx, s->sid_ctx, s->sid_ctx_length);
-        ss->sid_ctx_length = s->sid_ctx_length;
-        s->session = ss;
-        ss->ssl_version = s->version;
-        ss->verify_result = X509_V_OK;
-        return (1);
-}
-/*
- * ssl_get_prev attempts to find an SSL_SESSION to be used to resume this
- * connection. It is only called by servers.
- *
- *   session_id: points at the session ID in the ClientHello. This code will
- *       read past the end of this in order to parse out the session ticket
- *       extension, if any.
- *   len: the length of the session ID.
- *   limit: a pointer to the first byte after the ClientHello.
- *
- * Returns:
- *   -1: error
- *    0: a session may have been found.
- *
- * Side effects:
- *   - If a session is found then s->session is pointed at it (after freeing
- *     an existing session if need be) and s->verify_result is set from the
- *     session.
- *   - Both for new and resumed sessions, s->tlsext_ticket_expected is set
- *     to 1 if the server should issue a new session ticket (to 0 otherwise).
- */
-int
-ssl_get_prev_session(SSL *s, unsigned char *session_id, int len,
-    const unsigned char *limit)
-{
-        SSL_SESSION *ret = NULL;
-        int fatal = 0;
-        int try_session_cache = 1;
-        int r;
-        /* This is used only by servers. */
-        if (len > SSL_MAX_SSL_SESSION_ID_LENGTH)
-                goto err;
-        if (len == 0)
-                try_session_cache = 0;
-        /* Sets s->tlsext_ticket_expected. */
-        r = tls1_process_ticket(s, session_id, len, limit, &ret);
-        switch (r) {
-        case -1: /* Error during processing */
-                fatal = 1;
-                goto err;
-        case 0: /* No ticket found */
-        case 1: /* Zero length ticket found */
-                break; /* Ok to carry on processing session id. */
-        case 2: /* Ticket found but not decrypted. */
-        case 3: /* Ticket decrypted, *ret has been set. */
-                try_session_cache = 0;
-                break;
-        default:
-                abort();
-        }
-        if (try_session_cache && ret == NULL &&
-            !(s->session_ctx->session_cache_mode &
-             SSL_SESS_CACHE_NO_INTERNAL_LOOKUP)) {
-                SSL_SESSION data;
-                data.ssl_version = s->version;
-                data.session_id_length = len;
-                memcpy(data.session_id, session_id, len);
-                CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);
-                ret = lh_SSL_SESSION_retrieve(s->session_ctx->sessions, &data);
-                if (ret != NULL) {
-                        /* Don't allow other threads to steal it. */
-                        CRYPTO_add(&ret->references, 1,
-                            CRYPTO_LOCK_SSL_SESSION);
-                }
-                CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
-                if (ret == NULL)
-                        s->session_ctx->stats.sess_miss++;
-        }
-        if (try_session_cache && ret == NULL &&
-            s->session_ctx->get_session_cb != NULL) {
-                int copy = 1;
-                if ((ret = s->session_ctx->get_session_cb(s, session_id,
-                    len, &copy))) {
-                        s->session_ctx->stats.sess_cb_hit++;
-                        /*
-                         * Increment reference count now if the session
-                         * callback asks us to do so (note that if the session
-                         * structures returned by the callback are shared
-                         * between threads, it must handle the reference count
-                         * itself [i.e. copy == 0], or things won't be
-                         * thread-safe).
-                         */
-                        if (copy)
-                                CRYPTO_add(&ret->references, 1,
-                                    CRYPTO_LOCK_SSL_SESSION);
-                        /*
-                         * Add the externally cached session to the internal
-                         * cache as well if and only if we are supposed to.
-                         */
-                        if (!(s->session_ctx->session_cache_mode &
-                            SSL_SESS_CACHE_NO_INTERNAL_STORE))
-                                /*
-                                 * The following should not return 1,
-                                 * otherwise, things are very strange.
-                                 */
-                                SSL_CTX_add_session(s->session_ctx, ret);
-                }
-        }
-        if (ret == NULL)
-                goto err;
-        /* Now ret is non-NULL and we own one of its reference counts. */
-        if (ret->sid_ctx_length != s->sid_ctx_length ||
-            timingsafe_memcmp(ret->sid_ctx,
-                s->sid_ctx, ret->sid_ctx_length) != 0) {
-                /* We have the session requested by the client, but we don't
-                 * want to use it in this context. */
-                goto err; /* treat like cache miss */
-        }
-        if ((s->verify_mode & SSL_VERIFY_PEER) && s->sid_ctx_length == 0) {
-                /*
-                 * We can't be sure if this session is being used out of
-                 * context, which is especially important for SSL_VERIFY_PEER.
-                 * The application should have used
-                 * SSL[_CTX]_set_session_id_context.
-                 *
-                 * For this error case, we generate an error instead of treating
-                 * the event like a cache miss (otherwise it would be easy for
-                 * applications to effectively disable the session cache by
-                 * accident without anyone noticing).
-                 */
-                SSLerr(SSL_F_SSL_GET_PREV_SESSION,
-                    SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED);
-                fatal = 1;
-                goto err;
-        }
-        if (ret->cipher == NULL) {
-                ret->cipher = ssl3_get_cipher_by_id(ret->cipher_id);
-                if (ret->cipher == NULL)
-                        goto err;
-        }
-        if (ret->timeout < (time(NULL) - ret->time)) {
-                /* timeout */
-                s->session_ctx->stats.sess_timeout++;
-                if (try_session_cache) {
-                        /* session was from the cache, so remove it */
-                        SSL_CTX_remove_session(s->session_ctx, ret);
-                }
-                goto err;
-        }
-        s->session_ctx->stats.sess_hit++;
-        if (s->session != NULL)
-                SSL_SESSION_free(s->session);
-        s->session = ret;
-        s->verify_result = s->session->verify_result;
-        return 1;
-err:
-        if (ret != NULL) {
-                SSL_SESSION_free(ret);
-                if (!try_session_cache) {
-                        /*
-                         * The session was from a ticket, so we should
-                         * issue a ticket for the new session.
-                         */
-                        s->tlsext_ticket_expected = 1;
-                }
-        }
-        if (fatal)
-                return -1;
-        else
-                return 0;
-}
-int
-SSL_CTX_add_session(SSL_CTX *ctx, SSL_SESSION *c)
-{
-        int ret = 0;
-        SSL_SESSION *s;
-        /*
-         * Add just 1 reference count for the SSL_CTX's session cache
-         * even though it has two ways of access: each session is in a
-         * doubly linked list and an lhash.
-         */
-        CRYPTO_add(&c->references, 1, CRYPTO_LOCK_SSL_SESSION);
-        /*
-         * If session c is in already in cache, we take back the increment
-         * later.
-         */
-        CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
-        s = lh_SSL_SESSION_insert(ctx->sessions, c);
-        /*
-         * s != NULL iff we already had a session with the given PID.
-         * In this case, s == c should hold (then we did not really modify
-         * ctx->sessions), or we're in trouble.
-         */
-        if (s != NULL && s != c) {
-                /* We *are* in trouble ... */
-                SSL_SESSION_list_remove(ctx, s);
-                SSL_SESSION_free(s);
-                /*
-                 * ... so pretend the other session did not exist in cache
-                 * (we cannot handle two SSL_SESSION structures with identical
-                 * session ID in the same cache, which could happen e.g. when
-                 * two threads concurrently obtain the same session from an
-                 * external cache).
-                 */
-                s = NULL;
-        }
-        /* Put at the head of the queue unless it is already in the cache */
-        if (s == NULL)
-                SSL_SESSION_list_add(ctx, c);
-        if (s != NULL) {
-                /*
-                 * existing cache entry -- decrement previously incremented
-                 * reference count because it already takes into account the
-                 * cache.
-                 */
-                SSL_SESSION_free(s); /* s == c */
-                ret = 0;
-        } else {
-                /*
-                 * New cache entry -- remove old ones if cache has become
-                 * too large.
-                 */
-                ret = 1;
-                if (SSL_CTX_sess_get_cache_size(ctx) > 0) {
-                        while (SSL_CTX_sess_number(ctx) >
-                            SSL_CTX_sess_get_cache_size(ctx)) {
-                                if (!remove_session_lock(ctx,
-                                    ctx->session_cache_tail, 0))
-                                        break;
-                                else
-                                        ctx->stats.sess_cache_full++;
-                        }
-                }
-        }
-        CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
-        return (ret);
-}
-int
-SSL_CTX_remove_session(SSL_CTX *ctx, SSL_SESSION *c)
-{
-        return remove_session_lock(ctx, c, 1);
-}
-static int
-remove_session_lock(SSL_CTX *ctx, SSL_SESSION *c, int lck)
-{
-        SSL_SESSION *r;
-        int ret = 0;
-        if ((c != NULL) && (c->session_id_length != 0)) {
-                if (lck)
-                        CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
-                if ((r = lh_SSL_SESSION_retrieve(ctx->sessions, c)) == c) {
-                        ret = 1;
-                        r = lh_SSL_SESSION_delete(ctx->sessions, c);
-                        SSL_SESSION_list_remove(ctx, c);
-                }
-                if (lck)
-                        CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
-                if (ret) {
-                        r->not_resumable = 1;
-                        if (ctx->remove_session_cb != NULL)
-                                ctx->remove_session_cb(ctx, r);
-                        SSL_SESSION_free(r);
-                }
-        } else
-                ret = 0;
-        return (ret);
-}
-void
-SSL_SESSION_free(SSL_SESSION *ss)
-{
-        int i;
-        if (ss == NULL)
-                return;
-        i = CRYPTO_add(&ss->references, -1, CRYPTO_LOCK_SSL_SESSION);
-        if (i > 0)
-                return;
-        CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL_SESSION, ss, &ss->ex_data);
-        explicit_bzero(ss->master_key, sizeof ss->master_key);
-        explicit_bzero(ss->session_id, sizeof ss->session_id);
-        if (ss->sess_cert != NULL)
-                ssl_sess_cert_free(ss->sess_cert);
-        X509_free(ss->peer);
-        if (ss->ciphers != NULL)
-                sk_SSL_CIPHER_free(ss->ciphers);
-        free(ss->tlsext_hostname);
-        free(ss->tlsext_tick);
-        ss->tlsext_ecpointformatlist_length = 0;
-        free(ss->tlsext_ecpointformatlist);
-        ss->tlsext_ellipticcurvelist_length = 0;
-        free(ss->tlsext_ellipticcurvelist);
-        explicit_bzero(ss, sizeof(*ss));
-        free(ss);
-}
-int
-SSL_set_session(SSL *s, SSL_SESSION *session)
-{
-        int ret = 0;
-        const SSL_METHOD *meth;
-        if (session != NULL) {
-                meth = s->ctx->method->get_ssl_method(session->ssl_version);
-                if (meth == NULL)
-                        meth = s->method->get_ssl_method(session->ssl_version);
-                if (meth == NULL) {
-                        SSLerr(SSL_F_SSL_SET_SESSION,
-                            SSL_R_UNABLE_TO_FIND_SSL_METHOD);
-                        return (0);
-                }
-                if (meth != s->method) {
-                        if (!SSL_set_ssl_method(s, meth))
-                                return (0);
-                }
-                /* CRYPTO_w_lock(CRYPTO_LOCK_SSL);*/
-                CRYPTO_add(&session->references, 1, CRYPTO_LOCK_SSL_SESSION);
-                if (s->session != NULL)
-                        SSL_SESSION_free(s->session);
-                s->session = session;
-                s->verify_result = s->session->verify_result;
-                /* CRYPTO_w_unlock(CRYPTO_LOCK_SSL);*/
-                ret = 1;
-        } else {
-                if (s->session != NULL) {
-                        SSL_SESSION_free(s->session);
-                        s->session = NULL;
-                }
-                meth = s->ctx->method;
-                if (meth != s->method) {
-                        if (!SSL_set_ssl_method(s, meth))
-                                return (0);
-                }
-                ret = 1;
-        }
-        return (ret);
-}
-long
-SSL_SESSION_set_timeout(SSL_SESSION *s, long t)
-{
-        if (s == NULL)
-                return (0);
-        s->timeout = t;
-        return (1);
-}
-long
-SSL_SESSION_get_timeout(const SSL_SESSION *s)
-{
-        if (s == NULL)
-                return (0);
-        return (s->timeout);
-}
-/* XXX 2038 */
-long
-SSL_SESSION_get_time(const SSL_SESSION *s)
-{
-        if (s == NULL)
-                return (0);
-        return (s->time);
-}
-/* XXX 2038 */
-long
-SSL_SESSION_set_time(SSL_SESSION *s, long t)
-{
-        if (s == NULL)
-                return (0);
-        s->time = t;
-        return (t);
-}
-X509 *
-SSL_SESSION_get0_peer(SSL_SESSION *s)
-{
-        return s->peer;
-}
-int
-SSL_SESSION_set1_id_context(SSL_SESSION *s, const unsigned char *sid_ctx,
-    unsigned int sid_ctx_len)
-{
-        if (sid_ctx_len > SSL_MAX_SID_CTX_LENGTH) {
-                SSLerr(SSL_F_SSL_SESSION_SET1_ID_CONTEXT,
-                    SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG);
-                return 0;
-        }
-        s->sid_ctx_length = sid_ctx_len;
-        memcpy(s->sid_ctx, sid_ctx, sid_ctx_len);
-        return 1;
-}
-long
-SSL_CTX_set_timeout(SSL_CTX *s, long t)
-{
-        long l;
-        if (s == NULL)
-                return (0);
-        l = s->session_timeout;
-        s->session_timeout = t;
-        return (l);
-}
-long
-SSL_CTX_get_timeout(const SSL_CTX *s)
-{
-        if (s == NULL)
-                return (0);
-        return (s->session_timeout);
-}
-int
-SSL_set_session_secret_cb(SSL *s, int (*tls_session_secret_cb)(SSL *s,
-    void *secret, int *secret_len, STACK_OF(SSL_CIPHER) *peer_ciphers,
-    SSL_CIPHER **cipher, void *arg), void *arg)
-{
-        if (s == NULL)
-                return (0);
-        s->tls_session_secret_cb = tls_session_secret_cb;
-        s->tls_session_secret_cb_arg = arg;
-        return (1);
-}
-int
-SSL_set_session_ticket_ext_cb(SSL *s, tls_session_ticket_ext_cb_fn cb,
-    void *arg)
-{
-        if (s == NULL)
-                return (0);
-        s->tls_session_ticket_ext_cb = cb;
-        s->tls_session_ticket_ext_cb_arg = arg;
-        return (1);
-}
-int
-SSL_set_session_ticket_ext(SSL *s, void *ext_data, int ext_len)
-{
-        if (s->version >= TLS1_VERSION) {
-                free(s->tlsext_session_ticket);
-                s->tlsext_session_ticket =
-                    malloc(sizeof(TLS_SESSION_TICKET_EXT) + ext_len);
-                if (!s->tlsext_session_ticket) {
-                        SSLerr(SSL_F_SSL_SET_SESSION_TICKET_EXT,
-                            ERR_R_MALLOC_FAILURE);
-                        return 0;
-                }
-                if (ext_data) {
-                        s->tlsext_session_ticket->length = ext_len;
-                        s->tlsext_session_ticket->data =
-                            s->tlsext_session_ticket + 1;
-                        memcpy(s->tlsext_session_ticket->data,
-                            ext_data, ext_len);
-                } else {
-                        s->tlsext_session_ticket->length = 0;
-                        s->tlsext_session_ticket->data = NULL;
-                }
-                return 1;
-        }
-        return 0;
-}
-typedef struct timeout_param_st {
-        SSL_CTX *ctx;
-        long time;
-        LHASH_OF(SSL_SESSION) *cache;
-} TIMEOUT_PARAM;
-static void
-timeout_doall_arg(SSL_SESSION *s, TIMEOUT_PARAM *p)
-{
-        if ((p->time == 0) || (p->time > (s->time + s->timeout))) {
-                /* timeout */
-                /* The reason we don't call SSL_CTX_remove_session() is to
-                 * save on locking overhead */
-                (void)lh_SSL_SESSION_delete(p->cache, s);
-                SSL_SESSION_list_remove(p->ctx, s);
-                s->not_resumable = 1;
-                if (p->ctx->remove_session_cb != NULL)
-                        p->ctx->remove_session_cb(p->ctx, s);
-                SSL_SESSION_free(s);
-        }
-}
-static
-IMPLEMENT_LHASH_DOALL_ARG_FN(timeout, SSL_SESSION, TIMEOUT_PARAM)
-/* XXX 2038 */
-void
-SSL_CTX_flush_sessions(SSL_CTX *s, long t)
-{
-        unsigned long i;
-        TIMEOUT_PARAM tp;
-        tp.ctx = s;
-        tp.cache = s->sessions;
-        if (tp.cache == NULL)
-                return;
-        tp.time = t;
-        CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
-        i = CHECKED_LHASH_OF(SSL_SESSION, tp.cache)->down_load;
-        CHECKED_LHASH_OF(SSL_SESSION, tp.cache)->down_load = 0;
-        lh_SSL_SESSION_doall_arg(tp.cache, LHASH_DOALL_ARG_FN(timeout),
-        TIMEOUT_PARAM, &tp);
-        CHECKED_LHASH_OF(SSL_SESSION, tp.cache)->down_load = i;
-        CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
-}
-int
-ssl_clear_bad_session(SSL *s)
-{
-        if ((s->session != NULL) && !(s->shutdown & SSL_SENT_SHUTDOWN) &&
-            !(SSL_in_init(s) || SSL_in_before(s))) {
-                SSL_CTX_remove_session(s->ctx, s->session);
-                return (1);
-        } else
-                return (0);
-}
-/* locked by SSL_CTX in the calling function */
-static void
-SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *s)
-{
-        if ((s->next == NULL) || (s->prev == NULL))
-                return;
-        if (s->next == (SSL_SESSION *)&(ctx->session_cache_tail)) {
-                /* last element in list */
-                if (s->prev == (SSL_SESSION *)&(ctx->session_cache_head)) {
-                        /* only one element in list */
-                        ctx->session_cache_head = NULL;
-                        ctx->session_cache_tail = NULL;
-                } else {
-                        ctx->session_cache_tail = s->prev;
-                        s->prev->next =
-                            (SSL_SESSION *)&(ctx->session_cache_tail);
-                }
-        } else {
-                if (s->prev == (SSL_SESSION *)&(ctx->session_cache_head)) {
-                        /* first element in list */
-                        ctx->session_cache_head = s->next;
-                        s->next->prev =
-                            (SSL_SESSION *)&(ctx->session_cache_head);
-                } else {
-                        /* middle of list */
-                        s->next->prev = s->prev;
-                        s->prev->next = s->next;
-                }
-        }
-        s->prev = s->next = NULL;
-}
-static void
-SSL_SESSION_list_add(SSL_CTX *ctx, SSL_SESSION *s)
-{
-        if ((s->next != NULL) && (s->prev != NULL))
-                SSL_SESSION_list_remove(ctx, s);
-        if (ctx->session_cache_head == NULL) {
-                ctx->session_cache_head = s;
-                ctx->session_cache_tail = s;
-                s->prev = (SSL_SESSION *)&(ctx->session_cache_head);
-                s->next = (SSL_SESSION *)&(ctx->session_cache_tail);
-        } else {
-                s->next = ctx->session_cache_head;
-                s->next->prev = s;
-                s->prev = (SSL_SESSION *)&(ctx->session_cache_head);
-                ctx->session_cache_head = s;
-        }
-}
-void
-SSL_CTX_sess_set_new_cb(SSL_CTX *ctx,
-    int (*cb)(struct ssl_st *ssl, SSL_SESSION *sess)) {
-        ctx->new_session_cb = cb;
-}
-int
-(*SSL_CTX_sess_get_new_cb(SSL_CTX *ctx))(SSL *ssl, SSL_SESSION *sess)
-{
-        return ctx->new_session_cb;
-}
-void
-SSL_CTX_sess_set_remove_cb(SSL_CTX *ctx,
-    void (*cb)(SSL_CTX *ctx, SSL_SESSION *sess))
-{
-        ctx->remove_session_cb = cb;
-}
-void
-(*SSL_CTX_sess_get_remove_cb(SSL_CTX *ctx))(SSL_CTX * ctx, SSL_SESSION *sess)
-{
-        return ctx->remove_session_cb;
-}
-void
-SSL_CTX_sess_set_get_cb(SSL_CTX *ctx, SSL_SESSION *(*cb)(struct ssl_st *ssl,
-    unsigned char *data, int len, int *copy))
-{
-        ctx->get_session_cb = cb;
-}
-SSL_SESSION *
-(*SSL_CTX_sess_get_get_cb(SSL_CTX *ctx))(SSL *ssl, unsigned char *data,
-    int len, int *copy)
-{
-        return ctx->get_session_cb;
-}
-void
-SSL_CTX_set_info_callback(SSL_CTX *ctx,
-    void (*cb)(const SSL *ssl, int type, int val))
-{
-        ctx->info_callback = cb;
-}
-void
-(*SSL_CTX_get_info_callback(SSL_CTX *ctx))(const SSL *ssl, int type, int val)
-{
-        return ctx->info_callback;
-}
-void
-SSL_CTX_set_client_cert_cb(SSL_CTX *ctx,
-    int (*cb)(SSL *ssl, X509 **x509, EVP_PKEY **pkey))
-{
-        ctx->client_cert_cb = cb;
-}
-int
-(*SSL_CTX_get_client_cert_cb(SSL_CTX *ctx))(SSL * ssl, X509 ** x509,
-    EVP_PKEY **pkey)
-{
-        return ctx->client_cert_cb;
-}
-#ifndef OPENSSL_NO_ENGINE
-int
-SSL_CTX_set_client_cert_engine(SSL_CTX *ctx, ENGINE *e)
-{
-        if (!ENGINE_init(e)) {
-                SSLerr(SSL_F_SSL_CTX_SET_CLIENT_CERT_ENGINE,
-                    ERR_R_ENGINE_LIB);
-                return 0;
-        }
-        if (!ENGINE_get_ssl_client_cert_function(e)) {
-                SSLerr(SSL_F_SSL_CTX_SET_CLIENT_CERT_ENGINE,
-                    SSL_R_NO_CLIENT_CERT_METHOD);
-                ENGINE_finish(e);
-                return 0;
-        }
-        ctx->client_cert_engine = e;
-        return 1;
-}
-#endif
-void
-SSL_CTX_set_cookie_generate_cb(SSL_CTX *ctx,
-    int (*cb)(SSL *ssl, unsigned char *cookie, unsigned int *cookie_len))
-{
-        ctx->app_gen_cookie_cb = cb;
-}
-void
-SSL_CTX_set_cookie_verify_cb(SSL_CTX *ctx,
-    int (*cb)(SSL *ssl, unsigned char *cookie, unsigned int cookie_len))
-{
-        ctx->app_verify_cookie_cb = cb;
-}
-IMPLEMENT_PEM_rw(SSL_SESSION, SSL_SESSION, PEM_STRING_SSL_SESSION, SSL_SESSION)
diff --git a/src/lib/libssl/ssl_stat.c b/src/lib/libssl/ssl_stat.c
deleted file mode 100644
index 6d67d19c25..0000000000
--- a/src/lib/libssl/ssl_stat.c
+++ /dev/null
@@ -1,801 +0,0 @@
-/* $OpenBSD: ssl_stat.c,v 1.12 2014/11/16 14:12:47 jsing Exp $ */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-/* ====================================================================
- * Copyright 2005 Nokia. All rights reserved.
- *
- * The portions of the attached software ("Contribution") is developed by
- * Nokia Corporation and is licensed pursuant to the OpenSSL open source
- * license.
- *
- * The Contribution, originally written by Mika Kousa and Pasi Eronen of
- * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
- * support (see RFC 4279) to OpenSSL.
- *
- * No patent licenses or other rights except those expressly stated in
- * the OpenSSL open source license shall be deemed granted or received
- * expressly, by implication, estoppel, or otherwise.
- *
- * No assurances are provided by Nokia that the Contribution does not
- * infringe the patent or other intellectual property rights of any third
- * party or that the license provides you with all the necessary rights
- * to make use of the Contribution.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
- * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
- * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
- * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
- * OTHERWISE.
- */
-#include <stdio.h>
-#include "ssl_locl.h"
-const char *
-SSL_state_string_long(const SSL *s)
-{
-        const char *str;
-        switch (s->state) {
-        case SSL_ST_BEFORE:
-                str = "before SSL initialization";
-                break;
-        case SSL_ST_ACCEPT:
-                str = "before accept initialization";
-                break;
-        case SSL_ST_CONNECT:
-                str = "before connect initialization";
-                break;
-        case SSL_ST_OK:
-                str = "SSL negotiation finished successfully";
-                break;
-        case SSL_ST_RENEGOTIATE:
-                str = "SSL renegotiate ciphers";
-                break;
-        case SSL_ST_BEFORE|SSL_ST_CONNECT:
-                str = "before/connect initialization";
-                break;
-        case SSL_ST_OK|SSL_ST_CONNECT:
-                str = "ok/connect SSL initialization";
-                break;
-        case SSL_ST_BEFORE|SSL_ST_ACCEPT:
-                str = "before/accept initialization";
-                break;
-        case SSL_ST_OK|SSL_ST_ACCEPT:
-                str = "ok/accept SSL initialization";
-                break;
-        /* SSLv3 additions */
-        case SSL3_ST_CW_CLNT_HELLO_A:
-                str = "SSLv3 write client hello A";
-                break;
-        case SSL3_ST_CW_CLNT_HELLO_B:
-                str = "SSLv3 write client hello B";
-                break;
-        case SSL3_ST_CR_SRVR_HELLO_A:
-                str = "SSLv3 read server hello A";
-                break;
-        case SSL3_ST_CR_SRVR_HELLO_B:
-                str = "SSLv3 read server hello B";
-                break;
-        case SSL3_ST_CR_CERT_A:
-                str = "SSLv3 read server certificate A";
-                break;
-        case SSL3_ST_CR_CERT_B:
-                str = "SSLv3 read server certificate B";
-                break;
-        case SSL3_ST_CR_KEY_EXCH_A:
-                str = "SSLv3 read server key exchange A";
-                break;
-        case SSL3_ST_CR_KEY_EXCH_B:
-                str = "SSLv3 read server key exchange B";
-                break;
-        case SSL3_ST_CR_CERT_REQ_A:
-                str = "SSLv3 read server certificate request A";
-                break;
-        case SSL3_ST_CR_CERT_REQ_B:
-                str = "SSLv3 read server certificate request B";
-                break;
-        case SSL3_ST_CR_SESSION_TICKET_A:
-                str = "SSLv3 read server session ticket A";
-                break;
-        case SSL3_ST_CR_SESSION_TICKET_B:
-                str = "SSLv3 read server session ticket B";
-                break;
-        case SSL3_ST_CR_SRVR_DONE_A:
-                str = "SSLv3 read server done A";
-                break;
-        case SSL3_ST_CR_SRVR_DONE_B:
-                str = "SSLv3 read server done B";
-                break;
-        case SSL3_ST_CW_CERT_A:
-                str = "SSLv3 write client certificate A";
-                break;
-        case SSL3_ST_CW_CERT_B:
-                str = "SSLv3 write client certificate B";
-                break;
-        case SSL3_ST_CW_CERT_C:
-                str = "SSLv3 write client certificate C";
-                break;
-        case SSL3_ST_CW_CERT_D:
-                str = "SSLv3 write client certificate D";
-                break;
-        case SSL3_ST_CW_KEY_EXCH_A:
-                str = "SSLv3 write client key exchange A";
-                break;
-        case SSL3_ST_CW_KEY_EXCH_B:
-                str = "SSLv3 write client key exchange B";
-                break;
-        case SSL3_ST_CW_CERT_VRFY_A:
-                str = "SSLv3 write certificate verify A";
-                break;
-        case SSL3_ST_CW_CERT_VRFY_B:
-                str = "SSLv3 write certificate verify B";
-                break;
-        case SSL3_ST_CW_CHANGE_A:
-        case SSL3_ST_SW_CHANGE_A:
-                str = "SSLv3 write change cipher spec A";
-                break;
-        case SSL3_ST_CW_CHANGE_B:
-        case SSL3_ST_SW_CHANGE_B:
-                str = "SSLv3 write change cipher spec B";
-                break;
-        case SSL3_ST_CW_FINISHED_A:
-        case SSL3_ST_SW_FINISHED_A:
-                str = "SSLv3 write finished A";
-                break;
-        case SSL3_ST_CW_FINISHED_B:
-        case SSL3_ST_SW_FINISHED_B:
-                str = "SSLv3 write finished B";
-                break;
-        case SSL3_ST_CR_CHANGE_A:
-        case SSL3_ST_SR_CHANGE_A:
-                str = "SSLv3 read change cipher spec A";
-                break;
-        case SSL3_ST_CR_CHANGE_B:
-        case SSL3_ST_SR_CHANGE_B:
-                str = "SSLv3 read change cipher spec B";
-                break;
-        case SSL3_ST_CR_FINISHED_A:
-        case SSL3_ST_SR_FINISHED_A:
-                str = "SSLv3 read finished A";
-                break;
-        case SSL3_ST_CR_FINISHED_B:
-        case SSL3_ST_SR_FINISHED_B:
-                str = "SSLv3 read finished B";
-                break;
-        case SSL3_ST_CW_FLUSH:
-        case SSL3_ST_SW_FLUSH:
-                str = "SSLv3 flush data";
-                break;
-        case SSL3_ST_SR_CLNT_HELLO_A:
-                str = "SSLv3 read client hello A";
-                break;
-        case SSL3_ST_SR_CLNT_HELLO_B:
-                str = "SSLv3 read client hello B";
-                break;
-        case SSL3_ST_SR_CLNT_HELLO_C:
-                str = "SSLv3 read client hello C";
-                break;
-        case SSL3_ST_SW_HELLO_REQ_A:
-                str = "SSLv3 write hello request A";
-                break;
-        case SSL3_ST_SW_HELLO_REQ_B:
-                str = "SSLv3 write hello request B";
-                break;
-        case SSL3_ST_SW_HELLO_REQ_C:
-                str = "SSLv3 write hello request C";
-                break;
-        case SSL3_ST_SW_SRVR_HELLO_A:
-                str = "SSLv3 write server hello A";
-                break;
-        case SSL3_ST_SW_SRVR_HELLO_B:
-                str = "SSLv3 write server hello B";
-                break;
-        case SSL3_ST_SW_CERT_A:
-                str = "SSLv3 write certificate A";
-                break;
-        case SSL3_ST_SW_CERT_B:
-                str = "SSLv3 write certificate B";
-                break;
-        case SSL3_ST_SW_KEY_EXCH_A:
-                str = "SSLv3 write key exchange A";
-                break;
-        case SSL3_ST_SW_KEY_EXCH_B:
-                str = "SSLv3 write key exchange B";
-                break;
-        case SSL3_ST_SW_CERT_REQ_A:
-                str = "SSLv3 write certificate request A";
-                break;
-        case SSL3_ST_SW_CERT_REQ_B:
-                str = "SSLv3 write certificate request B";
-                break;
-        case SSL3_ST_SW_SESSION_TICKET_A:
-                str = "SSLv3 write session ticket A";
-                break;
-        case SSL3_ST_SW_SESSION_TICKET_B:
-                str = "SSLv3 write session ticket B";
-                break;
-        case SSL3_ST_SW_SRVR_DONE_A:
-                str = "SSLv3 write server done A";
-                break;
-        case SSL3_ST_SW_SRVR_DONE_B:
-                str = "SSLv3 write server done B";
-                break;
-        case SSL3_ST_SR_CERT_A:
-                str = "SSLv3 read client certificate A";
-                break;
-        case SSL3_ST_SR_CERT_B:
-                str = "SSLv3 read client certificate B";
-                break;
-        case SSL3_ST_SR_KEY_EXCH_A:
-                str = "SSLv3 read client key exchange A";
-                break;
-        case SSL3_ST_SR_KEY_EXCH_B:
-                str = "SSLv3 read client key exchange B";
-                break;
-        case SSL3_ST_SR_CERT_VRFY_A:
-                str = "SSLv3 read certificate verify A";
-                break;
-        case SSL3_ST_SR_CERT_VRFY_B:
-                str = "SSLv3 read certificate verify B";
-                break;
-        /* DTLS */
-        case DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A:
-                str = "DTLS1 read hello verify request A";
-                break;
-        case DTLS1_ST_CR_HELLO_VERIFY_REQUEST_B:
-                str = "DTLS1 read hello verify request B";
-                break;
-        case DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A:
-                str = "DTLS1 write hello verify request A";
-                break;
-        case DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B:
-                str = "DTLS1 write hello verify request B";
-                break;
-        default:
-                str = "unknown state";
-                break;
-        }
-        return (str);
-}
-const char *
-SSL_rstate_string_long(const SSL *s)
-{
-        const char *str;
-        switch (s->rstate) {
-        case SSL_ST_READ_HEADER:
-                str = "read header";
-                break;
-        case SSL_ST_READ_BODY:
-                str = "read body";
-                break;
-        case SSL_ST_READ_DONE:
-                str = "read done";
-                break;
-        default:
-                str = "unknown";
-                break;
-        }
-        return (str);
-}
-const char *
-SSL_state_string(const SSL *s)
-{
-        const char *str;
-        switch (s->state) {
-        case SSL_ST_BEFORE:
-                str = "PINIT ";
-                break;
-        case SSL_ST_ACCEPT:
-                str = "AINIT ";
-                break;
-        case SSL_ST_CONNECT:
-                str = "CINIT ";
-                break;
-        case SSL_ST_OK:
-                str = "SSLOK ";
-                break;
-        /* SSLv3 additions */
-        case SSL3_ST_SW_FLUSH:
-        case SSL3_ST_CW_FLUSH:
-                str = "3FLUSH";
-                break;
-        case SSL3_ST_CW_CLNT_HELLO_A:
-                str = "3WCH_A";
-                break;
-        case SSL3_ST_CW_CLNT_HELLO_B:
-                str = "3WCH_B";
-                break;
-        case SSL3_ST_CR_SRVR_HELLO_A:
-                str = "3RSH_A";
-                break;
-        case SSL3_ST_CR_SRVR_HELLO_B:
-                str = "3RSH_B";
-                break;
-        case SSL3_ST_CR_CERT_A:
-                str = "3RSC_A";
-                break;
-        case SSL3_ST_CR_CERT_B:
-                str = "3RSC_B";
-                break;
-        case SSL3_ST_CR_KEY_EXCH_A:
-                str = "3RSKEA";
-                break;
-        case SSL3_ST_CR_KEY_EXCH_B:
-                str = "3RSKEB";
-                break;
-        case SSL3_ST_CR_CERT_REQ_A:
-                str = "3RCR_A";
-                break;
-        case SSL3_ST_CR_CERT_REQ_B:
-                str = "3RCR_B";
-                break;
-        case SSL3_ST_CR_SRVR_DONE_A:
-                str = "3RSD_A";
-                break;
-        case SSL3_ST_CR_SRVR_DONE_B:
-                str = "3RSD_B";
-                break;
-        case SSL3_ST_CW_CERT_A:
-                str = "3WCC_A";
-                break;
-        case SSL3_ST_CW_CERT_B:
-                str = "3WCC_B";
-                break;
-        case SSL3_ST_CW_CERT_C:
-                str = "3WCC_C";
-                break;
-        case SSL3_ST_CW_CERT_D:
-                str = "3WCC_D";
-                break;
-        case SSL3_ST_CW_KEY_EXCH_A:
-                str = "3WCKEA";
-                break;
-        case SSL3_ST_CW_KEY_EXCH_B:
-                str = "3WCKEB";
-                break;
-        case SSL3_ST_CW_CERT_VRFY_A:
-                str = "3WCV_A";
-                break;
-        case SSL3_ST_CW_CERT_VRFY_B:
-                str = "3WCV_B";
-                break;
-        case SSL3_ST_SW_CHANGE_A:
-        case SSL3_ST_CW_CHANGE_A:
-                str = "3WCCSA";
-                break;
-        case SSL3_ST_SW_CHANGE_B:
-        case SSL3_ST_CW_CHANGE_B:
-                str = "3WCCSB";
-                break;
-        case SSL3_ST_SW_FINISHED_A:
-        case SSL3_ST_CW_FINISHED_A:
-                str = "3WFINA";
-                break;
-        case SSL3_ST_SW_FINISHED_B:
-        case SSL3_ST_CW_FINISHED_B:
-                str = "3WFINB";
-                break;
-        case SSL3_ST_SR_CHANGE_A:
-        case SSL3_ST_CR_CHANGE_A:
-                str = "3RCCSA";
-                break;
-        case SSL3_ST_SR_CHANGE_B:
-        case SSL3_ST_CR_CHANGE_B:
-                str = "3RCCSB";
-                break;
-        case SSL3_ST_SR_FINISHED_A:
-        case SSL3_ST_CR_FINISHED_A:
-                str = "3RFINA";
-                break;
-        case SSL3_ST_SR_FINISHED_B:
-        case SSL3_ST_CR_FINISHED_B:
-                str = "3RFINB";
-                break;
-        case SSL3_ST_SW_HELLO_REQ_A:
-                str = "3WHR_A";
-                break;
-        case SSL3_ST_SW_HELLO_REQ_B:
-                str = "3WHR_B";
-                break;
-        case SSL3_ST_SW_HELLO_REQ_C:
-                str = "3WHR_C";
-                break;
-        case SSL3_ST_SR_CLNT_HELLO_A:
-                str = "3RCH_A";
-                break;
-        case SSL3_ST_SR_CLNT_HELLO_B:
-                str = "3RCH_B";
-                break;
-        case SSL3_ST_SR_CLNT_HELLO_C:
-                str = "3RCH_C";
-                break;
-        case SSL3_ST_SW_SRVR_HELLO_A:
-                str = "3WSH_A";
-                break;
-        case SSL3_ST_SW_SRVR_HELLO_B:
-                str = "3WSH_B";
-                break;
-        case SSL3_ST_SW_CERT_A:
-                str = "3WSC_A";
-                break;
-        case SSL3_ST_SW_CERT_B:
-                str = "3WSC_B";
-                break;
-        case SSL3_ST_SW_KEY_EXCH_A:
-                str = "3WSKEA";
-                break;
-        case SSL3_ST_SW_KEY_EXCH_B:
-                str = "3WSKEB";
-                break;
-        case SSL3_ST_SW_CERT_REQ_A:
-                str = "3WCR_A";
-                break;
-        case SSL3_ST_SW_CERT_REQ_B:
-                str = "3WCR_B";
-                break;
-        case SSL3_ST_SW_SRVR_DONE_A:
-                str = "3WSD_A";
-                break;
-        case SSL3_ST_SW_SRVR_DONE_B:
-                str = "3WSD_B";
-                break;
-        case SSL3_ST_SR_CERT_A:
-                str = "3RCC_A";
-                break;
-        case SSL3_ST_SR_CERT_B:
-                str = "3RCC_B";
-                break;
-        case SSL3_ST_SR_KEY_EXCH_A:
-                str = "3RCKEA";
-                break;
-        case SSL3_ST_SR_KEY_EXCH_B:
-                str = "3RCKEB";
-                break;
-        case SSL3_ST_SR_CERT_VRFY_A:
-                str = "3RCV_A";
-                break;
-        case SSL3_ST_SR_CERT_VRFY_B:
-                str = "3RCV_B";
-                break;
-        /* DTLS */
-        case DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A:
-                str = "DRCHVA";
-                break;
-        case DTLS1_ST_CR_HELLO_VERIFY_REQUEST_B:
-                str = "DRCHVB";
-                break;
-        case DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A:
-                str = "DWCHVA";
-                break;
-        case DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B:
-                str = "DWCHVB";
-                break;
-        default:
-                str = "UNKWN ";
-                break;
-        }
-        return (str);
-}
-const char *
-SSL_alert_type_string_long(int value)
-{
-        value >>= 8;
-        if (value == SSL3_AL_WARNING)
-                return ("warning");
-        else if (value == SSL3_AL_FATAL)
-                return ("fatal");
-        else
-                return ("unknown");
-}
-const char *
-SSL_alert_type_string(int value)
-{
-        value >>= 8;
-        if (value == SSL3_AL_WARNING)
-                return ("W");
-        else if (value == SSL3_AL_FATAL)
-                return ("F");
-        else
-                return ("U");
-}
-const char *
-SSL_alert_desc_string(int value)
-{
-        const char *str;
-        switch (value & 0xff) {
-        case SSL3_AD_CLOSE_NOTIFY:
-                str = "CN";
-                break;
-        case SSL3_AD_UNEXPECTED_MESSAGE:
-                str = "UM";
-                break;
-        case SSL3_AD_BAD_RECORD_MAC:
-                str = "BM";
-                break;
-        case SSL3_AD_DECOMPRESSION_FAILURE:
-                str = "DF";
-                break;
-        case SSL3_AD_HANDSHAKE_FAILURE:
-                str = "HF";
-                break;
-        case SSL3_AD_NO_CERTIFICATE:
-                str = "NC";
-                break;
-        case SSL3_AD_BAD_CERTIFICATE:
-                str = "BC";
-                break;
-        case SSL3_AD_UNSUPPORTED_CERTIFICATE:
-                str = "UC";
-                break;
-        case SSL3_AD_CERTIFICATE_REVOKED:
-                str = "CR";
-                break;
-        case SSL3_AD_CERTIFICATE_EXPIRED:
-                str = "CE";
-                break;
-        case SSL3_AD_CERTIFICATE_UNKNOWN:
-                str = "CU";
-                break;
-        case SSL3_AD_ILLEGAL_PARAMETER:
-                str = "IP";
-                break;
-        case TLS1_AD_DECRYPTION_FAILED:
-                str = "DC";
-                break;
-        case TLS1_AD_RECORD_OVERFLOW:
-                str = "RO";
-                break;
-        case TLS1_AD_UNKNOWN_CA:
-                str = "CA";
-                break;
-        case TLS1_AD_ACCESS_DENIED:
-                str = "AD";
-                break;
-        case TLS1_AD_DECODE_ERROR:
-                str = "DE";
-                break;
-        case TLS1_AD_DECRYPT_ERROR:
-                str = "CY";
-                break;
-        case TLS1_AD_EXPORT_RESTRICTION:
-                str = "ER";
-                break;
-        case TLS1_AD_PROTOCOL_VERSION:
-                str = "PV";
-                break;
-        case TLS1_AD_INSUFFICIENT_SECURITY:
-                str = "IS";
-                break;
-        case TLS1_AD_INTERNAL_ERROR:
-                str = "IE";
-                break;
-        case TLS1_AD_USER_CANCELLED:
-                str = "US";
-                break;
-        case TLS1_AD_NO_RENEGOTIATION:
-                str = "NR";
-                break;
-        case TLS1_AD_UNSUPPORTED_EXTENSION:
-                str = "UE";
-                break;
-        case TLS1_AD_CERTIFICATE_UNOBTAINABLE:
-                str = "CO";
-                break;
-        case TLS1_AD_UNRECOGNIZED_NAME:
-                str = "UN";
-                break;
-        case TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE:
-                str = "BR";
-                break;
-        case TLS1_AD_BAD_CERTIFICATE_HASH_VALUE:
-                str = "BH";
-                break;
-        case TLS1_AD_UNKNOWN_PSK_IDENTITY:
-                str = "UP";
-                break;
-        default:
-                str = "UK";
-                break;
-        }
-        return (str);
-}
-const char *
-SSL_alert_desc_string_long(int value)
-{
-        const char *str;
-        switch (value & 0xff) {
-        case SSL3_AD_CLOSE_NOTIFY:
-                str = "close notify";
-                break;
-        case SSL3_AD_UNEXPECTED_MESSAGE:
-                str = "unexpected_message";
-                break;
-        case SSL3_AD_BAD_RECORD_MAC:
-                str = "bad record mac";
-                break;
-        case SSL3_AD_DECOMPRESSION_FAILURE:
-                str = "decompression failure";
-                break;
-        case SSL3_AD_HANDSHAKE_FAILURE:
-                str = "handshake failure";
-                break;
-        case SSL3_AD_NO_CERTIFICATE:
-                str = "no certificate";
-                break;
-        case SSL3_AD_BAD_CERTIFICATE:
-                str = "bad certificate";
-                break;
-        case SSL3_AD_UNSUPPORTED_CERTIFICATE:
-                str = "unsupported certificate";
-                break;
-        case SSL3_AD_CERTIFICATE_REVOKED:
-                str = "certificate revoked";
-                break;
-        case SSL3_AD_CERTIFICATE_EXPIRED:
-                str = "certificate expired";
-                break;
-        case SSL3_AD_CERTIFICATE_UNKNOWN:
-                str = "certificate unknown";
-                break;
-        case SSL3_AD_ILLEGAL_PARAMETER:
-                str = "illegal parameter";
-                break;
-        case TLS1_AD_DECRYPTION_FAILED:
-                str = "decryption failed";
-                break;
-        case TLS1_AD_RECORD_OVERFLOW:
-                str = "record overflow";
-                break;
-        case TLS1_AD_UNKNOWN_CA:
-                str = "unknown CA";
-                break;
-        case TLS1_AD_ACCESS_DENIED:
-                str = "access denied";
-                break;
-        case TLS1_AD_DECODE_ERROR:
-                str = "decode error";
-                break;
-        case TLS1_AD_DECRYPT_ERROR:
-                str = "decrypt error";
-                break;
-        case TLS1_AD_EXPORT_RESTRICTION:
-                str = "export restriction";
-                break;
-        case TLS1_AD_PROTOCOL_VERSION:
-                str = "protocol version";
-                break;
-        case TLS1_AD_INSUFFICIENT_SECURITY:
-                str = "insufficient security";
-                break;
-        case TLS1_AD_INTERNAL_ERROR:
-                str = "internal error";
-                break;
-        case TLS1_AD_USER_CANCELLED:
-                str = "user canceled";
-                break;
-        case TLS1_AD_NO_RENEGOTIATION:
-                str = "no renegotiation";
-                break;
-        case TLS1_AD_UNSUPPORTED_EXTENSION:
-                str = "unsupported extension";
-                break;
-        case TLS1_AD_CERTIFICATE_UNOBTAINABLE:
-                str = "certificate unobtainable";
-                break;
-        case TLS1_AD_UNRECOGNIZED_NAME:
-                str = "unrecognized name";
-                break;
-        case TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE:
-                str = "bad certificate status response";
-                break;
-        case TLS1_AD_BAD_CERTIFICATE_HASH_VALUE:
-                str = "bad certificate hash value";
-                break;
-        case TLS1_AD_UNKNOWN_PSK_IDENTITY:
-                str = "unknown PSK identity";
-                break;
-        default:
-                str = "unknown";
-                break;
-        }
-        return (str);
-}
-const char *
-SSL_rstate_string(const SSL *s)
-{
-        const char *str;
-        switch (s->rstate) {
-        case SSL_ST_READ_HEADER:
-                str = "RH";
-                break;
-        case SSL_ST_READ_BODY:
-                str = "RB";
-                break;
-        case SSL_ST_READ_DONE:
-                str = "RD";
-                break;
-        default:
-                str = "unknown";
-                break;
-        }
-        return (str);
-}
diff --git a/src/lib/libssl/ssl_txt.c b/src/lib/libssl/ssl_txt.c
deleted file mode 100644
index c3626dc03a..0000000000
--- a/src/lib/libssl/ssl_txt.c
+++ /dev/null
@@ -1,187 +0,0 @@
-/* $OpenBSD: ssl_txt.c,v 1.26 2014/12/14 15:30:50 jsing Exp $ */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-/* ====================================================================
- * Copyright 2005 Nokia. All rights reserved.
- *
- * The portions of the attached software ("Contribution") is developed by
- * Nokia Corporation and is licensed pursuant to the OpenSSL open source
- * license.
- *
- * The Contribution, originally written by Mika Kousa and Pasi Eronen of
- * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
- * support (see RFC 4279) to OpenSSL.
- *
- * No patent licenses or other rights except those expressly stated in
- * the OpenSSL open source license shall be deemed granted or received
- * expressly, by implication, estoppel, or otherwise.
- *
- * No assurances are provided by Nokia that the Contribution does not
- * infringe the patent or other intellectual property rights of any third
- * party or that the license provides you with all the necessary rights
- * to make use of the Contribution.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
- * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
- * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
- * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
- * OTHERWISE.
- */
-#include <stdio.h>
-#include <openssl/buffer.h>
-#include "ssl_locl.h"
-int
-SSL_SESSION_print_fp(FILE *fp, const SSL_SESSION *x)
-{
-        BIO *b;
-        int ret;
-        if ((b = BIO_new(BIO_s_file_internal())) == NULL) {
-                SSLerr(SSL_F_SSL_SESSION_PRINT_FP, ERR_R_BUF_LIB);
-                return (0);
-        }
-        BIO_set_fp(b, fp, BIO_NOCLOSE);
-        ret = SSL_SESSION_print(b, x);
-        BIO_free(b);
-        return (ret);
-}
-int
-SSL_SESSION_print(BIO *bp, const SSL_SESSION *x)
-{
-        unsigned int i;
-        const char *s;
-        if (x == NULL)
-                goto err;
-        if (BIO_puts(bp, "SSL-Session:\n") <= 0)
-                goto err;
-        s = ssl_version_string(x->ssl_version);
-        if (BIO_printf(bp, "    Protocol  : %s\n", s) <= 0)
-                goto err;
-        if (x->cipher == NULL) {
-                if (((x->cipher_id) & 0xff000000) == 0x02000000) {
-                        if (BIO_printf(bp, "    Cipher    : %06lX\n", x->cipher_id&0xffffff) <= 0)
-                                goto err;
-                } else {
-                        if (BIO_printf(bp, "    Cipher    : %04lX\n", x->cipher_id&0xffff) <= 0)
-                                goto err;
-                }
-        } else {
-                if (BIO_printf(bp, "    Cipher    : %s\n",((x->cipher == NULL)?"unknown":x->cipher->name)) <= 0)
-                        goto err;
-        }
-        if (BIO_puts(bp, "    Session-ID: ") <= 0)
-                goto err;
-        for (i = 0; i < x->session_id_length; i++) {
-                if (BIO_printf(bp, "%02X", x->session_id[i]) <= 0)
-                        goto err;
-        }
-        if (BIO_puts(bp, "\n    Session-ID-ctx: ") <= 0)
-                goto err;
-        for (i = 0; i < x->sid_ctx_length; i++) {
-                if (BIO_printf(bp, "%02X", x->sid_ctx[i]) <= 0)
-                        goto err;
-        }
-        if (BIO_puts(bp, "\n    Master-Key: ") <= 0)
-                goto err;
-        for (i = 0; i < (unsigned int)x->master_key_length; i++) {
-                if (BIO_printf(bp, "%02X", x->master_key[i]) <= 0)
-                        goto err;
-        }
-        if (x->tlsext_tick_lifetime_hint) {
-                if (BIO_printf(bp,
-                    "\n    TLS session ticket lifetime hint: %ld (seconds)",
-                    x->tlsext_tick_lifetime_hint) <= 0)
-                        goto err;
-        }
-        if (x->tlsext_tick) {
-                if (BIO_puts(bp, "\n    TLS session ticket:\n") <= 0)
-                        goto err;
-                if (BIO_dump_indent(bp, (char *)x->tlsext_tick, x->tlsext_ticklen, 4) <= 0)
-                        goto err;
-        }
-        if (x->time != 0) {
-                if (BIO_printf(bp, "\n    Start Time: %lld", (long long)x->time) <= 0)
-                        goto err;
-        }
-        if (x->timeout != 0L) {
-                if (BIO_printf(bp, "\n    Timeout   : %ld (sec)", x->timeout) <= 0)
-                        goto err;
-        }
-        if (BIO_puts(bp, "\n") <= 0)
-                goto err;
-        if (BIO_puts(bp, "    Verify return code: ") <= 0)
-                goto err;
-        if (BIO_printf(bp, "%ld (%s)\n", x->verify_result,
-            X509_verify_cert_error_string(x->verify_result)) <= 0)
-                goto err;
-        return (1);
-err:
-        return (0);
-}